24 December 2005

Enterprise Preparedness: Business Process Management (BPM)

Enterprise Preparedness

Organizations are experiencing unprecedented pressure from a number of directions to remain competitive in today's changing economy. The challenges of satisfying profit expectations, meeting customer demands, avoiding litigation, and complying with government regulations have created tough conditions for the executives who are managing the business. Besides the pressure to create new markets, manage cost, and generate profits, they must also demonstrate the ability to effectively manage adversity when it occurs. The current stringent regulatory environment coupled with a hypersensitive investment community has made the need to prepare for adverse events a corporate mandate.


Troy Smith's article is correct on many of the fundamentals of Enterprise Preparedness. We would emphasize the need to also have some effective tools for capturing the processes during the important planning phases. One company to consider is Metastorm.

As the first breakaway BPM vendor, Metastorm is a leader in business process management (BPM) software and best practice methodologies for modeling, automating, integrating, and improving both human and system-based processes. Metastorm BPM™ is a complete solution for roundtrip process improvement, designed specifically to address complex processes that are unique to organizations. Metastorm’s 1200+ global client base in manufacturing, retail, financial services, business services, healthcare and government is achieving rapid ROI and Enterprise Process Advantage® in customer service, supply chain operations, risk management, and internal operations.


22 December 2005

Financial Services Marketers: Get Ready for Your Audit...

The FDIC Small-Entity Compliance Guide is now available. The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations.

Distinction between the Security Guidelines and the Privacy Rule

The requirements of the Security Guidelines and the interagency regulations regarding financial privacy (Privacy Rule) both relate to the confidentiality of customer information. However, they differ in the following key respects:

- The Security Guidelines address safeguarding the confidentiality and security of customer information and ensuring the proper disposal of customer information. They are directed toward preventing or responding to foreseeable threats to, or unauthorized access or use of, that information. The Security Guidelines provide that financial institutions must contractually require their affiliated and non-affiliated third party service providers that have access to the financial institution's customer information to protect that information.

- The Privacy Rule limits a financial institution's disclosure of nonpublic personal information to unaffiliated third parties, such as by selling the information to unaffiliated third parties. Subject to certain exceptions, the Privacy Rule prohibits disclosure of a consumer's nonpublic personal information to a nonaffiliated third party unless certain notice requirements are met and the consumer does not elect to prevent, or "opt out of," the disclosure. The Privacy Rule requires that privacy notices provided to customers and consumers describe the financial institution's policies and practices to protect the confidentiality and security of that information. It does not impose any other obligations with respect to safeguarding customers' or consumers' information.


Third-party marketers of financial institutions are preparing for new audits of their information security controls and processes. Slicing and dicing customer information using psychographics and demographics is a normal task. Mailing millions of pieces annually with new offers from collaborating internal companies and external partners creates significant challenges in managing sensitive customer information. This increased exposure to potential data loss and other threats warrants additional scrutiny of the supply chain companies that interface with the marketing department.

One way to find out how ready your partners would be for a formal audit is to ask them when they last had an independent audit of their information security controls. Many organizations today serve multiple financial institutions in the same region and therefore are consistently being asked for evidence of a SAS 70 audit opinion. SAS 70 is not a predetermined set of standards that an organization must satisfy in order to “pass” the audit. In a SAS 70 audit, the service organization is responsible for describing its own control objectives and control activities that might be of interest to auditors in user organizations, so the opinion covers only the controls the service organization chose to describe. SAS 70 objectives can be non-specific for an audit and may leave large gaps in real-time, day-to-day operations.

20 December 2005

Resilience Masks the Real Problem: Training...

The UK financial services sector has completed the first phase of its Resilience Benchmarking Project. More than 60 key firms and financial infrastructure providers from the UK volunteered to take part in the Resilience Benchmarking Project, the results of which were mixed and highlighted a number of significant operational risk issues relating to business continuity. Here is the summary of the FSA discussion points:

1 Although the financial system appears to be technologically resilient, are there vulnerabilities in other areas that could put it at risk?

2 What action could the Tripartite Authorities take to help bring together the component parts of the system?

3 How can firms strengthen their collective resilience?

4 Would it be helpful to publish recovery-time targets for wholesale payments, trade clearing and settlement? If so, would 60-80% of normal values and volumes within four hours, rising to 80-100% by the next working day, be reasonable recovery targets?

5 If we decide to publish targets, should these apply to core firms and financial infrastructure providers only, or should they apply more widely?

6 Should we consider publishing targets for other functions such as resumption of trading and retail payments?

7 If we were to publish targets, should these be informal in nature or should they be embedded into rules and guidance?

8 What more can be done to encourage joined-up planning and testing to reflect better the likely impact of a major operational disruption and how this could be facilitated?

9 Could the weaknesses in business continuity and crisis management arrangements undermine recovery time capabilities?

10 Would it be helpful to set a minimum distance criteria between primary and recovery sites? If so, what should that distance be?

11 Should we actively encourage firms to diversify their back-up arrangements, in particular core firms and financial infrastructure providers?

12 Do you agree with our conclusions and proposed actions in relation to recovery service provision? Is there more that the Tripartite Authorities should do in this area – for example including a specific survey on recovery service provision in future benchmarking studies?

13 We invite feedback on the measures we propose to take to mitigate concentration risk: encouraging end-to-end testing; sharing information on resilience and recovery arrangements the financial infrastructure providers have in place; and encouraging wider geographical diversification.

14 Should FSA maintain its non-prescriptive approach to business continuity management?

15 We would welcome comments on the estimated cost of reaching the targets we propose to publish for core firms and financial infrastructure providers:
– from those organisations to which these targets would apply; and
– from other organisations for which these targets might be considered aspirational goals.

16 We would welcome views on the estimated cost of lost business arising from the delayed recovery of a vital counterparty (i.e. a core firm or financial infrastructure provider).


The word "Resilience" occurs 70 times in this 52 page document. The word "Security" occurs only 12 times. The word "Continuity" occurs 63 times. The word "Risk" occurs 52 times. Resilience seems to be the overall theme these days.

The definition of Resilience is an interesting one:

Main Entry: re·sil·ience
Pronunciation: ri-'zil-y&n(t)s
Function: noun
1 : the capability of a strained body to recover its size and shape after deformation caused especially by compressive stress

2 : an ability to recover from or adjust easily to misfortune or change


The definition has a reactive flavor to it, with the thought that something is going to happen and, when it does, you must be able to recover quickly. With all the synonyms and word games being used today, it all comes back to effective training. And this is where the benchmarking study has revealed the corporate business enterprise's greatest weakness:

Training is another potential area for improvement. Only 42 firms include business continuity planning in induction programmes for new staff, and ten respondents had provided training to less than 5% of their staff. Fewer than a third of participants have provided training to staff that might be called upon to deal with sensitive issues, such as working on a casualty helpline. The responses to these and a number of other questions indicate a lack of appropriate training needs analysis and a need for greater consideration of the effects of a crisis on those who might be asked to undertake some of the most harrowing and disturbing roles.


16 December 2005

High Quality or Low Price: Pick One...

Have you ever heard that old saying, "You can have high quality or you can have a low price, pick one." Now apply this to Operational Risk Management in your domain.

It seems that the U.S. Senate has mixed priorities right now on the U.S. Patriot Act debate. Wyoming is a low risk area in terms of critical infrastructure yet it will receive the same funding as states with more shoreline, ports and vulnerabilities to the security of the United States. James Jay Carafano has identified what the key issue really is:

What’s Missing?

There was one important provision that did not make it out of conference. The original Patriot Act established the requirement that a significant percentage of all homeland security grants be distributed automatically to each state, big or small, regardless of national priorities or risks. Current funding formulas guarantee each state .75 percent of the funds available. As a result, 40 percent of these funds are immediately tied up, leaving only 60 percent for discretionary allocations. As the 9/11 Commission’s report rightly stated, the current system is in danger of turning homeland security funding into “pork-barrel” spending, making spending on security just another state entitlement program. In conference, an initiative to restructure the system and allocate money according to risk and needs rather than an archaic formula was rejected by Senate conferees. This is the third time the Senate has turned back House legislation to reform the grant system. And it is just wrong.


Prudent risk management policy and strategy point to investing to improve resilience in the areas that are identified as most vulnerable and where the consequences of a loss would be unacceptable. What part of the risk management methodology is missing in the presentations to, or the education of, our lawmakers?

The part that is missing is the part that no one can present, for fear of it becoming public information and getting into the hands of those who may use it to harm the homeland. Those single points of failure exist in every country or city that has a significant capitalist marketplace. The resilience of the respective economies depends on the infrastructure that fuels them, and every dollar and resource needs to be focused on those highest-risk areas.

Mr. Carafano makes another observation worth consideration, regarding The September 11 Commission Report Card: The Good, the Bad, and the Ugly:

At the top of the list is the failure of the Congress to put together a comprehensive package of border security and immigration reforms that enhance security, promote economic growth, and protect civil liberties. Also missing from the list is the tragic underfunding of the Coast Guard. The same service that saved 33,000 lives during and following Hurricane Katrina faces cuts to its modernization budget in the House.


The private sector can change all of this in a heartbeat. The safety and security of our economic livelihood is in the hands of the telecom/high tech, banking and finance, health care and energy sectors. In the long run, the executives in these industry sectors have the power to change our lawmakers' points of view. Let's just hope that they all realize that their own corporate assets are at a greater risk now than they were over four years ago.

15 December 2005

CIP Risk Management: NIPP & Tuck...

As part of the new National Infrastructure Protection Plan (NIPP v1.0), the years-old RAMCAP (Risk Analysis and Management for Critical Assets Protection) methodology of the American Society of Mechanical Engineers makes its way into the mainstream:

RAMCAP is an overall methodology and provides a common framework for homeland security risk analysis decision-making that includes:

– Common terminology
– Common metrics for comparing risks across sectors
– Common basis for reporting results
– Basis for informing resource allocation decisions

• Countermeasures
• Consequence mitigation actions


ASME was awarded a grant by the Department of Homeland Security to develop uniform risk-based guidance in September 2003. The methodology's sequential steps include:

• Vulnerability analysis
• Consequence analysis
• Risk analysis
• Countermeasures and mitigation
• Decision analysis
• Multiple assets and sectors


The NIPP is a "draft" today, and the comment period already expired on December 5, 2005. We expect to see sector-specific plans soon after the national plan is finalized. It will be interesting to see how the private sector reacts. Industry critics say the draft lacks specificity at this point. However, maybe this is a good thing for the owners and operators of 85% of the nation's critical infrastructure.

12 December 2005

Reducing Operational Risk Through CAP & IPv6...

After attending the United States IPv6 Summit last week, it was apparent that Emergency Preparedness and National Security are top priorities. This is increasingly true as we see the grades on our progress from the 9/11 Commission and others with regard to data communications and interoperability issues. One facet of all of this has to do with the important work already underway by the technical committees at OASIS:

The mission of the EM TC is to create incident and emergency-related standards for data interoperability. The TC welcomes participation from members of the emergency management community, developers and implementers, and members of the public concerned with disaster management and response.

Standards currently under review by the committee:

The Common Alerting Protocol (CAP), a data interchange standard for alerting and event notification applications, currently in version 1.1. CAP functions both as a standalone protocol and as a payload for EDXL messages.

The Emergency Data Exchange Language (EDXL), a broad initiative to create an integrated framework for a wide range of emergency data exchange standards to support operations, logistics, planning and finance.
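As an added example, not code from OASIS or from this post: a validator that treats an incoming CAP 1.1 alert as untrusted input and checks the required elements and the enumerated values the specification defines. It uses only Python's standard library; the sample alert and its tampered copy are constructed for illustration.

```python
# Added example, not code from OASIS or from the post: a structural validator
# for a CAP 1.1 <alert> that treats the message as untrusted input.
import xml.etree.ElementTree as ET

CAP_NS = "urn:oasis:names:tc:emergency:cap:1.1"

# Enumerations the CAP 1.1 specification defines for <alert> and <info>.
ALERT_ENUMS = {
    "status": {"Actual", "Exercise", "System", "Test", "Draft"},
    "msgType": {"Alert", "Update", "Cancel", "Ack", "Error"},
    "scope": {"Public", "Restricted", "Private"},
}
INFO_ENUMS = {
    "urgency": {"Immediate", "Expected", "Future", "Past", "Unknown"},
    "severity": {"Extreme", "Severe", "Moderate", "Minor", "Unknown"},
    "certainty": {"Observed", "Likely", "Possible", "Unlikely", "Unknown"},
}
REQUIRED_ALERT = ("identifier", "sender", "sent", "status", "msgType", "scope")
REQUIRED_INFO = ("category", "event", "urgency", "severity", "certainty")

def _text(parent, name):
    # Trimmed text of the first CAP child element `name`, or None if absent.
    node = parent.find(f"{{{CAP_NS}}}{name}")
    return node.text.strip() if node is not None and node.text else None

def validate_cap(xml_text):
    """Return a list of problems; an empty list means the alert passed."""
    try:
        root = ET.fromstring(xml_text)  # stdlib expat does not fetch external entities
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{CAP_NS}}}alert":
        return [f"root element is {root.tag}, not a CAP 1.1 <alert>"]
    problems = []
    for name in REQUIRED_ALERT:
        value = _text(root, name)
        if value is None:
            problems.append(f"missing <{name}>")
        elif name in ALERT_ENUMS and value not in ALERT_ENUMS[name]:
            problems.append(f"<{name}> has non-CAP value {value!r}")
    # A restricted alert must say who it is restricted to.
    if _text(root, "scope") == "Restricted" and _text(root, "restriction") is None:
        problems.append("scope Restricted requires <restriction>")
    for i, info in enumerate(root.findall(f"{{{CAP_NS}}}info")):
        for name in REQUIRED_INFO:
            value = _text(info, name)
            if value is None:
                problems.append(f"info[{i}] missing <{name}>")
            elif name in INFO_ENUMS and value not in INFO_ENUMS[name]:
                problems.append(f"info[{i}] <{name}> has non-CAP value {value!r}")
    return problems

# Constructed sample (not a real alert): a well-formed CAP 1.1 test message.
GOOD_ALERT = f"""<alert xmlns="{CAP_NS}">
  <identifier>EXAMPLE-2005-12-001</identifier>
  <sender>ops@example.invalid</sender>
  <sent>2005-12-12T09:30:00-05:00</sent>
  <status>Test</status>
  <msgType>Alert</msgType>
  <scope>Public</scope>
  <info>
    <category>Infra</category><event>Data centre power loss</event>
    <urgency>Expected</urgency><severity>Moderate</severity>
    <certainty>Likely</certainty>
  </info>
</alert>"""
# Constructed tampered copy: <sender> dropped, <status> set to a non-CAP value.
BAD_ALERT = GOOD_ALERT.replace("  <sender>ops@example.invalid</sender>\n", "") \
                      .replace("<status>Test</status>", "<status>Urgent</status>")
```

Running `validate_cap` on an alert before it is forwarded or displayed rejects messages that are malformed or carry values outside the specification, which is the first gate a receiver should apply to alert traffic from any sender.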


Why are IPv6 and CAP a big issue in operational risk management? They will save lives and property as they are deployed in numerous communications devices and services in the future. Currently, the big drive for IPv6 is new uses, such as mobility, quality of service, privacy extensions and so on. The U.S. Government has also specified that all federal agencies must deploy IPv6 by 2008.

Karen Evans and the OMB are preparing the federal CIO's for the transition:

The CIO Council will develop additional transition guidance as necessary covering the following actions. To the extent agencies can address these actions now, they should do so. Beginning February 2006, agencies’ transition activity will be evaluated using OMB’s Enterprise Architecture Assessment Framework:

• Conduct a requirements analysis to identify current scope of IPv6 within an agency, current challenges using IPv4, and target requirements.
• Develop a sequencing plan for IPv6 implementation, integrated with your agency Enterprise Architecture.
• Develop IPv6-related policies and enforcement mechanisms.
• Develop training material for stakeholders.
• Develop and implement a test plan for IPv6 compatibility/interoperability.
• Deploy IPv6 using a phased approach.
• Maintain and monitor networks.
• Update IPv6 requirements and target architecture on an ongoing basis.


Much of what IPv6 is about has to do with the address capacity of our current standard, IPv4. However, as more emphasis is put on interoperability and on the use of millions of new data capture and reporting sensors, both CAP and IPv6 will be essential building blocks for the future. One example illustrated the other day is the changes being made in London and other global metro areas to capitalize on the fact that most citizens are carrying mobile phones with picture and video capabilities. These video images are increasingly being utilized to give both law enforcement and emergency responders new insight into the real situation as it unfolds. In some cases, while voice circuits are jammed, the data communications can still get through.

Sometimes, a picture is worth a thousand words.

06 December 2005

Mitigating Operational Risks Around the Globe...

In this month's CSO Online, Todd Datz has an article worth exploring. How to Manage Security Halfway Around the World talks about several key components of global operational risk mitigation:

Different cultures. Unstable political environments. Language barriers. CSOs in global companies face many a challenge as they try to manage security in far-flung locations. One of the biggest challenges? A good number of your security managers reside in functions other than corporate security, so security is often a part-time gig managed by people with part-time security training. There’s no ironclad set of rules or policies that all those employees can follow.


If you are like most organizations doing business on a global basis, you don't have a security department in every office. This is why it is imperative for your local employees to establish local relationships with other businesses or entities who will help protect your vital corporate assets.

Educate Your Global Security Staff
Training is a critical component of any global security program, especially given that many security managers in foreign locations come from nonsecurity functions—such as HR or engineering—and thus wear multiple hats.


It's critical to have a local presence along with a centralized global policy and audit function known as Enterprise Security Risk Management. Together, the partnership keeps a great degree of relevance to the issues and cultures in a particular country while simultaneously keeping a consistent and correlated set of standards for legal compliance. International laws for the exchange of information, the transmission of funds, and the sale of products and services to Specially Designated Nationals (SDNs) are all important business risks to be managed.

With a growing focus on risk management, The Yankee Group predicts that by 2008, the $165 million Enterprise Security Risk Management market will grow to $650 million as more organizations move to strengthen their global security posture. According to The Yankee Group, most organizations today utilize informal security risk management processes using professional services and homegrown databases that are often time-consuming and ineffective.

01 December 2005

Board of Directors: Corporate Responsibilities...

The primary responsibilities of the Board of Directors are getting more scrutiny than ever before, especially in light of the fact that statements executives make about quarterly earnings are a focus for class-action shareholder lawsuits.

Many public institutions are no longer bowing to Wall Street and publishing or promising quarterly numbers. In fact, many are following the lead of people like Warren Buffett of Berkshire Hathaway. He doesn't believe in the short-sighted behavior that occurs around quarterly conference calls with analysts. Look to The Washington Post as one example.

The Board is ultimately responsible for ensuring the performance and survivability of the corporation. The shareholders want the Board to do the following:

1. To ensure legal and ethical conduct.

2. To insist on strategic and operational planning.

3. To develop in collaboration with management a real-time risk assessment.

4. To establish a Corporate Governance culture based on best practices.

5. To exercise the Director's fiduciary duty of care on behalf of the shareholders.

An ever more important responsibility is to apply technology with a clear purpose in the survival and longevity of the organization. The Washington Post, which does not offer quarterly guidance, has adopted technology to help satisfy the analysts' needs for information.

WASHINGTON, Nov. 30 -- The Washington Post Company (NYSE: WPO) will audio webcast its presentation at the Credit Suisse First Boston (CSFB) Global Media Week Conference next week. The Company's presentation will take place on December 6 at 4 p.m.

The live webcast will be accessible from a link on The Washington Post Company's website, http://www.washpostco.com, and at http://www.csfb.com. A transcript will be posted on http://www.washpostco.com following the presentation.


Maybe someday the SEC will reconsider Regulation FD:

The Reg FD rule reads as follows: "Whenever an issuer, or any person acting on its behalf, discloses any material nonpublic information regarding that issuer or its securities to [certain enumerated persons], the issuer shall make public disclosure of that information... simultaneously, in the case of an intentional disclosure; and... promptly, in the case of a non-intentional disclosure."


In light of this, most Directors and Executive management are counseled to say very little about what is happening in the company.