29 June 2006

Turnover Risk: Emotional Intelligence Factors...

The turnover in personnel in your organization could increase your operational risk.

Freddie Mac (FRE) on Wednesday released its annual report for 2005, with Chairman and Chief Executive Richard Syron describing the year as one that brought "reason for pride" as well as "some disappointment."

Freddie Mac said elsewhere in its information statement that "we have recently experienced high employee turnover rates, which strain existing resources and contribute to increased operational risk.

"We are also assessing our standards of performance and how we enforce those standards to create a more effective culture of accountability," the firm added.


There are many examples of how strained resources and a lack of personnel contribute to the increase in operational risks. Today's search on their corporate website under careers produced 216 job postings that mention "risk" and 19 of these are operational risk. Enforcing standards of performance is another matter in itself and remains a challenge for any enterprise the size and complexity of Freddie Mac.

In the research paper Key Personnel: Identification and Assessment of Turnover Risk, by Craig Schreiber and Kathleen Carley, you can find some of the answers to this significant business issue:

Intellectual work is the central commodity of any knowledge-based enterprise. Personnel are not simply brought in to run the assets of these companies as they are for more traditional manufacturing and service based enterprises. The personnel are the assets and as such, identifying and retaining key personnel is a major concern for knowledge-based enterprise.

While this example from a study at NASA is not even close to the financial services environment from a workplace perspective, it is valid from a knowledge worker point of view. When your personnel are your assets, turnover risk can be a real and present threat. What can a CEO or Executive Management do to mitigate the growing threat of turnover in personnel?

Some of the answers may be found in "Emotional Intelligence" by Daniel Goleman.

"The airplane cockpit is a microcosm of any working organization. But lacking the dramatic reality check of an airplane crash, the destructive effects of miserable morale, intimidated workers, or arrogant bosses - or any of the dozens of other permutations of emotional deficiencies in the workplace - can go largely unnoticed by those outside the immediate scene. But the costs can be read in signs such as decreased productivity, an increase in missed deadlines, mistakes and mishaps, and an exodus of employees to more congenial settings. There is, inevitably, a cost to the bottom line from low levels of emotional intelligence on the job. When it is rampant, companies can crash and burn."


The Board of Directors may want to ask about the Emotional Intelligence of corporate management at the next board meeting and put this on the operational risk dashboard.

26 June 2006

More Aspirational than Operational...

One day we could be asking ourselves about the insight gained from understanding aspiration, and then acting upon it. In the context of effective Operational Risk Management, understanding and detecting people's aspirations are critical to the safety and security of your business.

We should be thanking Robert S. Mueller, III and his team for the preemption of what could be just one of many unknown operational plans by domestic terrorists. Here are a few words from his speech at the City Club of Cleveland on June 23rd:

It has been nearly five years since the last terrorist attack on America. Yet there is no room for complacency. As we have seen in recent months, our enemies are adaptive and evasive. They are taking full advantage of technology. They are combining their resources and their expertise to great effect. We must do the same.

Our greatest weapon against terrorism is unity. That unity is built on information sharing and coordination among our partners in the law enforcement and the intelligence communities. It is built on partnerships with the private sector and effective outreach to the public as our eyes and ears. It is built on the idea that, together, we are smarter and stronger than we are standing alone.

No one person, no one agency, no one police department, and no one country has all the answers. We may not always know where and when terrorists will attempt to strike. But we do know they will try again. And we must combine our intelligence, our technology, and our resources to stop them.

We face many challenges today, both from overseas and from those living in our midst. But we must not let terrorism change our way of life.


Being vigilant is not enough these days. You also need courage, and lots of it. The courage to have unity. Organizations are doing just that, and many are not waiting to find out if the FBI can preempt every possible plot to harm our economic way of life. Yet they are doing it in collaboration and in cooperation with people they know and trust. People they can count on to preserve and protect our corporate assets. An organization such as WashingtonDCFirst is just one example of how the private sector is working alongside the public sector to increase the resiliency of our Critical Infrastructure. And the emphasis is on resiliency because everyone has finally concluded that "protection" in itself is a zero-sum game.

