31 December 2008

2009 Outlook: OPS Risk Top Priorities...

In light of the 2009 outlook and the fact that Operational Risk is now a much greater priority, here are vital areas to focus on for the New Year. As restructuring, downsizing, layoffs and overall corporate strategy and governance initiatives are kicked-off for the 2009 calendar year; here are the top priorities according to Peter L. Higgins, Managing Director of OPS Risk advisory firm 1SecureAudit.

"Operational Risk will continue to be a major focus for Boards of Directors in 2009 and for good reason. Governance Strategy Execution, Information and Records Management and Legal Risk are all in need of a critical review and a robust injection of new resources. We are at the beginning of a new "S" curve cycle on the down slope just as we saw in late 2001 post 9/11 and the "Dot Com" era, Higgins said."

"This requires a renewed and substantial commitment to keeping our code of practice guidance and implementation advice narrowly focused on several key areas of the corporate enterprise:"

  • Organizational Security
  • Information Security Infrastructure: Cooperation between organizations
  • Appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators shall be maintained.
  • Asset classification and control
  • Information Classification: Information labelling and handling
  • A set of procedures shall be defined for information labelling and handling in accordance with the classification scheme adopted by the organization.
  • Personnel Security
  • Responding to security incidents and malfunctions: Reporting security weaknesses
  • Users of information services shall be required to note and report any observed or suspected security weaknesses in, or threats to, systems or services.
  • Communications and operations management
  • Operational procedures and responsibilities: External facilities management
  • Prior to using external facilities management services, the risks shall be identified and appropriate controls agreed with the contractor, and incorporated into a contract.
  • Exchanges of information and software: Security of electronic mail
  • A policy for the use of electronic mail shall be developed and controls put in place to reduce security risks created by electronic mail.
  • Access Control
  • Monitoring system access and use: Monitoring system use
  • Procedures for monitoring the use of information processing facilities shall be established and the result of the monitoring activities reviewed regularly.
  • Business Continuity
  • Aspects of Business Continuity Management: Testing, maintaining and re-assessing BCP
  • Business continuity plans shall be tested regularly and maintained by regular reviews to ensure that they are up to date and effective.
  • Compliance
  • Compliance with legal requirements: Collection of evidence
  • Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.
Here are some of the top cases to review for OPS Risk lessons learned in 2008:

01/04/08 - Detroit: Eleven Indictments in International Illegal Spamming and Stock Fraud Scheme - Eleven individuals were indicted in a wide-ranging international fraud scheme which manipulated stock prices through illegal spam e-mail promotions.

02/15/08 - Washington: DOD Employee Arrested in Chinese Espionage Case - Gregg William Bergersen, a Weapons Systems Policy Analyst at the Defense Security Cooperation Agency, Department of Defense, was arrested for passing classified documents to the People’s Republic of China.

02/22/08 - Miami: Five Individuals Indicted for $200 Million Hedge Fund Fraud - Michael Lauer, founder of Lancer Group Hedge Fund, and four others were indicted on conspiracy and wire fraud charges in a $200 million hedge fund fraud.

02/29/08 - Houston: Chinese Chemist Indicted for Theft of Trade Secrets - Qinggui Zeng, aka Jensen Zeng, a legal permanent resident from China, was indicted and charged with theft of trade secrets and computer fraud.

03/14/08 - Cincinnati: Financial Enterprise Executives Found Guilty in $3 Billion Fraud Scheme - Five former executives of National Century Financial Enterprises were found guilty of conspiracy, fraud and money laundering in a $3 billion security fraud scheme.

05/16/08 - Washington: Guilty Plea in Espionage Charge Involving China - Tai Shen Kuo pled guilty to conspiracy to deliver national defense information to the People’s Republic of China.

06/20/08 - Operation Malicious Mortgage Nets 406 Individuals - Charges in Operation Malicious Mortgage, a nationwide takedown of mortgage fraud schemes which inflicted approximately $1 billion in losses, were brought in every region of the country.

10/17/08 - FBI Coordinates Global Effort to Nab “Dark Market” Cyber Criminals - A two year undercover operation, Dark Market, which joined forces with international law enforcement, resulted in 56 arrests and $70 million in economic loss prevention.

11/28/08 - Dallas: Holy Land Foundation and Leaders Convicted - The Holy Land Foundation of Relief and Development and five of its leaders were found guilty of illegally funneling at least $12 million to the Palestinian terrorist group, Hamas.

