22 November 2007

The GC: The Truth Can Be Adjusted...

If you are a General Counsel (GC) today for an organization doing business on a global basis, your Blackberry must be "buzzing" every few minutes. The legal risk being encountered will always be a factor of the number of deals, the number of employees and the growing number of countries you do business in.

As a corporate GC of a global enterprise, you have a fiduciary responsibility to protect the enterprise from adversaries such as the rogue employee, the government regulator, competitors and plaintiff class actions. The Rule of Law in your organization is in your hands. How you transfer the "Talking Points" on ethics and legal messages to your employees, partners, suppliers and adversaries is critical. The effectiveness of your relationship with internal CSO, CISO and Internal Audit leadership could mean the survival of the company and your job.

In the latest Hollywood movie, Michael Clayton, George Clooney plays the role of a prominent law firm's "Fixer." He finds himself cleaning up the messes corporate clients get themselves into, and even the firm's internal problems with senior litigators who have decided to do secret battle with a prominent client's General Counsel. The GC in this film takes every precaution to ensure the settlement of a pending class action suit that has already consumed over 30,000 billable hours at Michael Clayton's law firm.

While this fictitious story displays the extremes of the world many GCs live in with their outside counsel, it sets the stage for gaining insight into the legal ethics and corporate challenges global institutions face on a continuous basis. The Yin / Yang of corporate compliance and governance is a constant wrestling match between the pressure to save people from losing their reputations and the longing to do the right thing. The goal is to achieve a defensible standard of care and to have peace of mind: to be able to stand behind the fiduciary duty to uphold the law and enforce the rule of law in corporate business.

When was the last time a GC took the "Ethics" and "Rule of Law" program directly to the employees in face-to-face sessions, giving employees, partners or suppliers a first-hand opportunity to meet, greet and engage with the General Counsel of the enterprise? By doing this you are directly engaging the people on the front line to be the "eyes and ears" for the company, the early warning system for potential conflicts of interest, fraud and corruption. As an example, Scott Chaplin at Stanley Associates says this:

"I deal with a wide range of issues on any given day. I support not only our business operations but also corporate support. Our recurring issues include corporate governance and securities, and we're active in the mergers and acquisitions area -- we've done several deals recently. I handle labor and employment issues on a daily basis, along with government contracts issues, litigation, IP and compliance work. I'm also the ethics officer for the company, responsible for our ethics compliance program, as well as secretary of our board of directors, where I act as legal adviser to the board."

"I recently completed our annual ethics training at a number of our offices. After each training session, I would have a line of employees waiting to speak with me about various issues. That got me thinking that a lot of employees don't feel they have a direct line of communication to me at corporate. They might not feel that the issue is important enough to bring up with the GC. It made me realize that in-house lawyers need to get out of headquarters more often and go to the employees, instead of waiting for the employees to come to us. We have to get out to the field and foster the client relationship a little bit more."

Scott is absolutely correct, and what better time to emphasize SOX Section 806. Protecting the rights of corporate whistle-blowers is the GC's responsibility, in combination with an external ethics hotline for employees. While there have been plenty of other people calling for reform of other burdensome and expensive components of SOX, no one is going to touch Section 806. Employees don't understand the implications of the law, and corporate management can't underestimate the impact of this in terms of the potential litigation it may face.

Achieving a Defensible Standard of Care requires a General Counsel with the vision to address the full spectrum of legal and ethical risks in the modern enterprise. When this is finally accomplished, the Michael Claytons in law firms around the globe will be looking for a new career.

16 November 2007

OSAC: The Insider Threat...

The "Insider Threat" was on the minds of Global Security Executives this week as evidenced by a half day emphasis on the current trends and issues at the OSAC Annual Briefing. The "Usual Subjects" were at hand with the crowd almost falling asleep while the speakers reinforced those due diligence rights and wrongs.

In any global enterprise doing business across multiple continents, with a diverse workforce of expats and country nationals, you can bet on being consistently subjected to operational risks instigated by people. Fraud, embezzlement, conflicts of interest, economic espionage, workplace violence and business disruption schemes are the norm. Yet in the back of everyone's mind is still the possibility of being connected with a significant terrorist incident. What these CxOs are looking for is the means to gain a larger budget for their departments and to be able to invest in new technologies and tools. Human behavior will always be the center of the controversy over whether these new systems will be able to mitigate the insider threat any more efficiently or effectively. In a converging organization with outsourced services around every corner, the enterprise becomes more disjointed and incapable of a continuous level of readiness or preparedness for the next organized plot by the insider.

So back to square one. Keep an eye on your employees, contractors and suppliers. Run those new employee awareness sessions and lock down the access to sensitive corporate assets. Now do it again with the same budget we gave you last year! You can just see these great patriots from all over the world searching for the answer to their continuous woes as a Global Security Director. It's a thankless position and severely underfunded in a time when the threats are increasing exponentially.

In evaluating the current information security, regulatory and legal environment, consider these five key flaws with today’s ORM solution programs:

1. Dependence on inadequate and incomplete technology-based point solutions;

2. Failure to integrate people, process and systems into an effective operational risk program;

3. Lack of decision support and an actionable understanding of the threat to the entire spectrum of corporate assets;

4. Reactive response to perceived problems rather than proactive initiatives based on sound risk management principles; and

5. Cost and shortage of properly skilled IT personnel to support the programs.

The Gartner Group has identified three major questions that executives and boards of directors need to answer when confronting significant issues:

  • Is your policy enforced fairly, consistently and legally across the enterprise?
  • Would our employees, contractors and partners know if a violation was being committed?
  • Would they know what to do about it if they did recognize a violation?

