30 October 2011

Arab Spring: Information Operations Risk Management...

The Operational Risks associated with doing business on an international scale are nothing new. Global companies have for years been subject to U.S. laws whose enforcement is closely scrutinized by the Treasury Department. The Office of Foreign Asset Control (OFAC) is one such office. Companies in several key industry sectors, including financial services, have been obligated to know who they are doing business with through KYC (Know Your Customer) programs. Those programs satisfy the requirements of the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) laws. The Commerce Department has its own counterpart, the U.S. Bureau of Industry and Security.

While compliance may seem burdensome in any business, it is only one aspect of a total risk management strategy in the enterprise. One industry group that may have underestimated the magnitude of compliance and of an effective export control operation is the high technology sector. During the next decade, as emerging markets build new communications infrastructure, this will be even more important; perhaps not for the reasons one would normally think about.

Information Operations (IO) are alive and well within the ranks of official and clandestine forces around the world. Why is John Q. Public surprised to hear this news? The political aspirations of new and rising factions within nation states have found the tools of the Internet and "Social Media" to instigate and to perpetuate the non-kinetic components of asymmetric warfare. Now, technology companies in the United States must be ever more cognizant of the risk implications associated with this social, political and military nexus. Here is more from the WSJ:

A U.S. company that makes Internet-blocking gear acknowledges that Syria has been using at least 13 of its devices to censor Web activity there—an admission that comes as the Syrian government cracks down on its citizens and silences their online activities. Blue Coat Systems Inc. of Sunnyvale, Calif., says it shipped the Internet "filtering" devices to Dubai late last year, believing they were destined for a department of the Iraqi government. However, the devices—which can block websites or record when people visit them—made their way to Syria, a country subject to strict U.S. trade embargoes.

Discussions on the intersection of "The Arab Spring" and "Social Media" have been going on for well over 9 months in the published press. One can only imagine that Google, Facebook and Twitter management have, behind closed doors, been entertaining conversations from a myriad of .ORG and .GOV entities on this very subject. This week, the dialogue has taken on a more serious tone with comments from U.S. Secretary of State Clinton regarding Iran in the Washington Post:

By Thomas Erdbrink, Published: October 29
TEHRAN — An Iranian police unit that was formed this year to counter alleged Internet crimes is playing a key role in an escalating online conflict between the United States and the Islamic Republic. The “cyber police” force is part of a broad and largely successful government effort to block foreign Web sites and social networks deemed a threat to national security. Iranian officials say they must control which sites Iranians are able to visit, to prevent spying and protect the public from “immoral” material. The United States, they charge, is waging a “soft war” against Iran by reaching out to Iranians online and inciting them to overthrow their leaders. Secretary of State Hillary Rodham Clinton on Wednesday played into such accusations, saying U.S. officials had asked Twitter, the social networking site, to postpone online maintenance in 2009 so that it would be available for Iranian anti-government protesters organizing demonstrations against President Mahmoud Ahmadinejad’s disputed election victory. Iran’s state radio responded Thursday, citing Clinton’s comments as proof that Washington is using U.S. Internet companies to influence events inside Iran. Tensions between the two countries are high following allegations that an Iranian American citizen had plotted to assassinate the Saudi ambassador to Washington at the behest of the Quds Force, an elite branch of Iran’s Revolutionary Guard Corps. Iran has denied the accusations, but the United States has called for tougher sanctions against Tehran.

Again, where have John and Jane Q. Public been for the past few years? This is not new news to those who have been watching the growth of mobile communications and the explosion of the "Internet of Things." The use of wireless mobile communications and its intersection with social media apps in civilian environments is here to stay. How these consumer-based applications are now being leveraged for situational awareness and information operations is exploding across the emerging nations, where the Internet is gaining even more ubiquitous use.

