Showing posts with label White Collar Crime. Show all posts

10 January 2026

Risk Visualization: Enterprise Prevention...

When "Corporate Executives" start talking about how to reduce fraud and other critical Operational Risks across the institution, there is going to be plenty of debate.

Where do you focus your resources and investments in order to get the best ROI and economic value?

If you thought the pornographers were the leading edge of innovation on the AI Internet, there is a new breed of international criminals and corporate attackers that has emerged at the top of the pyramid.

Financial services organizations are taking an enterprise view of global risk prevention to try to keep ahead of these increasingly clever and technology-oriented crooks.

Having an enterprise view of holistic risk is the "Holy Grail" and some would say that focusing on the account and not more on the customer is the wrong approach.

What is clear about the online evolution of fraud activity is that social engineering is working in the exploitation game. Hardening all of the systems with two-factor authentication or even IP Geolocation is just part of a layered risk strategy.

Working from within the walls of your institution trying to figure out how to protect your assets and your customers is merely a myopic strategy.

The attackers are moving too fast and have access to the same tools in their labs where they utilize their own methods and processes for exploiting the vulnerabilities in your latest applications.

Now that you have spent millions on implementing that new AML or fraud detection system, are you sleeping any better at night?

"True strategic analysis of risk and the convergence of relevant data makes scenario development, proactive planning and open source intelligence an area that requires consistent attention."

Simulations and evaluation of possible physical and digital exploits that haven't even been detected yet could provide the proactive and preventive advantage you have been seeking.

What is your latest hypothesis? Have you tested it effectively to determine the likelihood and impact of success? Training and practicing for the unknown and unthinkable puts you and your team in a more resilient mode to survive the next attack. Whether it's through the front door, the supplier's back door or through the copper wire into your customer's home or business office, detection is critical.

Anticipation and deterrence is imperative...

11 May 2019

Insider Threat: Corporate Integrity Culture...

Does your organization have a culture of "Corporate Integrity?" One can only wonder how these findings have changed since these results were published.

The depth and breadth of Operational Risks were apparent over eight years ago in the 2011 CyberSecurity Watch Survey by CSO Magazine, USSS, CERT and Deloitte.

The most common insider e-crime at 63% is unauthorized access to / use of corporate information. Here are the others:
  • 57% - Unintentional exposure of private or sensitive data
  • 37% - Virus, worms or other malicious code
  • 32% - Theft of intellectual property
When asked which electronic crimes were most costly or damaging the results were:
  • 38% - Outsiders
  • 33% - Insiders
  • 29% - Unknown
Regarding the "Insiders," of the reasons given for not referring the matter for legal action, the one that stands out in our mind is this one: 40% could not identify the individual(s) responsible for committing the eCrime. And maybe even more astonishing is that 39% did not have enough information, or lacked the evidence, to proceed with either civil or criminal litigation.

So what is really going on with these survey results presented so far? Even though 33% of respondents name "Insiders" as the most costly or damaging, they have done little to collect enough evidence to identify who the responsible parties are in the incident. This may be for several reasons, including the lack of internal expertise to preserve evidence and conduct timely investigations.

We have addressed the "Insiders" that make up one third of the digital incidents, yet what about the "Unknowns," who add an additional 29%? The combination of the two makes up 62% of all the incidents in the study.

This is where Operational Risk professionals can have a significant impact within the enterprise.

The unauthorized access to information and use of that information is at the center of this issue. By the time an organization realizes that this "information" has impacted them, the funds have already been stolen, the trades have been placed or the press has published a trade or national security secret.

Regardless of the high-tech tools utilized or the systems and controls within the organization, there are always methods and processes that, if properly implemented, will reduce the number of "Unknowns" and "Insider" threats.

In your particular case, it just may come down to developing more effective situational awareness with your employees.

Suppose you create a mandatory program for all employees that is focused on corporate integrity and each year the CEO kicks off the first session with their own attendance and their own direct reports, including the Board of Directors.

Next, all senior staff attend the program, and webcasts consisting of several 5-minute clips from the one-day session are posted on the corporate Intranet.

Finally, the roll-out to the remainder of the employees is tied to the annual 360-degree review that each manager does with their subordinates in the company.

Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report incidents and other integrity concerns.

Periodic training throughout an employee's career reinforces awareness and the cost of internal incidents.

If your organization does not currently have a program as we have described earlier, then maybe it's time to start one.

If you already have one in place, how effective is it in detecting the "Insider Threat" and the spectrum of Operational Risks within your organization...

19 August 2018

Information Threat: Battle for Superiority...

What continues to be the greatest economic threat to your organization? Is it "Internal" or "External" to your institution? Could it be both?

Insiders rarely work alone, and therefore a nexus with some outside influence, whether it be a person, life factors or some other entity, is typically in play.

Is an engineer in R&D copying precious intellectual property information from within the enterprise that could be worth hundreds of thousands or even millions to the highest competitive global bidder? Could your small business have an accounting supervisor who has been diverting funds to a private bank account for the past two years?

Would it be possible that a supplier or 3rd party partner is capable of inflating the number of billable hours on a project?

Whether it's IP Theft, Fraud or other white collar corporate malfeasance, these Operational Risks are real and growing at a double-digit percentage rate annually. The greatest economic threat to your organization could be complacency or an apathetic staff, who works without adequate resources and little communication with the Executive "Powerbase".

The compliance and oversight mechanisms are in full swing from federal governments around the world as highly regulated critical infrastructure organizations are implicated in a myriad of corruption, scandal, ethics and criminal matters.

Litigation is an Operational Risk for which many organizations have realized the necessity of more robust internal teams to address the continuous requests for information from the government.

There is one common denominator across all of the insider threats, external forces and other vectors that seem to be attacking our institutions night and day. That common denominator is "Information".

And underlying this is the data and metadata that all too often ends up being the key or clue to finding the "Smoking Gun" and the source or person(s) associated with the scheme or attack on the organization.

