31 March 2006

OPS Risk Refresher...

What are Operational Risks? Here is a refresher for the Financial Services Sector:

Key People Risks

Employee fraud or malice
Including collusion, embezzlement, sabotage of bank reputation, money laundering, theft of physical and intellectual property, and programming fraud including virus introduction

Unauthorized activity
Including misuse of privileged information, churning, market manipulation, activity leading to deliberate mis-pricing or with an unauthorized counterparty or unauthorized product, limit breaches, intentionally incorrect models such as deliberate changes to parameters, activity outside exchange rules, illegal/aggressive selling tactics, and deliberately ignoring or short-circuiting procedures

Employment law
Including wrongful termination of employment, discrimination/equal opportunity, harassment, non-adherence to other employment law, and non-adherence to Health and Safety regulations

Workforce disruption
Industrial action and other forms of disruption

Loss or lack of key personnel
Lack of suitable employees and loss of key personnel

Key Systems Risks

Technology risk
Inappropriate architecture

Investment risk
Including strategic platform or supplier risk, inappropriate definition of business requirements, incompatibility with existing systems, and obsolescence of software

Systems development and implementation
Including inadequate project management, cost/time overruns, programming errors (internal/external), failure to integrate with and/or migrate from existing systems, and failure of the system to meet business requirements

Systems capacity
Including lack of adequate capacity planning and inadequate software

Systems failures
Including network failure, interdependency risk, interface failure, hardware failure, software failure, and internal telecommunication failure

Systems security breaches
Including external security breaches, internal security breaches, programming fraud, and computer viruses

Key External Risks

Legal/public liabilities
Including breach of fiduciary duty, etc.

Criminal activities
Including money laundering, terrorism, robberies, etc.

Outsourcing/supplier risk
Including breach of service level agreement, supplier failure, etc.

Insourcing risk
Including failure of the firm as a supplier of services to a third party

Disasters and infrastructural utilities failures
Including fire, flood, failure of critical supplies, etc.

Regulatory risk
Including change of regulatory rules etc.

Political/government risk
Including expropriation of assets, changes in tax regime, law and industry regime, etc.

Remember, this does not even cover the largest category of Operational Risk: Processes. The processes behind our different procedures, protocols and mechanisms for doing business are among the greatest sources of loss events. Errors, omissions and lack of training are just a few of the areas that need consistent monitoring and continuous auditing.

24 March 2006

Availability Bias: The Risk of Low Probabilities...

Should corporate America be concerned about weapons of mass destruction? How do you prepare for risks beyond your own workplace? Rad Jones from the School of Criminal Justice, Michigan State University, recently talked about a critical incident exercise he has prepared exclusively for CSO Magazine.

Rad Jones, formerly with the Secret Service and later on security projects with Ford Motor Company, emphasizes that you don't have a plan unless it has been exercised. This is especially true if you have not involved the first responders in your local area. Role-playing exercises built on real-world scenarios and conducted on premises are a key component of the preparedness equation. What is left out in many instances during the exercise with the local police, fire or EMS is the Incident Command link to the top brass or executives, who may be in other locations across the country or the globe. This was witnessed in the Hurricane Katrina catastrophe.

Every metro area in harm's way has the ability to do these exercises, even on a micro basis. A single 15-story building, the business park surrounding the suburban mall or hotels, or even a square block in a downtown city location is a good start. This coordination, planning and continuity builds a new level of resilience into the fabric of the community. This effort has been going on since 2003 with a consortium in Chicago, IL called ChicagoFIRST. That particular effort was spearheaded by the large financial institutions in the city, who wanted to get a say and a seat inside the JOC (Joint Operations Center).

The spirit of ChicagoFIRST is spreading with the launch of WashingtonDCFIRST, a consortium based in the Washington DC metro area. This project will be focused on the critical infrastructure private sector and the relevant interfaces to the local first responder jurisdictions. Collaboration with the Council of Governments (COG) will add the planning already underway for the past few years on issues such as interoperability and credentialing. As an example, the FCC has adopted a plan to establish a Public Safety and Homeland Security Bureau. The new Bureau is designed to provide a more efficient, effective, and responsive organizational structure to address public safety, homeland security, national security, emergency management and preparedness, disaster management, and other related issues.

Unlike other private sector initiatives, WashingtonDCFIRST will involve all the critical infrastructure sectors and the private companies who represent the largest employers around the beltway, including: Pepco, Verizon, Washington Gas, Exxon Mobil, AOL, and the Water Utilities. Much of the focus will be on availability bias.

