24 December 2004

Season's Greetings and 2005...

Season's Greetings, and in 2005 we must all look for ways to gain more wisdom and to further develop the methods and systems for keeping our most precious assets safe and secure.

We have learned a tremendous amount of new Operational Risk knowledge in 2004. As we celebrate the holiday season and move into 2005, it is imperative that we reflect on what we have learned. We must take this newfound knowledge and use it to mitigate the ever-changing threats to our institutions, organizations and business units.

We are reminded of the great book by Stan Davis and Jim Botkin titled The Monster Under the Bed. They talk about how Knowledge is information put to productive use. And they talk about getting from knowledge to wisdom.

Wisdom: The ability to judge soundly and deal sagaciously with facts, especially as they relate to life and conduct; knowledge, with the capacity to make due use of it; perception of the best ends and the best means; discernment and judgment...


Operational Risk Management is about knowledge management and more. It is about learning with the goal of gaining and retaining wisdom. It is about using advanced methods and technologies to detect threats far in advance so that the proper risk mitigation strategies can be put in place. Operational Risk Management is still an evolving discipline in our corporate institutions only because we have not yet agreed on the exact taxonomy and definitions for each facet of its breadth and depth. Once we do this, it will become more pervasive across most aspects of business every day. From the mail room to the board room, we will see Operational Risk Management having an impact on our collective "Wisdom".

22 December 2004

Whistle-blower laws go global...

As the U.S. recovers from yet another accounting scandal at Fannie Mae, other countries are getting on board with the Sarbanes-Oxley Act.

Japan is considering a new whistle-blower law if a local worker has his way in court.

A JAPANESE executive allegedly forced to weed the company car park for 30 years is at the centre of a major shake-up in corporate whistle-blowing law.

Tomorrow a district court in Toyama will hand down a verdict that could shape Japanese business practice for years to come. If Hiroaki Kushioka is successful in his suit against his employer, Tonami Transportation, the way could be open for startling revelations from within corporate Japan. If he fails, the culture of bullying and cover-ups will be given a tacit vote of support. The Kushioka case comes as Japan is preparing a massive overhaul of its legal treatment of whistle-blowers.


Fannie Mae executives may be some of the first to be successfully prosecuted under the laws in the U.S. that require companies to set up a whistle-blower program. It seems that Mr. Kushioka is finally getting his revenge for ratting on workers over 30 years ago thanks to the trend in improving corporate governance across the globe.

20 December 2004

External Events: Legal Liability

Pfizer has 10% of its revenues coming to a halt as a result of the Celebrex warnings about its link to a greater risk of heart attacks.

Pfizer Inc. said it would immediately stop advertising arthritis drug Celebrex to consumers after a study showed that high doses were associated with an increased risk of heart attacks, according to a published report.

The suspension of advertising is indefinite and includes television, radio, newspaper and magazine ads and other promotions to consumers, The New York Times reported on its Web site, citing Pfizer spokeswoman Mariann Caprino. Some magazine ads may appear for a few more weeks because of the long lead time of magazine advertising, she said.


If the Merck scenario with Vioxx is any indicator of the legal implications then Pfizer can also expect a series of class action suits to follow.

17 December 2004

Who is the right choice for the US DHS Secretary?

In the rush to get someone into the job, most high level qualified candidates have already said no and the current US administration is scrambling after the Kerik affair. So who is the best candidate for the next US Secretary of the Department of Homeland Security?

What the country needs is a career CEO, not a cop, a lawyer or a politician. Think about what this job is all about and you can see that, with over 170,000 employees and warring business units competing for a finite budget, it is going to take someone from private sector business who also understands security.

The kind of security that we have been focused on for the past three years is the physical side of homeland security more so than the intelligence side of the equation. And now, with the new Intelligence Act signed and sealed, it's about time we hired someone who truly understands the fusion of data, information and knowledge into the "wisdom" that this job demands.