Managing information in a mobile and interconnected planet is a major issue in any global company. Providing the tools and the right information faster and more accurately than the competition can be the difference in your own survival on the corporate battlefield.

So how does the CxO suite even begin to address the risks, opportunities and resilience in our demanding "Information-centric" environment?

They believe in having a strong culture of ethics, training and continuous monitoring of employees, systems and their supply chain. They understand the importance of providing the vital resources to the people on the front line of risk management and to make sure that their early warning systems and methods are not compromised.

These CxOs are the new breed of organizational management, leveraging information to their most significant advantage:
Whether you are trading in a marketplace, analyzing assets on a map or manufacturing widgets and selling them to qualified buyers, operational risk management begins and ends with information. Managing that information effectively and more accurately than your competition is the name of the game. What have you done today to ensure your survivability in the face of the next crisis?

28 July 2018

Certainty: Solutions for an Unpredictable World...

As the moon rises on a distant horizon, vital leaders across our globe are gaining new strategic foresight to continuously adapt their enterprise.

The future horizons in the mid-2000's are now on their mind and for good reason. All of us are operating at increasing speed, in an unpredictable world:
What is the certainty that the Operational Risks in the next 20 years will be a replay of the variety and spectrum of loss events we have witnessed in the past 18 years? The difference is that they are accelerating. What have we learned? What are we doing about it? How are we changing? Why?

Solutions for resilience in motion in our "Unpredictable World" span the domains of people, processes, systems and external events.  Operational Risk Management (ORM) is a discipline that can be applied in most any size enterprise including government.

When you are seated around the meeting room with your leadership team, what do you see?  People who are in charge of teams, business units, departments, subsidiaries, portfolio investments and other assets of the enterprise.  You are counting on them to be prepared, to be predictive and to be proactive.  Are they?

You see, after all of the lessons learned and the After Action Reports (AAR) have been written and published, it seems to come back to the fundamentals.  It is history repeating itself.  Will our future world continue to be unpredictable?

If you said yes, then what are you doing about it?  Let's go back to that group of leaders sitting around the conference table.  Who have they engaged outside your enterprise to back them up to help them be more prepared, predictive and proactive?

The truth is, that you are behind the solutions curve.  Even your simple, yet effective Business Continuity Plan is outdated and gathering dust on the bookshelf.  The crisis team is far too preoccupied with the next news story or "Tweet," that may have an impact on the stock price.
The truth is, our unpredictable world is actually certain and we only have a limited amount of time until the next crisis, to prepare and adapt...

22 April 2018

Unthinkable: Adapting in New World Disorder...

Will 2018 bring more data breaches, lost laptops and insider threats than 2017? This is why CSOs, CPOs and corporate General Counsels have their teams working overtime.

When the enemy is increasing their attacks, utilizing new strategies and leveraging the existing base of compromised organizational intellectual and data assets, the future horizon becomes ever more clear. 

The statistics don't lie. 1,579 documented data breaches occurred in 2017, up 44.7% from the previous year according to reports by the Identity Theft Resource Center (ITRC). It is the new normal.

The Insider Threat Program (InTP) however, remains a key focus for Operational Risk Management (ORM) professionals because human behaviors are exaggerated during periods of stress, fear and uncertainty. This means that people who may have never considered doing something to jeopardize their reputations, may now be up against a wall.

When there is no obvious exit and no way out, people will do extraordinary things to get ahead, beat the odds and hedge their own risk portfolio of life.

In Joshua Cooper Ramo's book "The Age of the Unthinkable", "Why the New World Disorder Constantly Surprises Us and What We Can Do About It" the author discusses the concept of Deep Security. His analogy of how to think about "Deep Security" is the biological immune system:
"A reactive instinct for identifying dangers, adapting to deal with them, and then moving to control and contain the risk they present."
The key word in Ramo's writing is "Adapt".  Being Adaptive.  However, prior to this there are two other very vital words that we feel are even more imperative. Instinct. Identifying. In other words, Proactive Intuition.

Ask any savvy investigator on how she solved the case and you may hear just that, "I had a hunch."

Talk with a Chief Privacy Officer in any Global 500 company.  You might get them to admit they have a sense that their organization will be the target of an "Insider data breach" incident in the coming year or two.

Do you remember signing off that you had read and accepted the employee handbook? When did your organization last make changes to the Corporate Employee policies? We would start with updates to the following sections:
  • MEDIA CONTACT
  • SOCIAL MEDIA POLICY
  • REMOTE ACCESS POLICY
  • E-MAIL, VOICE MAIL AND COMPUTER NETWORK SYSTEM PRIVACY
  • (YOUR ORGANIZATION) RIGHT TO ACCESS INFORMATION
  • SYSTEMS USE RESTRICTED TO COMPANY BUSINESS
  • FORBIDDEN CONTENT
  • PASSWORD SECURITY AND INTEGRITY
  • INTERNET ACCEPTABLE USE POLICY
  • POLICY ON USE OF SOFTWARE
  • COMPANY PROPERTY
  • PROTECTION OF TRADE SECRETS/NON-DISCLOSURE OF COMPANY INFORMATION 
The increasing complexity of IT systems, cloud computing and data networks, together with the hundreds or thousands of laptops and mobile devices circling the globe with company executives and employees, is enough to predict that a major breach will occur.

Being adaptive and having proactive intuition in the modern enterprise does not come naturally. You have to work at it, and it requires a substantial investment in time and resources to make it work effectively. Proactive Intuition.

Once you realize that all of the controls, technology and physical security are not going to keep you out of harm's way, you are well on your way to reaching the clairvoyance of "The Age of the Unthinkable."

13 December 2015

Beware of the Cowboy: Risk Driven by Fear...

Beware of the cowboy. Operational Risk Management (ORM) spans the hazards on the flight deck of the USS Ronald Reagan (CVN 76), or behind enemy lines, or even employee behavior on the front lines of the private sector on Wall Street:
"The recent conviction of Michael Coscia in the Federal District Court in Chicago in the first prosecution for “spoofing” provides more clarity to high-frequency trading firms about how they can operate. The message is to tread carefully when a strategy depends on using orders that will be quickly canceled because the government may claim they are an effort to manipulate the market by fooling others into trading.