Availability bias is why the U.S. has spent the past four years focusing on scenarios involving terrorism, after the so-called failure of imagination that preceded 9/11. What have politicians and citizens done for the past four years if not imagine terrorism?

And it's why many observers are now questioning whether the country should have spent that time planning not for terrorism but instead for other potential catastrophes. Like a deadly pandemic. Or major earthquake. Or hurricanes.

"One of the key dangers is that people are always focusing on the last catastrophe," says Robert Muir-Wood, the London-based chief research officer for Risk Management Solutions, which does economic risk modeling for the insurance industry. "It's a big challenge to keep everything in perspective and not be biased by what has last happened."

A true risk-based approach means that, when all else is equal, one must override the availability bias and focus on the most likely future scenarios. Unfortunately, figuring out the probability of any given scenario raises its own set of complexities.

The most probable risks that you train and exercise for will be the incidents that you are most prepared to handle. Suffice it to say that the risks you don't plan for because they are too low in probability will be the incidents or catastrophes that catch you off guard. Think about it. Not preparing and training for the low probability scenarios could cost you millions or billions, and maybe your life.

22 March 2006

Pandemic Flu: Financial Institutions Contingency Strategies...

The Board of Governors of the U.S. Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision are issuing an interagency advisory to financial institutions and their technology service providers.

This advisory is intended to raise awareness regarding the threat of a pandemic influenza outbreak and its potential impact on the delivery of critical financial services. It further advises financial institutions and their service providers to consider this and similar threats in their event response and contingency strategies. This issuance discusses the National Strategy for Pandemic Influenza (National Strategy) and the roles and responsibilities it outlines for financial institutions.

Critical infrastructure entities also must be engaged in planning for a pandemic because of our society’s dependence upon their services. Both the private sector and critical infrastructure entities represent essential underpinnings for the functioning of American society. Responsibilities of the U.S. private sector and critical infrastructure entities include the following:

• Establishing an ethic of infection control in the workplace that is reinforced during the annual influenza season, to include, if possible, options for working offsite while ill, systems to reduce infection transmission, and worker education.

• Establishing contingency systems to maintain delivery of essential goods and services during times of significant and sustained worker absenteeism.

• Where possible, establishing mechanisms to allow workers to provide services from home if public health officials advise against non-essential travel outside the home.

• Establishing partnerships with other members of the sector to provide mutual support and maintenance of essential services during a pandemic.

For more information see the official U.S. Pandemic Flu site.

20 March 2006

Critical Infrastructure Protection: Resolve to be Ready...

Insurers say risk of WMD terror is low from the traditional sense of the terrorism definition. Yet what about Madrid, London and the possibility of domestic terrorism? Why does Lockheed Martin currently have the contract to upgrade surveillance and security in the New York mass transit system?

Terrorism Risk includes the risk from attackers both internal and external to the organization. These attackers are using conventional (incendiary explosive devices) and unconventional (digital worms) methods to disrupt the operations and economic well-being of corporate organizations, the real estate finance industry and our critical infrastructures.

The process and systems for managing Terrorism Risk are rapidly changing as the commercial real estate finance and building owners strive to establish new standards. Critical Infrastructure Protection is now a national priority. The key catalysts for change could further motivate infrastructure owners to implement new risk reduction programs and measures.

Some of the key catalysts for change are:

· Insurance – those institutions that are sharing the risks that a building owner faces.

· Finance – banks, REITs (Real Estate Investment Trusts), and others such as pension funds that provide the capital for investments in commercial infrastructure.

· Regulation – Federal, State and Local jurisdictions that regulate building design, construction and operations.

Overall Terrorism Risk reduction begins with these key catalysts in concert with owners of critical infrastructure, whether that is a corporate office building, a hospital, subway, or a hotel. These soft targets are where the risk management decision-making is already taking new directions. Washington, DC is a prime example with the InfraGard Nations Capital Members Alliance.

In order to introduce new changes in process or design that impact the physical or operational aspects of critical infrastructures (to reduce terrorism risk), it is important to better understand how these change levers can provide the incentives for owners. Being forced is never as appetizing as being induced to do anything. In order for changes to take place, the environment must reward investments in preparedness and safety. Consistently, the conversations are not about “if” something is going to happen; they are about “where” or “when” it is going to happen. Therefore, it is imperative we initiate a proactive hedge against the inevitability of a loss event occurring in the future. First, however, we must understand the character of terrorism risk in critical infrastructure and some of the anti-terrorism tools currently available to help manage that risk.