12/12/08 - Chicago: Illinois Governor Arrested - Governor Rod R. Blagojevich and his Chief of Staff John Harris were arrested on federal corruption charges including conspiring to trade or sell the Illinois’ Senate seat vacated by President-elect Barack Obama.

Beyond the Bernie Madoff fraud scheme that rocked the Hedge Fund universe the real systemic risks to deal with in 2009 will continue to be tied to the housing and mortgage sector:
  • Recent statistics suggest that escalating foreclosures provide criminals with the opportunity to exploit and defraud vulnerable homeowners seeking financial guidance.
  • Perpetrators are exploiting the home equity line of credit (HELOC) application process to conduct mortgage fraud, check fraud, and potentially money laundering-related activity.
The Operational Risks in corporate enterprises will be increasing as the economy adjusts and finds it's new equilibrium. Hang on for a wild ride in 2009!

22 December 2008

Security Governance: Siemens FCPA guilty plea...

One only has to look a few layers deep into the corporate hierarchy, to see the root cause of why Siemens AG violated the Foreign Corrupt Practices Act (FCPA).

At a hearing before U.S. District Judge Richard J. Leon in the District of Columbia, Siemens AG pleaded guilty to a two-count information charging criminal violations of the FCPA’s internal controls and books and records provisions. Siemens S.A.- Argentina (Siemens Argentina) pleaded guilty to a one-count information charging conspiracy to violate the books and records provisions of the FCPA. Siemens Bangladesh Limited (Siemens Bangladesh) and Siemens S.A. - Venezuela (Siemens Venezuela), each pleaded guilty to separate one-count informations charging conspiracy to violate the anti-bribery and books and records provisions of the FCPA. As part of the plea agreements, Siemens AG agreed to pay a $448.5 million fine; and Siemens Argentina, Bangladesh , and Venezuela each agreed to pay a $500,000 fine, for a combined total criminal fine of $450 million.

Where the compliance and ethics culture begins to break down in this example and others lies within the "Modus Operandi" of the "Deal Makers" themselves. The sales and marketing mechanisms that funded the budgets of front line managers to perpetuate the corruption are to be thoroughly examined. The competitive environment and the "wink and nod" of selling 101 at Siemens has brought them into the ranks of Enron, Worldcom, and other global transnational corporations soon to be announced for their misdeeds and corporate malfeasance. This NYT article by Siri Schubert and T. Christian Miller highlight the culture factors:

“Bribery was Siemens’s business model,” said Uwe Dolata, the spokesman for the association of federal criminal investigators in Germany. “Siemens had institutionalized corruption.”

Before 1999, bribes were deductible as business expenses under the German tax code, and paying off a foreign official was not a criminal offense. In such an environment, Siemens officials subscribed to a straightforward rule in pursuing business abroad, according to one former executive. They played by local rules.

Inside Siemens, bribes were referred to as “NA” — a German abbreviation for the phrase “n├╝tzliche Aufwendungen” which means “useful money.” Siemens bribed wherever executives felt the money was needed, paying off officials not only in countries known for government corruption, like Nigeria, but also in countries with reputations for transparency, like Norway, according to court records.

The line item utilized by business development executives at Siemens to secure business is not an exclusive there or in Germany. It is utilized by almost every major global corporation to obtain the opportunity to compete and to make the short list on major procurements. So how does the internal audit and operational risk professionals deal with the fact that money is budgeted each year for these kinds of activities?

Corporate Integrity Management and the ethics programs is a great place to start. This blog highlighted these in a previous post a few months ago:

Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an "effective program to prevent and detect violations of law."

The Guidelines contain criteria for establishing an "effective compliance program."

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

  • · Systems for monitoring and auditing
  • · Incident response and reporting
  • · Consistent enforcement including disciplinary actions

Yet the corporate incivility continues. Why is it that we can’t pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reasons. More importantly, security governance frameworks must make sure that the management of a business or government entity be held accountable for their respective performance. The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A new element that has only recently been discovered is the role of risk management in Security Governance.

Security Governance, like Corporate Governance requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches. The basic responsibility of management, whether in government or the corporate enterprise is to protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to Security Governance.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.

15 December 2008

OPS Risk: Tsunami of Fraud...

Just when you think you have avoided the major risk of the credit crisis, HSBC may have been one of many banks exposed to the Bernard Madoff "tsunami of fraud".

