30 June 2007

Enterprise Resilience: Compete or Die...

Enterprise Resilience is the road to competitiveness. It is the global answer for many of the Chief Security Officers (CSOs) who have faced the troublesome battle of selling more "Fear and Doubt" to the CEO. When Deborah Wince-Smith stood up on the stage at the 21st Annual Security Briefing at OSAC last November 16th, 2006, her words were music to our ears:

It is undeniable that the world has gotten more risky. Businesses now function in a global economy characterized by increasing uncertainty, complexity, connectivity and speed. Managing this rapidly changing risk landscape is an emerging competitiveness challenge—a challenge that demands resilience: the capability to survive, adapt, evolve and grow in the face of change. The Council on Competitiveness is proud to offer this report, which promotes a strategy of resilience for both the public and private sectors, a strategy with clear benefits for our companies’ competitiveness and our nation’s homeland security.

Globalization, technological complexity, interdependence, and speed are fundamentally changing the kind of risks and competitive challenges that companies—and countries—face. Failure, whether by attack or accident, can spread quickly and cascade across networks, borders and societies. Increasingly, disruptions can come from unforeseen directions with unanticipated effects. Global information and transportation networks create interdependencies that magnify the impact of individual incidents. These new types of risk demand new methods of risk management.

Was this a way for the Chief Security Officers of the Fortune 500 to finally shift their thinking from protection to something less macho? How could "Resilience" become a platform for a mindset shift to justify new funding? After all, now we aren't trying to scare people with the low probability high impact incidents anymore and are focusing on the high probability incidents that may have enough impact to cause a significant business disruption. What are the incidents and areas of risk that insurance won't touch these days? If the insurance companies can write the policy to give you peace of mind, then is this necessarily an area that you can ignore because you have transferred the risk to someone else? Maybe not.

Being agile, ready and capable of a quick recovery is what competitiveness is all about, on the field, on stage or around the table in the Board Room. Working towards control and protection while fear builds in the back of your mind makes you stiff, depletes your energy and creates doubt. And when you are operating a business or standing on the tee of your first sudden death hole on any PGA weekend, you better have resilience.

The business equivalent to homeland security and critical infrastructure protection is operational risk management—a domain that many executives see as the most important emerging area of risk for their firms. Increasingly, failure to plan for operational resilience can have “bet the firm” results.

Back in 2000, the Meta Group (now owned by Gartner) did a study on the cost of an hour of computer downtime by industry group. These numbers are now seven years old:

  • Energy - $2.8
  • Telecommunications - $2.0
  • Manufacturing - $1.6
  • Financial Institutions - $1.4
  • Information Technology - $1.3
  • Insurance - $1.2
  • Retail - $1.1
  • Pharmaceuticals - $1.0
  • Banking - $0.996

We all know that it costs lots of money to have any systems downtime, which is why so many dollars have been invested in Disaster Recovery (DRP) and other Business Continuity Planning (BCP). Yet is this the kind of resilience that is going to make you more competitive to seize more opportunities? The economics of resilience are more than investing for the likely or unlikely information systems incident that will attack your organization tomorrow.

The threat of Tort Liability and the loss of reputation is top of mind these days with every major global company executive. The threat is real and increasing at a faster rate than many other real operational risks to the enterprise. Litigation from regulators, class actions and competitors has given the term Legal Risk new emphasis and meaning.

Once corporate management understands the need for a "resilience" mentality in place of a "protection" mental state, a new perspective is found. Investing in the vitality, agility and competitive capabilities of the organization sounds and is more positive. It alleviates the fear of doom and gloom and inspires newfound innovation. The future of your organization's longevity and its adaptability can be achieved with a new perspective. Compete or die.

Enabling Global Enterprise Business Resilience is just the beginning...

22 June 2007

Private Equity: Nexus of Risk...

In recent comments in the mainstream security media we have heard that convergence is over. This means that the arguments over whether convergence is a highly debated topic are over, not that convergence has stopped occurring. In fact, it is speeding up with M & A activity and the private equity surge to buy and sell large global enterprises.

Why would a company like Blackstone Group do an MBO with a company like Intelenet Global Services? Convergence in information technology is still happening under the umbrella of Business Process Outsourcing (BPO) at a rapid pace. More layoffs and elimination of redundant data centers, call centers and customer service centers is a tremendous business. Especially when you are trying to gain control, slice up and sell companies like SunGard, Nielsen and other significant investments in critical infrastructure. It's going to be a deja vu moment any time soon. When you are operating a private equity firm with so many facets you require special people with power to give you advice. That is why Paul O'Neill is only a phone call away from the Senior Managing Directors at BX.

What kind of Operational Risks are happening within the portfolio of private equity firms like Blackstone as they try to achieve economies of scale and convergence? The same kind that exist within any organization that is focused on convergence and divergence of information simultaneously. Centralize telecom and decentralize risk management to the business units. Centralize information processing and decentralize access through mobile devices. The list goes on.

Execution, Delivery & Process Management

Losses from failed transaction processing or process management, from relations with trade suppliers and vendors. This includes:

  • Transaction Capture, Execution & Maintenance: Miscommunication; Data entry, maintenance or loading error; Missed deadline or responsibility; Model / system misoperation; Accounting error, entity attribution error; Delivery failure; Collateral management failure; Reference data maintenance
  • Monitoring & Reporting: Failed mandatory reporting obligation; Inaccurate external report (loss incurred)
  • Customer Intake & Documentation: Client permissions / disclaimers missed; Legal documents missing / incomplete
  • Customer / Client Account Management: Unapproved access given to accounts; Incorrect client records (loss incurred); Negligent loss or damage of client assets
  • Trade partners, non-client vendor misperformance and vendor disputes

Business Process Outsourcing (BPO) and Business Process Management (BPM) are being hailed as the answer to mitigating much of the operational risk exposures. It is also about creating newfound synergies and elimination of redundant systems in order to drive greater return on investment. Yet all of the enterprise architecture, IT reengineering and Six Sigma / Lean will not change the current and impending threat to our interdependent Internet Protocol (IP) linked economy.

John Schwartz from the New York Times highlights the reality of the possibility of an Internet Armageddon. "ANYONE who follows technology or military affairs has heard the predictions for more than a decade. Cyberwar is coming. Although the long-announced, long-awaited computer-based conflict has yet to occur, the forecast grows more ominous with every telling: an onslaught is brought by a warring nation, backed by its brains and computing resources; banks and other businesses in the enemy states are destroyed; governments grind to a halt; telephones disconnect; the microchip-controlled Tickle Me Elmos will be transformed into unstoppable killing machines."

Private sector companies that are owned or controlled by large private equity and alternative investment hedge funds may be even more at risk and the target of both nation state (China) and non-state actors (Al-Qaeda in Europe). Getting access to the information on the future plans, strategy and architecture of protecting critical infrastructure companies is a priority for those who wish to wage a simultaneous salvo of both digital and physical attacks.

A major hurdle that nations face in defending their critical infrastructures is working with the entities that actually own their countries' telecommunications networks, electrical grids, and transportation systems. This is a major issue in the United States, given that the private sector owns more than 85% of the critical infrastructure and doesn't take kindly to government demands that shareholder money be invested in protection rather than expansion.

Cooperation between government and private-sector critical infrastructure owners is essential. "When it comes to information warfare, corporations in general are no match for a trained [enemy] intelligence officer," David Drab, a 27-year veteran of the FBI who retired in 2002 and is now principal for information content security with Xerox Global Services, said in an interview. These officers have an objective, they have resources, and often they have the element of surprise on their side, he added.

Acceleration of private equity investments puts control of managing the vital lifeblood of information into the hands of Senior Managing Directors, CIOs and Project Managers at the BPO third parties. The nexus of thinking from these participants is to do whatever it takes to converge operations and eliminate redundancy. One can only hope that they are coming together to discuss the same topics as other large financial institutions. The East Coast Buildings Plot is just one example of why this is imperative.

In publicly released statements, bin Laden has also stressed his “policy” of “bleeding America to the point of bankruptcy.” And an excerpt from the Al Qaeda publication Sawt al-Jihad states:

“If the enemy has used his economy to rule the world and hire collaborators, then we need to strike this economy with harsh attacks to bring it down on the heads of its owners. If the enemy has built his economy on the basis of open markets and free trade by getting the monies of investors, then we have to prove to these investors that the enemy's land is not safe for them, that his economy is not capable of guarding their monies, so they would abandon him to suffer alone the fall of his economy.”

19 June 2007

FACTA: The Writing is on the Wall...

Now that the financial community is wiping their brow with a sigh of relief on this latest Supreme Court ruling, what can a General Counsel or Chief Risk Officer expect? Will the adversarial train of plaintiff suits slow down and come to a halt? Not likely.

The U.S. Supreme Court's ruling that blocks investors from suing Wall Street investment banks under antitrust laws could save Wall Street firms a bundle by limiting investors to smaller recoveries.

In a case dating back to the dot-com bubble, the high court ruled Monday that antitrust suits would pose a "substantial risk" to the securities market. Damages in antitrust cases are tripled, in contrast to penalties under the securities laws.

The ruling struck down a lower court decision that would have allowed investors to go after Wall Street firms that they say engaged in anticompetitive practices by conspiring to drive up prices on about 900 newly issued stocks in the late 1990s.

Because the well-documented implosion of names like Enron Corp. swallowed any serious money that investors might hope to recover from that and other flame-outs, some investors have turned to the banks and other Wall Street regulars such as accounting firms that did work for such companies.

Wall Street institutions in the case before the Supreme Court were Credit Suisse Securities (USA) LLC, formerly Credit Suisse First Boston LLC; Bear, Stearns & Co. Inc.; Citigroup Global Markets Inc.; Comerica Inc.; Deutsche Bank Securities Inc.; Fidelity Distributors Corp.; Fidelity Brokerage Services LLC; Fidelity Investments Institutional Services Co. Inc.; Goldman, Sachs & Co.; The Goldman Sachs Group Inc.; Janus Capital Management LLC; Lehman Brothers Inc.; Merrill Lynch, Pierce, Fenner & Smith Inc.; Morgan Stanley & Co. Inc.; Robertson Stephens Inc.; Van Wagoner Capital Management Inc.; and Van Wagoner Funds, Inc.

These institutions may not have "Anti-Trust" anxiety from the Supreme Court any longer, yet there are plenty of other Operational Risks on their minds. Namely, International Fraud.

In an era of data warehousing, metadata management, business process management and the looming Basel II Accord there are plenty of conversations about what to do about fraud and other regulatory compliance. Multi-factor authentication for online banking systems is not a trivial matter when it comes to Enterprise Risk Management. Is the customer service organization ready for the upgrade? Is the consumer going to be confused about the questions they are being asked to get access to their latest online credit card statement? What is my customer "churn" factor? In other words, how many of my customers are jumping ship as a result of the operational risks that have turned their loyalty into consumer-driven class action fraud litigation?

An International Banking Fusion Center is on the horizon and it's not too far from the same justification that addresses Know Your Customer (KYC) and the financing of terrorism.

According to one study respondent, "Organizations are secretive of fraud losses and that inhibits our ability to work together."

"The sharing of intelligence is key to being able to take advantage of the predictability of fraud," First Data's Barwell continues. "Banks are sitting on valuable data that, if analyzed innovatively, could provide fraud intelligence worth sharing. One major bank has shown that if their internal client databases across business lines and geographies are analyzed using sophisticated link analysis tools, spurious networks of accounts can be uncovered and, when fully investigated, could uncover organized networks of first-party fraud accounts."

Barwell adds that several U.S. banks have expressed interest in taking the "quantum leap" to true data sharing.
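The link analysis Barwell describes can be sketched as a connected-components search over accounts that share contact or device identifiers across business lines. This is an added example, not code from the post, First Data or any bank; the record fields, thresholds and sample rows are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records from three hypothetical business lines.
RECORDS = [
    {"account": "CARD-1001", "line": "cards", "name": "A. Rivera",
     "phone": "(555) 010-2233", "address": "12 Elm St Apt 4", "device": "dev-aa1"},
    {"account": "DEP-2001", "line": "deposits", "name": "B. Chen",
     "phone": "555-010-2233", "address": "98 Oak Ave", "device": "dev-bb2"},
    {"account": "LOAN-3001", "line": "lending", "name": "C. Osei",
     "phone": "555 010 7788", "address": "98  oak ave", "device": "dev-cc3"},
    {"account": "CARD-1002", "line": "cards", "name": "D. Patel",
     "phone": "", "address": "7 Pine Rd", "device": "dev-cc3"},
    {"account": "DEP-2002", "line": "deposits", "name": "E. Novak",
     "phone": "555-010-9000", "address": "41 Birch Ln", "device": "dev-ee5"},
    {"account": "CARD-1003", "line": "cards", "name": "E. Novak",
     "phone": "5550109000", "address": "41 Birch Ln", "device": "dev-ee5"},
    {"account": "LOAN-3002", "line": "lending", "name": "F. Haddad",
     "phone": "555-010-4141", "address": "3 Cedar Ct", "device": ""},
]


def normalize(field, value):
    """Canonicalize an identifier so formatting differences do not hide a link."""
    if not value:
        return None
    if field == "phone":
        return re.sub(r"\D", "", value) or None
    return re.sub(r"\s+", " ", value).strip().casefold()


class UnionFind:
    """Disjoint-set structure used to merge accounts into linked groups."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def linked_clusters(records, link_fields=("phone", "address", "device")):
    """Group accounts that share any normalized identifier, directly or transitively."""
    uf = UnionFind()
    first_seen = {}  # (field, normalized value) -> first account seen with it
    for rec in records:
        uf.find(rec["account"])
        for field in link_fields:
            value = normalize(field, rec.get(field))
            if value is None:
                continue  # a missing identifier must never link accounts
            key = (field, value)
            if key in first_seen:
                uf.union(first_seen[key], rec["account"])
            else:
                first_seen[key] = rec["account"]
    groups = defaultdict(list)
    for rec in records:
        groups[uf.find(rec["account"])].append(rec["account"])
    return [sorted(g) for g in groups.values()]


def suspicious_clusters(records, min_accounts=3, min_names=2, min_lines=2):
    """Flag clusters with many accounts, several names and several business lines.

    One customer holding two products forms a cluster too, so cluster size
    alone is not a signal; the thresholds are assumptions to tune per bank.
    """
    by_account = {r["account"]: r for r in records}
    flagged = []
    for cluster in linked_clusters(records):
        names = {by_account[a]["name"].casefold() for a in cluster}
        lines = {by_account[a]["line"] for a in cluster}
        if (len(cluster) >= min_accounts and len(names) >= min_names
                and len(lines) >= min_lines):
            flagged.append({"accounts": cluster, "names": sorted(names),
                            "lines": sorted(lines)})
    return sorted(flagged, key=lambda c: c["accounts"])


if __name__ == "__main__":
    for cluster in suspicious_clusters(RECORDS):
        print(cluster)
```

No single business line sees more than two of the four linked accounts in the sample; the cluster only appears once the records are pooled. A flagged cluster is a lead for investigation, since households and shared offices produce the same pattern.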

The International Language of Fraud

"In the last eight to 10 years, fraud has really gone international," says Steve Baker, director of the Midwest region of the Federal Trade Commission (FTC). The FTC maintains a Consumer Sentinel database that includes more than 3.5 million consumer fraud complaints and is accessible to more than 3,000 law enforcement agencies internationally. In 2006, 22 percent of the reported fraud was cross border.

So What? What does information sharing have in common with:

International fraud, Identity Theft and the risk of litigation within the banking or credit card industry. Now the bankers want to sue the retailers and recover losses for the lack of privacy and security controls at the retailers. Since December 2006, plaintiffs’ class action firms in California and elsewhere have filed over 200 nationwide class actions in federal court against a broad spectrum of retailers and restaurants alleging violations of the Fair and Accurate Credit Transactions Act ("FACTA"). In addition to California federal courts, FACTA cases have been filed recently in federal courts in Pennsylvania, Illinois, New Jersey, Nevada, Maryland and Kansas.

13 June 2007

ID Theft: The Innocent Insider...

If you were a betting person you might think that the threat of 1 Million Botnets is a greater Operational Risk than a "lone wolf insider". What is the likelihood that one person will impact your business and disrupt your operations vs. the power of thousands of rogue computers unleashing a salvo of malicious code or denial of service attacks on your institution?

A botnet is a collection of compromised computers under the remote command and control of a criminal “botherder.” Most owners of the compromised computers are unknowing and unwitting victims. They have unintentionally allowed unauthorized access and use of their computers as a vehicle to facilitate other crimes, such as identity theft, denial of service attacks, phishing, click fraud, and the mass distribution of spam and spyware. Because of their widely distributed capabilities, botnets are a growing threat to national security, the national information infrastructure, and the economy.

“The majority of victims are not even aware that their computer has been compromised or their personal information exploited,” said FBI Assistant Director for the Cyber Division James Finch. “An attacker gains control by infecting the computer with a virus or other malicious code and the computer continues to operate normally. Citizens can protect themselves from botnets and the associated schemes by practicing strong computer security habits to reduce the risk that your computer will be compromised.”

Yet there are individuals within your own organization who lie in wait, innocently, for the right timing and the right vulnerability to be exploited. They have been unknowingly planning and operating undercover for years and are masters at evading detection. In the Executive Suite, the "Bot" may operate in the background or under the radar of management audits and risk management control mechanisms. So how do you catch them or at least detect their presence? Send everyone on vacation.

When was the last time you had the fraud investigators training the internal auditors? When did you last utilize a "True" Independent outside advisor, investigator or consultant to assist your CISO in early detection? If you have 10,000 employees, 99.x% of these employees are hard working and honest people without any hidden agenda to bring harm to the organization or individuals inside the company. However, not all who would bring harm to you are stealing money or other physical assets from the warehouse. We aren't talking about a few items from the office supplies closet or a case of beer from the 7-11.

We are talking about the one employee who is operating a "Botnet" from behind the walls of your Fortune 50 company. Do you have anyone sharing pictures or music in the executive suite without you detecting it?

We define peer-to-peer, bot, and botnet below.

  • peer-to-peer - A peer-to-peer network is a network in which any node in the network can act as both a client and a server.
  • bot - A bot is a program that performs user centric tasks automatically without any interaction from a user.
  • botnet - A botnet is a network of malicious bots that illegally control computing resources.

Some definitions of peer-to-peer networks require no form of centralized coordination. Our definition is more relaxed because the attacker may be interested in hybrid architectures. Our definition of a bot is not inherently malicious. However, the malicious nature of a bot is implicit under some contexts. Finally, we do define a botnet to be malicious in nature.

The case study of the Trojan.Peacomm bot demonstrates one implementation of peer-to-peer functionality used by a botnet. That "Lone Wolf" in your organization could be your innocent administrative secretary and they don't even know it.

10 June 2007

The New New Math: Corporate Responsibility...

The "New New Math" (N2M) is the evolution of economics and return on investment in the modern day organization. Is it a hybrid equation of a previously published and patented algorithm? An upside-down or inside-out way of justifying new resources, or just new emphasis on the latest shareholder suit? The N2M is something all too often found in the most successful corporations across the globe and it's starting to see the light of day as a result of increasing Operational Risks.

Another way of looking at and understanding the "New New Math" for investment can be found in the roots of what some would say is just good old fashioned Corporate Social Responsibility (CSR):

Corporate Social Responsibility (CSR) is a concept that organizations, especially (but not only) corporations, have an obligation to consider the interests of customers, employees, shareholders, communities, and ecological considerations in all aspects of their operations. This obligation is seen to extend beyond their statutory obligation to comply with legislation.

CSR is closely linked with the principles of Sustainable Development, which argues that enterprises should make decisions based not only on financial factors such as profits or dividends, but also based on the immediate and long-term social and environmental consequences of their activities.

So the N2M on Return on Investment is now being considered across the enterprise and in Board of Directors meetings. ROI discussions are shifting away from the typical GAAP dialogue and are more directed at whether new strategic initiatives are "The Right Thing To Do." When you have executives nodding their heads in the meeting about making positive decisions to invest millions of dollars in corporate initiatives based upon a "The Right Thing To Do" justification, you are experiencing the "New New Math" (N2M).

Making strategic decisions on CSR and N2M is quickly becoming the emotional reasoning and rationale for many corporate enterprise investments. Measuring the ROI doesn't always come in a percentage of dollars invested or a normal way of thinking about getting a return. Many times the executives who champion these initiatives have an underlying reason for doing so that reaches into their personal lives. So when you invest in more robust security for the company or significant programs to increase the protection for key employees, that ultimate driver could be as simple as losing a fellow colleague to kidnapping or the latest lawsuit.

How your organization is perceived internationally may dictate the degree of risk for your traveling executives. The attack on an employee may be an attack on your "Brand" and what the general public believes that you stand for, in the "mind's eye" of the media blur.

Why us?
Where businesses are the target of terrorism, it is usually because of what they represent, rather than anything they do or don’t do themselves. Global brands can assume symbolic significance for terrorists. The US National Counterterrorism Center’s list of significant terrorist events describes 24 attacks on McDonald’s restaurants between 1993 and 2005 worldwide.

Of the minority where responsibility was claimed, motivation for the attacks included nationalism, anti-globalisation, religion and Marxism – but in each case the perpetrators objected to the restaurant as a symbol of America, not a purveyor of products. Mr Jenkins notes that, before 9/11, the two best correlated predictors of whether a US firm would suffer an attack were size and familiarity to the public – corporate behaviour, even philanthropy, was inconsequential. Added to this is the very real possibility of risk displacement: business targets are often easier to hit than government facilities or sites.

Attacks on your organization or employees don't always have to take a violent twist. Many times these are orchestrated under the cloak of a "personal scandal" or even the filing of a civil Intellectual Property litigation. Legal Risk is a consistent threat to the enterprise and is often by far the most effective way of bringing down the house in terms of putting a cloud of uncertainty and speculation about a company that may be in a competitor's "cross hairs."

A week after the public learned of Qualcomm Inc.'s bombshell admission that it withheld potentially thousands of important documents in a high-stakes patent trial against Broadcom Corp., many in the intellectual property community are still buzzing about the gaffe.

The case is even more striking because the attorney who has publicly apologized for Qualcomm's error has a strong reputation in his field, as does his firm. Yet several attorneys say it's still too early to assign blame for the error.

"Whenever there are accusations of concealment of evidence and they prove to be true, there definitely is going to be harm to the lawyers and the parties," said Anup Tikku, an IP associate with Kirkpatrick & Lockhart Preston Gates Ellis, who has followed the case closely. "What I find difficult to understand is how Qualcomm interviewed witnesses, put them on the stand and did not realize these documents existed."

Corporate Social Responsibility extends to Enterprise Litigation Governance and goes well beyond just understanding electronically stored information (ESI). The "New New Math" on doing the right thing in preparation for legal risk is taking on new dimensions as the implications of judgements in favor of the plaintiff set new legal precedent and case law. The Board of Directors and executive management are getting the message that protecting their employees from violence and politically motivated terrorism is just as imperative as preparation for adversarial lawsuits.

When you hire a defense firm and they get blindsided about eDiscovery or Enterprise Content Management (ECM) and your own Records Management and IT personnel are scratching their heads, your "Brand" is going to take a hit. The operational risks associated with a lack of preparedness and a limited strategy for preemptive action call for the "New New Math." It's coming to a board room near you and when it does, don't be surprised that the investment decisions are based more on emotion than on your controller's 27 pages of hard numbers.

07 June 2007

Risk Visualization: Enterprise Prevention...

When bankers start talking about how to reduce fraud and other critical operational risks across the institution there is going to be plenty of debate. Where do you focus your resources and investments in order to get the best ROI and economic value? If you thought the pornographers were the leading edge of innovation on the Internet, there is a new breed of international criminals and corporate attackers that have emerged at the top of the pyramid. Financial services organizations are taking an enterprise view of global risk prevention to try and keep ahead of these increasingly clever and technology oriented crooks:

Fraud likely has been around in some form for as long as people have been using banking services. But while the crimes remain a constant for financial institutions, the methods for perpetrating them have become just as diverse as the products and services offered by banks. Today's financial institutions have to be on their toes more than ever to keep that one important step ahead of fraudsters.

This isn't easy in a world where fraud has become the domain of organized crime rings with vast resources that often are out of reach of domestic law enforcement. "We're seeing an increase in losses across all fraud types in the context of fraud rings being more organized and sophisticated with their use of technology," says Christopher Ward, SVP and manager, payables and receivables solutions, with Charlotte, N.C.-based Wachovia ($707 billion in assets). "But [banks'] ability to detect and stop losses is growing faster than the losses themselves."

"The bad guys are more ingenious today," adds Milton Santiago, SVP, head of electronic banking products, for ABN AMRO (Amsterdam; US$1.3 trillion in assets) in Chicago. "For example, in traditional check fraud, they'd wash the entire check and alter all the information on it. Once positive pay was introduced, criminals got wise to this and just modified the payee information. So banks responded and developed payee positive pay."

Having an enterprise view of holistic risk is the "Holy Grail" and some would say that focusing on the account and not more on the customer is the wrong approach. What is clear about the online evolution of fraud activity is that social engineering is working in the exploitation game. Hardening all of the systems with two-factor authentication or even IP Geolocation is just part of a layered risk strategy:

The US Federal Financial Institutions Examination Council (FFIEC) has issued guidance stating that banks must better authenticate the identity of their Internet customers by the end of 2006. There are of course a number of possible solutions. These include shared secrets, security tokens, and even biometric devices. Many, however, are cost-prohibitive and can negatively impact customers’ online banking experiences. And crucially they all fail to identify one vital element: where the account is being accessed from. This is an important indicator of whether the person accessing an account really is your customer. That’s where IP geolocation comes in.

Working from within the walls of your institution trying to figure out how to protect your assets and your customers is merely a myopic strategy. The attackers are moving too fast and have access to the same tools in their labs where they utilize their own methods and processes for exploiting the vulnerabilities in your latest applications. Now that you have spent millions on implementing that new AML or fraud detection system, are you sleeping any better at night?

True strategic analysis of risk and the convergence of relevant data makes scenario development, proactive planning and open source intelligence an area that requires consistent attention. Simulations and evaluation of possible physical and digital exploits that haven't even been detected yet could provide the proactive and preventive advantage you have been seeking. What is your latest hypothesis? Have you tested it effectively to determine the likelihood and impact of success?

Training and practicing for the unknown and unthinkable puts you and your team in a more resilient mode to survive the next attack. Whether it's through the front door, the supplier's back door or through the copper wire into your customer's home or business office, detection is critical. Anticipation and deterrence are imperative.

01 June 2007

Performance Management: Risk on the Front Line...

Delivering Value to the CEO is the mantra from Mick Leonard, the Chief Risk Officer at Commonwealth Bank of Australia. In his article in the June issue of the RMA Journal focused on Operational Risk, he talks about growing the business:

"My CEO expects operational risk management to help support and deliver the business plan and to build and preserve the right culture. So there will be nothing in my address about reducing risk; rather it's about how we can manage our businesses to optimize the risk/return outcome that our management, customers, and shareholders expect."

Mr. Leonard understands that making Operational Risk and its management processes an enabling and growth-oriented mechanism requires a mindset shift. Understanding how to enable more risk taking and create innovation to achieve superior growth requires the ability to effectively incorporate risk management into daily work products.

When you create a new document, start a new e-mail or enter new data into the database in the course of your daily work you are playing the role of a risk manager. The degree to which you follow protocols, procedures and training involved with records management, information security and work place employment policies creates the foundation for how much risk you will take today. And it will impact your ability to be innovative, competitive and productive at the same time.

Turning risk management into performance management could begin on the front line of the deal makers with the compensation strategy and the behaviors you are seeking from your revenue generators. Whether it's direct or indirect personnel, you have to understand how to use the right mix of compensation and incentives to drive a risk appetite that is appropriate for your organization.

Performance Management could be enabled or suppressed by the amount of power you give your leadership. Do they have the ability to make a $1M decision or $10K decisions when it comes to investing budgeted capital into their business unit growth? Do they manage risk on a level where they are the most informed and the most knowledgeable about the business, or is the "Mother Ship" back at the home office dictating the way they spend or the way they invest?

PNC Bank has been converging functional business units as a way to impact their operational intelligence strategy. Do you have fraud management and Anti-Money Laundering (AML) programs that are operating without strategic coordination? Increasing the performance of operational risk sometimes requires the sharing of intelligence across boundaries and business units:

Ann Mele, PNC's Director of Financial Intelligence, says "unification of corporate structures, operational processes and subject-matter-expertise presents the opportunity to combat fraud and AML issues more effectively and efficiently. We can now capture, analyze, and disseminate information in a manner that proactively identifies threats before losses or major customer impact occurs."

The ability to know how to manage risk at the point of creating new information is the nexus of several disciplines and requires substantial training. Every minute that goes by with people not behaving correctly puts the enterprise at greater risk of lost performance opportunities.

A misprinted internal Bank of America fax inadvertently sparked a bomb scare and the evacuation of a bank branch in Ashland and about 15 local businesses for more than two hours in an Ashland shopping plaza Wednesday morning.

The fax - which showed images of a match lighting a bomb fuse and a timer - turned out to be a botched promotional flier, counting down the start of Bank of America’s "Small Business Commitment Week."