Showing posts with label hedge funds. Show all posts

31 March 2019

Operational Risk Management: Discipline and Professional Development...

You know that the discipline of Operational Risk Management has finally reached the minds of global executives and Boards of Directors when you see growth in the organizations that have established a Board-level Executive in charge of Operational Risk Management (ORM).

The ORM discipline has now spanned several primary critical infrastructure sectors of the global economy for over a decade, including Energy, Financial Services, Information Technology, Defense Industrial Base and others who are highly regulated by government.

Global organizations, with BP as one example, have found new Operational Risk capabilities to be a necessity. This is to produce a prudent and consistent strategy, after the Gulf of Mexico Macondo blowout, in other parts of the planet where deep water drilling is still a vital solution.

Goldman Sachs and the other band of brothers in the global financial crisis of the decade past, have reinvested in more prudent Operational Risk Management strategies. The books that have been written outlining the risks of people taking on derivatives of one type or another to hedge the marketplace have been prolific.

IBM, Google, Apple, AWS and Cisco have capitalized on "Operational Risk Management" and its focus on business continuity planning (BCP), continuity of operations planning (COOP) and the facilitation of utilizing cloud computing to enhance the resilience factor of critical systems.

However, the pervasive growth of people utilizing social networking in the workplace has created its own set of OPS Risk challenges.

Spear phishing, targeted fraud schemes such as Business E-mail Compromise (BEC) and sophisticated software exploits, can be attributed in many cases to the plethora of personal information the criminals and intelligence activities have to work with.

Social engineering, economic espionage and other transnational criminal activities are continually perpetuated by the security and privacy failures of the critical infrastructure industries.

The Defense Industrial Base including the US Navy, US Marines, US Army, US Air Force and our Coast Guard, know the value of effective Operational Risk Management. The discipline is a core aspect of their cultures and is continuously tested and measured on a daily basis.

On the flight line or on the base, these branches of the military use ORM to save lives and protect valuable assets worth millions of dollars every day.

As Boards of Directors focus on ORM across the globe, one can only wait and see how it will impact the discipline of the individuals themselves.

We trust that our practitioners will continue their own quest for expanding the portfolio of thinking and to see that the right people are at the table, to assist in ORM direction and continued global success.

31 January 2016

Risk Culture: The Root Cause of Business Assurance...

There is a scarcity of enlightened organizations that truly understand the root cause of risk in their enterprise. The business assurance they seek and the Operational Risk Management (ORM) outcomes they receive are in direct proportion to the "Risk Culture Maturity" within the company. This risk culture maturity is the root cause of why certain kinds of risks exist and what ability the organization has to accept, mitigate or transfer that risk.

A risk culture begins and ends with a human ability to communicate effectively with other humans. The human behaviors associated with communicating risk have everything to do with the ability of one person to know the truth and to tell another accurately and effectively what the risk is and how it could impact the business. The trouble is, most organizations fail to spend enough time doing exactly that and doing it without fear.
"What kind of fear? The fear that by telling your supervisor you might offend them. The fear that by questioning the co-worker about their decision, that you will alienate them. The fear that by uncovering a fellow worker's risky behaviors to the rest of the team, that you will jeopardize the overall mission."
The ability or lack of ability by a human to communicate risk factors to each other with the truth and without the fear of judgement or retribution is why you either live or die. This is the reason why your organization continues to flourish or rots from the inside out. You see, the risk management environment in your team, unit, office location or FOB has all to do with communicating the truth in an effective way.

The risk culture problem is one that continues to rear its ugly head time and time again and shows itself in the published press, or the digital eDiscovery process of modern day litigation. Look back on most any loss event like this and you will see that it could have been addressed or contained, if only humans had communicated effectively about the risk(s) to them personally or to the unit, whether it be a family, a branch office, partner or entire agency of government.
Companies need to put in place oversight of strategic partners, vendors and service providers to ensure that those support organizations are meeting their own risk standards. A company should share its risk management guiding principles with third-party suppliers or partners to influence their decision-making process. Risks and controls should be a consideration when choosing new partners, and they should be re-evaluated on a regular basis to help avoid the potential of vicarious liability by the poor decisions of an alliance partner.
The organizations that survive and are able to outperform their competition are those that understand this reality. Leadership that magnifies the requirement for people to strip away the fear of judgement, retribution, or long term bias and to communicate the reality of what they truly sense as humans will be superior. The risk culture that is truly understood, and that simultaneously monitors people's ability to learn from their mistakes, will continue to outperform and survive in whatever environment it lives in.

Leadership is charged with the state of their organizational culture. The fundamental risk to any organization is that leadership does not recognize this and pays little or no attention to the maturity of its culture in dealing with risk and the human factors ecosystem. This begins with the person across the table, by your side in bed or next to you in control of a vehicle, on land, in the air or in the ocean.

It doesn't matter who the leader is. The Founder, CEO or Chief Risk Officer. The Branch Manager, Area Supervisor or Vice-President. The Element Leader, Master Chief or C.O. Mother or Father. Managing the culture of communicating the truth and reality, without judgement, begins the process of a risk management entity that will not only survive; it will outperform the perceived opposition.

Enlightened individuals who are multi-dimensional and are comprised of a brain trust of diverse people who have different life experiences. These courageous people must then be engaged in the correct setting and risk culture, with the right combination of business objectives, resources and highly detailed mission outcomes. Only then will the environment they operate in determine who survives the continuous performance evolution.

The root cause of Business Assurance and Resilience is the Risk Culture.

22 February 2015

Fear: The Elements of Prediction...

"Just as some things must be seen to be believed, some must be believed to be seen." "...so one way to reduce risk is to learn what risk looks like." --Gavin De Becker

These words from his book The Gift of Fear remind us of how many people talk about Operational Risk Management (ORM), mitigation and implementing risk controls without having any context. In order to truly understand something, you actually have to come face-to-face with it, experience it and feel it.

For every 100 people in your organization, how many are a risk? By that we mean that the factors are high that an individual will do something, or be the target of an incident, that causes irreversible harm to themselves and/or the institution during their tenure as an employee.

The actuaries behind the insurance you purchase for different kinds of hazards or incidents in the workplace could give you some answers here. How likely is it that this kind of event occurs in this industry over the course of one year as an example? Certainly the ratios are known, otherwise the insurance product would not exist to protect you.

Predictive Analytics and processing of information to predict what has a high chance of actual occurrence is a whole other matter. In order to be predictive, you have to have actual experience and it has to be so innate that it now becomes more than just an intuition.

Some call it "Self-talk" and others a gut feeling but whatever it is, it got there because of your past experience. If it's more powerful than that, now you may just be experiencing something we all know as "Real Fear". You have to realize that when you get that tingle sensation up the back of your neck, you are way beyond self-talk and into a whole new dimension of emotion.

DeBecker's elements of prediction can help us figure out the likelihood of a prediction actually occurring:

1. Measurability - How measurable is the outcome you seek to predict?

2. Vantage - Is the person making the prediction in a position to observe the pre-incident indicators and context?

3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?

4. Context - Is the context of the situation clear to the person making the prediction?

5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?

6. Experience - Does the person making the prediction have experience with the specific topic involved?

7. Comparable Events - Can you study or consider outcomes that are comparable- though not necessarily identical- to the one being predicted?

8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?

9. Investment - To what degree is the person making the prediction invested in the outcome?

10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?

11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?