Spoofing was made illegal in the Dodd-Frank Act, which prohibits “bidding or offering with the intent to cancel the bid or offer before execution.”
Believe it when we say that people who try to be cowboys in your organization are operating without regard to risk. Now multiply the number of cowboys by the number of people that they surround on their team, who think that this is the way to operate. It doesn't take long to find out that these are the root causes of many of the operational risks in your organization. And it starts out with the basics even in the vast private sector beyond Wall Street:
  • Revenue is not booked according to the rules. Products sit in the warehouse, yet revenue ends up on the sales rep's commission report because (s)he had a signed order.
  • Assets are not valued correctly. Bank accounts are not validated to make sure they actually exist, and accounts receivable are inflated.
These are just two of the many facets of occupational fraud that start with a few cowboys who have little regard for managing risk and all the incentives to line their pockets with newfound cash or bonuses.

From Leadership Lessons of the Navy SEALS

The Cowboy
"Neither of us knows if such a thing has ever been tolerated in modern commando teams. Yes, sometimes you need to charge forward. But, there are simply too many potential casualties and too much political currency resting on commando missions to entrust one to a cowboy. Authorization for an operation depends on the accurate calculation of operational risk. This requires an assessment of proven forces ability to perform a task. All this is contrary to the cowboy philosophy of depending on experimentation, pluck, and luck in order to succeed."
"The problem with being a cowboy is that your bosses won't employ you if they can't trust you, and they can't trust you if they don't know what you'll do. And then you're stuck with the reputation."
        --LT. CMDR. Jon Cannon

You might think that the reason is ego or just plain greed. However, the real motive may not be so clear. More than likely, the motive is fear. And that fear is something that grows until it gets to the point of creating harm, loss and destruction. You have to find the cowboys in your organization and you have to follow the mantra of quality gurus from years past, "Drive out Fear".

22 February 2015

Fear: The Elements of Prediction...

"Just as some things must be seen to be believed, some must be believed to be seen." "...so one way to reduce risk is to learn what risk looks like." --Gavin De Becker

These words from his book The Gift of Fear remind us of how many people talk about Operational Risk Management (ORM), mitigation and implementing risk controls without having any context. In order to truly understand something, you actually have to come face-to-face with it, experience it and feel it.

For every 100 people in your organization, how many are a risk? By that we mean the odds are high that an individual will do something, or be the target of an incident, that causes irreversible harm to themselves and/or the institution during their tenure as an employee.

The actuaries behind the insurance you purchase for different kinds of hazards or incidents in the workplace could give you some answers here. How likely is it that this kind of event occurs in this industry over the course of one year as an example? Certainly the ratios are known, otherwise the insurance product would not exist to protect you.

Predictive Analytics and processing of information to predict what has a high chance of actual occurrence is a whole other matter. In order to be predictive, you have to have actual experience and it has to be so innate that it now becomes more than just an intuition.

Some call it "self-talk" and others a gut feeling, but whatever it is, it got there because of your past experience. If it's more powerful than that, you may just be experiencing something we all know as "Real Fear". You have to realize that when you get that tingling sensation up the back of your neck, you are way beyond self-talk and into a whole new dimension of emotion.

De Becker's elements of prediction can help us figure out the likelihood of a prediction actually coming true:

1. Measurability - How measurable is the outcome you seek to predict?

2. Vantage - Is the person making the prediction in a position to observe the pre-incident indicators and context?

3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?

4. Context - Is the context of the situation clear to the person making the prediction?

5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?

6. Experience - Does the person making the prediction have experience with the specific topic involved?

7. Comparable Events - Can you study or consider outcomes that are comparable, though not necessarily identical, to the one being predicted?

8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?

9. Investment - To what degree is the person making the prediction invested in the outcome?

10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?

11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?
This OPS Risk professional has realized that these 11 elements exist in many of the risk management methodologies and systems experienced over the years. What is remarkable is the degree to which we see, time and time again, these elements being left out, avoided or just plain not utilized in organizations of all sizes and industry sectors.

It's time that CxOs revisit all of these elements in each of the Operational Risk Management (ORM) systems that are in place in their enterprise: from the front door to the intrusion prevention system, in the HR process from interview to termination, and from the training room to the board room.

Predictive Analytics is a science that comes in the form of an art. Make sure you have the people who are masters of the art and experts in implementing the science.

21 December 2014

2014 Reflections: Operational Risk Management Forecast...

As 2014 comes to a close and we look into the future of 2015, it is time to reflect. After 1000+ blog posts on the topic and discipline of Operational Risk Management (ORM), it seems like a blur. To start off this final post for the year, we looked back on our last post in December 2013. It is amazing to see how accurate many of our forecasts were for 2014.

Here are some of the Operational Risk Management blog posts that had the most page views this past year:

Cyber Domain: International Law of Asymmetric Warfare...

Memorial Day 2014: The Risk of Service is Understood...

Insider Threat: CSO Priorities...

1 WTC: Trust Decisions of Technology, Privacy and Rule of Law...

Veterans Day 2014: Leading the Enterprise to Victory...

Courage: Risk of Physical & Moral Fear...

Now for the ORM forecast. 2015 will provide new opportunity and a positive outlook not seen since 2007. The global investors are still bullish on the possibilities for long-term growth. The religious wars will continue to spark new regional conflicts, yet the super powers will continue to find common ground. Resilience to systemic failures will define what countries emerge as the next tier of global influence.

At the end of the day, we are all the same.  Love for our family and the constant anxiety of providing a safe, secure and nourishing environment for them to live out their days.  As we close our eyes each night to try to sleep, we plan our next day on managing the "Operational Risks" in our path ahead.

15 June 2014

TOC: The Implications of Consumer Privacy...

