29 January 2008

OPS Risk Case Study: Societe Generale

In the aftermath of alleged fraud at French bank Societe Generale the Operational Risk Management team are shaking their heads. Was this an internal fraud? In analyzing the timeline of events so far one has to read between the lines:

Preliminary charges have been filed against Jerome Kerviel, the trader blamed for huge losses at French bank Societe Generale.

He will be investigated for breach of trust, falsifying documents and breaching computer security - but not for fraud.

His lawyer, Elisabeth Meyer, called the judges' decision a "great victory" as Mr Kerviel was released on bail.

Societe Generale says his actions cost it 4.9bn euros ($7bn; £3.7bn).

Under French law, a formal investigation does not automatically guarantee that a trial will follow.

Societe Generale and Paris prosecutors had been pressing for a more serious charge of fraud against Mr Kerviel, but this accusation was thrown out by the judges tasked with investigating this case.

Risk Management 101 and "Segregation of Duties" will be at the forefront of OPS Risk discussions as the facts come out from the digital forensics examinations. The "Insider" has once again made the headlines and the book of lessons learned:

He said Mr. Kerviel claimed to have made his first fictitious transactions at Société Générale in late 2005, shortly after moving to the bank’s trading desk from a previous job in the risk-management department.

Three years ago it all began. And so goes the typical story line in the epic tales of fraud in the years past and the decades to come. Effective oversight and risk management walks a fine line between enabling innovation and insight and mitigating errors, omissions and significant losses. One thing is certain: the "Insider" threat in your organization exists today, tomorrow and next week. It's not going away, regardless of the number of controls, personnel or systems put in place to eradicate its existence in your institution.

Whether this incident will end up in the Fraud Museum is yet to be determined. What is more certain is that traders around the globe are under a new spotlight and renewed scrutiny by oversight investigators. The goal now is to make sure that the combination of people, processes, and systems is fine-tuned to the right tolerance levels and triggers for alerts. Only then will the correct balance occur between risk and reward.

What will certainly be an outcome of the investigation is the number of other people who will be implicated, directly or indirectly, by the incident itself. Stay tuned to this "Operational Risk Management" case study for more lessons learned.

17 January 2008

IPR Risk: Beijing Olympics 2008 & Beyond...

The global corporate security directors have been planning for the 2008 Olympic Games in China for well over a year now. Company employees of Fortune 500 institutions who are in the intellectual property and branding departments have been working feverishly for even longer. What do the two have in common?

Safety, Security and Intellectual Property Rights (IPR) Protection, to name a few. The stakes are tremendous and the world's stage for sports and marketing is coming soon to a web site, cell phone and e-mail in your control. These Operational Risks are growing, especially for Corporate Travelers and other Executive Management who have engaged in negotiations and business deals for the past 24 months. Let's put some of this into context:

China Customs is committed to providing Beijing Olympic Games with good service in all respects and is entitled to conduct control over Olympic materials entering or leaving China Customs territory (hereafter referred to as the territory) in accordance with relevant laws and regulations. This notice applies to the completion of Customs formalities and the payment of Customs duties and the taxes collected by Customs on behalf of other government departments for importation of all materials entering or leaving the territory (hereafter referred to as the inward and outward materials) for the Olympic Games, Paralympics, testing-games, torch relay and other related activities during Beijing Olympic Games and its preparation period. The time for Beijing Olympic Games and its preparation period refer to the time starting from January 1st, 2007 to October 17th, 2008.

This is a facet of the puzzle that corporate marketing and operations management have ironed out for the most part. However, whether the other Intellectual Property perspective is being addressed is another question. The Digital Age is certainly upon us, and this brings a heightened sensitivity to the strategy for employees who plan on visiting China before, during and after the Olympic Games in 2008.

Companies often have negotiated contractual obligations to protect confidential and trade secret information of customers, vendors, and business partners. Companies aggressively guard against theft or loss of intellectual property, however, the loss of sensitive employee and customer information can be just as damaging. Lose trust with your customer and you may lose the customer. Additionally, the media and public are paying increased attention to privacy breaches. Companies risk significant public embarrassment—not to mention potential litigation—if they fail to appropriately safeguard private and confidential information. Courts nationwide are also taking an increasingly intolerant view of companies that fail to take reasonable efforts to protect sensitive employee and customer data. The digital age has significantly increased the risk of data losses.

Security Advisory and OPS Risk Consulting firms have been gearing up for the challenges global corporations face in the next six months. Increasing awareness, educating and training employees while testing the soundness of legal and security policies is just the beginning:

“The next wave of global coordinated attacks blends physical, logical and cyber exploits – specifically targeting high-value intellectual property and customer information around the world,” said Watters, iSIGHT Partners’ Founder, Chairman & CEO. “This trend will dominate the future threat landscape.”

John Watters knows the stakes and understands the magnitude of the digital challenges faced by corporate entities across the globe. In the wake of the speeding boat towards brand presence and intellectual property rights management, lies another common and misunderstood threat. It's called "guanxi".

Understanding this threat in its context and relevance to corporate stakeholders is vital. The focus on developing a vigilant strategy for interacting with business partners in China is imperative. Prudent CSOs and GCs are well on their way to rolling out the legal programs and security management training to mitigate the risks to their employees and their precious corporate secrets. This is the result of some very well known cases involving counterfeiting and enforcement of trademarks and intellectual property.

What might be less well known is how digital information is being removed, without your knowledge, from devices such as laptops, cell phones and PDAs such as a BlackBerry while you walk through the hotel lobby or the airport waiting area. Here is some easy advice and a simple strategy as you contemplate your itinerary for the Olympic Games. Leave it at home, locked up in your corporate office.

11 January 2008

Fraud Preemption: Global Integrity Management...

The top ORM challenges for 2008 are starting to emerge. Oprisk & Compliance has their top ten and we would agree with most of them, especially "Legal Risk" in light of the growing subprime exposure. Our forecast is for continued convergence of the risk management functions within the institution, along with increased automation in places where human-based tasks can produce errors. These same trends will continue as we investigate the qualitative components of analyzing risk.

Analysis of qualitative data by quantitative methods is a tremendous opportunity for the Operational Risk Management profession. And for the bottom line. HSBC has invested heavily in understanding customer behavior through new systems initially designed for fraud detection and now being leveraged beyond compliance to address more effective customer service. Getting to top line revenue discussions from the center of OPS Risk units is now a given. A single framework to reduce IT systems costs while simultaneously providing newfound Market Intelligence is the latest game plan.

The U.S. regulatory environment is going to get a new injection of investigators, forensic accountants and aggressive federal oversight not seen for many years. The writing is on the wall already for the hedge fund industry. They are already gearing up with the potential hiring of a political heavyweight to head up their industry non-profit on Capitol Hill.

Hedge funds are multimillion-dollar investment pools designed for wealthy individuals. They have grown enormously in recent years, collecting more than $1 trillion, seizing control of underperforming companies and increasingly drawing money from gigantic pension funds, including those of government employees. There are about 9,000 hedge funds in the country.

For years, they barely registered on the Washington agenda. But now that they are so large and aggressive, federal regulators, state authorities and lawmakers have been clamoring to learn more about them, including whether fraud and risky trading flourish in their secretive operations.

In the traditional consumer banking sector, customers are leaving in droves from institutions that have not implemented multi-factor authentication. The fact is that criminals have moved online and their fraud schemes are growing exponentially, except in places like Singapore. This simple set of statistics says it all.

The benefits of two-factor authentication have been proven in other jurisdictions. In 2005, the Monetary Authority of Singapore (MAS) dictated the use of:

The impact has been dramatic. In 2004, banks in Singapore lost $356,000 USD to reported Internet fraud. Twelve months later, after implementation of two-factor authentication, the number was $5,000 USD. Organizations in the U.S. that have implemented these capabilities today will be grabbing market share as they roll out these fraud-busting measures ahead of their competitors.

Fraud is at the core of Operational Risk matters, and whether it's the internal employee manipulating your internal control environment or the external transnational crime syndicate flogging your customers with spam really doesn't matter. What has your "Red Team" told you is at stake this week? The vulnerabilities they have discovered, utilizing new tools or techniques to exploit the changes in your design, implementation or configuration, are real. Here is just one recent example:

To the annals of creative bank heists add this: Two Washington area banks turned over more than $850,000 in less than 24 hours this week to someone who impersonated a cash courier and claimed to be filling in for the regular guys.

On Wednesday, a man dressed as an armored truck employee with the company AT Systems walked into a BB&T bank in Wheaton about 11 a.m., was handed more than $500,000 in cash and walked out, a source familiar with the case said.

Once they catch this guy it will all come back to a classic Operational Risk failure. In this case, there are two banks that are getting some fresh reminders about process and procedures at the branch level. Yet whether we have multi-factor authentication online or in the branch with the armored car driver, the issue remains the same. The consumer and the merchants will continue to pay for this in the long run. Why are they still trying to authenticate people instead of the transaction?

"To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity, which is in the best position to mitigate the risk, responsible for that risk. And that means making the financial institutions liable for fraudulent transactions."
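To illustrate the point about authenticating the transaction rather than the person, here is an added example (not code from the original post or from either bank): a branch-side check for a cash handover that ignores the uniform, badge and story of whoever is at the counter, and instead verifies the request against the bank's own pickup schedule and an out-of-band confirmation from the carrier's dispatch desk. The schedule, pickup ids, amounts, times and confirmation codes are constructed sample data.

```python
"""Transaction-level check for a cash handover at a branch.

Constructed example: the schedule, pickup ids, amounts and dispatch codes
below are invented sample data, not records from the incident described.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# What the bank itself knows in advance: pickups the carrier scheduled through
# its normal channel, keyed by a pickup id that both carrier and bank hold.
SCHEDULED_PICKUPS = {
    "PU-0001": {"branch": "Wheaton", "amount": 500_000,
                "window": (datetime(2008, 1, 9, 10, 30),
                           datetime(2008, 1, 9, 11, 30))},
}

# Confirmation codes the carrier's dispatch desk reads back when the branch
# calls the number already on file (a channel the person at the counter does
# not control). Constructed stand-in for that phone call.
DISPATCH_CODES = {"PU-0001": "7H3K"}


@dataclass
class HandoverRequest:
    branch: str
    amount: int
    pickup_id: str               # id quoted by the person at the counter
    requested_at: datetime
    dispatch_code: Optional[str]  # what the branch heard back from dispatch


def evaluate_handover(req: HandoverRequest) -> Tuple[str, List[str]]:
    """Return ("release", []) or ("hold", reasons).

    Nothing about the person (uniform, badge, "filling in for the regular
    guys") is an input; only the transaction is checked against the bank's
    records and the carrier's dispatch desk.
    """
    sched = SCHEDULED_PICKUPS.get(req.pickup_id)
    if sched is None:
        return "hold", ["no scheduled pickup with that id"]
    reasons = []
    if sched["branch"] != req.branch:
        reasons.append("pickup scheduled for a different branch")
    if req.amount > sched["amount"]:
        reasons.append("amount exceeds scheduled amount")
    start, end = sched["window"]
    if not start <= req.requested_at <= end:
        reasons.append("outside scheduled pickup window")
    if req.dispatch_code is None or req.dispatch_code != DISPATCH_CODES.get(req.pickup_id):
        reasons.append("dispatch desk did not confirm this pickup")
    return ("hold", reasons) if reasons else ("release", [])
```

A request that matches the schedule and carries the dispatch code is released; a walk-in with no matching pickup id, or without the dispatch call-back, is held regardless of how convincing the courier looks.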

Once institutions realize that they need to focus on a culture of compliance and build robust fraud detection and prevention programs, the losses may start to dwindle. Only, however, if those programs are properly organized, deployed and funded. And finally, these integrated initiatives must include a substantial investment in systems and a systemic automation mechanism to drive awareness. Microsoft is one organization that is on the leading edge of implementing effective Global Integrity Management.