What this means for risk managers in the C-Suites of major technology companies is a heightened sensitivity and awareness to the ways your tools and capabilities could be utilized in the hands of the wrong end user. This is no different from the release of tools like Metasploit, intended to help understand vulnerabilities within the confines of the corporate enterprise. These same tools could be utilized by nefarious cyber terrorists to quickly exploit the weaknesses in our own U.S. government and corporate network systems.

Like many inventions by mankind, these tools can be used for good and simultaneously for evil in the hands of the wrong person. Risk Management in the high technology sector will be just as much of an imperative as it is for the manufacturing and shipment of products from Barrett or the manufacturers of detcord. The "Export Control" compliance mechanism is here to stay, and companies who operate in the new age of emerging social media via mobile technologies will need more effective OFAC internal controls.

Operational Risks exist within the business processes that you use with your sales and business development organization. When was the last time you had a compliance-based OFAC discussion within the ranks of the sales force at your new emerging technology company? Are you fully funded by the VCs and ready to sell your new encrypted social media app for Android to the world? We need to make sure that part of the rollout strategy encompasses the right conversations with the correct government departments, to determine the right process and the online tools available to better understand where, and to whom, you can sell your products outside the U.S.

The past Arab Spring and the next organized movement utilizing social media and mobile internet technologies that include encrypted messaging, GPS and live video will be more closely scrutinized by internal compliance officers and the regulatory watchdogs domestically and abroad. Yet the most effective management tools going forward may lie in the same ones used by your Mother and Father growing up. The ethical and the moral arguments in many cases can have a dramatic impact on people at an early stage in their lives. Perhaps it is still not too late to reinforce and to emphasize the fact that our cyber environments are nothing more than the mirror image of the physical world we already know. Good and bad.

The future of risk management online and the effective compliance with legal sanctions may well begin with a heart-to-heart conversation at your next company sales meeting.

15 October 2011

Degree in OPS Risk: The New Normal...

The discipline of Operational Risk Management is becoming more of a requirement in a multitude of companies outside the financial industry. In the United States, this is due to the fact that Fortune 500 enterprises and even small to medium-sized businesses are now disclosing that they are in a silent, and soon to be more widely acknowledged, battle against significant loss events: Information Capital Loss Events.

This decade-long, hush-hush silent war, with cyber criminal syndicates, fraud rings operating in the "Cloud" and the advanced persistent threat (APT) orchestrated by sophisticated cells of nation states, is growing ever more pervasive. Public company shareholders and small business investors are still asking more questions about the information loss risk of stolen intellectual property, corporate secrets, R&D and even cash. The reporting of hundreds of thousands of dollars per incident being stolen via cyber malware attacks in concert with unauthorized banking ACH transactions is already a classic case of asymmetric warfare. The banks are not the only critical infrastructure vulnerable to the silent war being waged by well-funded units within the governments of China or Russia. Why do you think that US Cyber Command is housed within USSTRATCOM?

Now the Securities and Exchange Commission (SEC) wants information capital and data losses to be monetized and is encouraging the companies to acknowledge this silent battle and to be more transparent on incidents, regardless of the impact to the bottom line:

By Ellen Nakashima and David S. Hilzenrath, Published: October 14

Cyberspies and criminals steal what is estimated to be tens of billions of dollars worth of data from U.S. companies each year. Yet experts say few companies report these losses to shareholders.

Now the Securities and Exchange Commission is pressing for more disclosure, issuing new guidelines this week that make clear that publicly traded companies must report significant instances of cybertheft or attack, or even when they are at material risk of such an event.

“Investors have been kept completely in the dark,” said Sen. John D. Rockefeller IV (D-W.Va.), chairman of the Senate commerce committee, which urged the SEC to take the action. “This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure.”

The SEC guidance clarifies a long-standing requirement that companies report “material” developments, or matters significant enough that an investor would want to know about them. The guidance spells out that cyberattacks are no exception.