Operational Risks are pervasive in most every business, both large and small. A small business can learn a tremendous amount from the failures of large corporate enterprises. Privacy laws in the United States apply to all business owners, whether they be a sole practitioner or a soon-to-be corporation with a $100 Billion valuation. Operational Risk Management (ORM) is present in any serious business that makes important "Trust Decisions" on a minute-by-minute basis.

Consumer privacy, and the risks associated with protecting the personally identifiable information of clients, members and customers, is at stake. Learning the lessons from the organizations who have made changes and are working on a daily basis to comply with the regulatory frameworks can be very beneficial to all.

Beyond the cost of a breach of data, Operational Risk Management (ORM) professionals understand that human behavior is the reason behind many of these incidents. Employees and supply chain insiders, not clandestine hackers or malicious code sent from afar, can be the major threat. So what can a Chief Privacy Officer or CISO do to mitigate the risks of employees and their behavior? All of the education and awareness campaigns may help, but the "Trust Decision" process itself is the place to begin.

Information Governance, and the steps that are utilized to ingest or acquire and process that information, is also paramount. Hayley Tsukayama from the Washington Post highlights part of the issue:
Facebook came under fire Thursday from privacy advocates who say that changes to its ad network mark an unprecedented expansion of its ability to collect users' personal data. The advocates are also criticizing the Federal Trade Commission for allowing Facebook to make the changes and argue that the network's size gives it too much knowledge about its users.
Whether you are in the business of "Social Networking" like Facebook or you are the regional health care system in your state, the privacy of the consumer's information is at stake. Where that stolen information ends up, in many cases, is in the hands of "Transnational Criminal Organizations," where it becomes the lifeblood of their business operations to perpetuate their fraud schemes. These schemes are impacting the economic security of major organizations in the private sector, and so the U.S. government (USG) has ramped up in the past 3 years to address the threat. Combined with other factors associated with legitimate business operations, organized digital crime syndicates have infiltrated the country and are costing the United States billions of dollars per year.

Here are several actions USG will be taking as the TOC strategy continues to be enabled:

Action

  • Implement a new Executive Order to prohibit the transactions and block the assets under U.S. jurisdiction of TOC networks and their associates that threaten critical U.S. interests.
  • Prevent or disrupt criminal involvement in emerging and strategic markets.
  • Increase awareness and provide incentives and alternatives for the private sector to reduce facilitation of TOC.
  • Develop a mechanism that would make unclassified data on TOC available to private sector partners.
  • Implement the Administration’s joint strategic plan on intellectual property enforcement to target, investigate, and prosecute intellectual property crimes committed by TOC.
  • Enhance domestic and foreign capabilities to combat the increasing involvement of TOC networks in cybercrime and build international capacity to forensically exploit and judicially process digital evidence.
  • Use authorities under the USA PATRIOT Act to designate foreign jurisdictions, institutions, or classes of transactions as "primary money-laundering concerns," allowing for the introduction of various restrictive measures on financial dealings by U.S. persons with those entities.
  • Identify foreign kleptocrats who have corrupt relationships with TOC networks and target their assets for freezing, forfeiture, and repatriation to victimized governments.
  • Work with Congress to enact legislation to require disclosure of beneficial ownership information of legal entities at the time of company formation in order to enhance transparency for law enforcement and other purposes.
  • Support the work of the Financial Action Task Force, which sets and enforces global standards to combat both money laundering and the financing of terrorism.

The FTC is continuously working with companies like Facebook. The White House NSC is working on strategies that have a nexus with stealing consumers' information to exploit the financial system. Yet all of this will be for nothing if the private sector does not work in concert with government. Public-Private partnerships are in full swing and are making some progress.

In addition, nation-state industrial intellectual property theft and economic espionage has eroded our global competitive advantage in several industry segments. Ellen Nakashima explains:
A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion — or almost 1 percent of global income. 
The estimate by the Center for Strategic and International Studies is lower than the eye-popping $1 trillion figure cited by President Obama, but it nonetheless puts cybercrime in the ranks of drug trafficking in terms of worldwide economic harm. 
“This is a global problem and we aren’t doing enough to manage risk,” said James A. Lewis, CSIS senior fellow and co-author of the report, released Monday.
Changing people's behavior inside your own business will require substantial oversight and continuous education. Remain vigilant, at the risk of your organization's own peril!

16 November 2013

Insider Threat: Corporate Integrity Culture...

In August 2011, this Operational Risk Management (ORM) blog posted the following.  In light of the increasing impact of "Insider Incidents" in 2013, this is worth revisiting:

Does your organization have a culture of "Corporate Integrity?" The depth and breadth of Operational Risks are apparent in the 2011 CyberSecurity Watch Survey by CSO Magazine, USSS, CERT and Deloitte.

46% of the respondents said damage caused by "Insider Attacks" is more damaging than "Outsider Attacks". The most common insider e-crime at 63% is unauthorized access to / use of corporate information. Here are the others:
  • 57% - Unintentional exposure of private or sensitive data
  • 37% - Virus, worms or other malicious code
  • 32% - Theft of intellectual property
When asked which electronic crimes were most costly or damaging the results were:
  • 38% - Outsiders
  • 33% - Insiders
  • 29% - Unknown
Regarding the "Insiders," of the reasons that were given for not referring the matter for legal action, the one that stands out in our mind is this one:
40% could not identify the individual(s) responsible for committing the eCrime. And maybe even more astonishing is that 39% did not have enough information, or lacked the evidence, to proceed with either civil or criminal litigation.
So what is really going on with the facts presented so far? Even though the respondents say that "Insiders" are the most damaging, they have done little to collect enough evidence to identify who the responsible parties are to the incident. This may be for several reasons including the lack of internal expertise to preserve evidence and conduct timely investigations.

