Showing posts with label SOX. Show all posts

16 September 2022

ORM Tools: So Many Choices...So Little Time

As the software marketplace begins to mature with the newest systems for various facets of Operational Risk, how do you know what software tools are right for your organization?

For starters, there are dozens if not hundreds of specific tools on the market today for helping you manage everything from Risk and Control Self Assessments (RCSA), Supply Chain Risk to documenting processes for SOX 404 compliance. 

"You can benefit from building your structures for processes, business strategy and tests for procedures. This still leaves many choices to evaluate and vendors who will flog you with powerpoints."

There are several key components of the ORM Framework Management that are essential when considering software tools to assist you:  

Policy 

Create security policies, standards and procedures, distribute them online, educate and train employees, and track compliance, exceptions and violations.  

Threat 

Comprehensive and customizable early warning system providing notification of physical and digital threats, vulnerabilities and malicious code to help prevent attacks before they affect the enterprise.  

Assets 

Manage enterprise assets such as buildings, vehicles, inventory, servers, applications or data centers and their relationships to ensure you are protecting your critical assets according to management expectations. 

Risks 

Perform online risk assessments to determine the proper controls to be implemented on specific assets based on their use and risk to the enterprise. 

Incidents 

Report incidents, manage their escalation, track investigations and analyze resolutions.

In evaluating the current information security, regulatory and legal environment, consider these five key flaws with today’s ORM software solution programs:

1. Dependence on inadequate and incomplete technology-based point solutions; 

2. Failure to integrate people, process and systems into an effective operational risk program; 

3. Lack of decision support and an actionable understanding of the threat to the entire spectrum of corporate assets; 

4. Reactive response to perceived problems rather than proactive initiatives based on sound risk management principles; and

5. Cost and shortage of properly skilled IT personnel to support the programs.

The Gartner Group has identified three major questions that executives and boards of directors need to answer when confronting significant issues: 

  •  Is your policy enforced fairly, consistently and legally across the enterprise?
  •  Would our employees, contractors and partners know if a violation was being committed?
  •  Would they know what to do about it if they did recognize a violation?

If you don't know the answers to these questions then there is much more work to do and much more strategic planning necessary before any software system is implemented for Operational Risk Management...

25 January 2014

Evidence: True or False On Privacy Apps...

What is a Chief Legal Counsel to do these days about new messenger focused Apps such as Wickr, Silent Circle, or now even Confide?  Operational Risk Management (ORM) is a constant chess match.

The ranks of the deal makers and the Executive Suite who are more concerned about so-called eDiscovery and evidence coming back to haunt them are using these new-found "Privacy Apps."  Buyer beware: CxOs should be on the lookout for this new "Operational Risk" trend within the enterprise.

Regardless of whether employees are potentially circumventing corporate communication networks, or using their own personal devices, these new apps are indeed collecting potentially discoverable data:
Confide, Inc. (“Confide”) is pleased to offer you the ability to send and receive encrypted messages (“Messages”) that will self-destruct after a pre-set period of time (the “Service”). We make the Service available to you through a variety of Internet-enabled devices, including smart phones and tablets (collectively, “Devices”). Portions of the Service may also be available to you through our website at getconfide.com (the “Website”).

We provide our Service to you subject to the following Terms of Use, which may be updated by us from time to time without notice to you. By accessing and using the Website or the Service, you acknowledge that you have read, understood, and agree to be legally bound by the terms and conditions of these Terms of Use and the terms and conditions of our Privacy Policy, which is hereby incorporated by reference (collectively, this “Agreement”). If you do not agree to any of these terms, then please do not access or use the Website or the Service.
And this little item in the "Privacy Policy" caught our eye:
5. Geolocational Information
Certain features and functionalities of the Service may be based on your location. In order to provide these features and functionalities, we may – with your consent – collect geolocational information from your mobile Device or wireless carrier and/or certain third-party service providers. Such information is collectively called the “Geolocational Information.” Collection of such Geolocational Information occurs only when the Service is running on your mobile Device.
So since the message is not stored on the corporate server, and it disappears from the App after it is read on the device, does that mean digital forensics on the device are useless?  The answer is, "That depends."

It depends on what you are trying to collect.  It will depend on many aspects of the Operating System (iOS/Android) and whether there is a "forensic wipe" capability for use on the device.  There are dozens of dependencies here. However, is that really the issue at hand?

Off-the-record communications take place on a daily basis, from "Party A" to "Party B".  Typically this is done verbally.  Now there are a myriad of new phone Apps that are trying to mimic this same practice using encryption and self-destruct modes.  These provide secure and private communications from digital device to device.  What this is really about is called evidence.
Evidence
Law. data presented to a court or jury in proof of the facts in issue and which may include the testimony of witnesses, records, documents, or objects.
It may be time for the CxO to educate the enterprise about the use of these new Apps as it pertains to corporate "Off-The-Record" conversations.  The formal or informal method for doing so should include:

1.  A review of the risk of using untested, unauthorized apps for corporate communications.

2.  A dialogue on what is evidence.

3.  A set of "Use Cases" that will illustrate to the potential end users why these apps do not circumvent eDiscovery.

Some may argue that when a subpoena is presented, that there is nothing to hand over.  Are you sure about that?
The cautionary tale that many reference is the case of Hushmail, an encrypted mail service that used to claim that "not even a Hushmail employee with access to our servers can read your encrypted email, since each message is uniquely encoded before it leaves your computer" — words that echo Wickr's own proclamations. Sell tells Mashable that Wickr's "architecture eliminates backdoors; if someone was to come to us with a subpoena, we have nothing to give them." 
As it turned out, Hushmail wasn't so impenetrable. In 2007 it was revealed that, actually, Hushmail could eavesdrop on its users' communications when presented with a court order.

07 March 2009

Compliance: Workplace Security, Ethics & Governance...

Bernie Madoff clones and the 11,000 other unregulated investment advisors across the US will be subjected to increased scrutiny in 2009 and beyond. The SEC, FINRA, US Treasury FINCEN, FBI and the tribe of banking regulators are all gearing up for audits, inspections and more granular forensic accounting examinations.

Fraud and the corruption of corporate America are hard to detect. Even more difficult when the watchdogs are too busy or without the resources to do the job effectively. Post-Enron, with the whole SOX wave of documentation, controls implementation and testing, the Big Four accounting firms were very busy.

The cases are among a series of recent alleged frauds at financial firms. While they have been handled differently, they have shined a light on loopholes in federal regulations, such as fragmented regulations governing brokers, investment advisers, auditors and other firms. And the cases have underscored obstacles facing authorities, including inadequate resources for detecting wrongdoing and difficulties in gaining access to foreign financial accounts.

"Reform is needed to close the existing regulatory gaps that expose investors to risk," said Richard Ketchum, chief executive of the Financial Industry Regulatory Authority, Wall Street's self-policing agency.

SEC Chairman Mary L. Schapiro is looking to work with lawmakers to overhaul the nation's financial regulatory system. This week, the SEC announced that it would partner with a government-funded research center to study ways to better assess the thousands of tips and complaints that come in each year. The House and Senate plan to consider legislation as early as late spring that would bring all financial activities under federal regulation. The details, however, aren't clear.

At the SEC, Schapiro plans a new focus on spotting fraud and other market manipulation early on. She plans to create a large team to seek out where abuses might be occurring. Then she plans to direct the SEC's limited examination staff toward those places. "We've got to be able to conduct risk assessment that allows us to understand where problems might arise and connect the dots between different problems in different places -- whether they're generated by different products, different firms or different trends in the economy," Schapiro said in a recent interview.


The internal threat to your institution from your own employees, who may do you harm intentionally or not, is just a core factor in day-to-day Operational Risk Management. Where it gets more interesting to plaintiff lawyers is when there is a clear pattern of ignorance or just plain lack of resource allocation or funding for policing the organization. The even more vulnerable facet of the OPS Risk mosaic could be the supply chain of companies and people who represent the vital outsourced functions. How many mission-critical components of running your business have you handed over to call centers, ISP and hosting companies, distribution and delivery, and back-office administration including accounting and payroll?

One of the key areas of due diligence long overlooked at these investment advisers is the supply chain of feeder firms. The alternative investment industry has its reach into the accountants and tax advisory services for a good reason. They are the ones who prepare your tax returns. Their insight into your cash flow, ability to invest and necessity for potential hedging of tax liability gives them the opportunity to be great referral agents. How many times has your tax advisor recommended you go see a friend in the alternative investment industry?

Creating awareness among the ranks of corporate America that everyone is going to be under the magnifying glass won't change the motivators:

  • Money
  • Ideology
  • Compromise
  • Ego

Economic challenges inside the corporation or on the home front can increase exposure to heightened threats in the workplace. These include violence, fraud and product theft at a minimum. However, the greatest asset of value being attacked, stolen and sold to the highest bidder is information. Corporate espionage and good old-fashioned competitive intelligence are a 21st century Operational Risk Manager's nightmare.

Workplace Security, Ethics and Governance programs will continue to be a focus for auditors and inspectors general. A lack of evidence of effective and robust efforts to deter, detect, defend and document within the confines of the institution could be a differentiator when it comes time for any sentencing guidelines to be considered.

§8B2.1. Effective Compliance and Ethics Program

(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation - Organizations), an organization shall—

(1) exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

22 October 2008

EESA: Oversight & Legal Filings...

What is on the mind of GCs in the United States and United Kingdom? What are they saying about the costs of litigation, labor and employment, the financial/subprime crisis, regulatory investigations and FCPA, e-discovery preparedness and patent infringement claims? A Fulbright & Jaworski 5th year survey gets the answers from 350 senior-level executives.

Lawsuit fears also vary across the United States: California companies have qualms about employment cases; Northeastern companies worry about environmental cases; and Southern companies expressed concern about class actions and products liability lawsuits.

The survey responses indicate that lawsuit filings ultimately vary by industry.

During the past year, two-thirds of insurance companies reported at least six new lawsuits, followed by 55 percent of retail companies.

Manufacturing companies were the third most sued industry, with 54 percent facing six new claims. Health care providers followed closely behind with 52 percent reporting a half dozen new cases.

Two industries were far less likely to face multiple lawsuits in one year.

Thirty-seven percent of financial services companies reported six new lawsuits compared with 30 percent of technology firms.


Somehow we think the financial services companies are going to see a large spike in the next nine months. The SOX cases will be tested and there will be a few that won't get settled. The outcomes will set the precedent for Corporate Governance related suits for years to come.

Keep an "eye" on this one. Part of the new EESA legislation will have some kind of IG and oversight. This will be keeping the legal teams busy:

7) Compliance: The law establishes important oversight and compliance structures, including establishing an Oversight Board, on-site participation of the General Accounting Office and the creation of a Special Inspector General, with thorough reporting requirements. We welcome this oversight and have a team focused on making sure we get it right.

The Special Inspector General's purpose is to monitor, audit and investigate the activities of the Treasury in the administration of the program, and report findings to Congress every quarter.


The "TARP" Inspector will have their hands full and since they are appointed by the President, you can be sure that they will not be too partisan.

22 November 2007

The GC: The Truth Can Be Adjusted...

If you are a General Counsel (GC) today for an organization doing business on a global basis, your Blackberry must be "buzzing" every few minutes. The legal risk being encountered will always be a factor of the number of deals, the number of employees and the growing number of countries you do business in.

As a corporate GC of a global enterprise, you have a fiduciary responsibility to protect the enterprise from adversaries such as the rogue employee, the government regulator, competitors and plaintiff class actions. The Rule of Law in your organization is in your hands. How you transfer the "Talking Points" on ethics and legal messages to your employees, partners, suppliers and adversaries is critical. The effectiveness of your relationship with internal CSO, CISO and Internal Audit leadership could mean the survival of the company and your job.

In the latest Hollywood movie Michael Clayton with George Clooney, he plays the role of a prominent law firm's "Fixer." He finds himself taking care of the messes corporate clients put themselves into and even the internal firm problems with senior litigators who have decided to do secret battle with a prominent client's General Counsel. The GC in this film takes every precaution to ensure the settlement of a pending class action suit that has consumed over 30,000 billable hours at Michael Clayton's law firm.

While this fictitious story displays the extremes of the world many GCs live in with their outside counsel, it sets the stage for gaining insight into the legal ethics and corporate challenges global institutions face on a continuous basis. The Yin / Yang of corporate compliance and governance is consistently wrestling with the pressure to save people from losing their reputations and the longing to do the right thing. The goal is to achieve a defensible standard of care and to have peace of mind: to be able to stand behind the fiduciary duty to uphold the law and enforce the rule of law in corporate business.

When was the last time a GC took the "Ethics" and "Rule of Law" program directly to the employees in face-to-face sessions, giving the employees, partners or suppliers a first-hand opportunity to meet, greet and engage with the General Counsel of the enterprise? By doing this you are directly engaging with the people on the front line to be the "eyes and ears" for the company, the early warning system of potential conflicts of interest, fraud and corruption. As an example, Scott Chaplin at Stanley Associates says this:

"I deal with a wide range of issues on any given day. I support not only our business operations but also corporate support. Our recurring issues include corporate governance and securities, and we're active in the mergers and acquisitions area -- we've done several deals recently. I handle labor and employment issues on a daily basis, along with government contracts issues, litigation, IP and compliance work. I'm also the ethics officer for the company, responsible for our ethics compliance program, as well as secretary of our board of directors, where I act as legal adviser to the board."

"I recently completed our annual ethics training at a number of our offices. After each training session, I would have a line of employees waiting to speak with me about various issues. That got me thinking that a lot of employees don't feel they have a direct line of communication to me at corporate. They might not feel that the issue is important enough to bring up with the GC. It made me realize that in-house lawyers need to get out of headquarters more often and go to the employees, instead of waiting for the employees to come to us. We have to get out to the field and foster the client relationship a little bit more."

Scott is absolutely correct, and what better time to emphasize SOX Section 806. Protecting the rights of corporate whistle-blowers is the GC's responsibility, in combination with an external ethics hotline for employees. While there have been plenty of other people calling for reform of other burdensome and expensive components of SOX, no one is going to touch Section 806. Employees don't understand the implications of the law, and corporate management can't underestimate the impact of this in terms of the potential litigation it may face.

Achieving a Defensible Standard of Care requires a General Counsel with the vision to address a spectrum of legal and ethical risks in the modern enterprise. When this is finally accomplished, the Michael Claytons in law firms around the globe will be looking for a new career.

17 July 2007

4GW: Trusted Information Class Actions...

The SEC is in the middle of a Supreme Court battle and they have called in the "A" team to assist. Former SEC officials William H. Donaldson, Arthur Levitt and Harvey J. Goldschmid want to expand investors' abilities to sue in frauds:

The big-money issue has mobilized lawyers who bring class-action lawsuits and the companies and executives they target in one of the most important securities-law issues to reach the Supreme Court in years.

In cases in which fraud-ridden corporations have filed for Chapter 11 bankruptcy protection, investors may not be able to wrest money from the company itself. Lawsuits against business partners and advisers such as accountants and lawyers may present the only rich and viable option for shareholders and plaintiff lawyers, experts said.

What have we learned since Enron? Do we not have a more ethics-based atmosphere at the professional services firms? In the long run, will investors be better off with the ability to sue the advisors of the companies as accomplices to wrongdoing? You can bet that if the US Chamber of Commerce has its way, the SEC is in for a real fight on this one.

Some people are behind bars. Some companies are out of business. And the Dow is again at an all-time high nearing the 14,000 threshold. All of the legislation, class actions and fraud allegations are about one thing. Information. Trusted Information.

A number of trends focused on corporate data continue to distract today's IT departments. Shareholders are clamoring for more transparency as a result of the financial scandals that have shaken confidence in corporate governance around the world. Compliance legislation such as the U.S. Sarbanes-Oxley Act (whose impact is reaching far beyond the U.S.) can result in jail sentences for executives who - even unintentionally - report erroneous information. New privacy laws around the world restrict the use of customer information. Increasing global competition has put pressure on organizations to use their expensive information assets more strategically.

All these issues can be summed up in a single concept: trusted information. Simply accessing data is no longer enough. Today's CEOs, CFOs and knowledge-workers must be able to reliably track the information they use for decisions back to the original source systems in order to ensure its timeliness, accuracy and credibility.

Over the last decade, organizations have invested millions of dollars in systems to collect, store and distribute information more effectively. Despite this, information users at all levels of the organization are often uncomfortable with the quality, reliability and transparency of the information they receive.

Today's organizations rarely have a "single view of the truth." Executives waste time in meetings debating whose figures are correct, rather than what to do about the company's issues. Additionally, they worry about the consequences of making strategic decisions using the wrong information, directly impacting the long-term survival of the organization.

This brief essay by Jeffrey Ritter discusses the compelling forces converging at the beginning of the 21st century that are shaping the need to consider trusted information as a vital asset that should be the priority of any organization:

As the 21st century accelerates, digital devices connected to the Net will continue to be indispensable to modern life. But those devices, and the services provided through them, remain vulnerable to human judgment—the 21st century winners will be those who earn and sustain the trust of those using the devices and the services—whether those are consumers, employees, shareholders, lenders or service providers.

When the law intersects with the validity of information, the corporate battle lines are drawn. Think about how much time and how many dollars are spent proving or disproving the integrity of information in a court of law. Those organizations who know that they are in the "4th Generation Warfare" (4GW) era will survive only if they can grasp this concept. Fourth Generation Warfare removes the front entirely. Attackers rely on a barrage of information salvos and coordinated incidents to paralyze or erode the adversary's political will, rather than seeking decisive hand-to-hand combat. Does this sound familiar to your General Counsel?

We are not talking about Al Qaeda now. We are talking about the class action "Army" that is forming the strategy and the means to wage unconventional battles against your trusted information. Or is it?

06 April 2007

Ethics: The Tone at the Top...

Have you had your annual check-up? Is the health of your organization improving or on the way to a potential loss of reputation?

Boards of Directors are consistently talking about how they can create the correct "Tone at the Top" when it comes to ethics and compliance. Global corporations realize the importance of these issues in order to create a focus on competitive advantage and other new "Carrots" rather than the old motivators of fear, uncertainty and doubt (the FUD Factor). Employees who are "Beaten with a Stick" in order to comply with federal laws and state rules of conduct are looking for new vision and new methods to improve the health of organizational ethics. An interview with Perry Minnis, Alcoa's Director of Ethics and Compliance, highlights this point:

Organizations have always confronted ethics problems, but it seems that only in the last 25 years or so that ethics has grown from an academic discipline into a mandatory department at most corporations. How has this happened?

I believe the heightened awareness can be attributed to several factors: the defense contracting scandals during the Reagan Administration; the issuance, in the early 1990s, of the Federal Sentencing Guidelines, which established criteria for assessing the completeness of ethics and compliance programs; the emergence of high profile scandals - Enron, Tyco, WorldCom, etc.; and the passage of the U.S. Sarbanes-Oxley Act and the associated provisions of the New York Stock Exchange and SEC requirements. Plus companies now have a general sense that a reputation for ethical behavior is a competitive advantage. It engenders customer loyalty and employee allegiance.

Mr. Minnis and other officers like him who are charged with creating the right "Tone at the Top" must cooperate with a multitude of players within the enterprise to address this cultural awareness. Part of this strategy should include the check-up for fraud and the signs that it may be present in certain business units or processes within the organization.

In this Fraud Prevention Check-up tool we are especially pleased to see question number 7:

To what extent has the entity established a process to detect, investigate and resolve potentially significant fraud? Such a process should typically include proactive fraud detection tests that are specifically designed to detect the significant potential frauds identified in the entity’s fraud risk assessment. Other measures can include audit “hooks” embedded in the entity’s transaction processing systems that can flag suspicious transactions for investigation and/or approval prior to completion of processing. Leading edge fraud detection methods include computerized e-mail monitoring (where legally permitted) to identify use of certain phrases that might indicate planned or ongoing wrongdoing.
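The "audit hooks" the check-up question describes are pre-commit checks inside the transaction system that hold or flag a payment before it completes. The following is an added illustration, not code from the Fraud Prevention Check-up or from this post; the rules, thresholds, vendor records and sample transactions are all constructed assumptions.

```python
"""Audit hook: screen a payment against fraud indicators before it is released.
All thresholds, rules and sample data are constructed for this illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

APPROVAL_THRESHOLD = 10_000.00   # assumed: at or above this a second approver is required
NEAR_THRESHOLD_BAND = 0.05       # assumed: within 5% below the limit looks like splitting
NEW_VENDOR_DAYS = 30             # assumed: vendors younger than this get extra scrutiny

@dataclass
class Vendor:
    vendor_id: str
    created_on: date
    created_by: str

@dataclass
class Transaction:
    txn_id: str
    vendor_id: str
    amount: float
    invoice_no: str
    entered_by: str
    approved_by: Optional[str]
    posted_on: date

@dataclass
class HookResult:
    decision: str                      # "release", "hold" (needs approval) or "flag" (investigate)
    reasons: List[str] = field(default_factory=list)

_SEVERITY = {"release": 0, "hold": 1, "flag": 2}

def _escalate(current: str, new: str) -> str:
    """Never downgrade: flag beats hold beats release."""
    return new if _SEVERITY[new] > _SEVERITY[current] else current

def audit_hook(txn: Transaction, vendors: Dict[str, Vendor],
               history: List[Transaction]) -> HookResult:
    """Evaluate one transaction before it completes processing."""
    result = HookResult("release")
    vendor = vendors.get(txn.vendor_id)

    # Segregation of duties: the user who entered a payment must not approve it.
    if txn.approved_by is not None and txn.approved_by == txn.entered_by:
        result.reasons.append("entered and approved by the same user")
        result.decision = _escalate(result.decision, "flag")

    # The vendor master file is a control; a payee outside it is a red flag.
    if vendor is None:
        result.reasons.append("vendor not in vendor master file")
        result.decision = _escalate(result.decision, "flag")
    elif ((txn.posted_on - vendor.created_on).days < NEW_VENDOR_DAYS
          and vendor.created_by == txn.entered_by):
        # Same person created the vendor and is now paying it: fictitious-vendor pattern.
        result.reasons.append("payment to a vendor recently created by the same user")
        result.decision = _escalate(result.decision, "flag")

    # Duplicate invoice number for the same vendor: double-payment pattern.
    for prior in history:
        if prior.vendor_id == txn.vendor_id and prior.invoice_no == txn.invoice_no:
            result.reasons.append(f"duplicate invoice {txn.invoice_no} (see {prior.txn_id})")
            result.decision = _escalate(result.decision, "flag")
            break

    # Just under the approval limit: possible splitting to dodge the second signature.
    if APPROVAL_THRESHOLD * (1 - NEAR_THRESHOLD_BAND) <= txn.amount < APPROVAL_THRESHOLD:
        result.reasons.append("amount just under approval threshold")
        result.decision = _escalate(result.decision, "hold")

    # Over the limit with no approver: cannot complete until someone signs off.
    if txn.amount >= APPROVAL_THRESHOLD and txn.approved_by is None:
        result.reasons.append("above approval threshold with no approver")
        result.decision = _escalate(result.decision, "hold")

    return result

def screen_batch(txns: List[Transaction], vendors: Dict[str, Vendor],
                 history: List[Transaction]) -> Dict[str, HookResult]:
    """Run the hook over a batch; each screened transaction joins the history so
    duplicates inside the same batch are also caught."""
    results = {}
    for txn in txns:
        results[txn.txn_id] = audit_hook(txn, vendors, history)
        history.append(txn)
    return results

# Constructed sample data: one long-standing vendor, one brand-new vendor.
SAMPLE_VENDORS = {
    "V100": Vendor("V100", date(2022, 1, 5), "carol"),
    "V200": Vendor("V200", date(2022, 9, 1), "dave"),
}
SAMPLE_HISTORY = [Transaction("T001", "V100", 4200.00, "INV-7781", "alice", "bob", date(2022, 9, 2))]
SAMPLE_TRANSACTIONS = [
    Transaction("T002", "V100", 4200.00, "INV-7781", "alice", "bob", date(2022, 9, 10)),   # duplicate
    Transaction("T003", "V100", 9700.00, "INV-7800", "alice", None, date(2022, 9, 10)),    # near limit
    Transaction("T004", "V200", 2500.00, "INV-0001", "dave", "bob", date(2022, 9, 12)),    # new vendor
    Transaction("T005", "V100", 12000.00, "INV-7802", "alice", "alice", date(2022, 9, 12)),  # self-approved
    Transaction("T006", "V100", 1250.00, "INV-7803", "alice", "bob", date(2022, 9, 13)),   # clean
]

if __name__ == "__main__":
    for txn_id, res in screen_batch(SAMPLE_TRANSACTIONS, SAMPLE_VENDORS, list(SAMPLE_HISTORY)).items():
        print(txn_id, res.decision, "; ".join(res.reasons))
```

The hook only returns a decision; the workflow that routes "hold" to an approver and "flag" to an investigator is the organization's own control design.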

The use of automated tools to help prevent fraud from occurring will continue to be just that, a tool. It's imperative that anyone utilizing such mechanisms for early warning remember the taxonomy for an "Incident:"

"Attackers use tools to exploit vulnerabilities to create an action on a target that produces an unauthorized result to obtain their objective."

While the ethics and compliance department teams up with the IT and Security departments to create the policies and implement the tools to deter, detect and defend against fraud, the opposing force is also gaining ground. Hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs are using their own tools to test and to exploit your vulnerabilities.

The three areas that you need to focus on continue to be:

  • Design
  • Implementation
  • Configuration

Whether it is through physical attack, information exchange, user commands, scripts, programs, autonomous agents, toolkits or data taps, you can be assured that these tools are being utilized to exploit you. They are being directed at the design, implementation or configuration of your "Controls" in order to achieve the action they desire:

  • Probe
  • Scan
  • Flood
  • Authenticate
  • Bypass
  • Spoof
  • Read
  • Copy
  • Steal
  • Modify
  • Delete

All of these actions are directed at their target: accounts, people, processes, data, components, computers, networks or internetworks. They are looking for an unauthorized result:

  • Increased Access
  • Disclosure of Information
  • Corruption of Information
  • Denial of Service
  • Theft of Resources

And sadly, when you boil it down to the reasons or objectives they seek to achieve, it usually falls into one of four categories:

  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage

Once you understand the entire taxonomy of an "Incident" you are far better equipped to prevent and preempt attacks on your valuable corporate assets. Equally as important is the "Tone at the Top" to set the foundation for an environment that employees embrace and will protect at all costs.

18 March 2007

Corporate Fraud: Revenue vs. Risk...

It's been over five years now since the "Black Monday" at Enron. Volatility in the markets over the sub-prime mortgage industry has investors a little nervous. Operational Risk Executives are hoping that this is not a deja vu moment.

Though the main Enron characters have received their prison sentences, there's no closure for corporate fraud. Sherron Watkins, Enron's sentinel, describes the debacle's details and warns that it could happen again.

Dec. 3, 2001. Black Monday. The day that Enron declared bankruptcy. CEO Ken Lay had left a voice mail on the phones of all Enron employees asking they come into the office regardless. Nearly 5,000 were called to a massive meeting and told that the paychecks that they had recently received would be their last. Three weeks before Christmas.

In August of that year, Sherron Watkins, an Enron vice president, had sent an anonymous memo to Lay that read, "I am incredibly nervous that we will implode in a wave of accounting scandals."

Of course, that's exactly what happened. After the company's demise, the investigating U.S. Congress discovered Watkins' memos to Lay and other top executives. (After sending the memos, she had met with Lay with no results.) Watkins was soon lauded as an "internal whistle-blower," brought before Congressional and Senate hearings to testify against her former bosses, and heralded by TIME magazine as a "Person of the Year," with WorldCom's Cynthia Cooper and the FBI's Coleen Rowley.

With the chaos going on in sub-prime lending in the United States, the concern is that suddenly the liquidity that fueled this past boom is about to "Go South". Will there be any issues that surface about the fraud imposed upon consumers over the terms and conditions of the loans they signed to become part of the American Dream? Are there any "Sherron Watkins" sitting there in their offices today wondering how they can become the next "Whistleblower" to make it to the cover of Time Magazine?

Only time will tell whether any of the volatility in these companies has a ripple effect in markets for the long term. Yet the culture that exists today inside those organizations must be tense and certainly there are a handful who wish there was a way they could make it all go away. So what advice would Sherron have for anyone feeling this way at their institution in a role of Operational Risk Management?

If you ever were to go back to a corporate executive position, what kinds of things would you ensure would be set in place before you took the job?

In addition to the zero tolerance policy I've already mentioned for ethically challenged employees, I'd be sure that the company had a mechanism for bad news to get to the top and had effective policies and procedures for dealing with that bad news. I would also verify that the company's control and risk personnel had autonomy and equal power with top revenue executives. I would want to see that top management values the control and risk management function. I would want to make sure they recognize that control and risk personnel will not be the most popular and that the problems the company avoids as a result of the work of these groups will never be quantified.

Think about what she is saying here. Control and risk personnel need to have equal power with the executives who are bringing in the revenue. This means that the powerbase of the sales and marketing team would need to be on par with the Internal Audit and Risk Management executives. This culture shift is harder to achieve than one would think. Egos aside, the people who make it their job to worry about losses and to mitigate risks day in and day out are just not used to waving the big black flag of doom. Everybody loves to hear that the business has been won, the competition defeated and the company just closed the biggest "Deal" in its history. Let the spin doctors in Marcom get the Press Releases flying!

It has been said before: the tone starts at the top. The CEO and Board of Directors who are cognizant of the necessity for effective risk management objectives must also create a balanced powerbase at the top, balancing the "revenue generators" with the "loss mitigators." So who are some of the people who deserve greater exposure in this newborn culture shift?

  • Director of Information Security promoted to CISO. (Chief Information Security Officer)
  • Director of Corporate Facilities to CSO. (Chief Security Officer)
  • Director of Regulatory Affairs to CCO. (Chief Compliance Officer)
  • Director of Privacy to CPO. (Chief Privacy Officer)
  • Director of Human Resources to CHO. (Chief Humanity Officer)

If the CEO thinks that this is too many chiefs in the "C" Suite, then what about the idea of creating an Executive Office of Operational Risk Management (ORM)? This would be on par with the Chief Financial Officer and might even include the Chief Information Officer. The top ORM officer would be on par with the EVP of Sales or Marketing and, unlike the Chief Operations Officer (COO), would be focused on the effectiveness of risk controls and not so much on the efficiency or uptime of corporate processes. What does Sherron think the moral is?

You've been asked this one numerous times, I'm sure, but what's the moral of the story?

Being an ethical person is more than knowing right from wrong. It is having the fortitude to do right even when there is much at stake.

27 February 2007

Whistleblower: The FCPA & Voluntary Disclosure...

Operational Risks involving people are happening every day in your organization. A problem may go on for a day, a week and sometimes years. But at some point someone has to tell someone, before it gets violent or the company loses any more corporate assets.

What is the anonymous phone number at your organization for phoning in "Whistleblower" information? Who is responsible for following through on investigations? How do you ensure employee confidentiality and protect against any possible reprisals?

In most cases the report comes in by phone and not by some other method. It is rarely a hoax, and over half of the time the hotline is keeping tabs on the subordinate / management battle.
What's the best way for an employee to blow the whistle on fraud or related infractions? The most popular way seems to be via hotlines or similar reporting tools. According to a joint report from the CSO Executive Council, an organization of corporate and government security executives, and The Network (a hotline provider), almost two-thirds of the nearly 200,000 reports it studied were made via hotlines without first alerting anyone in management.

Few of those alerts prove to be false alarms. The study, which tracked incidents at 500 organizations over the past four years, found that 65 percent of the reports were serious enough to warrant investigation, while 46 percent led to some type of action being taken. Corruption and fraud accounted for 10 percent of the incidents, well behind personnel-management situations (51 percent). Company and professional-code violations accounted for 16 percent and employment-law violations 11 percent.

Compliance with an effective Whistleblower program is just the beginning of developing a culture that has zero tolerance for the kinds of risks that give an HR manager or General Counsel constant nightmares. This is certainly the case on the front lines, where business is being transacted and deals are being cut on a global basis. Is there sufficient due diligence to determine whether any party to the transaction is in violation of the Foreign Corrupt Practices Act (FCPA)?
By definition, FCPA crimes generally occur thousands of miles outside of the United States. Why would counsel advise a corporate client to bring such activities to the attention of the SEC or the DOJ? Is it necessary to self-report when, as a good corporate citizen, the client has investigated thoroughly, corrected the problem, and taken substantive remedial measures including firing the wrongdoers and correcting the financials?

The possibility of a deferred prosecution agreement is a strategy utilized more often than you would think these days. In any case, SOX requires a Whistleblower program, and the next phone call may have to do with that big deal that closed last quarter. Why Voluntary Disclosure?
The DOJ's "Principles of Federal Prosecution of Business Organizations," commonly known as the "Thompson memorandum" and published in 2003 on the heels of SOX, also played a significant role in the surge of voluntary disclosures. The Thompson memorandum placed an "increased emphasis" on a company's cooperation with the government when considering whether to prosecute. Voluntary disclosures were an important part of that cooperation.

At the end of the day, all of the auditing will never catch the people who know the system. That is why the anonymous phone number can make all the difference in the mitigation of significant risks to your enterprise.