22 April 2012

Workplace Trust: Integrity, Ethics & Legal Risk...

Operational Risk Management professionals wonder about the "Tone at the Top" and about decisions at the latest Board of Directors meeting to ignore, or to investigate, a whistleblower's claims of ethics or governance violations in the workplace.

The financial services companies have for years been the target of scrutiny over claims of fraud, mistreatment of consumers and violations of several U.S. federal regulations, many of them under further examination by the SEC. As the evolution of maleficence continues, you will find examples of wrongdoing in other private sector areas, such as the Defense Industrial Base (DIB), Retail and Information Technology (IT). Think about your own company and ask yourself how you treat and respond to the 800 number Ethics Line and to those who staff the Internal Audit, Risk Management or Information Security departments. Are these enablers or impediments to your future success? Your answer may be a clue to the issue at hand.

The professionals in the Inspector General's office, the Operational Risk Management department and the General Counsel's office are also there for a good reason. Think of them as the last "Thin Blue Line" between your company becoming a success and falling into a cultural abyss that will plague the institution for decades. Steven Pearlstein explains in the Washington Post:

Steven Pearlstein: How could SAIC miss this?
Last week in these pages, The Post ran a profile of John Jumper, the straight arrow former Air Force general who was brought in as chief executive of local contracting giant SAIC in the wake of an embarrassing overbilling scandal involving bribery, kickbacks, foreign shell corporations and a safe deposit box stuffed with $850,000 in cash. 
A year ago company officials were publicly denying that there were any problems at all with its contract to build a new timecard system for New York City, which by then was so late and so over budget that “CityTime” had become a frequent target for the New York tabloids and political embarrassment for Mayor Michael Bloomberg. 
It was just last June that SAIC executives and directors first informed shareholders that there might be a little $2.5 million overbilling problem with the contract and that federal prosecutors had brought criminal charges against six employees of an SAIC subcontractor. Shareholders had to read deep into Note 9 of that quarterly report to learn that there might be “a reasonable possibility of additional exposure to loss that is not currently estimable” that “could have a material adverse impact” on the company’s finances.

This episode by one DIB contractor was not the first, nor will it be the last. One has to ask whether the advice these companies are getting from their outside counsel is always the right course of action. The government and the internal risk management departments are going to be continuously deluged with new whistleblower claims, and not just because new laws are in place to protect whistleblowers and to give them incentives to come forward. It is because good people are sick and tired of having their organization's reputation tarnished and its ethical practices jeopardized by a few bad cowboys or rogue actors. Now the Retail sector is being taught a serious lesson regarding a potential FCPA violation by Wal-Mart. David Barstow at the NYT has this to report:

Published: April 21, 2012
MEXICO CITY — In September 2005, a senior Wal-Mart lawyer received an alarming e-mail from a former executive at the company’s largest foreign subsidiary, Wal-Mart de Mexico. In the e-mail and follow-up conversations, the former executive described how Wal-Mart de Mexico had orchestrated a campaign of bribery to win market dominance. In its rush to build stores, he said, the company had paid bribes to obtain permits in virtually every corner of the country.
The former executive gave names, dates and bribe amounts. He knew so much, he explained, because for years he had been the lawyer in charge of obtaining construction permits for Wal-Mart de Mexico. 
Wal-Mart dispatched investigators to Mexico City, and within days they unearthed evidence of widespread bribery. They found a paper trail of hundreds of suspect payments totaling more than $24 million. They also found documents showing that Wal-Mart de Mexico’s top executives not only knew about the payments, but had taken steps to conceal them from Wal-Mart’s headquarters in Bentonville, Ark. In a confidential report to his superiors, Wal-Mart’s lead investigator, a former F.B.I. special agent, summed up their initial findings this way: “There is reasonable suspicion to believe that Mexican and USA laws have been violated.”

Mitigation of Operational Risks in the workplace, such as fraud and corruption, is different from mitigation outside the enterprise. The difference is that corporate executives do not always believe that their own employees would behave this way. They may be naive about the reasons why fraud finds its way into the psyche of some of the organization's most trusted officers. Corruption, and the signs that an organization has lost its way from a place of cultural integrity to one that condones looking the other way, or in which many help perpetuate schemes of wrongdoing, requires a massive organizational transformation: one that is led by focused and talented Operational Risk professionals.

But most of all, even if you have these professionals on your team already, there are still some important ingredients to achieving your own "Defensible Standard of Care":

1. If you think you have funded the risk management department in your enterprise adequately, you haven't. Do not confuse your outside audit function with your internal risk management function.
2. If you don't understand how your 800 number ethics line works, and the outsourced organization that runs it, then you need to do so immediately.
3. If you have a favorite outside counsel to help you with investigations, it might be time for a check-up. Even more importantly, it might be time to get your outside counsel firms and your outside audit firms invited to a meeting of the minds on corporate integrity.
4. If you find any indications that 1 through 3 have been ignored, pushed aside or have been giving you a false sense of security, then you might consider making a career change.