This OPS Risk professional has realized that these 11 elements exist in many of the risk management methodologies and systems experienced over the years. What is remarkable is the degree that we see time and time again, these elements being left out, avoided or just plain not utilized in organizations of all sizes and industry sectors.

It's time that CxO's revisit all of these elements in each of the Operational Risk Management (ORM) systems that are in place in their enterprise. From the front door to the intrusion prevention system, in the HR process from interview to termination and from the training room to the board room.

Predictive Analytics is a science that comes in the form of an art. Make sure you have the people who are masters of the art and experts in implementing the science.

08 June 2014

Algo Bots: The Risk of Human Error...

What "Trust Decisions" did you make this past week?  How fast did you make them?  The ability to manage an entire portfolio of operational risks in a daily routine is daunting.  How do you prioritize? What Operational Risk Management (ORM) process will you engage in, with so many uncertain outcomes?  Why will you sit up in bed at 3AM, to read the latest alert on your smartphone?

In October of 2012, this ORM blog discussed the topic of "Algo Bots" and "Dark Pools".  Machine language talking to other machines, to make optical network speed decisions and more precise, "Trust Decisions."  What is the risk of a low probability and high consequence incident when humans are taken out of the equation?  Dave Michaels of Bloomberg explains the current focus:
Mary Jo White’s blueprint for imposing tighter controls on high-frequency traders and some of the murky venues they inhabit stops short of a crackdown. 
The U.S. Securities & Exchange Commission’s plan, unveiled by White in a speech this week, advanced some new ideas while borrowing heavily from existing proposals and measures that already have support on Wall Street. While stock exchanges, rapid-fire traders and private trading venues known as dark pools all would come under new scrutiny, White didn’t embrace the kind of tighter restraints that have been enacted in countries such as Australia and Canada. 
White isn’t acting in a vacuum. She is responding to political pressures raised by an investigation by the New York attorney general into whether speed traders prey on slower-moving investors as well as a book by Michael Lewis, “Flash Boys,” that condemned the role of exchanges and brokers in enabling unfairness. She announced the initiatives even as she said U.S. markets aren’t rigged and serve the goals of retail and institutional investors.
As an Operational Risk Management (ORM) professional, you have to stay on the edge. You must imagine the future and dive into the current R&D of innovation. Being a futurist is staying on the bleeding edge of technology and this is just one facet of the risk mosaic. The other, more human-factor-oriented component is the TTPs. Tactics, Techniques and Procedures (TTPs) are what you need your own "Opposition Research" team to be studying. This is your opportunity to gather the intelligence on your competition and simultaneously look at your own vulnerabilities. Sam Mamudi and Keri Geiger explain:
The U.S. Securities and Exchange Commission cited Wedbush Securities Inc. and Liquidnet Holdings Inc. for violations of stock market rules, taking tangible steps a day after Chairman Mary Jo White outlined her plan to improve Wall Street trading. 
Wedbush, which the SEC said is among the five biggest Nasdaq Stock Market traders, failed to vet clients who broke the law as they placed billions of dollars of transactions in the stock market, the regulator said. Two current and former Wedbush executives, Jeffrey Bell and Christina Fillhart, were also targeted in the complaint. 
Liquidnet, one of the biggest independent dark pool operators, agreed to pay a $2 million fine for not living up to client secrecy standards on its private trading platform.
So what?  The Rise of the Machine Traders:
In the beginning was Josh Levine, an idealistic programming genius who dreamed of wresting control of the market from the big exchanges that, again and again, gave the giant institutions an advantage over the little guy. Levine created a computerized trading hub named Island where small traders swapped stocks, and over time his invention morphed into a global electronic stock market that sent trillions in capital through a vast jungle of fiber-optic cables. 
By then, the market that Levine had sought to fix had turned upside down, birthing secretive exchanges called dark pools and a new species of trading machines that could think, and that seemed, ominously, to be slipping the control of their human masters. Dark Pools is the fascinating story of how global markets have been hijacked by trading robots--many so self-directed that humans can't predict what they'll do next.
So how do you mitigate the potential risk of a rogue algorithm? Some have devised a mechanism called a circuit-breaker. In other words, an alarm that something is not normal. Let's slow down until we can understand what is going on here. What are some other ways that we could potentially address the threat or the vulnerability? Was the "Flash Crash" a weak signal of a pending meltdown of the complete system?

Or is this just the next natural phase of the future growth curve? Who will you put your faith in for your next "Trust Decisions"...


04 May 2013

Offshore Strategies: Global Integrity Risk...

Global 500 organizations are managing Operational Risks across their respective enterprises, utilizing a portfolio of controls, tools and strategies. One of those strategies is getting more attention from nation states and treasury departments. Larger than Wikileaks, this ICIJ investigation is a digital peek behind the offshore strategy that is legal in many jurisdictions across the world:
An anonymous source has provided extensive insights into a worldwide network of tax evaders. 
Media in more than 30 countries are currently sifting through a mountain of data.
260 gigabytes of documents - that's the printed equivalent of 500,000 copies of the Bible. 
This is the massive amount of data that was passed on more than a year ago by an anonymous whistleblower to the International Consortium for Investigative Journalism (ICIJ) in Washington. More than two million emails and other confidential documents sketch a picture of a dubious shadow world. More than 130,000 people from 170 countries are alleged to have secreted their money in tax havens. Analyzing the data is a mammoth task that is still nowhere near completion.
The governance and the transparency that a global enterprise displays to its shareholders, employees and governments is continuously at stake. Some countries are considered more corrupt, and global organizations operating in those parts of the world should be more aware of the risks of doing business there.
Some other interesting revelations:
  • The largest shares of the people setting up offshore accounts live in China, Hong Kong, Taiwan, Russia or another former Soviet republic. 
  • In turbulent Greece, both the upper and middle class are increasingly keeping their money in undeclared accounts — a situation that finance officials have since vowed to investigate.
  • A number of the world’s largest collectors use offshore accounts to buy and sell art without paying taxes. 
  • Offshore accounts are popular in Russia, where President Vladimir Putin has repeatedly asked politicians to stop using them: the deputy prime minister’s wife and top managers of Russian military contractors and government-controlled companies are thought to have secret offshore investments. 
  • Offshore accounts are a major source of investment in China and Russia. China’s second-largest source of capital investment is the British Virgin Islands.
  • You can read the full ICIJ report here.
Billionaires and politicians are hedging risks on the advice of tax attorneys and accountants, using financial strategies that are as old as tax laws. Inside private business compliance and legal departments lies a vast staff of dedicated personnel who are tasked with mitigating risks to the organization. Some global enterprises, such as Siemens AG, have paid the price of a governance architecture that was in failure. Today, those lessons learned are still being taught even as others are implicated in alleged wrongdoing:
IBM Says Justice Department Investigating Bribe Allegations
By Sarah Frier on May 03, 2013

International Business Machines Corp. (IBM) is being probed by the U.S. Justice Department over corruption allegations in Poland, Argentina, Bangladesh and Ukraine, adding to bribery charges from the Securities and Exchange Commission. 
The Justice Department is investigating whether IBM violated the Foreign Corrupt Practices Act, the company said in an April 30 filing (IBM). In Poland, the department is focusing on a transaction that the Polish Central Anti-Corruption Bureau already was studying, the company said. It involves allegations of a former IBM employee selling to the Polish government. 
The Justice Department probe adds scrutiny in new territory as IBM tries to settle with the SEC over activity in China and South Korea. The global reach of the investigation indicates that this isn’t an isolated matter, said Charles Elson, corporate-governance professor at the University of Delaware. 
“If it happens in one country, you can say it’s an individual,” Elson said. “If it happens in multiple, you have to ask, is it systemic? And how well was the compliance program put in place to prevent it?”
So what can a General Counsel, VP of Operational Risk, Chief Risk Officer or even the Audit Committee do, in light of these continuous incidents?  The trust that any person or organization has with its bankers, outside counsel, compliance subject matter experts, accounting advisory and management consultants is at stake.  The integrity of the entire global payments and economic ecosystem is at risk.  This source of systemic risk to governments, global enterprises, stock markets and average consumers is growing beyond control.

