Showing posts with label Red Flags Rule.

22 November 2020

CyberCom: Real-time Situational Awareness...

The Operational Risks to your enterprise that are associated with your digital assets, networks and infrastructure are vast.

What is your organization's exposure today?

The amount of daily "Cyber Intelligence" flowing into the organization is growing exponentially and there are few hours in the day to analyze it. You have invested hundreds of thousands if not millions on cyber security to keep your corporate systems protected and ready for any significant business disruptions.

Electronically Stored Information (ESI) is continuously being discussed at Board of Directors meetings. Data Breach Notification Laws are being amended and the congressional pipeline for privacy and cyber laws is in full swing in the United States.

The Fortune 500 is already paying for "White Hat" hackers to test their online and data security. The only way to continuously determine the effectiveness of risk management controls is to continuously test them in a lab or scenario environment.

This "Red Cell" approach to attacking the corporate assets from the "inside out" or the "outside in" provides the intelligence necessary to close the gaps and vulnerabilities. These penetration or vulnerability tests are necessary, and the ecosystem of companies, sources and methods that deliver them is expansive.

A Fortune 500 organization may currently subscribe to annual services that provide the intelligence that gives them an alert of a "Red Flag" in their security landscape.

The company that provides the intelligence is paying a substantial fee to a network of sophisticated professionals to find and exploit vulnerabilities in software, namely in the design, configuration or implementation of a complex set of technologies, in order to determine where and how these vulnerabilities may pose a threat to your assets.

The model for Enterprise OPS Risk Management in the most savvy and enlightened critical-infrastructure-dependent organizations rests on the realization that cyber security is not a department or a unit at the company.

It remains a horizontal platform on which all business units and the departments of the organization rest, and its pervasive mechanisms for the security and safety of people, processes, systems and external events must operate 24 X 7 X 365.

Our future is about "Defend Forward" or a "Real-Time Situational Awareness" strategy.

"The “defend forward” concept outlined in the DoD’s 2018 cyber strategy charges Cyber Command to get as close to adversaries in networks outside the United States before they reach the nation. The command uses its authorities to operate in networks abroad to discover malware and enemy tactics that could be used against the American people or election infrastructure.

The command can either share that with relevant partners — such as the Department of Homeland Security, the FBI or private companies — so they can take necessary measures, or the command can unilaterally take action to thwart malicious activities before they impact American networks."

The public and the consumer are becoming used to the fact that the challenge continues to be an iterative process and worthy of some levels of patience.

"Operational Risk Management (ORM) is not about eliminating all threats to the enterprise. It is about the speed and accuracy of understanding the current levels and threat vectors so you can effectively deter, detect, defend and document."

This "4D" approach to risk management in the rapidly changing, digitally mobile organization of 2020 and beyond is a shift away from pure information security thinking that is housed within the Information Technology Department...

22 April 2012

Workplace Trust: Integrity, Ethics & Legal Risk...

Operational Risk Management professionals wonder about the "Tone at the Top" and decisions at the latest Board of Directors meetings to ignore or investigate a whistleblower's claims of ethics or governance violations in the workplace.

The financial services companies have for years been the target of scrutiny for claims of fraud, mistreatment of consumers and violations of several U.S. federal regulations, many under further examination by the SEC. As time goes on in the evolution of malfeasance, you will find examples of wrongdoing in other private sector areas, such as the Defense Industrial Base (DIB), Retail and Information Technology (IT). Think about your own company and ask yourself how you treat and respond to the 800 number Ethics Line and those who staff the Internal Audit, Risk Management or Information Security departments. Are these enablers or impediments to your future success? Your answer may be a clue to the issue at hand.

