18 December 2006

Scenario Vs. Resource Planning: All Hazards...

This article by Saul Midler on Scenario Planning Vs. Resource Planning recently caught our eye and for a good reason. The link between Corporate Risk Management and Operational Risk Management is Business Continuity Management. Brilliant!

More importantly, as he indicates:

The danger of undertaking an operational risk assessment before the BIA / RDA activity is that a business case may be built to remediate the biggest operational risk without realising that impact or the consequence is low. This is essentially defining a solution before identifying a problem.

Think about 9/11 where 320 companies FAILED to return to business, 2800 workers DIED and 135,000 workers lost their jobs. By contrast a number of organizations did recover and continued operations. These include:

• Cantor Fitzgerald who lost 658 staff and resumed operations two days later;
• Marsh & McLennan with 3,200 staff over 8 floors;
• Morgan Stanley with 3,500 staff over 17 floors;
• NY Port Authority with 2,000 staff over 23 floors.

New school thinking saved these organizations. No one could possibly have thought of the scenario that two airplanes could cause structural integrity failure of both World Trade Centre skyscrapers resulting in the collapse and complete destruction of the precinct. The businesses that did survive did so because they adopted a resource loss philosophy that included office facilities, technology systems and, of course, staff.

While the scenario of airplanes being used as weapons of mass destruction is not a new concept for planning purposes (in fact, it was hypothesized long before 9/11), the fact is that organizations today have adopted an "All-Hazards" mindset. As a result of the new worldview, "Business Continuity Management", as previously mentioned, has provided a much-needed conduit between Corporate Risk and Ops Risk.

What does this "All-Hazards" mentality mean for the cure to unplanned disruptions or untested scenarios? It means that you move to the proactive side of the line and away from the reactive mode that so many organizations are still coping with: the old "It will never happen to us" syndrome.

December 9th, 2006 - WASHINGTON, D.C. – Early this morning, the House approved S. 3678, the Pandemic and All-Hazards Preparedness Act authored by Senator Richard Burr. The Senate passed the bill on Tuesday. The bill will go to the President’s desk to be signed into law.

“Senator Kennedy, many of my Senate colleagues, and I have worked together for almost two years to pass this legislation. I am so pleased the House agreed to pass it before Congress adjourned and I look forward to the President signing it into law,” said Senator Burr.

“This bill will help improve our preparedness and response to emergencies and disasters be they a terrorist attack, or caused by Mother Nature,” Burr said. “It will also help improve our ability to create new drugs and vaccines to fight against emergencies like a flu pandemic.”

The ‘‘Pandemic and All-Hazards Preparedness Act’’ (S.3678) creates an additional incentive for an "All-Hazards" approach to mitigating the risks to your enterprise.

14 December 2006

Litigation Risk: Thirsty for Justice...

The big four or five or six firms have had a big run in the post-Enron era. Micro-cap companies with $75M in assets are still not subjected to SOX. What does the crystal ball say about post-Spitzer investigations as he takes on his new role as governor? Did SOX clarify the CFO's internal controls and give investors a better view into their risk portfolio?

On the eve of a highly anticipated Securities and Exchange Commission meeting that could bring about looser regulations for small businesses that have yet to comply with the Sarbanes-Oxley Act, a new study credits the 2002 law with cleaning up larger companies' internal controls and reducing the number of errors in financial statements.

In fact, the Glass Lewis & Co. report — released on Tuesday — says the number of restatements by larger companies fell 26 percent during the first nine months of 2006. The report's authors attribute this decline to the most contentious provision of Sarbox, Section 404, which requires management to attest that their company has adequate internal controls.

In parallel, the Department of Justice has issued the McNulty Memorandum, which will provide clearer guidance on the rules for federal prosecutors who want to bring charges against a company. The Principles of Federal Prosecution of Business Organizations was created as a result of intense lobbying efforts by business advocates in Washington, DC.

The new guidelines, which the department has dubbed the "McNulty memo," say that "prosecutors generally should not take into account whether a corporation is advancing attorneys' fees to employees or agents under investigation and indictment." The only exception, according to a footnote in the memo, is in "extremely rare" cases where the "totality of circumstances" show advancing fees to culpable employees was done with the intention to "impede a criminal investigation."