What can be done? The serious conversation going on right now between your independent counselors continues to focus on trust and the people who are behind that trust. You have got to have that serious conversation as a CEO, not with your first line of management Vice-Presidents, but several layers below them in the corporate hierarchy. Believe us when we say, as the CEO, you can't see two layers below you, where all of the real work on daily transactions is getting done every day. You are not on the front lines, where deals are being made and information is being exchanged that can have a material impact on daily business.

You see, it really all still comes back to people communicating information ethically.  How and when people act on that information.  Why people behave the way they do when they learn the information.  As a CEO in charge of a global enterprise you will never have the transparency or the integrity being controlled from HQ on the executive floor, or on your executive analytic GRC dashboard.  Your only chance is to reach those people, who are at the source of doing business in your line processes, not staff, but "line".  The "line" is the life blood of daily business commerce and the power base for making a difference on how business is done and the integrity behind it.  The future of your enterprise depends on these people, communicating information that is true, validated and researched to uncover any possible errors, omissions or other ethical issues.

The power base of the global economy is constantly changing. The risks to the economic enterprise continue and the investigations are just beginning. Offshore strategies are at the core of global integrity risk.

13 August 2010

Risk Appetite: In Search of the Perfect...

Operational Risk in the corporate enterprise is on the rise and savvy CxOs recognize it. The continuous and advanced schemes, attacks, reputation crises and regulatory compliance changes have the executive suite on full alert.

The global news cycle, financial markets in turmoil and a seemingly upset weather pattern on "Planet Earth" have OPS Risk professionals on ready standby. It's 24 x 7 x 365, responding to new threats and a growing set of domino effects as incidents are more interconnected and have substantial new interdependent relationships.

Operational risk is a serious concern not only to traditional and alternative investment managers, but also to their clients and the organizations that regulate buy-side firms. In worst-case scenarios, an investment firm’s failure to identify and mitigate operational risk can result in significant direct costs and a devastating loss of reputation. It may take years to reassure investors, regulators, and trading partners that the firm is well-managed. So what exactly is operational risk? Castle Hall Alternatives calls it “risk without reward.” The Basel Committee on Banking Supervision (Basel II) defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events,” and states that the definition is intended to include legal risk but exclude reputational risk, and lists as examples events ranging from data entry errors to earthquakes.¹ But operational risk is not something that can be easily identified by a generic checklist, nor is there a single, universally applicable approach to mitigating the operational risks to which a given firm is exposed.

A generic checklist is by no means the way to approach most Operational Risks, yet starting with a standard framework of controls and optimizing from there is a good start. Certainly the natural catastrophe risk mitigation exercise, whether for the tornado or the earthquake, has a foundation in the kinds of preparedness that can assist those caught in the vortex or on the fault line of destruction. Yet how could a checklist really help with a threat that is adapting to your environment on the fly and creating new obstacles to mitigating the risk before you?

Kerry Dewey was a finance officer for a small nonprofit in the Pacific Northwest. She was having a bad day, but it got worse when her local bank called her to inquire about the validity of a recent funds transfer for just under $10,000 from the nonprofit’s account to an account at an Alabama bank. Moments before, the Alabama bank had contacted Kerry’s bank because its policy is to investigate any transfer that’s close to, but less than, $10,000 – an amount that fraudsters commonly use to avoid currency transaction reporting.

Kerry’s bank stopped the transfer after she assured them that no one in her organization initiated the funds transfer. The episode prompted Kerry to review the nonprofit’s banking transactions in the past few days. She uncovered five other illegitimate transfers that totaled close to $50,000, and each transfer went to a different payee. Fortunately, her bank was able to contact the banks where the funds were transferred, and those banks were able to stop the transferred monies from being withdrawn by the fraudsters. Kerry had opened a very dangerous e-mail.
This case is fictional, but it’s representative of a relatively new “spear-phishing” e-mail scam that has recently emerged as a significant source of revenue for cyber criminals.

As you can see, the Small-to-Medium-Enterprise (SME) and other businesses that might have a single person responsible for payroll, accounting and acting as corporate controller are just as vulnerable to Operational Risks as the large hedge funds, Global Money Center institutions and Corporate Enterprises of the Fortune 500.

The pervasive and constantly evolving components of Operational Risk now require a substantial blend of people, software and management systems. Those savvy CxOs now realize that Operational Risk Management is something that is not being dealt with in its entirety solely by the CFO, CRO, CIO or CSO. Therefore, the silos of risk management within the organization are themselves a "substantial risk" to the overall enterprise risk management aspiration. The "Insider" who watches these silos manage their domains and fiefdoms, with the goal of keeping it all within the unit or department or section, realizes that their scheme or attack will have little chance of detection for months, even years.

This is why the Office of Inspector General in government is so necessary and is so feared. This is why the outside auditors or independent investigators are so feared. This is why these two mechanisms for mitigating risks are typically too late and discover something that in the end, most people had a hunch was going on anyway. It's a perpetual cycle that won't end anytime soon and will keep our organizations searching for that eternal balance of a "Perfect Risk Appetite".

06 July 2010

Black Swan: Consumer Financial Protection Bureau...

The Consumer Financial Protection Bureau has been born out of the 2,300 pages of the final US Federal Financial regulation of 2010. The tone on what and how the CFPB operates is spelled out in the legislation and Operational Risk Managers are actively scouring the fine print to determine the compliance and legal ramifications. Yet the new Director's leadership may spell out the impact more than any of the new rules. The WSJ enlightens us:

The legislation says the bureau's purpose is to "regulate the offering and provision of consumer financial products or services." Details are left largely up to the new director, who would serve a five-year term. The law creates offices for research, tracking consumer complaints, consumer financial literacy and fair lending, among others.

Among the director's first tasks will be refining the agency's mission. Critics and supporters, though agreeing on the importance of the new agency, differ on what will constitute success.


Institutions will be adjusting their behavior to the new rules, including how they continue to do proprietary trading. Their hedge fund ownership is now limited to 3% and the "Volcker Rule" is the same percentage for trading Tier 1 capital. The entire financial services industry is essentially gearing up for more of the same, with minor adjustments to how it implements its various risk management strategies. So what has changed and what will change?

Large banks and their supply chains will be looking for new ways to leverage their ability to improve margins. And when you look for ways to improve margins, you raise rates, add more fees and incrementally gain a tremendous avenue for increased cash flows. Enterprise Risk Management will try to find a way to hedge against the "Black Swan" event ever happening again. Even today, the business is still in the dark on the mathematical equations that caused the last implosion of world markets and the unraveling of the financial trust that is the foundation for the system to operate with efficiency and market speed.

Going forward the risk management professionals will be dissecting the final law to determine how it will impact their business, institution or agency for the next few years. As business owners and corporate institutions begin to see what direction the new Consumer Financial Protection Bureau (CFPB) chief will be taking, they will be devoting resources and budgets to adjust to these market changes.