For example, the SEC says, a company probably will need to report on costs and consequences of material intrusions in which customer data are compromised. The company’s revenue could suffer, and it could be forced to spend money to beef up security or fight lawsuits. In addition, if a company is vulnerable to cyberattack, investors may need to be informed of the risk, the SEC said.

Operational Risk Management is a discipline that encompasses science, methodology and art. It is no different from other academic pursuits. Each organization that realizes that loss events are inevitable across a spectrum of risks has already designated people and processes to mitigate, minimize or even accept these risks. Litigation and legal risks have been part of the disclosure to shareholders for some time. The process of negotiating with plaintiffs to settle lawsuits is in itself a strategy to minimize losses to the institution. So why are the SEC disclosure guidelines going to make these same institutions nervous? They aren't.

Public companies that now may have to be more transparent, because they trade shares on the stock exchange or because of their respective tax status with the Internal Revenue Service, will do this on an increasing basis. It will be just one more risk to the enterprise that is disclosed and has a cost associated with it. That cost is in many cases the remediation measures put in place for the members or the customers, because other privacy laws such as SB 1386 or the HITECH Act require notification and in some cases assistance in avoiding the risk of Identity Theft. How many letters like this did you get in the mail this last year? The number is growing, and soon the whole American public will need to have their credit monitored at the cost of the institution that has disclosed the theft of personally identifiable information (PII). So, perhaps you could offset this cost by charging your customers $5.00 each month to use a debit card.

The SEC is just one more U.S. government agency that is capable of putting the pressure on the private sector, to comply with existing laws regarding the "material" incidents going on within the public company. The private sector should not even blink at this and will voluntarily do so just as it has with other material items. Or will it?

The fact is that there is no government or private sector company that "HAS NOT" been breached or had data exfiltrated from their information systems. This is a given. We are in the age where our personal information is being socially shared with advertisers and so called analytics firms on a daily basis. This data is being sold to whoever will pay for it. The playing field is set and the baselines are clear. We have all been compromised in some way or some form and now it is just a matter of the magnitude.

Operational Risk professionals know this, and we have been raising our hands for years asking for more resources to keep the perimeters secure and to prevent people from behaving badly. Yet substantial funding to ramp up "Cyber Security" tools and services in the institution will not put a dramatic dent in the real business issue at hand: Human Behavior. Humans acting with disregard for the rule sets, or ignorant of the known risks, will not change.

So what is the answer for the SEC or even US Cyber Command? Only one thing: a greater attention to the science, methodology and art of the discipline of Operational Risk Management. We have institutions of higher learning teaching Homeland Security, Cyber Security and even Forensic Accounting. Maybe we need to establish Bachelor's and Master's degrees in Operational Risk Management, to pave the way to a more safe and secure global business environment in the next half of the millennium.

08 October 2011

Business Resilience: Late Bloomers Beware...

Believe it or not, there are still some Operational Risk Management late bloomers to the "Business Resilience" concept. The topic has been talked about for years and a recent IBM study highlights where risk management has changed and how business resilience is still gaining widespread adoption among large and smaller corporate enterprises.

Late bloomers—75 percent of which have revenues of US $500M or less—are not very well prepared for managing business risks and have narrow views on risk management strategies. Their performance is at the bottom of the scale on every indicator. A majority do not have a formal risk management strategy, and their financial performance trails the pack. Yet one-half say they plan to develop a formal risk management strategy and are most likely to say that they will establish a company-wide risk management team within the next three years.

Why business enterprises under $500M are only now establishing company-wide risk management teams is a multi-faceted issue. Whether or not the industry sector is highly regulated, such as financial services, energy or healthcare, could be one indicator.