People who aspire to be known for their criminal or terrorist act will continue to achieve their goal some of the time. Whether it is the lone homegrown variety or the organized and well funded class, we must remember that preemption in their aspirational phase is preferred over recovery in the operational phase. It is safe to say that regardless of the amount of money and manpower being applied to the security of the Sears Tower, it will never be enough. Bob Mueller is right. All we need is more "Unity".

22 June 2006

Protection vs. Resiliency: The New Standards for BCM...

The latest AT&T Business Continuity Study has been published and the results are surprising. Operational Risk Professionals should take note that 28 percent of the companies do not have adequate plans in place to cope with natural or other disasters.

AT&T Inc.'s fifth annual Business Continuity Survey, released Tuesday, polled about 1,000 CIOs and IT executives at U.S. companies with more than $10 million in annual revenue.

Nearly 30 percent of executives who participated in the survey said their company has suffered from a disaster. Eighty-one percent of executives said cyber security is part of their overall business plan for interruptions in 2006, up from 75 percent in 2005.

Eight out of 10 companies have revised plans in the past 12 months, including 48 percent that say they've been updated in the past six months. Of those companies with plans in place, 40 percent say they have not tested their plan in the past year.

Companies in Los Angeles, Miami, New York and Washington, D.C. were among the most prepared and made their disaster recovery plan a high priority, compared with those less prepared in Detroit, St. Louis and Seattle.


Since 40 percent of those with plans in place have not tested them in the past year, the real question is why? Is it the lack of time, or of resources and money? Is it the fear that new planning will have to take place once "Lessons are Learned"? It may be all of the above. Dr. Sean Gorman, a Ph.D. from George Mason University, has some answers that may become the standard for a "Methodology for Critical Infrastructure Resiliency."

His argument is this:

The first step in any comprehensive plan for ensuring the resilient operation and reliable delivery of services is the establishment of a methodology by which standards and metrics can be set. There needs to be a common methodology by which stakeholders can objectively quantify investment in business continuity by measuring resiliency.


His work at FortiusOne is catching the eye of venture capitalists, since the Operational Risk tools that he and his team are developing have a significant impact on any firm with Enterprise Risk Management priorities. This includes financial hedge funds as much as the large commercial retailers who have logistics, transport and supply-chain applications.

FortiusOne’s target market encompasses both the public and private sector. The former includes federal, state, local and international segments, with primary emphasis on Homeland Security, National Defense, Intelligence and Emergency Management for critical infrastructure vulnerability assessments and consequence management.

FortiusOne’s private sector market addresses risk analysis for the Banking/Financial Services, Transportation, Energy, Telecommunications, Insurance and general Supply Chain segments with primary emphasis on business continuity planning, business optimization and disaster recovery. Market size exceeds $40B and is upward trending in both public and private sectors. Recent events and consequences related to hurricane Katrina, terrorist threats and attacks, and corporate management/mis-management events have created intense interest in FortiusOne’s products and services.


An Infrastructure Resiliency Methodology provides the enterprise with the business case for investment. How do you know where to spend valuable budget dollars to get the most value for your investment in terms of increased resiliency? The fact is that you have to test, exercise and run scenario simulations to find the failures. This provides the operational impact and economic analysis that management and the Board of Directors need to authorize budgets that have a significant return.

There is more help on the way for Business Continuity Management (BCM) as PAS56 evolves into BS 25999:

BS25999 v PAS56

PAS56, published in 2003, provided a series of recommendations for business continuity management good practice. It was always intended to be the forerunner of a new standard for BCM (BS 25999). The first draft has been commented on and returned as of June 19th. If you liked what you have seen in ISO 27001 then you will see a similar approach in the next release of the Code of Practice for Business Continuity Management, BS 25999 Part 1. This standard is not intended to be a beginner's guide to BCM and will not cover the activities of emergency planning.

