29 June 2005

ERM Conference has a COSO bonus...

The Conference Board's 2005 Enterprise Risk Conference, to be held this fall, is focused on how to execute ERM in your company. Topics include:

* What Does your Board of Directors Need?
* How to Articulate and Develop Risk Appetite within your Unique Culture
* COSO in the Real World
* Managing and Coordinating Risk Management Roles
* From SOX Compliance to ERM Value
* Tools, Techniques and Approaches for Building a Sustainable ERM Program
* The Value Proposition for ERM: A Case Study
* Town Hall Session
* Quantitative Measurement of Operational and Strategic Risk: Fact or Fiction
* Integrating ERM into Strategy
* Integrating ERM with Performance Management

Mercer Oliver Wyman is the sponsor, and they certainly know risk management consulting. What is interesting about the conference is the location. The Financial District in New York City is "Ground Zero" for many of the risks any organization encounters these days, whether credit, market or operational.

What is really the call here?

This conference is intended for executives who need a better understanding of the roadmap for a strategic risk management program. The 2005 ERM Conference is intended for Chief Risk Officers and everyone charged with overseeing integrated risk management in their companies. Attendees at past conferences have included CROs, CFOs, General Auditors, strategy, finance and operating executives.

The session we see as most relevant at this two-day conference should be good for those CROs who are still unclear about COSO:

COSO in the Real World
Concurrent Session C1: 1:15 - 2:15 pm

COSO has provided the “standard” for enterprise risk management. We will talk about how companies are using the COSO guidelines and how they are adapting them for their companies. We will also learn the level of interest at corporations to follow COSO guidelines. Should you be thinking about this? How do you respond to board inquiries about COSO?

Jeff Cooper
Director, Enterprise Risk Management
Capital One Corporation

Greg Grieff
Enterprise Risk Manager
Chicago Mercantile Exchange Inc.

If you don't know about COSO, here is an Executive Summary.

27 June 2005

Audit Committee's Allies...

The Audit Committee and its chairperson are evolving into a significant "PowerBase" within our corporate ecosystems. What shareholders are demanding makes the Audit Committee even more important as the channel for reporting and communicating the true "State of Affairs".

Spencer Stuart has recently completed a study of 50 Audit Committee Chairs to get their perspectives.

The product of in depth conversations with a select group of highly respected audit committee chairs in Europe and North America, Global Fifty: Perspectives of Leading Audit Committee Chairs reveals how changing regulatory requirements have affected the functioning and composition of the audit committee, its interaction with corporate management and advisers, and audit committee recruitment. Specifically, the study examines:

* The audit committee's heightened role in assessing business risks
* The compliance demands of Section 404 and the business impact of the regulatory requirements
* The challenges to recruiting qualified audit committee members, including a discussion about the real and perceived increase in director liability
* Recommended practices for running an efficient and effective audit committee
* The elevated role of the internal auditor
* The potential long-term consequences of regulatory changes on the accounting profession

Having a diverse Audit Committee is a key component of having an effective team working on behalf of management and the shareholders. Beyond someone with a CPA or finance background, you need someone with operations and technology experience. They should not have an adversarial relationship with C-level management. If they do, it could be a sign that current management is under a higher level of scrutiny than it would like, or a signal that the Audit Chair is not getting the answers they need or is being blocked from getting the facts. Audit committees always need the ability to get answers to their questions quickly and without major hassles. Maybe even more importantly, they need allies to help them get those facts and answers as efficiently and effectively as possible.

A new breed of Audit Committee ally is emerging to take on the tasks the committee is not equipped to perform itself. These firms can bring substantial talent and resources to the table on a tactical basis. They are boutique consulting, audit and research firms, typically made up of former executives from large corporations, systems integrators or the Big Four accounting firms. They work in tandem with the Audit Committee Chair to get the answers, background and profiles that provide the bigger picture, and sometimes it is that bigger picture that provides the insight and information they require to do their job: to protect and preserve corporate assets.

For a look at one trusted firm, see Caveat Research.

24 June 2005

Negative Stock Price Reaction to Announcements of Operational Loss Events...

This paper by Cummins, Lewis and Wei tests an interesting hypothesis about operational risk and the market value of financial institutions.

The Market Value Impact of Operational Risk Events for U.S. Banks and Insurers

This paper conducts an event study analysis of the impact of operational risk events on the market values of banks and insurance companies, using the OpVar database. We focus on financial institutions because of the increased market and regulatory scrutiny of operational losses in these industries. The analysis covers all publicly reported banking and insurance operational risk events affecting publicly traded U.S. institutions from 1978-2003 that caused operational losses of at least $10 million - a total of 403 bank events and 89 insurance company events. The results reveal a strong, statistically significant negative stock price reaction to announcements of operational loss events. On average, the market value response is larger for insurers than for banks. Moreover, the market value loss significantly exceeds the amount of the operational loss reported, implying that such losses convey adverse implications about future cash flows. Losses are proportionately larger for institutions with higher Tobin's Q ratios, implying that operational loss events are more costly in market value terms for firms with strong growth prospects.
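To make the abstract's method concrete, here is a market-model event study run on constructed daily returns. It is an added illustration, not the authors' code or data: the alpha, beta, return series, market capitalisation and reported loss are all assumed, and the estimation-window returns are generated noise-free from the assumed model so the fit is exact.

```python
"""Market-model event study for an operational-loss announcement.

Added illustration of the method in the Cummins, Lewis and Wei abstract;
this is not the authors' code, and every number below is constructed.
"""
from typing import Dict, List, Tuple


def fit_market_model(stock: List[float], market: List[float]) -> Tuple[float, float]:
    """OLS fit of R_stock = alpha + beta * R_market over an estimation window
    that ends before the announcement, so the fit is uncontaminated by the event."""
    n = len(stock)
    if n != len(market) or n < 3:
        raise ValueError("estimation windows must match and hold at least 3 days")
    mean_s, mean_m = sum(stock) / n, sum(market) / n
    var_m = sum((m - mean_m) ** 2 for m in market)
    if var_m == 0.0:
        raise ValueError("market return has no variance; beta is undefined")
    cov = sum((m - mean_m) * (s - mean_s) for m, s in zip(market, stock))
    beta = cov / var_m
    return mean_s - beta * mean_m, beta


def abnormal_returns(alpha: float, beta: float,
                     stock_event: List[float], market_event: List[float]) -> List[float]:
    """Observed return minus the return the market model predicted for each event day."""
    return [s - (alpha + beta * m) for s, m in zip(stock_event, market_event)]


def cumulative_abnormal_return(ars: List[float]) -> float:
    return sum(ars)


# --- constructed inputs (hypothetical firm; not data from the paper) ---
ALPHA_TRUE, BETA_TRUE = 0.0005, 1.2          # the "true" model the sample is generated from
EST_MARKET = [0.010, -0.005, 0.004, 0.012, -0.008, 0.003, 0.007, -0.002, 0.006, -0.011]
EST_STOCK = [ALPHA_TRUE + BETA_TRUE * m for m in EST_MARKET]   # noise-free, so OLS recovers alpha/beta
EVENT_MARKET = [0.002, -0.004, 0.001]         # days -1, 0, +1 around the announcement
EVENT_SHOCK = [-0.015, -0.030, -0.005]        # firm-specific reaction baked into the sample
EVENT_STOCK = [ALPHA_TRUE + BETA_TRUE * m + e for m, e in zip(EVENT_MARKET, EVENT_SHOCK)]
MARKET_CAP = 4_000_000_000.0                  # assumed pre-event equity value, USD
REPORTED_LOSS = 50_000_000.0                  # assumed announced operational loss, USD


def run_example() -> Dict[str, object]:
    """Fit on the estimation window, measure the event window, scale CAR to dollars."""
    alpha, beta = fit_market_model(EST_STOCK, EST_MARKET)
    ars = abnormal_returns(alpha, beta, EVENT_STOCK, EVENT_MARKET)
    car = cumulative_abnormal_return(ars)
    implied_loss = -car * MARKET_CAP          # market value destroyed over the window
    return {
        "alpha": alpha,
        "beta": beta,
        "abnormal_returns": ars,
        "car": car,
        "implied_market_value_loss": implied_loss,
        # > 1 means the market "priced in" more than the reported loss, the paper's key finding
        "ratio_to_reported_loss": implied_loss / REPORTED_LOSS,
    }


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

With these assumed inputs the three-day CAR is -5%, which on a $4 billion capitalisation implies $200 million of lost market value against a $50 million reported loss, a ratio of four. The paper's sample is large enough to attach statistical significance to such ratios; a single firm's CAR, as here, only illustrates the arithmetic.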

Here are a few other papers worth exploring on Operational Risk Management:

Implications of Alternative Operational Risk Modeling Techniques

Operational Risk in Financial Service Providers and the Proposed Basel Capital Accord: An Overview

22 June 2005

Operational Risk: Call Center Fraud

The risk of offshoring is rearing its head again as The Sun, the infamous UK tabloid, has uncovered call centre fraud in India affecting banks and other firms that outsource these operations.

City of London police are investigating allegations that a call centre worker in India sold the bank account details of 1000 UK customers to an undercover reporter, raising fresh fears about the security of customer data at offshore centres. UK daily tabloid The Sun claims a reporter was able to buy personal bank account details for £4.25 each from an IT worker in Delhi. The worker reportedly told the journalist that he could sell up to 200,000 names a month.

Let's review the benefits of BS 7799-2:2002 Information Security Management System certification:

· Supports compliance with legal, regulatory and statutory requirements including HIPAA, Gramm-Leach-Bliley (GLBA), Sarbanes-Oxley, California SB1386, 21 CFR Part 11, EU directives and many others

· Significantly reduces the likelihood and cost of security and privacy breaches, which can run to millions: lost information, downtime, internal and external threats, consumer-driven litigation and so on

· Demonstrates that a commitment to security and privacy exists at all levels and that all employees are educated on security and privacy within your business

· Provides your organization with continuous protection through a flexible, effective and defensible approach to security and privacy

· Reduces operational risk, since vulnerabilities are identified and mitigated through a repeatable risk assessment cycle

Here is another good lesson from the Information Security Forum, which frames outsourcing as a third-party access problem. Certification is evidence that the outsourcer runs a management system, not a guarantee against a bribed insider; the client still needs the contractual rights, such as audit and incident notification, that make that evidence checkable.

Section CB61 Third Party Access (Source: ISF)

To ensure that access to the application by a third party is only provided once a risk assessment has been performed and a formal agreement, such as a contract, has been established.

Standard of Good Practice:

Third parties (i.e. external organisations, such as customers or suppliers, and members of the public) that require access to the application should be subject to additional controls. They should only be granted access on completion of a satisfactory risk assessment and if supported by a formal agreement.

Risk assessments of third party access arrangements should take account of the:

· criticality and sensitivity of information and systems to be accessed
· relationship with prospective third parties (including the strength of their security practices) and the nature of the associated business process
· technical aspects of connection (including the effectiveness of IT infrastructure, access control mechanisms, methods of connection and any vulnerabilities in third party networks)
· obligations implicit in any agreements such as providing a third party with a reliable service or timely and accurate information. Agreements should be documented in a formal contract and approved by the business ‘owner’.

The contract should:
· oblige third parties to comply with good business practices and provide information about any security incidents
· clearly state the services to be provided such as the business practices to be adopted, timeframes for completion of transactions and an agreed process for resolving disputes
· specify agreed security arrangements, such as those for managing changes / incidents, restricting access and preserving the confidentiality of important business information
· include arrangements for ensuring that transactions cannot be repudiated
· protect intellectual property rights
· include the right to audit third party security arrangements.

Third party access arrangements should be reviewed periodically to ensure that risks remain within an acceptable limit.

The Information Security Forum (ISF): formerly known as the European Security Forum, the ISF has developed a standard of good practice for its forum members. The Forum’s Standard of Good Practice for Information Security is loosely based on British Standard 7799 and COBIT. It addresses 5 primary aspects of information security, 30 control areas and 133 control sections.

20 June 2005

US National Preparedness Month: September 2005

National Preparedness Month is planned for September 2005 in the US to raise awareness and get people to "Get Ready". It is the time to focus on an "All Hazards" approach to preparedness, and the American Red Cross and the Department of Homeland Security will be emphasizing just that.

“We are pleased to have the American Red Cross, which has long been a leader in emergency preparedness and response, co-sponsor National Preparedness Month 2005,” said Homeland Security Secretary Michael Chertoff. “The commitment of the American Red Cross and the members of National Preparedness Month Coalition are integral as we work to encourage all Americans to prepare for emergencies. As leaders in their communities, these organizations will help spread life saving information and move the entire nation toward a greater state of preparedness.”

National Preparedness Month will provide Americans with a variety of opportunities to learn more about preparing for emergencies, including natural disasters and potential terrorist threats. Events, activities, and messages across the nation will encourage individuals to get an emergency supply kit, make a family emergency plan, be informed about different threats and get involved in preparing their communities.

In support of this important national initiative, local, regional and national events are being planned. 1SecureAudit will be providing free webinars on how to create your own Corporate Emergency Response Team (CERT):

The 1SecureAudit Corporate Emergency Response Team Web Briefing will provide you with the Critical Success Factors to set up your own Emergency Preparedness Team and to make your business more resilient.

Preparing for unplanned interruptions has always been good business practice. Availability is the name of the game, and 1SecureAudit has been helping companies plan for and recover from interruptions of all kinds. Remember, any facility that acts as the primary location for business operations, whether it houses your people, your systems or both, must be addressed.

Briefing Topics include:

· How to set up your own CERT

· Benefits of CERT Implementation

· Resources available for free

· Critical Lessons Learned

The reasons why an organization may need to evacuate its offices are not always site-specific. Some causes, such as a fire or power outage, may pertain to the systems or facility itself, while others, like terrorism, are external in nature and equally unexpected. Regional events such as hurricanes, travel bans and business interruptions at other local facilities may not physically affect your headquarters, but they do impact the ability of your people to reach it.

What you may be doing already
Having a formal evacuation plan for the facility in place, as well as plans for staff to work from home or other company facilities.

Possible weaknesses in your plan
Untested plans might prove ineffective and chaotic. Alternate facilities may lack required equipment and access to systems and data. Notifications to key personnel must be real-time and redundant to ensure the correct message gets through every time.

Business Crisis and Continuity Management solutions from 1SecureAudit:

· Help you reduce or avoid revenue losses
· Prepare you for unplanned business crisis and disruptions
· Help you create Corporate Emergency Response Teams for the Enterprise
· Protect your mission-critical data with a resilient, redundant infrastructure
· Reduce downtime and increase employee safety and productivity
· Enable you to resume business and employee activities more quickly and cost-effectively following a disaster or other unplanned interruption
· Help you reduce the cost of Terrorism Risk Insurance premiums

To register for an upcoming CERT Webinar click here.

17 June 2005

DHS: GAO Report on Cyber Security...

The GAO report on the Department of Homeland Security's (DHS) Cyber Readiness is now out. The GAO Report Highlights are nothing new.

CNET's Charles Cooper's commentary on the subject is, to say the least, tired.

Will any of this light a fire in Washington? As a political issue, cybersecurity rarely leads the evening network newscasts. New legislation to establish the weighty-sounding position of Assistant Secretary for Cybersecurity may help. So might the passage of the DHS Cybersecurity Enhancement Act of 2005. (Money and authority never hurt.)

But a drumbeat of criticism nonetheless is growing in response to current events.

Maybe the new blood at DHS will take the criticism to heart and order a recalibration, because there's no time to waste. More than 1,000 new worms and viruses were discovered in the last six months alone. What's more, networks will run into more complex worms and viruses--some of which will be deployed by politically motivated hackers--in 2005 and beyond.

The point is valid, yet the private sector is ultimately responsible for its own risk management and mitigation when it comes to protecting vital systems and networks. Private companies already know this and don't expect DHS, or the government in general, to be able to do much about the threat. After all, look how resilient the Internet has become; the measures taken in design, redundancy and failover are already a proven factor. What isn't proven is that each private sector company with responsibility for the economic security of our nation has an "A" on its report card.

The fact is that when it comes to information technology, we are just bad housekeepers. Its complexity is part of the issue; the other part is that the majority just don't have any clue what goes into making it all work, 24/7. When you take the laptop home on the weekend and let the kids surf on AOL with it, you are setting up your company for more housework back at the corporate shop. Infections from spyware and malicious code carried in by plugging that laptop back into the corporate network have been slowed, yet every day the "Help Desk" rings with dozens if not hundreds of issues like this.

DHS doesn't put a priority on stemming the tide of script kiddies using tools like Metasploit. Its priority is finding, arresting and prosecuting the few who are stealing intellectual property, personal identities and government secrets. We can only hope Congress gives it the resources to make a real difference.

15 June 2005

D&O: A Board of Director's Check-Up...

In a recent presentation by NASDAQ Insurance Agency, President and CEO Bill McGinty had some wise advice: read your policies with extra care, and with your legal team at your side.

The Important Issues in Directors and Officers Liability Insurance

The Escalating Awards Issue – The average securities litigation settlement has escalated from $16 million to over $36 million. Are your insurance limits sufficient?

The Shared Limits Issue – Over the last decade, D&O policies have extended coverage to include protection for the corporation (“Entity Coverage”) as well as coverage for employment practices liability and even some Errors and Omissions coverage. The result has been a cost-effective program that has the effect of diluting the actual protection available to the Directors and Officers. In effect, the extension of coverage circumvents the original purpose of Directors and Officers Liability Insurance.

The Severability Issue – In the event of corporate misrepresentation, such as significant financial restatements rising to a level sufficient for rescission of the D&O policy, the innocent Outside Directors lose their policy protection along with the Inside Directors. The optimal situation is language ensuring that innocent directors are severed from the effect of rescission, making the policy non-rescindable as to them under certain conditions.

The Bankruptcy Issue – Bankruptcy courts have been considering arguments that D&O insurance proceeds are a corporate asset, and denying or delaying the use of insurance proceeds for the defense of Directors and Officers. Pre-set allocation of limits between the Corporation and the Directors and Officers provides some protection from the bankruptcy courts. A safer haven may be separating protection for the corporation from that for the individual Directors and Officers.

Other items on your D&O Checklist should include: (Source: NASDAQ Insurance Agency)

1. Aggressively participate in brokering your D&O Program.

2. Insist on direct meetings with insurance carrier underwriters

3. Investigate higher "Side A" limits (cost-saving strategy)

4. Learn the difference between the denial of a claim and rescission of your policy.

What is at issue here is plaintiffs' counsel recovering as much as possible for their clients, and that has included the personal assets of directors.

This article from Randy Myers at Corporate Board Member sums this up quite nicely:

Tim Burns, a partner at Neal Gerber & Eisenberg in Chicago says that you should always demand approval of the insurance and make sure your company doesn’t put off the purchase or renewal of D&O until the last minute, giving you less time and clout in negotiating coverage.

What if plaintiffs in a strong bargaining position insist—as happened with WorldCom and Enron—that they won’t settle without taking a piece of your hide? Burns has a possible way to work around this: buy yet another additional layer of insurance protection, with a unique provision that the layer of insurance disappears if a plaintiff goes after your personal assets. Given that stark choice, he suggests, most plaintiffs would take the insurance money at hand rather than gamble on reaching your personal funds. Burns says he has had informal conversations with insurance companies about underwriting such policies and expects they’ll become available if sufficient demand materializes.

13 June 2005

NORA is Now Dressed in Blue...

Now that Jeff Jonas's NORA (Non-Obvious Relationship Awareness) and SRDnet.com have been dressed in IBM Blue, a.k.a. DB2 Entity Analytic Solutions, it's anyone's guess who or what will be "Connecting the Dots."

DB2 Relationship Resolution answers the question "Who Knows Who?" IBM DB2 Relationship Resolution software begins where most solutions leave off, extending the customer view to identify and include the non-obvious relationships among individuals and organizations. An individual's relationships can provide a more complete view of their risk or value to your organization, whether they're a customer, prospect, or employee - even if an individual is trying to hide or disguise his or her identity.

Industry applications: DB2 Relationship Resolution has tremendous application in industries such as financial services, insurance, government, law enforcement, health care and life sciences, and hospitality. Organizations in these and other industries can use Relationship Resolution to:

> Connect insiders to external threats.
> Find high & low value customer relationships.
> Give fraud detection applications x-ray vision.
> Determine "network" value of the customer.
> Protect customers, employees, & national security.

What types of relationships can Relationship Resolution find?

> A potential employee who shares a P.O. Box with a convicted ID thief
> An account holder who shares a cellular account w/ a known money launderer
> An account exec who shares the same address as your hottest prospect
> A customer who lived with a wanted terrorist suspect
> An employee who lists your largest account holder as an emergency contact

DB2 Anonymous Resolution determines "Who is Who and Who Knows Who... Anonymously." It enables multiple organizations to selectively share data and leverage proprietary data in a manner that never exposes sensitive information, while still identifying relationships and developing leads.

"Finding the needle" is not really the right analogy here. It's more like: find the one piece of straw in this haystack that meets this range of parameters. However, false positives and false negatives are always the name of the game with these kinds of solutions.

In order for this solution to work accurately, first you have to know "Who is Who". If you somehow have the same name as someone else, and that someone else has links to other people who are on a "Watch List", then you could become a false positive. The only way to solve this is to feed the system more information, such as addresses, social security numbers, dates of birth and all the other usual ways of telling apart people who share a name. It also allows cross-checking against who held an insurance policy, a driver's license or any other data that would show up on a credit application, such as your mother's maiden name. The other strategy is to go "public" with who you are, where you live and what your blood type is, so that their starting point will always verify who you are, for certain.

"The seemingly simple questions of 'who is who?' and 'who knows whom?' cut across a wide variety of business problems today," said Janet Perna, general manager, IBM Information Management Software. "The SRD technology provides solutions to these age-old problems with unparalleled speed and accuracy."

SRD software strengthens IBM's middleware portfolio via a multidimensional approach to analytics that dramatically extends the capabilities of identity-based applications. The combination provides value to business partners who deliver business intelligence and other applications that might require a single customer view, fraud detection, or customer relationship management across many industries, such as government, banking, insurance and healthcare.

"The combination of SRD technology with IBM's middleware platform will bring a new era of accuracy, speed and scale to business analytics," said John Slitz, CEO, SRD.

The biggest question now is: how do you find an entity you don't yet know you are looking for? That is why it's important to see who is connected to what: a phone number, a bank account, an address, a frequent flyer number or a license plate. These patterns and relationships will ultimately give us the "insight" we need to detect a potential plot to commit fraud, launder money or attack a target.
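As an added illustration of the two points made above (resolve "who is who" on more than a bare name, then walk "who knows who" through shared identifiers), here is a small Python sketch. It is not IBM's or SRD's code, and every record, name, address, phone number and watch-list entry in it is constructed. The subject "app-1" shares a name with a watch-listed person and would be flagged by name-only screening; with name, date of birth and SSN taken into account he is a different person, but he does share a P.O. box with a second watch-listed entity, which is the kind of non-obvious link the product description lists.

```python
"""Entity resolution plus non-obvious relationship discovery.

Added illustration for the two points above (resolve "who is who" on more than a
name, then walk "who knows who" through shared identifiers). It is not IBM's or
SRD's code; every record, name and identifier is constructed.
"""
from collections import defaultdict, deque
from itertools import combinations

# Constructed sample records from several sources. Two records are the same
# person (cust-7 / watch-3); app-1 merely shares a name with that person.
RECORDS = [
    {"id": "app-1",   "source": "applicant", "name": "john smith",  "dob": "1978-03-02",
     "ssn": "111-22-3333", "address": "14 elm st",  "phone": "555-0101", "po_box": "PO 4471"},
    {"id": "cust-7",  "source": "customer",  "name": "john smith",  "dob": "1961-11-30",
     "ssn": "444-55-6666", "address": "9 oak ave",  "phone": "555-0199", "po_box": None},
    {"id": "watch-3", "source": "watchlist", "name": "john smith",  "dob": "1961-11-30",
     "ssn": "444-55-6666", "address": "9 oak ave",  "phone": None,       "po_box": None},
    {"id": "watch-9", "source": "watchlist", "name": "maria lopez", "dob": "1985-07-14",
     "ssn": None,          "address": "77 pine rd", "phone": "555-0150", "po_box": "PO 4471"},
    {"id": "emp-2",   "source": "employee",  "name": "dana wu",     "dob": "1990-01-09",
     "ssn": "777-88-9999", "address": "77 pine rd", "phone": "555-0150", "po_box": None},
]
LINK_ATTRS = ("address", "phone", "po_box")   # identifiers that connect distinct people


def same_person(a, b):
    """Merge on a strong identifier, or on name + DOB corroborated by a second attribute.
    A bare name match is deliberately NOT enough; that is where false positives come from."""
    if a["ssn"] and a["ssn"] == b["ssn"]:
        return True
    if a["name"] == b["name"] and a["dob"] == b["dob"]:
        return any(a[f] and a[f] == b[f] for f in ("address", "phone"))
    return False


def resolve_entities(records):
    """Union-find over records; returns {entity_key: sorted record ids}, key = smallest id."""
    parent = {r["id"]: r["id"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(records, 2):
        if same_person(a, b):
            parent[find(b["id"])] = find(a["id"])
    groups = defaultdict(list)
    for r in records:
        groups[find(r["id"])].append(r["id"])
    return {min(ids): sorted(ids) for ids in groups.values()}


def relationship_graph(records, entities):
    """Edge between two distinct entities for every address/phone/P.O. box they share."""
    entity_of = {rid: key for key, ids in entities.items() for rid in ids}
    index = defaultdict(set)                       # (attr, value) -> entity keys
    for r in records:
        for attr in LINK_ATTRS:
            if r[attr]:
                index[(attr, r[attr])].add(entity_of[r["id"]])
    graph = defaultdict(lambda: defaultdict(set))  # entity -> neighbour -> shared attrs
    for (attr, _), keys in index.items():
        for x, y in combinations(sorted(keys), 2):
            graph[x][y].add(attr)
            graph[y][x].add(attr)
    return graph


def screen(records, record_id, max_hops=2):
    """Compare naive name screening with resolved identity + relationship walk."""
    by_id = {r["id"]: r for r in records}
    entities = resolve_entities(records)
    graph = relationship_graph(records, entities)
    entity_of = {rid: key for key, ids in entities.items() for rid in ids}
    watch = {k for k, ids in entities.items() if any(by_id[i]["source"] == "watchlist" for i in ids)}
    target = by_id[record_id]
    naive = {r["id"] for r in records if r["source"] == "watchlist" and r["name"] == target["name"]}

    start = entity_of[record_id]
    hits, seen = [], {start}
    queue = deque([(start, [(start, None)])])      # path entries: (entity, attrs shared with previous)
    while queue:
        node, path = queue.popleft()
        if node in watch:                          # hop 0 = the subject IS a watch-listed person
            hits.append(path)
        if len(path) - 1 >= max_hops:
            continue
        for nbr, attrs in graph[node].items():
            if nbr not in seen:
                seen.add(nbr)
                queue.append((nbr, path + [(nbr, "/".join(sorted(attrs)))]))
    return {"naive_name_hits": naive, "links": hits}


if __name__ == "__main__":
    for rid in ("app-1", "emp-2", "cust-7"):
        print(rid, screen(RECORDS, rid))
```

Running it shows the three outcomes the post describes: "app-1" is a name-only false positive against "watch-3" but a genuine one-hop link to "watch-9" through the shared P.O. box; "emp-2" has no name collision at all yet shares both an address and a phone with "watch-9"; and "cust-7" resolves directly to a watch-listed record because the SSN matches. The merge rule is the knob that trades false positives for false negatives, which is why the attributes fed into it matter more than the graph walk.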

03 June 2005

Critical Infrastructure Protection: NISAC to the Rescue

NISAC has a small $20M budget yet a very important task: educating the next generation of Robert Oppenheimer protégés. Oppenheimer led the team of twenty-somethings that created the nuclear devices known as "Little Boy" and "Fat Man", which helped end WWII with Japan.

In collaboration with Sandia National Laboratories, LANL (Los Alamos National Labs) through CHS (Center for Homeland Security) has also established the National Infrastructure Simulation and Analysis Center, or NISAC, whose contribution to homeland security is to identify infrastructure vulnerabilities to feasible terrorist threats.

NISAC's function is to figure out the answers to some difficult questions, or "what ifs". A good example: should a dirty bomb make its way past our detection and defenses in Long Beach and, God forbid, be detonated, how long can we afford to keep the port closed? The answer has an economic impact and a socio-political paradox that requires unbiased thinking. That is where NISAC comes in.

These NISAC students have been selected by the Office of Educational Programs (OEP), which hosts the program for the U.S. Department of Homeland Security (DHS). The Science and Technology Directorate supports the program, which is open to any student interested in pursuing scientific and technological innovations that can be applied to the DHS.

Through the Program, DHS supports the growth and mentoring of the next generation of scientists as they study ways to prevent terrorist attacks within America, reduce America's vulnerability to terrorism and minimize the damage and recovery efforts from attacks that occur.

Given that policy makers and scientists are now looking at how critical infrastructure has sophisticated interdependencies, it's time to use some of our great computing assets to answer these really hard questions. Seven of Sandia's computers are among the fastest supercomputers in the world, and even the older models are faster than most corporate or university machines. NISAC can do most of its modeling even on a cluster of Dells that has enough muscle to get the answers faster than the 6-week waiting list for time on the supercomputers at Los Alamos.

CHS is home to some agent-based modeling projects used to help answer really hard questions, especially about the behavior of humans in the aftermath of business disruptions as significant as closing the port of Long Beach. Or Houston?

The Los Alamos National Laboratory's Center for Homeland Security is evolving into the premier homeland security resource for the nation in the areas of Chemical and Biological Threat Reduction, Nuclear and Radiological Threat Reduction, and Borders, Information, and Infrastructure Protection. As an intramural Laboratory, we are a trusted DHS resource that responds in a continually adaptive, highly responsive manner to all technical requests. Through the steady development of our ReachBack capability the Center has permeated all corners of the Laboratory engaging the full resources of the Los Alamos National Laboratory to be brought to bear on DHS issues, crises, and questions. The Center for Homeland Security is viewed as a valued asset to regional, state, and local homeland security organizations because of our willingness to engage these entities and assist in helping them prepare, train, and if necessary, respond to both terrorist events and natural disasters.

Unfortunately for the scientists, testing the models is difficult, since 85% of the critical infrastructure is owned by the private sector. Corporate giants such as Verizon, Con Edison, Archer Daniels Midland and the major banking institutions all face "liability" constraints on sharing their precious and proprietary data, maps and diagrams. DHS is helping to smooth the way toward more diligent cooperation in the legal discussions.

Let's just hope we can give the scientists what they need to do their job, faster and with more accuracy. Only then will we truly understand the matrix of critical infrastructure in our country.

01 June 2005

Hurricane Season 101: Contingency Plan

Now that the Atlantic hurricane season has started, it's time for a little review.

Contingency Plan Objective:

To provide individuals with a documented set of actions to perform in the event of a disaster, enabling information processing to be resumed within critical timescales.

Contingency plans should be formulated to ensure that staff are aware of the steps they would be required to take in the event of a disaster affecting the computer installation.

The format and content of contingency plans should comply with enterprise-wide standards / procedures, form part of a wider business continuity plan and be distributed to all individuals who would require them in case of an emergency. Such individuals should be informed of their responsibilities and equipped to fulfil them.

Plans should include:

· conditions for their invocation
· the critical timescales associated with the business applications supported by the installation
· a schedule of key tasks to be carried out, responsibilities for each task and a list of services to be recovered, in priority order
· information security controls applied during the recovery process
· arrangements for processing from last successful back-up to time of disaster and then to resumption of normal service
· provisions for the clearance of any processing back-logs that may have built up during the system outage
· resuming processing using alternative facilities
· procedures specified in sufficient detail to be followed by individuals who do not normally carry them out.

Source: ISF Section IP7 - Service Continuity
If there is a serious interruption to information processing, for example if a disaster occurs, the computer installation may be unavailable for a prolonged period. Considerable forethought is required to enable information processing to continue in these circumstances and to keep the business impact to a minimum. Accordingly, this area covers the development and content of contingency plans, and the coverage and validation of contingency arrangements.