The recognition by insurers that owners will continue to invest in terrorism risk reduction and building safety, given the proper incentives, is vital to the overall risk management of critical infrastructures. The assessment of terrorism vulnerability in key structures identified as soft targets can be a key component of the risk rating for a specific structure. In order for owners to benefit from the potential of reduced premiums from direct insurers, they must be able to demonstrate a combination of risk mitigation measures and programs that improve the survivability of the infrastructure or reduce its vulnerability to certain threat profiles. These need to be exercised on a continuous timetable with extensive documentation, training and reporting.

In order for insurance brokers to accurately represent their buyers' mitigation programs and measures to the direct insurers, they must have a foundation of knowledge about the structure's physical vulnerabilities. However, even more essential is an understanding of the operational and human attributes of the building that contribute to the proactive tactics to prevent losses and further exposures to potential terrorism risk. If this step takes place, the insurers can better evaluate these operational and human elements to determine the value and effectiveness of these tactics so that they can be considered for premium reductions. The building itself, two miles from The White House, 10 Downing Street or the Eiffel Tower, has little chance of moving outside the high-risk zone for terrorist events.

The only methods for reducing risk exposures are to dramatically impact the operational and human elements of the building, to mitigate hazards and to increase the survivability of the people and systems that are resident. As landlords and other interested real estate finance industry partners move towards new standards to mitigate terrorism risk and protect critical infrastructure, the necessity for state-of-the-art tools and systems to mitigate those risks is paramount. CxOs in corporate enterprises are ever more concerned about emergency preparedness and the continuity of their enterprises. Now that threats to government and business operations are becoming ever more prevalent, organizations must plan for every type of business disruption, from hardware and communications failures, to natural disasters, to internal or external acts of terrorism.

16 March 2006

Whistleblowers: The Risk of Unethical Corporate Behavior...

To some people, Sherron Watkins is a hero. To others, she is an Enron whistleblower who has capitalized on her now famous memo.

Ms Watkins had previously sent Mr Lay an anonymous memo questioning the use of off-balance sheet financial partnerships which were then running up huge losses.

In the memo, which she read out in court, she had expressed concerns that Enron could "implode in a wave of accounting scandals".

She added: "This was not just aggressive accounting, it was fraudulent accounting. I couldn't believe we had done it."

Implementing an effective ethics and compliance program in corporations requires a robust educational and legal strategy. Awareness development and effective policy design and administration are imperative if the organization is going to have any chance of achieving high marks in Corporate Governance.

David Gebler makes some valid points in this article:
Moving in the Right Direction

How do compliance leaders move their organizations to these new directions?

1. The criteria for success of your ethics program must be outcomes-based. Merely checking off program elements, even from the seven steps of the Federal Sentencing Guidelines, is not enough to change behavior.

2. Each organization must identify its own key indicators of its culture. Only by assessing its own ethical culture can a company know what behaviors are the most influential in effecting change.

3. The organization must gauge how all levels of employees perceive adherence to values by others within the company. One of the surprising findings of the 2005 National Business Ethics Survey (NBES) was that managers, especially senior managers, were out of touch with how non-management employees perceived their adherence to ethical behaviors. Non-managers are 27 percentage points less likely than senior managers to indicate that executives engage in all of the ethics-related actions outlined in the survey.

4. Formal programs are guides to shape the culture, and not vice-versa. People who are inclined to follow the rules appreciate the rules as a guide to behavior. Formal program elements need to reflect the culture in which they are deployed if they are going to be most effective in driving the company to the desired outcomes.

While there may be some who say that a whistleblower is just a discouraged or passed-over employee, a whistleblower may also be the first sign of a corporate environment that is ready to implode. Fraud and other unethical corporate behavior are the product of poor operational risk management controls combined with the people who perpetuate the culture of dishonesty. In a recent survey by Protiviti, companies continue to admit to poor risk management practices.

Other findings of the survey:

* 43 percent of executives consider financial reporting and Sarbanes-Oxley Section 404 compliance to be very significant risks.

* 49 percent tie business success to client satisfaction, believing potential weaknesses in this area pose a very significant risk. Executives said the following risks affect their company's ability to sustain customer satisfaction: operating performance; materials procurement; business continuity; and fraud matters.

* 45 percent of executives cited information systems and IT security as potential areas of vulnerability.

08 March 2006

Vigilance is The Name of The Game...

President George W. Bush logged a victory last night when the U.S. House of Representatives renewed the USA Patriot Act, a law that gave the FBI expanded powers to investigate terrorism after the Sept. 11 attacks. Here are a few of the renewed provisions:

Section 201: Gives federal officials the authority to intercept wire, spoken and electronic communications relating to terrorism.