Tech Inc., a rapidly growing software company operating in 45 countries, learns that the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) are investigating payments made by its subsidiaries in Brazil and China for possible violation of the Foreign Corrupt Practices Act (FCPA). Bob, the general counsel for Tech Inc., suspects that the source of the investigation is an employee who anonymously lodged a hotline complaint alleging that the company was 1) paying independent sales agents excessive commissions and 2) providing generous discounts and rebates to some of its channel customers and distributors. The complainant also said he believed the problem extended beyond Brazil and China based on discussions he had with other employees.

14 April 2012

Too Big to Fail: Basel III to ID Theft...

Now that the Basel III wheels are in motion and the "Top 29" vital global banking institutions have been identified, Operational Risk Management is on everyone's mind. The capital reserves will continue to help them become more resilient to the systemic volatility ahead. Are you feeling the uncertainty starting to disappear? Not for a minute.

As these banking institutions try to withstand the economic impact of a nation-state failure like Greece, the consumers who are the customers of the "Top 29" too big to fail are simultaneously being barraged and systemically targeted by international crime rings. Identity thieves have set up transnational operations that will continue to plague millions of consumers at these same banking institutions. Their own governments continue to try to deal with the nexus of criminal elements, consumer privacy and law enforcement. How bad is it for the U.S. Treasury, as one example:
Identity theft involving tax fraud is increasing faster than law enforcement and government officials can deal with it, according to testimony today before a House oversight subcommittee. Identity theft to scam fraudulent tax refunds from the government has increased 100 percent in just three years.
“As of Aug. 31 of this past year, IRS incident tracking reports indicated that the numbers of taxpayers affected by identity theft has more than doubled since 2008 to over 580,000 taxpayers this year alone,” said J. Russell George, Treasury Department inspector general for tax administration.
The crime has become too easy. It’s like a party, according to Rep. Richard Nugent, R-Fla., whose district has a problem with tax-related identity theft.
“Tampa Police Department has busted what the lawbreakers call ‘make it rain’ parties, where criminals get together in a hotel room with Internet access and file fake return after fake return,” Nugent told the committee.
How does paying out billions of dollars to these fraud crime rings, using your Social Security number and date of birth, increase the operational risks on our banking institutions? Every consumer at one of these banks who is a victim of fraud will one day deal with the aftermath. If the fraudsters are filing a fraudulent tax return that impacts you, then the odds are that you may end up paying a higher interest rate, and this will not be the only place they use your ID Theft misfortune for financial gain.
For the victims of tax fraud identity theft, the people who had fraudulent tax returns filed in their names, getting the problem fixed and their lawful refund paid could take a year and a half.
“A typical path for an identity theft refund case that is not complex may take as long as 18 months to resolve,” said J. Russell George, Treasury Department Inspector General for tax administration.
The cost of dealing with Identity Theft has many dimensions: the protection of Personally Identifiable Information (PII); the fact that the IRS and law enforcement have difficulty sharing information about the consumers themselves due to privacy laws; the prevalence of technology and online Internet forums for buying and selling fraudulent identities; and the continuous salvo of attacks on financial institutions to compromise the cyber defenses they have established, a 24 x 7 battle.

To exacerbate the problem, the "Death Master File" (DMF) is the genesis of much of the Identity Theft and tax fraud when this information gets into the wrong hands. The U.S. Social Security Administration has been publishing this list of 90 million dead Americans since 1980 to help the "Top 29" fight fraud. At the same time, Identity Theft fraudsters are using the same data to perpetuate their schemes:

Identity thieves are cashing in on dead children across the nation, stealing their Social Security numbers to collect fraudulent tax refunds from the Internal Revenue Service.
Grieving families — including the Watters family of Lake Forest — say their anguish is amplified by the realization that the crooks get help from an unexpected source: the Social Security Administration’s “Death Master File,” which records and lists information about everyone who dies in the United States.
Armed with the deceased child’s Social Security number and other personal information, crooks falsely claim them as dependents and have the refunds routed to them.

One reason that the financial institutions, government agencies and law enforcement are going in circles is because "Operational Risk Management" processes and tools are still not as robust as they could be. As the Basel III regulatory mandates kick in along with other new laws, methods and tools, all of the impacted parties will get better at deterring, detecting, defending and documenting in this complex information age.

In the meantime, consumer beware. Look long and hard at the "Top 29" list and decide whether you need to move your funds somewhere else. And before you do, look at the online banking login page for that institution. Are they still using only a single-factor user name and password? Multi-factor authentication is not foolproof, yet it does tell us whether the institution is serious about Operational Risks in the area of Information Security. This is a key indicator of their ability and capability to keep your data out of the hands of the transnational eCrime rings.

Finally, you have to take the monitoring of your own identity, and of all of your family members' identities, seriously. It will be far more proactive than anything governments or financial institutions will do alone. Regardless of how fast they implement the latest tools and technology, the fraudsters are moving just as fast. By adding your own diligence on top of that of the banking institution, government agency or other entity (doctors, lawyers, dentists, insurers) that may hold your Personally Identifiable Information, you are decreasing your odds of becoming an Identity Theft and fraud victim.