IBM in all of its wisdom has developed six elements of Business Resilience that are worth exploring more in detail. IBM provides a holistic, thorough and methodical approach to business resilience – in the pursuit of mitigating your organization’s risks:

  • Integrated risk management focuses on looking at the full scope of risks facing your operations —using technology to better understand, respond to and manage those risks, even as they change.
  • Continuity of business operations heightens your organization’s ability to maintain continuous operations, with processes and infrastructures that are responsive, highly available and scalable.
  • Regulatory compliance helps assure that your business and its technology infrastructure conform to constantly evolving government and industry regulations and standards —including those regarding information integrity.
  • Security, privacy and data protection helps you safeguard and manage your most valuable assets: data, information, systems and people.
  • Knowledge, expertise and skills addresses the resilience of your business by confirming that you have the right resources in the right place at the right time, despite staff constraints and fluctuating demands for highly skilled talent.
  • Market readiness concentrates on enhancing your organization’s ability to sense and respond to shifting customer demands and fast-breaking new market opportunities.

Any significant business disruption to your enterprise could be fatal. But if you had to create a budget to devote resources to the "Business Resilience Six Elements", how would you allocate your funding? Would you put 20% in "Security, privacy and data protection" or 30%? How much would you allocate to "Continuity of Business Operations" vs. "Regulatory Compliance"?

What "Operational Risk" professionals know is that it is a continuous process that requires emphasis in one area or another based upon market conditions and the overall business performance of the enterprise. When business revenues are down, you can bet that the budgets will suffer, and the whole resilience of the business will suffer along with them. Could this be the greatest area of vulnerability that we have today? The fact that poor economic conditions exacerbate the risk of failure should the enterprise receive an unsustainable shock to its culture, operations or reputation.

We would contend that "Market Readiness" is the most underestimated element of the six outlined by IBM. The reason has to do with the word "Opportunity". All too often risk managers are so focused on helping the enterprise avoid a natural catastrophe or keep it safe from a system-wide data breach that they are blind to the seam in the market that would allow the business to break away from its competitors.

So are there any lessons out there that we can learn from, in terms of organizations taking their eye off of enterprise risk management and missing a market opportunity? Organizations that have spent so much time and effort working on the other elements that they have become vulnerable in the marketplace:

In the volatile political air ignited by the nation's economic struggles, $5 buys a lot more controversy than it used to.

The announcement by Bank of America Corp. last week that it would charge customers $5 a month to use their debit cards has rung up animosity from coast to coast.

Coming amid growing anti-Wall Street protests, BofA's new fee has become a focal point for anger and frustration about the flailing economy and Washington's attempts to help the nation recover from the financial crisis.

Industry leader Nokia held onto its No. 1 slot, but its market share continued to plummet, sinking to 24.2 percent in the second quarter from 33.8 percent a year ago. Excess inventory in regions like China and Europe apparently triggered a drop in shipments. Stung by the iPhone and Android phones, Nokia recently reported a huge loss for the second quarter.

While Bank of America and Nokia are just two companies that have seen their market share and presence become the subject of business MBA student case studies, there are plenty of others that make the case for paying more attention to "Market Readiness". And then there is one of our favorites, Siemens AG. After having missed its exposure to the threat of the Foreign Corrupt Practices Act (FCPA) and paid out several billion dollars to the US Government and to business services companies to rectify its internal controls, there is this:

"Stuxnet computer virus analyzed"

By Tabassum Zakaria

IDAHO FALLS, Idaho, Sept 29 (Reuters) - Behind the doors of a nondescript red brick and gray building of the Idaho National Laboratory is the malware laboratory where government cyber experts analyzed the Stuxnet computer virus.

The malicious software targets widely used industrial control systems built by German firm Siemens (SIEGn.DE). Cyber experts have said it appeared aimed mostly at Iran's nuclear program and that its sophistication indicates involvement by a nation state, possibly the United States or Israel.

The Stuxnet virus was a "significant game changer in the cyber world," said Marty Edwards, a Department of Homeland Security official in charge of a cybersecurity program in partnership with the Idaho National Laboratory, which conducts nuclear research.

The U.S. government is concerned that cyber attacks could wreak havoc on the industrial base and cost millions of dollars. The Idaho lab programs are geared toward protecting the industrial infrastructure: chemical plants, food processing facilities, utilities, water systems and transportation.

