27 February 2008

Lessons Learned: The Impact of Executive Decisions...

In times of economic downturn, the Operational Risks within your institution will begin to rise. Enron, WorldCom and HealthSouth are the few names people recognize as the major casualties of the last significant dip in our economy. When times get tough, people get desperate and try to keep the schemes and any red flags from being discovered.

So what are some of the areas that encompass Operational Risk?

  • Internal Fraud - bribery, misappropriation of assets, tax evasion, intentional mismarking of positions
  • External Fraud - theft of information, hacking damage, third-party theft and forgery
  • Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety
  • Clients, Products, & Business Practice - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
  • Damage to Physical Assets - natural disasters, terrorism, vandalism
  • Business Disruption & Systems Failures - utility disruptions, software failures, hardware failures
  • Execution, Delivery, & Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets

Cynthia Cooper has written a new book, "Extraordinary Circumstances: The Journey of a Corporate Whistleblower", about her honorable quest to find the truth at WorldCom. Her quote in the March/April issue of Fraud Magazine says it all:

"Listen to your instinct. If people are acting out of character or appear to be working to head you in another direction, step back and ask yourself why. Continue to ask for support and dig until you're satisfied that you've gotten it right."

Beyond Cynthia's first-person account, which gives the reader her emotional perspective, Operational Risk Management professionals realize that their role and the job they have been trained to do is not always a "Pleasant" experience. This is why all of the training and education is so important and the rehearsals are absolutely imperative. Testing, evaluating and testing some more is the norm. Understanding what "Normal" looks like takes time and persistence. Yet without it, our horizon for positive change could be in jeopardy.

With many of the "Lessons Learned" books now published from the last economic dip, who will be next to blow the whistle or expose the real risks that some companies are hiding from the Board of Directors and the shareholders? The class action lawyers are even gathering their evidence on the possibility of cashing in on predatory lending practices:

A federal appeals court is nearing a decision on a battle between Chevy Chase Bank and a Wisconsin couple that could for the first time enable homeowners across the country to band together in class-action lawsuits against mortgage firms and get their loans canceled.

The case is alarming Wall Street's biggest banks, which could bear the hefty cost of reimbursing all mortgage interest, closing costs and broker fees to groups of homeowners who uncover even minor mistakes in their loan documents. After a federal judge in Milwaukee ruled last year that the Wisconsin couple had been deceived and other borrowers could join their suit, Chevy Chase Bank appealed to the circuit court in Chicago.

So what we have are markets that are volatile. Bankers who are raising the stakes for borrowers. And naive consumers who are facing higher prices across the board. The time for increased vigilance is in front of us all. From the Board Room to the Court Room it's time that we spend more time looking at the interdependencies and realize that risk is more than a prediction.

During these times, it's worth revisiting this post on Fear: The Elements of Prediction.

21 February 2008

Hedge Funds: Focus on Sound Practices...

So what is on the mind of Hedge Fund Managers in these days of "volatility" and uncertainty? After all, the CFOs and COOs at hedge funds and funds of funds must have some questions about best practices for auditing their funds' operations and mitigating the most common forms of operational risk.

Top industry practitioners and industry advisors will discuss these topics at THE HEDGE FUND OPERATIONAL RISK MANAGEMENT SUMMIT: Strategies for Stress Testing and Hedging Operational Risks:

  • New auditing standards – an operational due diligence checklist
  • Methods for attaining greater transparency while protecting strategies
  • Financing your operations – key considerations for managing operational risk
  • Implementation of disaster recovery strategies
  • The role of operational due diligence in your risk management strategy
  • Current issues in regulation and compliance
  • Updates on tax risk management and international tax compliance
  • Understanding methodologies for hedge fund ratings
  • ERISA – new info for hedge fund operations
  • Best practices for managing counterparty risk

The speakers and panelists are prominent leaders in banking and alternative investments, plus the usual suspects of lawyers and accountants. Yet there is one item in the list that stands out: the topic of ERISA and new info for hedge fund operations. Among other things, ERISA provides that those individuals who manage plans (and other fiduciaries) must meet certain standards of conduct. The law also contains detailed provisions for reporting to the government and disclosure to participants. There also are provisions aimed at assuring that plan funds are protected and that participants who qualify receive their benefits.

Hedge fund CxOs are thinking more about implementation of disaster recovery strategies. We know that they have been planning for it since the day the doors opened somewhere in Greenwich, yet now the vital topic of "Implementation" is at the forefront of the discussion.