The professionals in the Inspector General's office, the Operational Risk Management department and the General Counsel's office are also there for a good reason. Think about them as the last "Thin Blue Line" between your company becoming a success or falling into a cultural abyss that will plague the institution for decades. Steven Pearlstein explains in the Washington Post:

Steven Pearlstein: How could SAIC miss this?
Last week in these pages, The Post ran a profile of John Jumper, the straight arrow former Air Force general who was brought in as chief executive of local contracting giant SAIC in the wake of an embarrassing overbilling scandal involving bribery, kickbacks, foreign shell corporations and a safe deposit box stuffed with $850,000 in cash. 
A year ago company officials were publicly denying that there were any problems at all with its contract to build a new timecard system for New York City, which by then was so late and so over budget that “CityTime” had become a frequent target for the New York tabloids and political embarrassment for Mayor Michael Bloomberg. 
It was just last June that SAIC executives and directors first informed shareholders that there might be a little $2.5 million overbilling problem with the contract and that federal prosecutors had brought criminal charges against six employees of an SAIC subcontractor. Shareholders had to read deep into Note 9 of that quarterly report to learn that there might be “a reasonable possibility of additional exposure to loss that is not currently estimable” that “could have a material adverse impact” on the company’s finances.


This episode by one DIB contractor was not the first, nor will it be the last. One has to ask whether the advice these companies are getting from their outside counsel is always the right course of action. The government and the internal risk management departments are going to be continuously deluged with new whistleblower claims, not just because new laws are in place to protect them and to provide them with the incentives to come forward, but because good people are sick and tired of having their organization's reputation tarnished and their respective ethical practices jeopardized by a few bad cowboys or rogue actors. Yet now, the Retail sector is being taught a serious lesson regarding a potential FCPA violation by Wal-Mart. David Barstow at the NYT has this to report:

Published: April 21, 2012
MEXICO CITY —
In September 2005, a senior Wal-Mart lawyer received an alarming e-mail from a former executive at the company’s largest foreign subsidiary, Wal-Mart de Mexico. In the e-mail and follow-up conversations, the former executive described how Wal-Mart de Mexico had orchestrated a campaign of bribery to win market dominance. In its rush to build stores, he said, the company had paid bribes to obtain permits in virtually every corner of the country. 
The former executive gave names, dates and bribe amounts. He knew so much, he explained, because for years he had been the lawyer in charge of obtaining construction permits for Wal-Mart de Mexico. 
Wal-Mart dispatched investigators to Mexico City, and within days they unearthed evidence of widespread bribery. They found a paper trail of hundreds of suspect payments totaling more than $24 million. They also found documents showing that Wal-Mart de Mexico’s top executives not only knew about the payments, but had taken steps to conceal them from Wal-Mart’s headquarters in Bentonville, Ark. In a confidential report to his superiors, Wal-Mart’s lead investigator, a former F.B.I. special agent, summed up their initial findings this way: “There is reasonable suspicion to believe that Mexican and USA laws have been violated.”

Mitigation of Operational Risks in the workplace, such as fraud and corruption, is different from mitigation outside the enterprise. The difference is that corporate executives do not always believe that their own employees would behave this way. They could be naive to the reasons why fraud finds its way into the psyche of some of the organization's most trusted officers. Corruption, and the signs that an organization has lost its way from a place of cultural integrity to one that condones others looking the other way, or that lets many help perpetuate schemes of wrongdoing, require a massive organizational transformation: a transformation that is led by focused and talented Operational Risk professionals.

But most of all, even if you have these professionals on your team already, there are still some important ingredients to achieving your own "Defensible Standard of Care":

1.  If you think you have funded the risk management department in your enterprise adequately, you haven't.  Do not confuse your outside audit function with your internal risk management function. 
2.  If you don't understand how your 800 number ethics line works and the outsourced organization that runs this, then you need to do so immediately. 
3.  If you have a favorite outside counsel to help you with investigations, it might be time for a check up.  Even more importantly, it might be time to get your outside counsel firms and your outside audit firms invited to a meeting of the minds on corporate integrity. 
4.  If you find any indications that 1 through 3 have been ignored, pushed aside or have been giving you a false sense of security, then you might consider making a career change.

Tech Inc., a rapidly growing software company operating in 45 countries, learns that the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) are investigating payments made by its subsidiaries in Brazil and China for possible violation of the Foreign Corrupt Practices Act (FCPA). Bob, the general counsel for Tech Inc., suspects that the source of the investigation is an employee who anonymously lodged a hotline complaint alleging that the company was 1) paying independent sales agents excessive commissions and 2) providing generous discounts and rebates to some of its channel customers and distributors. The complainant also said he believed the problem extended beyond Brazil and China based on discussions he had with other employees.