Banks and investment funds across the world lined up on Monday to admit investing billions of dollars in the companies of Bernard Madoff, whom U.S. authorities accused of masterminding a massive fraud.

HSBC Holdings was the latest bank to join the growing list, saying it had exposure of around $1 billion (663 million pounds), making it one of the biggest victims of the alleged $50 billion fraud.

Royal Bank of Scotland and Man Group, Japan's Nomura and France's Natixis also said they were hit by the worldwide scandal.

Financial companies, reeling after a year of enormous writedowns on bad credit assets, have so far tallied up more than $10 billion in direct and indirect exposure to the possible fraud by Madoff, the 70-year old trader who was arrested on Thursday.

Last year, HSBC sold it's 42 story headquarters tower for $1.1B. to Metrovacesa in a smart strategy that has now been extinguished by the likes of a simple and yet enourmous ponzi scheme. A Ponzi is an investment fraud in which profits are promised to investors from fictitious sources. Sounds like a hedge fund. Early investors are paid off with funds raised from later ones. Is there any conservative institution that will be spared from the corporate malfeasance and corruption that has permeated our global systems of finance?

The SEC has issued the temporary restraining order for Madoff and his companies while this is drowning out the recent fraud allegations against Marc Dreier:

Dreier was arrested in Canada this month and charged with impersonating a lawyer for the Ontario Teachers Pension Plan. He was released on bail and arrested by U.S. authorities on his return to New York.

Dreier on Dec. 11 was ordered held in custody pending his trial after prosecutors told a federal magistrate that victims of a fraud that started in 2006 have lost $380 million.

If convicted of the securities fraud and wire fraud charges against him, Dreier faces as many as 20 years in prison on each count.

The U.S. Securities and Exchange Commission filed a civil suit against Dreier claiming he stole $38 million from an escrow account set up to hold money for the unsecured creditors of 360networks (USA) Inc., which the firm represented in bankruptcy court.

The movie moguls in Hollywood must be looking at these latest cases to determine if a screenplay might be a worth while endeavor. The hundreds of lawyers and other workers impacted by these two incidents alone, will no doubt bring out a few who were close enough to the two crooks to be able to provide technical consulting on the projects. The setting in the Hampton's or the Palm Beach Country club could even bring some real well known people into the movie picture itself.

Back in May 2008 this blog touched upon the legal ecosystem and the survival of the fittest. Fraud, like other crimes of opportunity, have three common attributes:

  1. A growing supply of motivated offenders
  2. The availability of prospective or ideal targets
  3. The lack of consistent oversight mechanisms—control systems or someone to monitor the business

Beyond the typical motivations for initiating deceptive practices and fraud are the underlying mind sets. "Neutralization" creates the road map for nullifying internal moral objections. The type of fraud is not the issue here as much as that offenders seek to justify or rationalize their actions and methods. The next trend line we will see is the up tick in court filings and the litigation wars for the next few years to come. One fact remains obvious. Organizations large and small will be drawn into these Operational Risk Management challenges without the proper policies, practices and behavior to prevail. In any "legal ecosystem" we know about the phrase "Survival of the Fittest" comes to mind and this one, will be no different.

02 December 2008

ID Risk Management: Protective Intelligence Factors...

The root cause of the safety and security threat to corporate personnel and assets can be traced back to an identity of someone. It can be said that protective intelligence utilizing the proper Operational Risk Management framework will mitigate the impact of a successful attack. Whether the intelligence is based upon monitoring or proactive and preemptive factors to be alerted to any threat actors who wish to do us harm; you still have to have a valid identity of the "unsub."

Today as you walk into your employer, you may be happy that you are there. This is your sanctuary away from the threat at home. Your work place provides a potential "safe zone" for the next 8 to 10 hours until the work day is over and you have to return to an environment filled with physical and emotional violence. The growing workforce of women in today's corporations are faced with an increasing challenge to keep their jobs and to mask the problems on the home front.

Simultaneously, those who are the root cause of much of the domestic violence are also walking into the same corporation. Who would know that they are the same people that have never been convicted of a crime and yet are beating their wife or girl friend at home? The point is that in your corporate environment today you have a mix of both kinds of people that are the potential threats to your organizational security and safety. Workplace violence is an Operational Risk that requires a proactive protective intelligence mechanism operating on a 24/7 basis. The identities of your employees may be known upon hire, but their changing profiles over the course of their career could change dramatically. Let's illustrate the true picture with some real incidents.

