30 April 2010

Resilience: Homeland Security Strategy...

Homeland Security has been under siege over the past few weeks in the United States. The "Deepwater Horizon" oil rig disaster in the Gulf of Mexico is threatening the states of Louisiana, Mississippi, Alabama and Florida. The Coast Guard is the lead agency. On the other front is the battle for the southern border, with the state of Arizona and its quest to stem the flow of humans and millions of pounds of illegal narcotics from infiltrating the country.

For several years we have advocated "Resiliency" for the corporate operational risk paradigm, and now it seems that Homeland Security is making its way toward a migration away from "Protection." And for good reason:

For example, resilience is listed as one of the five homeland security missions in the recently published Quadrennial Homeland Security Review, which defines it as “fostering individual, community, and system robustness, adaptability, and capacity for rapid recovery.”

Typically, the response to resilience is focused on critical infrastructure and the protection of these assets, such as our electrical, information technology and telecommunications sectors. At some point in the asymmetric warfare being waged daily online you realize that the only strategy has to be that of resilience, as the barriers of protection continue to fail. If you think about any system that has so many moving parts, such complexity and such a sheer breadth of vulnerabilities, you realize that spending all of your efforts and resources on protection is fruitless.

Now if we apply the thoughts of resilience to the physical aspects of drilling for oil offshore and defending the borders that are thousands of miles long, what comes to mind? Remember, there is no possible way to eliminate the vulnerabilities completely to an unprotected mile of the border or a blowout on the drilling platform.

You see, as you come at the problem from a point of view that has to do with "Resilience" not just protection, you begin to think of new ideas that certainly should be considered going forward.

Notably, Dr. James Carafano of the Heritage Foundation spoke to this issue at a congressional hearing on resilience in the homeland in 2008. He said, “The current paradigm of ‘protecting’ infrastructure is unrealistic. We should shift our focus to that of resiliency. Resiliency is the capacity to maintain continuity of activities even in the face of threats, disaster, and adversity.”

So what would be some of the activities that we must have the capacity to maintain as we defend our U.S. borders? And what activities would we deploy to keep oil from reaching the magnitude it has so far in the Deepwater Horizon breach in the Gulf? If you are one of these companies, your Operational Risk teams are billing overtime:

Transocean Ltd (RIGN.S) (RIG.N) - The Zug, Switzerland-based company owned and operated the Deepwater Horizon Rig. The rig went into service in 2001 and was drilling the Macondo prospect about 40 miles off the coast of Louisiana.

BP Plc (BP.L) (BP.N) - BP hired Transocean's rig at a rate of about $500,000 per day to drill the well. BP is the project's operator and has a 65 percent working interest in the well.

Anadarko Petroleum Corp (APC.N) - The Houston company owns a 25 percent nonoperating interest in the well.

Cameron International Corp (CAM.N) - The Houston company supplied a piece of equipment known as a blowout preventer. Blowout preventers are put in place to stop an uncontrolled flow of oil or gas. The Deepwater Horizon's blowout preventer failed to operate and seal the well.

Halliburton Co (HAL.N) - The oilfield services company, which has headquarters in Dubai and Houston, provided a number of services on the Deepwater Horizon. The company was providing cementing on the well to stabilize its walls, according to Transocean's website. (Reporting by Anna Driver in Houston; Editing by Lisa Von Ahn)

In each case these are wake-up calls to the work that is still to be done and the ideas yet to be conceived to address the key issues. One item of certainty will be the increased focus on compliance and regulatory oversight. The government is already mandating the inspection of all the Gulf oil rigs for the types of safety and security measures that may be mandated for these types of incidents.

And when it comes to the kinds of resiliency strategies for the continued influx of humans and contraband coming into the U.S., from Canada, from Mexico and from almost every other nation through our ports and airports, we have to be more creative. And the strategies have to be more robust.

Take it from someone who has been dealing with insurrections, 4th Generation Warfare and other irregular methods for dealing with systemic threats to our well being and our security interests:

"Insurgents are living proof of why man is at the top of the food chain. We are the most creative, treacherous, loyal, aggressive and determined life form to yet evolve. Any nation that assumes it is inherently superior to another is setting itself up for disaster." Colonel Thomas X. Hammes, USMC

24 April 2010

FCPA: OPS Risk in Pharma & Small Business...