In this new code of practice the taxonomy is established:

Resilience: Ability of an organization to resist being affected by an incident.

The Homeland Security Advisory Council (HSAC) Critical Infrastructure Task Force is setting the policy and the pace for the future. "While protection is a necessary component of building resilience, resilience is not an inevitable outcome of strategies that focus on protection." This provides the foundation for changing our mindset from Critical Infrastructure Protection (CIP) to Critical Infrastructure Resiliency (CIR).

19 June 2006

The One Percent Doctrine: Prepared When Things Go Wrong...

The Department of Homeland Security (DHS) issued findings Friday, June 16, from a national operational risk assessment of the country’s catastrophic planning capabilities on Nationwide Catastrophic Event Preparedness. Responding to directives from President Bush and the Congress, following Hurricane Katrina, the Nationwide Plan Review looked at whether existing emergency operations plans for states and urban areas are sufficient for managing a catastrophic event. The Review also presents conclusions on actions needed by the federal government to improve and coordinate planning. Conducted in all 56 States and territories and 75 urban areas over six months, the Nationwide Plan Review was the most comprehensive assessment of emergency operations plans to date relative to planning for a catastrophic event. Reviewers examined nearly 2,800 emergency operations plans and related documents with participation from more than 1,000 emergency managers and homeland security officials. The National Plan Review findings demonstrate the need for all levels of government across the country to improve emergency operations plans for catastrophic events such as a major terrorist attack or category-five hurricane strike. After completing the assessments and findings, the reviewers also provided more detailed follow-up briefings to individual States and urban areas.

In David Suskind's new book The One Percent Doctrine we are reminded that planners need to continue to focus on the 1%. See the synopsis of his book:

Relying on unique access to former and current government officials, this book will reveal for the first time how the U.S. government - from President Bush on down - is frantically improvising to fight a new kind of war. Where is the enemy? What have been the real victories and defeats since September 11? How are we actually fighting this war and how can it possibly be won?

Little, in fact, has been revealed about the nature of this struggle and the methods being used. This book will change all that. Readers will, for the first time, see harrowing close calls in America where thousands of lives have been saved - and learn how terrorists have artfully adapted to America's early successes in capturing al Qaeda operatives.

Suskind will show readers what he calls "the invisible battlefield" - a global matrix where U.S. spies race to catch soldiers of jihad before they strike. It is a real life spy thriller with the world's future at stake.

Suskind's report is filled with astonishing disclosures and will profoundly reframe the debate about a war that, each day, redefines America and its place in the world.


Do you think you're spending too much time with your team planning and training? You haven't. Success in your organization doesn't happen because everything goes according to the plan. It happens because you were prepared when things go wrong. The organizations whose team has planned for every possible scenario and trained together in live simulations will become the most successful. Their missions will be accomplished on time and within budget.

Incidents of different severity and frequency are happening around you and your organization every day. Would your employees know what an incident looks like, let alone know what to do next to mitigate the risk to them and the organization?

Even if Mr. Suskind's new book is critical of the US Government, the combination of the DHS findings and looking in our own corporate mirror of preparedness should be enough to get most executives rethinking their resource allocations for the current and future budget for planning, rehearsing and exercising for catastrophic events.

15 June 2006

Board of Directors: Beware of Reputation Risk...

How do Board Directors understand risk, versus how their companies manage risk? A recent study by The Conference Board entitled "The Role of the US Corporate Board of Directors in Enterprise Risk Management" finds the answers:

“When we asked directors personally, many said they approach risk on a case-by-case basis in connection with a specific strategic issue such as a merger or acquisition or the entrance into a new market. This may not constitute a sufficiently robust process to satisfy directors’ fiduciary responsibilities.”