The US Bureau of Labor Statistics has data on 5,488 workplace fatalities in the US in 2007. 610 were homicides, 491 of these were shootings. 22% of these homicides involved former employees yet 43% were current employees. The remaining incidents were committed by non-employees. Understanding the red flags on your current employees and those who have left the organization is the focus here. Your Operational Risk Framework should incorporate the processes, systems and tools to mitigate this relevant internal threat in the enterprise.

The implications of effective identity management go far beyond the operational risks associated with the work place. ID Management encompasses the following domains:

  • Public Safety: Identity theft, cyber crime, computer crime, organized criminal groups, document fraud and sexual predator detection
  • National Security: Cyber security and cyber defense, human trafficking and illegal immigration, terrorist tracking and financing
  • Commerce: Mortgage fraud and other financial crimes, data breaches, e-commerce fraud, insider threats and health care fraud
  • Individual Protection: Identity theft and fraud

The research and development community has been focused of late on the use of biometrics. For access controls and other ways to validate true identities; these tools and systems for authentication are vital. Yet the stolen identity to fraudulently obtain a drivers license, passport or visa comes back to our root cause issue. Dr. Gary Gordon and his team at CAIMR are on the right track:

Those challenges, aggravated by the rapid changes in our society, include identity theft and fraud, cyber crime, computer crime, travel and immigration document fraud, and data breaches. They impact individuals, public safety, commerce, government entitlement programs, and national security. As the concept of an identity (or entity) expands in the physical and digital worlds, determining if the person claiming an identity is really that person becomes critical to conducting business, providing access to services and systems, and tracking cyber criminals and terrorists. Responding to these challenges requires a collective effort by the key thought leaders from the public and private sectors, working in concert with academe.

The Center's mission is to conduct applied research in order to provide pragmatic outcomes, utilizing a multi-disciplined approach that draws on the expertise of its diverse members. The results will be specific and measurable, whether they are in the form of industry or law enforcement best practices, technologies, policy adjustments, or training and educational materials.

The Center's purpose is to convene key stakeholders and marshal their respective strengths to help solve very challenging societal problems. Our partners include organizations such as the United States Secret Service, the United States Marshals Service, LexisNexis, VISA, Cogent Systems, Indiana University, Intersections, Wells Fargo & Company, and Fair Isaac Corporation. Our government/law enforcement partners must adapt to quickly evolving identity fraud and cyber crimes. As such, they must understand current attack vectors and prepare for future ones. They need to become more proactive by improving investigations and enhancing training. Corporations are faced with many challenges, including increased fraud losses, compliance and regulatory oversight, and enhancing products and improving services to keep up with the rapidly changing environment. The academic research community is challenged with gaining access to key data sets, tight funding budgets, a limited ability to interact with corporate and government decision makers, and the need to infuse their curricula with cutting-edge research.

Establishing effective tripwires and situation awareness begins with people and may be augmented by technologies and software. CCTV, biometrics and other access controls can become the catalyst for a complacent environment and is no replacement for effective training, education and scenario exercises with personnel.

Protective Intelligence is the front line for early warning and proactive measures to interdict the loss of corporate assets. Having the correct combination of human and technology capabilities will create the most effective means for a myriad of incidents internal to the work place. Application of these these same measures of countersurveillance, monitoring of identities and the lawful use of systems will provide the red flags necessary to preempt incidents external to the institution. In the 21st century, "soft targets" in our critical infrastructure will continue to be exploited for their vulnerabilities:

India picked up intelligence in recent months that Pakistan-based terrorists were plotting attacks against Mumbai targets, an official said Tuesday, as the government demanded that Islamabad hand over suspected terrorists believed living in Pakistan.

A list of about 20 people — including India's most-wanted man — was submitted to Pakistan's high commissioner to India on Monday night, said India's foreign minister, Pranab Mukherjee.

India has already demanded Pakistan take "strong action" against those responsible for the attacks, and the U.S. has pressured Islamabad to cooperate in the investigation. America's chief diplomat, Secretary of State Condoleezza Rice, will visit India on Wednesday.

The Indian government faces widespread accusations of security and intelligence failures after suspected Muslim militants carried out a three-day attack across India's financial capital, killing 172 people and wounding 239.