Section 202: Gives federal officials the authority to intercept wire, spoken and electronic communications relating to computer fraud and abuse offenses.

Subsection 203(b): Permits the sharing of grand jury information that involves foreign intelligence or counterintelligence with federal law enforcement, intelligence, protective, immigration, national defense or national security officials.

Subsection 203(d): Gives foreign intelligence or counterintelligence officers the ability to share foreign intelligence information obtained as part of a criminal investigation with law enforcement.

Section 204: Makes clear that nothing in the law regarding pen registers (an electronic device that records all numbers dialed from a particular phone line) stops the government's ability to obtain foreign intelligence information.

Section 209: Permits the seizure of voicemail messages under a warrant.

Section 212: Permits Internet service providers and other electronic communication and remote computing service providers to hand over records and e-mails to federal officials in emergency situations.

Whether you are a government or a small business, you must have a layered, defense-in-depth approach to the safety and security of your enterprise. You have to monitor insiders, gather intelligence and keep an eye on foreign competitors. Key people in your organization are key targets for a spectrum of physical, economic and digital threats. When is the last time you saw a CEO, CFO, CRO or Board Member walk down to the INFOSEC department and ask the team if they had all the tools and resources they need to do their jobs effectively?

Lumeta IPSonar is one tool that could help if they don't have it already.

The Need For Better Network Intelligence
Effectively managing risk and change has become a daily task for IT management. Rapidly evolving virus and worm threats, compliance mandates, partner relationships, outsourcer arrangements and mobile workers create a wide range of unpredictable internal and external pressures that make managing and securing your IT infrastructure a constant challenge. In this dynamic business environment, where almost everyone has a role in what connects to the network, your success depends on the ability to gather and leverage up-to-date and accurate intelligence on the operational state of the IT infrastructure.

And if they did raise their hand and say they could use some help with solutions to combat insider threats, including intellectual property leakage, vendor collusion, financial fraud and customer data loss, you would recommend they look at Oakley Networks.

The Financial and Banking industry is under daily scrutiny by regulatory bodies due to the constant stream of fraud allegations, prosecution of high profile executives, and penalties for violations of SEC, NASD, GLBA, and other regulations. One recent case involves a former trader who practiced deceptive trading as part of a “secret agreement” with a large mutual fund. Further investigation uncovered a bogus brokerage (worth $500 million) which he used to carry out ethically questionable trades.

The leaders of a medium-size community bank, a Fortune 500 pharmaceutical company and a local city government have one thing in common with George W. Bush. They realize that their people and assets are under attack and that they need all the tools and resources possible to stay vigilant. And at the end of the day, vigilance is what the US Patriot Act, or purchasing the latest IT tools, is all about.

03 March 2006

Keeping Your Business Clean...Revisited

This two-year-old article is still so true. It is worth revisiting in a more risk-management-conscious corporate environment.

Keeping Your Business Clean - CSO Magazine - June 2004

Take this quiz to test the ethical health and well-being of your business.

A COLLEGE PAL OF MINE—a corporate lawyer at a major, publicly traded company—has been watching all of the corporate-integrity meltdowns from his not-so-distant vantage point. Just for fun, he helped me devise a quiz of sorts to check out the "uprightness" of my own situation at my company. I was shocked and disturbed enough with my results to share them here (under the protection of anonymity, of course).

Maybe I'm a good Samaritan, but I care about America's corporations, and I hope our times offer an opportunity to change some thinking. Take this little corporate hygiene quiz with a few of your trusted business pals over a latte or two. And since catharsis is good for the soul, I'll share my answers with you here. I used a scale of one (not so much) to five (absolutely) to get a numerical sense of where I stood.

To start, does your business depend on a complex technical environment with significant uptime reliability?

Aren't we all increasingly reliant on a networked environment with nodes, access points and critical intersections in places that we can't see or control? Uptime reliability is important for everybody these days, but it's an expected cornerstone of businesses that feel they need to hire a CISO. I give myself a four on this one.

Does your company have operations in any country below the equator?

Many U.S. companies have core business processes located in countries below the earth's beltline. Security risks exist there that make knowledgeable security professionals twitch every time their phone rings: kidnappings, corruption, incompetent and criminal law enforcement, Internet crime, organized crime, drugs, money laundering, an overall unsafe environment with too many Foreign Corrupt Practices Act temptations. But what are you going to do? The labor is cheap and we have to be competitive. My company is moving in that direction but not there whole hog yet. So I'll give us a three on this one.