With respect to obtaining privileged information, federal prosecutors will have to go through a more rigorous approval process, similar to the process required of prosecutors seeking electronic wiretaps or subpoenas for reporters. For certain types of sensitive attorney-client information, such as the advice a defense attorney gave to the management of a corporation facing a fraud investigation, prosecutors are now required to obtain the approval of the Justice Department's No. 2 official in Washington -- currently McNulty.

For privileged factual material a company has obtained through an internal investigation into an alleged fraud, such as transcripts of interviews with culpable employees, prosecutors will need to obtain the approval of the local U.S. Attorney in their district, who can only sign off on such a request with the approval of the head of the DOJ's Criminal Division in Washington, currently Alice Fisher.

And just when KPMG thought they were being vindicated, they have been served with a lawsuit from Fannie Mae. When the auditors start fighting against corporate management or vice versa, the lawyers get in the middle and you can bet that hundreds of millions of dollars are at stake. In the end, there is only one winner, and it's not the investor.

11 December 2006

Privacy: Phone Records Protection Act...

Last week, HP agreed to a $14.5 million settlement in the California civil lawsuit related to the company’s spying scandal. And this week we only have President Bush to sign the "Pretexting" bill:

The U.S. Congress has wrapped up its work for the year by passing a bill that would make it illegal to obtain a person’s phone records without permission.

The Senate late Friday passed the Consumer Telephone Records Protection Act of 2006, spurred in part by revelations in September that Hewlett-Packard (HP) investigators had used deceptive means to gain access to phone records of reporters and company board members.

The bill, sponsored by Representative Lamar Smith, a Texas Republican, would make illegal the act of pretexting — tricking phone companies into giving up private records by pretending to be a customer. The bill, which passed by voice vote in the Senate, allows prison sentences of up to 10 years and fines of up to $500,000 for deceiving phone companies into handing over records such as phone logs.

As Jon Doak, the new Chief Ethics and Compliance Officer, continues in his new role at HP, it should be interesting to see how the criminal case proceeds. Corporate monitoring of its employees and suppliers will get new oversight, and the IT organization will soon be storing all e-mail metadata if it isn't already. Organizations like HP have a duty to protect their intellectual assets and trade secrets. Exactly how you implement those policies, tools and strategies calls for an effective risk assurance program that includes far more than just new awareness training.

The Private Investigation industry and Online Data Brokers who have collaborated in the past will be scrutinizing any upcoming enforcement actions to determine if the bill actually has any "teeth". Can you hear the US Attorney on the phone right now? "Set up a task force"...

07 December 2006

Basel II: Hedge Funds Risk...

Hedge fund managing partners have been looking in the rearview mirror as they see the regulators following their every move. Oversight is not just a phenomenon here in the U.S. with the SEC and our own legislators. There is another international wave of change on the horizon:

Japanese banks may be forced to cut back their investments in hedge funds to comply with a global risk regulation.

Banks, pension funds, and insurers are among the largest Japanese investors in hedge funds. Japanese investors have quadrupled their hedge fund holdings during the past five years, to $35 billion.

The March 2007 deadline for Japanese banks to comply with Basel II, a regulation that will alter the capital reserve requirements for financial institutions, is what is causing the concern. The regulation could be especially problematic for smaller Japanese institutions, which manage more than one third of the country's $6.7 trillion of assets. Those institutions may be "incapable" of managing the associated risk under the new rules, one banking executive told Bloomberg News at a conference this week.

In some cases, banks will have to hold $1 in reserve for every $1 invested. Japanese regulators have yet to announce any guidance for complying with Basel II.

Here in the United States the pressure is building to develop more systematic compliance for hedge funds to address the growing corruption and fraud schemes.

Senate Judiciary Committee Chairman Arlen Specter, a Pennsylvania Republican, is circulating draft legislation that would require hedge funds accepting pension money to register with federal regulators. Hedge funds would also be forced to set up ethics codes and compliance programs, and allow the U.S. attorney general to reward private citizens for helping in insider trading cases.

Why all of the talk about regulation and oversight? With over 8000 hedge funds now controlling over $1 trillion in assets, it won't be long before the marketing gets pushed down to just the "high net worth" individuals. Having a place for pension fund managers to get some portfolio exposure on the other end of a risk spectrum is one thing. To move the access to these investment vehicles closer to the average consumer is now the concern.