"It is probably the most important security issue that we face today," said Greg Schaffer, a top official in the DHS National Protection and Programs Directorate. "This is a problem that continues to grow."

When any prudent risk management professional in the financial, energy or high technology sectors looks at the lessons learned on an annual basis, it should help develop the strategy for exploiting a seam in the market. If you are a late bloomer in the game of business resilience and proactive enterprise risk management, heed the lessons of the marketplace and don't underestimate the element of "Market Readiness".

01 October 2011

Deepwater Energy Risk: Protecting Business Performance...

Operational Risk professionals are applying effective software tools in the Energy Sector. After all, the core disciplines of OPS Risk lie with safety and security, and the current reality of deepwater drilling beyond 8,000 feet of ocean is here now.

There are few organizations that understand the risks associated with drilling and capturing precious natural resources under these demanding conditions better than the Marine Well Containment Company (MWCC), based in Houston, TX USA. This new and quickly expanding consortium of ten energy exploration companies has banded together to address the "All Hazards" requirements that resulted from the Deepwater Horizon catastrophe. Never before have so few private sector energy companies converged to take on readiness and the management of operational risks with so much capital and mission focus.

Simultaneously, others close to the maritime risk management industry, such as Lloyd's Register Group, have embarked on the bold mission of assisting organizations like MWCC in the future quest to satisfy our insatiable thirst for energy. They, too, understand the necessity of mitigating and preventing another Macondo incident, where a blowout preventer failed:

ModuSpec BV and Scandpower AS, members of the Lloyd’s Register Group, are developing a new tool with origins from the nuclear power industry that may prove highly useful to subsea engineers, offshore drilling managers, and regulators.

Operational Risk Management (ORM) is the process that evaluates the likelihood of a casualty occurring while comparing it to its associated consequences. BOP Monitor, a new tool under development by Scandpower applies ORM principles in a highly specific manner to one of the most important, and highly complex systems on board a drilling rig, the blow out preventer.

Last year’s Deepwater Horizon disaster cast an enormous spotlight on blow out preventer technology because the one sitting atop the Macondo Well failed to accomplish its mission, and millions of gallons of oil spilled into the sea. A one-in-a-million chance? Perhaps. In the decades since subsea blowout preventers have been used, countless have worked as-designed mitigating the disastrous consequences we all saw last summer. As the industry moves toward the arctic however, failure of these systems is absolutely not an option and risk management is of utmost importance to operators and coastal states.

The combination of MWCC and Lloyd's Register to address the challenges ahead in deepwater drilling is a natural fit, in the Gulf of Mexico and beyond. Perhaps even more so is the Lloyd's Register Quality Assurance (LRQA) division, whose people are experts in Business Assurance and protecting business performance. They are the people who go beyond the words in a regulation or international standard to apply a holistic and multi-faceted approach to helping your business achieve higher performance. MWCC will need that business assurance and performance management going forward if they are to work in concert with United States regulatory agencies such as the Bureau of Ocean Energy Management, Regulation and Enforcement (BOEMRE).

All of the plans and processes will not be enough for those operators who are drilling in deepwater. This is exactly why exercising and testing those people, plans and processes will be a verified requirement:

Tracking and verification of exercise requirements for spill responders is a BOEMRE function that ensures that all responders have the required experience and expertise to respond to an offshore facility spill. Operators are required to conduct annual Spill Management Team “table top” exercises. These drills are required to test the Spill Management Team’s organization, communication, and decision-making in managing a response. The operator is also required to conduct an annual deployment exercise of the equipment staged at onshore locations identified in their plan. Each type of equipment staged onshore must be deployed and operated every 3 years. The operator is required to exercise their entire response plan every 3 years. Another exercise that tests the ability of the operator to communicate information in a timely manner is the required annual notification exercise required for every facility that is manned on a 24-hour basis. The operator must notify BOEMRE at least 30 days prior to these drills occurring. This notice provides an opportunity for BOEMRE to witness the exercise or to request changes in the frequency or location of the exercise, equipment to be deployed and operated, or deployment procedures or strategies. BOEMRE can also evaluate the results of these exercises and advise the owner/operator of any needed changes in response equipment, procedures or strategies.