18 March 2012

Product Innovation: Individual Responsibility for Risk Management...

The next generation of Operational Risk Management professionals will be focused on a whole new set of thinking. Mitigating business risks that are associated with running the day-to-day functions of the enterprise will require people who have a command of their own accountability. The management of risks in their particular area of operations will have an acute sensitivity to the level of experimentation, testing and innovation. This responsibility for individual levels of proactive risk management begins with a new mind-set shift about the world of work itself, and our own management of our personal work product.

When you analyze where the financial services industry has exposed itself to tremendous losses over the years, it will no doubt be tied to some innovative instrument or product that was invented by some very creative and innovative people. These losses surrounding Credit Default Swaps (CDS) or Collateralized Debt Obligations (CDO), as an example, all started when an innovative person utilizing the latest tools available created a new product to be introduced to the marketplace. Sure, there were risk management professionals involved in the pipeline to production, including lawyers, math quants and finance experts. Yet a failure of Operational Risk Management led to serious losses and a global crisis that may well be just the precursor to something even more sinister.

The human quest for innovation, creativity and the ability to adapt is built into our DNA. So is the ability to survive and to overcome the adversities of our environment to sustain ourselves. Whether that is in the form of food and water or capital and manpower doesn't really matter. Leveraging the available resources to stay alive, being competitive and gaining more power in the conference rooms of Wall Street, or the Madrasahs in South Waziristan, remains a constant.

Innovation in the workplace is vital for our employees to thrive, for new products to be discovered and for old ones to be enhanced. Those new products are invented by people who will have the simultaneous task of doing a sound operational risk assessment. Managing risks and innovating happen at the same time and are hard to separate from each other. The trade-offs and the decisions on whether to use this material or that algorithm, based upon use, shelf-life and the environment that the new product innovation will be operating in, take prudent risk analysis.

So what will be different for our next generation of Operational Risk Management professionals? What will the new thinking be all about? It will be about engineering the four-step process into everything we do, and reinforcing compliance with each step of the team's process:


1. Assess the situation.

The three conditions of the Assess step are task loading, additive conditions, and human factors.

  • Task loading refers to the negative effect of increased tasking on performance of the tasks.
  • Additive factors refers to having a situational awareness of the cumulative effect of variables (conditions, etc.).
  • Human factors refers to the limitations of the ability of the human body and mind to adapt to the work environment (e.g. stress, fatigue, impairment, lapses of attention, confusion, and willful violations of regulations).

2. Balance your resources.

This refers to balancing resources in three different ways:

  • Balancing resources and options available. This means evaluating and leveraging all the informational, labor, equipment, and material resources available.
  • Balancing resources versus hazards. This means estimating how well prepared you are to safely accomplish a task and making a judgement call.
  • Balancing individual versus team effort. This means observing individual risk warning signs. It also means observing how well the team is communicating, knows the roles that each member is supposed to play, and the stress level and participation level of each team member.

3. Communicate risks and intentions.

  • Communicate hazards and intentions.
  • Communicate to the right people.
  • Use the right communication style. Asking questions is a technique for opening the lines of communication. A direct and forceful style of communication gets a specific result from a specific situation.

4. Do and debrief. (Take action and monitor for change.)

This is accomplished in three different phases:

  • Mission Completion is a point where the exercise can be evaluated and reviewed in full.
  • Execute and Gauge Risk involves managing change and risk while an exercise is in progress.
  • Future Performance Improvements refers to preparing a "lessons learned" for the next team that plans or executes a task.

So what does the renewed emphasis on the process being embedded into our work actually do for our work product? It gives the human a sense that the innovation is now ready for experimentation and field testing. This means that it is still not ready for prime time or the marketplace. You see, this realization is important. The recent focus on rapid prototyping and a push to get products to the marketplace before the competition, has produced the sinister and evil outcomes we have all witnessed. Why does it take so long for a new drug to make it through the pharmaceutical pipeline and end up being advertised on the CBS Evening News?