Financial risks for the banks and the consumers will continue to be the current state of play. Basel III alone will not eliminate the threat of failure or the possibility of a serious bank fraud. Monitoring services or checking your credit report on a quarterly basis will not keep the ID Theft criminals from stealing your PII. Implementing both on a proactive and pervasive basis will make a positive difference over time. This is what Operational Risk Management is all about, in the global institution's board room and in your own home office.

08 April 2012

Cyber Reality: Quest for the Digital Castle...

On this Easter Sunday the prayers are silent: for family, for friends, and also for the subject matter experts in business and the U.S. government. They have been waking us up again to the reality of the Operational Risks we now face to our ubiquitous digital-based economic infrastructure. The message is clear to those insiders who have been trying to defend our "Digital Castles" against tremendous odds and seemingly invisible threats. Is it really game over?

The short answer is yes. The current mindset should be that every major business of valuable interest in the eyes of the enemy has already been compromised, or soon will be. It is already too late. The stealth digital code is currently waiting in the shadows of your organization's hundreds or thousands of digital assets. Whether it is the aging Dell tower desktops still running Windows XP somewhere, or the latest Android PDA and Apple iOS devices tethered to the corporate network, does not matter. Your adversary has control of when and where to begin the attack on you and your organization. To illustrate the point, Shawn Henry had this to say in a recent interview:

Q: So the cyber threat is truly global in scope?

Henry: Absolutely. In the physical world when somebody robs a bank, the pool of suspects is limited to the number of people in the general vicinity of that bank. When a bank is robbed virtually, even though it is very real for the victims—the money is actually gone—the pool of suspects is limited to the number of people on the face of the earth that have a laptop and an Internet connection, because anybody with an Internet connection can potentially attack any other computer that is tied to the network. You don’t have to be a computer scientist to launch these types of attacks.

So if this is the reality of the global state of play, in both the business world and government, what should the risk management strategy consist of going forward? How could we ever get to a point of advantage over those who seek to do us harm? That requires a longer answer. Here is what just happened this past week on the Apple beachhead:

A strange thing happened earlier this week when Apple closed a security hole that allowed more than half a million Mac computers to get infected.

The infections, by and large, stopped spreading, according to Doctor Web, the Russian maker of antivirus software that researched and publicized the threat.

In the security world, that’s the opposite of what’s expected.

In a paradoxical way, fixing a well-known software bug can expose users to worse attacks. That’s because patching a security hole is the equivalent of planting a flashing neon sign on top of the hole alerting hackers to its presence.

Granted, the patch covers the hole and fixes the problem, but only for people who get the updates. And many people don’t get the updates.

They might use pirated software and thus can’t get patches. They might work in a corporation that tests all patches before pushing them out to all employees, which causes delays. They might have automatic updates turned off. Or their computer might already be infected and blocking security updates.

So internally, the prudent corporate business strategy should be for your General Counsel and the CIO of your organization to be already preparing themselves for the day that they will step before the press conference microphone to disclose the material breach of the company's intellectual capital or theft of assets. They should already know that it is just a matter of time, rather than deny that it will ever happen on their watch. If you are a Board Director and you still have not had "The Talk" with management about this stark reality, then you too are complicit in the scheme to present your stockholders and stakeholders with a false sense of confidence that you are safe and secure.

The new normal for forward-thinking organizations is already being implemented for adverse events. The Crisis Management Team has already exercised the "Data Breach" scenario numerous times. Your General Counsel and Chief Information Officer have rehearsed and practiced their testimony under opposing and adversarial questioning of your organization's information security processes. The company subject matter experts are more than prepared to submit evidence of their best practices, industry standards compliance and previous tests of due diligence. The stage is set for the courtroom battles ahead:

Global Payments Inc. (GPN), the bank-card processor whose shares were halted last week after reports of a data breach, said perpetrators may have obtained fewer than 1.5 million card numbers.

The impact is confined to North America, the Atlanta-based company said yesterday in a statement. So-called track 2 data, the information encoded on the back of payment cards, may have been stolen while cardholder names, addresses and Social Security numbers weren’t compromised, the firm said.

“These are fiends, these are bad guys, these are guys who are working day and night to hurt all of us,” Chairman and Chief Executive Officer Paul R. Garcia said today on a call with analysts. “How’d they get in in the first place? That’s not a good thing.”

Global Payments, a so-called merchant acquirer that sets up retailers to accept credit and debit cards, plunged as much as 14 percent on March 30 and was down 9 percent when trading in its stock was halted. The Wall Street Journal reported the same day that 50,000 cardholders may have been put at risk as the firm was hit by a security breach, and krebsonsecurity.com, which tracks cybercrimes, said more than 10 million accounts may have been affected by an incident in the payments industry.

The stock fell an additional 3.2 percent today to $46 at 9:51 a.m. in New York.

The quest for the "Digital Castle" has been going on for years. Are you awake now, or still living in a dream of denial about your state of achieving a Defensible Standard of Care? Our Father who art in Heaven...