30 May 2008

OPS Risk: Searching for Answers...

When you search on the Internet for "Operational Risk Management" in different search engines, you are destined to get some similar and yet different results. The algorithms utilized to determine who ends up at the top or bottom of that first page of results depend on the creators' perspective and their interpretation of "Relevance".

Let's take a quick test to demo what we mean. Here are the links to search on "Operational Risk Management" from Google, Yahoo, Microsoft Live and Ask. Compare them and you will witness how the results are different:

Microsoft Live

On this particular day, this blog was the #1 link on Microsoft Live and Ask, the #9 link on Google and the #2 link on Yahoo. And when you use the engine that utilizes all of these at once, Metacrawler, this Operational Risk Blog is the #1 link.

So what? Why does this matter? What matters to us is that we cover the topics and questions people are searching for, in the context of "Operational Risk Management". Whether you are in the military, business or government doesn't really matter. Here are a few of the latest items that you have been searching for from six different continents when you ended up landing at this site:

  • assessing operational risk for telecom phone service
  • operations risk
  • biocode accident records
  • cii operational risk managment
  • challenges faced by fraud investigators 2008
  • branch banking "operational resilience"
  • kyc in credit department abn amro bank of pakistan
  • corporate policy risk management
  • real and potential threat to corporate governance
  • risk records management
  • airport operational "risk management strategy"
  • risk management blog
  • "risk management" scuba audit washington
  • references to voip in iso 17799
  • ops risk
  • operational risk failure lockheed martin
  • different types of audits, pci, patriot act, level of difficulty
  • operational risk management fund of funds
  • basel ii operational readiness checklist
  • "authentication risk"
  • what is operation risk
  • operational risk management human resources
  • operational risk in funds management
  • operational risk data retention
  • operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events

In a sea of words, sites and the vast depth of the Internet, all we are seeking is relevance. We seek the answer to a question or to add context to an idea or hypothesis. In many cases, we are just curious and want to learn more about Operational Risk.

Sorting through the links for the relevance to your question is getting easier as the subject matter becomes more cohesive and converges. However, the subject of "Operational Risk Management" can mean a very broad thing to a banker and a very precise discipline to a Brigadier General in the US Marine Corps. The object is to have a neutral ground to converge on the "change" factors associated with new threats, vulnerabilities and ways to mitigate these to a level of tolerance for your particular mission.

In the near future this blog will open its ability for readers to share their comments and stories about Operational Risk Management. We look forward to hearing your firsthand accounts about how you are applying the science and the art of OPS Risk in your particular risk environment.

23 May 2008

Intelligence Sharing: Responsibility to Provide...

The "Need to Know" is now finally becoming extinct. Intelligence Communities around the globe are ever so slightly changing their behavior. The Office of the Director of National Intelligence (ODNI) has released its Information Sharing Strategy:

The Office of the Director of National Intelligence is announcing the first-ever strategy to improve the ability of intelligence professionals to share information, ultimately strengthening national security.

The "Responsibility to Provide" attitude combined with a "Rule-set" reset could get the entities moving in the right direction. Risk Managers in institutions in the private sector have been grappling with this business issue for decades. The reality that the FBI, NSA, CIA and DHS are sharing more effectively will only be evident in actual behaviors, not technology.

The new mantra "Responsibility to Provide" will be repeated over and over but where is the evidence? The culture shift is predicated on the ability to manage risks associated with mission effectiveness and disclosure of sensitive information. A Trusted Environment.

This new information sharing model is not revolutionary and requires the same care with privacy, information security and civil liberties that we all expect when it comes to personally identifiable information. Adding new incentives to share information or rewards for doing so will soon be the norm and the behavior changes will be evident. Great care will be given to the ability to protect sources and methods of collection.

Creating a "Single Information Environment" (SIE) will improve the ability for analysts and investigators to get access earlier and to discover what exists. Enhancing collaboration across the IC community will be a strategic goal and has been a dream for over two years.

