31 December 2007

2007: The Year of Living Dangerously...

What a year 2007 has been for Operational Risk Management. Looking back over the past 365 days brings visions of significant accomplishment and historic failures. Reflection on what has worked can sometimes bring out the emotions and the evidence of our most vivid encounters with risk. You can't see risk. You can only witness the effectiveness of your work in the aftermath of incidents caused by your people, processes, systems or external events. Those measurements, or metrics, are why the loss event databases are growing: so we can keep score.

Unfortunately, many are trying to keep score so that they can justify additional funding and resources for their pet projects or new initiatives. The Board of Directors and executive management need something by which to judge whether the programs and the efforts for managing risk in the enterprise are working. Sometimes the quantitative measures must be taken in context with the qualitative ones to see the entire landscape of operational risk across your environment.

Here are just a few National Security milestones in the United States this past year:

  • PROTECT AMERICA ACT: In August, the President signed the Protect America Act of 2007, which closed critical intelligence gaps that threatened the safety of our Nation. The Protect America Act (PAA) modernized the Foreign Intelligence Surveillance Act of 1978 (FISA) to provide our intelligence community essential tools to acquire important intelligence information about foreign terrorists abroad who want to harm America. Unfortunately, critical provisions of the PAA expire on February 1, and Congress must act to keep our Nation safe by making these tools permanent and provide meaningful liability protection for companies who are believed to have assisted the Government after 9/11.
  • BORDER SECURITY: The Administration has taken steps within existing law to secure our borders more effectively. In 2007, we exceeded our goal of 145 miles of fencing at the border, and are on track to strengthen the border with 18,300 Border Patrol agents, 370 miles of fencing, 300 miles of vehicle barriers, additional cameras and radar towers, and three additional unmanned aerial vehicles by the end of 2008. The Administration has also instituted a policy of "catch and return," ensuring that all removable aliens caught trying to cross the border illegally are held until they can be returned to their home countries.
  • IMMIGRATION ENFORCEMENT: In 2007, ICE removed roughly 240,000 illegal aliens, made over 850 criminal arrests, and fined or seized more than $30 million following worksite investigations. The Department of Homeland Security has issued a "No-Match" regulation to help employers ensure their workers are legal and help the Government identify and crack down on employers who knowingly hire illegal workers. Unfortunately, this useful regulation is being held up by misguided litigation.
  • COUNTERTERRORISM: Working with our partners overseas, U.S. efforts to combat terrorism have contributed to the arrest of terrorist suspects and have disrupted plots aimed at both the United States and its allies. For example, in September, U.S. and German authorities disrupted a major terrorist plot resulting in the arrest of three suspects who were planning to attack a U.S. military base in Germany as well as Frankfurt International Airport. In June, the United States worked with authorities in Trinidad to arrest four men suspected of planning to blow up fuel tanks and a fuel pipeline at the John F. Kennedy International Airport.
  • NATIONAL STRATEGY FOR HOMELAND SECURITY: In October, the President issued an updated National Strategy for Homeland Security, which is serving to guide, organize, and unify our Nation's homeland security efforts. The Strategy articulates our approach to secure the Homeland over the next several years, reflects our increased understanding of the threats confronting the United States, incorporates lessons learned from exercises and real-world catastrophes, and articulates how we should ensure our long-term success by strengthening the homeland security foundation we have built.
  • 9/11 COMMISSION ACT: On August 3, the President signed the "Implementing Recommendations of the 9/11 Commission Act of 2007." This legislation protects Americans from being unduly prosecuted for reporting activity that could lead to acts of terrorism, and takes steps to modernize the Visa Waiver Program, particularly the additional security measures. The President continues to work with Congress to advance security and foreign policy objectives by allowing greater flexibility to bring some of our closest allies into the program.

In other events across the globe we witnessed how risks continue to challenge even the most prepared nations:

  • Virginia Tech joined the annals of US gun atrocities when a student killed 32 people and then turned the weapon on himself in what was the country's worst shooting rampage.
  • Three days after Gordon Brown became prime minister, and a day after two car bombs were found in London, Scotland experienced its first terrorist attack since Lockerbie. Two alleged Islamic extremists, one a doctor, drove a Jeep into the security bollards at the entrance of a busy Glasgow Airport on the first Saturday of the local school holidays. The car carried explosive gas canisters and although it burst into flames on impact, most of the containers remained intact. A few bystanders were injured, and were treated at nearby Royal Alexandra Hospital where one of the alleged terrorists worked. The driver of the car, Kafeel Ahmed, 27, died a month later from his burns, and others suspected of being involved in the attack were apprehended on the M6. All the suspects in the case were foreign recruits to the NHS.
  • The credit crunch arrived. Northern Rock became the most high-profile British victim of a crisis sparked by low-income American homeowners who'd been lent money they could never afford to pay back. Northern Rock was forced to apply to the Bank of England for emergency funds, in what was to become one of the biggest financial crises in a generation. Cue panic, cue queues.
  • A human chain of depositors formed at branches as bank customers attempted to reclaim their money. There was some very un-British behaviour, with police called to one branch when a couple staged a sit-down in an attempt to recover their £1m deposit. They left empty-handed. The run on Northern Rock caused the Treasury to pledge that no-one would lose their shirt, a promise which has so far cost £24 billion in lending to the troubled institution. The sheen of middle class security was wiped off property prices as people began to sniff a recession. It was the first of many indicators that Britain was still a nation divided by class, education and income.
  • The most significant event of the year, for the future of the planet, came this month when the Arctic Ocean melted back to a record low point. The extreme melt rate was not predicted by any supercomputer or climate change scenario and scientists began to think that an educated guess for an ice-free Arctic summer might be 2030, well within most of our lifetimes.
  • Six foreign-born men are charged in what authorities say was a plot to attack the Fort Dix Army base in New Jersey.
  • Pakistani army commandos capture the Red Mosque in a 35-hour battle; the cleric who led the mosque's violent anti-vice campaign is among those killed.
  • A strong earthquake in northwestern Japan causes malfunctions at the world's most powerful nuclear power plant, including radioactive water spilled into the Sea of Japan.
  • Minneapolis bridge collapses into the Mississippi River during evening rush hour; 13 people are killed.
  • Mattel recalls 9 million Chinese-made toys because of lead paint or tiny magnets that could be swallowed.
  • Magnitude-8 earthquake strikes Peru, causing more than 500 fatalities.
  • A B-52 bomber armed with six nuclear warheads flies cross-country unnoticed, in serious breach of nuclear security; Air Force later punishes 70 people.
  • Hurricane Felix slams into Nicaragua's coast, the first time two Category 5 Atlantic hurricanes hit land in the same year.
  • Osama bin Laden appears in a video for the first time in three years, telling Americans they should convert to Islam if they want the war in Iraq to end.
  • Citigroup Inc. CEO Charles Prince resigns as company loses billions in debt crisis.
  • Suicide bombing kills six parliament members in Afghanistan; a U.N. report later says some of the 77 total victims were killed by gunfire from panicked bodyguards, not the bomb.
  • Cyclone Sidr strikes Bangladesh with 150 mph winds, killing more than 3,200 and leaving millions homeless.
  • Oil prices peak at $99.29 a barrel.
  • CIA director says interrogations of two top terror suspects in 2002 were videotaped but the tapes were destroyed later to prevent leaks; lawmakers and courts investigate whether evidence was destroyed.
  • President Pervez Musharraf lifts a six-week state of emergency he says was imposed to save Pakistan from destruction from an unspecified conspiracy.
  • Opposition leader Benazir Bhutto is assassinated in Pakistan by an attacker who shot her after a campaign rally and then blew himself up. The attack and rioting after her death claim at least 29 more lives.


These events over the course of 2007 illustrate the breadth and depth of the operational risks we face in the next few years. Climate change, terrorism, market volatility and human behavior will continue to challenge us as professionals. So as we embark on a new journey into 2008 what resolutions will we make? What have we learned about risk? Can it be managed?

One event not mentioned above may be a clear warning of a threat still unimagined in its capacity to cripple the entire planet.

Cyber security experts quoted in the McAfee report believe 99 per cent of attacks on government systems go unnoticed. But one attack this year that could not be overlooked was launched against the Baltic nation of Estonia, and that incident serves as a warning for other nations. The report calls the Estonia attack in April 2007 "the first real example of nation states flexing their cyber-warfare capabilities".

Estonian computers for government, banks and news organisations were hit with what is known as a distributed denial of service attack - that is, they were bombarded with so many requests they couldn't function.
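The passage above describes the mechanism in one sentence: the victim is buried under more requests than it can serve, and in the distributed form each individual source may look harmless while the aggregate is not. The following is an added example, not code from the blog or from the McAfee report, showing the kind of rate-based check a defender can run over a web server's access log to notice such a flood early. The log lines, addresses, timestamps and thresholds are all constructed for illustration; tune the window and rate limits to your own baseline.

```python
"""Rate-based flood detection over web-server access logs (illustrative)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache/nginx common-log-format line, e.g.
# 198.51.100.1 - - [27/Apr/2007:10:00:00 +0300] "GET /news HTTP/1.1" 200 5120
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into (ip, datetime, request), or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def build_sample_log():
    """Constructed traffic (hypothetical data, not a real capture): 60 s of normal
    load from three clients, then a 10 s flood from 200 distinct addresses that
    each send only five requests. One unparsable line is included on purpose."""
    start = datetime.strptime("27/Apr/2007:10:00:00 +0300", TS_FMT)
    lines = []
    for sec in range(60):  # baseline: roughly 3 requests per second in total
        for i in range(3):
            ts = (start + timedelta(seconds=sec)).strftime(TS_FMT)
            lines.append(f'198.51.100.{i + 1} - - [{ts}] "GET /news HTTP/1.1" 200 5120')
    flood_start = start + timedelta(seconds=60)
    for n in range(200):   # flood: 200 sources x 5 requests inside 10 s = 100 req/s
        for k in range(5):
            ts = (flood_start + timedelta(seconds=(n + k) % 10)).strftime(TS_FMT)
            lines.append(f'203.0.113.{n + 1} - - [{ts}] "GET / HTTP/1.1" 200 5120')
    lines.append("this line is deliberately malformed and must be skipped")
    return lines


def detect_floods(lines, window=10, max_rps=20, per_ip_share=0.5):
    """Bucket requests into fixed windows of `window` seconds and raise an alert
    for every window whose aggregate rate exceeds `max_rps`. An alert is tagged
    'single-source' when one address sends more than `per_ip_share` of the
    window's requests, otherwise 'distributed' (many low-rate sources)."""
    events = [e for e in map(parse_line, lines) if e is not None]
    if not events:
        return []
    events.sort(key=lambda e: e[1])
    t0 = events[0][1]
    buckets = {}
    for ip, ts, _ in events:
        idx = int((ts - t0).total_seconds()) // window
        buckets.setdefault(idx, Counter())[ip] += 1
    alerts = []
    for idx in sorted(buckets):
        counts = buckets[idx]
        total = sum(counts.values())
        rps = total / window
        if rps <= max_rps:
            continue
        top_ip, top_n = counts.most_common(1)[0]
        kind = "single-source" if top_n / total > per_ip_share else "distributed"
        alerts.append({
            "window_start": t0 + timedelta(seconds=idx * window),
            "requests": total,
            "rps": rps,
            "distinct_sources": len(counts),
            "kind": kind,
            "top_source": top_ip,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(f"{alert['window_start']:%H:%M:%S} {alert['kind']:14s} "
              f"{alert['requests']} req ({alert['rps']:.0f}/s) "
              f"from {alert['distinct_sources']} sources")
```

The distinction between the two alert kinds is the practical point: a single-source flood can be rate-limited or blocked at the address, while a distributed one, where no single client exceeds a reasonable per-IP limit, has to be handled upstream (capacity, upstream filtering, or a scrubbing provider), which is exactly why the Estonian systems could not simply block their way out of it.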

First the mobile fails. Intermittent black spots are nothing new but you haven't had so much as an SMS from motormouth Michael in hours or anything from Jen who always calls with arrangements for Tuesday's movie by now.

You resign yourself to catching up on email and the frustrations mount with each minute on an unresponsive computer. Has the whole world stopped?

You resist the urge to slam the door as you head to the nearest ATM and the walk does you good ... until you key in your PIN. The machine is so sluggish it seems to take forever but eventually the screen responds. The news is worse than you thought. Your balance is: $0. It's as worrying as it is wrong. No mobile, no mail, no money.

You want to throw your hands in the air - and surrender is a more appropriate response than you suspect. You've lost a war you didn't even know was being waged.

The war of the future, according to an international look into cyber crime, could well be waged online. And the dangers are magnifying as governments and organised groups hone their abilities to spy on each other and attack critical pieces of public infrastructure with an arsenal of e-weapons.


20 December 2007

FRE 502: Evidence & Digital Discovery...

What could the implications of this ruling be for employees in New York state? Scott v Beth Israel Med. Ctr. Inc.

The writing is on the wall with the attorney-client privilege and Federal Rules of Evidence 502. A review of current e-mail policy may also be in order at your institution if you plan on achieving "A Defensible Standard of Care."

On December 11, 2007, Senator Patrick Leahy, Chair of the Senate Judiciary Committee, introduced S. 2450, a bill adding new Evidence Rule 502 to the Federal Rules of Evidence. The legislation addresses waiver of the attorney-client privilege and work product protection and is identical to proposed Evidence Rule 502, which was approved by the Judicial Conference of the United States and transmitted to Congress for its consideration in September 2007.

Here are comments by the BLT:

If approved, the legislation would allow litigants to avoid waiving privilege on inadvertent disclosures if parties took reasonable efforts to vet the documents and asked for the return of any privileged information in a timely manner.

"The surging use of email and other electronic media has forced parties to spend billions of dollars and countless hours to guard against the unintentional release of such information," Leahy's office reported. Specter added that the new rule would help ensure that "the wheels of justice will not become bogged down in the mud of discovery."

Stephen D. Whetstone, Esq. of Stratify says this:

Given the increased risks and costs, it is no surprise that many companies are trying to wrest control over the discovery process. More companies are now directing their outside counsel to leverage technology to automatically organize huge data collections, help understand foreign languages and detect privilege and thereby drive down the costs and mistakes that result from fatigued human review. The rule-makers get it, too. The Advisory Committee Notes to proposed FRE 502 provide: "Depending on the circumstances, a party that uses advanced analytical software application and linguistic tools in screening for privilege and work product may be found to have taken 'reasonable steps' to prevent inadvertent disclosure."

In short, in the 12 months since adoption of the new discovery rules, the sky did not fall. But, for some, it grew darker and more expensive to prop up.

In case you haven't noticed your CIO in the General Counsel's office lately, you soon will. The automated tools for Electronic Content Management (ECM) have converged with the tools for Disaster Recovery Management (DRM). In the middle of the pile of documents, e-mail and other electronically stored information (ESI) is something called effective Records Management.

The nexus here is managing discoverable information: e-mail sent from Party A to Party B over the internal e-mail system provided by the employer, and on to third parties outside the organization, including lawyers. How can an organization make sense of it all and keep the GC from pointing fingers at the CIO?

The answer begins with building awareness and education among all employees in the organization, not just the legal staff and IT. It begins the moment any employee opens a Word document or Excel spreadsheet, the second you reply to that IM or e-mail on your PDA. Only through effective education and policy management will the enterprise learn how to modify behavior, regardless of what tools and systems are put in place to organize, sort and query ESI.

"Whether building the castle walls or defending the crown jewels, knowing the right questions can make all of the difference."

The beginning of your educational journey starts here: CastleQuest

15 December 2007

Complacency Risk: The Next Attack...

In Ronald Kessler's latest book "The Terrorist Watch" you get the impression that this journalist, author and nonfiction storyteller is walking a thin line: a line between telling us too much, because it could compromise national security, and not telling us enough for the public to really visualize what the truth is. "Inside the desperate race to stop the next attack". This tag line says it all.

Drawing on unprecedented access to FBI and CIA counterterrorism operatives, New York Times bestselling author Ronald Kessler presents the chilling story of terrorists’ relentless efforts to mount another devastating attack on the United States and of the heroic efforts being made to stop those plots.

Kessler takes you inside the war rooms of this battle—from the newly created National Counterterrorism Center to FBI headquarters, from the CIA to the National Security Agency, from the Pentagon to the Oval Office—to explain why we have gone so long since 9/11 without a successful attack and to reveal the many close calls we never hear about. The race to stop the terrorists, Kessler shows, is more desperate than ever.

Never before has a journalist gained such access to the FBI, the CIA, the National Counterterrorism Center, and the other agencies that are doing the unheralded work of finding and capturing terrorists.

Ronald Kessler’s you-are-there narrative tells the real story of the war on terror and will transform the way you view the greatest problem of our age.

OK, so what? So how does this war on terror and media leaks within the context of Operational Risk impact your institution or organization? Here are a few ways:

  • Will your company have staffing challenges as a result of new immigration legislation or limits on H1-B Visas? Remember the 9/11 hijackers?
  • Will your institution require new systems and processes to meet increased compliance or regulatory mandates? Remember the Patriot Act?
  • Will you or a senior staff member be the target of a kidnapping, ransom or extortion plot at the hands of a terrorist cell? Remember Danny Pearl?
  • Will your organization be impacted by the leaks in the press regarding your operational strategy or Board Room discussions? Remember pretexting at Hewlett Packard (HP)?

Sharing information. Too much or not enough. The paradox of our generation as we all go digital.

The speed of business in the connected economy and 24-hour news cycles has created a beast that will never be tamed or controlled. Operational risks result from the continuous challenges of collecting, disseminating and analyzing information. Think about your own institution and those who hold the keys to the most valuable information. Those who disclose operational secrets could be putting that "deal" in jeopardy just as easily as putting that "life" in harm's way. Those who try to sleep at night in close proximity to their BlackBerry know the feeling of information overload, or starvation. Both represent operational risks that keep the same people grabbing the Prilosec OTC or the Ambien CR.

Ronald Kessler's book should be a wake-up call for all of us in the United States as we approach 2008. A Presidential election is ahead of us and there has been over six years of testing and waiting by those who wish to do us harm.

"Too many fail to recognize that al Qaeda's long-term goal is to send the US the way of the Roman Empire. And too many in the press are willing to take the chance of compromising the lives of innocent Americans by running stories that gratuitously disclose operational secrets."

The risk of complacency is and will continue to be our greatest threat.

08 December 2007

Human Factors: Minds Eye of Risk...

There seems to be some continuing debate out there about the concept of adopting a strategy of "Protection" vs. "Resilience". The question is whether to focus your resources and assets on preemptive or adaptive missions.

Whenever organizations adopt the guards, gates and guns mentality, with a high ratio of deployed assets and presence, it does have a deterrent effect. Having a high profile, showing your hand and creating a visible barrier to obtaining the desired target(s) can have a positive outcome; however, it must be balanced with the ability to be agile and to adapt to human factors. Resilience represents a layered approach with multiple contingencies and the mindset that even the highest walls, stealth technology or deepest oceans will not prevent a catastrophic failure from occurring in the future.

The topic along with the critical infrastructure nexus has been discussed in depth for almost the past year. Grants, studies and academia have found this "Protection" vs. "Resiliency" debate worth writing about:

The goal of this working paper series is to point out trajectories of the concept of critical infrastructure resilience in theory, policy, and implementation. On the one hand, “resilience” may just be another policy buzzword; but on the other hand, it might indicate a shift in perception and priority of threats, vulnerabilities, and consequences. Indeed, the Critical Infrastructure Task Force (CITF) has recently recommended to the Homeland Security Advisory Committee (HSAC) to “Promulgate Critical Infrastructure Resilience (CIR) as the top-level strategic objective - the desired outcome - to drive national policy and planning.”

Defined broadly as the ability of a system to withstand and recover from adversity, resilience is increasingly applied to larger social and technical systems. Stress and adversity are experienced not only by individuals and groups, but also by organizations and institutions. In the context of increasing natural and man-made threats and vulnerabilities of modern societies, the concept seems particularly useful to inform policies that mitigate the consequences of such adverse and potentially catastrophic events.

While each of the authors in the George Mason University white paper cited above has a unique perspective on the topic, Lewis J. Perelman, Senior Fellow at the Homeland Security Policy Institute in Washington, DC, gets the prize:

"The allure of resilience is stoked by the contradictions and thorny tradeoffs inherent in traditional concepts of ‘national security’ in an age of increasing social-technical complexity, transnational ‘globalization,’ and ‘asymmetric’ conflict. Certainly, ‘homeland security’ has realized, since 2001, both political impetus and bureaucratic mass. Nevertheless it has been fraught by a tumultuous and yet unresolved quest to reconcile legitimate but competing social objectives:

• Security against attacks vs. security against natural disasters, disease, accidents, etc.;
• Intelligence operations vs. privacy;
• War-fighting vs. human rights, civil liberties, the rule of law, etc.;
• Needs for secrecy vs. needs for information sharing;
• Federal responsibility vs. state/local/private authority;
• Centralized command and control vs. communal collaboration.

As the debate continues between hard and soft policy perspectives, Perelman identifies one of the key components of Operational Risk Management: human factors. His suggestion of adding human factors to the equation for risk is critical to the issue:

Risk = HF(Threat x Vulnerability x Consequences)

where HF is a function of the “soft” human factors that translate the “hard,” physical parameters of engineering failure into human perceptions, emotions, and behavior.

Human behavior and the perception of risk continue to be at the center of the overall discussion. Socially, what is more of a threat: loss of the use of a half dozen buildings, an entire city or the Internet itself? Is the threat a hurricane, a radiological device or the most deviant virus known to date?

The perception of "Risk" as being in the eye of the beholder is not new here. The policy being shaped across the globe, however, is moving rapidly towards a mindset of agility, adaptiveness and endurance. That alone should be the clue that resilience will become a major facet of the risk strategy paradigm of choice in the next decade.