The hedge fund industry has shown few signs of major fraud, but cases of wrongdoing may rise if more of these investment vehicles are sold to mass-market savers, international financial regulators said on Monday.

The sector does not appear to have high levels of dishonesty, but some national watchdogs fear risks of fraud could rise if these funds were to become more available to retail investors, the International Organisation of Securities Commissions (IOSCO) said in a report.

Hedge funds, traditionally a secretive industry domiciled in offshore tax havens such as the Cayman Islands, have come under growing scrutiny from central banks and regulators concerned about the sector's potential impact on financial stability.

Traditionally, hedge funds have been used only by wealthy individuals or institutions such as pension funds.

"The extent of fraud relating to hedge funds varies in the member jurisdictions ... the absolute number of fraud complaints is presently not high, although some regulators perceive a risk of greater fraud in the future as further retailisation occurs," the report said.

04 December 2006

Open-Source Intel: Future Preemption...

The methods of intelligence gathering and sharing for the 17+ agencies that comprise the DNI are evolving to new Web 2.0 capabilities. In fact, they are putting these new tools to work to break down the silos and connect the dots faster than the embedded and legacy systems have been capable of in the past.

Intelligence heads wanted to try to find some new answers to this problem. So the C.I.A. set up a competition, later taken over by the D.N.I., called the Galileo Awards: any employee at any intelligence agency could submit an essay describing a new idea to improve information sharing, and the best ones would win a prize. The first essay selected was by Calvin Andrus, chief technology officer of the Center for Mission Innovation at the C.I.A. In his essay, “The Wiki and the Blog: Toward a Complex Adaptive Intelligence Community,” Andrus posed a deceptively simple question: How did the Internet become so useful in helping people find information?

Yet even those who have implemented new Web 2.0 collaboration and social networking tools to try to break through those typical information-sharing barriers have another problem: getting everyone to make the sea change and cultural shift to the use of these new tools and processes. The question is: even if you get everyone to use it, and there is nothing "Secret" in it for fear of it ever being known by the wrong person, will it work? Thomas Fingar, the patrician head of analysis for the D.N.I.:

Fingar says yes, for an interesting reason: top-secret information is becoming less useful than it used to be. “The intelligence business was initially, if not inherently, about secrets — running risks and expending a lot of money to acquire secrets,” he said, with the idea that “if you limit how many people see it, it will be more secure, and you will be able to get more of it. But that’s now appropriate for a small and shrinking percentage of information.” The time is past for analysts to act like “monastic scholars in a cave someplace,” he added, laboring for weeks or months in isolation to produce a report.

Fingar says that more value can be generated by analysts sharing bits of “open source” information — the nonclassified material in the broad world, like foreign newspapers, newsletters and blogs. It used to be that on-the-ground spies were the only ones who knew what was going on in a foreign country. But now the average citizen sitting in her living room can peer into the debates, news and lives of people in Iran. “If you want to know what the terrorists’ long-term plans are, the best thing is to read their propaganda — the stuff out there on the Internet,” the W.M.D. analyst told me. “I mean, it’s not secret. They’re telling us.”

The amount of self-publishing on "Blogs" and "Wiki" applications is here to stay, and now it is just a matter of having the right analysts using the correct tools. The point is that new search technologies and all of the "bots" and "crawlers" can try to keep up with the new content, but they are not likely to. Intelligence analysis will continue to take far more grey matter than we have people trained and able to provide. This fact alone should bring us back to square one. There is no such possibility as 100% security. Prevention and Preemption are both elusive goals and will be our "Holy Grail" for some time to come.

Today’s spies exist in an age of constant information exchange, in which everyday citizens swap news, dial up satellite pictures of their houses and collaborate on distant Web sites with strangers. As John Arquilla tells Clive Thompson, a contributing writer to the New York Times, if the spies do not join the rest of the world, they risk growing to resemble the rigid, unchanging bureaucracy that they once confronted during the cold war. “Fifteen years ago we were fighting the Soviet Union,” he said. “Who knew it would be replicated today in the intelligence community?”