We have addressed the "Insiders" that make up one third of the digital incidents, but what about the "Unknowns," who add an additional 29%? The combination of the two makes up 62% of all the incidents in the study. This is where Operational Risk professionals can have a significant impact within the enterprise.
The unauthorized access to information and use of that information is at the center of this issue. By the time an organization realizes that this "information" has impacted them, the funds have already been stolen, the trades have been placed or the press has published a trade or national security secret. To narrow this down further, you might say the Fraudsters and the WikiLeakers are bringing the institution into a torrential storm of criminal activities.
Regardless of the high-tech tools utilized or the systems and controls within the organization, there are always methods and processes that, if properly implemented, will reduce the number of "Unknowns" and "Insiders."
 
In your particular case, it just may come down to developing more effective situational awareness among your employees. This educational and awareness-building process may also uncover individuals within your company who are already down a path of fraud, embezzlement, insider trading or corporate espionage.

Suppose you create a mandatory program for all employees that is focused on corporate integrity, and each year the CEO kicks off the first session by attending it personally along with their direct reports and the Board of Directors.
 
No one that we know of can explain the basis for this process better than Martin T. Biegelman:
"Obviously, a poor working environment provides a motive and rationalization to commit fraud. Here's a quick health check: does management appear not to care about their employees? Does it have unreasonable expectations or financial targets? Is the organization autocratic or participative? Is there a lack of training or promotion opportunities? Does management say one thing but do another? Are senior executives treated differently than rank and file employees when it comes to discipline?" 
"Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report fraud and other integrity concerns. Periodic training throughout an employee's career reinforces fraud awareness and the cost of fraud to an entity."
So what?
 
If your organization does not currently have a program as we have described earlier, then maybe it's time to start one. If you already have one in place, how effective is it in detecting the "Insider Threat" and the spectrum of Operational Risks within your organization?

04 May 2013

Offshore Strategies: Global Integrity Risk...

Global 500 organizations are managing Operational Risks across their respective enterprises, utilizing a portfolio of controls, tools and strategies. One of those strategies is getting more attention from nation states and treasury departments. Larger than Wikileaks, this ICIJ investigation is a digital peek behind the offshore strategy that is legal in many jurisdictions across the world:
An anonymous source has provided extensive insights into a worldwide network of tax evaders. 
Media in more than 30 countries are currently sifting through a mountain of data.
260 gigabytes of documents - that's the printed equivalent of 500,000 copies of the Bible. 
This is the massive amount of data that was passed on more than a year ago by an anonymous whistleblower to the International Consortium for Investigative Journalism (ICIJ) in Washington. More than two million emails and other confidential documents sketch a picture of a dubious shadow world. More than 130,000 people from 170 countries are alleged to have secreted their money in tax havens. Analyzing the data is a mammoth task that is still nowhere near completion.
The governance and the transparency that a global enterprise displays to its shareholders, employees and governments is continuously at stake. Some countries are considered more corrupt, and global organizations operating in those parts of the world must be more aware of the risks of doing business there.
Some other interesting revelations:
  • The largest shares of the people setting up offshore accounts live in China, Hong Kong, Taiwan, Russia or another former Soviet republic. 
  • In turbulent Greece, both the upper and middle class are increasingly keeping their money in undeclared accounts — a situation that finance officials have since vowed to investigate.
  • A number of the world’s largest collectors use offshore accounts to buy and sell art without paying taxes. 
  • Offshore accounts are popular in Russia, where President Vladimir Putin has repeatedly asked politicians to stop using them: the deputy prime minister’s wife and top managers of Russian military contractors and government-controlled companies are thought to have secret offshore investments. 
  • Offshore accounts are a major source of investment in China and Russia. China’s second-largest source of capital investment is the British Virgin Islands.
  • You can read the full ICIJ report here.
Billionaires and politicians are hedging risks on the advice of tax attorneys and accountants, using financial strategies that are as old as tax laws. Inside private business compliance and legal departments lies a vast staff of dedicated personnel who are tasked with mitigating risks to the organization. Some global enterprises, such as Siemens AG, have paid the price of a failed governance architecture. Today, those lessons learned are still being taught even as others are implicated in alleged wrongdoing:
IBM Says Justice Department Investigating Bribe Allegations
By Sarah Frier on May 03, 2013

International Business Machines Corp. (IBM) is being probed by the U.S. Justice Department over corruption allegations in Poland, Argentina, Bangladesh and Ukraine, adding to bribery charges from the Securities and Exchange Commission. 
The Justice Department is investigating whether IBM violated the Foreign Corrupt Practices Act, the company said in an April 30 filing (IBM). In Poland, the department is focusing on a transaction that the Polish Central Anti-Corruption Bureau already was studying, the company said. It involves allegations of a former IBM employee selling to the Polish government. 
The Justice Department probe adds scrutiny in new territory as IBM tries to settle with the SEC over activity in China and South Korea. The global reach of the investigation indicates that this isn’t an isolated matter, said Charles Elson, corporate-governance professor at the University of Delaware. 
“If it happens in one country, you can say it’s an individual,” Elson said. “If it happens in multiple, you have to ask, is it systemic? And how well was the compliance program put in place to prevent it?”
So what can a General Counsel, VP of Operational Risk, Chief Risk Officer or even the Audit Committee do in light of these continuous incidents? The trust that any person or organization has with its bankers, outside counsel, compliance subject matter experts, accounting advisors and management consultants is at stake. The integrity of the entire global payments and economic ecosystem is at risk. This source of systemic risk to governments, global enterprises, stock markets and average consumers is growing beyond control.

What can be done? The serious conversation going on right now between your independent counselors continues to focus on trust and the people who are behind that trust. You have got to have that serious conversation as a CEO, not with your first line of management Vice-Presidents, but several layers below them in the corporate hierarchy. Believe us when we say that, as the CEO, you can't see two layers below you, where all of the real work on daily transactions is getting done every day. You are not on the front lines, where deals are being made and information is being exchanged that can have a material impact on daily business.

You see, it really all still comes back to people communicating information ethically: how and when people act on that information, and why people behave the way they do when they learn it. As a CEO in charge of a global enterprise, you will never achieve transparency or integrity by controlling it from HQ on the executive floor or from your executive GRC analytics dashboard. Your only chance is to reach those people who are at the source of doing business in your line processes, not staff, but "line". The "line" is the lifeblood of daily business commerce and the power base for making a difference in how business is done and the integrity behind it. The future of your enterprise depends on these people communicating information that is true, validated and researched to uncover any possible errors, omissions or other ethical issues.