And even then, after so much testing and study, we find that a new drug (product) is not really so safe compared to the long-term complications of using it as prescribed. The risk-reward equation is at stake in our financial services industry and every other economic sector that is striving to be more innovative in today's global marketplace. For individuals, here are $18 Million reasons:

Attorney Lynn Szymoniak had spent a career investigating insurance fraud when a bank moved to foreclose on her Florida home in 2008. Almost four years later, the fraud she said she uncovered by combing through mortgage documents earned her $18 million.

Szymoniak, 63, is among six whistle-blowers who will pocket $46.5 million as part of a $25 billion national foreclosure settlement that state and federal officials reached in February with five banks, including Bank of America Corp. and JPMorgan Chase & Co. (JPM), according to the U.S. Justice Department.

“When they did this to her, they picked the wrong person at the wrong time in the wrong place,” Richard Harpootlian, Szymoniak’s attorney in two whistle-blower cases, said in an interview. “They stuck their hand into the beehive.”

Szymoniak’s examination, in which she relied on her experience as an insurance-fraud investigator, led to her claims against banks for submitting fraudulent documents to the federal government asserting that they owned loans insured by the Federal Housing Administration, she said.

The national foreclosure settlement with the five banks, which resolves claims of abusive foreclosure practices, provides mortgage relief to borrowers, pays $1.5 billion to those who lost their homes to foreclosure, and sets standards for how the banks service mortgage loans.

Who will be your choice for effective operational risk management as your new innovative products are consumed by the marketplace?

A. Your employees or workplace stakeholders

B. Your customers or consumers

The choice is yours as your institution puts new resources and new incentives in front of your workplace stakeholders.

18 June 2011

FCPA Alert: Dodd-Frank vs. Powerball...

Board Directors are ever more tuned into the recent 2011 case settlements in Foreign Corrupt Practices Act (FCPA) violations. This is because Operational Risk Professionals are being much more proactive than years past on uncovering malfeasance in the supply chain operations of major global conglomerates:

Notable 2011 FCPA Settlements. 2010 was a record year for FCPA enforcement, and thus far 2011 has been no different. In the first half of 2011, 10 notable FCPA enforcement actions have settled, resulting in a total of about $490 million in penalties, disgorgement and prejudgment interest:

1. Tenaris agreed to pay a $3.5 million criminal penalty and $5.4 million in disgorgement and prejudgment interest.

2. Rockwell Automation agreed to pay disgorgement of $1.7 million, prejudgment interest of $590,000 and a civil penalty of $400,000.

3. Johnson & Johnson agreed to pay a $21.4 million criminal fine and $48.6 million in disgorgement and prejudgment interest, as well as about $7.9 million in related United Kingdom Serious Fraud Office recovery.

4. Comverse agreed to pay a $1.2 million criminal fine and $1.6 million in disgorgement and prejudgment interest.

5. Ball Corporation agreed to pay a $300,000 civil penalty.

6. Jeffrey Tesler, a key member of the TSKJ-Bonny Island joint venture accused of being part of a scheme to bribe Nigerian officials in exchange for contracts related to the construction of liquefied natural gas facilities, forfeited nearly $149 million, the largest FCPA-related forfeiture imposed on an individual to date.

7. JGC Corporation of Japan agreed to pay $218.8 million in criminal fines.

8. IBM agreed to pay a $2 million civil penalty, disgorgement of $5.3 million and $2.7 million in prejudgment interest.

9. Tyson Foods, Inc. agreed to pay a $4 million criminal penalty and $1.2 million in disgorgement and prejudgment interest.

10. Maxwell Technologies agreed to pay $8 million in criminal penalties, as well as $6.4 million to settle SEC civil charges.


Are any Board Directors out there amazed that companies such as IBM are still being impacted by the FCPA risk to the enterprise? Maybe more importantly, why is a Japanese company paying a criminal fine of over two hundred million dollars?

