30 September 2004

Operational Risk: People

After stopping by the booth at the ASIS conference in Dallas this week I'm convinced that Bruce McIndoe and his team are on to something great. Mitigating the risk of the loss of key personnel and other corporate assets is a vital priority.

iJet: ® Announces New Global Protection System
Ground-breaking Worldcue® GPS Application Employs Advanced Mapping, Notification, and Intelligence Capabilities to Better Protect Traveling Employees and Fixed Assets

Annapolis, Md - September 27, 2004 - iJET® Travel Risk Management (iJET), the industry leader in delivering real-time intelligence and proactive travel risk management services to multinational corporations and the travel industry, today introduced Worldcue® GPS, an innovative global protection system (GPS) for safeguarding people and assets, wherever they may be around the world. Worldcue® GPS employs advanced mapping, notification, and intelligence capabilities to make planning, monitoring, and crisis response more efficient and effective for those managing global risks.
"
Combining this capability with a focused surveillance and threat detection training program for employees could be exactly what our less than saavy corporate executives need. Peace of mind and to come home from their next business trip safely is the name of the game. The Threat Detection Program from 1SecureAudit provides a two day hands on course to educate and provide skills on various threats to individual security. These threats could include recruitment by a hostile service, kidnapping or assassination by terrorist and criminal elements or compromise by business competitors. Students are given intense, real-time instruction in surveillance detection and countersurveillance so that they can take appropriate actions.

Individuals whose occupations place them at risk may include people with access to valuable proprietary information or holders of high level security clearances, attorneys, judges, the wealthy and those responsible for their safety. This combination is one key strategy to mitigate the operational risks associated with key personnel in your organization.

29 September 2004

NFPA 1600 Tour...Will it come up short?

NFPA has announced that is has scheduled a series of workshops aimed at helping facility emergency managers understand and use NFPA 1600. The events will start in Miami in November and will be held in a dozen or so other major-city locations throughout the US over the span of a few months.

The question now is, who is going to attend and what is going to happen afterwards. A classic case of new standards and no action. The "What" known as NFPA 1600 is the new ANSI and National Fire Protection Association guidelines.

The standards are a taxonomy of common criteria for business continuity programs. In addition, it provides a list of resources within the fields of business continuity planning. Again, a worthy cause to get everyone on the same page. Now we have the "What". But do we have the "How"?

The tour is a great idea to create awareness. Now all we need to do is make sure that the owners of major infrastructure put it all into action. What needs to be done is always easier than how do it. The important step is to hire a reputable firm to guide your organization through the planning, execution and lessons learned of a Business Continuity or Disaster Recovery Exercise so that the next time it works even faster and is without major flaws.

27 September 2004

Fannie Mae Takes New Approach in Crisis

By Jeffrey H. Birnbaum and David A. Vise
Washington Post Staff Writers
Monday, September 27, 2004; Page A01

Fannie Mae, one of Washington's largest and most influential companies, is facing a serious crisis. Federal regulators have accused the mortgage-finance giant of cooking its books, in part to make room for huge bonuses for its top executives.

When confronted with emergencies in the past -- legislative efforts to tax the company or to end federal ties that give it a competitive advantage -- Fannie Mae has used a brass-knuckles approach. Its political machine, comprised of hired lobbyists, executives and directors of both political parties and grassroots groups nurtured by donations from its foundation, has long been able to run over its adversaries.

But this time, Fannie Mae is acting differently. While whispering to Wall Street that all the fuss is nothing more than a difference over accounting interpretations, the company's board has commissioned an independent probe led by former Sen. Warren Rudman (R-N.H.), making it clear that the directors want to put the matter behind the firm even if it means throwing some top executives overboard.

'I don't think they have ever faced a crisis like this. Political muscle is not going to fix this problem,' said Washington attorney Bill Lightfoot, who tangled with Fannie Mae over tax issues while a member of the D.C. Council."

26 September 2004

Securities Industry Subject to Basel II...

Since 1999, Basel II has been coming to a bank near you in America: "At the time, the Federal Reserve announced that the top nine banks - some of which, such as JPMorgan Chase, Citigroup and Wachovia, have brokerage businesses in addition to commercial banking arms - would have to comply and adopt the advanced measurement approach for their capital adequacy requirements for credit and operational risks."

The US securities industry including firms such as Merrill, Goldman Sachs and Bear Stearns will now be subject to BASEL II under the SEC's Consolidated Supervised Entities regime. The big question is whether the smaller brokerages will adopt the same approach to operational risk as many of the smaller regional banks have done.