And while all of this is evolving in the open and transparent world of finance, you can bet that the next "Black Swan" event is on the horizon. As the "Operational Risk Managers" who witness the speed and the complexity every day in the trading pits, software development units and on the white boards of countless conference rooms will tell you, the next one is out there:

"A Black Swan is a highly improbable event with three principal characteristics: It is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was." Nassim Nicholas Taleb, from his book The Black Swan - The Impact of the Highly Improbable

Sens. Chris Dodd (D., Conn.) and Blanche Lincoln (D., Ark.) are trying to calm the fury among bankers and business groups over a last-minute change to the financial overhaul bill that critics now say could upend the way companies hedge against risk.

In the early hours of Friday June 25, Democrats altered a key provision to the derivatives section of the financial overhaul bill. It has a completely different meaning depending on who you ask. Some believe the language would require all people engaging in derivatives contracts to post “margin,” or more costs to engage in a deal. Others believe it would apply only to big banks and major derivatives dealers. The difference could swing billions of dollars one direction or another.

The confusion stems from a part of the section, tucked into the 2,300-page financial overhaul bill, that says margin requirements “shall” be set against “all” uncleared swaps. Some companies believe they should be exempted because they aren’t risky derivatives speculators, and fear it will drive up their costs. Several companies and business groups have said the language is such a glaring mistake that it could undermine the entire derivatives market, particularly for companies using these products simply to hedge risk.

But the language is in sections of the bill setting rules for “swap dealers,” which are essentially banks or large derivatives traders regulators plan to place tougher restrictions on. Depending on how it is interpreted, the language could apply only to those “swap dealers.”

Regardless, the confusion has led to an uproar…


28 May 2010

Memorial Day: Vigilance Reminder...

What does Memorial Day mean this weekend in the United States? A time to reflect on all those who have served and sacrificed their lives for our freedom and continued way of life. At the same time it is an opportunity to look into the minds of those who will determine the future course for our security strategy. The U.S. National Security Strategy articulates this future vision. How does Secretary of State Clinton see the new strategy?

The strategy calls on the United States to build its economy “and to shape the global system so that it is more conducive to meeting our overriding objectives: security, prosperity, the explanation and spread of our values, and a just and sustainable international order,” Clinton said.

The threats are diverse, the secretary of state continued, and include terrorism, proliferation of weapons of mass destruction and the means to deliver them, climate change, cybersecurity, energy security and many others. Responding to these threats, she said, also produces opportunities, new modes of cooperation, new capacities to improve lives and tangible efforts to bridge great gaps in understanding.

“We are in a race between the forces of integration and the forces of disintegration, and we see that every day,” Clinton said. “And part of our challenge is to define American leadership in relevant terms to the world of today and tomorrow, and not merely looking in the rearview mirror, which makes it very hard to drive forward.”



If you are sitting in a "Mud Hut" in Kandahar right now or standing on the grave of a loved one in "Section 60" at Arlington National you could be asking yourself, what does this all mean to me?

The thoughts and words of world leaders may change about what is the proper way to go about the "Global Housekeeping" this year or decade, yet it will never change the threat that continues to be our greatest Operational Risk. The human beings on the planet who get up every morning to fight on the battlefield, find food and water for their family, commute to a chaotic and quiet room in a major city to read, analyze and think about new information, or even pray to their god, have the same vulnerability.

A complacent point of view. A lack of vigilance to help defeat the evil behavior of other humans, prepare for the hazards thrown at us by mother nature and the will to utilize civility in our approach to solving all of the problems before us. Complacency is the greatest operational risk before us.

com·pla·cen·cy

–noun, plural -cies.

1. a feeling of quiet pleasure or security, often while unaware of some potential danger, defect, or the like; self-satisfaction or smug satisfaction with an existing situation, condition, etc.

It is the reason there are so many people still scratching their heads on such topics as:

  • AIG
  • Bernie Madoff
  • SEC
  • Freddie Mac
  • Fannie Mae
  • Conficker
  • Umar Farouk Abdulmutallab
  • Qods Force (IRGC-QF)
  • Zeus
  • Faisal Shahzad
  • ‘Volume Algo’
  • Deepwater Horizon
And the list goes on. Memorial Day each year is a dedication to those who have served our country and still are serving our country. The operational risks are many and they are not slowing down. This Memorial Day 2010 requires that we all make the pledge to purge ourselves of any complacent attitudes. Our vigilance is the last opportunity we all have to make a difference on this planet.

08 March 2010

Quants: Fear and Loathing in Computer Code...

The Operational and Systemic risk is still lurking in the zeros and ones, masking itself in the mathematical blur of algorithms designed by the "Quants". Is "SkyNet" just a few lines of computer code away from creating an incident that no insider can reverse?

Jeremy Grant and Michael Mackenzie of FT are establishing an argument discussed on this blog soon after the economic meltdown began to take place:

Not long after lunchtime one day on the New York Stock Exchange three years ago, unusual things started to happen. Hundreds of thousands of “buy” and “sell” messages began flooding in, signalling for orders to be made and simultaneously cancelled.

The volume of messages sent in was so large that the traffic coming into the NYSE from thousands of other trading firms slowed, acting as a drag on the trading of 975 shares on the board.

The case was made public only last month when the disciplinary board of the NYSE fined Credit Suisse for failing adequately to supervise an “algorithm” developed and run by its proprietary trading arm – the desk that trades using the bank’s own money rather than clients’ funds.

Algorithms have become a common feature of trading, not only in shares but in derivatives such as options and futures. Essentially software programs, they decide when, how and where to trade certain financial instruments without the need for any human intervention. But in the Credit Suisse case the NYSE found that the incoming messages referred to orders that, although previously generated by the algorithm, were never actually sent “due to an unforeseen programming issue”.

It was a close call for the NYSE. Asked if the exchange could have been shut down as it was bombarded with false trades, an exchange official says: “If you had multiplied this many times you’d have had a problem on your hands.”


The Operational Risks associated with the software code and the development of the trading algorithms are at the center of the still untouched regulation of how financial products are designed. Once the SEC gets educated on a market practice that is creating substantial systemic risk, the wheels of monitoring and potential "Cramdown" begin to turn.


The difficulty is that responsibility for risk controls does not lie entirely with exchanges and trading platforms. Much of it rests instead with brokers, which increasingly provide access to such venues under an arrangement known as “sponsored access” whereby any trading firm that is not a member of an exchange can “piggyback” on a broker’s membership to gain direct access to an exchange. Until recently, before the SEC clamped down on the practice, traders were able to use a form of this process – “naked access” – to gain access to exchanges without brokers conducting pre-trade risk checks to ensure their algorithms were functioning properly.


In the latest books written by "Reporters" on the so-called "Quant risk" going on within the ranks of trading firms across the globe, the focus is on the people themselves more than the systems. Comparing poker players to bridge players is only a small part of the issue at hand with regard to a quantitative trader's point of view and mathematical orientation.

Imagine for a moment the complexity of the software systems that now control the trading mechanisms across the world. From Hong Kong to Wall Street, London to Tokyo, the software is written to accomplish tasks that the human is not capable of executing in the multi-split seconds that it takes for buyers to match sellers. One only has to spend a few weeks or a month inside the software coding life cycle management process within the walls of a JP Morgan, Goldman Sachs or Credit Suisse to better understand the Operational Risks that exist for the market as a whole.

The sheer complexity of the systems software code alone is enough to make an uneducated eTrader worry over whether the portfolio they are managing with their retirement nest egg is going to get destroyed by the likes of a super "Cyber Algorithm" designed to outsmart and outthink that last strategy from the previous night's episode of MSNBC's "Jim Cramer."