JGC CORPORATION is a Japan-based company mainly engaged in the engineering business. The Company operates in two business segments. The Integrated Engineering segment is engaged in the planning, design, procurement, construction and testing of equipment, appliances and facilities for petroleum, petroleum processing, petrochemistry, gas, liquefied natural gas (LNG), general chemistry, nuclear energy, metal smelting, biotechnology, food, pharmaceutical, logistics, information technology, environment protection and pollution prevention industries. This segment is also engaged in the provision of related inspection, maintenance and information processing services, as well as water and power generation business, among others. The Catalyst and Chemical segment is involved in the manufacture and sale of catalyst agents, functional materials, deodorants and enzymatic filters, electronic materials and high-performance ceramic products, as well as next-generation energy related products.

The Board of Directors of any transnational organization should be doing their homework on the reasons why JGC Corporation has employed an independent compliance consultant for the next two years and paid the $200M fine. Remember, your supply chain and your business partners may be the reason why you are sitting around the Board Room table negotiating with the U.S. Department of Justice.

The larger question is, could this have been prevented? Is this a risk that can be mitigated within the corporate enterprise? Has the company done everything in its capacity to put the right controls and tools in place to keep FCPA from ever finding its way back onto the Board Room Agenda? Do you know whether all of your joint venture partners are from the U.S., and all of the projects that they are working on together?

JGC’s agreement to pay the fine brings to $1.5 billion the total penalties in a case against a joint venture known as TSKJ that included Houston-based Kellogg Brown & Root LLC, Paris-based Technip SA (TEC) and Dutch engineering firm Snamprogetti Netherlands BV, according to a Justice Department statement.

The joint venture’s prosecution represents one of the biggest foreign bribery cases undertaken by the Justice Department since it stepped up pursuit of such cases starting in 2008 when Munich-based Siemens, Germany’s largest engineering company, paid $1.6 billion to settle U.S. and German probes.

“Each of the four companies in the TSKJ joint venture, the former chairman of the U.S. joint venture partner, and several other individuals have now been held accountable for a massive conspiracy to bribe Nigerian government officials to obtain lucrative construction contracts,” Deputy Assistant Attorney General Mythili Raman said in the statement.


What is the cost of an FCPA investigation beyond the fine? Imagine for a moment the number of e-mail messages that have to be acquired, preserved and examined. Add up the billable hours for subject matter experts to review the remaining mountain of data to determine the final relevancy of a communication to the matter and the people associated with the project. As an example, what was the magnitude of the Siemens case?

According to court records, it was a vast undertaking spanning 34 countries, with private investigators conducting more than 1,750 interviews and gathering more than 100 million documents. They reviewed approximately 14 million of those documents and gave the Justice Department and the SEC a small subset, about 24,000, according to a Siemens tally.


So what is one of the answers or solutions to finding the "Red Flags" and self-disclosing the issue to the proper authorities early and often? First off, you need to develop your corporate "Human Intelligence" (HUMINT) capability around your Corporate Intelligence Unit (CIU). Developing and building an awareness factor in a pervasive manner is one way to do this. In order to get your HUMINT working for you, the people on the front lines and in the middle of the corporate hierarchy need to understand and internalize these "Red Flags". If the monthly or quarterly bulletin from the CEO discussing the integrity factor of the company's supply chain partners raises the issue of ethical behavior around a particular scenario, this will educate and increase awareness among those people in the enterprise who comprise this HUMINT network.

Sticks and carrots, or other methods for rewarding compliance, are so 1980s and 1990s. Wake up! In order to bring your global enterprise into the next decade of the 2000s, you have to start using the methods, processes and tools your deal makers use to run their business (SAP, Siebel CRM, Oracle). When was the last time the CEO visited the deal makers' pipeline meeting to review and discuss the joint ventures or pending projects that the business developers are forecasting to close in the next quarter? This is the perfect time for the CEO to ask them to fire any partner, agent, consultant, contractor or vendor that does not meet the foundation of the company's "Corporate Integrity Standards." Does your CEO even know what Social CRM is all about?

And how quickly the lessons that should have been learned are soon forgotten. Not any more. Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, employees, partners and other persons who provide original information on an FCPA violation by a public company can receive between 10% and 30% of the resulting fines as a "Whistleblower" bounty.