To improve their operational-risk-assessment capabilities, firms are targeting three initiatives, says Dushyant Shahrawat, senior analyst in TowerGroup's securities practice: upgrading core infrastructure, including building data warehouses; using integration and business-process-management technology to improve operations workflow; and exploring newer technologies such as Web services and grid computing to improve operational-risk management.

23 September 2004

DHS: Ready for Business launch today...

The Department of Homeland Security launches the Ready for Business Campaign at the US Chamber of Commerce today.

The extension of the Get Ready site for business is supported by the following organizations:

* ASIS International
* Business Executives for National Security
* The Business Roundtable
* International Safety Equipment Association
* International Security Management Association
* National Association of Manufacturers
* National Federation of Independent Business
* Society for Human Resource Management
* U.S. Chamber of Commerce

The private sector is responsible for securing the infrastructure that they own and that is vital to our nations economy. Then why haven't the large owners of commercial real estate invested in pervasive preparedness initiatives to "Get Ready" for business disruptions? The simple answer is that they don't have enough incentives to do so.

Unfortunatley for the people who happen to be tenants in the largest commercial office buildings, the landlords believe that it should be everybody for themselves. And as owners of stock in Real Estate Investment Trusts (REITS), your question should be: What is the company doing to better protect our corporate assets (buildings, malls, manufacturing plants, hospitals) from a myriad of operational risks, including catostrophic events such as tornados and terrorism?

If the DHS "Ready for Business" campaign does nothing more than get owners feeling guilty about their level of committment to preparedness, then it has done the first part of the job. The rest will be left up to business itself to demand that their leased facilities are more secure, have properly trained staff to handle incidents of any kind and exercises to test and learn on a continuous basis.

21 September 2004

Phishing: Preventive strategies

As Symantec has recently been publishing their version of the losses sustained from Phishing, the vendors are busy trying to grab market share. Preventive strategies and tools to thwart Phishing attacks are getting more mainstream as companies respond to the new threats.

All of the social engineering that goes into "Phishing" scams will heavily out maneuver the vendors new tools. The consumer is still running windows without patches and will continue to click on bogus e-mail that looks identical to the ones coming from their bank. ScamBlocker, Phishnet and the rest of them will continue to evolve yet the financial losses will continue.

The Symantec point of view is nothing new. What is interesting is the increase of the number of "bots" and other malware roaming the web:

Symantec also recorded a rise in the detection of bots -- "programs that are covertly installed on a targeted system", according to the company, allowing the hacker to control the computer remotely -- from 2,000 detections per day to more than 30,000. The number peaked at 75,000 in one day.


Symantec said malicious code also increased by more than 4.5 times the number it was in the same period in 2003, equating to over 4,496 new Windows viruses and worms, with most aimed at the Win32 operating system.


Symantec says that phishing costs banks $1.2B. If this is true, you can bet who is paying for all of these operational losses.

20 September 2004

SAS is gaining momentum...

More global companies have selected the operational risk measurement framework from SAS, and they seem to be gaining momentum in the marketplace.

The more than 10,000 loss events include events where losses were incurred due to inadequate or failed internal processes, people or systems as well as external events. These could be anything from failed hardware, forgery, embezzlement, and fraud, to natural events such as earthquakes and floods. When assessing the impact of operational risk scenarios on its business, Royal & SunAlliance will use the SAS data both in the scenario analysis process as well as a benchmark for its own internal data.

17 September 2004

1SecureAudit ORM...

Operational risk management protects and enhances shareholder value. 1SecureAudit enhances shareholder value as a primary benefit of its impact on operational risk management (ORM). Clients utilize baseline knowledge, industry experience and ORM decision support to increase operational mission effectiveness by anticipating threats/hazards and reducing the potential for loss. Change and the speed of change continue to provide a challenging environment for the entire financial and health care services industry.

Some of the key trends include:

1. Innovations in products, technology and distribution channels

2. The effect of globalization and regulatory modernization

3. The convergence of capital markets and the ever evolving pace of competition

The many challenges facing health care and financial institutions today are forcing senior management to address the totality of risks and opportunities in various lines of business and in different markets and regulatory environments. Protection of critical infrastructure assets is a Homeland Security priority.

16 September 2004

Flawed FAA system: Operational Risk Super-Sized

The operational risk associated with process error is a major concern these days. Especially when a human is concerned with the continuity and safety of people flying every major airline in the Southwestern U.S.. According to several reports, an FAA worker did not update a flawed FAA system that handles critical communications between controllers and pilots.