In the context of Operational Risk Management with hedge funds, the goal is no different even while the feds may not have all the new regulations in place or the laws on the books. After all, the industry as a whole is just now getting its new leader in place to lobby "The Hill". The Managed Funds Association (MFA) has announced its new President, Mr. Baker.

Oversight and transparency will be a continuous topic for regulators. Yet as managers of several trillion dollars in assets, there are some important and vital practices that will gain momentum within the ranks of the Alternative Investments Industry.

We are pleased to see that Section I of the MFA Sound Practices Guidance includes Information Technology Controls:

The Recommendations also include information technology (“IT”) guidance in order to control changes to any software applications, data, and IT infrastructure and to maintain proper security therein. Finally, the Recommendations in Section 1 provide guidance on relationships with third-party service providers that perform key business functions, such as calculating net asset value (“NAV”) or monitoring risk.

And beyond the normal rules around "Ethics" and best practices associated with the code of conduct in the financial services industry, Hedge Funds must realize that they are not hedging their Operational Risk by outsourcing to 3rd Parties. They are still responsible for the oversight of these 3rd Parties and the extent to which they are in compliance with all federal and state laws.

V. PERFORMANCE OF INVESTOR IDENTIFICATION AND OTHER AML PROCEDURES BY THIRD PARTIES

A. Relationships between the Hedge Fund Manager and Third Parties

This section should address the fact that the U.S. Department of Treasury has recognized the ability of a Hedge Fund or Hedge Fund Manager to contractually delegate the implementation and operation of certain aspects of its AML compliance program to third parties (e.g., fund administrators, IAs, CPOs, CTAs, broker-dealers, and futures commission merchants), although the Hedge Fund and Hedge Fund Manager remain fully responsible for the program.

With so much riding on the hedge fund industry and its importance to the performance of the markets, it's everyone's wish that the CxOs implement robust compliance and ethics programs to support their Operational Risk Management Frameworks.

12 February 2008

Business Survival: Anticipating Breakpoints...

"The final plunge of the most powerful and dreaded firm on Wall Street in the roaring eighties came with astonishing speed. Like the abrupt fall of the Berlin Wall thousands of miles away, the collapse suddenly confirmed what everyone in the financial world could already feel in the wind: A new era had arrived."
Business Week cover story on 2.26.90

Many excellent companies have fallen from grace, not because they ignored their customers or lacked superior management skills, but because business conditions shifted beneath them. In an environment of fluctuating markets, proliferating technologies, and changing political frontiers, the management challenge is no longer to manage only growth. Now managers must cope with breakpoints, or sudden shifts in the rules of the game.

So has this deja vu moment reminded us that the Drexel Burnham Lambert implosion could be replaced with a new corporate name in the year 2008? Junk bonds were a financial instrument that was utilized for leveraged buyout financing. Then a "Breakpoint" occurred. Paul Strebel, in his 1992 book entitled "Breakpoints: How Managers Exploit Radical Business Change", explains:

"Breakpoints, or sudden radical shifts in the rules of the business game, may shape the course of an industry, or of a company, but they need not be as dramatic as the junk bond story."

If you are the Chief Risk Officer (CRO) at a major institution facing sleepless nights these days, then you are not alone. Just make sure that you "Tivo" the moment so that you can replay it in another decade, around the year 2015. If the last major breakpoint took 18 years, then the next one should occur in about half the time. Do you have your finger on the pulse of change and potential breakpoints in your organization? Can you anticipate the next one in time to have the correct actions and plans to mitigate the impact on your enterprise?

Certainly there will always be those incidents and crises that are unknown and sudden. And how you recover during these times could save your reputation:

ZURICH (Reuters) - Credit Suisse trimmed full-year subprime writedowns to 2.0 billion Swiss francs (932 million pounds) but its stock fell as investors took fright at the bank's remaining exposure to the credit crisis.

The bank also reported a 49 percent fall in fourth-quarter profit from continuing operations to 1.33 billion francs, slightly below analysts' expectations, as losses in its huge asset management business eroded results.

Subprime writedowns in the fourth quarter were 1.26 billion francs, Credit Suisse said, though hedging earlier in the year had helped it lower its full-year charges for bad credits from an estimate of 2.2 billion francs made earlier.


The Blackberry mobile e-mail service has returned to normal after a breakdown on Monday afternoon wiped out the service across the US and Canada.

The Blackberry device, owned by Canadian firm Research in Motion, is popular among business people who rely on it to keep in touch with the office.

The service began to fail at about 1530 EST (2030 GMT) and users struggled to retrieve information for three hours.

The firm said no messages were lost and apologised for the problems.