We already have plenty of cops on the streets keeping their eyes and ears open. What we need now is someone who can get all of the DHS business units working in "concert" and, more importantly, working with the DOD. Homeland Defense is gearing up more than you know, and Northern Command is now expanding its reach beyond its traditional borders.

Our prediction is that someone will emerge from the ranks of the private sector to take on this enormous task of getting all of the pieces of the "Homeland Security" puzzle put together. Let's also pray that they understand the difference between Phishing and Fishing. In that case, look hard in the financial services sector.

15 December 2004

Tower Group Study: $362.B for Financial Services IT

The latest Tower Group Study says spending will be up to $362.B with 72% in North America and the EU.

Tower said consumer banking will dominate spending globally. The firm predicted that consumer spending will continue to represent the largest share of IT spending while wholesale banking will experience a continued recovery during the year.

As for the securities and investment industry, TowerGroup projects IT spending in the segment will grow four percent during 2005, partially driven by a return to markets by investors who were burned by declining stock markets a few years ago.

14 December 2004

People Risk: Avian Flu

The Gartner Group has determined that its clients need to prepare for the Avian Flu pandemic that the World Health Organization (WHO) is discussing as a possibility.

On 13 December 2004, health leaders from around the world met in Geneva to discuss the potential threat posed by the predicted future mutation of avian influenza into a highly contagious and virulent form that could quickly pass from person to person. The World Health Organization (WHO) has warned that avian flu variant H5N1 ("bird flu") could combine with an influenza strain already contagious in humans to cause a pandemic that might kill millions of people. H5N1 has been found in poultry in 11 Asian countries. Attempts to eradicate the disease have not succeeded, despite the destruction of 100 million birds. To date, 44 human cases of avian influenza have been reported, all in Thailand and Vietnam. Most of the victims had direct contact with birds; 32 of the victims died.


The difference between this virus and the digital type is that this one can take out key personnel, and that requires a whole different contingency planning mindset.

Recommendations:

* Use scenario planning to understand and prepare for the possible impact on your business.
* Make your workforce aware of the avian flu threat and the steps you are taking to prepare for it.
* Assess your business continuity preparedness and try to improve it.
* Assign someone in your business to track biological threats such as avian flu. He or she should regularly review business continuity plans and update them in response to new information.
* Establish or expand policies and tools that enable employees to work from home, with broadband access, appropriate security and network access to applications.
* Expand online transaction and self-service options for customers and partners.
* Work with customers and partners to minimize disruption by developing coordinated crisis response capabilities.


While these are great recommendations from Gartner, I think most savvy contingency planners might give a big yawn reading them over.

13 December 2004

ORM: Systems Integration Challenges

In Deloitte's 2004 Risk Management Survey, more than half of the respondents say integration of systems to handle Operational Risk is a big concern. More Chief Risk Officers (CRO) have been hired and are reporting directly to the CEO or the Board of Directors.

Operational risk management - according to the survey, operational risk management (ORM) continues to be a relatively new and developing field compared to the more established risk management disciplines, with the majority of respondents still in the beginning stages of implementation. However, the survey shows an increase over 2002 in the number of firms that have established ORM programs. The capability of ORM systems continues to be a challenge for a substantial majority of respondents who indicated that at least some improvement in functionality is needed.

Risk systems and technology - while information technology is considered to be the key enabler of a risk management architecture, respondents report a host of continuing challenges in developing adequate risk systems. More than half (52 percent) cited a lack of integration among systems as a major concern and 42 percent cited it as a minor concern. Lack of flexibility and scalability as well as performance issues were also noted as key challenges. Improving regulatory related systems capabilities and implementing operational risk management and advanced credit risk systems were the three highest priority items cited by respondents in the systems development and technology area.


"Financial institutions are recognizing the need for strong risk management governance, now more than ever," said Jack Ribeiro, managing partner of Deloitte's Global Financial Services Industry practice. "They are responding to increased expectations from regulators, counterparties, the public, and others to ensure sound governance of their risk management programs."

09 December 2004

The Most Feared Words in the Boardroom...

