29 October 2004

Threat Detection & Management...

Robert Young Pelton's Travel Tips may be common sense. These are also the type of tips you get from those expensive executive seminars where no one ever gets out of their seat for two days.

If you are going to take an attitude of really protecting your organization's most valuable assets, then you have to train your people in real-life scenarios. The goal is to overcome the panic modes and replace them with smart actions that save your life and your company's precious information.

For those who travel on business into regions of political or religious instability, it should be company policy that each individual travel with at least one experienced partner. Also essential is that both have gone through extensive hands-on training to detect surveillance as well as to manage emergency situations with smart decisions. For more on this visit: Threat Detection & Management

27 October 2004

Compliance and outsourcing: Oil and water or fine vinaigrette?

John and Stan could not have said it any better....

By John Van Decker and Stan Lepeak
10 May 2004 | Meta Group

One common misperception that still survives in the market is that existing outsourcing audit mechanisms, primarily the SAS 70 audit, are adequate for SOX compliance. The growing consensus is that even an SAS 70 Type 2 audit may not prove enough for SOX. The SAS 70 standard was developed long before SOX regulations and was not designed to focus on the type of controls that SOX addresses. In addition, there have been no requirements for users to request an SAS 70 audit, and many have not. One SAS 70 audit could potentially suffice for multiple clients of an outsourcer, whereas with SOX compliance, this is likely unacceptable. We are seeing more cases where aggressive/thorough clients are demanding additional controls and documentation beyond an SAS 70 Type 2 audit to enable what they estimate is "good enough" SOX compliance. It is not expected that the PCAOB will define requirements above and beyond an SAS 70 for SOX compliance until later this year.

A final challenge to SOX compliance that affects outsourcers is interenterprise compliance. Users must approach process compliance holistically, covering insourced and outsourced processes, as well as intersection points and continuums of processes that span supply and service chains. For example, how can a user's controls account for the breakdown in a supplier's financial controls that could lead to a parts shortage, which could impact revenue/profits that would then require a timely disclosure? Clearly, organizations cannot address SOX compliance in an isolated fashion. Outsourcers have the added dimension of being intertwined in multiple clients' compliance efforts across multiple process areas. This in itself increases the outsourcer's risk and demands greater focus on enabling compliance, for its own sake as much as its clients'.

Bottom Line: Business process and IT outsourcing currently do not mix well with SOX and related compliance requirements. However, outsourcers and their clients cannot wait for regulatory clarification and must define, document, and rationalize interim best-faith efforts for gaining and evidencing SOX compliance for affected outsourced functions and processes.

26 October 2004

Systems: Data Quality Risk...

The quality of data is becoming a risk management issue again, according to this latest banking study of 1,700 banks in 63 countries. Sarbanes-Oxley and Basel II are helping CIOs increase their budgets, yet the study finds that data quality is still one of the biggest operational risks.

The survey quizzed banks about eleven key topics involving reference data management and risk management and shows that financial institutions worldwide are making considerable efforts to deepen their data management and increase data quality.

These efforts are being driven, besides cost pressures and increased transaction volumes, by regulatory requirements such as Sarbanes-Oxley and Basel II, which will be implemented in more than 100 countries within the next few years. "The results show that companies realize the close connection between comprehensive data management and efficient risk management," explains Martin Buchberger, head of marketing at AIM Software.

Workflow management is a key concern, and 54% of the respondents plan to spend money on this software as it is a vital component in managing operational risk. Furthermore, outsourcing and COTS solutions are outpacing proprietary development.

Looking further at standardization, 42 percent of the survey respondents plan to purchase an off-the-shelf data management solution or to buy and adapt a solution to their own needs. 26 percent of the respondents rely on proprietary development. "This is a significantly smaller proportion than in the past, when data management was still regarded as an internal core competency."

25 October 2004

Phishing goes Corporate...

Phishing is making its way inside corporations and represents a new threat from hackers.

The ploy is to send an email that looks like a legitimate notice about upgrading a software component or a Windows program. The link leads to the hacker's site, which then downloads the malicious code.

“Companies must make their employees understand their role in improving security within the organisation,” he said.

A proper security policy must also be in place and the role of each individual who manages the security policy must be clearly defined, he said.

It must also be made clear to employees that the security policy is in place for their protection and not just for the company.

And finally, companies must be prepared for the worst. There should be an incident response team should the company's security be compromised."
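The "upgrade notice" ploy described above leaves traces that a mail gateway or a help-desk analyst can check before anyone clicks. The following is an added example, not code from the original post: it parses a raw message with Python's standard library and reports the classic indicators of a spoofed vendor notice (Reply-To pointing at a different domain than From, anchor text that shows one host while the href goes to another, a link target outside the vendor domains the company actually deals with, and a direct download of an executable). Both e-mails and the trusted-vendor list are constructed for the illustration; a real deployment would take the allow-list from the organisation's own records.

```python
"""Heuristic triage of a suspected "software upgrade" phishing e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: vendors the organisation legitimately receives upgrade notices from.
TRUSTED_VENDOR_DOMAINS = {"microsoft.com", "example-vendor.com"}

# Constructed sample: looks like a Windows notice, but the link goes elsewhere.
SAMPLE_EMAIL = """\
From: "Windows Update Team" <update@microsoft.com>
Reply-To: support@micros0ft-update.net
Subject: Critical security upgrade required
Content-Type: text/html

<html><body>
<p>A critical upgrade for your Windows component is available.</p>
<p><a href="http://micros0ft-update.net/patch.exe">http://windowsupdate.microsoft.com</a></p>
</body></html>
"""

# Constructed sample of a notice that should pass cleanly.
LEGIT_EMAIL = """\
From: "Release Team" <releases@example-vendor.com>
Subject: Version 4.2 release notes
Content-Type: text/html

<html><body><p>See the <a href="https://example-vendor.com/notes">release notes</a>.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname; adequate for the .com/.net samples used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def host_of(value):
    """Hostname of a URL, or of bare text that looks like one."""
    return urlparse(value if "://" in value else "http://" + value).hostname or ""


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators; an empty list means none were found."""
    msg = message_from_string(raw_message)
    indicators = []

    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = registered_domain(from_addr.split("@")[-1]) if "@" in from_addr else ""

    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in reply_addr:
        reply_domain = registered_domain(reply_addr.split("@")[-1])
        if reply_domain != from_domain:
            indicators.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    payload = msg.get_payload(decode=True) or b""
    collector = _LinkCollector()
    collector.feed(payload.decode(msg.get_content_charset() or "utf-8", "replace"))

    for href, text in collector.links:
        href_domain = registered_domain(host_of(href))
        # Visible text that itself looks like a URL but names a different host.
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I):
            text_domain = registered_domain(host_of(text))
            if text_domain and text_domain != href_domain:
                indicators.append(f"Link text shows {text_domain} but href goes to {href_domain}")
        if href_domain not in TRUSTED_VENDOR_DOMAINS:
            indicators.append(f"Link target {href_domain} is not a trusted vendor domain")
        if href.lower().endswith((".exe", ".msi", ".scr")):
            indicators.append(f"Link downloads an executable: {href}")
        if from_domain in TRUSTED_VENDOR_DOMAINS and href_domain != from_domain:
            indicators.append(f"Claims to be from {from_domain} but links to {href_domain}")

    return indicators


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("-", line)
```

The checks are deliberately header- and link-based because, as the post says, the user is the target: the message itself is well-formed and carries no exploit, so a gateway that only scans attachments sees nothing. Run against the constructed sample it reports five indicators; the legitimate notice reports none.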

22 October 2004

SOX a Ticking Time Bomb?

In the latest issue of Corporate Board Member you will find some very interesting statistics and comments. This one got our attention:

Is That A Ticking Clock Or A Time Bomb?

Has meeting Sarbanes-Oxley's requirements left directors enough time to think about other issues?

The answer is yes, but only because you're spending more time on the job than ever before.

The SOX Factor
Do directors think Sarbanes-Oxley has created an environment where management is so distracted that company performance will be affected?

No: 44%
Not Sure: 36%
Yes: 20%

I would say that over one third don't know, don't care or are too scared to really find out. One fifth think that performance will be impacted. That leaves the remaining 44% feeling confident that SOX will not affect corporate performance. Let's just hope that the "No" voters really do know that this is the case.

19 October 2004

People: Travel & Safety...

Travel risk to corporate executives is on the rise. Even if you are not an executive who can afford the services of personal body guards and armored cars, there are some prudent ways to mitigate the risk of traveling to the global hot spots.

Travel safety is becoming more of a mainstream issue with savvy operational risk managers. In fact, new firms are emerging, founded by former FBI and other law enforcement heavyweights. The fact is, most of these so-called travel safety courses are being taught from only one side of the equation.

Today, CSOs are often tasked with building their company's corporate travel safety programs. The job calls for a proactive approach to educate employees about precautions they can take to stay safe, whether they're the CEOs of multibillion-dollar conglomerates who fly on company jets that land on secured tarmacs or rank-and-file staff riding in commercial airline coach.

Business has to be done in some of the most dangerous places on the planet, even where that means exposure to kidnapping, terrorism and corrupt governments. Our advice is to make sure your instructor transfers skills to people on "how" to detect, deter and defend against the attackers, not just "what to do".

For the real difference, visit: Threat Detection & Management

18 October 2004

Business Performance & Basel II...

The Tower Group is urging banks to automate now in the midst of the Basel II momentum. While business performance has converged with Basel II, the key question is: what do Business Performance & Basel II have to do with my survivability as a money center bank?

Basel II introduces a convergent framework of risk management and controls that will encourage banks to invest wisely in IT and improve the efficiency of their business operations. Banks that adopt effective enterprise risk management platforms will reap business benefits that go well beyond regulatory compliance.

Knowledge Management is coming to banking in a way that the bean counters never imagined. With the focus on Operational Risks, the only way to be able to correlate new threats with the current asset base is through automation.

The industry is now at the implementation phase of Basel II. Few banks have the perspective and resources to experiment and establish their own enterprise risk management models that include this new field of operational risk. Notwithstanding their attention to business continuity and reputational risk matters, most banks have still to inscribe operational risk procedures in the broader picture of business management and operational efficiency. Not only may banks improve their operational efficiency by streamlining business processes, but they also can tap important benefits in operational resilience, responsiveness and flexibility to innovate. By adopting automation models for integrated business and risk management, proactive banks may derive significant returns from a concerted enterprise approach.

15 October 2004

External Events: The Risk of Loss from Eliot...

What other risk will the financial services industry find to be more of a threat? With the latest litigation filed by the now famous Eliot Spitzer the insurance industry is in for the same treatment as Wall Street. Clean up your act.

The New York AG's suit against insurance broker Marsh & McLennan and other heavyweights may change the way the industry does business

America's biggest insurers have found themselves in the midst of a scandal that could change the very nature of the business. On Thursday, Oct. 14, New York Attorney General Eliot Spitzer charged Marsh & McLennan (MMC ), the huge financial-services firm and world's largest insurance broker, with fraud. In a civil complaint filed in New York State Supreme Court, Spitzer alleges that the firm engaged in bid-rigging, price-fixing, and accepted payoffs from insurers. Marsh's stock has plummeted -- it opened on Oct.14 at $46.01 but is trading on Oct. 15 at around $28.20, a drop of roughly 38%.

The scrutiny of the sales process at every insurer in the country has now begun. If you have a P & C policy on your building with Marsh, it might be worth getting a competitive bid now. This is going to be another lesson in Management 101.

14 October 2004

Operational Risk driving new spending...

The latest survey from PwC Asia paints a rosy picture for a rise in information security spending.

About 67 per cent of information technology executives in Asia say they will increase spending on security, compared with a global average of 64 per cent in PwC's survey of 8,000 companies conducted this year.

There are four key areas driving this and 1SecureAudit has already figured this out:





Gartner and IDC also have some interesting predictions for growth in these areas.

Worldwide technology spending, including on telecommunications, will grow by 5.4 per cent to US$2.38 trillion (HK$18.56 trillion) this year, according to research firm Gartner.

However, global spending on business continuity and IT security solutions, at US$70 billion last year, is growing much faster, and will reach US$118 billion by 2007, according to International Data Corporation figures.

Operational risks are at the heart of all of this growth, especially in Asia where Basel II is taking hold.

``Governance and compliance issues are driving the need for information security,'' partner Rick Heathcote said. ``In Hong Kong, we have observed that in order to comply with new laws and regulations such as Basel 2 [an international standard for capital requirements], personal data privacy laws and anti-money laundering obligations, companies are recognising the need for enhanced security and internal control.''

13 October 2004


There seems to be some discussion on whether the CFO should also act as the Chief Risk Officer.

These days, however, the risk management "tent" has grown into a "big top" called enterprise risk management (ERM). To be sure, the discipline should help companies cope with natural disasters, worker injuries, lawsuits against directors and officers, and other traditionally insurable perils, according to the long-awaited ERM framework issued late last month by The Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Believe me, the CFO is way too focused on getting the financials right to add the equally important tasks of a CRO. The next thing they will be asked to do is take on duties associated with the CIO. This has to end.

But there's a big obstacle on that rosy career path. If a single executive manages the potential upside as well as the possible downside of a company's moves, there's the chance that the executive's decisions might be overly biased. If the CFO/CRO is especially fond of taking risks, then the company might end up excessively exposed to disaster; if the officer is too risk-averse, opportunities could be missed.

That, apparently, was the reasoning of the Office of Federal Housing Enterprise Oversight (OFHEO) when it sharply criticized J. Timothy Howard's dual roles as CFO and CRO at Fannie Mae in a September report on the mortgage company's accounting.

The Board of Directors has figured this out in most savvy financial services companies already. In fact, the CRO may soon have more of a powerbase inside the executive management ranks than the Chief Financial Officer if the trend continues.

12 October 2004

Operational Risk Headlines...

The newspapers are full of headlines today displaying the operational risks we contend with in these volatile days ahead of the US Presidential election:

Oil Prices Reach $54, a New Record - New York Times

US seizes independent media sites - BBC News

UN watchdog concerned by disappearance of nuclear material from Iraq - UN News Centre

U.S. Subpoenas Chiron Over Flu-Shot Shortage - SmartMoney.com

Fannie Mae faces DOJ probe, 8 investor lawsuits - Reuters

Feds: Hurricanes devastated Florida's citrus crops - Ft. Wayne News Sentinel

Westar testimony will include lavish lifestyles - CNN

The Global 500 company is dealing with a myriad of operational risks. Those that have proactive risk mitigation and management systems will survive. The question now is what will happen once the new President of the United States is finally decided.

What will happen with the price of oil? The corporate governance enforcement? World Trade and Diplomacy? The only thing of certainty is that the outcome of the elections will not affect the weather. Prepare.

11 October 2004

IPR making headway...

The Special 301 process is gaining some new attention in the IPR battle. The WIPO conference in Geneva has also made some headway against the spread of intellectual property rights violations.

“Special 301” is the part of U.S. trade law that requires the U.S. Trade Representative (USTR) to identify countries that deny adequate protection for intellectual property rights (IPR) or that deny fair and equitable market access for U.S. persons who rely on IPR.

Under Special 301, countries that have the most egregious acts, policies, or practices, or whose acts, policies, or practices have the greatest adverse impact (actual or potential) on relevant U.S. products and are not engaged in good faith negotiations to address these problems, must be identified as “priority foreign countries.” If so identified, the country could face bilateral U.S. trade sanctions if changes are not made that address U.S. concerns.

The 2004 Special 301 report has identified 34 trading partners and placed them on the watch list.

China and Paraguay, due to their serious IP-related problems, are subject to another part of the statute, Section 306 monitoring, because of previous bilateral agreements reached with the United States to address specific problems raised in earlier reports.

07 October 2004

Beyond SOX: Keeping Up with Corporate Governance Changes

Most CIOs have been intimately involved in meeting Sarbanes-Oxley (SOX) deadlines and setting up auditing reporting processes. But if you're tempted to sigh in relief as your company becomes compliant - don't. Rather, this is the time to investigate the talk you've heard of "beyond SOX." As the reality of corporate boards' new accountabilities is played out, the CIO will be highly impacted. What specifically should you be doing now to keep up with fundamental changes in corporate governance?

The five things that A.T. Kearney consultants are recommending make some sense. The close kinship with EDS makes the items look like they were designed for a CIO. The point is that the IT organization has a tremendous responsibility to keep moving as fast as the business is changing. This by itself is a formidable task. The key to keeping the business in alignment with information systems is to make sure you have a robust Enterprise Architecture initiative.

For more on this visit: Adaptive

06 October 2004

U.K. - Insurers Threaten to Pull Terrorist Cover -Continued

In last month’s Survive newsletter Patrick Roberts commented on an interesting article in the Times about insurance companies proposing to deny cover for terrorist attacks to businesses unless they can demonstrate a satisfactory level of business continuity planning. In response to this, Peter Higgins from 1SecureAudit sent us a few thoughts from a white paper the company has written on similar subjects:

In order to introduce new changes in process or design that impacts the physical or operational aspects of critical infrastructures (to reduce terrorism risk), it is important to better understand how these change levers can provide the incentives for owners. Being forced is never as appetizing as being induced to do anything. In order for changes to take place, the environment must reward investments in preparedness and safety. Consistently the conversations are not about “if” something is going to happen, it is about “where” or “when” it is going to happen. Therefore, it is imperative we initiate a proactive hedge against the inevitability of a loss event occurring in the future. First however, we must understand the character of terrorism risk in critical infrastructure and some of the anti-terrorism tools currently available to help manage that risk.

The recognition by insurers that owners will continue to invest in terrorism risk reduction and building safety with the proper incentives is vital to overall risk management of critical infrastructures. The assessment of terrorism vulnerability in key structures identified as soft targets can be a key component of the rating of risk for a specific structure. In order for owners to benefit from the potential of reduced premiums from direct insurers they must be able to demonstrate a combination of risk mitigation measures and programs to help improve the survivability of the infrastructure or to reduce its vulnerability to certain threat profiles. These need to be exercised on a continuous timetable with extensive documentation, training and reporting.

In order for insurance brokers to accurately represent their buyers' mitigation programs and measures to the direct insurers they must have a foundation of knowledge about the structure's physical vulnerabilities. However, even more essential is the understanding of the operational and human attributes of the building that are contributing to the proactive tactics to prevent losses and further exposures to potential terrorism risk. If this step takes place, the insurers can better evaluate these operational and human elements to determine the value and effectiveness of these tactics so that they can be considered for premium reductions. The building itself, two miles from the White House, has little chance of moving outside the high-risk zone for terrorist events. The only methods for reducing risk exposures are to dramatically impact the operational and human elements of the building to mitigate hazards and increase the survivability of the people and systems that are resident. Insurance losses resulting from catastrophic events fall into several key areas:

• Property losses to the target building and adjacent structures, incurred by the owners themselves.

• Liability losses for claims due to inadequate procedures for evacuation or fire prevention incurred by building owners.

• Workers compensation, health and life insurance losses resulting from death or injury of tenants or visitors to the building.

• Business income and rent loss due to inability to occupy the structures incurred by tenants and owners.

• Financial losses by various lenders and investors in mortgage-backed securities associated with the mortgage notes themselves.

The real estate finance community and building owners associations have been subjected to a substantial debate since 9/11 about the exclusions of Terrorism Risk insurance. The real estate and lending environments in target cities such as New York, Washington, DC and Los Angeles have been in turmoil over the unavailability of terrorism risk insurance at reasonable prices.

Anti-Phishing Consortium created...A Risky Business

As the newest band of banks collaborate on Anti-Phishing strategies one can only wonder what they will do differently to mitigate this operational risk.

The Financial Services Technology Consortium, a financial-industry research group, said Monday that 11 financial institutions--which include Citicorp, J.P. Morgan Chase, Comerica, Visa USA, ABN Amro, KeyBank, Capital One, and University Bank--will define technical and operating requirements for counter-phishing measures, and clarify the infrastructure fit, requirements, and impact of technologies when deployed in concert with customer education, enforcement, and other industry initiatives. The consortium named Gene Neyer, managing executive of its Security Standing committee, to lead the initiative.

The banks' own FDIC has also been a recent target of this social engineering trend. Hopefully they will soon find out that these attackers are not using scripts, data taps or autonomous agents as their tools. A new generation of firewall will not stop this threat. These attackers are not exploiting vulnerabilities in the design, implementation or configuration of web services.

These attackers are using social engineering strategies and tactics to create the unauthorized result that they seek:

1. Increased Access
2. Disclosure of Information
3. Corruption of Information
4. Denial of Service
5. Theft of Resources

These attackers only have the following general objectives:

A. Challenge, Status, Thrill
B. Political Gain
C. Financial Gain
D. Damage

And the trend will continue to escalate as fast as new people are getting online. Think about all of the people over 60 in the world who are now moving to online banking and other e-commerce services. A whole new generation of naive kids getting on the Internet before they are in middle school are falling prey to the social engineers we sometimes call voyeurs.

It's a risk to be doing business on the web today. The strategies of these criminals have not changed. What has changed is that now they can do it from the other side of the globe, in countries whose cooperation our own FBI will continue to have trouble obtaining. This is one risk we will be living with for some time to come.

04 October 2004

CIO SOX Report Card

A recent study has found that 93% of the CIOs polled were clueless about their Section 404 compliance responsibilities under Sarbanes-Oxley.

"What they've failed to recognize is that 30-40% of a corporation's internal controls over financial reporting are information technology specific and that CIOs and other senior IT executives have a significant role in the process," he continued. "As a result, most corporate IT executives remain in the dark about their full responsibilities, even at this late stage, placing their companies at serious risk for failure. In fact, under the guidelines, if a company's CIO does not understand Sarbanes-Oxley Section 404 requirements, that alone demonstrates a deficiency in the control system."

Sarbanes-Oxley requires issuers of financial instruments in the U.S. - including all public companies whose shares trade on U.S. stock exchanges - to identify their significant financial accounts, the business processes that support those financial accounts and the applications and IT systems that support those business processes. Companies must then document and test the adequacy and effectiveness of controls at the financial reporting level, the application level, the IT infrastructure level and the IT management level. The deadline for the majority of public companies for Section 404 compliance is December 31, 2004.

Continuity of Business: Hurricanes Lessons Learned

As the estimates of the losses from the Florida hurricanes come in, it looks like they will exceed $22 billion.

The total economic impact is yet to be realized as this estimate is only the insurance claim payments estimate. Now that business has a better perspective on what being prepared really means, we should see some interesting Business Crisis and Continuity Management lessons learned here.

For example, how many organizations had their contracts in place with the diesel fuel supplier to replenish their back up generators after several days? Most prudent continuity planners would have such supplier arrangements already in place. However, if the supplier can't get to the business or their own plans have been disrupted then even the most well written contract will not hold up in the face of what happened over the course of a few weeks in Florida.

More importantly, the topic of outsourcing and redundant data centers continues to be a top strategic subject among COOs and CIOs as the operational risk events continue to surprise us. Let's just make sure that we take the time to exercise those plans and contingencies so that we go far beyond the contracts and actually test, learn and adapt.