The system that failed — a high-tech touch screen tool that allows air traffic controllers to quickly communicate with planes in transit — shut itself down at the Palmdale communications center shortly after 4:30 p.m. Tuesday after a worker did not complete required monthly maintenance.

Then, the backup system failed to work because technicians had rigged it improperly, FAA officials said.


When it comes to processes and the risks associated with them, a software system flaw such as this can cause tremendous business disruption at the minimum. It's the cost of human lives that gets situations like this as much news coverage as it has garnered already. The more interesting news is that these kinds of operational incidents occur in business daily and the public will never know about it. Unless they are on the magnitude of this event. ATM's shelling out too much money. Patients being prescribed the wrong drugs. Both are errors in the systems or processes associated with running a service business. What is more alarming and still yet on the brink of discovery is how much our rush to fix Y2K problems rushed our programmers in making shortcuts, eliminating proper security code at the application level and getting the applications online at the sacrifice of good quality assurance.

Don't blame the FAA. Blame the company they hired to develop the system at the lowest bid, and the highest cost to people who are exposed to it.

15 September 2004

Risk Mitigation Training in Prep for Ivan

Hey New Orleans, got Hurricane Ivan yet? RMS predicts from $4 to $10B in damages.

Business continuity plans are being exercised. People are evacuating. Now we wait for the storm surge that could put New Orleans under 20 feet of water. What about the cities North who will no doubt be experiencing tornados and other severe weather as Ivan roars across Alabama?

Hopefully the owners of buildings and critical infrastructures have provided their employees and tenants with risk mitigation training. For an example of what WTG Properties in Washington, DC has done on this very topic, see this client case. Teaming up with Operational Risk Management firm, 1SecureAudit, they provided their tenants and staff with the training, tools and resources they needed to survive a catastrophic event.

Let's just hope the owners in New Orleans have done the same to prepare for Ivan.

14 September 2004

Cyber Extortion Study is complete...

The Heinz School at Carnigie Mellon has finished it's survey on Cyber Extortion and some of it's findings are surprising.

Companies are still slow to implement preventive strategies and only 21% of the companies surveyed have formal education programs for their employees. Even more shocking is that 63% have not performed a security assessment in the last six months.

Although cognizant of the most commonly perceived security threats and countermeasures, (The most common types of attacks and misuse as reported by the participants of the CSI/FBI survey were virus attacks, unauthorized access and web use by insiders, and denial of service attacks. Ibid) businesses relying on IT often do not address one of the most complex and potentially damaging exposures: Cyber-extortion.

This research has two goals: First, generate the first academically available statistics on the advent and threat of cyber extortion against small and medium sized businesses. Second, create immediately usable guidelines for organizations that may be "at risk" to extortion. The guidelines will describe the most common methods extortionists use against their targets, how to ready your information infrastructures against this, and what to do if you become a victim of extortion - regardless if you plan to work with law enforcement or not.

13 September 2004

Malicious Code: Managed Mail Protection Emerges

When the image contains text you might be vulnerable to a new scam online. This new advertising headline may soon be in vogue, Malicious Code: Managed Mail Protection Emerges.

In a new wave of phishing variants, companies like Citibank are constantly making changes in their systems to adapt to the new online threats from new malicious strategies.

"We continually modify our systems to enhance safeguards for our customers," said a spokesperson for Citibank, a unit of Citigroup Inc., in New York. "It is also important that consumers be aware of these issues and act appropriately."

While individual filtering tools from large vendors have proved largely powerless against the new threat, some security vendors are preparing help in the managed e-mail model as well.

McAfee Inc., of Santa Clara, Calif., will launch a Managed Mail Protection service for small and midsize businesses. The service, which may be extended to large enterprises in the coming months, comprises anti-spam, anti-virus and content filtering. All inbound e-mail goes through McAfee servers before it hits the customer network.

11 September 2004

Third Anniversary of 9/11

As We Mark The Third Anniversary of 9/11 one can imagine how the world will be in the next three years. A globe pock marked by terrorist incidents. Russia, Malaysia are of recent headlines. How soon will the terror strike the US again? Many say before the election and only then will we have what we need to reinforce what work has already been accomplished, and will never be completed.

The people of the free world know in their hearts that the struggles of real estate and religion will continue for decades to come. Only those who are proactive, preventive and aware of the continuously changing threat will survive.

God bless us all.

08 September 2004

PWC Study on Risk...