The next economic crisis will not be a war over who had toxic assets in their asset portfolios. It will be a single line of computer code that initiated a sequence of risk mitigation strategies to hedge against another previously executed trade the month before. And because of the error that creates this cyber incident, the market detects a new "Fear Factor" on the horizon.

How about a little Deja Vu:

All of us have been watching the gyrations of Wall Street and the stock market in recent days. With the collapse of Bear Stearns and Lehman, the "rescue" of the failing Fannie Mae-Freddie Mac, and the bail-out of AIG, many people wonder, "Have investors completely lost their minds?" Well, the answer may be, "Sometimes". Here's how we might look at anxious investing during a time of market volatility, uncertainty, bad news, and fear.

How does the anxious investor think? Let's consider two possible investors--- one who is reasonably optimistic and the other who is pessimistic.

14 September 2009

26 Wall Street: Risk Management Ground Zero...

Today President Obama speaks from the same place on Wall Street where the U.S. government has some of its roots as a nation. The topic on this anniversary of the demise of Lehman Brothers is risk management. This ground zero of managing credit, market and operational risk in one of the financial capitals of the globe brings several topics to the discussion table. Liz Moyer makes the point:

It's been a year since the $600 billion bankruptcy filing of Lehman Brothers and the financial market meltdown that forced the government into a multitrillion-dollar rescue of the U.S. banking system.

But for all the talk and hand wringing (and billions in direct government equity stakes in major banks and loan and debt guarantees) there's also been little real progress on how, or if, Washington might regulate its way out of this kind of mess in the future. Don't expect that to change anytime soon, as markets become more, not less, complex and interconnected.


If the American public has witnessed substantial uphill battles with reform for health care, they can be assured that the "Financial Services" lobby will be even stronger. The regulation of institutions such as so-called alternative investment firms (hedge funds) has many of them already leaving the U.S. for safer havens overseas. The trading will continue and the people behind the unique investment vehicles are getting even more creative. Investors are now buying up the pools of insurance products that have to pay out upon people's deaths. Life insurance settlements are being bundled and sold just as toxic mortgages were, and the bets are on with these products, just as they were with the housing market. Are people living longer or dying sooner? I guess that depends on where you live, what you eat and what your family history is.

The creativity of trading new and exotic products will continue and the watchdogs will have their hands full trying to figure out where to regulate and what agency should have the oversight. Free market capitalism as the regulator has already proven that it doesn't work. Consolidation of agencies that focus on the regulation and compliance enforcement of the financial services and investment industry is a tremendous risk in itself. The systemic root cause of the greed, compensation exploitation and the financial product innovation lies with some very smart people. The same people who can make a major difference in managing risk in their institutions going forward.

Regardless of the instruments that are invented for trading and the people who trade them, they all rely on one thing: software, along with escalating requirements for more computing power, Terabytes and Petabytes of storage, and the operational risks associated with information moving around the planet at almost light speed. Information and bits of data that can influence decisions on buy or sell strategies are only as good as the mathematics and the algorithms coded into software.

The oversight of future financial products and the ability to take new offers to the market must have people looking at the math and the code. The systemic risks that erupted in the world markets over a year ago are a result of a complexity of systems and the speed of change in our connected economy. All of the transparency, accountability and reform of compensation packages will not impact the zeros and ones that make up the sophistication of the trading markets.

A single consumer financial protection agency will make the consumer feel better that the government is looking after them. It will modify behavior in the innovation and it may even close the gaps in the current rule sets. However, the operational risks associated with the confidentiality, integrity and assurance of information will continue to rise. These risks are consistently displayed in the public press and websites such as the Identity Theft Resource Center:

There are currently two ITRC breach reports which are updated and posted on-line on a weekly basis. The ITRC Breach Report presents individual information about data exposure events and running totals for a specific year. The ITRC Breach Stats Report develops some statistics based upon the type of entity involved in the data exposure. Breaches are broken down into five categories, as follows: business, financial/credit, educational, governmental/military and health care. Other more detailed reports are generated throughout the year and posted on a quarterly basis.

It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of categories. What they all have in common is that they usually contain personal identifying information in a format easily read by thieves, in other words, not encrypted. The ITRC tracks five categories of data loss methods:

  • Data on the Move
  • Accidental Exposure
  • Insider Theft
  • Subcontractors
  • Hacking

Yet operational risks such as these are only a piece of the total risk management equation as it pertains to Wall Street, International Banking and the so-called systemic risks talked about today, as the Washington Post says:

Warning that "history cannot be allowed to repeat itself," President Obama urged Wall Street on Monday to help jump-start a stalled effort to overhaul the U.S. financial regulatory system and head off a potential reprise of the U.S. economic crisis.

Visiting New York on the first anniversary of the nation's biggest bankruptcy, Obama used a speech at Federal Hall at 26 Wall St., site of George Washington's 1789 inauguration, to rally support for regulatory reform and call on the financial community to take responsibility for avoiding the abuses and failures that led the nation into a financial crisis last year and triggered a global recession.


Our greatest threat is complacency as was indicated today in the context that we do nothing as a result of the failures of people, processes, systems and external events.

16 June 2009

Proactive Risk Strategy: Transnational Asset Forfeiture...

Effective strategy execution and the application of intelligence to gain increased mission efficiency is the name of the game. The public / private convergence of people, processes, systems and the fusion of relevant international incidents data establishes the playing field. The threats to the very fabric of our economic and security well-being are directly tied to the rule of law, the safety of the environment and the ability for capital to be invested with prudent risk management mechanisms in place.

If any component of this fabric becomes frayed or torn, this vulnerability threatens the overall resiliency of this "Transnational Ecosystem". The homeostasis of the "Transnational Ecosystem" is dependent on the factors associated with its ability to gain new energy (food, water, power, money) and to continually "Adapt" to its changing environment. The ability to adapt rapidly within this ecosystem will determine who the winners are and also the survivors. So what is a good example of this "Transnational Ecosystem" that we can apply to public / private convergence and Operational Risk Management?

Although pioneered in the USA, there now appears to be a global trend to use stand-alone civil proceedings as a means of recovering the proceeds of crime in the hope that they will be more effective than proceedings that are ancillary to and dependent on a criminal prosecution. Recent examples of jurisdictions that have introduced civil forfeiture legislation include Italy, South Africa, Ireland, the United Kingdom, Fiji, the Canadian Provinces of Ontario, Alberta, Manitoba, Saskatchewan and British Columbia, Australia and its individual States, and Antigua and Barbuda. In addition, the Commonwealth has produced model provisions to serve as a template for jurisdictions that wish to introduce such legislation.

This trend towards civil forfeiture has been prompted by the nature of organized crime. Organized crime heads use their resources to keep themselves distant from the crime that they are controlling and to mask the criminal origin of their assets. For this reason it has become extremely difficult to carry out successful criminal investigations leading to the prosecution and conviction of such individuals, with the result that finances derived from crime are often effectively out of the reach of the law and are available to be used to finance more crime. Such peaceful enjoyment of the proceeds of crime damages public confidence in the rule of law and provides harmful role models. This has led to a recognition that criminal confiscation regimes may be inadequate and ineffective in certain cases.


Traditionally, the use of OPS Risk strategies associated with civil asset forfeiture has its intersection with AML (Anti-Money Laundering) and Terrorist Financing. Moving money on a global basis utilizing the modern day "Hawala" or informal value transfer system requires smart people and sophisticated systems. Putting the person at the right place with the right evidence is the investigator's "Holy Grail", yet there are other effective means for increasing that resiliency in the ecosystem.