If you are a large U.S.-based pharmaceutical company, the odds are that over a third of your annual sales are overseas. Selling drugs into the health care systems of the EU, Asia and South America is a tremendous pipeline for Eli Lilly, Pfizer and others who find these markets hungry for their products. What kind of Operational Risks might exist for these firms and should be on "Red Alert" status with the General Counsel?

The DOJ is currently pursuing 120-130 FCPA investigations, and now it has set its sights on enforcement in the pharmaceutical industry where on an annual basis “close to $100 billion dollars, or roughly one-third, of total sales … [are] generated outside of the United States.” The DOJ’s new focus stems in part from the fact that many foreign health systems are regulated, operated and financed by government entities, and competition is intense, which creates more opportunities to “pay off foreign officials for the sake of profit,” and a perceived need for greater supervision from law enforcement.

The head of the Criminal Division of the United States Department of Justice (DOJ), Assistant Attorney General Lanny A. Breuer, has indicated the department's interest in looking at this industry with increased scrutiny. So if you are a General Counsel at one of the companies in the cross-hairs of the government, what are you doing about it?

First, you have to call together the right people and create your own internal FCPA Task Force within the enterprise. The General Counsel's Office has the lead on bringing together four to six people from Sales & Marketing, Finance, Information Technology, and Internal Audit. This team will have the autonomy, funding and jurisdiction to work specifically on the vulnerabilities that exist on a global basis.

Second, you have to understand the culture, governments and the "Ground Truth" in each country where you are selling your pharmaceuticals, and map the processes and the people associated with the health care systems, hospitals or the military that are the actual consumers of the medicines and drugs.

Finally, you have to educate your work force on the fact that pharmacists, doctors, lab technicians and other health care consultants may indeed be officials of the government of that country based upon who they work for. Why is this important?

The FCPA has a broad definition of foreign officials. In some countries, if the medical institutions are owned by the government, it is entirely possible that almost everyone who works in these facilities could be considered a foreign official under the FCPA. So what is the task force going to do to ensure that the company does not violate the law?

Beyond the focus on compliance and education of employees, there is much work to be done within the enterprise in the collection and analysis of relevant information, and in acting on it. Predictive analysis of data that is coming from the CRM, ERP and other open sources can provide the task force with the "Corporate Intelligence" and "Red Flag" warning to prevent a violation of the law. The company's use of data collection and predictive analytics can not only head off a DOJ investigation but also be effective in providing voluntary disclosure to the government.

Wait a minute. You mean, tell the government that we have identified a violation of the law and bring the wrath of the law and the possible impact on our corporate reputation? Yes and this is why.

Under Federal Sentencing Guidelines, those organizations that do a rigorous internal investigation and share the results with the government can avoid such sanctions as the mandate for a costly independent compliance monitor. Deferred prosecutions are not unheard of and the government can in some cases help you save money in terms of getting fines on the lower end of the sentencing guidelines.

The General Counsel's "Corporate Intelligence Unit" that is focused on the analytics of relevant data, combined with the education, awareness and compliance processes, will be well on its way to keeping the legal risk and Operational Risk events associated with the Foreign Corrupt Practices Act (FCPA) from impacting the global pharmaceutical enterprise. And just when you think that the DOJ is only looking at the Fortune 500, think again:

More focus on small and mid-sized companies: As part of their increased FCPA-related efforts, the DOJ and SEC are expected to look more at small and mid-sized firms which do business overseas. The majority of such companies have a small established compliance program, or none at all, yet some may conduct billions of dollars in foreign transactions.

Companies that are not household names have long believed that they were under law enforcement’s radar. Smaller firms have also thought that the DOJ would not expend the resources to investigate their overseas sales. That comfortable illusion no longer exists.

If you are a small disadvantaged supplier to a large Defense Industrial Base (DIB) company working on a sub-contract, then you too should be standing up your FCPA Task Force now:

On January 18, 2010 twenty-two business executives were arrested and over 100 FBI agents conducted related searches. These actions were based on sealed federal indictments handed down by a grand jury several weeks earlier, which in turn stemmed from a two-and-a-half year undercover operation. The indictments claimed that the defendants believed that they were involved in a scheme to acquire a US$15 million defense contract to outfit the presidential guard of an unnamed country. They allegedly agreed to pay a 20 percent bribe to a sales agent, supposedly representing the defense minister but really an undercover FBI officer. This was the first large-scale use of undercover law enforcement techniques to investigate Foreign Corrupt Practices Act (FCPA) violations.