PricewaterhouseCoopers has found the Ten Attributes they say leads to a world class risk management organization:

• Pay equal attention to quantifiable and unquantifiable risks
• Identify, report and quantify all possible risks
• Let an awareness of risk pervade the enterprise
• Make risk management everybody’s responsibility
• Avoid products and businesses the enterprise does not understand
• Accept that uncertainty exists
• Monitor your risk mangers
• Good risk management delivers value
• Define and enshrine your company’s risk culture.


They also say that reputational risk is the greatest threat in financial institutions. Phil Rivett, global leader, banking/capital markets group, PricewaterhouseCoopers said: “Financial institutions have made significant strides since our last risk management survey two years ago, but our latest findings have revealed that too many organisations are still concentrating on calculating market and credit risk to a further order of accuracy and too few on understanding the totality of the risks they face in order to give themselves a competitive advantage.

07 September 2004

The Wheel of Misfortune

What are some classic cases of operational risk out of control? Check out The Wheel of Misfortune.

One of the best ways to develop risk awareness is to learn from others' mistakes. The Wheel of Misfortune contains instructive case studies of a dozen infamous financial disasters.

Each case study includes a description of the event, an analysis of what happened and exactly what went wrong, and the risk management lessons to be learned.


Your organization could do the same by creating a learning tool for existing and new employees. After all, the best way to keep awareness at a high level is to consistently place reminders about lessons learned.

03 September 2004

WPA2 standard reduces risk...

The new wireless networks in your enterprise are now becoming more secure as a result of the WPA2 standard,says the Wi-Fi Alliance.

WPA2 is ideally suited for enterprises in both the public and private sectors," said Frank Hanzlik, Wi-Fi Alliance managing director. "Products that are certified for WPA2 give IT managers the assurance that the technology meets interoperability standards and in turn helps them manage support and deployment costs."

The 802.11i standard has components of WPA2 already embedded in it and should make the enterprise Wi-Fi solutions finally worth considering on a more enterprise scale. Those organizations who have already deployed previous standards are wide open to vulnerabilities and interception of their sensitive data transmissions.

02 September 2004

The summer of 2004...

The Terrorism Risk Insurance business is on the rise according to a recent Marsh Report on Terrorism Risk. The percentage of policy holders who buy terror coverage increased from 44% to 46% by midyear.

In November 2002, President Bush signed the Terrorism Risk Insurance Act (TRIA) into law. TRIA made it illegal for providers of property & casualty (P&C) insurance to exclude terrorism coverage in their policies. Still, the act did not specify how much insurers could charge for the coverage, and as a result, the price for TRIA coverage varied greatly.

The summer of 2004 will continue to be a prime window for the “What if” discussions of potential terrorist attacks on United States assets located domestically or abroad. It is important to remember several key items as we move into more proactive, preventive and preparedness modes within our global organizations and U.S. based business communities.

The soft targets for these catastrophic plans by our terrorist enemies will continue to focus on the places, events and structures that will provide the most impact, both in loss of life and the long-term economic impact. Based on analysis by RMS in their latest Catastrophe, Injury and Insurance study, the study looks at those cities with the highest density of population at 2:00PM. In the RMS report, New York, Chicago and Washington DC are the top three cities in the US for potential impact of a terrorist incident. San Francisco, Boston, Philadelphia and Los Angeles are next in the line up of populations that are the highest density within several miles of the city center.

The five factors for anti-terrorism threat analysis are Existence, Capability, History, Intention and Targeting. Further defined as follows:

1. Who is hostile to the asset?
2. What tools/weapons have been used in carrying out past attacks?
3. What has the threat element done in the past and how many times?
4. What does the potential threat element or aggressor hope to achieve?
5. Do we know if an aggressor is performing surveillance on our building / asset?

When answering these questions for your particular building, city, business park or community you should keep in mind the goal of our attackers. They want to do the most harm to the most number of people for the longest period of time. While we may not be able to totally prevent a planned incident from happening, we can reduce the impact on our personnel, property and business operations.

01 September 2004

Frances Slams Allstate's stock

Frances Slams Allstate's stock upon fears that the hurricane is going to make landfall any day in Florida.

Shares of Allstate Corp., Ace Ltd. and other insurers fell today as Hurricane Frances approached the Florida coast, threatening to become the second storm packing 140- mile-per-hour winds to hit the state in three weeks.

The impact to the bottom line goes far beyond just the claims by it's customers. In this case, the institutional investors are taking a profit after a 50% increase over the past 18 months.

The other possibility is that they may already be "stretched" after hurricane Charley. Should Frances make landfall in Florida with its current wind strength, it would mark the first time since 1915 that two storms of that magnitude hit the U.S. in the same year, the Miami- based hurricane center's data show.