The new research found significant differences in how directors understand risk and how their companies manage risk. Moreover, directors may have more of a top-down understanding of risk. The Conference Board study finds: Although 89.5 percent of directors say they fully understand the risk implications of the current strategy,

- Only 77.4 percent of directors say they fully understand the risk/return tradeoffs underlying the current strategy.

- Only 73.4 percent of directors say their companies fully manage risk.

- Only 59.3 percent of directors fully understand how business segments interact in the company’s overall risk portfolio.

- Only 54.0 percent have clearly defined risk tolerance levels.

- Only 47.6 percent of boards rank key risks.

- Only 42 percent have formal practices and policies in place to address reputational risk.

Directors are, however, sensitive to the need for additional information:

- While 71.8 percent of directors believe they have the right risk metrics and methodologies in making strategic decisions, 47.6 percent of directors would like to see more data analysis related to the company’s risk profile.


The good news is that almost half of those surveyed think that they need more data analysis to determine the company's true risk profile. The bad news is that the same proportion of boards actually rank their risks. This means that half of those surveyed do not rank their risks. Is this possible?

Certainly these organizations are measuring risk. They have tools and systems to gather the data and to analyze it. They have some kind of Risk Model to assist in the ranking of those areas that have high impact and high exposure. These are the areas of risk in the upper right quadrant, correct?

The report is authored by Carolyn Kay Brancato, Matteo Tonello, and Ellen Hexter of The Conference Board. These findings are based on a comprehensive research effort on the topic that incorporated personal interviews with 30 board members, analysis of Fortune 100 board committee charters, and a broad survey of 127 board members. The report has not yet been released, but is forthcoming.


It seems that, at least with this small number of board members surveyed, the topic of Reputational Risk is still a mystery, as 58% say they still don't have a policy in place. In Brian Murray's book Defending the Brand, the introduction says it all:

Digitalization and the convergence of networked communications mediums have forever changed the way we live and conduct business. Broadband and wireless technologies, networked appliances, and multipurpose consumer devices promise to embed digital networks even deeper into our everyday routines. Unfortunately, while such technological advances have created fantastic opportunities, they have also facilitated new, unscrupulous business tactics and provided a haven for criminals who thrive on the victimization of corporations and consumers alike.


Boards of Directors who are not taking "Reputation Risk" seriously may have more work ahead of them. Protecting your assets goes well beyond the surveillance cameras and the clear presence of armed guards. 9 out of 10 incidents that impact corporate reputation will begin with information. And it may end with that information being in the hands of those who will exploit you with piracy, fraud, counterfeiting and deceit. Mr. Murray is correct when he says: "Fierce competition and economic pressures have exacerbated the situation as ethics fall by the wayside in the struggle for profits and survival."

12 June 2006

Outsourcing: New Consideration for Protecting Trade Secrets...

In a recent dialogue at an industry conference, the topic one afternoon focused on "outsourcing information-based services". The fifty or so executives came from some of America's largest companies and most valuable brands, including Nike, Starbucks, Wells Fargo, Microsoft and Visa.

As the discussion turned to the information security and intellectual property concerns, the mood began to change. Should we be engaging in offshore and outsource contracts with companies who are not based in the United States? What about the rule of law in those countries? And that is when this hand went up. It was more of a comment and less of a question:

"Any US company considering an outsourcing relationship with a foreign counterpart or business entity needs to revisit The Economic Espionage Act of 1996. The theft of trade secrets and corporate espionage is the number two issue at the FBI and for good reason. Unknown to many, our trade secrets, brands, ideas, formulas, algorithms and software code are being stolen by criminals all over the globe and right under our noses." The problem begins with a naivety or ignorance of the current definition of Trade Secret:

The definition of the term "trade secret" under the EEA is very broad. As defined at 18 U.S.C. § 1839, it includes, generally, all types of information, however stored or maintained, which the owner has taken reasonable measures to keep secret and which has independent economic value:

(3) the term "trade secret" means all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if --

(A) the owner thereof has taken reasonable measures to keep such information secret; and

(B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.


