30 January 2007

Shareholder Value: Through Integrated Risk Management...

Supply chain risk management is getting more attention these days. As institutions get their own house in order on operational risk losses, they are moving outside and auditing their suppliers. The complexity of the supply chain is increasing as organizations become leaner. A recent AMR Research study reveals that supplier failure and continuity of supply is the number one risk factor for 28% of firms.

The Enron scandal and the emergence of Sarbanes-Oxley compliance, the 9/11 terrorist attacks, SARS and avian flu threats, the Asian tsunami, Hurricanes Katrina and Rita, and high-profile business failures have forced companies to evaluate how well prepared their organizations are to handle catastrophe and unplanned events. For other firms, strategic and execution risks are front of mind, such as hitting a launch window for a short-lifecycle product.

Additional survey results include:

  • 33% of firms say they have dedicated budget line items for supply chain risk management activities.
  • 54% of firms plan to increase their budgets for risk management over the next 12 months. Of those firms, the average spending increase will be 17% year over year.
  • The top areas of application spending to support supply chain risk management are sales and operations planning, inventory optimization, business intelligence and supply chain analytics, and supply chain visibility and event management applications.

And while many of these manufacturing and distribution organizations are focused on the supply chain, in the financial sector two international rule sets will affect how organizations retain, recover and report on data. Basel II, which took effect Jan. 1, requires the worldwide banking community to uniformly capture data to allow operational risk factors to be identified and analyzed. This is just the beginning of additional financial sector scrutiny as hedge fund exposure becomes regulators' new target zone.

Concern that booming lending to hedge funds may have led to a relaxation in credit standards has prompted US and European regulators to start the first joint investigation into whether banks and brokers are managing such risks appropriately.

The move is a sign that regulators are stepping up transatlantic co-ordination. It comes after a call by Angela Merkel, the German chancellor, for closer US-European Union co-ordination on financial regulation.

Officials from the Securities and Exchange Commission, the UK’s Financial Services Authority, the New York Federal Reserve and other European regulators met last month to discuss credit issues, according to David Cliffe, an FSA spokesman.

They want to know if the collateral required of hedge funds from their lenders is enough to cover losses, and whether margins are set at appropriate levels to help avoid systemic risk in the event of trading losses.

Operational risks span the enterprise from the front office to the back office, from the server room to the trading room. It's no wonder that Boards of Directors and corporate management have now realized that Enterprise Risk Management is the name of the game:

"The creation of shareholder value through the integrated management of risk."

New rules on the evidentiary discovery of clients' electronically stored information, international banking rules and more detailed interpretations of the Health Insurance Portability and Accountability Act will spur customers to put mechanisms in place to more quickly discover and retrieve archived data.

2007 is going to be another year of growth and opportunity. How you manage risk is going to be a deciding factor.

23 January 2007

ORM: Automation Revolution...

There are many organizations out there evaluating the now more mature Operational Risk platforms for their institutions. Just as at the dawn of Enterprise Resource Planning (ERP) systems such as PeopleSoft, SAP and others, there will be a fight for market share, and end users will look to their trusted advisors for expert resources. How do you know what application is right for your organization?

The question remains: are you ready? Are your department and staff up to speed on the process changes necessary in your enterprise for an ORM application to succeed?

OpenPages ORM automates the process of identifying, measuring and monitoring operational risk, integrating all risk data – risk and control self assessments, loss events and key risk indicators – in a single solution. OpenPages ORM combines powerful document and process management with a monitoring and decision support system that enables organizations to analyze, manage and mitigate risk in a simple and efficient manner.

Risk self-assessment capabilities enable organizations to document and evaluate their risk frameworks, including processes, risks, events, key risk indicators and controls. Executive-level dashboards and reports provide visibility into key risk metrics and policy compliance, while business process automation capabilities provide for real-time event escalation; automated risk processes, such as loss event root-cause analysis; and streamlined remediation of issues and action items.

With loss event tracking, risk managers can track loss incidents and near misses, recording amounts and determining root causes and ownership. OpenPages ORM provides statistical and trend analysis capabilities and enables end users to track remedies and action plans. Key risk indicators provide capabilities for tracking risk metrics and thresholds, with automated notification when thresholds are breached. OpenPages ORM provides facilities for both manual and automatic data inputs from internal and external data sources.
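To make the loss-event and key risk indicator (KRI) mechanics above concrete, here is an added example of a minimal KRI monitor over a loss-event register. It is not OpenPages code and not taken from the original post; the event record layout, the per-unit thresholds, the near-miss rule and the sample register are all assumptions constructed for illustration.

```python
"""Added example: a minimal KRI monitor over a loss-event register.
Not OpenPages code; record layout, thresholds and sample data are assumed."""
from collections import defaultdict
from datetime import date

# Constructed sample loss-event register (not real data).
# Fields: event date, business unit, gross loss amount, near-miss flag, root cause.
EVENTS = [
    (date(2006, 10, 3),  "trading", 12000.0, False, "fat finger"),
    (date(2006, 10, 21), "trading", 0.0,     True,  "limit breach caught by control"),
    (date(2006, 11, 8),  "ops",     4500.0,  False, "failed settlement"),
    (date(2006, 11, 17), "trading", 38000.0, False, "model error"),
    (date(2006, 12, 2),  "trading", 0.0,     True,  "unauthorised access attempt"),
    (date(2006, 12, 9),  "trading", 0.0,     True,  "limit breach caught by control"),
    (date(2006, 12, 28), "trading", 61000.0, False, "system outage"),
    (date(2007, 1, 11),  "ops",     2000.0,  False, "failed settlement"),
]

# Assumed KRI definitions per business unit: a gross-loss threshold per calendar
# month and a near-miss count threshold. Near misses cost nothing but are a
# leading indicator, so they get their own limit.
KRI = {
    "trading": {"monthly_loss": 50000.0, "near_misses": 2},
    "ops":     {"monthly_loss": 10000.0, "near_misses": 2},
}


def aggregate(events):
    """Roll the register up by (unit, year-month): total loss and near-miss count."""
    totals = defaultdict(lambda: {"loss": 0.0, "near_misses": 0, "events": 0})
    for d, unit, amount, near_miss, _cause in events:
        key = (unit, d.strftime("%Y-%m"))
        totals[key]["events"] += 1
        if near_miss:
            totals[key]["near_misses"] += 1
        else:
            totals[key]["loss"] += amount
    return dict(totals)


def breaches(events, kri=KRI):
    """Return (unit, month, indicator, value, threshold) for every threshold breach.
    This is the list an automated notification would be built from."""
    out = []
    for (unit, month), t in sorted(aggregate(events).items()):
        limits = kri.get(unit)
        if not limits:
            continue  # no KRI defined for this unit: nothing to notify on
        if t["loss"] > limits["monthly_loss"]:
            out.append((unit, month, "monthly_loss", t["loss"], limits["monthly_loss"]))
        if t["near_misses"] >= limits["near_misses"]:
            out.append((unit, month, "near_misses", t["near_misses"], limits["near_misses"]))
    return out


def trend(events, unit):
    """Month-over-month gross loss for one unit, oldest first."""
    agg = aggregate(events)
    months = sorted(m for (u, m) in agg if u == unit)
    return [(m, agg[(unit, m)]["loss"]) for m in months]


def root_causes(events, unit):
    """Count root causes for a unit across losses and near misses alike,
    so a control that keeps failing shows up before it produces a loss."""
    counts = defaultdict(int)
    for _d, u, _a, _nm, cause in events:
        if u == unit:
            counts[cause] += 1
    return dict(counts)


if __name__ == "__main__":
    for b in breaches(EVENTS):
        print("KRI breach:", b)
    print("trading trend:", trend(EVENTS, "trading"))
    print("trading root causes:", root_causes(EVENTS, "trading"))
```

In the constructed register the trading desk breaches both its December limits: the gross loss passes the monthly threshold and two near misses in one month hit the count threshold, while the repeated "limit breach caught by control" root cause is visible in the cause tally before any loss is booked. Real registers also carry recovery amounts, currency and an owner field; those are left out here to keep the threshold logic readable.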

With OpenPages ORM, organizations can embed operational risk management and governance into the corporate culture, making procedures more effective and efficient while providing management with peace-of-mind that the corporate brand is protected.

How do you make a decision on OpenPages, SunGard or SAS? As with the implementation of ERP platforms, you end up with new challenges, both technical and human. Making a choice requires at some point a consensus of the end users, the departments impacted by the decision and the costs of customization or configuration. The total project will also require:

  • Choosing the correct technology solutions for your specific business challenges.
  • Rapidly integrating new technology with the remainder of your IT infrastructure.
  • Effectively fine-tuning business processes to address your organization.
  • Continuously re-evaluating the deployment to ensure maximum ROI.

As with most large IT projects, it's important to have Program Management Office (PMO) functions up and running prior to making a final purchase. And if you are a true Operational Risk Management professional, you have already performed your analysis of the threats and hazards to the successful implementation, training and launch of your new ORM system.

19 January 2007

Investigations: Rules of Engagement...

Sarah Scalet at CSO has asked the question: What are the 10 commandments of responsible investigations?

The topic is a result of the HP scandal. What are the prudent rules of engagement for answering the original question: who is leaking information from this Board Room to the media?

Sarah says, "I did a lot of thinking and had a lot of conversations about how to run corporate investigations in a responsible way.

By responsible, I mean not only done in a legal and ethical way (although those things, too), but also done in an effective and appropriate way. There are a lot of gray areas in investigations, and there are complicated and expensive ends to which you can take things. If we've learned anything from the mainstream media coverage of the HP debacle, it's the importance of making sure that an investigation meets the suspected crime."

Any fact-finding investigation leaves a trail of data behind it; the key is to make sure you start with the correct hypothesis. If you haven't first created a sound and cohesive test plan, the results will not answer the question, hunch or theory. That is where investigations go down a path of emotional intent as opposed to a process of factual discovery: the data collection didn't answer the emotional question, so go find some information that does. This is where the real flaw lies in most investigations.

Let's take a quick quiz to make a point:

Business crime losses are typically the result of:

a. Non-violent acts committed by insiders.
b. Non-violent acts committed by outsiders.
c. Violent acts committed by insiders.
d. Violent acts committed by outsiders.

If you answered "B" then you are incorrect. The answer is "A". Insiders are the first place you begin to look when accounts are missing money, the system has been hacked or vital corporate information has fallen into the wrong hands.

From the behavioral sciences perspective it is axiomatic that a protection program will not succeed unless it:

a. Meets the personal needs of the vast majority of the workforce.
b. Cultivates the willing cooperation of those affected by it.
c. Incorporates sufficient disciplinary sanctions to convince the workforce to follow prescribed procedures.
d. Provides for termination of employment in the case of repeated violations of mandatory procedures.

If you answered "C" then you are wrong. The answer is "B". A willing workforce, employees and society in general follow and obey the laws they can identify with the most. In the Board Room the normal procedure is to have people sign a non-disclosure agreement. By having people submit to the act of promising not to talk about what happens behind closed doors, you are creating a forum for trouble.

The Ten Commandments of Responsible Investigations would not be necessary if transparency and policy governance were embedded in the culture. If they were in place, people would not have as much motivation to break the rules. At the root of the issue, you have to go back to one of our earlier blogs on Trust.

16 January 2007

24: Lessons in Resilience...

It's going to be a busy day for Jack Bauer this season. Last night's episode of 24 ends like this:

9:58 A.M.
Numair completes work on the suitcase nuke. One of the guards sees the TAC teams and gunfire erupts. Ray ducks to the ground. Amid the shooting, Numair detonates the nuclear device.

From where he is, Jack can see the mushroom cloud in the sky.

The White House team is in shock. Wayne orders Karen to put the entire military at the disposal of the Los Angeles response teams.

9:59 A.M.
As CTU watches the video in horror, Milo alerts them to a warning from the FBI. An Arabic phrase was overheard at one of the detention centers. Nadia translates it: “five visitors.” There are four more nuclear weapons out there.

The WMD scenario is now being played out around the infamous "suitcase nuke" that has been talked about for years. The question remains how the rest of Jack's day will go now that he is searching for four more devices amid what is certain to be mass panic. And whether the incident is of the sudden magnitude of this 24 thriller or the sudden onset of a contagious virus, our hospitals and healthcare system will be immediately challenged.

Continuity of Operations and Contingency Planning is starting to get the funding it requires in healthcare systems across the globe. We can only hope it comes long before the first wave of a pandemic or a radiological WMD event.

What would happen if you woke up at 2 a.m. with chest pains but the area hospitals were closed due to a smallpox outbreak? What would happen if you couldn’t get lifesaving blood work because the labs couldn’t process the results or your health insurance provider couldn’t process the authorization? What would happen if you were scheduled for surgery but the computer network containing your patient records was down due to a computer virus?

These are just a few of the scenarios that keep business continuity planners at hospitals and healthcare organizations across the country up at night and focused on the task at hand. Healthcare is the one thing you hope you will never need, but when the time comes, the availability of healthcare in this country is often taken for granted. Business continuity planning (BCP) professionals in the healthcare industry want to keep it that way.

This is a clear example of where the Critical Infrastructure sector we call Healthcare, and its sister sector First Responders, is still behind in funding and in increasing its resilience to sudden disaster. Public-private partnerships are working with diligence on an "All Hazards" mindset to help address the lack of preparedness in many of our metro regions.

It's vital to really understand the mission for not just the healthcare sector, but the government, law enforcement and first responders combined:

MISSION: To provide a forum that fosters communication and cooperation between industry and government security, law enforcement and emergency responders at the federal, state, local and tribal level to protect America's citizens and critical assets.

It's been said that we can never be totally prepared, as there will always be some degree of residual risk in any prudent planning or testing exercise. The only real truth is that working towards a worldview of increased Business Resilience creates a different perspective.

Business resilience
Even resolving these shortfalls and misunderstandings really is only part of the picture when seeking to create true resilience – we really must focus more broadly than on the technology and the facilities. Business resilience should be our goal. IBM has articulated its concept of business resilience as:

“The ability of an organisation’s business operations to rapidly adapt and respond to internal or external dynamic changes – opportunities, demands, disruptions or threats – and continue operations with limited impact to the business.”

The paradigm shift from a defensive posture to an offensive posture is the first leap of faith: to see the opportunities and upside, not just the cost of protection and overhead. Mitigating operational risks, thinking through all possible contingencies and creating new strategies for the future success scenario is what this mindset is all about.

I wonder what's going through Jack Bauer's head right now? Defense. I don't think so.

12 January 2007

Policy Governance: The Road to Change...

The Board of Directors at your company is talking again about Policy Governance. The reason is that change is necessary, and when it's time for a new worldview there are only a few real choices left. The old way hasn't worked and now it's time to start with a blank sheet of paper.

So what is Policy Governance?

Policy Governance®, an integrated board leadership paradigm created by Dr. John Carver, is a groundbreaking model of governance designed to empower boards of directors to fulfill their obligation of accountability for the organizations they govern. As a generic system, it is applicable to the governing body of any enterprise. The model enables the board to focus on the larger issues, to delegate with clarity, to control management's job without meddling, to rigorously evaluate the accomplishment of the organization; to truly lead its organization.

In contrast to the approaches typically used by boards, Policy Governance separates issues of organizational purpose (ENDS) from all other organizational issues (MEANS), placing primary importance on those Ends. Policy Governance boards demand accomplishment of purpose, and only limit the staff's available means to those which do not violate the board's pre-stated standards of prudence and ethics.

Is management clear on the mission? Is the CEO out of sync with what the Board of Directors' "Ends" are and what direction they are heading in? Policy Governance may be the answer. Yet a new mindset shift or a new methodology will not get you to where you want to be without effective Governance Strategy Execution.

Reinventing your board isn't easy, and putting a fence around the CEO's perimeter may be even harder. The goal is to make sure that your policies are resilient and endure beyond the tenure of any one CEO. If you can accomplish this, it takes the potential for conflicting personalities or styles between individuals out of the equation. You have to start high enough and in the broadest context:

The CEO shall not cause or allow any organizational practice, activity, decision or circumstance that is in violation of commonly accepted business and professional ethics and practices...

Now that you have the outer perimeter set, you can start to narrow it down and provide greater scrutiny in places you are really concerned about.

As an example, and this is not a one-way street:

  1. The Board will not provide orders to people who report directly or indirectly to the CEO.
  2. The Board will not review or evaluate staff other than the CEO.

At the end of the day, or the fiscal year for that matter, being on the Board of Directors requires courage and the ability to make hard decisions. Policy Governance is one way to take the change process and make it happen like you never have in the past. And remember, John Carver and the Policy Governance model are one and the same: he is the inventor and steward of this mechanism of change in the global corporate enterprise.

09 January 2007

Trust: In Pursuit of Implicity...

trust (trŭst) n.

1. Firm reliance on the integrity, ability, or character of a person or thing.

—Related forms
trust·a·ble, adjective
trust·a·bil·i·ty, noun
truster, noun

—Synonyms 1. certainty, belief, faith. Trust, assurance, confidence imply a feeling of security. Trust implies instinctive unquestioning belief in and reliance upon something: to have trust in one's parents. Confidence implies conscious trust because of good reasons, definite evidence, or past experience: to have confidence in the outcome of events. Assurance implies absolute confidence and certainty: to feel an assurance of victory. 8. commitment, commission. 17. credit. 19. entrust.


To have real trust in something or someone, you don't even think about it. It's implicit. If you start to think about it, then it is not really trust in its purest form. In Operational Risk Management we are always in pursuit of trust. We want to trust our sensors, monitors and fail-safe processes. Yet we know that this is why we train for contingencies: because failure is always a possibility, even if it has a .00000000000099 probability.

As a true Operational Risk professional, you train for the remote possibility of failure and create alternative scenarios to test your contingencies. And when you find what works through exercises and experimentation, you put that in your memory bank or cache of alternatives, never knowing when you will have to use it again.

And when it comes to trust and human beings, there is only one way we know to get to implicity: through testing, training and observable behaviors. When a person has demonstrated that they are able to repeat the tasks, actions and behaviors with a .00000000000099 probability of failure, that is when trust begins to become inherent.

The U.S. Department of Justice is pushing the FBI and its other operating units to speed up and expand their efforts to share a wide array of information with outside law enforcement agencies via a centralized database called OneDOJ.

In a Dec. 21 memo, Deputy Attorney General Paul J. McNulty also directed CIO Vance Hitch to work with the DOJ's component agencies to develop "an aggressive but practical plan" for increasing their information-sharing capabilities. The plans, which must be submitted to McNulty's office by Feb. 9, will include steps that can be taken within the next 180 days to enable the units to participate more fully in seven ongoing data-sharing initiatives.


OneDOJ, as this application is named, has been in development for over a year. This, along with other Fusion Centers, will provide the mechanisms for information sharing and data mining. Now that we have a new DNI coming from Booz Allen Hamilton, Vice Admiral McConnell, he should not have any problem finding ways for OneDOJ to either live or die a slow death.

Trust will not be accomplished through technologies, nor through the convergence of information in a database. It can only be forged through actions and observable behaviors: outcomes based upon sound planning, training, testing and continuous contingency operations. Only then will we reach the level of implicity we seek.

03 January 2007

Insider Threat: Web 2.0 Wild West...

The Insider Threat is an Operational Risk that will never go away. It is without a doubt going to be a continuous issue for the Board of Directors, Corporate Management and shareholders for years to come. Fortunately, justice has recently sent a clear message about the implications of unleashing malicious code on a network.

The former systems administrator convicted this past summer of launching an attack on UBS PaineWebber four years ago was sentenced to 97 months in jail in U.S. District Court in Newark, N.J., on Wednesday.

Roger Duronio, 63, of Bogota, N.J., stood quietly and didn't react as Judge Joseph Greenaway Jr. handed down the sentence. "This is a sophisticated crime," said the judge. "This wasn't an instance when an individual argues that 'I had a bad day and I made a mistake.' It's undoubtedly that Mr. Duronio, having felt wronged, came up with an elaborate, sophisticated scheme to take down a company." Judge Greenaway added that he was struck by Duronio's attempt to not only disrupt the company but to derive financial benefit from it.

Duronio was found guilty of computer sabotage and securities fraud for writing, planting, and disseminating malicious code -- a so-called logic bomb -- that took down up to 2,000 servers in both UBS PaineWebber's central data center in Weehawken, N.J., and in branch offices around the country. The attack left the financial giant's traders unable to make trades, the lifeblood of the company, for a day in some offices and for several weeks in others.

Executives at UBS, which was renamed UBS Wealth Management USA in 2003, never reported the cost of lost business, but did say the attack cost the company more than $3.1 million to get the system back up and running.

"If it doesn't send a message, people aren't listening," said Assistant U.S. Attorney V. Grady O'Malley, a prosecutor on the case. "If giving the maximum for this crime doesn't send a message to people with the ability to commit a crime and to the people who employ them, they're not paying attention. The potential for the impact of an insider is incalculable."


Whether it is an unknown system administrator working against you because they didn't get a raise last year, or a corporate espionage ring selling secrets or identities, the insider threat will continue to increase over time. Part of this has to do with the new generation of employees who have grown up using the Internet and downloading intellectual property or open source software. It's the wild, wild West, and policies and ethics workshops are nothing more than a compliance officer's single strategy for justifying their existence.
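The Duronio case above turned on a planted, time-triggered destructive job: a logic bomb waiting for its date. One check a practitioner would want is an audit of scheduled jobs for that shape. The script below is an added example, not the court's material, UBS's code or anything from the original post; the crontab excerpt, the approved baseline, the departed-account list and the heuristics (one-shot calendar triggers, destructive command patterns, hidden or temporary paths) are all assumptions constructed for illustration, and the user column follows the /etc/crontab layout rather than a per-user crontab.

```python
"""Added example: heuristic audit of cron entries for planted, time-triggered
destructive jobs (the logic-bomb pattern). Crontab lines, baseline, departed
users and heuristics are constructed assumptions, not real system data."""
import re

# Constructed crontab excerpt in /etc/crontab layout (m h dom mon dow user command).
CRONTAB = """\
# m h dom mon dow user command
0 2 * * * root /usr/local/bin/nightly-backup.sh
*/5 * * * * monitor /opt/monitor/check.sh
30 9 4 3 * root /bin/sh -c 'rm -rf /home /var/lib/mysql; dd if=/dev/zero of=/dev/sda'
15 1 * * 0 jdoe /home/jdoe/.cleanup/purge.sh
0 0 1 * * root /usr/sbin/logrotate /etc/logrotate.conf
"""

# Assumed approved (user, command) pairs taken from change management records.
BASELINE = {
    ("root", "/usr/local/bin/nightly-backup.sh"),
    ("monitor", "/opt/monitor/check.sh"),
    ("root", "/usr/sbin/logrotate /etc/logrotate.conf"),
}

# Assumed list of accounts whose owners have left or been disabled.
DEPARTED = {"jdoe"}

# Destructive command shapes worth a second look when scheduled unattended.
DESTRUCTIVE = re.compile(
    r"(rm\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)\s"
    r"|dd\s+.*of=/dev/|mkfs|shred\s|find\s.*-delete|>\s*/dev/(sd|hd|nvme))"
)
# Jobs launched from dotfile directories or world-writable scratch space.
HIDDEN_PATH = re.compile(r"(^|/)\.[^/]+/|/tmp/|/dev/shm/")

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse(text):
    """Yield (minute, hour, dom, mon, dow, user, command) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if m:
            yield m.groups()


def is_one_shot(dom, mon):
    """A fixed day-of-month *and* month fires at most once a year: the shape of a
    date-fused trigger rather than a maintenance schedule."""
    return dom.isdigit() and mon.isdigit()


def audit(text, baseline=BASELINE, departed=DEPARTED):
    """Return (user, command, [reasons]) for every entry worth investigating."""
    findings = []
    for _minute, _hour, dom, mon, _dow, user, command in parse(text):
        reasons = []
        if (user, command) not in baseline:
            reasons.append("not in approved baseline")
        if is_one_shot(dom, mon):
            reasons.append("fires on a single calendar date")
        if DESTRUCTIVE.search(command):
            reasons.append("destructive command")
        if HIDDEN_PATH.search(command):
            reasons.append("runs from hidden or temporary path")
        if user in departed:
            reasons.append("owner account departed/disabled")
        if reasons:
            findings.append((user, command, reasons))
    return findings


def score(reasons):
    """Crude priority: destructive plus date-fused is the hottest combination."""
    hot = {"destructive command", "fires on a single calendar date"}
    return 3 if hot <= set(reasons) else len(reasons)


if __name__ == "__main__":
    for user, command, reasons in sorted(audit(CRONTAB), key=lambda f: -score(f[2])):
        print(f"[{score(reasons)}] {user}: {command}\n    " + "; ".join(reasons))
```

Two of the five constructed entries surface: the root job fused to a single date that wipes the home and database directories, and a departed user's job running from a dotfile directory. The baseline comparison is what makes this usable at scale; without an approved list every ad hoc job is noise. The same heuristics apply to at(1) queues, systemd timers and Windows scheduled tasks, and a real deployment would also diff the scheduled-job inventory against the previous run so that a newly planted entry stands out on the day it appears rather than on the day it fires.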

Web 2.0 is changing these employees' attitudes about sharing everything. Many of them come to the organization with a profile on Facebook and have no qualms about sharing their own private information. The leaks to the press on major M&A deals should be enough evidence that good old-fashioned ethics are in jeopardy.

The Insider Threat in a Web 2.0 world is not only here to stay. It is just getting started.