"You have been indicted." This Boardmember article by Peter Higgins of 1SecureAudit articulates the essence of an effective OPS Risk compliance program. Even today it is a great reminder of why ethics and education are key components of an effective system.

Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an "effective program to prevent and detect violations of law."

The Guidelines contain criteria for establishing an "effective compliance program."

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

* Systems for monitoring and auditing
* Incident response and reporting
* Consistent enforcement including disciplinary actions


Yet the corporate incivility continues. Why is it that we can’t pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Herein lies the question many Boards of Directors are scratching their heads about these days: how can we avoid these ethical and legal dilemmas, and how can they be addressed without creating a state of fear and panic?

The answer lies in the human factors of what motivates people’s behavior. This requires programs, controls and good old-fashioned vocational counseling. However, the real fact is that all of these alone will not be able to stem the tide of corporate malfeasance.


07 December 2004

ERM: Here to stay...

Last summer Scott Berinato penned this article. It sums up the many facets of Enterprise Risk Management (ERM) and the challenges for the CIO. As a CIO, he should know, right?

Are you on board with enterprise risk management? You had better be. It's the future of how businesses will be run.

What would you do if, two months after your company went public, one of the two major markets you sell products to simply vanished? If, in the span of seven days, $500 million in sales just disappeared?

Would you throw your hands up and say, No one could have foreseen the events of 9/11, and then just stand by as the company tore off a half-dozen bad quarters? Would you just absorb the discomfiting cuts to your budget and your staff, and eschew any strategic plans you had set up to help the business grow, because, well, no one could have been prepared for such a catastrophe?


ERM is hard work. Not to sound too much like the last GOP campaign, which had a similar sound bite, "We are workin' hard", but Enterprise Risk Management is a culture shift, and also one found in an old project manager's tool kit called "Change Management".

So Why Now?

Just why ERM is important now is complex, but the reasons include IT as a primary risk to operations.

First, several macro-trends have accrued to expose operational risks to the business from IT that in the past were blissfully ignored. Start with Y2K - the realization that IT systems we depended on were vulnerable. Then came 9/11 and the (literally) thousands of risks to businesses that it exposed. Computer viruses have continually interrupted work, illuminating the risks of using bad software. More recently, the risks to a corporation's reputation have announced themselves in the form of massive thefts of personal data. There is, of course, terrorism, political unrest, war and weather, among other global risks to consider.

The reason these risks are suddenly being accounted for is because the systems are becoming ever more critical. Today, one bad IT decision can severely hamper - or even take down - a company.

The second factor driving ERM now is the regulatory environment, along with efforts within some industries to protect companies from the volatile global business environment.

For example, the Basel II Accord, an effort spearheaded by the Group of 10 countries' leading financial services stakeholders, dictates that by year-end 2006, a financial services company must carry a predetermined amount of capital to offset the level of risk found in the company, as determined by guidelines in the Accord. Unlike the first version of this regulation from 1988, Basel II addresses not just capital risk, but also operational risk, including the risks IT systems create for the company. In other words, it mandates some form of enterprise risk management.

Likewise, the Treadway Commission's Committee on Sponsoring Organizations (COSO), a voluntary private-sector organization formed in 1985 to combat fraudulent financial reporting, produced an enterprise risk management framework. The Information Systems Audit and Control Association (Isaca) developed Cobit (the Control Objective for Information and related Technology), a document that also lays out how to set up an enterprise risk management framework. Both are efforts designed to jump-start the use of ERM in corporations.

Of course, there's Sarbanes-Oxley too. While not the engine driving ERM, Sarbox might be the spark plug. CEOs, after all, don't want to go to gaol. Says David Weymouth, CIO of Barclays, the UK-based financial services company: "We've spent something like £136 million on a regulatory program. Non-compliance is a huge risk we need to manage."


The bottom line is this. Operational Risk is old and it is new. It is not something to be ignored and underfunded. It's constantly changing and requires exceptional people, processes, systems and technology to make it work.