We wonder whether the odds of winning the next "Powerball" Lottery in the U.S. might be more difficult than getting 20% of a $200 million dollar fine. Global corporations should be preparing their internal processes for Ethics and Integrity Management now. This Operational Risk will soon be more apparent as employees understand the odds of "Winning".

31 July 2009

Red Flags Rule: Reputations at Stake...

The "Red Flags Rule" is on the back burner in the United States until November 1, 2009. The Federal Trade Commission has delayed the compliance mandate again. Are you ready? Do you have to comply?

The Federal Trade Commission has postponed a deadline for many of the nation's businesses -- including banks, public utilities and health-care providers -- to comply with a controversial identity-theft prevention program.

The program, called the "Red Flags Rule," was to take effect Aug. 1 but will now be delayed until Nov. 1. The program is aimed at preventing the loss of billions of dollars as the result of the theft of consumer and taxpayer personal information. Under the regulation, companies and institutions would be required to establish a way to identify potential threats at the businesses, find ways of detecting such threats and install measures to prevent them. Employees would also have to be educated about the programs.

A survey commissioned in 2006 by the FTC revealed that more than nine million Americans have their identities stolen each year at a total estimated loss of $15.6 billion.


The nation is under a barrage of attacks from adversaries that lie in the shadows, such as "Conficker" and other botnets or malware, and business still delays the compliance measures asked of it. One only has to look deeply into the latest 2009 report from Cisco to better understand the state of risk from "Transnational Economic Crime":

Report Highlights

  • Criminals are exploiting traditional vulnerabilities because they believe security experts and individual users are paying little attention to these types of threats.
  • Compromising legitimate websites for the purpose of propagating malware remains a highly effective technique for criminals.
  • Web 2.0 applications, prized for their ease of use and flexibility, have become lures for criminals.
  • Criminals are now targeting online banking customers using well-designed, localized text message scams that leave virtually no trail in their wake.
  • The Obama administration has made strengthening U.S. cybersecurity a high priority, and plans to meet threats by using technological innovations and partnering with the private sector. Other countries are similarly increasing efforts to enhance cybersecurity and prevent cybercrime.
  • Compared to 2008, the number of vulnerabilities and discrete threats has not risen as quickly. According to research by Cisco, this is a clear sign that the security community is succeeding in making it more difficult for attacks to take root and grow.


Operational Risks are vast and the technology landscape is not getting narrower; it is expanding. Cloud Computing is now the latest attempt to get cost savings and to make the IT puzzle less of an asset management nightmare. If you think that you understand it and where it's heading, think again. One only has to visit "Black Hat" and the briefings to get a better sense of what the true risks are going to be, if they are not already. This one caught our eye and for good reason:

Nitesh Dhanjani

Psychotronica: Exposure, Control, and Deceit

This talk will expose how voluntary and public information from new communication paradigms such as social networking applications can enable you to remotely capture private information about targeted individuals.

Topics of discussion will include:

Hacking the Psyche: Remote behavior analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware.

Techniques on how individuals may be remotely influenced by messaging tactics, and how criminal groups and governments may use this capability, including a case study of Twitter and the recent terror attacks in Bombay.

Reconnaissance and pillage of private information, including critical data that the victim may not be aware of revealing, and that which may be impossible to protect by definition.

The goal of this presentation is to raise consciousness on how the new paradigms of social communication bring with it real risks as well as marketing and economic advantages.


The risks to "Social Networking" Twitter-based consumers and the extended digital enterprise are vast. The CISOs and internal audit teams have been having their own internal battle for years and will soon realize, once and for all, that they are on the same side of the Cyberspace war. The risks to the organization may come in the form of a major business disruption, denial of service (DoS) or, even worse, a significant loss of consumer Personally Identifiable Information (PII). Even if you are considered PCI compliant, just as "Network Solutions" was, the loss of reputation can be significant:

Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months, Security Fix has learned.

Herndon, Va.-based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said.

The "Red Flag" may have turned to a "White Flag" as you surrender to the lawyers and the federal oversight.