So let's go back to the "Trust Model" for a minute:

  • Governance: The environment influencing sharing.
  • Policy: The "rules" for sharing.
  • Technology: The "capability" to enable sharing.
  • Culture: The "will" to share.
  • Economics: The "value" of sharing.

A 500-day plan is now in place. The integration has now been reemphasized. Let's make sure that our vigilance continues and, on this Memorial Day weekend, our spirits are reenergized.

08 May 2008

Legal Ecosystem: Survival of the Fittest...

The life cycle of monetary policy and financial fraud is being mapped once again in concert with new investigations into corporate malfeasance. As economic trends run their systemic course so do the highs and lows of human behavior to create new schemes to defraud customers, partners and even fellow employees.

Prosecutors in the Eastern District of New York in Brooklyn are stepping up their scrutiny of players in the subprime-mortgage crisis, focusing on Wall Street firms and mortgage lenders, the Wall Street Journal said on its Web site.

A task force of federal, state and local agencies will look into potential crimes ranging from mortgage fraud by brokers to securities fraud, insider trading and accounting fraud, the Journal said.

The Federal Bureau of Investigation is already targeting major corporate insiders and criminal groups in its investigation of fraud in the mortgage lending industry. The FBI has said it is investigating 19 companies in mortgage cases.

The formation of the task force amplifies efforts already under way in Brooklyn, where prosecutors are investigating whether investment bank UBS AG (UBSN.VX) improperly valued its mortgage-securities holdings, the report said.

Also being investigated are the circumstances surrounding the failure of two hedge funds at Bear Stearns Cos (BSC.N), which collapsed last summer because of losses tied to mortgage-backed securities, the report said.

Fraud, like other crimes of opportunity, has three common attributes:

  1. A growing supply of motivated offenders
  2. The availability of prospective or ideal targets
  3. The lack of consistent oversight mechanisms—control systems or someone to monitor the business

Beyond the typical motivations for initiating deceptive practices and fraud are the underlying mindsets. "Neutralization" creates the road map for nullifying internal moral objections. The type of fraud is not the issue here as much as that offenders seek to justify or rationalize their actions and methods. Grace Duffield and Peter Grabosky have captured the four main categories of fraud in their paper, "The Psychology of Fraud."

  • Fraud committed against an organisation by a principal or senior official of that organisation
  • Fraud committed against an organisation by a client or employee
  • Fraud committed against one individual by another in the context of face-to-face interaction
  • Fraud committed against a number of individuals through print or electronic media, or other indirect means

Now the IT departments will be buzzing as they will be under orders to preserve e-mail archives as evidence as soon as notices arrive on the doorsteps of not only the large funding institutions themselves, but the hundreds of organizations in the corporate supply-chain.

The duty to preserve attaches immediately once the company is on notice. Once an investigation or lawsuit is reasonably anticipated or a complaint is received, the requirement to preserve materials attaches and preservation efforts need to be undertaken as soon as possible. There are no cases that provide definitive guidance as to how quickly litigation hold notices must be sent once the duty is triggered, but any such case will be evaluated in hindsight, i.e., after relevant materials have been destroyed, and very little if any delay is likely to be tolerated by the courts.

Let's do some simple math here. Multiply the number of banking branches x the number of mortgage brokers for each branch x the number of appraisal firms and you start to understand the magnitude of the volume of data. While some larger banking institutions have centralized underwriting operations for all of the branches, they still rely on a supply-chain of small businesses in the local market to address the valuations and appraisals of property.

The next trend line we will see is the uptick in court filings and the litigation wars for the next few years to come. One fact remains obvious. Organizations large and small will be drawn into these Operational Risk Management challenges without the proper policies, practices and behavior to prevail. In any "legal ecosystem" we know about, the phrase "Survival of the Fittest" comes to mind, and this one will be no different.

"Survival of the fittest" is sometimes claimed to be a tautology. The reasoning is that if one takes the term "fit" to mean "endowed with phenotypic characteristics which improve chances of survival and reproduction" (which is roughly how Spencer understood it), then "survival of the fittest" can simply be rewritten as "survival of those who are better equipped for surviving"