06 December 2004

Phishing moving to prime time...

With an estimated 4.5 million "Phishing" attacks last month now being reported by MessageLabs, our customers and clients need to be even more aware of this growing threat. This is especially true since the Phishers have figured out how to extract valuable information without someone clicking on a hyperlink in the email itself.

The boom in phishing attacks -- spam that masquerades as messages from legitimate companies that tries to dupe users into divulging confidential information, such as bank or credit card account numbers -- has been phenomenal. MessageLabs tracked a mere 279 phishing e-mails in September 2003, but a year later, monitored over two million in the same month. During November 2004, MessageLabs tallied a whopping 4.52 million phishing-related messages.

And if you think that's bad, wait until next year, said Natasha Staley, an information security analyst with U.K.-based MessageLabs. "Phishing is really only 12 to 18 months old. It's not even in its prime."

Phishers, who are believed to be composed primarily of organized criminal gangs, many of them based in central and eastern Europe, including the republics of the former Soviet Union, are quickly refining their techniques, added Staley, to make their bogus messages even more enticing or effective.


You have to have diligent awareness campaigns for your customers, members and clients if you are going to mitigate the risk of operational losses. Banks, e-commerce sites and any other big brand on the net are being targeted by a growing criminal element.

03 December 2004

H.R. 4830 - Private Sector Preparedness Act of 2004

What is H.R. 4830?

A bill introduced last summer in the U.S. House of Representatives to amend the Homeland Security Act of 2002 to direct the Secretary of Homeland Security to develop and implement a program to enhance private sector preparedness for emergencies and disasters.

Program Elements - In carrying out the program, the Secretary shall develop guidance and identify best practices to assist or foster action by the private sector in--

(1) identifying hazards and assessing risks and impacts;
(2) mitigating the impacts of a wide variety of hazards, including weapons of mass destruction;
(3) managing necessary emergency preparedness and response resources;
(4) developing mutual aid agreements;
(5) developing and maintaining emergency preparedness and response plans, as well as associated operational procedures;
(6) developing and maintaining communications and warning systems;
(7) developing and conducting training and exercises to support and evaluate emergency preparedness and response plans and operational procedures;
(8) developing and conducting training programs for security guards to implement emergency preparedness and response plans and operations procedures; and
(9) developing procedures to respond to external requests for information from the media and the public.


Congress has made the following finding:

Identifying standards and best practices is necessary to promote emergency preparedness by private sector organizations, in addition to educational activities to effectively communicate such standards and best practices.


As business waits for this bill to get out of committee, business leaders around the country are not standing around. They realize that contingency planning and continuity of operations are imperative for their business survival. We can only hope that no one is waiting around to find out which standards body or best practices authority will be named. Let's pray that the private sector has gone beyond developing plans and is now exercising Corporate Emergency Response Team (CERT) training in all the facilities deemed to be soft targets. Without this, we will certainly not be as ready as we could be. And once we have trained and tested numerous times, we will know what to improve and how to change the procedures accordingly.

01 December 2004

Some SOX relief for smaller firms...

US companies with a market cap between $75 million and $700 million will get a 45-day extension for compliance with SOX (Sarbanes-Oxley Act of 2002). According to the SEC statement:

The online statement quoted SEC Chief Accountant Donald Nicolaisen, saying: "The Commission is sensitive to resource constraints at accounting firms and at smaller public companies, and is taking this step to facilitate the successful and effective implementation of the Section 404 internal control requirements." Alan Beller, director of the Division of Corporation Finance, added that the exemption should "encourage companies to file important information for investors, including audited financial statements, on a timely basis, while providing an appropriate accommodation for internal control reports."

Eligible companies now have 45 days after the expiration of their 75-day reporting window to add the required management reports on internal controls, along with auditors' comments, the SEC said. The PCAOB's ruling allows auditors to sign off on internal control reports at a later date than financial reports. The temporary rule is expected to be in effect until July 15, 2005.