The most recent numbers on the impact on the US economy are staggering:

Economic Espionage is as real a threat as terrorism or global warming. But it is subtle, insidious and stealthy. Even if the United States finds the will to come to grips with the many threats it faces, this silent, invisible hemorrhaging of intellectual know-how and trade secrets could deliver the death blow to our pre-eminent place in the global economic world before we even wake up to the magnitude of the danger.

According to the U.S. Commerce Department, intellectual property theft is estimated to top $250 billion annually (equivalent to the impact of another four Katrinas), and also costs the United States approximately 750,000 jobs, while the International Chamber of Commerce puts the global fiscal loss at more than $600 billion a year. But both estimates appear to be woefully underestimated; by some other estimates, there was over $251 billion worth of intellectual property lost or illegal property seized in August 2005 alone.


In the pursuit of saving a few percentage points in profitability, we could actually be losing money. Boards of Directors are looking at results, and Wall Street demands that you get a handle on volatility. The group of savvy executives acknowledged that operational risk does soar when vital transaction processing is carried out abroad. However, it is a risk accepted for various types of outsourced operations. The question remains: how many US companies have software code for their applications being developed across the globe, for the benefit of our own economy? In your next meeting with your CISO, CIO or head of Risk Management, read the latest intel on intellectual property theft and discuss it with your General Counsel. Make sure you have a sound outsourcing plan and the countermeasures to keep your precious zeros and ones safe and secure. It's an issue of national security as much as it is a strategy to boost the corporate bottom line.

09 June 2006

The Modernization of Investigative Techniques Act (MITA)

As the Canadian terror plot unfolds, financial district operational risk managers and contingency planners are hard at work. Targets including the Toronto Stock Exchange, an unspecified military installation and the headquarters of the Canadian Security Intelligence Service were at the center of the plan.

The Royal Canadian Mounted Police announced Saturday that authorities had foiled a terrorist attack and said 12 men and five teenagers had obtained 3 tons of ammonium nitrate fertilizer, three times the amount used in the 1995 Oklahoma City bombing that killed 168 people.

But some police later said that although the suspects had sought to obtain ammonium nitrate, they actually had been delivered a safe substance instead during a sting last Friday.

According to court documents cited by the Canadian Broadcasting Corp., 20-year-old Zakaria Amara led efforts to buy enough ammonium nitrate through sellers on the Internet to make three truck bombs and had obtained a remote triggering device that investigators found at his home in Mississauga, just west of Toronto.


And the legislators are now listening to the Royal Canadian Mounted Police (RCMP) and other risk managers about reviving the "Modernization of Investigative Techniques Act" (MITA). Even though this plot was interdicted, there may be backup operations in place. This new bill will give investigators greater tools to do their job and keep Canadians from the same fate as those in Oklahoma City and New York. In both cases, an ammonium nitrate truck bomb was used to inflict hundreds of casualties and hundreds of millions in lost property.

Police have credited Internet surveillance with playing a key role in last week's arrests of 17 terror suspects who are alleged to have plotted attacks in Toronto and Ottawa.

Police and intelligence officials have insisted that their technological capabilities have not kept pace with new technologies used by terrorists and organized crime, and have asked for the law to require telephone and Internet networks to build in quick and easy access for wiretaps and surveillance.


The Modernization of Investigative Techniques Act (MITA) is intended to ensure that telecommunications service providers build and maintain an interception capability on their networks that allows for the lawful interception of communications by law enforcement agencies and the Canadian Security Intelligence Service (CSIS).

Similar legislation is already in place in many countries including the United States, the United Kingdom, France, Germany and Australia. This Act will also require service providers to provide subscriber contact information upon request and in accordance with strict privacy safeguards.


08 June 2006

ID Theft: "Data Encryption Utilized on Premises"

Now that data theft has hit the US military, not just veterans, agency CIOs and CSOs will be in the operational risk hot seat.

Personal information stolen from the home of a US government employee included data on 2.2 million military, officials said on Tuesday.