Whether the CRO encounters the wrath of financial instruments at a breakpoint in the marketplace or hours of downtime on the corporate lifeblood of information exchange does not matter. Operational Risk is pervasive and creates discontinuity that impacts employees, customers and shareholders. The only answer is a resilient framework for anticipating and addressing "Change" or, in other words, incidents.

Having a taxonomy for change in your organization is imperative to gaining insight on potential incidents, whether they be [high frequency, low consequence] or [low frequency, high consequence] events. So what is the potential aftermath without this taxonomy?

  • Companies have myopia in viewing the actual breakpoint in front of them
  • The company fails to capture the opportunity and exploit the breakpoint
  • A rare company actually creates a competitive breakpoint

The analysis within your organization begins with understanding what tools your adversaries are utilizing to exploit your vulnerabilities. Your future Business Survival depends on it.

05 February 2008

ESI Lessons Learned: CREDO & Qualcomm...

Qualcomm Inc. v. Broadcom Corp., Case No. 05cv1958 (BLM) (S.D. Cal.), issued on January 7, 2008 by the U.S. District Court for the Southern District of California, should be a major wake-up call for corporate litigants. This case is about electronically stored information (ESI) and the ability to manage and produce the correct records at the time requested.

Evidence Lifecycle Management (ELM) is imperative in the context of Governance Strategy Execution within the halls of corporate legal departments. Having an Operational Risk Framework to address legal matters is the "Holy Grail" for many Audit Committees of global Fortune 50 institutions and the General Counsel. What are some of the elements of enterprise ELM? To start:

  • Automated identification, preservation, and collection of structured and unstructured matter-specific ESI from all accessible eRecords sources
  • Role-based collaboration and communications that drive all case-specific ESI activities
  • Auditing and reporting of all ESI communications and events, including litigation holds

Duane Morris LLP has this to say about the Qualcomm case:

Emphasizing that it is the responsibility of attorneys (both in-house counsel and retained counsel) to make certain that their clients carry out an effective and comprehensive document search, the court noted that "[p]roducing 1.2 million pages of marginally relevant documents while hiding 46,000 critically important ones does not constitute good faith and does not satisfy either the client's or attorney's discovery obligations." The court suggested that in-house counsel have a duty to confirm the veracity of any signed papers produced during discovery.

The district court's solution was to order Qualcomm to implement a "comprehensive Case Review and Enforcement of Discovery Obligations ('CREDO') program" which, at a minimum, includes:

(1) identifying the factors that contributed to the discovery violation, (2) creating and evaluating proposals, procedures, and processes that will correct the deficiencies identified in subsection (1), (3) developing and finalizing a comprehensive protocol that will prevent future discovery violations, (4) applying the protocol that was developed in subsection (3) to other factual situations, such as when the client does not have corporate counsel, when the client has a single in-house lawyer, when the client has a large legal staff, and when there are two law firms representing one client, (5) identifying and evaluating data tracking systems, software, or procedures that corporations could implement to better enable inside and outside counsel to identify potential sources of discoverable documents, and (6) any other information or suggestions that will help prevent discovery violations.

The court ordered that the attorneys submit a proposed protocol for the court to evaluate and revise, if necessary. While the district court's immediate goal was to remedy this specific instance of misconduct, the court hoped that its opinion would be a "road map" for electronic discovery and would "assist counsel and corporate clients in complying with their ethical and discovery obligations and conducting the requisite 'reasonable inquiry.'"

The risk associated with non-compliance with the Federal Rules of Civil Procedure (FRCP) is a major facet of Operational Risk Management. The fusion of the Corporate Governance Strategy Execution comes together with a dedicated internal "Task Force" inside the enterprise. Comprised of the General Counsel, CIO, CISO and VP of Human Resources, this team provides the mechanism for effective policy implementation and operations accountability. The mission is to carry out the fiduciary duty to create a culture of legal compliance within the organization.

The Board of Directors has learned its lesson about turning over the entire process to outside counsel. The trend of outsourcing the many tasks and duties assigned to the discovery and admissibility of ESI is coming to an end. Soon the General Counsel will be standing up the internal "Task Force" to identify and produce ESI in a reliable and cost-effective manner. The trend is gaining momentum and law firms are getting more "Requests for Information" (RFI) on their true electronic discovery capabilities.

Establishing "A Defensible Standard of Care" within the enterprise continues to be the ultimate goal. While some law firms have started to offer services to determine the readiness of their clients for large ESI cases, more corporate institutions are reversing the economic process associated with E-Discovery and asking:

"What are the Electronic Discovery Capabilities of our outside counsel?"