The power base of the global economy is constantly changing. The risks to the economic enterprise continue, and the investigations are just beginning. Offshore strategies are at the core of global integrity risk.

22 April 2012

Workplace Trust: Integrity, Ethics & Legal Risk...

Operational Risk Management professionals wonder about the "Tone at the Top" and the decisions at the latest Board of Directors meetings to ignore or investigate a whistleblower's claims of ethics or governance violations in the workplace.

The financial services companies have for years been the target of scrutiny for claims of fraud, mistreatment of consumers and violations of several U.S. federal regulations, many under further examination by the SEC. As time goes on in the evolution of malfeasance, you will find examples of wrongdoing in other private sector areas, such as the Defense Industrial Base (DIB), Retail and Information Technology (IT). Think about your own company and ask yourself how you treat and respond to the 800 number Ethics Line and those who staff the Internal Audit, Risk Management or Information Security departments. Are these enablers or impediments to your future success? Your answer may be a clue to the issue at hand.

The professionals in the Inspector General's office, the Operational Risk Management department and the General Counsel's office are also there for a good reason. Think about them as the last "Thin Blue Line" between your company becoming a success or falling into a cultural abyss that will plague the institution for decades. Steven Pearlstein explains from the Washington Post:

Steven Pearlstein: How could SAIC miss this?
Last week in these pages, The Post ran a profile of John Jumper, the straight arrow former Air Force general who was brought in as chief executive of local contracting giant SAIC in the wake of an embarrassing overbilling scandal involving bribery, kickbacks, foreign shell corporations and a safe deposit box stuffed with $850,000 in cash. 
A year ago company officials were publicly denying that there were any problems at all with its contract to build a new timecard system for New York City, which by then was so late and so over budget that “CityTime” had become a frequent target for the New York tabloids and political embarrassment for Mayor Michael Bloomberg. 
It was just last June that SAIC executives and directors first informed shareholders that there might be a little $2.5 million overbilling problem with the contract and that federal prosecutors had brought criminal charges against six employees of an SAIC subcontractor. Shareholders had to read deep into Note 9 of that quarterly report to learn that there might be “a reasonable possibility of additional exposure to loss that is not currently estimable” that “could have a material adverse impact” on the company’s finances.

This episode by one DIB contractor was not the first, nor will it be the last. One has to ask whether the advice these companies are getting from their outside counsel is always the right course of action. The government and the internal risk management departments are going to be continuously deluged with new whistleblower claims, not just because new laws are in place to protect them and to provide them with the incentives to come forward, but because good people are sick and tired of having their organization's reputation tarnished and their respective ethical practices jeopardized by a few bad cowboys or rogue actors. Yet now, the Retail sector is being taught a serious lesson regarding a potential FCPA violation by Wal-Mart. David Barstow at the NYT has this to report:

By David Barstow
Published: April 21, 2012
MEXICO CITY — In September 2005, a senior Wal-Mart lawyer received an alarming e-mail from a former executive at the company’s largest foreign subsidiary, Wal-Mart de Mexico. In the e-mail and follow-up conversations, the former executive described how Wal-Mart de Mexico had orchestrated a campaign of bribery to win market dominance. In its rush to build stores, he said, the company had paid bribes to obtain permits in virtually every corner of the country. 
The former executive gave names, dates and bribe amounts. He knew so much, he explained, because for years he had been the lawyer in charge of obtaining construction permits for Wal-Mart de Mexico. 
Wal-Mart dispatched investigators to Mexico City, and within days they unearthed evidence of widespread bribery. They found a paper trail of hundreds of suspect payments totaling more than $24 million. They also found documents showing that Wal-Mart de Mexico’s top executives not only knew about the payments, but had taken steps to conceal them from Wal-Mart’s headquarters in Bentonville, Ark. In a confidential report to his superiors, Wal-Mart’s lead investigator, a former F.B.I. special agent, summed up their initial findings this way: “There is reasonable suspicion to believe that Mexican and USA laws have been violated.”

Mitigation of Operational Risks in the workplace, such as fraud and corruption, is different than it is outside the enterprise. The difference is that corporate executives do not always believe that their own employees would behave this way. They can be naive about the reasons why fraud finds its way into the psyche of some of the organization's most trusted officers. Corruption, and the signs that an organization has lost its way from a place of cultural integrity to one that condones others looking the other way or helping to perpetuate schemes of wrongdoing, requires a massive organizational transformation, one that is led by focused and talented Operational Risk professionals.

But most of all, even if you have these professionals on your team already, there are still some important ingredients to achieving your own "Defensible Standard of Care":

1.  If you think you have funded the risk management department in your enterprise adequately, you haven't.  Do not confuse your outside audit function with your internal risk management function. 
2.  If you don't understand how your 800 number ethics line works and the outsourced organization that runs this, then you need to do so immediately. 
3.  If you have a favorite outside counsel to help you with investigations, it might be time for a check up.  Even more importantly, it might be time to get your outside counsel firms and your outside audit firms invited to a meeting of the minds on corporate integrity. 
4.  If you find any indications that 1 through 3 have been ignored, pushed aside or are giving you a false sense of security, then you might consider making a career change.

Tech Inc., a rapidly growing software company operating in 45 countries, learns that the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) are investigating payments made by its subsidiaries in Brazil and China for possible violation of the Foreign Corrupt Practices Act (FCPA). Bob, the general counsel for Tech Inc., suspects that the source of the investigation is an employee who anonymously lodged a hotline complaint alleging that the company was 1) paying independent sales agents excessive commissions and 2) providing generous discounts and rebates to some of its channel customers and distributors. The complainant also said he believed the problem extended beyond Brazil and China based on discussions he had with other employees.
14 April 2012

Too Big to Fail: Basel III to ID Theft...