Would you characterize the velocity of your company's business as high-speed?

How about warp speed? How else can we continue to satisfy Wall Street and our fickle shareholders? We're all being pushed to do more with less. And there's so much going on in the back draft of this fast pace, I wonder what the hell else I'm missing. I'll take a five on this one. I'd take a six if it were allowed.

Do you forgo a criticality rating to identify shortcomings in business controls and security measures?

With all the open books and disclosure emphasis these days, the lawyers are really nervous about recording any risk information that could come back to haunt us. As a security professional, I've always lived with criticality ratings—it's all about the likelihood of problems we need to be prepared to address. But I know for a fact that we have no organized process for doing this across the business. In the aftermath of Sarbanes-Oxley, our auditors now rank their findings; but that's ex post facto and, besides, an audit is cyclical and periodic. This is all about what keeps knowledgeable risk managers awake at night and what we are missing. I'd better take a four (and hope for the best).

Does your corporate risk-management model discourage individual managers from seeking out vulnerabilities in the system of controls?

My company doesn't have a risk-management model, per se—and then blame is typically parceled out to the lowest common denominator. I'll take a four on this one, too. (This isn't shaping up well, is it?)

Are managers ill-informed about what to look for on control deficiencies or cues on risky behavior?

There's not a lot of sharing here, especially concerning errors or incidents. After all, who wants to shoot themselves in the foot? We have an active infosecurity awareness program, but it hasn't been integrated into any of the training and employee development programs we run on a continuous basis. HR owns management training, but it doesn't recognize that the manager's job has a core risk-management component. And what's the first question out of the CEO's mouth when it hits the fan? "Who's the manager of this disaster?" I can't vouch for manager awareness across the board. So let's score a three here.

Are there unaddressed vulnerabilities in your company's safeguards or other such exposures that could be exploited?

The fact that this question has to be included speaks volumes about the maturity of risk management. Of course there are known gaps! And it's the people who work here who know where to find the holes. The guy who is empowered to do you the most damage already works for you. The developers leave open doors in our applications, and our LAN administrators have the keys to the kingdom. There's no one place where all the data comes together to enable those of us on the firing line to see where the interconnections and interdependencies may exist. Besides, I get paid to think about "what if," so scoring anything less than a five would be dishonest.

01 March 2006

The Wild West of the New Millennium...

"Rather than engaging in a futile attempt to suppress technology, the music business should try to work with consumers. Murray writes: "The most sustainable solutions include the creation of favorable alternatives to piracy by making legitimate distribution channels more convenient." Bingo! Imagine how much more money the music industry would have made by creating pay-per-song download sites instead of paying lawyers to prosecute downloaders."

These words by Brian H. Murray were the writing on the wall in January 2004 in this article by Jonathan Jackson. Mr. Murray may have predicted the transition by the MPAA and other digital rights advocacy groups to move the industry from one of piracy to one of profits. Introduce Mr. Steve Jobs of Apple, the iPod and iTunes, and now you have your 1 billionth download. That's $0.99 x 1,000,000,000.

How could you endorse the use of technology and tools like Weblogs to create new opportunities for your enterprise? Message boards and other chat web sites have been around for a decade making online brand management a necessity for any brand conscious entity. Defending The Brand was the title of Brian Murray's book published in 2004 and it is still a component of any comprehensive risk management strategy.

Managing Intellectual Property Rights and sensitive or proprietary information is a major concern for General Counsels and Chief Marketing Officers. Making sure that trade secrets and ideas are protected is a priority. And when it comes to employees expressing their opinions about management, the watercooler and the local bar have not been enough. When message boards, web sites or blogs post comments on a company or organization, they are typically a way for discouraged, disgruntled or maybe even dangerous employees to vent their feelings.

The intersection of Civil Rights, Privacy, Cybercrime and White Collar Crime is creating a buzz. With whistleblowers sending anonymous email and posting to weblogs, and a whole new spectrum of enforcement actions, sometimes you have to step back and see the big picture. The General Public License 3.0 and Open Source have created new subjects for debate.

The Operational Risks in your organization are growing at an exponential rate. Cooperation and information sharing are still roadblocks to progress. The answers are only clear if you can see the beauty in what Mr. Murray was thinking over two years ago:

"I never cease to be amazed by the bold, clever, and unscrupulous behavior that is so common on the Internet. Through my experience defending brands, I can say with confidence that anything that you thought would never happen online is probably already going on, and anything you think couldn't possibly exist on the Internet is almost certainly there. Though it's an overused cliche, the Internet really is the Wild West of the new millennium."