It was previously thought the data only related to some 26 million veterans.

The Department of Veterans Affairs (VA) said as many as 1.1 million on active service, 430,000 National Guardsmen and 645,000 reservists may be affected.


The lawsuits have started, and they are asking for $1,000 for each person affected. That's just the beginning. The Inspectors General and the auditors will be ramping up this season to make sure nothing like this happens again. Unfortunately, it will. As information becomes the most valuable target for theft, criminals will cease robbing banks and homes for cash and credit cards and just steal computers and hard disk storage. Recent news has shown that banks are being broken into and nothing but the computers are stolen. Prominent business executives or government workers who may also have that valuable information on their laptops may soon be at greater risk of home invasion.

What is the answer to try to deter this wave of crime? Deterrence for the information itself. While many have objected to the value of encryption, or of encrypting data, because it's too expensive, hard to administer or slows down the process, now it may be a more relevant option. See PGP to learn more.

Mobile computers are quickly emerging as the industry standard for increasing user productivity and efficiency. The portable nature of these devices also increases the possibility of loss or theft. Operating system login authentication alone cannot protect sensitive data on disks. If a system is ever stolen or lost, an enterprise may be exposed to significant risk of financial loss, legal penalties, and brand damage.

PGP Whole Disk Encryption for Enterprises locks down the entire contents of a laptop, desktop, external drive, or USB flash drive, including boot sectors, system files, and swap files. Encryption runs as a background process that is transparent to the user, automatically protecting valuable data without requiring the user to take additional steps.


Sometime soon the warning signs on the front lawn or on the bank door will say:

"Data Encryption Utilized on Premises"


05 June 2006

Backdating: What is your E-Discovery Readiness Factor?

There is additional volatility in the wind as the SEC steps up investigations of "Stock Option" grants prior to August of 2002. The focus is on backdating of grants to executives and whether the grant dates were backdated to a time when the stock price was at its lowest. Stock option grants are to be priced with an exercise price that equals the current price of the stock. "Backdating" is the intentional setting of the grant date to a point in the past when the price was lower, so as to increase the gain upon exercising.

In general, government probes are being launched to determine whether the grants were backdated to a point shortly before the company announced good news, so option holders could capitalize on a lower market value. Although the practice is considered controversial by many investors, backdating is legal if disclosed in regulatory filings, allowed by the company's own policies, and accounted for properly.

Six of the 22 companies named in the Moody's report are rated by the agency. They are: Affiliated Computer Services, American Tower, Caremark Rx, Jabil Circuit, Juniper Networks, and UnitedHealth Group.


What are the implications?

Accounting restatements to start with. Tax issues to follow. Even the resignations of senior executives in the midst of a continuing investigation by the SEC and Justice Department. The fact is that backdating is a credit risk on paper. It is an Operational Risk in behavior.

Be prepared to produce all relevant records upon receipt of the discovery request. Even the most proactive organizations are already doing their own internal reviews before the financial auditors ask for this information. Send a message to all relevant personnel responsible for the information archives to be ready to produce the documents on all stock option grants for new hires and executives who receive regular grants as part of their total compensation.

Compensation committees will soon be dictating that future option grant dates be timed for the "open window" after earnings announcements. This will increase the confidence that executives are not getting special treatment upon hiring or for annual performance bonuses. Look to the savvy organizations to also time their annual performance reviews with employees so that any other stock option grants are made in the next calendar "open window".

Caremark Rx Inc. shortchanged investors by granting senior executives backdated stock options, allowing them to buy shares at artificially low prices and exposing the company to costly legal actions.

That's according to a shareholder derivative lawsuit filed against the company in federal court here.

The company denies that any backdating of options occurred.


The plaintiff threat is now gaining momentum, and it would be in the interest of most high-profile companies to recheck their "E-Discovery" Readiness Factor. The documents produced five or six years ago will no doubt be under the magnifying glass of the auditors and investigators in the weeks and months ahead.