08 May 2008

Legal Ecosystem: Survival of the Fittest...

The life cycle of monetary policy and financial fraud is being mapped once again, in concert with new investigations into corporate malfeasance. As economic trends run their systemic course, so do the highs and lows of human behavior, producing new schemes to defraud customers, partners and even fellow employees.

Prosecutors in the Eastern District of New York in Brooklyn are stepping up their scrutiny of players in the subprime-mortgage crisis, focusing on Wall Street firms and mortgage lenders, the Wall Street Journal said on its Web site.

A task force of federal, state and local agencies will look into potential crimes ranging from mortgage fraud by brokers to securities fraud, insider trading and accounting fraud, the Journal said.

The Federal Bureau of Investigation is already targeting major corporate insiders and criminal groups in its investigation of fraud in the mortgage lending industry. The FBI has said it is investigating 19 companies in mortgage cases.

The formation of the task force amplifies efforts already under way in Brooklyn, where prosecutors are investigating whether investment bank UBS AG (UBSN.VX) improperly valued its mortgage-securities holdings, the report said.

Also being investigated are the circumstances surrounding the failure of two hedge funds at Bear Stearns Cos (BSC.N), which collapsed last summer because of losses tied to mortgage-backed securities, the report said.

Fraud, like other crimes of opportunity, has three common attributes:

  1. A growing supply of motivated offenders
  2. The availability of prospective or ideal targets
  3. The lack of consistent oversight mechanisms—control systems or someone to monitor the business

Beyond the typical motivations for initiating deceptive practices and fraud are the underlying mindsets. "Neutralization" creates the road map for nullifying internal moral objections. The type of fraud is not the issue here so much as the fact that offenders seek to justify or rationalize their actions and methods. Grace Duffield and Peter Grabosky have captured the four main categories of fraud in their paper, "The Psychology of Fraud."

  • Fraud committed against an organisation by a principal or senior official of that organisation
  • Fraud committed against an organisation by a client or employee
  • Fraud committed against one individual by another in the context of face-to-face interaction
  • Fraud committed against a number of individuals through print or electronic media, or other indirect means

Now the IT departments will be buzzing as they will be under orders to preserve e-mail archives as evidence as soon as notices arrive on the doorsteps of not only the large funding institutions themselves, but the hundreds of organizations in the corporate supply-chain.

The duty to preserve attaches immediately once the company is on notice. Once an investigation or lawsuit is reasonably anticipated or a complaint is received, the requirement to preserve materials attaches and preservation efforts need to be undertaken as soon as possible. There are no cases that provide definitive guidance as to how quickly litigation hold notices must be sent once the duty is triggered, but any such case will be evaluated in hindsight, i.e., after relevant materials have been destroyed, and very little if any delay is likely to be tolerated by the courts.

Let's do some simple math here. Multiply the number of banking branches by the number of mortgage brokers for each branch, then by the number of appraisal firms, and you start to understand the magnitude of the volume of data. While some larger banking institutions have centralized underwriting operations for all of their branches, they still rely on a supply chain of small businesses in the local market to handle the valuations and appraisals of property.

The next trend line we will see is the uptick in court filings and the litigation wars for the next few years to come. One fact remains obvious. Organizations large and small will be drawn into these Operational Risk Management challenges without the proper policies, practices and behavior to prevail. In any "legal ecosystem" the phrase "Survival of the Fittest" comes to mind, and this one will be no different.

"Survival of the fittest" is sometimes claimed to be a tautology. The reasoning is that if one takes the term "fit" to mean "endowed with phenotypic characteristics which improve chances of survival and reproduction" (which is roughly how Spencer understood it), then "survival of the fittest" can simply be rewritten as "survival of those who are better equipped for surviving."

28 April 2008

Corporate Governance: Testing for Organizational Disease...

In our continuing series on Security Governance we now turn to Corporate Governance: Testing for Organizational Disease.

It has been three years since a 25-year sentence was handed down in the Worldcom corporate governance and fraud case, and it's obvious that prosecuting white-collar crime cases is a real challenge.

In the HealthSouth Corp. fraud trial, the jury made a different decision and the CEO was acquitted.

Some lawyers suggested white-collar cases are inevitably difficult to present to jurors, whether they live in Birmingham or New York. "It's different from a drug deal or a bank robbery," said Donald Stern, a Boston attorney who was formerly that city's top federal prosecutor. "It's not obvious that a crime has been committed."


What the Board of Directors and Executive Management do know is that it's time to make some more changes in Corporate Governance initiatives. The relationships with the shareholders are bound to continue to be a challenge for any management team, and they realize that they must create a culture full of ethics and risk management principles.

At the end of the day it comes down to the evidence presented to the jury. And the evidence is typically a presentation of information utilizing forensic methods of discovery. Dr. Thomas R. O'Connor at NCWC has some interesting background on the subject of "Investigative Methods of Forensic Accounting."

Signs of financial crime can be initially detected in a variety of ways -- by accident, by whistle-blowing, by auditors, by data mining, by controls and testing, or by the organization's top management requesting an inspection on the basis of mere suspicion. Ideally, fraud detection ought to be recognized as an important responsibility throughout every organization, and every employee in an organization ought to be familiar with the disciplinary consequences for breach of trust as well as failure to report criminal misdeeds against the organization. On a practical level, however, there are steps to the investigative method used in an organizational context that are far from these ideals, and reaching the "breakthrough" point is more an art than science. It is the purpose of this lecture note to outline the investigative methods and procedures used in most cases.


Red Flags of Organizational Behavior:

1. Unrealistic performance compensation packages -- the organization will rely almost exclusively, and to the detriment of employee retention, on executive pay systems linked to the organization's profit margins or share price.

2. Inadequate Board oversight -- there is no real involvement by the Board of Directors, Board appointments are honorariums for the most part, and conflicts of interest as well as nepotism (the second cousin to corruption) are overlooked.

3. Unprofitable offshore operations -- foreign operation facilities that should be closed down are kept barely functioning because this may be where top management fraudsters have used bribes to secure a "safe haven" in the event of need for swift exit.

4. Poor segregation of duties -- the organization does not have sufficient controls on who has budget authority, who can place requisitions, or who can take customer orders, and who settles or reconciles these things when the expenses, invoices, or receipts come in.

5. Poor computer security -- the organization doesn't seem to care about computer security, has slack password controls, hasn't invested in antivirus, firewalls, IDS, logfiles, data warehousing, data mining, or the budget and personnel assigned to IS. Simultaneously, the organization seems over-concerned with minor matters, like whether employees are downloading music, chatting, playing games, or viewing porn.

6. Low morale, high staff turnover, and whistleblowers -- Low morale and staff shortages go hand-in-hand, employees feel overworked and underpaid, frequent turnover seems to occur in key positions, and complaints take the form of whistleblowing.


As we move forward on strategies for improving ethics and protecting corporate assets, it's clear that educating board members and employees about the symptoms of corporate disease can be a key initiative. That education and awareness program could be the beginning of a whole new era of high-performing companies. And for that matter, the program's effectiveness may be the first test of any organization's health.

06 April 2008

Rule-Set Reset: Evidence Life Cycles...

Here are a few of the "Top of Mind" topics these days at the nexus of Legal Risk and "Defining the New Rules Sets" for Information Management and Digital Forensics. What is a "Rule-Set Reset"?

When a crisis triggers your realization that your world is woefully lacking certain types of rules, you start making up those new rules with a vengeance (e.g., the Patriot Act and the doctrine of preemption following 9/11). Such a rule-set reset can be a very good thing. But it can also be a very dangerous time, because in your rush to fill in all the rule-set gaps, your cure may end up being worse than your disease.

  • The Computer as Witness--What The Courts Allow.
  • Improper and Negligent Records Hold Practices.
  • Calculating Settlement Values in a Digital World.
  • Economics of Electronic Discovery.
  • Evaluating Outside Law Firms: Competing for Client Revenue.
  • Discovering the Legal Value of Electronic Information.
  • Chain of Custody Controls and Vulnerabilities.
  • Logs, Metadata and Backups.
  • Evidence Life Cycle Management.
  • Operational Risks in Existing Corporate Information Management Practices.

These topics and more are worth investing time, resources and manpower for vital learning, education and convergence within the legal department of your institution. Why? Just ask Waters Edge Consulting. Because just preparing for ESI custodian depositions under Rule 30(b)(6) will not be enough for your team to win these days. It's going to take substantially more investment in governance strategy execution within the ranks of the CIO, CSO and General Counsel in the aftermath of the sub-prime "Armageddon."

Today, many organizations have Enterprise Records Management (ERM) systems that provide clear guidelines for data retention and destruction. In addition, organizations facing frequent lawsuits often use Electronic Data Discovery (EDD) vendors and outside counsel to process and review electronically stored information (ESI) during discovery.

Unfortunately, neither solution creates a framework that recognizes all data as potential evidence and puts a consistent methodology in place for handling it efficiently and cost effectively.

Evidence Lifecycle Management (ELM) is such a framework. An ELM system, such as MatterSpace from WorkProducts, provides:

  • Automated identification, preservation, and collection of structured and unstructured matter-specific ESI from all accessible eRecords sources
  • Role-based collaboration and communications that drive all case-specific ESI activities
  • Auditing and reporting of all ESI communications and events, including litigation holds

ELM bridges the gap between ERM and EDD, speeding up ESI delivery while reducing the risk and cost of ESI processing and legal review.


A prudent governance execution strategy would include a ratio of new learning, education and policy development combined with the correct tools and managed services. Yet how do you determine the right recipe for your institution? After all, you are unique and unlike any other organization out there.

The fact is that it has to be customized to your exact size, exposures and vulnerabilities. You first have to establish the baseline and develop the foundation for making the right decisions in the right order. Most importantly, it has to be co-designed with the legal team and the custodians of the information if you are ever to have any chance of success. Underlying all of the dialogue on whom a particular matter relates to and where the information is located is another area that is imperative to the overall resilience of the organization: Continuity of Operations.

At the end of the day, this is what you are really buying. True DataVaulting means exchanging the headaches and liability of maintaining your own backups for the simplicity and convenience of contractually backed Service Level Agreements (SLAs).

Without effective DataVaulting, DRP and overall Continuity of Operations as an underlying foundation for managing the life cycle and longevity of your institution's records, you may already be subjected to the increased risk of fines and non-compliance sanctions from FINRA or the SEC.

The correct Business Resilience Architecture begins with a firm statement of applicability for your institution. The statement of applicability (SOA) is the architectural blueprint that identifies controls that are pertinent to your environment, and explains how and why they are appropriate. The SOA is derived from the output of a comprehensive operational risk assessment and development of an enterprise wide "Early Warning System."

Centre-left leaders from around the world called on Saturday for urgent reform of global financial institutions to prevent a recurrence of the credit crisis.

About a dozen leaders, brought together by Prime Minister Gordon Brown, issued a communique urging the International Monetary Fund to help develop an effective early warning system to guard against financial risks to the global economy.

Australian Prime Minister Kevin Rudd said the world had to learn the lessons from the credit crisis, sparked eight months ago by massive default on U.S. sub-prime mortgage debt.

"Too often in the past when these sorts of events have occurred ... the lessons are lost. The lessons must be learned and applied, otherwise we will face a very rocky future indeed," Rudd told a news conference after the "Progressive Governance" conference outside London.

The leaders, also including South African President Thabo Mbeki, New Zealand Prime Minister Helen Clark and Austrian Chancellor Alfred Gusenbauer, gathered just before key Group of Seven and IMF meetings in Washington next week which will discuss the financial turbulence.

Also attending were the heads of the IMF, World Trade Organisation (WTO), the African Development Bank and several U.N. agencies.

31 March 2008

Volatility: Enemy #1...

Organizations implement Operational Risk solutions to lower "volatility" in earnings growth and return on capital. The focus on volatility is because no institution likes to see peaks and valleys in its earnings or its return on capital. A steady and consistent growth curve without "Volatility" is the goal of many steadfast organizations.

Contrary to the goal of minimized "volatility" there are also those who feed off of the chaos and the large swings between these highs and lows in the marketplace and with specific companies in vital sectors of the financial economy. Will a Blueprint for Regulatory Reform be the answer?

As a hedge fund investor, can you explain what the strategy is for your investment fund? Do you know what your money is being invested in? Does your hedge fund manager provide transparency on calculating your return on funds invested? What was the reason you invested in alternative investments to begin with?

Carrying this analogy to the operational processes within your organization, the goal is to keep the processes running smoothly. When people or systems deviate from the agreed-upon "Rule Sets," change ensues, along with volatility in the performance measures. Errors, omissions and systemic "glitches" are the catalysts of volatility that create fear, uncertainty and doubt. Do you understand the math? When the process gets to this stage and people don't trust the rules anymore, you are on the brink of a failure and impending loss, in dollars or in people's lives.

Operational Risk Management is a discipline that is emerging in corporate ranks because it has already proven that it saves lives. The regulators and inspectors general are going to demand it. The "Rule Sets" of doing business in the financial, health care and energy sectors are not the only ones being subjected to this increased scrutiny and renewed focus on OPS Risk. Now the Defense Industrial Base (DIB) and the Defense Department are under increased oversight at the highest echelons of the Pentagon as a result of a failure in Operational Risk Management.

Last week, the Department of Defense learned that four non-nuclear nose cone assemblies and their associated electrical components for a ballistic missile were mistakenly shipped to Taiwan in the fall of 2006. These items were originally shipped in March 2005 from F.E. Warren Air Force Base in Wyoming to the Defense Logistics Agency warehouse at Hill Air Force Base in Utah. There are no nuclear or fissile materials associated with these items.
Upon learning of the error, the U.S. government took immediate action to acquire positive control of the components and arranged for their safe and secure recovery to the United States. These items have now been safely returned to the United States.

Lessons learned are being discussed in the ranks of the U.S. Treasury Department and the Department of Defense all relating to the failure of people, processes, systems and or external events. Operational Risk is all around us and now ready for prime time focus in terms of strategy execution, implementation and measurement.

Whether you utilize Operational Risk Management (ORM) in the Defense Industrial Base or in the Financial Services sector it's important to revisit what it is NOT:

Operational Risk is Not:

  • About avoiding risk
  • A safety only program
  • Limited to complex-high risk evolutions
  • A program -- but a process
  • Only for on-duty
  • Just for your boss
  • Just a planning tool
  • Automatic
  • Static
  • Difficult
  • Someone else’s job
  • A well kept secret
  • A fail-safe process
  • A bunch of checklists
  • Just a bullet in a briefing guide
  • “TQL”
  • Going away

The goal of Risk Management is not to eliminate risk, but to manage risk so the mission can be accomplished with minimum impact. We manage risk to operate, not avoid risk as a means to prevent loss.


27 March 2008

Offshoring Risk: Increased Fed Oversight...

The risk of offshoring is a growing concern. If this study by Deloitte is correct, your valuable and private financial information is likely to be offshore already.

Deloitte estimates that $356 billion, or 15 percent, of the financial service industry's current cost base is expected to move offshore within the next five years. Further, the range and number of offshored job functions within individual institutions is expected to increase, with the average number growing from two to four functions per institution. In particular, the traditional focus on IT alone, which accounts for 70 percent of current offshore activity, will change to a business-process emphasis. Competitive pressures are the primary motivator for financial institutions to move higher-risk functions offshore.


The banking industry has a list of Offshoring Risks that is in need of greater care and oversight.

Domestic outsourcing and offshoring share most risk characteristics. However, the more complicated chain of control incurred when offshoring financial services and related data may create new risks when compared to domestic outsourcing. Offshoring also introduces an element of country risk to the outsourcing process. In particular, geographic distance from the function and timing lags in reporting heighten the potential risk exposures. Significant offshoring risk areas include:

Country Risk: political, socio-economic, or other factors may amplify any of the traditional outsourcing risks, including those listed below.

Operations/Transaction Risk: weak controls may affect customer privacy.

Compliance Risk: offshore vendors may not have adequate privacy regulations.

Strategic Risk: different country laws may not protect "trade secrets."

Credit Risk: a vendor may not be able to fulfill its contract due to financial losses.

It is currently standard FFIEC examination procedure for examiners to review outsourcing arrangements during examinations. Part of a standardized procedure should include:

  • Identifying and reviewing contracts between financial institutions and data service providers that allow for subcontracting or subsequent outsourcing to occur;
  • Determining whether subsequent outsourcing has in fact occurred as indicated in the contract or outside the terms of the contract;
  • Determining if the financial institution is aware of the subsequent outsourcing and the location of the outsourcing; and
  • Determining if the financial institution has procedures for monitoring all outsourcing arrangements to ensure adequate controls are in place or the service provider has proper procedures and controls to monitor their outsourcing arrangements.


We recommend that your CSO, CCO and General Counsel revisit your last audit on high-risk outsourced relationships such as customer-database work, including mortgage servicing and customer-assistance/help-desk services.

18 March 2008

Information Risk: The Zeros & Ones Don't Lie...

The Bear Stearns implosion has been predicted as a casualty of failed hedge funds. These entities are less regulated than banks and don't have to keep a minimum capital reserve. The limits on the amount of leverage they utilize can sometimes come back to burn you.

Angry Bear Stearns Co Inc shareholders have wasted no time in bringing legal claims following the company's stunning stock collapse and $2-a-share fire sale to JPMorgan Chase & Co.

At least one federal lawsuit in New York seeking class-action status for alleged securities fraud was filed on Monday by an investor contending the company hid its true financial condition from shareholders.


"Who Knew What When" is the focus of the legal mechanism now in full swing as investigators at the SEC and other federal regulators begin their forensic examinations and interviews. Eliot Spitzer is finally a back story after his demise in the FinCEN money laundering investigation:

But what really snared Spitzer was a money laundering investigation that was flagged by suspicious activity reports (SARs) that banks have to file with the Treasury to surface everything from money laundering to terrorist activity. This network has been around for a while, but its importance escalated following the Sept. 11, 2001 terrorist attacks. According to the FBI’s charges the prostitution ring that counted Spitzer as a customer was investigated due to some shady bank accounts, checks and wire transfers with big totals ($39,000, $400,000 and others).

The nexus of eDiscovery, Data Mining and Operational Risk Management are in the news as these incidents are unraveled. The information and evidence from the data analysis will reveal the truth and those caught shredding documents or deleting files will no doubt become part of one of these inquiries.
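As an added illustration of how the suspicious-activity reporting described above is driven by the data itself, here is a small Python example (not part of the original post, and not any bank's or FinCEN's code) that runs two detection rules over constructed transaction records: a single-item rule for large wires and checks like the totals quoted above, and a per-account, per-day aggregate rule that goes slightly beyond the post by catching several smaller items that together reach the same threshold. The record layout, the account names and the $10,000 review threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


# Constructed sample records, not real bank data; the field layout is an assumption.
@dataclass(frozen=True)
class Txn:
    txn_id: str
    day: date
    account: str
    kind: str      # "wire", "check" or "cash"
    amount: float  # USD


SAMPLE_TXNS = [
    Txn("t1", date(2008, 3, 3), "acct-A", "wire",   39_000.00),
    Txn("t2", date(2008, 3, 3), "acct-B", "check", 400_000.00),
    Txn("t3", date(2008, 3, 4), "acct-C", "wire",    4_900.00),
    Txn("t4", date(2008, 3, 4), "acct-C", "wire",    4_800.00),
    Txn("t5", date(2008, 3, 4), "acct-C", "cash",    1_500.00),
    Txn("t6", date(2008, 3, 5), "acct-D", "check",     250.00),
]

# Assumed review threshold for this illustration; a real program takes it
# from its compliance policy, not from a constant in the code.
REVIEW_THRESHOLD = 10_000.00


def flag_large_transactions(txns, threshold=REVIEW_THRESHOLD):
    """Return ids of single transactions at or above the threshold."""
    return [t.txn_id for t in txns if t.amount >= threshold]


def flag_aggregate_by_account_day(txns, threshold=REVIEW_THRESHOLD):
    """Return {(account, ISO day): total} for account-days whose combined
    activity reaches the threshold although no single item in that
    account-day does, so the separate items get reviewed together."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t.account, t.day)] += t.amount
    large_single = set(flag_large_transactions(txns, threshold))
    flagged = {}
    for (account, day), total in totals.items():
        if total < threshold:
            continue
        items = [t for t in txns if t.account == account and t.day == day]
        if any(t.txn_id in large_single for t in items):
            continue  # already caught by the single-transaction rule
        flagged[(account, day.isoformat())] = round(total, 2)
    return flagged


def build_review_queue(txns, threshold=REVIEW_THRESHOLD):
    """Combine both rules into (reason, account, day, amount) rows sorted by
    amount, highest first, for an analyst to work through."""
    by_id = {t.txn_id: t for t in txns}
    queue = []
    for txn_id in flag_large_transactions(txns, threshold):
        t = by_id[txn_id]
        queue.append(("large_single", t.account, t.day.isoformat(), t.amount))
    for (account, day), total in flag_aggregate_by_account_day(txns, threshold).items():
        queue.append(("aggregate_day", account, day, total))
    return sorted(queue, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for row in build_review_queue(SAMPLE_TXNS):
        print(row)
```

Run on the constructed records, the queue lists the $400,000 check and the $39,000 wire first, then acct-C on 2008-03-04, whose three items sum to $11,200 although none of them alone crosses the threshold. The point for an operational risk team is that the second rule only works if the underlying records are complete and preserved; deleted or missing items would silently lower the totals.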

Even today at 2AM JP Morgan Chase was searching Google with the terms "information operations risk management" and landed here on this Operational Risk Management Blog. Then they "Out Clicked" to A Defensible Standard of Care in hopes of finding answers to their questions.

The lawsuits and the lawyers are busy these days with the Federal Rules of Civil Procedure (FRCP) as they defend ongoing data breaches and bad behavior by employees and interested third parties:

A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday.

Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.

The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

The company is aware of about 1,800 cases of fraud reported so far relating to the breach.


If the latest economic studies are correct, that's going to cost about $98.00 per record on the low side when it comes to the amount of money that these organizations will spend (unless insured) to clean up this operational risk related incident.

New York State has a new Governor at the same time the Bears are descending on Wall Street:

David A. Paterson became New York’s 55th Governor on March 17, 2008. In his first address as Governor, Paterson spoke about the challenges New York faces and his plan for New York’s future.

This month it's New York in the news, but our prediction is that California will soon be next to capture the nation's headlines. The legal buzzards are soaring overhead...

06 March 2008

Policing The Globe: Transnational Risk...

The nature of transnational crime today can be broken down into three fundamental steps: Collection, Monetization and Laundering. This is nothing new, yet the evolution of "Policing The Globe" has made dramatic leaps in the past few years. New Legal Attachés (Legats) and Memorandums of Understanding with INTERPOL and other national law enforcement entities have created increased coordination and cooperation across borders and continents.

Data warehousing, convergence of records data and more sophisticated methods for link analysis from companies such as i2 have made the detection and investigation of potential incidents more effective.

When the Collection phase is focused on harvesting Personally Identifiable Information (PII) for the purpose of ID theft using botnets or other cyber-related ploys, the consumer will consistently suffer the direct effects. The retail banking institutions will be the ultimate target of the next phase of the criminal life cycle, the Monetization phase.

Using PII to gain access to bank accounts is taking on different forms these days, especially during times of economic hardship. The HELOC refinancing trends are upon us, and at the same time the unsuspecting homeowner may be giving up vital equity that still exists in their loans or lines of credit to criminal elements. Once any of these scams and frauds are completed, the funds are quickly turned into cash using wire transfers, ACH or even the old reliable ATM, using third parties. And it doesn't even have to go this far, when you can sell PII for cents or dollars per record depending on its quality and whether the targets have a stellar credit score or deep equity.

And finally we find that the funds are turned around into other business ventures to help conceal the source or origin of the proceeds, so that the money goes through the inevitable Laundering phase.

Now let's look at it through the lens of an OPS Risk perspective.

"Pirates, bandits, and smugglers have bedeviled governments since time immemorial. Politicians and media today obsess over terrorism and trafficking in drugs, arms, people and money. Far less is said or known, however, about the expanding global reach of the police, prosecutors, and agencies like Interpol and Europol charged with targeting transnational crime."

Peter Andreas and Ethan Nadelmann in their book, "Policing The Globe: Criminalization and Crime Control in International Relations" provide analysis and bridge the connections between justice and politics.

To what degree does your institution actually initiate proactive due diligence on your own, to try and identify who is attacking your organization or your assets? The nexus with Operational Risk has to do with the legal compliance and transnational agreements with other nations on what the "Rules of the Game" are for privacy, investigations and obtaining evidence. More importantly what are the coordination and cooperation activities with your own domestic and the foreign jurisdictions for a prosecution strategy, especially if you have employees and operations in-country?

This morning an explosive device was detonated in front of a defense recruiting office in Times Square, New York City by a bicyclist. This incident could be a precursor to a potential terrorist suicide attack or most likely, just a disgruntled war activist. A few days earlier, domestic Ecoterrorism is suspected in the burning of three high value homes in the Seattle, Washington area.

"The mention of a bicyclist raised possible links to a May 2005 bombing at the British Consulate and an Oct. 26 explosion at the Mexican Consulate," the New York Daily News notes. "In both cases, police said, the suspect was possibly riding a bicycle when hollowed-out grenades - filled with black powder and a fuse - were tossed into the consulates. No arrests were made in those attacks."

Whether the ID theft crimes are committed online, collecting zeros and ones from unsuspecting consumers or businesses without the proper controls in place, or through direct physical attack on specific or symbolic assets, the transnational question is in the forefront of many people's minds.

While it's too early to try and connect these two incidents to the same individuals or to countries outside the United States, one thing is certain. The laws, tools and capabilities of International Law Enforcement are accelerating at a more rapid pace, as new operational risks emerge on a global scale. Politics will in some cases, try to influence the agenda and to unleash sanctions that diplomats and State Departments will work on collaboratively to achieve preemptive law enforcement agendas.

Here then are some of the steps the State Department said Barbados had taken in recent years to prevent fraud and money laundering:

  • Extended the money laundering laws to cover offenses other than those involving drugs.
  • Forced financial institutions to report suspicious transactions that may involve criminal activities, such as terrorism.
  • Enabled the police to pursue "all potential prosecutions" of money laundering.
  • Placed the burden of proof on accused persons to demonstrate that property in their possession was "derived from a legitimate source". Failure to do so could lead to a presumption that it was acquired through illegal means.

The transnational ecosystem of crime control and international relations will continue to be a challenging arena for global enterprises. Ensuring that Operational Risk Teams are well equipped to provide assistance to investigators, law enforcement and government agencies is essential. Simultaneously preparing your employees for their inevitable exposure to these cases, law suits and incidents is a proactive strategy executives are actively investing in.

Liechtenstein remains vulnerable to money-laundering despite efforts by authorities to tighten regulations, International Monetary Fund and Council of Europe experts said Wednesday.

The tiny Alpine principality, currently at the heart of an international tax evasion scandal, offers "discreet and flexible legal structures, strict bank secrecy and favourable tax arrangements," the IMF said in a report.

Around 90 percent of Liechtenstein's financial services business is provided to non-residents, it noted.

"By its nature, Liechtenstein's financial sector business creates a particular money laundering risk," the IMF said.


27 February 2008

Lessons Learned: The Impact of Executive Decisions...

In times of economic downturn the Operational Risks within your institution will begin to rise. Enron, Worldcom and HealthSouth are a few of the names people recognize as the major casualties of the last significant dip in our economy. When times get tough, people get desperate and try to keep the schemes and any red flags from being discovered.

So what are some of the areas that Operational Risk encompasses?

  • Internal Fraud - bribery, misappropriation of assets, tax evasion, intentional mismarking of positions
  • External Fraud - theft of information, hacking damage, third-party theft and forgery
  • Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety
  • Clients, Products, & Business Practice - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
  • Damage to Physical Assets - natural disasters, terrorism, vandalism
  • Business Disruption & Systems Failures - utility disruptions, software failures, hardware failures
  • Execution, Delivery, & Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets

Cynthia Cooper has written a new book "Extraordinary Circumstances: The Journey of a Corporate Whistleblower" about her honorable quest to find the truth at Worldcom. Her quote in the March/April issue of Fraud Magazine says it all:

"Listen to your instinct. If people are acting out of character or appear to be working to head you in another direction, step back and ask yourself why. Continue to ask for support and dig until you're satisfied that you've gotten it right."

Beyond Cynthia's first-person account, which gives the reader her emotional perspective, Operational Risk Management professionals realize that their role and the job they have been trained to do is not always a "Pleasant" experience. This is why all of the training and education is so important and the rehearsals are absolutely imperative. Testing, evaluating and testing some more is the norm. Understanding what "Normal" looks like takes time and persistence. Yet without it, our horizon for positive change could be in jeopardy.

With many of the "Lessons Learned" books now published from the last economic dip, who will be next to blow the whistle or expose the real risks that some companies are hiding from the Board of Directors and the shareholders? The class action lawyers are even gathering their evidence on the possibility of cashing in on predatory lending practices:

A federal appeals court is nearing a decision on a battle between Chevy Chase Bank and a Wisconsin couple that could for the first time enable homeowners across the country to band together in class-action lawsuits against mortgage firms and get their loans canceled.

The case is alarming Wall Street's biggest banks, which could bear the hefty cost of reimbursing all mortgage interest, closing costs and broker fees to groups of homeowners who uncover even minor mistakes in their loan documents. After a federal judge in Milwaukee ruled last year that the Wisconsin couple had been deceived and other borrowers could join their suit, Chevy Chase Bank appealed to the circuit court in Chicago.

So what we have are markets that are volatile. Bankers who are raising the stakes for borrowers. And naive consumers who are facing higher prices across the board. The time for increased vigilance is in front of us all. From the Board Room to the Court Room it's time that we spend more time looking at the interdependencies and realize that risk is more than a prediction.

During these times, it's worth revisiting this post on Fear: The Elements of Prediction.

21 February 2008

Hedge Funds: Focus on Sound Practices...

So what is on the mind of Hedge Fund Managers in these days of "volatility" and uncertainty? After all, the CFOs and COOs at hedge funds and funds of funds must have some questions about best practices for auditing their funds' operations and mitigating the most common forms of operational risk.

Top industry practitioners and industry advisors will discuss these topics at THE HEDGE FUND OPERATIONAL RISK MANAGEMENT SUMMIT: Strategies for Stress Testing and Hedging Operational Risks:

  • New auditing standards – an operational due diligence checklist
  • Methods for attaining greater transparency while protecting strategies
  • Financing your operations – key considerations for managing operational risk
  • Implementation of disaster recovery strategies
  • The role of operational due diligence in your risk management strategy
  • Current issues in regulation and compliance
  • Updates on tax risk management and international tax compliance
  • Understanding methodologies for hedge fund ratings
  • ERISA – new info for hedge fund operations
  • Best practices for managing counterparty risk

The speakers and panelists are prominent leaders in banking, alternative investments and the usual suspects of lawyers and accountants. Yet there is one item in the list that stands out: the topic of ERISA and new info for hedge fund operations. Among other things, ERISA provides that those individuals who manage plans (and other fiduciaries) must meet certain standards of conduct. The law also contains detailed provisions for reporting to the government and disclosure to participants. There also are provisions aimed at assuring that plan funds are protected and that participants who qualify receive their benefits.

Hedge Fund CxOs are thinking more about implementation of disaster recovery strategies. We know that they have been planning for it since the day the doors opened somewhere in Greenwich, yet now the vital topic of "Implementation" is at the forefront of the discussion.

In the context of Operational Risk Management with hedge funds, the goal is no different even while the feds may not have all the new regulations in place or the laws on the books. After all, the industry as a whole is just now getting its new leader in place to lobby "The Hill". The Managed Funds Association (MFA) has announced its new President, Mr. Baker.

Oversight and transparency will be a continuous topic for regulators. Yet with several trillion dollars in assets under management, there are some important and vital practices that will gain momentum within the ranks of the Alternative Investments Industry.

We are pleased to see that Section I of the MFA Sound Practices Guidance includes Information Technology Controls:

The Recommendations also include information technology (“IT”) guidance in order to control changes to any software applications, data, and IT infrastructure and to maintain proper security therein. Finally, the Recommendations in Section 1 provide guidance on relationships with third-party service providers that perform key business functions, such as calculating net asset value (“NAV”) or monitoring risk.

And beyond the normal rules around "Ethics" and best practices associated with the code of conduct in the financial services industry, Hedge Funds must realize that they are not hedging their Operational Risk by outsourcing to third parties. They are still responsible for the oversight of these third parties and the extent to which they are in compliance with all federal and state laws.

V. PERFORMANCE OF INVESTOR IDENTIFICATION AND
OTHER AML PROCEDURES BY THIRD PARTIES

A. Relationships between the Hedge Fund Manager and Third Parties

This section should address the fact that the U.S. Department of Treasury has recognized the ability of a Hedge Fund or Hedge Fund Manager to contractually delegate the implementation and operation of certain aspects of its AML compliance program to third parties (e.g., fund administrators, IAs, CPOs, CTAs, broker-dealers, and futures commission merchants), although the Hedge Fund and Hedge Fund Manager remain fully responsible for the program.

With so much riding on the hedge fund industry and its importance to the performance of the markets, it's everyone's wish that the CxOs implement robust compliance and ethics programs to support their Operational Risk Management Frameworks.

12 February 2008

Business Survival: Anticipating Breakpoints...

"The final plunge of the most powerful and dreaded firm on Wall Street in the roaring eighties came with astonishing speed. Like the abrupt fall of the Berlin Wall thousands of miles away, the collapse suddenly confirmed what everyone in the financial world could already feel in the wind: A new era had arrived."
Business Week cover story on 2.26.90

Many excellent companies have fallen from grace, not because they ignored their customers or lacked superior management skills, but because business conditions shifted beneath them. In an environment of fluctuating markets, proliferating technologies, and changing political frontiers, the management challenge is no longer to manage only growth. Now managers must cope with breakpoints, or sudden shifts in the rules of the game.

So has this deja vu moment reminded us that the Drexel Burnham Lambert implosion could be replaced with a new corporate name in the year 2008? Junk bonds were a financial instrument that was utilized for leveraged buyout financing. Then a "Breakpoint" occurred. Paul Strebel in his 1992 book entitled "Breakpoints: How Managers Exploit Radical Business Change" explains:

"Breakpoints, or sudden radical shifts in the rules of the business game, may shape the course of an industry, or of a company, but they need not be as dramatic as the junk bond story."

If you are the Chief Risk Officer (CRO) at a major institution facing sleepless nights these days then you are not alone. Just make sure that you "Tivo" the moment so that you can replay it in another decade, around the year 2015. If the last major breakpoint took 18 years then the next one should occur in about half the time. Do you have your finger on the pulse of change and potential breakpoints in your organization? Can you anticipate the next one in time to have the correct actions and plans to mitigate the impact on your enterprise?

Certainly there will always be those incidents and crises that are unknown and sudden. And how you recover during these times could save your reputation:

ZURICH (Reuters) - Credit Suisse (CSGN.VX: Quote, Profile, Research) trimmed full-year subprime writedowns to 2.0 billion Swiss francs (932 million pounds) but its stock fell as investors took fright at the bank's remaining exposure to the credit crisis.

The bank also reported a 49 percent fall in fourth-quarter profit from continuing operations to 1.33 billion francs, slightly below analysts' expectations, as losses in its huge asset management business eroded results.

Subprime writedowns in the fourth quarter were 1.26 billion francs, Credit Suisse said, though hedging earlier in the year had helped it lower its full-year charges for bad credits from an estimate of 2.2 billion francs made earlier.


The Blackberry mobile e-mail service has returned to normal after a breakdown on Monday afternoon wiped out the service across the US and Canada.

The Blackberry device, owned by Canadian firm Research in Motion, is popular among business people who rely on it to keep in touch with the office.

The service began to fail at about 1530 EST (2030 GMT) and users struggled to retrieve information for three hours.

The firm said no messages were lost and apologised for the problems.


Whether the CRO encounters the wrath of financial instruments at a breakpoint in the marketplace or hours of downtime on the corporate lifeblood of information exchange does not matter. Operational Risk is pervasive and creates discontinuity that impacts employees, customers and shareholders. The only answer is a resilient framework for anticipating and addressing "Change" or, in other words, incidents.

Having a taxonomy for change in your organization is imperative to gaining insight on potential incidents, whether they be high-frequency, low-consequence or low-frequency, high-consequence events. So what is the potential aftermath without this taxonomy?

  • Companies have myopia in viewing the actual breakpoint in front of them
  • The company fails to capture the opportunity and exploit the breakpoint
  • A rare company actually creates a competitive breakpoint

The analysis within your organization begins with understanding which tools your adversaries are utilizing to exploit your vulnerabilities. Your future Business Survival depends on it.

05 February 2008

ESI Lessons Learned: CREDO & Qualcomm...

Qualcomm Inc. v. Broadcom Corp., Case No. 05cv1958 (BLM) (S.D. Cal.), issued by the U.S. District Court for the Southern District of California on January 7, 2008, should be a major wake-up call for corporate litigants. This case is about electronically stored information (ESI) and the ability to manage and produce the correct records at the time requested.

Evidence Lifecycle Management (ELM) is imperative in the context of Governance Strategy Execution within the halls of corporate legal departments. Having an Operational Risk Framework to address legal matters is the "Holy Grail" for many Audit Committees of global Fortune 50 institutions and the General Counsel. What are some of the elements of enterprise ELM? To start:

  • Automated identification, preservation, and collection of structured and unstructured matter-specific ESI from all accessible eRecords sources
  • Role-based collaboration and communications that drive all case-specific ESI activities
  • Auditing and reporting of all ESI communications and events, including litigation holds

Duane Morris LLP has this to say about the Qualcomm case:

Emphasizing that it is the responsibility of attorneys (both in-house counsel and retained counsel) to make certain that their clients carry out an effective and comprehensive document search, the court noted that "[p]roducing 1.2 million pages of marginally relevant documents while hiding 46,000 critically important ones does not constitute good faith and does not satisfy either the client's or attorney's discovery obligations." The court suggested that in-house counsel have a duty to confirm the veracity of any signed papers produced during discovery.

The district court's solution was to order Qualcomm to implement a "comprehensive Case Review and Enforcement of Discovery Obligations ('CREDO') program" which, at a minimum, includes:

(1) identifying the factors that contributed to the discovery violation, (2) creating and evaluating proposals, procedures, and processes that will correct the deficiencies identified in subsection (1), (3) developing and finalizing a comprehensive protocol that will prevent future discovery violations, (4) applying the protocol that was developed in subsection (3) to other factual situations, such as when the client does not have corporate counsel, when the client has a single in-house lawyer, when the client has a large legal staff, and when there are two law firms representing one client, (5) identifying and evaluating data tracking systems, software, or procedures that corporations could implement to better enable inside and outside counsel to identify potential sources of discoverable documents, and (6) any other information or suggestions that will help prevent discovery violations.

The court ordered that the attorneys submit a proposed protocol for the court to evaluate and revise, if necessary. While the district court's immediate goal was to remedy this specific instance of misconduct, the court hoped that its opinion would be a "road map" for electronic discovery and would "assist counsel and corporate clients in complying with their ethical and discovery obligations and conducting the requisite 'reasonable inquiry.'"

The risk associated with non-compliance with the Federal Rules of Civil Procedure (FRCP) is a major facet of Operational Risk Management. The fusion of the Corporate Governance Strategy Execution comes together with a dedicated internal "Task Force" inside the enterprise. Composed of the General Counsel, CIO, CISO and VP of Human Resources, this team provides the mechanism for effective policy implementation and operations accountability. The mission is to carry out the fiduciary duty to create a culture of legal compliance within the organization.

The Board of Directors has learned its lesson from turning over the entire process to outside counsel. The trend of outsourcing the many tasks and duties assigned to the discovery and admissibility of ESI is coming to an end. Soon the General Counsel will be standing up the internal "Task Force" to identify and produce ESI in a reliable and cost-effective manner. The trend is gaining momentum and law firms are getting more "Requests for Information" (RFI) on their true electronic discovery capabilities.

Establishing "A Defensible Standard of Care" within the enterprise continues to be the ultimate goal. While some law firms have started to offer services to determine the readiness of their clients for large ESI cases, more corporate institutions are reversing the economic process associated with E-Discovery and asking:

"What are the Electronic Discovery Capabilities of our outside counsel?"

29 January 2008

OPS Risk Case Study: Societe Generale

In the aftermath of alleged fraud at French bank Societe Generale the Operational Risk Management team are shaking their heads. Was this an internal fraud? In analyzing the timeline of events so far, one has to read between the lines:

Preliminary charges have been filed against Jerome Kerviel, the trader blamed for huge losses at French bank Societe Generale.

He will be investigated for breach of trust, falsifying documents and breaching computer security - but not for fraud.

His lawyer, Elisabeth Meyer, called the judges' decision a "great victory" as Mr Kerviel was released on bail.

Societe Generale says his actions cost it 4.9bn euros ($7bn; £3.7bn).

Under French law, a formal investigation does not automatically guarantee that a trial will follow.

Societe Generale and Paris prosecutors had been pressing for a more serious charge of fraud against Mr Kerviel, but this accusation was thrown out by the judges tasked with investigating this case.

Risk Management 101 and "Segregation of Duties" will be at the forefront of OPS Risk discussions as the facts come out from the digital forensics examinations. The "Insider" has once again made the headlines and the book of lessons learned:

He said Mr. Kerviel claimed to have made his first fictitious transactions at Société Générale in late 2005, shortly after moving to the bank’s trading desk from a previous job in the risk-management department.

Three years ago it all began. And so goes the typical story line in the epic tales of fraud in the years past and the decades to come. Effective oversight and risk management walks a fine line between enabling innovation and insight and mitigating errors, omissions and significant losses. One thing is certain: the "Insider" threat in your organization exists today, tomorrow and next week. It's not going away regardless of the number of controls, personnel or systems put in place to eradicate its existence in your institution.

Whether this incident will end up in the Fraud Museum is yet to be determined. What is more certain is that traders around the globe are under a new spotlight and renewed scrutiny by oversight investigators. The goal now is to make sure that the combination of people, processes, and systems is fine-tuned to the right tolerance levels and triggers for alerts. Only then will the correct balance occur between risk and reward.

What will certainly be an outcome of the investigation is the number of other people that will be implicated, either directly or indirectly by the incident itself. Stay tuned to this "Operational Risk Management" case study for more lessons learned.

17 January 2008

IPR Risk: Beijing Olympics 2008 & Beyond...

The global corporate security directors have been planning for the 2008 Olympic Games in China for well over a year now. Company employees of Fortune 500 institutions who are in the intellectual property and branding departments have been working feverishly for even longer. What do the two have in common?

Safety, Security and Intellectual Property Rights (IPR) Protection to name a few. The stakes are tremendous and the world's stage for sports and marketing is coming soon to a web site, cell phone and e-mail in your control. These Operational Risks are growing especially to Corporate Travelers and other Executive Management who have engaged in negotiations and business deals for the past 24 months. Let's put some of this into context:

China Customs is committed to providing Beijing Olympic Games with good service in all respects and is entitled to conduct control over Olympic materials entering or leaving China Customs territory (hereafter referred to as the territory) in accordance with relevant laws and regulations. This notice applies to the completion of Customs formalities and the payment of Customs duties and the taxes collected by Customs on behalf of other government departments for importation of all materials entering or leaving the territory (hereafter referred to as the inward and outward materials) for the Olympic Games, Paralympics, testing-games, torch relay and other related activities during Beijing Olympic Games and its preparation period. The time for Beijing Olympic Games and its preparation period refer to the time starting from January 1st, 2007 to October 17th, 2008.


This is a facet of the puzzle that corporate marketing and operations management have ironed out for the most part. However, what is being addressed from another Intellectual Property perspective is another question. The Digital Age is certainly upon us and this brings a heightened sensitivity to the strategy for employees who plan on visiting China, before, during and after the Olympic Games in 2008.


Companies often have negotiated contractual obligations to protect confidential and trade secret information of customers, vendors, and business partners. Companies aggressively guard against theft or loss of intellectual property, however, the loss of sensitive employee and customer information can be just as damaging. Lose trust with your customer and you may lose the customer. Additionally, the media and public are paying increased attention to privacy breaches. Companies risk significant public embarrassment—not to mention potential litigation—if they fail to appropriately safeguard private and confidential information. Courts nationwide are also taking an increasingly intolerant view of companies that fail to take reasonable efforts to protect sensitive employee and customer data. The digital age has significantly increased the risk of data losses.


Security Advisory and OPS Risk Consulting firms have been gearing up for challenges global corporations face in the next six months. Increasing awareness, educating and training employees while testing the soundness of legal and security policies is just the beginning:


“The next wave of global coordinated attacks blends physical, logical and cyber exploits – specifically targeting high-value intellectual property and customer information around the world,” said Watters, iSIGHT Partners’ Founder, Chairman & CEO. “This trend will dominate the future threat landscape.”


John Watters knows the stakes and understands the magnitude of the digital challenges faced by corporate entities across the globe. In the wake of the speeding boat towards brand presence and intellectual property rights management, lies another common and misunderstood threat. It's called "guanxi".


Understanding this threat in its context and relevance to corporate stakeholders is vital. The focus on developing a vigilant strategy for interacting with business partners in China is imperative. Prudent CSOs and GCs are well on their way to rolling out the legal programs and security management training to mitigate the risks to their employees and their precious corporate secrets. This is the result of some very well known cases involving counterfeiting and enforcement of trademarks and intellectual property.

What might be less well known is how digital information is being removed without your knowledge from devices such as laptops, cell phones and PDAs such as a Blackberry while you walk through the hotel lobby or the airport waiting area. Here is some easy advice and a simple strategy as you contemplate your itinerary for the Olympic Games. Leave it at home, locked up in your corporate office.

11 January 2008

Fraud Preemption: Global Integrity Management...

The top ORM challenges for 2008 are starting to emerge. Oprisk & Compliance has its top ten and we would agree with most of them, especially "Legal Risk" in light of the growing subprime exposure. Our forecast is for continued convergence of the risk management functions within the institution, along with increased automation in places where human-based tasks can produce errors. These same trends will continue as we investigate the qualitative components of analyzing risk.

Analysis of qualitative data by quantitative methods is a tremendous opportunity for the Operational Risk Management profession. And for the bottom line. HSBC has invested heavily in understanding customer behavior through new systems initially designed for fraud detection and now being leveraged beyond compliance to address more effective customer service. Getting to top line revenue discussions from the center of OPS Risk units is now a given. A single framework to reduce IT systems costs while simultaneously providing new found Market Intelligence is the latest game plan.

The U.S. regulatory environment is going to get a new injection of investigators, forensic accountants and aggressive federal oversight not seen for many years. The writing is on the wall already for the hedge fund industry. They are already gearing up with the potential hiring of a political heavyweight to head up their industry non-profit on Capitol Hill.

Hedge funds are multimillion-dollar investment pools designed for wealthy individuals. They have grown enormously in recent years, collecting more than $1 trillion, seizing control of underperforming companies and increasingly drawing money from gigantic pension funds, including those of government employees. There are about 9,000 hedge funds in the country.

For years, they barely registered on the Washington agenda. But now that they are so large and aggressive, federal regulators, state authorities and lawmakers have been clamoring to learn more about them, including whether fraud and risky trading flourish in their secretive operations.


In the traditional consumer banking sector, customers are leaving in droves the institutions that have not implemented multi-factor authentication. The fact is that criminals have moved online and their fraud schemes are growing exponentially, except in places like Singapore. This simple set of statistics says it all.

The benefits of two-factor authentication have been proven in other jurisdictions. In 2005, the Monetary Authority of Singapore (MAS) dictated the use of :

The impact has been dramatic. In 2004, banks in Singapore lost $356,000 USD to Internet fraud that was reported. Twelve months later after implementation of two-factor authentication, the number was $5,000 USD. Organizations today in the U.S. that have implemented these capabilities will be grabbing market share, as they roll out these fraud busting measures in front of their competitors.

Fraud is at the core of Operational Risk matters and whether it's the internal employee manipulating your internal control environment or the external transnational crime syndicate flogging your customers with spam, really doesn't matter. What has your "Red Team" told you is at stake this week? The vulnerabilities they have discovered utilizing the new tools or techniques to exploit the changes in your design, implementation or configuration are real. Here is just one latest example:

To the annals of creative bank heists add this: Two Washington area banks turned over more than $850,000 in less than 24 hours this week to someone who impersonated a cash courier and claimed to be filling in for the regular guys.

On Wednesday, a man dressed as an armored truck employee with the company AT Systems walked into a BB&T bank in Wheaton about 11 a.m., was handed more than $500,000 in cash and walked out, a source familiar with the case said.


Once they catch this guy it will all come back to a classic Operational Risk failure. In this case, there are two banks who are getting some fresh reminders about process and procedures at the branch level. Yet whether we have multi-factor authentication online or in the branch with the armored car driver, the issue remains the same. The consumer and the merchants will continue to pay for this in the long run. Why are they still trying to authenticate people instead of the transaction?

"To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity, which is in the best position to mitigate the risk, responsible for that risk. And that means making the financial institutions liable for fraudulent transactions."

Once institutions realize that they need to focus on a culture of compliance and build robust fraud detection and prevention programs, the losses may start to dwindle. Only however, if they are properly organized, deployed and funded. And finally, these integrated initiatives must include a substantial investment in systems and a systemic automation mechanism to drive awareness. Microsoft is one organization who is on the leading edge of implementing effective Global Integrity Management.

31 December 2007

2007: The Year of Living Dangerously...

What a year 2007 has been for Operational Risk Management. Looking back over the past 365 days brings visions of significant accomplishment and historical failures. Reflection on what has worked can sometimes bring out the emotions and the evidence of our most vivid encounters with risk. You can't see risk. You can only witness the effectiveness of your work in the aftermath of incidents caused by your people, processes, systems or external events. Those measurements, or metrics, are why the loss event databases are growing. So we can keep score.

Unfortunately, many are trying to keep score so that they can justify additional funding and resources for their pet projects or new initiatives. The Board of Directors and executive management need something to judge whether the programs and the efforts for managing risk in the enterprise are working. Sometimes the quantitative must be taken in context with the qualitative measures to see the entire landscape of operational risk across your environment:

Here are just a few National Security milestones in the United States this past year:

  • PROTECT AMERICA ACT: In August, the President signed the Protect America Act of 2007, which closed critical intelligence gaps that threatened the safety of our Nation. The Protect America Act (PAA) modernized the Foreign Intelligence Surveillance Act of 1978 (FISA) to provide our intelligence community essential tools to acquire important intelligence information about foreign terrorists abroad who want to harm America. Unfortunately, critical provisions of the PAA expire on February 1, and Congress must act to keep our Nation safe by making these tools permanent and provide meaningful liability protection for companies who are believed to have assisted the Government after 9/11.
  • BORDER SECURITY: The Administration has taken steps within existing law to secure our borders more effectively. In 2007, we exceeded our goal of 145 miles of fencing at the border, and are on track to strengthen the border with 18,300 Border Patrol agents, 370 miles of fencing, 300 miles of vehicle barriers, additional cameras and radar towers, and three additional unmanned aerial vehicles by the end of 2008. The Administration has also instituted a policy of "catch and return," ensuring that all removable aliens caught trying to cross the border illegally are held until they can be returned to their home countries.
  • IMMIGRATION ENFORCEMENT: In 2007, ICE removed roughly 240,000 illegal aliens, made over 850 criminal arrests, and fined or seized more than $30 million following worksite investigations. The Department of Homeland Security has issued a "No-Match" regulation to help employers ensure their workers are legal and help the Government identify and crack down on employers who knowingly hire illegal workers. Unfortunately, this useful regulation is being held up by misguided litigation.
  • COUNTERTERRORISM: Working with our partners overseas, U.S. efforts to combat terrorism have contributed to the arrest of terrorist suspects and have disrupted plots aimed at both the United States and its allies. For example, in September, U.S. and German authorities disrupted a major terrorist plot resulting in the arrest of three suspects who were planning to attack a U.S. military base in Germany as well as Frankfurt International Airport. In June, the United States worked with authorities in Trinidad to arrest four men suspected of planning to blow up fuel tanks and a fuel pipeline at the John F. Kennedy International Airport.
  • NATIONAL STRATEGY FOR HOMELAND SECURITY: In October, the President issued an updated National Strategy for Homeland Security, which is serving to guide, organize, and unify our Nation's homeland security efforts. The Strategy articulates our approach to secure the Homeland over the next several years, reflects our increased understanding of the threats confronting the United States, incorporates lessons learned from exercises and real-world catastrophes, and articulates how we should ensure our long-term success by strengthening the homeland security foundation we have built.
  • 9/11 COMMISSION ACT: On August 3, the President signed the "Implementing Recommendations of the 9/11 Commission Act of 2007." This legislation protects Americans from being unduly prosecuted for reporting activity that could lead to acts of terrorism, and takes steps to modernize the VISA Waiver Program, particularly the additional security measures. The President continues to work with Congress to advance security and foreign policy objectives by allowing greater flexibility to bring some of our closest allies into the program.

In other events across the globe we witnessed how risks continue to challenge even the most prepared nations:

  • Virginia Tech joined the annals of US gun atrocities when a student killed 32 people and then turned the weapon on himself in what was the country's worst shooting rampage.
  • Three days after Gordon Brown became prime minister, and a day after two car bombs were found in London, Scotland experienced its first terrorist attack since Lockerbie. Two alleged Islamic extremists, one a doctor, drove a Jeep into the security bollards at the entrance of a busy Glasgow Airport on the first Saturday of the local school holidays. The car carried explosive gas canisters and although it burst into flames on impact, most of the containers remained intact. A few bystanders were injured, and were treated at nearby Royal Alexandra Hospital where one of the alleged terrorists worked. The driver of the car, Kafeel Ahmed, 27, died a month later from his burns, and others suspected of being involved in the attack were apprehended on the M6. All the suspects in the case were foreign recruits to the NHS.
  • The credit crunch arrived. Northern Rock became the most high-profile British victim of a crisis sparked by low-income American homeowners who'd been lent money they could never afford to pay back. Northern Rock was forced to apply to the Bank of England for emergency funds, in what was to become one of the biggest financial crises in a generation. Cue panic, cue queues.
  • A human chain of depositors formed at branches as bank customers attempted to reclaim their money. There was some very un-British behaviour, with police called to one branch when a couple staged a sit-down in an attempt to recover their £1m deposit. They left empty-handed. The run on Northern Rock caused the Treasury to pledge that no-one would lose their shirt, a promise which has so far cost £24 billion in lending to the troubled institution. The sheen of middle class security was wiped off property prices as people began to sniff a recession. It was the first of many indicators that Britain was still a nation divided by class, education and income.
  • The most significant event of the year, for the future of the planet, came this month when the Arctic Ocean melted back to a record low point. The extreme melt rate was not predicted by any supercomputer or climate change scenario and scientists began to think that an educated guess for an ice-free Arctic summer might be 2030, well within most of our lifetimes.
  • Six foreign-born men are charged in what authorities say was a plot to attack the Fort Dix Army base in New Jersey.
  • Pakistani army commandos capture the Red Mosque in a 35-hour battle; the cleric who led the mosque's violent anti-vice campaign is among those killed.
  • A strong earthquake in northwestern Japan causes malfunctions at the world's most powerful nuclear power plant, including radioactive water spilled into the Sea of Japan.
  • Minneapolis bridge collapses into the Mississippi River during evening rush hour; 13 people are killed.
  • Mattel recalls 9 million Chinese-made toys because of lead paint or tiny magnets that could be swallowed.
  • Magnitude-8 earthquake strikes Peru, causing more than 500 fatalities.
  • A B-52 bomber armed with six nuclear warheads flies cross-country unnoticed, in serious breach of nuclear security; Air Force later punishes 70 people.
  • Hurricane Felix slams into Nicaragua's coast, the first time two Category 5 Atlantic hurricanes hit land in the same year.
  • Osama bin Laden appears in a video for the first time in three years, telling Americans they should convert to Islam if they want the war in Iraq to end.
  • Citigroup Inc. CEO Charles Prince resigns as company loses billions in debt crisis.
  • Suicide bombing kills six parliament members in Afghanistan; a U.N. report later says some of the 77 total victims were killed by gunfire from panicked bodyguards, not the bomb.
  • Cyclone Sidr strikes Bangladesh with 150 mph winds, killing more than 3,200 and leaving millions homeless.
  • Oil prices peak at $99.29 a barrel.
  • CIA director says interrogations of two top terror suspects in 2002 were videotaped but the tapes were destroyed later to prevent leaks; lawmakers and courts investigate whether evidence was destroyed.
  • President Pervez Musharraf lifts a six-week state of emergency he says was imposed to save Pakistan from destruction from an unspecified conspiracy.
  • Opposition leader Benazir Bhutto is assassinated in Pakistan by an attacker who shot her after a campaign rally and then blew himself up. The attack and rioting after her death claim at least 29 more lives.
These events over the course of 2007 illustrate the breadth and depth of the operational risks we face in the next few years. Climate change, terrorism, market volatility and human behavior will continue to challenge us as professionals. So as we embark on a new journey into 2008 what resolutions will we make? What have we learned about risk? Can it be managed?

One event not mentioned above may be a clear warning of a threat still unimagined in its capacity to cripple the entire planet.

Cyber security experts quoted in the McAfee report believe 99 per cent of attacks on government systems go unnoticed. But one attack this year that could not be overlooked was launched against the Baltic nation of Estonia, and that incident serves as a warning for other nations. The report calls the Estonia attack in April 2007 "the first real example of nation states flexing their cyber-warfare capabilities".

Estonian computers for government, banks and news organisations were hit with what is known as a distributed denial of service attack - that is, they were bombarded with so many requests they couldn't function.

First the mobile fails. Intermittent black spots are nothing new but you haven't had so much as an SMS from motormouth Michael in hours or anything from Jen who always calls with arrangements for Tuesday's movie by now.

You resign yourself to catching up on email and the frustrations mount with each minute on an unresponsive computer. Has the whole world stopped?

You resist the urge to slam the door as you head to the nearest ATM and the walk does you good ... until you key in your pin number. The machine is so sluggish it seems to take forever but eventually the screen responds. The news is worse than you thought. Your balance is: $0. It's as worrying as it is wrong. No mobile, no mail, no money.

You want to throw your hands in the air - and surrender is a more appropriate response than you suspect. You've lost a war you didn't even know was being waged.

The war of the future, according to an international look into cyber crime, could well be waged online. And the dangers are magnifying as governments and organised groups hone their abilities to spy on each other and attack critical pieces of public infrastructure with an arsenal of e-weapons.
20 December 2007

FRE 502: Evidence & Digital Discovery...

What could the implications of this ruling be for employees in New York state? Scott v Beth Israel Med. Ctr. Inc.

The writing is on the wall with the attorney-client privilege and Federal Rules of Evidence 502. A review of current e-mail policy may also be in order at your institution if you plan on achieving "A Defensible Standard of Care."

On December 11, 2007, Senator Patrick Leahy, Chair of the Senate Judiciary Committee, introduced S. 2450, a bill adding new Evidence Rule 502 to the Federal Rules of Evidence. The legislation addresses waiver of the attorney-client privilege and work product protection and is identical to proposed Evidence Rule 502, which was approved by the Judicial Conference of the United States and transmitted to Congress for its consideration in September 2007.

Here are comments by the BLT:

If approved, the legislation would allow litigants to avoid waiving privilege on inadvertent disclosures if parties took reasonable efforts to vet the documents and asked for the return of any privileged information in a timely manner.

"The surging use of email and other electronic media has forced parties to spend billions of dollars and countless hours to guard against the unintentional release of such information," Leahy's office reported. Specter added that the new rule would help ensure that "the wheels of justice will not become bogged down in the mud of discovery."

Stephen D. Whetstone, Esq. of Stratify says this:

Given the increased risks and costs, it is no surprise that many companies are trying to wrest control over the discovery process. More companies are now directing their outside counsel to leverage technology to automatically organize huge data collections, help understand foreign languages and detect privilege and thereby drive down the costs and mistakes that result from fatigued human review. The rule-makers get it, too. The Advisory Committee Notes to proposed FRE 502 provide: "Depending on the circumstances, a party that uses advanced analytical software application and linguistic tools in screening for privilege and work product may be found to have taken 'reasonable steps' to prevent inadvertent disclosure."

In short, in the 12 months since adoption of the new discovery rules, the sky did not fall. But, for some, it grew darker and more expensive to prop up.

In case you haven't noticed your CIO in the General Counsel's office lately, you soon will. The use of automated tools for Electronic Content Management (ECM) has converged with the tools for Disaster Recovery Management (DRM). In the middle of the pile of documents, email and other electronically stored information (ESI) is something called effective Records Management.

The nexus here is managing information that is discoverable: email sent from Party A to Party B over the internal e-mail system provided by the employer, and on to third parties outside of the organization, including lawyers. How can an organization make sense of it all and keep the GC from pointing fingers at the CIO?

The answer begins with building awareness and education among all employees in the organization, not just the legal staff and IT. It begins the moment any employee opens the Word document or Excel spreadsheet, the second you reply to that IM or e-mail on your PDA. Only through effective education and policy management will the enterprise learn how to modify behavior, regardless of what tools and systems are put in place to organize, sort and query ESI.

"Whether building the castle walls or defending the crown jewels, knowing the right questions can make all of the difference."

The beginning of your educational journey starts here: CastleQuest