The financial meltdown and economic crisis have impacted how both the "Boy Scouts" and the "Wise Guys" continue to prosper. The use of tools such as Asset Forfeiture in combination with timely intelligence, both Open Source and proprietary, can provide the means for another effective Operational Risk strategy in a public / private consortium. The cooperation, coordination and collaboration of banking, hedge funds, broker dealers, insurance companies and private equity firms with federal and state task forces is a growing trend.

The mantra "Need to Know" is quickly being replaced with "A Responsibility to Provide" in the intelligence community and soon to be in the ranks of the financial private sector as it pertains to adapting to the transnational ecosystem. One good example of this momentum can be found in the rapidly growing education and awareness programs focused on this very subject:

Mission Statement

AssetForfeitureWatch.com is the indispensable source of news, information and training for law enforcement professionals and others working in the asset forfeiture field. At AssetForfeitureWatch.com, we understand that turning the proceeds of crime against criminals is one of the most powerful tools law enforcement agencies have for keeping communities safe, eliminating corruption, and crippling cross-border criminal enterprises. In offering training and education, an annual conference, live and Web seminars and an interactive community, AssetForfeitureWatch.com keeps its members on the leading edge of asset forfeiture strategy and practice.


The goal is to utilize the existing international legal framework to improve the resiliency of the "Transnational Ecosystem." Beyond the banking institutions are the governments and countries themselves who must make their decisions about their own business and commerce models. These havens across the globe will continue to exist because they don't have manufacturing capacity, IT outsourcing services or a port for trading and exporting raw materials. Therefore, they will continue to cater to the needs of suspect enterprises, non-state actors and even some rogue nation states.

So what is the lesson here? Reading between the lines. Assets in your portfolio, on your books, in the warehouse or even in your personal possession may soon be the property of a government entity near you.

12 May 2009

Economic Impact: Hedge Funds Beware...

In a recent ACFE study on the impact of an economic recession, the results are eye opening. More than half (55.4 percent) of respondents said that the level of fraud has slightly or significantly increased in the previous 12 months compared to the level of fraud they investigated or observed in years prior.

Additionally, about half (49.1 percent) of respondents cited increased financial pressure as the biggest factor contributing to the increase in fraud, compared to increased opportunity (27.1 percent) and increased rationalization (23.7 percent).

The survey also found that:

  • Employees pose the greatest fraud threat in the current economy. When asked which, if any, of several categories of fraud increased during the previous 12 months, the largest number of survey respondents (48 percent) indicated that embezzlement was on the rise.
  • Layoffs are affecting organizations' internal control systems. Nearly 60 percent of CFEs who work as in-house fraud examiners reported that their companies had experienced layoffs during the past year. Among those who had experienced layoffs, almost 35 percent said their company had eliminated some controls, while 44.2 percent said the layoffs had no effect on controls and only 3.2 percent said their company had increased controls.
  • Fraud levels are expected to continue rising. Almost 90 percent of respondents said they expect fraud to continue to increase during the next 12 months. Additionally, the fraud most expected to increase is embezzlement.

These results are not too surprising. Internal control systems could be an issue if there are layoffs in the risk management departments or reallocated enterprise resources. Embezzlement schemes come in many forms, and those who run them know which areas will be neglected in oversight during the economic belt tightening.

Most of these fraudsters are brilliant "con men". They know how to prey on the human factors of greed and fear. Powerful emotions must be monitored by a "Corporate Vigilance" and awareness program. This preempts potential breaches and crisis incidents that will ultimately impact personal and corporate reputations.

Three factors are generally accepted as being necessary for a fraud to occur: pressure, opportunity, and the ability to rationalize illegal behavior. Unfortunately, the presence of each of these factors may rise in periods of economic hardship. Organizations and individuals alike can experience the pressure of increased financial strain. Opportunities for fraud could proliferate as many companies cut their workforces and otherwise reduce expenditures, perhaps leading to reduced internal controls and fewer proactive fraud prevention measures. And bombardments of bad financial news could cause mounting feelings of helplessness, pessimism, and isolation, which may, in turn, allow individuals to rationalize previously unthinkable acts.

So what can you do to detect early the potential existence of a suspected fraudster in your organization without subjecting current employees to retribution or putting them in harm's way? One effective strategy is to hire an outside entity, independent of the internal audit department or OPS Risk staff, to perform ongoing interviews and investigations. The other step is to compartmentalize the unit in terms of information exchange and to increase overall operational security.

Harry Markopolos, who was responsible for investigating Bernie Madoff for 8 or 9 years, did exactly this, and for good reason. His team was operating in the field under his direction and was kept secret even while he was talking to the SEC. Why? Some of the off-shore funds Madoff was doing business with were only a few steps removed from organized crime, according to Markopolos. If these firms knew that Mr. Madoff was stealing them blind, they could have put some adversarial actions into play.

Once the fraudster gets an indication that anyone is getting close to the point of questioning their behavior, you can bet the evidence will begin to be destroyed or masked. This destruction of evidence can begin with the simple deletion of e-mails and documents, or the creation of new e-mails or data to mask or cover up the trail of fraudulent activities. This is when the use of Digital Forensic examinations on weekends or evenings, while employees are away from the workplace, can help reveal the presence of "Anti-Forensics."

The presence of anti-forensic tools used to cover their tracks, their e-mails or where they are visiting on the Internet might be the first sign that you have an actual fraud scheme in operational mode. Hidden or encrypted files found on an employee's laptop or desktop, created with unauthorized software tools or downloaded freeware, are a huge "Red Flag."

It's important for any investigator to consider the human factors and the behavior associated with people under pressure and close to the end of their hidden occupational fraud operation. These typically have been going on for up to 24 months before they are discovered and you can be sure that they have thought about the day when they are finally discovered. The fight or flight mode kicks in at this point and organizations are obligated to mitigate the risks of harm to fellow employees.

Effective Corporate Integrity units in global enterprises require the right internal resources, independent outside expertise and a comprehensive OPS Risk framework to be more successful.

Hedge Funds have been on alert for months now. Marc Dreier, the New York law firm founder accused of defrauding hedge funds by selling $700 million in phony promissory notes, might face life in prison after pleading guilty to fraud charges.

According to prosecutors, victims of the fraud included Amaranth Group Inc., Perella Weinberg Partners, Eton Park Capital Management LP, Concordia Advisors LLC, Novator, Meyer Ventures LLC, Blackstone Group LP’s GSO Capital Partners and Elliott Management Corp.

The case is U.S. v. Dreier, 09-cr-85, U.S. District Court, Southern District of New York (Manhattan).

07 April 2009

Economic Impact: Proving the Truth...

The Madoff investigations into so-called "feeder firms" are now gaining momentum. The question of who the victims are and where fraud is suspected continues its due course. The process of client referrals is not a crime, and allegations that correlate it with fraudulent behavior reflect a flawed mindset. The current basis in the Merkin case has more to do with non-disclosure of where clients' money was actually invested:

Andrew Cuomo, the New York attorney general, yesterday filed civil fraud charges against the hedge fund manager Ezra Merkin, alleging he secretly channeled more than $2.4bn to Bernard Madoff's Ponzi scheme in exchange for lucrative fees.

The move is the second regulatory action in two weeks against one of the big so-called "feeder" funds that sent billions of dollars to Mr Madoff, who pleaded guilty to one of history's biggest investment frauds.