Now that the Basel III wheels are in motion and the "Top 29" vital global banking institutions have been identified, Operational Risk Management is on everyone's mind. The capital reserves will continue to assist them in becoming more resilient to the systemic volatility ahead. Are you feeling the uncertainty starting to disappear? Not for a minute.

As these banking institutions try to withstand the economic impact of a nation state failure like Greece, the consumers who are the customers of the "Top 29" too big to fail are being simultaneously barraged and systematically targeted by international crime rings. Identity thieves have set up transnational operations that will continue to plague millions of consumers at these same banking institutions. Their own governments continue to try to deal with the nexus of criminal elements, consumer privacy and law enforcement. How bad is it for the U.S. Treasury, as one example:
Identity theft involving tax fraud is increasing faster than law enforcement and government officials can deal with it, according to testimony today before a House oversight subcommittee. Identity theft to scam fraudulent tax refunds from the government has increased 100 percent in just three years.
“As of Aug. 31 of this past year, IRS incident tracking reports indicated that the numbers of taxpayers affected by identity theft has more than doubled since 2008 to over 580,000 taxpayers this year alone,” said J. Russell George, Treasury Department inspector general for tax administration.
The crime has become too easy. It’s like a party, according to Rep. Richard Nugent, R-Fla., whose district has a problem with tax-related identity theft.
“Tampa Police Department has busted what the lawbreakers call ‘make it rain’ parties, where criminals get together in a hotel room with Internet access and file fake return after fake return,” Nugent told the committee.
How does paying out billions of dollars to these fraud crime rings, using your social security number and date of birth, increase the operational risks on our banking institutions? Everyone who is a consumer at one of these banks and a victim of fraud will one day deal with the aftermath. If the fraudsters are filing a fraudulent tax return that impacts you, then the odds are that you may end up paying a higher interest rate, and this will not be the only place they are using your ID Theft misfortune for financial gain.
For the victims of tax fraud identity theft, the people who had fraudulent tax returns filed in their names, getting the problem fixed and their lawful refund paid could take a year and a half.
“A typical path for an identity theft refund case that is not complex may take as long as 18 months to resolve,” said J. Russell George, Treasury Department Inspector General for tax administration.
The cost of dealing with Identity Theft has many dimensions: the protection of Personally Identifiable Information (PII); the fact that the IRS and law enforcement have difficulty sharing information about the consumers themselves due to privacy laws; the prevalence of technology and online Internet forums for buying and selling fraudulent identities; and the continuous salvo of attacks on financial institutions to compromise the cyber defenses they have established, which is a 24 x 7 battle.

To exacerbate the problem, the "Death Master File" (DMF) is the genesis of much of the Identity Theft and tax fraud when this information gets into the wrong hands. The U.S. Social Security Administration has been publishing this list of 90 million dead Americans since 1980 to help the "Top 29" fight fraud. At the same time, the Identity Theft fraudsters are using the same data to perpetrate their schemes:

Identity thieves are cashing in on dead children across the nation, stealing their Social Security numbers to collect fraudulent tax refunds from the Internal Revenue Service.
Grieving families — including the Watters family of Lake Forest — say their anguish is amplified by the realization that the crooks get help from an unexpected source: the Social Security Administration’s “Death Master File,” which records and lists information about everyone who dies in the United States.
Armed with the deceased child’s Social Security number and other personal information, crooks falsely claim them as dependents and have the refunds routed to them.

One reason that the financial institutions, government agencies and law enforcement are going in circles is that "Operational Risk Management" processes and tools are still not as robust as they could be. As the Basel III regulatory mandates kick in along with other new laws, methods and tools, all of the impacted parties will get better at deterring, detecting, defending and documenting in this complex information age.

In the meantime, consumer beware. Look long and hard at the "Top 29" list and decide if you need to move your funds somewhere else. And before you do, look at the online banking login page for that institution. Are they still using only a single-factor username and password? Multi-factor authentication is not foolproof, yet it does tell us whether the institution is serious about Operational Risks in the area of Information Security. This is a key indicator of their ability to keep your data out of the hands of the transnational eCrime rings.

Finally, you have to take the monitoring of your own identity, and all of your family members' identities, seriously. It will be far more proactive than anything else that will be done by governments or financial institutions alone. Regardless of how fast they implement the latest tools and technology, the fraudsters are moving just as fast. By adding your own diligence on top of the banking institution, government agency or other entity (Doctors / Lawyers / Dentists / Insurers) that may have your Personally Identifiable Information, you are decreasing your odds of becoming an Identity Theft and fraud victim.

Financial risks for the banks and the consumers will continue to be the current state of play. Basel III alone will not eliminate the threat of failure or the possibility of a serious bank fraud. Monitoring services or checking your credit report on a quarterly basis will not keep the ID Theft criminals from stealing your PII. Implementing both on a proactive and pervasive basis will make a positive difference over time. This is what Operational Risk Management is all about, in the global institution board room and at your own home office.

17 December 2011

Integrity & Ethics: Whistleblower Risk...

Operational Risk Management in your organization may be in need of a more robust awareness campaign. Malfeasance and ethical wrongdoing are continuously perpetuated in the workplace when those who are victims or witnesses refuse to speak up. Many fear retaliation by supervisors or other co-workers. This study emphasizes the issue at hand:

Labaton Sucharow LLP yesterday announced the results of its nationwide Ethics & Action Survey. Conducted by ORC International between November 17-20, the survey questioned 1,000 Americans on their knowledge of wrongdoing in the workplace and willingness to come forward and report it. With significant financial rewards and strengthened anti-retaliation and anonymity protections offered under Dodd-Frank, an overwhelming 78% of respondents indicated they would report wrongdoing in the workplace if it could be done anonymously, without retaliation and result in a monetary award. In fact, more than one-third (34%) of respondents knew about wrongdoing in the workplace. However, 68% were unaware that the Securities and Exchange Commission (SEC) has a new Whistleblower Program designed to protect and reward individuals who report violations of the federal securities laws.

