28 May 2007

Memorial Day: The Courage to Serve...

Today is Memorial Day in the United States, and Spencer is on his way to Airborne "Jump School" at Ft. Benning, GA as a proud member of the US Army. He gave up a place at a nice University of California campus and a few years of fraternity fun to serve his country, taking a risk by joining the lifelong fraternity of men and women who have defended our country. Simultaneously, Keith is risking his life serving the US again, for the "nth" time, in Afghanistan as a US Army Lt. Col. (Ret) on another important and vital mission. He gave up a hunting, fishing and teaching lifestyle to help secure certain important real estate, utilizing the diplomatic and training skills learned from decades of real-time experience in Southeast Asia with the Central Intelligence Agency.

Having spent some time with both of these brave and courageous men, you wonder what they have in common. What are the attributes of a person who makes a selfless sacrifice to protect and to serve? Whether it's in the military or in public safety, there is something in their DNA that is not in yours. It's something that many of us think about and end up doing nothing about. When you fill up your gas tank this week or stroll down the outdoor mall, you might ask yourself who made all of this possible. The answer is those who have served and those who are serving right now.

Millions across the country will pause Monday afternoon to honor the sacrifices of the American military in observance of the National Moment of Remembrance.

Crowds at Major League baseball stadiums, NASCAR tracks, train stations, malls, stores and even the astronauts aboard the International Space Station will participate in the “National Moment of Remembrance,” which is observed at 3 p.m. every Memorial Day.

"The national Moment of Remembrance is a time for Americans to contemplate those things that bind us together by remembering the legacy of those who died to better our country," Carmella LaSpada, executive director of the White House Commission on Remembrance, said.

"We encourage all Americans, no matter where they are and what they are doing, at 3 p.m. local time on Memorial Day, to stop and give thanks."

The observance is an initiative of the White House Commission on Remembrance, which Congress established in 2000.

The commission encourages Americans to remember the sacrifices of fallen troops and the families they left behind.

So when you return to work tomorrow after your Memorial Day holiday, hopefully you will have had a chance to say a prayer or at least to acknowledge those brave individuals. It's also a time to evaluate your own work ethic and duty as the leader of your organization. Are you putting your employees in harm's way? What steps or measures are you taking to make sure that they are training and preparing to mitigate operational risks on a daily basis? Do you have the courage to do the right thing and to keep the organization out of jeopardy? Beware of the cowboy.

From Leadership Lessons of the Navy SEALS


The Cowboy

Neither of us knows if such a thing has ever been tolerated in modern commando teams. Yes, sometimes you need to charge forward. But, there are simply too many potential casualties and too much political currency resting on commando missions to entrust one to a cowboy. Authorization for an operation depends on the accurate calculation of operational risk. This requires an assessment of proven forces' ability to perform a task. All this is contrary to the cowboy philosophy of depending on experimentation, pluck, and luck in order to succeed.

"The problem with being a cowboy is that your bosses won't employ you if they can't trust you, and they can't trust you if they don't know what you'll do. And then you're stuck with the reputation." --LT. CMDR. Jon Cannon


Believe it when he says that people who try to be cowboys in your organization are operating without regard to risk. Now multiply the number of cowboys by the number of people around them on their team who come to think that this is the way to operate. It doesn't take long to find out that these are the root causes of many of the operational risks in your organization. And it starts with the basics:

> Revenue is not booked according to the rules. Products sit in the warehouse yet revenue ends up on the sales rep's commission report because (s)he had a signed order.

> Assets are not valued correctly. Bank accounts are not validated to make sure they actually exist and accounts receivable are inflated.

These are just two of the many facets of fraud that start with a few cowboys who have little regard for managing risk and every incentive to line their pockets with newfound cash or bonuses.

You might think that the reason is greed. However, the real motive may not be so clear. More than likely, the motive is fear. And that fear is something that grows until it gets to the point of creating harm, loss and destruction. You have to find the cowboys in your organization and you have to follow the mantra of quality gurus from years past, "Drive out Fear".

24 May 2007

Hedge Funds: Crystal Ball on Regulation...

Looking into the crystal ball for the future regulation of hedge funds is a cloudy subject and the feds are making statements that would alarm any high net worth investor. So what are the issues with asking for some additional transparency and reporting mechanisms for the 1% who choose to diversify their portfolios?

Why is regulation inevitable? There are a number of factors, including:

  • Industry growth and the increasing influence of hedge funds in the capital markets.
  • The absence of genuine regulatory oversight.
  • The changed political landscape.
  • Increased participation by public pension funds and corporate pension plans.
  • Continuing instances of fraud and blow-ups.
  • The lack of transparency.
  • Increasing complexity and concerns of systemic risk.

All of these factors, taken together, have created an environment that is ripe for regulatory oversight. Of course, this does not mean that hedge funds should be regulated. Indeed, there are good arguments that hedge fund regulation is not necessary, and may even be imprudent. Opponents of regulation have argued persuasively that, among other things, hedge funds provide benefits, such as market liquidity, and that regulation will simply drive hedge funds offshore.

As the financial wizards of the global markets figure out ways to keep regulators from asking too many questions, the leadership of the companies operating in the hedge fund environment are getting prepared. They are strategically implementing the mechanisms and the controls that any prudent investment management company would have in place to deal with the operational risks associated with the other mainstream institutions in the sector.

So what is on the minds of the SEC and others who oversee the hedge funds that are not being so proactive:

The hedge fund industry, long a Wall Street innovator, has frequently created exotic money-making strategies that have then ballooned in popularity.

But as Neil Brown, director of AIMA and managing director of New York-based Citigroup Alternative Investments, noted, when a profitable arbitrage trade is uncovered, managers then pile onto the trade, and the opportunity to make money gets "arbed away."

This summer's meltdown in convertible bond hedge funds proved a wrenching case in point. Convertible arbitrage managers buy convertible bonds, which are bonds that can be exchanged for a certain amount of a company's common stock, and short the underlying stock of the issuing company to profit from the difference in price between the two securities.

Long considered a safe haven, the strategy posted big losses this year, which forced three big convertible bond hedge funds to close: San Francisco-based Marin Capital Partners, which had $2.2 billion in assets at its peak; Alta Partners, run by San Francisco-based Creedon Keller & Partners, which had about $1.2 billion at its peak; and Minnesota-based EBF & Associates' $669 million Lakeshore International Fund.

Now, hedge funds are coming up with new, more exotic strategies as traditional strategies, such as certain kinds of arbitrage, get overcrowded.

So what? The argument that the markets will regulate themselves is a valid point being made around many dinner tables in London, New York City and Shanghai, as hedge fund managers can feel the trend of fraud-driven regulators breathing down their necks:

Shanghai is setting up a financial task force to counter a rise in cases of fraud and other abuses linked to soaring stock prices, state media reported Tuesday.

The task force, including staff from the securities and banking watchdogs, police and other government agencies, will focus both on combatting illegal share dealings in companies not listed on the bourse and also on the practice of diverting public funds into high-risk investments, the state-run newspaper Shanghai Daily reported.

"Risks are accumulating and we should be well aware of illegal financial activities and make it a priority of our work to clamp down on them," it quoted Feng Guoqin, a Shanghai vice mayor in charge of the task force, as saying.

So why are hedge funds any different than any other alternative investment? The myths are there and they need to be addressed:

MYTH #14: HEDGE FUNDS ARE NOT REGULATED
Hedge funds often are said to be unregulated or lightly regulated. The perception is that hedge funds are cowboys taking advantage of the wild-west financial markets without a sheriff in town.

EVIDENCE:
Hedge funds are required to comply with every rule, regulation, and law that affects virtually all investors in the public and private financial markets. Further, hedge funds are subjected to a variety of investor-related laws and regulations that impact who can qualify to invest with hedge funds. Additionally, there are a variety of state and federal laws that can require some managers to register as investment advisors—thereby invoking a series of additional regulations and requirements, including periodic regulatory examinations and filings. When the topic of regulation arises in the hedge fund industry, managers are far from being cavalier about the existing and continually proposed regulatory requirements.

19 May 2007

Cyber Terrorism: Attack on a Nation State...

The attack on the Critical Infrastructure of the nation state of Estonia over the past few weeks should be a wake-up call to governments across the globe. The facts are coming out in the mainstream media this week about the origins of the attack and the magnitude of the event. Yet the real lesson to be learned here goes deep into the chasm of having "Cried Wolf" too many times and the resulting ignorance of a major threat in the making.

Young men paying cash to learn how to fly large Boeing airliners and not worried about landings. Does this ring a bell?

Peter Finn of the Washington Post Foreign News Service has identified much of the real issue at stake here:

This small Baltic country, one of the most wired societies in Europe, has been subject in recent weeks to massive and coordinated cyber attacks on Web sites of the government, banks, telecommunications companies, Internet service providers and news organizations, according to Estonian and foreign officials here.

Computer security specialists here call it an unprecedented assault on the public and private electronic infrastructure of a state. They say it is originating in Russia, which is angry over Estonia's recent relocation of a Soviet war memorial. Russian officials deny any government involvement.


How many more of these "Botnet" attacks will be necessary for the public, the media and the government to realize that this is the beginning of a new generation of warfare that will be fought using "Zeros and Ones" as increasingly effective ammunition against your enemy? Whether it be a nation state or your business competitor, large Distributed Denial of Service (DDOS) attacks can be rented on the Internet by the hour. So how big a network of "Bots" is necessary to disrupt a nation state like Estonia?

Roughly 1 million unwitting computers worldwide were employed, said Jaak Aaviksoo, Estonia's minister of defense. Officials said they traced bots to the United States, China, Vietnam, Egypt and Peru. By May 1, Estonian Internet service providers were forced to disconnect all customers for 20 seconds to reboot their networks.

Disruptions of all kinds are giving Chief Security Officers (CSOs) headaches and heart attacks as the economic impact of spoofed e-mail and DDOS attacks wreaks havoc beyond the network and into the financial markets. The attacks could be the work of competitors or, more likely, the coordinated, well-planned and funded mission of a worthy criminal or terrorist adversary:

Apple shares dropped 3 percent to $104.63 in afternoon trading as ultimately false rumors of iPhone and Mac OS X Leopard delays spread across the Internet.

The plummet started when technology news blog Engadget.com reported Apple pushed iPhone's launch from June to October and Mac OS X Leopard from October to January. Ryan Block, the post's author, cited an "authority" for a source.

It turns out that "authority" was a forged e-mail sent to thousands of Apple employees at 9:09 a.m. this morning. It was eventually leaked to Block who posted at 11:49.


What impact do the media and information leaks have on the market value of your company? How do you as a CSO, CEO or Chief Risk Officer mitigate the risk of this kind of "Social Engineering" ploy to manipulate your stock price? The answer is not more software or some kind of fancy new device for analyzing network traffic.

The answer is education and enhanced monitoring of information. It's also making sure that your institution has prepared for and tested the resiliency of the organization for such a scenario. The Department of Homeland Security has been exercising for major incidents of the magnitude described against Estonia for years. The next event is scheduled for the spring of 2008 and is known as CyberStorm II. In this exercise the scenario will involve both physical disruption and the digital origin of vulnerability exploits. The lessons learned will be a public and private partnership discussion for years to come.

The case studies of the Estonia attack and the Apple spoof are being written as we speak, and the output is what any CSO should be seeking: increased awareness and education of its employees, customers and suppliers. Without effective learning, the resiliency of the enterprise is in jeopardy.


16 May 2007

Defensible Standard of Care: Legal Risk...

A "Defensible Standard of Care" is a hot topic these days around the Board of Directors Audit Committee conference table. Information Security standards are consistently being discussed by the CIO and CSO in the context of compliance. So where is the nexus? Why is it so critical to enabling the enterprise business resilience of a global institution?

The answers lie in the fundamental understanding that the Board of Directors and the "C" Suite are both working towards the same focal point. Their motive is almost identical: to be able to provide the evidence and the testimony that keep their integrity and reputation intact. To understand this nexus, first we must provide the definitions:


What is ISO/IEC 27001:2005?

ISO/IEC 27001:2005 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected.

ISO/IEC 27001:2005 covers the following topics:

  • Security policy - This provides management direction and support for information security
  • Organization of assets and resources - To help you manage information security within the organization
  • Asset classification and control - To help you identify your assets and appropriately protect them
  • Personnel security - To reduce the risks of human error, theft, fraud or misuse of facilities
  • Physical and environmental security - To prevent unauthorized access, damage and interference to business premises and information
  • Communications and operations management - To ensure the correct and secure operation of information processing facilities
  • Access control - To control access to information
  • Systems development and maintenance - To ensure that security is built into information systems
  • Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
  • Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement

ISO/IEC 27001:2005 is the updated version of the world renowned British Standard for Information Security Management Systems, BS 7799-2:2002.

This Information Security Management System (ISMS) is simply that, a published set of guidelines and controls. It is useless without the support of the correct tools, methodologies and people to make it come alive and become incorporated into the culture of the organization. This requires an adaptive and resilient framework for managing change.

A "Defensible Standard of Care" comes alive within this ISO 27001 standard:

Clause A.15.1 Compliance with legal requirements

Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.

Clause A.15.1.3 Protection of organizational records

Control
Important records shall be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements.

In the United States, as well as many other countries, a party involved in civil litigation is responsible for preserving any potentially relevant evidence, including materials that may lead to the discovery and production of other relevant evidence, beginning when the party knew a lawsuit had been filed, or had a reasonable basis to believe that litigation would occur.

Effective December 1, 2006, the United States Federal courts adopted revised Rules of Civil Procedure that confirm the importance and admissibility of Electronically Stored Information (ESI) as evidence in civil litigation. As lawyers and the courts begin to operate under the new Rules, company officers responsible for demonstrating the reliability of their corporate electronic records are rapidly moving into the “firing zone”.

The reason is entirely adversarial: if a hostile lawyer can discover uncontrolled risks that compromise the reliability or integrity of a company’s electronic records, then the value of those records as evidence declines and the potential for how the case will be resolved, whether in the courtroom or through settlement, is altered. In response, a company must be prepared to demonstrate that its ESI has been managed pursuant to a defensible standard of care.

As a result, adherence to Clause A.15.1.3 includes protecting records that become important to litigation and assuring their continued integrity and availability. For these purposes, information security practices are indispensable, and the failure to apply and extend those practices to relevant evidential materials can create a material risk for many companies.
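One concrete information security practice behind Clause A.15.1.3 is making falsification and loss of preserved records detectable. The following is an added example, not code from the page, from ISO/IEC 27001 or from Waters Edge Consulting: at the moment a litigation hold begins, each record is fingerprinted with SHA-256 into a manifest, the manifest itself is sealed, and a later check classifies every record as intact, falsified (content changed), lost (missing) or unlisted (appeared after the hold). The record ids and contents are constructed for the demonstration; the "write-once storage" for the manifest is an assumption about deployment, not something the code enforces.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample records standing in for "important records" (an invoice,
# an e-mail, a contract) that fall under a preservation obligation.
RECORDS_AT_PRESERVATION: Dict[str, bytes] = {
    "inv-2007-0412": b"Invoice 0412: 40 units, $12,000, signed 2007-04-12",
    "email-0931": b"From: cfo@example.com\nSubject: Q1 revenue recognition\n",
    "contract-77": b"Master services agreement, rev 3, executed 2006-11-01",
}


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of one record's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(records: Dict[str, bytes]) -> Dict[str, str]:
    """Fingerprint every record when the hold begins. The manifest should be
    kept apart from the records (assumed: write-once storage) so that a record
    and its fingerprint cannot be altered together."""
    return {rid: fingerprint(data) for rid, data in sorted(records.items())}


def seal_manifest(manifest: Dict[str, str]) -> str:
    """Hash the canonical JSON of the whole manifest, so that deleting an entry
    to hide a lost record is itself detectable."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return fingerprint(canonical.encode())


def verify_records(manifest: Dict[str, str], seal: str,
                   current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the records held today against the sealed manifest."""
    if not hmac.compare_digest(seal_manifest(manifest), seal):
        raise ValueError("manifest seal mismatch: the manifest itself was altered")
    report: Dict[str, List[str]] = {"intact": [], "falsified": [], "lost": [], "unlisted": []}
    for rid, expected in manifest.items():
        if rid not in current:
            report["lost"].append(rid)          # loss or destruction
        elif hmac.compare_digest(fingerprint(current[rid]), expected):
            report["intact"].append(rid)
        else:
            report["falsified"].append(rid)     # content changed after the hold
    report["unlisted"] = sorted(set(current) - set(manifest))
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one record edited, one deleted, one added later."""
    manifest = build_manifest(RECORDS_AT_PRESERVATION)
    seal = seal_manifest(manifest)
    later = dict(RECORDS_AT_PRESERVATION)
    later["inv-2007-0412"] = b"Invoice 0412: 40 units, $21,000, signed 2007-04-12"
    del later["contract-77"]
    later["memo-1"] = b"Post-hold memo"
    return verify_records(manifest, seal, later)


if __name__ == "__main__":
    for status, ids in demo().items():
        print(f"{status:>9}: {ids}")
```

The report is what a company officer would need to hand to counsel: not a claim that records are reliable, but evidence of which ones changed and when the check was run. Pairing the manifest with a signed timestamp from an independent source would strengthen that testimony further.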

And this risk extends well beyond the inner sanctum of the legal department, internal audit and information technology. This risk reaches into the outside counsel the company has retained for defense litigation. How many law firms are under retainer at your institution? Do they have an effective set of standards, methodologies and programs to handle your next ESI request? In the game of litigation only the most agile and preemptive strategies will prevail.

So how do you understand and determine how adept your outside counsel is when it comes to ESI and eDiscovery? Now it's time for your own investigation, audit and request for information. You have to develop the same kind of process for evaluation of outside legal counsel as you do for the next set of financial auditors or outsourced disaster recovery vendor. It's imperative that you look at enterprise content management and the records administration controls within your Information Security and Operational Risk Management framework to see how it supports a Defensible Standard of Care. The Nexus of Information Security and The Law. Here are 8 Survival Strategies courtesy of Jeffrey Ritter at Waters Edge Consulting:

  • Start a Dialogue.
  • Be Prepared to Bear Witness.
  • Be Prepared to Preserve.
  • Define "Not Reasonably Accessible".
  • Demonstrate "Routine Good Faith Operation".
  • Prepare to Deal with eDiscovery vendors.
  • Prepare your lawyers "In and Out".
  • Protect your records at the Law Firms.

Institutions wishing to achieve a defensible standard of care for protecting business sensitive data such as intellectual property, financial records, customer data and business records will find the Waters Edge Protocol a welcome advantage in streamlining the effort required to tailor requirements, policy, processes, and implementation plans to meet their business needs.

10 May 2007

IT Audit: Communicating with the CEO...

In the latest issue of ITAudit, Jackie Bassett is right on target. She has clearly identified the items necessary to close the gap of communicating to top management before, during and after an Information Technology Audit. A key component of any prudent Operational Risk Management Program:

At its most basic level, an IT security audit is a systematic evaluation of a company's IT security infrastructure that measures how well security policies, procedures, and controls conform to a set of established criteria. Today's internal auditors know that the true value of an IT security audit to an organization goes beyond compliance. By successfully communicating their IT security audit recommendations, auditors can have a major influence on corporate strategy. Unfortunately, many auditors find there is little guidance to help them communicate audit results and recommendations to senior-level managers when preparing for the IT security audit. Consequently, conveying IT security recommendations can be one of the most challenging parts of an internal auditor's job. However, with a little preparation and knowledge, auditors can enhance the way they communicate IT security audit results as well as provide recommendations senior managers can relate to, understand, and implement.

What can the board of directors do to make sure that their CEO has moved to a place focused on mitigating operational risks to enhance opportunities and long term strategy?

Fundamentally, the first task is to make sure that the CEO has a management system in place for operational risk. What is needed is a process approach for establishing, implementing, operating, monitoring, maintaining and improving the effectiveness of an organisation’s operational risk enterprise architecture (OREA).

Let’s break OREA down a little further to get a better view of some of the specific operational attributes:

People
Employee fraud, misdeed, unauthorised activity, loss/lack of personnel and employment law.

Process
Payment/settlement, delivery/selling, documentation/contract, valuation/pricing, internal/external reporting and compliance.

Systems
Technology investment, development, access, capacity, failures and security breach.

External
Legal liability, criminal activities, outsourcing, suppliers / insourcing, disasters / infrastructure, regulatory/political.

The attributes of operational risk are the same key areas that need to have metrics created for measurement and auditing. Performance management, Balanced Scorecard and other methodologies for managing, monitoring and continuous improvement need to be implemented so the boards of directors have a way to get timely alerts, updates and reporting.

The operational risk enterprise architecture (OREA) is a management framework that requires a process approach, embedded with the legacy of our quality initiatives of the past several decades. The reason is the threat of change itself. The P-D-C-A model (plan – do – check – act) is appropriate for application to this process approach and to the threat of a constantly changing corporate environment:

Plan
Establish policy, objectives, targets, processes and procedures for managing operational risks to deliver results in accordance with the organisation’s business objectives.

Do
Implement and operate the policy, controls, processes and procedures.

Check
Assess and measure in applicable areas while reporting results to management for review.

Act
Take corrective and preventive actions based on results to continually improve the OREA framework.

Operational risk management is getting the attention of organizations outside of the major banks at a rapid pace. Boards of directors in any industry will soon realize that the successful CEO of the future will be a master of building a culture with effective operational risk management systems at its core.

Furthermore, interpreting how enforcement of IT security controls and policies can strengthen connections with customers and suppliers, how authorization processes can preserve intellectual property, or how separation of duties can drive innovative new business processes demonstrates to senior managers that internal auditors are an invaluable company resource and asset.

03 May 2007

Fusion Center: A Top Line Opportunity...

Operational Risk Management (ORM) is about managing a jigsaw puzzle of vulnerabilities and the threats that expose those weak points in corporate operations. The public sector is taking a lesson from many global organizations in creating a "Fusion Center" to help prevent losses as well as improve reputation, safety, security and resilience. The U.S. Department of Justice has created fusion center guidelines:

How can law enforcement, public safety, and private entities embrace a collaborative process to improve intelligence sharing and, ultimately, increase the ability to detect, prevent, and solve crimes while safeguarding our homeland? Recently, an initiative has emerged that incorporates the various elements of an ideal information and intelligence sharing project: fusion centers (or “center”). This initiative offers guidelines and tools to assist in the establishment and operation of centers. The guidelines are a milestone in achieving a unified force among all levels of law enforcement agencies; public safety agencies, such as fire, health, and transportation; and the private sector.

Fusion centers bring all the relevant partners together to maximize the ability to prevent and respond to terrorism and criminal acts. By embracing this concept, these entities will be able to effectively and efficiently safeguard our homeland and maximize anticrime efforts.

The private sector has embraced the idea of "Fusion Centers" for some time, and now the convergence of the physical and information-based risk management professionals is taking place to mitigate a spectrum of risks and opportunities. The economic reasons for doing this are many, and the benefits of greater insight and more rapid response are a mandate. A fusion center is an effective and efficient mechanism to exchange information and intelligence, maximize resources, streamline operations, and improve the ability to fight crime and terrorists by analyzing data from a variety of internal and external sources.

When you begin to bring together the company departments or government entities, the rules of the game call for agreements, contracts and memorandums of understanding (MOU) to help facilitate coordination and cooperation. Here are some of the elements that should be considered:

  • Involved parties
  • Mission
  • Governance
  • Authority
  • Security
  • Assignment of personnel (removal/rotation)
  • Funding/costs
  • Civil liability/indemnification issues
  • Policies and procedures
  • Privacy
  • Terms
  • Integrity control
  • Dispute resolution process
  • Points of contact
  • Effective date/duration/modification/termination
  • Services
  • Deconfliction procedure
  • Code of conduct for contractors
  • Special conditions
  • Protocols for communication and information exchange

Regardless of how much planning goes into the establishment of the corporate or the public domain fusion center, the challenges are similar: funding, resources and attention from the leadership power base. One way to keep the Fusion Center at the center of the CEO's or Mayor's daily progress review comes back to economics. The top line revenue discussions here are no different from the arguments that the head of Marketing makes for the advertising budget. The Senior Vice-President of Marketing consistently gets a robust piece of the budget pie because they have done an effective job of convincing everyone that advertising is what generates sales leads. Sales leads convert to top line revenue. So the question is, how many dollars produce a sales lead, and what is the ratio of the number of leads generated to the number that close?

What is the argument for the head of the Fusion Center? How does this become a top line revenue opportunity and not just a cost? Just as advertising is justified by the leads it creates, the Fusion Center creates a different yet equally valuable risk management lead. In either case, the data and information required to generate a lead in advertising and to generate a lead in mitigating risk begin with a hypothesis. The test is performed on a set of data and information that has been compiled on people. Who is the audience that would be best served to view this advertisement to generate the most leads for this product or service? In the Fusion Center, the question may be directed at mitigating a new threat. Who are the people in our company or community who have access to these businesses or accounts?

At the center of the argument is the question of what is more valuable: a new sales lead or a new risk lead? Both are generated from raw data and information, either collected internally or purchased external to the organization. The answer lies in the Information Economics analysis exercise of generating each and the value to the continuous operations of the organization. In the end, you may find that both are equally important and now it's a matter of fine-tuning the ratio of budget dollars devoted to the Fusion Center vs. the Marketing Department.

If you are a Chief Risk Officer, Chief Information Officer, or Chief Security Officer the answer to funding your Fusion Center just might be found in how data and information is utilized and what value it has to the livelihood and resilience of the enterprise.