Mr Cuomo accused Mr Merkin, a leading figure in the New York charity community and former chairman of financing company GMAC, of steering money from charities, universities and non-profit organisations to Mr Madoff without their permission and reaping about $470m in fees for his three funds.

"Merkin duped individual investors, non-profits and charities into believing he was responsibly managing their investments, when in actuality he was dumping them into history's largest Ponzi scheme," Mr Cuomo claimed yesterday.


Operational Risk professionals in these hedge funds and other alternative investment firms are getting prepared. These organizations will continue to be under the regulatory spotlight for years to come. Fraud and the fear of fraud will make their potential clients even more diligent in their understanding of where their funds are being invested. The federal watchdogs, oversight mechanisms and civil lawsuits will require firms to have their risk management "Act" together.

When it comes time to prove the truth, whether innocent or guilty, it will come down to information. The likelihood that this information is housed in a database, e-mail system or off-site disaster recovery repository is almost certain. Digital information that is part of any inquiry for civil or criminal action is subject to the "Rules of Evidence" and the "Federal Rules of Civil Procedure." This is where most of the alternative investment firms have their greatest exposure and vulnerability today. Call it the "Readiness Factor".


In a groundbreaking case from the past year, Qualcomm Inc. v. Broadcom Corp., No. 05CV1958, 2008 WL 638108 (S.D. Calif. March 5, 2008), the court found the plaintiffs to have committed "monumental and intentional" discovery violations for failing to produce thousands of documents requested in discovery. The court cited the "impressive education and extensive experience" of Qualcomm's attorneys to justify significant sanctions for failure to produce relevant e-mails, including reporting to the State Bar of California.

The "Readiness Factor" goes far beyond the process or procedures for preserving evidence. It starts with the creation of information inside the organization. How is it classified, where is it stored and who has access to it? These are fundamental Information Technology and Records Management 101 questions that any prudent organization has already answered. Where most firms find themselves with their backs up against the "legal wall" has to do with relevance, authenticity, and admissibility of information.

The "Alternative Investment" industry is quickly learning that their own IT professionals are going to end up on the witness stand and in early depositions. They are going to be hearing questions such as:

  • What policies or procedures do you manage in your department/organization?
  • What training do you have on the collection and preservation of "Electronically Stored Information"?
  • Explain your responsibility or supervision of access controls, folder management, indexing, purging controls and metadata?
  • Describe the procedures your firm utilizes to identify the places, people (custodians) and quality of the data that has been preserved for this case?

The list continues and the IT professionals had better be ready. Adversarial counsel will be digging deep to get after the key components of authenticity and spoliation issues. The unfavorable outcomes from a lack of readiness can produce an "Economic Factor" that far exceeds the cost of just finding and producing the information for e-Discovery.

The economic impact of proving the truth in any case can be significant. If you were a savvy and smart prosecutor, the cases that would filter to the top for scrutiny may very well be those firms that display the most "IT Immaturity." Getting some wins under your belt with some relevant case law could determine how fast future cases are settled far in advance of ever getting to trial.

For those "Alternative Investment" firms that are behind the 8 Ball, here is a good place to start your own discovery of the total cost of proving the truth. The E-Discovery Road Map.

31 December 2008

2009 Outlook: OPS Risk Top Priorities...

In light of the 2009 outlook and the fact that Operational Risk is now a much greater priority, here are vital areas to focus on for the New Year. As restructuring, downsizing, layoffs and overall corporate strategy and governance initiatives are kicked off for the 2009 calendar year, here are the top priorities according to Peter L. Higgins, Managing Director of OPS Risk advisory firm 1SecureAudit.

"Operational Risk will continue to be a major focus for Boards of Directors in 2009 and for good reason. Governance Strategy Execution, Information and Records Management and Legal Risk are all in need of a critical review and a robust injection of new resources. We are at the beginning of a new "S" curve cycle on the down slope just as we saw in late 2001 post 9/11 and the "Dot Com" era," Higgins said.

"This requires a renewed and substantial commitment to keeping our code of practice guidance and implementation advice narrowly focused on several key areas of the corporate enterprise:"

  • Organizational Security
      • Information Security Infrastructure: Cooperation between organizations
          • Appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators shall be maintained.
  • Asset classification and control
      • Information Classification: Information labelling and handling
          • A set of procedures shall be defined for information labelling and handling in accordance with the classification scheme adopted by the organization.
  • Personnel Security
      • Responding to security incidents and malfunctions: Reporting security weaknesses
          • Users of information services shall be required to note and report any observed or suspected security weaknesses in, or threats to, systems or services.
  • Communications and operations management
      • Operational procedures and responsibilities: External facilities management
          • Prior to using external facilities management services, the risks shall be identified and appropriate controls agreed with the contractor, and incorporated into a contract.
      • Exchanges of information and software: Security of electronic mail
          • A policy for the use of electronic mail shall be developed and controls put in place to reduce security risks created by electronic mail.
  • Access Control
      • Monitoring system access and use: Monitoring system use
          • Procedures for monitoring the use of information processing facilities shall be established and the result of the monitoring activities reviewed regularly.
  • Business Continuity
      • Aspects of Business Continuity Management: Testing, maintaining and re-assessing BCP
          • Business continuity plans shall be tested regularly and maintained by regular reviews to ensure that they are up to date and effective.
  • Compliance
      • Compliance with legal requirements: Collection of evidence
          • Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.

Here are some of the top cases to review for OPS Risk lessons learned in 2008:

01/04/08 - Detroit: Eleven Indictments in International Illegal Spamming and Stock Fraud Scheme - Eleven individuals were indicted in a wide-ranging international fraud scheme which manipulated stock prices through illegal spam e-mail promotions.

02/15/08 - Washington: DOD Employee Arrested in Chinese Espionage Case - Gregg William Bergersen, a Weapons Systems Policy Analyst at the Defense Security Cooperation Agency, Department of Defense, was arrested for passing classified documents to the People’s Republic of China.

02/22/08 - Miami: Five Individuals Indicted for $200 Million Hedge Fund Fraud - Michael Lauer, founder of Lancer Group Hedge Fund, and four others were indicted on conspiracy and wire fraud charges in a $200 million hedge fund fraud.

02/29/08 - Houston: Chinese Chemist Indicted for Theft of Trade Secrets - Qinggui Zeng, aka Jensen Zeng, a legal permanent resident from China, was indicted and charged with theft of trade secrets and computer fraud.

03/14/08 - Cincinnati: Financial Enterprise Executives Found Guilty in $3 Billion Fraud Scheme - Five former executives of National Century Financial Enterprises were found guilty of conspiracy, fraud and money laundering in a $3 billion security fraud scheme.

05/16/08 - Washington: Guilty Plea in Espionage Charge Involving China - Tai Shen Kuo pled guilty to conspiracy to deliver national defense information to the People’s Republic of China.

06/20/08 - Operation Malicious Mortgage Nets 406 Individuals - Charges in Operation Malicious Mortgage, a nationwide takedown of mortgage fraud schemes which inflicted approximately $1 billion in losses, were brought in every region of the country.

10/17/08 - FBI Coordinates Global Effort to Nab “Dark Market” Cyber Criminals - A two-year undercover operation, Dark Market, which joined forces with international law enforcement, resulted in 56 arrests and $70 million in economic loss prevention.

11/28/08 - Dallas: Holy Land Foundation and Leaders Convicted - The Holy Land Foundation of Relief and Development and five of its leaders were found guilty of illegally funneling at least $12 million to the Palestinian terrorist group, Hamas.