If you don't know the answers to these questions then there is much more work to do and much more strategic planning necessary before any software or system is implemented for Operational Risk Management. And now in the United States there is still a feeling of a lack of guidance in the critical infrastructure sector of Banking and Finance with regard to terrorist financing. There are three main areas here to focus on from the perspective of Andrew Cochran:

  • Prepaid Stored Value Cards from Non-Money Service Businesses (MSB)
  • A List of "Politically Exposed Persons" (PEPs)
  • Updated Anti-Money Laundering (AML) manuals from the SEC

In all three areas, financial institutions are basically operating in the dark without guidance, and the risk of the unknown is the most fearsome and costly of all in this arena. As arcane as these might sound to those not working in or around the industry, I am confident that these three steps would reduce the risk of terrorist financing through financial institutions, often the first set of eyes and ears in contact with potential terrorists.
01 November 2007

Red Flags: The Oracle of Omaha...

What do you do when you see a "Red Flag"? This was the question posed to Directors in a recent poll by Corporate Board Member Magazine in the November/December 2007 issue. C. Warren Neel, the Executive Director of the Corporate Governance Center at the University of Tennessee, could not have answered this any better:

I don't want to see it; I want to "hear" the red flag before I see it. I want to hear about it before it happens. And I don't want to just know it happened, I want a diagnostic as to why it happened. I want a postmortem. What led us down that track? How did it start? Was it personnel-based? Process-based? Because of a malfunctioning system? Did we have the wrong strategy? Or what?
Welcome to the world of Operational Risk Management, Mr. Neel. These are the scenarios that are played out on a continuous basis amid the daily humming of business throughout the organization. Ops Risk professionals are testing, exercising, stressing, and "Thinking of the Unthinkable" every day so that you do hear it before it happens. The warning may not come weeks, or even days, in advance. It could be hours or minutes. And then what will the Board of Directors do next?

This is perhaps one of the largest worries these professionals have. They don't know you, the Board, or the steps you may or may not take once you get the warning, the news or the prediction. As the Board of Directors, it's imperative that you learn all you can about who the Operational Risk experts are in the enterprise and get to know them personally. Otherwise, how are you ever going to have an early warning system that you can trust and that gets you the answers sooner rather than later?

What you need is an extension to the "Whistleblower" mechanism that tracks potential ethics violations and other wrongdoing under corporate policy. It's a risk management method integrated with your current fraud management systems and combined with the ongoing behavioral analysis of "High" risk employees. Without this early warning process and a supporting system in place, the Board is forever doomed to be on the "reactive" end of the spectrum, continuously wondering how to respond to an incident that has already occurred.

How did Warren Buffett get the "Red Flag" on Freddie Mac and its senior management, years before the company's implosion?

The charges against Brendsel were filed three years ago by the Office of Federal Housing Enterprise Oversight, which regulates Freddie Mac and its larger government-sponsored sibling Fannie Mae. OFHEO, which blames the accounting scandal on management misconduct, is seeking damages and penalties against Brendsel totaling nearly $1 billion, including $24 million in severance benefits and stock awards.

Buffett said he was uncomfortable, among other things, about an investment by Freddie Mac that was unrelated to its business as the nation's second-largest financer of home mortgages.

"I follow the old dictum: There's never just one cockroach in the kitchen," Buffett said.

Details of his testimony were reported in Wednesday's editions of The Washington Post. They were confirmed by people familiar with the proceeding, speaking on condition of anonymity because they weren't authorized to speak about the case publicly.

Regardless of the outcome of this proceeding, the point could be made that the board had a huge "Red Flag" when Warren was selling his stake in the company. Predictions are based upon a number of factors, and there must have been many pieces of information that added up to "something's not right" at Freddie Mac. Today, there are ten positions open at Freddie Mac for operational risk related jobs, and here is what they are seeking:

Position is part of a team supporting Operations as an operational risk management partner. Significant time will be spent as the face of the Audit Liaison function. Engages with the business areas to fully understand the operational process in order to coach and support the group in identifying and assessing operational risk and designing appropriate controls to mitigate the risk. Provides subject matter expertise on operational risk management systems and Freddie Mac operational processes.

Ensures all operational risk deliverables are completed within established timeframes with a high level of quality especially the mitigation of outstanding major/critical issues and monitoring of status on all outstanding issues. Deliverables include Operational Breakdown and Loss Event Reporting, Risk and Control Self-Assessments, SOX Assessments, Internal and External Audit Responses. Also supports Quality Assurance testing of SOX Key Controls and Root Cause Analysis.

Skills/Knowledge needed:

  • In-depth knowledge of operational risk management and controls with minimum 2 years experience.
  • Knowledge of key principles of auditing.
  • Knowledge of key principles of mortgage operations.
  • Knowledge of financial industry operations and/or accounting is preferred.
  • Ability to work independently with strong organizational skills to meet frequent deadlines.
  • Strong interpersonal skills with ability to build working relationships.
  • Flexibility and ability to multitask.
  • Strong analytical skills.

One might wonder why they are looking for someone with in-depth knowledge of operational risk management (ORM) who has only two years of experience. Sadly, this is because the organization relied for too many years on its financial auditors and their armies of freshly minted MBAs from some of the best business schools in the nation. However, the main reason is that the science of ORM is new compared to other disciplines in the accounting profession.

As organizations evolve their ORM departments and combine the attributes of fraud management, systems testing, continuity of operations, records management and employee behavioral analysis, the Board of Directors will have a better opportunity to predict "Red Flags". They will ultimately become more preemptive in their actions and follow through to protect the shareholders' assets. Until that happens, keep your eyes and ears on the "Oracle of Omaha"...