The operational risk readiness factor is at the core of all of the exploration companies as it pertains to the Safety and Environmental Management Systems (SEMS). All of the MWCC consortium companies will already be well versed in "Operating Integrity Management Systems"; yet, as all ten come together to work on a combined solution, a baseline of standards and guidelines will be paramount to their inevitable success.

Remember, all of this focus is on the prevention of another "All Hazards" incident. Much of that focus stems from a lack of confidence that equipment will perform, or that procedures will be replicated by humans, at just the right moment if an emergency condition presents itself. That is why testing and exercising the many facets of the entire spectrum of threats is necessary, beyond those related just to equipment integrity or failure:

More specifically, the goal of an offshore energy exploration and production safety regime must ensure that:

• Life, environment and property are protected in an effective, consistent, transparent and predictable way; both for those directly affected and involved in offshore operations.

• Risks are properly evaluated and all prevention and mitigation measures are identified;

• Control measures are implemented and maintained by all parties in accordance with mandatory risk assessments as well as what is prescribed by regulation;

• Conditions of safeguards, facilities, procedures, personnel and organizations are continuously monitored throughout the lifetime for proper functioning and compliance with all regulatory requirements and to assure that risks do not increase;

• Technical innovation and efficiency improvements can be implemented safely and responsibly.

And then there is the kind of risk that many are still not thinking about in the Gulf of Mexico. The risk that exists in other offshore drilling regions of the globe today:

Gunmen attack ExxonMobil supply vessel kidnapping one, wounding another

By Dorothy Davis

Industry sources have reported that gunmen have attacked a ship supplying an ExxonMobil (NYSE:XOM) oil rig off the coast of Nigeria, kidnapping one crew member and injuring another.

Nigel Cookey-Gam, a spokesman for the ExxonMobil subsidiary Mobil Producing Nigeria (MPN) told The Associated Press that the kidnapping happened early Friday (09/30) off the coast of Nigeria's Akwa Ibom state.

"Mobil Producing Nigeria, operator of the joint venture with the Nigerian National Petroleum Corporation, confirms that in the early hours of Friday, some armed men attacked a supply vessel near one of our platforms, offshore Akwa Ibom State," Cookey-Gam offered in the official statement. “The incident has been reported to security and relevant government agencies”

According to ExxonMobil, MPN is the second largest oil producer in Nigeria having begun production of crude oil in February 1970 from the Idoho field, located off the coast of Akwa Ibom State.

Violence and extortion-driven kidnappings have been prevalent in Nigeria’s oil- and gas-rich southern delta since 2006, when militants kicked off a series of attacks targeting oil companies. In 2009 a government amnesty program offering Niger Delta rebels an unconditional pardon and cash payments brought about a short period of reprieve, but has not been successful in quelling the targeted violence in the mostly impoverished region.

Deepwater Energy Risk in the next decade will be expanding off the coast of Brazil and in the Arctic:

In a warming and changing Arctic, China is stepping up its activities in the Arctic Ocean Basin. While China’s interests and policy objectives in the Arctic Ocean Basin remain unclear, Beijing is increasingly active and vocal on the international stage on issues that concern the region. To that end, China is actively seeking to develop relationships with Arctic states and participate in Arctic multilateral organizations such as the Arctic Council. The region includes a rich basket of natural resources: The U.S. Geological Survey estimates that 25 percent of the world’s undiscovered hydrocarbon resources are found in the Arctic region along with 9 percent of the world's coal along with other economically critical minerals. There is presently scarce open source information on China's Arctic policy and very few public pronouncements on the Arctic by Chinese officials.