12/12/08 - Chicago: Illinois Governor Arrested - Governor Rod R. Blagojevich and his Chief of Staff John Harris were arrested on federal corruption charges including conspiring to trade or sell the Illinois Senate seat vacated by President-elect Barack Obama.

Beyond the Bernie Madoff fraud scheme that rocked the Hedge Fund universe, the real systemic risks to deal with in 2009 will continue to be tied to the housing and mortgage sector:

  • Recent statistics suggest that escalating foreclosures provide criminals with the opportunity to exploit and defraud vulnerable homeowners seeking financial guidance.
  • Perpetrators are exploiting the home equity line of credit (HELOC) application process to conduct mortgage fraud, check fraud, and potentially money laundering-related activity.

The Operational Risks in corporate enterprises will be increasing as the economy adjusts and finds its new equilibrium. Hang on for a wild ride in 2009!

15 December 2008

OPS Risk: Tsunami of Fraud...

Just when you think you have avoided the major risk of the credit crisis, HSBC may have been one of many banks exposed to the Bernard Madoff "tsunami of fraud".

Banks and investment funds across the world lined up on Monday to admit investing billions of dollars in the companies of Bernard Madoff, whom U.S. authorities accused of masterminding a massive fraud.

HSBC Holdings was the latest bank to join the growing list, saying it had exposure of around $1 billion (663 million pounds), making it one of the biggest victims of the alleged $50 billion fraud.

Royal Bank of Scotland and Man Group, Japan's Nomura and France's Natixis also said they were hit by the worldwide scandal.

Financial companies, reeling after a year of enormous writedowns on bad credit assets, have so far tallied up more than $10 billion in direct and indirect exposure to the possible fraud by Madoff, the 70-year old trader who was arrested on Thursday.


Last year, HSBC sold its 42-story headquarters tower for $1.1B to Metrovacesa in a smart strategy that has now been extinguished by the likes of a simple and yet enormous Ponzi scheme. A Ponzi is an investment fraud in which profits are promised to investors from fictitious sources. Sounds like a hedge fund. Early investors are paid off with funds raised from later ones. Is there any conservative institution that will be spared from the corporate malfeasance and corruption that has permeated our global systems of finance?

The SEC has issued the temporary restraining order for Madoff and his companies, while this news is drowning out the recent fraud allegations against Marc Dreier:

Dreier was arrested in Canada this month and charged with impersonating a lawyer for the Ontario Teachers Pension Plan. He was released on bail and arrested by U.S. authorities on his return to New York.

Dreier on Dec. 11 was ordered held in custody pending his trial after prosecutors told a federal magistrate that victims of a fraud that started in 2006 have lost $380 million.

If convicted of the securities fraud and wire fraud charges against him, Dreier faces as many as 20 years in prison on each count.

The U.S. Securities and Exchange Commission filed a civil suit against Dreier claiming he stole $38 million from an escrow account set up to hold money for the unsecured creditors of 360networks (USA) Inc., which the firm represented in bankruptcy court.

The movie moguls in Hollywood must be looking at these latest cases to determine if a screenplay might be a worthwhile endeavor. The hundreds of lawyers and other workers impacted by these two incidents alone will no doubt bring out a few who were close enough to the two crooks to be able to provide technical consulting on the projects. The setting in the Hamptons or the Palm Beach Country Club could even bring some really well-known people into the movie picture itself.

Back in May 2008 this blog touched upon the legal ecosystem and the survival of the fittest. Fraud, like other crimes of opportunity, has three common attributes:

  1. A growing supply of motivated offenders
  2. The availability of prospective or ideal targets
  3. The lack of consistent oversight mechanisms—control systems or someone to monitor the business

Beyond the typical motivations for initiating deceptive practices and fraud are the underlying mindsets. "Neutralization" creates the road map for nullifying internal moral objections. The type of fraud is not the issue here as much as that offenders seek to justify or rationalize their actions and methods. The next trend line we will see is the uptick in court filings and the litigation wars for the next few years to come. One fact remains obvious. Organizations large and small will be drawn into these Operational Risk Management challenges without the proper policies, practices and behavior to prevail. In any "legal ecosystem" we know about, the phrase "Survival of the Fittest" comes to mind, and this one will be no different.

26 September 2008

Human Psyche: Transparency of Risk Profiles...

In a July 2008 global Economist Intelligence Unit survey, 71% of the financial services executives admitted that their Enterprise Risk Management (ERM) strategy has not been fully implemented. 59% of the 316 executives say that the current credit crisis has put a high magnification microscope on their risk management activities and strategy.

Corporate executives might think that compliance would be a driving factor behind the need to break down the silos in the enterprise and become a more holistic risk management culture. This could not be farther from the truth. People are the only factor when it comes to addressing culture. However, the failing organizations have it upside down. They have been so focused on the sophisticated mathematics, they have lost sight of what really changes the culture more rapidly and pervasively. Leadership and culture. Human behavior working towards greater transparency of risk profiles and the management of reputation will work miracles compared to the "Hedge Quants" trying to manipulate the algorithms to obtain the desired results. We want to trust the data, but can we? The credit scoring applications can't keep up with the pace of the market changes.

The ERM strategy of the future needs to be focused on changing people's behavior to impact "Reputation", as opposed to just another regulatory hammer to gain compliance. Therefore, Operational Risk Management and enhancing the perception of confidence in the "eye of the customer" will provide the peace of mind that is required to keep the flow of trust in the global markets. The Board of Directors' policy implementation on risk management and developing a culture of ERM to better manage the implications of reputation is the top item on the upcoming meeting agendas.

Most shocking in the survey results is that among financial institutions with $100B in assets or greater, only 55% have someone in the dedicated task of "Chief Risk Officer". This means that 45% do not have a dedicated person who can see the entire ERM portfolio of risk. Institutions under $100B in assets are in even worse shape.

In what is by far the largest bank failure in U.S. history, federal regulators seized Washington Mutual Inc. and struck a deal to sell the bulk of its operations to J.P. Morgan Chase & Co.

The collapse of the Seattle thrift, which was triggered by a wave of deposit withdrawals, marks a new low point in the country's financial crisis. But the deal, as constructed by the Federal Deposit Insurance Corp., could hold some glimmers of hope for the beleaguered banking system because it averts any hit to the bank-insurance fund.

Instead, J.P. Morgan agreed to pay $1.9 billion to the government for WaMu's banking operations and will assume the loan portfolio of the thrift, which has $307 billion in assets. The full cost to J.P. Morgan will be much higher, because it plans to write down about $31 billion of the bad loans and raise $8 billion in new capital. All WaMu depositors will have access to their cash, but holders of more than $30 billion in debt and preferred stock will likely see little if any recovery.


Walking through the halls at the FDIC several months ago, this writer could almost smell the fear that was building. How are we going to deal with the new "tsunami of failed financial institutions" in the coming months? What will the domino effect be on customers' psyche? Now, there are even fingers being pointed at the mechanisms for ensuring transparency to investors and customers:


Ultimately, those who blame fair-value accounting for the current crisis are guilty of the financial equivalent of shooting the messenger. Fair value does not make markets more volatile; it just makes the risk profile more transparent.

We should be pointing fingers at those at Lehman Brothers, AIG, Fannie Mae, Freddie Mac and other institutions who made poor investment and strategic decisions and took on dangerous risks. Blame should not be placed on the process by which the market learned about them.