21 April 2010

Operational Risks: Undercover Boss to the Rescue...

Operational Risk Management is becoming a more relevant topic these days in the Board Room. Does "John Q. Public" realize that these events are the result of "Operational Risk" incidents:

  • Fabrice Tourre, the Goldman Sachs Group Inc. banker at the center of fraud
  • No doubt, Gizmodo has turned the tech news cycle on its head this week with its exclusive on the iPhone 4G. Everybody from MSNBC to Good Morning America, and even the ladies on The View are talking about what is arguably the biggest leak in consumer technology history.
  • Twelve people were missing and seven critically injured after an explosion and fire at an oil-drilling rig in the Gulf of Mexico.
  • Airports across Europe began reopening Wednesday, six days after ash from an Icelandic volcano forced the shutdown of airspace and stranded thousands of passengers around the world.

Each quarter, Boards of Directors and Executive Management are becoming more concerned about the risk of loss resulting from inadequate or failed processes, people and systems or from external events. Operational Risk includes the exposure to litigation from all aspects of an institution’s activities.

Operational risk is not new, yet it is being talked about in a whole different context these days. At its origin in the financial services industry, the focus and discipline fell into the categories that market risk and credit risk did not substantially address. Today, Operational Risk Management is a core discipline that spans the flight decks of naval aircraft carriers to the halls of corporate enterprises as they study the latest plaintiff litigation matter that just arrived by courier.

In the six-plus years that we have been blogging on this subject and becoming more of a subject matter expert each day, the clarity of effective operational risk management has improved. To understand the interdependent attributes of a "Credit Default Swap", the details of a sophisticated transnational eCrime syndicate or the exposure to the loss of life from workplace violence or acts of mother nature requires a sound framework, methodology and systems thinking approach.

In many incidents the after action reporting, lessons learned and the investigative report find that human behavior was a factor in the failure. When earthquakes hit or volcanoes erupt the question set focuses on resilience and preparedness because these are events that we can't predict yet know will occur.

It is with great amazement that still to this day the corporate enterprise is deluged with human-perpetrated fraud incidents that could be mitigated with the proper controls, awareness building and training sessions. Whether it be the insider who has embezzled from the accounts payable supervisor position or the external ID Theft non-state actors who have targeted your institution for ACH cyber bank thefts, the fact remains that people's behavior is the culprit in the operational risk incident.

Regardless of whether you are a small business owner or the CEO of Goldman Sachs, you can be sure that "Operational Risks" are present in your organization. Even the likes of companies in the US such as Walmart have recognized the impact of a robust OPS Risk program that spans the front office to the logistics and transportation departments. Understanding the risks themselves, however, is only a very small part of the equation. Realizing and exploring the interdependent relationships between assets and entities will remain the most unsolved challenge.

In light of the recent US overhaul of the financial industry to abate future operational risks and the legislation pending to increase the oversight and compliance mechanisms, one can only wonder what will change. Hopefully the law will compel the CEOs to become participants in the latest CBS series "Undercover Boss."

Michael Corkery at WSJ has a great idea:

With news that the reality show “Undercover Boss” is coming to Wall Street, Deal Journal couldn’t help but suggest some plot lines.

The CBS show features CEOs going “undercover” at their own companies and working alongside their everyday employees. The first episode involved a top executive of Waste Management disguising himself as a blue collar worker.

What is the Wall Street equivalent of hauling trash or cleaning out porta potties? We thought we’d run down the list of possible roles for the various CEOs, starting with JP Morgan’s Jamie Dimon.

Dimon has been joining other big bankers in pushing back on calls to modify mortgages of underwater home owners. Well, it might make for good TV watching Dimon man the phone lines at a JP Morgan call center, fielding calls from some of those borrowers. How would the CEO who Forbes magazine recently dubbed “Master Banker, Master Schmoozer” stack up against that unemployed family, looking for a principal reduction on their Option ARM mortgage?

How about Lloyd Blankfein, of Goldman Sachs? We suggest he spend some time with the programmers who run the firm’s supercomputers, which are driving a good deal of Goldman’s profit machine. Blankfein might just meet the firm’s next CEO. Hello Hal.