This kind of Operational Risk doesn't have to involve insider trading or the SEC to be an issue. Do you have a controlling boss or a bully in the organization who uses their position of power to get what they want at any cost or to force you to look the other way? What facts point to their behaviors, and to the actions by others that contribute to a caustic and toxic workplace setting or further perpetuate the situation? Whether it is your Fortune 500 public company or your tiny 501(c)(3) non-profit does not matter. When over one-third of the respondents of the ORC Ethics and Action Survey knowingly ignore or are afraid to report incidents of wrongdoing or ethics violations, the culture is broken and in need of repair. The people who have the fiduciary duty to see that this kind of behavior is deterred also have the responsibility to provide the tools and the mechanism for those being victimized, and those who are observing the malfeasance, to anonymously defend themselves.

So what should you do as an Operational Risk professional to make sure this doesn't happen to the people in your respective organization? Here is a good start:

Many corporations have internal compliance programs for corporate misconduct. These programs are, in theory, designed to provide an audience for workers who want to report unethical or illegal corporate conduct. Whether to utilize internal compliance reporting procedures is not an easy question to answer. As a general proposition, some believe that where the wrongdoing is pervasive—as in the case of securities fraud—an internal compliance program will not provide an adequate means of redress. Some believe that where the issue involves massive overbilling to the Government, or an allegation that a corporation is receiving significant dollars in unlawful revenue through fraudulent conduct, the internal compliance system will not work.

It's imperative that you also become aware of, and communicate to employees and volunteers, what their rights are outside the formal processes that are in place within the organization. Sometimes the nature of the ethics violation will not fall neatly into a category that the internal compliance department handles.

So even "A Decade After the Fall of Enron," the laws and the rules provide us with a false sense of security from the corporate and workplace malfeasance that so many U.S. citizens are being subjected to on a daily basis. And based upon the current state of play around the Beltway in Washington, DC, you can expect that the coordination and cooperation is increasing by the minute.

The increased collaboration among the alphabet soup of enforcement and regulatory agencies is also due to a collateral effect of the current financial crisis: declining agency budgets. In the current downward budget cycle, agencies are working in concert more than ever before. This trend is exacerbated by a change in the mission of the FBI in the post-Sept. 11, 2001, world, shifting resources to counterterrorism and creating a need for other agencies to play an increased role. The overarching lesson from this increased collaboration is clear: Gone are the days that inside or in-house counsel can assume that the state or federal agency with whom they are dealing is acting alone; it is increasingly likely there are additional state or federal agencies involved, resulting in overlapping criminal, civil or regulatory exposure.

If you are charged with the position of the Senior Operational Risk professional in your organization, this topic of wrongdoing in the workplace cannot be overlooked any longer. It is not too late to create a "Defensible Standard of Care" and to turn the word "Integrity" into a cultural pursuit for all to aspire to, before it is too late.

19 September 2011

Occupational Fraud Risk: UBS Rogue Trader...

Kweku Adoboli is no different than any other person who commits fraud. At UBS, this trader understood the controls that were in place to prevent the kind of naked, unhedged bets that he was making in the market. UBS, like any other firm, is subjected to testing by people who are looking for the method and opportunity to circumvent the controls to commit fraud. Motivation is another topic.

In other words, this case very closely resembles that of Bernard Madoff, the man who has been described as the investment equivalent of Charlie Manson. Madoff told his clients, business partners and regulators that he was trading in a whole variety of stocks—when in fact the trades never took place. They were simply made up—as were the phony gains to client portfolios.

Here it seems that Adoboli was also able to simply make up trades and cover up the fact that he was not hedging. His trades involved UBS's funds, rather than that of clients. But if you are a UBS wealth management client you have to at least wonder whether any part of your portfolio is based on trades that were never actually made. If Adoboli could do it, certainly others could as well.

Now the question needs to be asked of their auditors. How is this possible? What controls failed, and why? The analysis of the incident will slowly unfold, and other firms in the industry will be examining the method and process that was utilized at UBS to perpetrate this fraud over the course of three years. When a fraud of this size is finally revealed, it is no different than the others that have preceded it. Many will ask about the systemic Operational Risk issues that may be prevalent within the UBS culture.

Three years ago it all began. And so goes the typical story line in the epic tales of fraud in the years past and the decades to come. Effective oversight and risk management walks a fine line between enabling innovation and insight and mitigating errors, omissions and significant losses. One thing is certain: the "Insider" threat in your organization exists today, tomorrow and next week. It's not going away regardless of the number of controls, personnel or systems put in place to eradicate its existence in your institution.

Whether this incident will end up in the Fraud Museum is yet to be determined. What is more certain is that traders around the globe are under a new spotlight and renewed scrutiny by oversight investigators. The goal now is to make sure that the combination of people, processes and systems is fine-tuned to the right tolerance levels and triggers for alerts. Only then will the correct balance occur between risk and reward.

What will certainly be an outcome of the investigation is the number of other people who will be implicated, either directly or indirectly, by the incident itself.

Jerome Kerviel of Societe Generale and Bernard Madoff will have a new member in the multi-billion dollar fraud club: Kweku Adoboli. What do all of them have in common, according to the Association of Certified Fraud Examiners (ACFE) in the Report to the Nations?

Perpetrators of Fraud

  • High-level perpetrators cause the greatest damage to their organizations. Frauds committed by owners/executives were more than three times as costly as frauds committed by managers, and more than nine times as costly as employee frauds. Executive-level frauds also took much longer to detect.
  • More than 80% of the frauds in our study were committed by individuals in one of six departments: accounting, operations, sales, executive/upper management, customer service or purchasing.
  • More than 85% of fraudsters in our study had never been previously charged or convicted for a fraud-related offense. This finding is consistent with our prior studies.
  • Fraud perpetrators often display warning signs that they are engaging in illicit activity. The most common behavioral red flags displayed by the perpetrators in our study were living beyond their means (43% of cases) and experiencing financial difficulties (36% of cases).