02 August 2008

People Risk: Protective Security Professionals...

How long does it take for a lethal attack to occur against an at-risk person? Just 2 Seconds is the latest book by Gavin de Becker. With his longtime colleagues Tom Taylor and Jeff Marquart, he documents how to use time and space to defeat adversaries.

There are some compelling insights gained from their research:

  • In the US, attacks are most likely to be undertaken by lone assailants (87%), whereas outside the US attacks are typically the work of multiple assailants (71%).
  • Attacks in the US are about as likely indoors (53%) as outdoors (47%).
  • However, 64% of attacks happen when the protected person is in or around the car, and 77% of these attacks are successful.

Most of these happen within a distance of 25 feet or less using a handgun. Corporate executives and their Protective Security Detail (PSD) already know these statistics and have trained together for these increasing risks. Many have adopted the LADDER model from Gavin de Becker & Associates training academy:

Logistics
Advance
Distance
Deterrence
Evacuation
Response

The study of the motives and psychology behind why these actors pick their targets and choose the time and place has become a science. The methods and tools that assist corporate security with predictive analytics require a substantial baseline of historical data and real-world experience. Over 20 years ago Gavin and his team developed the MOSAIC Threat Assessment system. It is now in use with dozens of police and government agencies to help authorities and Protective Security Details be more proactive and preemptive.

Protective Security Specialists today are certified professionals who use intelligence in combination with the attributes of Time, Mind and Space to provide safe and secure travel for their clients. The science and the art have converged to provide a fusion of data, strategy and ad hoc tactics that ensures the mission is completed without incident. As one example, in the state of Virginia their training is extensive and encompasses a rigid certification process that begins with:

  1. Administration and Personal Protection Orientation - 3 hours

  2. Applicable Sections of the Code of Virginia and DCJS Regulations - 1 hour

  3. Assessment of Threat and Protectee Vulnerability - 8 hours

  4. Legal Authority and Civil Law - 8 hours

  5. Protective Detail Operations - 28 hours

  6. Emergency Procedures - 12 hours
    • CPR
    • Emergency First Aid
    • Defensive Preparedness

  7. Performance Evaluation - Five Practical Exercises

Golden Seal Enterprises is just one of the certified training schools providing the core and advanced work for becoming a PSS professional in Virginia:

Course Description: Using proven protective detail models drawn from the real-world experience of GSE's cadre of EP, PSD and PPS instructors, students will learn to use a proactive process to prevent threats while maintaining the ability to use reactive skills when a threat is present. This is designed to enable students to operate in self-supporting details but will also encompass interfacing with other details, law enforcement, and other security personnel.

Graduates will be able to provide a secure environment for a client through identifying and controlling potential risks while the client is on foot, in a vehicle, or within a structure in dynamic situations. Graduates will also learn procedures to control the effects of unusual incidents in a professional manner to maintain the client's safety and image and a consistent proper working relationship with the client, client's family, and staff. The course content includes classes and discussions as applied to permissive and semi-permissive environments. Includes VA DCJS 32E certification.

Topics Covered: Protective Operations, Terminology, Case Studies, Advances, Detail Organization, Formations, Route Surveys, Surveillance Detection, Communication & Equipment, Transportation, Vehicle Dynamics, Evasive Maneuvers, Motorcades, Vehicle Search, Technical Security, Details Abroad, Protective Detail Firearms, Assassinations, First Responder Medicine, CPR & AED Certifications and Defensive Tactics.


The profession doesn't stop there. Some risk management firms who have these certified individuals on staff go much further in their training and their vetting of employees. We agree, and we recommend that you add these items to your due diligence when issuing Requests for Proposals:

  • Review all policy documents the firm has its personnel sign to become a PSS on staff.
  • Review the firm's hiring process and the prerequisites to join the firm.
  • Review the operational standards and operating procedures to ensure 24 x 7 x 365 capabilities.
  • Review the third-party agreements that encompass any transportation and private aviation suppliers (Netjets).
  • Review the firm's technology and communications infrastructure, including radios, information systems security controls and privacy countermeasures.

The profession has come a long way and people like Gavin de Becker & Associates have established the baseline for others to compete. High net worth individuals, movie stars, public officials and corporate executives have much at stake and require comprehensive strategy execution.

Think of every assassination you've ever heard about. For most people, a few of these major ones come to mind: Caesar, Abraham Lincoln, John Kennedy, Martin Luther King, Mahatma Gandhi, Indira Gandhi, Anwar Sadat, John Lennon, Israel’s Prime Minister Rabin, Pakistan’s Benazir Bhutto.

From start to finish, all of these attacks — combined — took place in less than one minute. And the hundreds of attacks studied for this book, all of them combined, took place in less than a half-hour. Those thirty minutes, surely the most influential in world history, offer important insights that can help today’s protectors defeat tomorrow’s attackers.

28 July 2008

ESI Risk: Seizing Electronic Evidence...

In this issue of Board Member Magazine, Lisa Ferri reminds us of the risk posed by Electronic Evidence.

If the only thing better than learning from your mistakes is learning from the mistakes of others, then directors need to take a lesson from Philip Morris. The tobacco giant was slapped a few years ago with a $2.75 million fine by a federal court. The offense? Wrongful destruction of e-mails, otherwise known in legal circles as spoliation of evidence. The court found that at least 11 Philip Morris executives “at the highest corporate level” were guilty of violating a court order concerning document retention. In other words, they purged and paid the price.

United States of America v. Philip Morris USA Inc., et al. is a cautionary tale of the problems awaiting companies that are either unaware of or unprepared for the world of electronic evidence. The rules governing that world are evolving at warp speed.


In the United States, does an employee need the company's permission to seize your computer at the workplace for electronic evidence? To be better informed about this procedure and its legal implications for your enterprise, see CCIPS.

Warrantless workplace searches occur often in computer cases and raise unusually complicated legal issues. The starting place for such analysis is the Supreme Court's complex decision in O'Connor v. Ortega, 480 U.S. 709 (1987). Under O'Connor, the legality of warrantless workplace searches depends on often-subtle factual distinctions such as whether the workplace is public sector or private sector, whether employment policies exist that authorize a search, and whether the search is work-related.


Your compliance or legal office can provide you with guidance for any employee suspected of violating company policies with regard to computer crime or theft of confidential information or intellectual property. The question remains: what policy exists today, and what methods have been used to fully disclose to employees the ways it may affect their privacy rights on the job?

For more help on this subject see: Best Practices for Seizing Electronic Evidence.

Just remember, forensics and gathering electronic evidence in a criminal matter are in tension with your recovery. Once a violation has occurred, you can make changes, clean up the problem and get back to normal, or you can preserve the crime scene for evidence. It's one or the other. When it's not, that is when you run into problems. Document retention strategies, in combination with forensic digital discovery procedures, are critical to any organization that cares to mitigate the ongoing risks of electronic evidence.

01 July 2008

Directors Q & A: Outside Counsel Risk...

Every Board Member needs to ask "Six Legal Questions" of corporate management because the answers will help you determine what law firms your company should fire, or even consider hiring. This special report by Randy Myers in Corporate Board Member highlights the Operational Risk of litigation and whether you are prepared for offense, defense and the next reputation scandal:

  1. How well do our outside law firms know our business?
  2. Are we prepared to handle litigation against us in the best way?
  3. Under what circumstances should we consider suing another company?
  4. When should we use a big law firm? When are we better off with a small one?
  5. What clues can tell us if our outside lawyers are no longer right for us?
  6. How well will we stand up to scrutiny?

We have to highlight the commentary on #6 (from H. Rodgin Cohen, partner and chairman of New York City-based Sullivan & Cromwell LLP):

Directors must let the compliance office and general counsel know that they are to be informed anytime the company is put under investigation, Cohen says; government regulators and prosecutors expect the board to take a role in such matters. Having a clear policy in place is critical, says attorney Matthew Powers.

There is no cookbook recipe to prepare a company for an investigation. But what directors have to do, says Cohen, is approach any such inquiry with the understanding that in today’s environment, with laws and regulations being rigorously enforced, fighting a government investigation is almost always a bad idea. Companies must be seen as cooperative, he says, which means that they must conduct thorough investigations of their own when alerted to potential wrongdoing and provide the government with whatever it requests. If problems are uncovered, they should move quickly to take remedial action, implement policies and procedures to prevent further troubles, and penalize the people responsible. “If the company fails to take action,” Cohen warns, “it must expect that it will receive harsher punishment.”

He says it makes sense to report suspected violations of the law voluntarily when an internal examination uncovers them. “You’re really rolling the dice if you don’t, because if the government later finds out, it will have no confidence in you. And remember, the government has two ways to find out—on its own or from someone inside the company.” If the government decides it needs to find out on its own, he says, any penalties are likely to be much more painful.


Firing your longtime outside firm is not easy, and as with any third-party supplier who has been embedded for years or decades, "Breaking Up is Hard to Do." It is every Corporate General Counsel's greatest fear. Have you ever received advice that the negative results of an internal investigation need to be buried, hushed up or, even worse, ignored in the hope that nothing will happen?

Corporate Governance is taking on a new resonance in a politically charged election year here in the United States. The Democrats are gearing up for more oversight, investigation and compliance laws focused on areas that the Republicans have been slow to scrutinize. Laws that have been gathering momentum in the halls of Capitol Hill are targeting some of the industry sectors that have benefited the most from the Defense Industrial Base windfall.

In a global survey by Fulbright & Jaworski LLP, 40% of US companies had at least one lawsuit with $20M or more at risk, 60% had one or more plaintiff class actions pending, and 36% say that government regulators have stepped up their visits.

So if you are on the Board of Directors and you want to be proactive on the upcoming front for litigation, where do you look? The Accounting department. Sales and Marketing. Information Technology. Legal Department. The easy answer may be, who has the most laptops? Brian Krebs talks about the Data Breach problem from The Washington Post blog:

The San Diego-based Identity Theft Resource Center tracked 342 data breach reports from Jan. 1 to June 27. Nearly 37 percent of reports came from businesses -- an increase from almost 29 percent last year.

Data breach reports from health care providers (14.9 percent of the total) and banks (10 percent) continued to rise, while the share of breaches from educational institutions (21.3 percent of the total), government entities and the military (17 percent) declined for the third year in a row, the ITRC found.

Hacking was the least-cited cause of data breaches in the first six months of 2008 (11.7 percent of the total). Instead, lost or stolen laptops and other digital storage media remain the most frequently cited cause of data breaches, accounting for more than 20 percent of all reported cases, the ITRC found. The inadvertent posting of personal and financial data online prompted roughly 15 percent of the data breach disclosures.

The nexus of data, plaintiff lawsuits and your outside counsel (third-party suppliers) will be the Board of Directors' #1 priority in the next few years. This is the vortex of Operational Risk in the 21st century.

25 June 2008

Transnational eCrime: Leaderless Networks...

Transnational crime and its multi-phase process of Collection, Monetization and Laundering are no better illustrated than in this Citibank case of the past year. This week more arrests have occurred as the informants' intelligence has been used to capture those who are part of this international criminal network. Kevin Poulsen at Wired writes:

The FBI has recently made at least six more arrests in New York -- bringing the total to 10 -- thanks to information from arrested scam suspects, a lucky traffic stop, and an undercover operation that at one point had Eastern European hackers chasing a female FBI agent through the streets of New York, trying to mug her for ATM-card-programming gear. Six months after the 2007 breach, Wired.com is receiving scattered reports of Citibank customers still suffering mysterious withdrawals from their bank accounts.

The FBI believes the brains behind the operation is a Russian man, who's receiving the lion's share of the profits through international wire transfers and online-payment systems. While Citibank and federal officials are being closed-mouthed about the PIN theft and the ensuing fraud, the Citibank heist provides a rare look at how a single high-value breach reverberates through the international "carding" community of bank-card fraudsters. What's more, neither Citibank nor the third-party transaction processor involved in the breach has warned consumers to watch for fraudulent withdrawals, raising questions about the disclosure policies in the financial industry.


The case is unfolding in the media, and the finger pointing will continue over where the breach occurred. Was it on a Citibank network, or at an outsourced third-party supplier of 7-Eleven, which operates the retail stores where the ATMs are located? ID theft is not the real issue here so much as a bold database hack of accounts and PINs and the counterfeiting of ATM cards.

This facet of Operational Risk is another lesson learned about the safety and security of customer data, especially when it is outside your own corporate domain. Service Level Agreements (SLAs) are too often the only item consistently presented as evidence of due diligence in auditing a third-party processor of customer data. Actual physical audits are few and are typically not done on a rigid schedule. Resources and funding are the excuse more often than a total lack of oversight.

Transnational crimes such as piracy, illegal trafficking of drugs and humans, counterfeiting, and intellectual property theft or espionage are not new to the Operational Risk Managers of global enterprises and international organizations. What the financial motivations are and where the proceeds are going is potentially the greatest challenge on any investigator's agenda. Where does it all lead? What does the target plan to do with the money gained from these illegal activities and incidents?

The answer is that there is no single target. The target is a network. And like a starfish, it can reconstitute itself from any severed part; there is no brain. Douglas Farah captures the thinking on why leaderless networks are a continuous threat:


Any one piece of the leaderless network can reconstitute itself with little difficulty, without waiting around for someone to give an order and for that order to move down the chain of command.

Clearly, it seems, there are better and worse individuals within the network, and taking out the really good ones takes something of a toll. And leaderless groups are not highly efficient. But they survive.

If you have a system of enterprising freelance operations acting on impulses (the urge for profit, the urge to carry out attacks, the urge to acquire weapons etc.), these impulses will overlap. The actions will be taken to benefit all parties, and the networks can thrive with no one person making the important decisions.

This strikes me as perhaps the most dangerous mutation that both organized crime groups and terrorist groups (particularly Islamist terror groups, who seem more adept at moving through nerve impulses, without specific orders, than most), can take.

Successfully countering these groups and their growing reach will require a radical new assessment of both strategy and tactics in the military, intelligence community and law enforcement. But that will require a willingness to dump old assumptions and paradigms, something that has not really happened since 9-11.

18 June 2008

ESI: The Economics of Litigation...

The operational risk and complexity of eDiscovery is increasing and the economic impacts are becoming a Board Room topic of debate. This study from RAND by James N. Dertouzos, Nicholas M. Pace, and Robert H. Anderson opens up some of the serious implications of Electronically Stored Information (ESI) as it pertains to this research:

Business litigants display a mix of optimism and concern about the impact of the new federal rules on e-discovery that went into effect in December 2006. To some extent, the balkanization that marked federal decisions in this area is likely to be reduced, but the core concerns over uncertainty about what are reasonable steps to take in advance of and during litigation remain. Thus, it is apparent that further clarification and development of e-discovery rules that promote efficiency and equity for both defendants and plaintiffs are required. For example, the new federal rules require early and full disclosure of IT systems, but interviewees noted that many lawyers are unfamiliar with the modern and continuously evolving hardware, applications, and internal record-keeping practices of their clients. Lawyers risk significant sanctions for failing to properly carry out e-discovery duties that they may not be equipped to handle. Even technologically savvy attorneys voiced concerns that providing opposing parties with detailed IT “roadmaps” as envisioned under the new rules would lead to discovery demands designed solely to drive up costs. And as corporate clients increasingly move toward internalizing collection, review, and production tasks in order to limit litigation costs, their outside counsel may find themselves with reduced control over the process but nevertheless still vulnerable to sanctions.

Lawyers who are modernizing their document review efforts are partnering with new boutique firms to accomplish this, because those firms have the tools and the technology subject matter expertise. However, these efforts may be increasing the cost of litigation to corporate clients even though the automation and outsourcing improve the review and relevance process. This is because the lawyers are still charging their clients for manual review by associates in the firm, who bill by the hour, in most cases in excess of $300/hr.

eDiscovery and the costs and benefits of litigation are a constant dialogue on the golf course, the skybox and the private rooms of fine dining in New York, Washington, DC and most major metro areas. The reason has to do with the "Mathematics of Litigation".

The previous discussion makes it clear that e-discovery, by changing costs, creating new risks, and altering the flow of information, could alter litigant incentives to file suit, settle cases, and go to trial. For example, several interviewees claimed that the significant burdens of e-discovery outweighed the benefits of going to trial, especially in low-stakes cases. Thus, they were fearful of an increase in lawsuits of questionable merit in which defendants would settle rather than incur the costs of discovery. Viewed from another perspective, plaintiffs may choose to settle cheaply, dismiss their own cases, request less, or refrain from filing in the first place if their own costs of discovery (whether as producer or requestor) overwhelm the value of their claims.

The trend line for eDiscovery is clear. Corporations are bringing the eDiscovery mechanism in-house and are integrating the legal department with savvy staff in the IT ranks. Outside counsel will continue to remain a key aspect of the litigation process but are quickly being asked to take more traditional roles in the case. Outsourcing the automation tasks to the law firm will only increase the complexity and the potential liability of ESI related episodes or incidents.

30 May 2008

OPS Risk: Searching for Answers...

When you search the Internet for "Operational Risk Management" in different search engines, you are destined to get results that are similar and yet different. The algorithms used to determine who ends up at the top or bottom of that first page of results depend on the creator's perspective and their interpretation of "Relevance".

Let's take a quick test to demo what we mean. Here are the links to search on "Operational Risk Management" from Google, Yahoo, Microsoft Live and Ask. Compare them and you will witness how the results are different:

Google
Yahoo
Microsoft Live
Ask

On this particular day, this blog was the #1 link on Microsoft Live and Ask. #9 link on Google. #2 link on Yahoo. And when you use the engine that utilizes all of these at once, Metacrawler, this Operational Risk Blog is the #1 link.

So what? Why does this matter? What matters to us is that we cover the topics and questions people are searching for in the context of "Operational Risk Management". Whether you are in the military, business or government doesn't really matter. Here are a few of the latest items that you have been searching for, from six different continents, when you ended up landing at this site:

  • assessing operational risk for telecom phone service
  • operations risk
  • biocode accident records
  • cii operational risk managment
  • challenges faced by fraud investigators 2008
  • branch banking "operational resilience"
  • kyc in credit department abn amro bank of pakistan
  • corporate policy risk management
  • real and potential threat to corporate governance
  • risk records management
  • airport operational "risk management strategy"
  • risk management blog
  • "risk management" scuba audit washington
  • references to voip in iso 17799
  • ops risk
  • operational risk failure lockheed martin
  • different types of audits, pci, patriot act, level of difficulty
  • operational risk management fund of funds
  • basel ii operational readiness checklist
  • "authentication risk"
  • what is operation risk
  • operational risk management human resources
  • operational risk in funds management
  • operational risk data retention
  • operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events

In a sea of words, sites and the vast depth of the Internet all we are seeking is relevance. We seek the answer to a question or to add context to an idea or hypothesis. In many cases, we are just curious and want to learn more about Operational Risk.

Sorting through the links for the relevance to your question is getting easier as the subject matter becomes more cohesive and converges. However, the subject of "Operational Risk Management" can mean a very broad thing to a banker and a very precise discipline to a Brigadier General in the US Marine Corps. The object is to have a neutral ground to converge on the "change" factors associated with new threats, vulnerabilities and ways to mitigate these to a level of tolerance for your particular mission.

In the near future this blog will open its ability for readers to share their comments and stories about Operational Risk Management. We look forward to hearing your first-hand accounts of how you are applying the science and the art of OPS Risk in your particular risk environment.

23 May 2008

Intelligence Sharing: Responsibility to Provide...

The "Need to Know" is now finally becoming extinct. Intelligence Communities around the globe are ever so slightly changing their behavior. The Office of the Director of National Intelligence (ODNI) has released its Information Sharing Strategy:

The Office of the Director of National Intelligence is announcing the first-ever strategy to improve the ability of intelligence professionals to share information, ultimately strengthening national security.

The "Responsibility to Provide" attitude, combined with a "Rule-set" reset, could get the entities moving in the right direction. Risk Managers in private-sector institutions have been grappling with this business issue for decades. Whether the FBI, NSA, CIA and DHS are sharing more effectively will only be evident in actual behaviors, not technology.

The new mantra "Responsibility to Provide" will be repeated over and over but where is the evidence? The culture shift is predicated on the ability to manage risks associated with mission effectiveness and disclosure of sensitive information. A Trusted Environment.

This new information sharing model is not revolutionary and requires the same care with privacy, information security and civil liberties that we all expect when it comes to personal identifiable information. Adding new incentives to share information or rewards for doing so will soon be the norm and the behavior changes will be evident. Great care will be given to the ability to protect sources and methods of collection.

Creating a "Single Information Environment" (SIE) will improve the ability of analysts and investigators to get access earlier and to discover what exists. Enhancing collaboration across the Intelligence Community will be a strategic goal and has been a dream for over two years.

So let's go back to the "Trust Model" for a minute:

  • Governance: The environment influencing sharing.
  • Policy: The "rules" for sharing.
  • Technology: The "capability" to enable sharing.
  • Culture: The "will" to share.
  • Economics: The "value" of sharing.

A 500 day plan is now in place. The integration has now been reemphasized. Let's make sure that our vigilance continues and on this Memorial Day weekend, our spirits are reenergized.

08 May 2008

Legal Ecosystem: Survival of the Fittest...

The life cycle of monetary policy and financial fraud is being mapped once again in concert with new investigations into corporate malfeasance. As economic trends run their systemic course so do the highs and lows of human behavior to create new schemes to defraud customers, partners and even fellow employees.

Prosecutors in the Eastern District of New York in Brooklyn are stepping up their scrutiny of players in the subprime-mortgage crisis, focusing on Wall Street firms and mortgage lenders, the Wall Street Journal said on its Web site.

A task force of federal, state and local agencies will look into potential crimes ranging from mortgage fraud by brokers to securities fraud, insider trading and accounting fraud, the Journal said.

The Federal Bureau of Investigation is already targeting major corporate insiders and criminal groups in its investigation of fraud in the mortgage lending industry. The FBI has said it is investigating 19 companies in mortgage cases.

The formation of the task force amplifies efforts already under way in Brooklyn, where prosecutors are investigating whether investment bank UBS AG (UBSN.VX) improperly valued its mortgage-securities holdings, the report said.

Also being investigated are the circumstances surrounding the failure of two hedge funds at Bear Stearns Cos (BSC.N), which collapsed last summer because of losses tied to mortgage-backed securities, the report said.

Fraud, like other crimes of opportunity, has three common attributes:

  1. A growing supply of motivated offenders
  2. The availability of prospective or ideal targets
  3. The lack of consistent oversight mechanisms—control systems or someone to monitor the business

Beyond the typical motivations for initiating deceptive practices and fraud are the underlying mindsets. "Neutralization" creates the road map for nullifying internal moral objections. The type of fraud is not the issue here so much as the fact that offenders seek to justify or rationalize their actions and methods. Grace Duffield and Peter Grabosky have captured the four main categories of fraud in their paper, "The Psychology of Fraud."

  • Fraud committed against an organisation by a principal or senior official of that organisation
  • Fraud committed against an organisation by a client or employee
  • Fraud committed against one individual by another in the context of face-to-face interaction
  • Fraud committed against a number of individuals through print or electronic media, or other indirect means

Now the IT departments will be buzzing as they will be under orders to preserve e-mail archives as evidence as soon as notices arrive on the doorsteps of not only the large funding institutions themselves, but the hundreds of organizations in the corporate supply-chain.

The duty to preserve attaches immediately once the company is on notice. Once an investigation or lawsuit is reasonably anticipated or a complaint is received, the requirement to preserve materials attaches and preservation efforts need to be undertaken as soon as possible. There are no cases that provide definitive guidance as to how quickly litigation hold notices must be sent once the duty is triggered, but any such case will be evaluated in hindsight, i.e., after relevant materials have been destroyed, and very little if any delay is likely to be tolerated by the courts.

Let's do some simple math here. Multiply the number of banking branches x the number of mortgage brokers for each branch x the number of appraisal firms and you start to understand the magnitude of the volume of data. While some larger banking institutions have centralized underwriting operations for all of the branches, they still rely on a supply-chain of small businesses in the local market to address the valuations and appraisals of property.

The next trend line we will see is the uptick in court filings and the litigation wars for the next few years to come. One fact remains obvious: organizations large and small will be drawn into these Operational Risk Management challenges without the proper policies, practices and behavior to prevail. In any "legal ecosystem" we know of, the phrase "Survival of the Fittest" comes to mind, and this one will be no different.

"Survival of the fittest" is sometimes claimed to be a tautology. The reasoning is that if one takes the term "fit" to mean "endowed with phenotypic characteristics which improve chances of survival and reproduction" (which is roughly how Spencer understood it), then "survival of the fittest" can simply be rewritten as "survival of those who are better equipped for surviving"

28 April 2008

Corporate Governance: Testing for Organizational Disease...

In our continuing series on Security Governance we now turn to Corporate Governance: Testing for Organizational Disease.

It's been three years since a 25-year sentence was handed down in the Worldcom corporate governance and fraud case, and it's obvious that prosecuting white collar crime cases is a real challenge.

In the HealthSouth Corp. fraud trial, the jury made a different decision and the CEO was acquitted.

Some lawyers suggested white-collar cases are inevitably difficult to present to jurors, whether they live in Birmingham or New York. "It's different from a drug deal or a bank robbery," said Donald Stern, a Boston attorney who was formerly that city's top federal prosecutor. "It's not obvious that a crime has been committed."


What the Board of Directors and Executive Management do know is that it's time to make some more changes in Corporate Governance initiatives. The relationship with the shareholders is bound to remain a challenge for any management team, and they realize that they must be creating a culture built on ethics and risk management principles.

At the end of the day it comes down to the evidence presented to the jury. And the evidence is typically a presentation of information utilizing forensic methods of discovery. Dr. Thomas R. O'Connor at NCWC has some interesting background on the subject of "Investigative Methods of Forensic Accounting."

Signs of financial crime can be initially detected in a variety of ways -- by accident, by whistle-blowing, by auditors, by data mining, by controls and testing, or by the organization's top management requesting an inspection on the basis of mere suspicion. Ideally, fraud detection ought to be recognized as an important responsibility throughout every organization, and every employee in an organization ought to be familiar with the disciplinary consequences for breach of trust as well as failure to report criminal misdeeds against the organization. On a practical level, however, there are steps to the investigative method used in an organizational context that are far from these ideals, and reaching the "breakthrough" point is more an art than science. It is the purpose of this lecture note to outline the investigative methods and procedures used in most cases.


Red Flags of Organizational Behavior:

1. Unrealistic performance compensation packages -- the organization will rely almost exclusively, and to the detriment of employee retention, on executive pay systems linked to the organization's profit margins or share price.

2. Inadequate Board oversight -- there is no real involvement by the Board of Directors, Board appointments are honorariums for the most part, and conflicts of interest as well as nepotism (the second cousin to corruption) are overlooked.

3. Unprofitable offshore operations -- foreign operation facilities that should be closed down are kept barely functioning because this may be where top management fraudsters have used bribes to secure a "safe haven" in the event of need for swift exit.

4. Poor segregation of duties -- the organization does not have sufficient controls on who has budget authority, who can place requisitions, or who can take customer orders, and who settles or reconciles these things when the expenses, invoices, or receipts come in.

5. Poor computer security -- the organization doesn't seem to care about computer security, has slack password controls, hasn't invested in antivirus, firewalls, IDS, logfiles, data warehousing, data mining, or the budget and personnel assigned to IS. Simultaneously, the organization seems over-concerned with minor matters, like whether employees are downloading music, chatting, playing games, or viewing porn.

6. Low morale, high staff turnover, and whistleblowers -- Low morale and staff shortages go hand-in-hand, employees feel overworked and underpaid, frequent turnover seems to occur in key positions, and complaints take the form of whistleblowing.


As we move forward on strategies for improving ethics and protecting corporate assets, it's clear that educating board members and employees on the symptoms of corporate disease can be a key initiative. That education and awareness program could be the beginning of a whole new era of high performing companies. And for that matter, the program's effectiveness may be the first test of any organization's health.

06 April 2008

Rule-Set Reset: Evidence Life Cycles...

Here are a few of the "Top of Mind" topics these days at the nexus of Legal Risk and "Defining the New Rules Sets" for Information Management and Digital Forensics. What is a "Rule-Set Reset"?

When a crisis triggers your realization that your world is woefully lacking certain types of rules, you start making up those new rules with a vengeance (e.g., the Patriot Act and the doctrine of preemption following 9/11). Such a rule-set reset can be a very good thing. But it can also be a very dangerous time, because in your rush to fill in all the rule-set gaps, your cure may end up being worse than your disease.

  • The Computer as Witness--What The Courts Allow.
  • Improper and Negligent Records Hold Practices.
  • Calculating Settlement Values in a Digital World.
  • Economics of Electronic Discovery.
  • Evaluating Outside Law Firms: Competing for Client Revenue.
  • Discovering the Legal Value of Electronic Information.
  • Chain of Custody Controls and Vulnerabilities.
  • Logs, Metadata and Backups.
  • Evidence Life Cycle Management.
  • Operational Risks in Existing Corporate Information Management Practices.

These topics and more are worth investing time, resources and manpower for vital learning, education and convergence within the legal department of your institution. Why? Just ask Waters Edge Consulting. Because just preparing for ESI custodian depositions under Rule 30(b)(6) will not be enough for your team to win these days. It's going to take substantially more investment in governance strategy execution within the ranks of the CIO, CSO and General Counsel in the aftermath of the sub-prime "Armageddon."

Today, many organizations have Enterprise Records Management (ERM) systems that provide clear guidelines for data retention and destruction. In addition, organizations facing frequent lawsuits often use Electronic Data Discovery (EDD) vendors and outside counsel to process and review electronically stored information (ESI) during discovery.

Unfortunately, neither solution creates a framework that recognizes all data as potential evidence and puts a consistent methodology in place for handling it efficiently and cost effectively.

Evidence Lifecycle Management (ELM) is such a framework. An ELM system, such as MatterSpace from WorkProducts, provides:

  • Automated identification, preservation, and collection of structured and unstructured matter-specific ESI from all accessible eRecords sources
  • Role-based collaboration and communications that drive all case-specific ESI activities
  • Auditing and reporting of all ESI communications and events, including litigation holds

ELM bridges the gap between ERM and EDD, speeding up ESI delivery while reducing the risk and cost of ESI processing and legal review.
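The topics above, "Chain of Custody Controls and Vulnerabilities", "Logs, Metadata and Backups" and "Evidence Life Cycle Management", and the ELM description's emphasis on preservation and auditing all come down to one control: being able to prove later that what you hand over is exactly what you collected. The following is an added example, not code from the original post or from any product named here, of a minimal chain-of-custody manifest: each collected item is recorded with a SHA-256 hash, its size, the custodian, the collector and the collection time, the manifest itself is hashed so edits to the record are detectable, and a verify step re-hashes the items and reports anything missing, modified or unlisted. The sample ESI, paths, custodian and matter identifier are constructed for the illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample ESI (in practice: files pulled from mail archives, file shares, backups).
SAMPLE_ESI = {
    "mail/jdoe/2008-03-14.eml": b"From: jdoe@example.test\r\nSubject: appraisal\r\n\r\nValuation attached.\r\n",
    "share/loans/12345/appraisal.txt": b"Property: 1 Main St\nValue: 250000\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Stable serialization so the manifest hash does not depend on key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(items, custodian, collector, matter_id, collected_at=None):
    """Record one chain-of-custody entry per collected item, then seal the manifest with its own hash."""
    ts = (collected_at or datetime.now(timezone.utc)).isoformat()
    records = []
    for path in sorted(items):
        data = items[path]
        records.append({
            "path": path,
            "size": len(data),
            "sha256": sha256_hex(data),
            "custodian": custodian,
            "collected_by": collector,
            "collected_at": ts,
        })
    manifest = {"matter_id": matter_id, "items": records}
    # Seal: any later edit to the manifest body changes this value.
    manifest["manifest_sha256"] = sha256_hex(_canonical(manifest))
    return manifest


def verify_manifest(manifest, items):
    """Re-hash the items against the manifest; an empty list means the chain is intact."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(_canonical(body)) != manifest.get("manifest_sha256"):
        problems.append("manifest altered")
    listed = set()
    for rec in manifest["items"]:
        listed.add(rec["path"])
        data = items.get(rec["path"])
        if data is None:
            problems.append("missing: " + rec["path"])
        elif sha256_hex(data) != rec["sha256"]:
            problems.append("modified: " + rec["path"])
    for path in sorted(set(items) - listed):
        # Something turned up that was never logged at collection time.
        problems.append("unlisted: " + path)
    return problems


if __name__ == "__main__":
    m = build_manifest(SAMPLE_ESI, custodian="jdoe", collector="forensics-team", matter_id="MATTER-0001")
    print(json.dumps(m, indent=2))
    print("intact:", verify_manifest(m, SAMPLE_ESI))
    tampered = dict(SAMPLE_ESI)
    tampered["share/loans/12345/appraisal.txt"] = b"Property: 1 Main St\nValue: 350000\n"
    print("tampered:", verify_manifest(m, tampered))
```

In a real collection the manifest would be signed or stored write-once, and the collection time would come from a trusted clock; the hash-of-hashes is what lets a deposed custodian answer "how do you know this is the same file?" with something better than an assertion.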


A prudent governance execution strategy would include a mix of new learning, education and policy development combined with the correct tools and managed services. Yet how do you determine the right recipe for your institution? After all, you are unique and unlike any other organization out there.

The fact is that it has to be customized to your exact size, exposures and vulnerabilities. You first have to establish the baseline and develop the foundation for making the right decisions in the right order. Most importantly, it has to be co-designed with the legal team and the custodians of the information if you are ever to have any chance of success. Underlying all of the dialogue on whom a particular matter relates to and where the information is located is another area that is imperative to the overall resilience of the organization: Continuity of Operations.

At the end of the day, this is what you are really buying. True DataVaulting means exchanging the headaches and liability of maintaining your own backups for the simplicity and convenience of contractually backed Service Level Agreements (SLAs).

Without effective DataVaulting, DRP and overall Continuity of Operations as an underlying foundation for managing the life cycle and longevity of your institution's records, you may already be subject to the increased risk of fines and non-compliance sanctions from FINRA or the SEC.

The correct Business Resilience Architecture begins with a firm statement of applicability for your institution. The statement of applicability (SOA) is the architectural blueprint that identifies controls that are pertinent to your environment, and explains how and why they are appropriate. The SOA is derived from the output of a comprehensive operational risk assessment and development of an enterprise wide "Early Warning System."

Centre-left leaders from around the world called on Saturday for urgent reform of global financial institutions to prevent a recurrence of the credit crisis.

About a dozen leaders, brought together by Prime Minister Gordon Brown, issued a communique urging the International Monetary Fund to help develop an effective early warning system to guard against financial risks to the global economy.

Australian Prime Minister Kevin Rudd said the world had to learn the lessons from the credit crisis, sparked eight months ago by massive default on U.S. sub-prime mortgage debt.

"Too often in the past when these sorts of events have occurred ... the lessons are lost. The lessons must be learned and applied, otherwise we will face a very rocky future indeed," Rudd told a news conference after the "Progressive Governance" conference outside London.

The leaders, also including South African President Thabo Mbeki, New Zealand Prime Minister Helen Clark and Austrian Chancellor Alfred Gusenbauer, gathered just before key Group of Seven and IMF meetings in Washington next week which will discuss the financial turbulence.

Also attending were the heads of the IMF, World Trade Organisation (WTO), the African Development Bank and several U.N. agencies.

31 March 2008

Volatility: Enemy #1...

Organizations implement Operational Risk solutions to lower "volatility" in earnings growth and return on capital. The focus on volatility is because no institution likes to see peaks and valleys in its earnings or its return on capital. A steady and consistent growth curve without "Volatility" is the goal of many steadfast organizations.

Contrary to the goal of minimized "volatility" there are also those who feed off of the chaos and the large swings between these highs and lows in the marketplace and with specific companies in vital sectors of the financial economy. Will a Blueprint for Regulatory Reform be the answer?

As a hedge fund investor, can you explain what the strategy is for your investment fund? Do you know what your money is being invested in? Does your hedge fund manager provide transparency on calculating your return on funds invested? What was the reason you invested in alternative investments to begin with?

Carrying this analogy to the operational processes within your organization, the goal is to keep the processes running smoothly. When people or systems deviate from the agreed upon "Rule Sets", change ensues along with volatility in the performance measures. Errors, omissions and systemic "glitches" are the catalysts of the volatility that creates fear, uncertainty and doubt. Do you understand the math? When the process gets to this stage and people don't trust the rules anymore, you are on the brink of a failure and impending loss, in dollars or in people's lives.

Operational Risk Management is a discipline that is emerging in corporate ranks because it has already proven that it saves lives. The regulators and inspectors general are going to demand it. The "Rule Sets" for doing business in the financial, health care and energy sectors are not the only ones being subjected to this increased scrutiny and renewed focus on OPS Risk. Now the Defense Industrial Base (DIB) and the Defense Department are under increased oversight at the highest echelons of the Pentagon as a result of a failure in Operational Risk Management.

Last week, the Department of Defense learned that four non-nuclear nose cone assemblies and their associated electrical components for a ballistic missile were mistakenly shipped to Taiwan in the fall of 2006. These items were originally shipped in March 2005 from F.E. Warren Air Force Base in Wyoming to the Defense Logistics Agency warehouse at Hill Air Force Base in Utah. There are no nuclear or fissile materials associated with these items.
Upon learning of the error, the U.S. government took immediate action to acquire positive control of the components and arranged for their safe and secure recovery to the United States. These items have now been safely returned to the United States.

Lessons learned are being discussed in the ranks of the U.S. Treasury Department and the Department of Defense all relating to the failure of people, processes, systems and or external events. Operational Risk is all around us and now ready for prime time focus in terms of strategy execution, implementation and measurement.

Whether you utilize Operational Risk Management (ORM) in the Defense Industrial Base or in the Financial Services sector it's important to revisit what it is NOT:

Operational Risk is Not:

  • About avoiding risk
  • A safety only program
  • Limited to complex-high risk evolutions
  • A program -- but a process
  • Only for on-duty
  • Just for your boss
  • Just a planning tool
  • Automatic
  • Static
  • Difficult
  • Someone else’s job
  • A well kept secret
  • A fail-safe process
  • A bunch of checklists
  • Just a bullet in a briefing guide
  • “TQL”
  • Going away

The goal of Risk Management is not to eliminate risk, but to manage risk so the mission can be accomplished with minimum impact. We manage risk to operate, not avoid risk as a means to prevent loss.


27 March 2008

Offshoring Risk: Increased Fed Oversight...

The risk of offshoring is a growing concern. If this study by Deloitte is correct, your valuable and private financial information is likely to be off shore already.

Deloitte estimates that $356 billion, or 15 percent, of the financial service industry's current cost base is expected to move offshore within the next five years. Further, the range and number of offshored job functions within individual institutions is expected to increase, with the average number growing from two to four functions per institution. In particular, the traditional focus on IT alone, which accounts for 70 percent of current offshore activity, will change to a business-process emphasis. Competitive pressures are the primary motivator for financial institutions to move higher-risk functions offshore.


The banking industry has a list of Offshoring Risks that is in need of greater care and oversight.

Domestic outsourcing and offshoring share most risk characteristics. However, the more complicated chain of control incurred when offshoring financial services and related data may create new risks when compared to domestic outsourcing. Offshoring also introduces an element of country risk to the outsourcing process. In particular, geographic distance from the function and timing lags in reporting heighten the potential risk exposures. Significant offshoring risk areas include:

Country Risk: political, socio-economic, or other factors may amplify any of the traditional outsourcing risks, including those listed below.

Operations/Transaction Risk: weak controls may affect customer privacy.

Compliance Risk: offshore vendors may not have adequate privacy regulations.

Strategic Risk: different country laws may not protect "trade secrets."

Credit Risk: a vendor may not be able to fulfill its contract due to financial losses.

It is currently standard FFIEC examination procedure for examiners to review outsourcing arrangements during examinations. Part of a standardized procedure should include:

  • Identifying and reviewing contracts between financial institutions and data service providers that allow for subcontracting or subsequent outsourcing to occur;
  • Determining whether subsequent outsourcing has in fact occurred as indicated in the contract or outside the terms of the contract;
  • Determining if the financial institution is aware of the subsequent outsourcing and the location of the outsourcing; and
  • Determining if the financial institution has procedures for monitoring all outsourcing arrangements to ensure adequate controls are in place or the service provider has proper procedures and controls to monitor their outsourcing arrangements.


We recommend that your CSO, CCO and General Counsel revisit your last audit on high risk outsourced relationships such as customer database work, including mortgage servicing and customer-assistance/help-desk services.

18 March 2008

Information Risk: The Zero's & One's Don't Lie...

The Bear Stearns implosion had been predicted as a casualty of failed hedge funds. These entities are less regulated than banks and don't have to keep a minimum capital reserve. The amount of leverage they utilize can sometimes come back to burn you.

Angry Bear Stearns Co Inc shareholders have wasted no time in bringing legal claims following the company's stunning stock collapse and $2-a-share fire sale to JPMorgan Chase & Co.

At least one federal lawsuit in New York seeking class- action status for alleged securities fraud was filed on Monday by an investor contending the company hid its true financial condition from shareholders.


"Who Knew What When" is the focus of the legal mechanism now in full swing as investigators at the SEC and other federal regulators begin their forensic examinations and interviews. Eliot Spitzer is already a back story after his demise in the FinCEN money laundering investigation:

But what really snared Spitzer was a money laundering investigation that was flagged by suspicious activity reports (SARs) that banks have to file with the Treasury to surface everything from money laundering to terrorist activity. This network has been around for a while, but its importance escalated following the Sept. 11, 2001 terrorist attacks. According to the FBI’s charges the prostitution ring that counted Spitzer as a customer was investigated due to some shady bank accounts, checks and wire transfers with big totals ($39,000, $400,000 and others).

The nexus of eDiscovery, Data Mining and Operational Risk Management is in the news as these incidents are unraveled. The information and evidence from the data analysis will reveal the truth, and those caught shredding documents or deleting files will no doubt become part of one of these inquiries.
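The quoted report says the case surfaced through suspicious activity reports triggered by accounts, checks and wires "with big totals", and the paragraph above calls this data mining. What a bank's transaction-monitoring engine actually does at the simplest level is run a handful of rules over the ledger. The following is an added example, not the post's own code or any bank's or FinCEN's logic, of two such rules: flag any single wire at or above a review threshold, and flag "structuring", a run of cash transactions kept just under the $10,000 Currency Transaction Report threshold within a short window. The $10,000 CTR figure is the Bank Secrecy Act threshold; the $25,000 wire review threshold, the 7-day window, the "within 20% of the threshold" band and the sample ledger are all constructed for the illustration, and the two wire amounts in the sample echo the figures in the quoted report.

```python
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000          # Bank Secrecy Act currency transaction report threshold (USD)
LARGE_WIRE_REVIEW = 25_000      # constructed institution-specific review threshold for a single wire
STRUCTURING_BAND = 0.8          # cash amounts in [80% of CTR, CTR) count toward a structuring pattern
STRUCTURING_WINDOW_DAYS = 7     # constructed sliding window
STRUCTURING_MIN_COUNT = 3       # constructed minimum number of near-threshold deposits in the window

# Constructed sample ledger: (date, account, type, amount in USD).
SAMPLE_TXNS = [
    (date(2008, 2, 4), "ACCT-17", "wire", 39_000),
    (date(2008, 2, 5), "ACCT-17", "wire", 400_000),
    (date(2008, 2, 6), "ACCT-22", "cash", 9_500),
    (date(2008, 2, 7), "ACCT-22", "cash", 9_800),
    (date(2008, 2, 8), "ACCT-22", "cash", 9_900),
    (date(2008, 2, 9), "ACCT-31", "cash", 2_000),
    (date(2008, 3, 1), "ACCT-22", "cash", 9_700),   # outside the window of the earlier cluster
    (date(2008, 3, 2), "ACCT-40", "wire", 12_000),  # above CTR but below the wire review threshold
]


def large_wire_alerts(txns):
    """Rule 1: any single wire at or above the review threshold."""
    return [("large_wire", acct, d, amt)
            for d, acct, kind, amt in txns
            if kind == "wire" and amt >= LARGE_WIRE_REVIEW]


def structuring_alerts(txns):
    """Rule 2: per account, N or more near-threshold cash transactions inside a sliding window.

    Only the first qualifying window per account is reported, so one cluster yields one alert.
    """
    near_threshold = defaultdict(list)
    for d, acct, kind, amt in txns:
        if kind == "cash" and STRUCTURING_BAND * CTR_THRESHOLD <= amt < CTR_THRESHOLD:
            near_threshold[acct].append(d)

    alerts = []
    for acct, days in sorted(near_threshold.items()):
        days.sort()
        for i, start in enumerate(days):
            window_end = start + timedelta(days=STRUCTURING_WINDOW_DAYS)
            cluster = [x for x in days[i:] if x <= window_end]
            if len(cluster) >= STRUCTURING_MIN_COUNT:
                alerts.append(("structuring", acct, start, len(cluster)))
                break
    return alerts


def flag_transactions(txns):
    """Run all rules and return the combined alert list (rule, account, date, detail)."""
    return large_wire_alerts(txns) + structuring_alerts(txns)


if __name__ == "__main__":
    for alert in flag_transactions(SAMPLE_TXNS):
        print(alert)
```

Real monitoring adds customer profiling (is $400,000 normal for this account?), counterparty and geography checks, and a case-management trail so the analyst's decision to file or not file a SAR is itself auditable; the point of the example is that the "zeros and ones" the post refers to are reviewed by rules like these long before an investigator ever reads them.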

Even today at 2AM JP Morgan Chase was searching Google with the terms "information operations risk management" and landed here on this Operational Risk Management Blog. Then they "Out Clicked" to A Defensible Standard of Care in hopes of finding answers to their questions.

The lawsuits and the lawyers are busy these days with the Federal Rules of Civil Procedure (FRCP) as they defend ongoing data breaches and bad behavior by employees and interested 3rd parties:

A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday.

Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.

The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

The company is aware of about 1,800 cases of fraud reported so far relating to the breach.


If the latest economic studies are correct, that's going to cost about $98.00 per record on the low side when it comes to the amount of money that these organizations will spend (unless insured) to clean up this operational risk related incident.

New York State has a new Governor at the same time the Bears are descending on Wall Street:

David A. Paterson became New York’s 55th Governor on March 17, 2008. In his first address as Governor, Paterson spoke about the challenges New York faces and his plan for New York’s future.

This month it's New York in the news but our prediction is that California will soon be next to capture the nations headlines. The legal buzzards are soaring overhead...

06 March 2008

Policing The Globe: Transnational Risk...

The nature of transnational crime today can be broken down into three fundamental steps: Collection, Monetization and Laundering. This is not anything new, yet the evolution of "Policing The Globe" has made dramatic leaps in the past few years. New Legal Attaches (Legats) and Memorandums of Understanding with INTERPOL and other national law enforcement entities have created increased coordination and cooperation across borders and continents.

Data warehousing, convergence of records data and more sophisticated methods for link analysis from companies such as i2 have made the detection and investigation of potential incidents more effective.

When the Collection phase is focused on harvesting Personal Identifiable Information (PII) for the purpose of ID Theft using Botnets or other cyber-related ploys the consumer will consistently suffer the direct effects. The retail banking institutions will be the ultimate target of the next phase of the criminal life cycle, the Monetization phase.

Using PII to gain access to bank accounts is taking on different forms these days, especially during times of economic hardship. The HELOC refinancing trends are upon us, and at the same time the unsuspecting homeowner may be giving up vital equity that still exists in their loans or lines of credit to criminal elements. Once any of these scams and frauds are completed, the funds are quickly turned into cash using wire transfers, ACH or even the old reliable ATM, using 3rd parties. And it doesn't even have to go this far, when you can sell PII for cents or dollars per record depending on its quality and whether the targets have a stellar credit score or deep equity.

And finally we find that funds are then turned around into other business ventures to help conceal the source or origin of the proceeds, so that the money goes through the inevitable Laundering phase.

Now let's look at it through the lens of an OPS Risk perspective.

"Pirates, bandits, and smugglers have bedeviled governments since time immemorial. Politicians and media today obsess over terrorism and trafficking in drugs, arms, people and money. Far less is said or known, however, about the expanding global reach of the police, prosecutors, and agencies like Interpol and Europol charged with targeting transnational crime."

Peter Andreas and Ethan Nadelmann in their book, "Policing The Globe: Criminalization and Crime Control in International Relations" provide analysis and bridge the connections between justice and politics.

To what degree does your institution actually initiate proactive due diligence on your own, to try and identify who is attacking your organization or your assets? The nexus with Operational Risk has to do with the legal compliance and transnational agreements with other nations on what the "Rules of the Game" are for privacy, investigations and obtaining evidence. More importantly what are the coordination and cooperation activities with your own domestic and the foreign jurisdictions for a prosecution strategy, especially if you have employees and operations in-country?

This morning an explosive device was detonated in front of a defense recruiting office in Times Square, New York City by a bicyclist. This incident could be a precursor to a potential terrorist suicide attack or most likely, just a disgruntled war activist. A few days earlier, domestic Ecoterrorism is suspected in the burning of three high value homes in the Seattle, Washington area.

"The mention of a bicyclist raised possible links to a May 2005 bombing at the British Consulate and an Oct. 26 explosion at the Mexican Consulate," the New York Daily News notes. "In both cases, police said, the suspect was possibly riding a bicycle when hollowed-out grenades - filled with black powder and a fuse - were tossed into the consulates. No arrests were made in those attacks."

Whether the ID theft crimes are committed online collecting zeros and ones from unsuspecting consumers or businesses without the proper controls in place or the direct physical attack on specific or symbolic assets, the transnational question is in the forefront of many peoples minds.

While it's too early to try and connect these two incidents to the same individuals or to countries outside the United States, one thing is certain. The laws, tools and capabilities of International Law Enforcement are accelerating at a more rapid pace, as new operational risks emerge on a global scale. Politics will in some cases, try to influence the agenda and to unleash sanctions that diplomats and State Departments will work on collaboratively to achieve preemptive law enforcement agendas.

Here then are some of the steps the State Department said Barbados had taken in recent years to prevent fraud and money laundering:

  • Extended the money laundering laws to cover offenses other than those involving drugs.
  • Forced financial institutions to report suspicious transactions that may involve criminal activities, such as terrorism.
  • Enabled the police to pursue "all potential prosecutions" of money laundering.
  • Placed the burden of proof on accused persons to demonstrate that property in their possession was "derived from a legitimate source". Failure to do so could lead to a presumption that it was acquired through illegal means.

The transnational ecosystem of crime control and international relations will continue to be a challenging arena for global enterprises. Ensuring that Operational Risk Teams are well equipped to provide assistance to investigators, law enforcement and government agencies is essential. Simultaneously preparing your employees for their inevitable exposure to these cases, law suits and incidents is a proactive strategy executives are actively investing in.

Liechtenstein remains vulnerable to money-laundering despite efforts by authorities to tighten regulations, International Monetary Fund and Council of Europe experts said Wednesday.

The tiny Alpine principality, currently at the heart of an international tax evasion scandal, offers "discreet and flexible legal structures, strict bank secrecy and favourable tax arrangements," the IMF said in a report.

Around 90 percent of Liechtenstein's financial services business is provided to non-residents, it noted.

"By its nature, Liechtenstein's financial sector business creates a particular money laundering risk," the IMF said.


27 February 2008

Lessons Learned: The Impact of Executive Decisions...

In times of economic downturn the Operational Risks within your institution will begin to rise. Enron, Worldcom and HealthSouth are a few of the names people recognize as the major casualties of the last significant dip in our economy. When times get tough, people get desperate and try to keep the schemes and any red flags from being discovered.

So what are some of the areas that encompass Operational Risk:

  • Internal Fraud - bribery, misappropriation of assets, tax evasion, intentional mismarking of positions
  • External Fraud - theft of information, hacking damage, third-party theft and forgery
  • Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety
  • Clients, Products, & Business Practice - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
  • Damage to Physical Assets - natural disasters, terrorism, vandalism
  • Business Disruption & Systems Failures - utility disruptions, software failures, hardware failures
  • Execution, Delivery, & Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets

Cynthia Cooper has written a new book "Extraordinary Circumstances: The Journey of a Corporate Whistleblower" about her honorable quest to find the truth at Worldcom. Her quote in the March/April issue of Fraud Magazine says it all:

"Listen to your instinct. If people are acting out of character or appear to be working to head you in another direction, step back and ask yourself why. Continue to ask for support and dig until you're satisfied that you've gotten it right."

Beyond Cynthia's first person account of her emotional perspective, Operational Risk Management professionals realize that their role and the job they have been trained to do is not always a "Pleasant" experience. This is why all of the training and education is so important and the rehearsals are absolutely imperative. Testing, evaluating and testing some more is the norm. Understanding what "Normal" looks like takes time and persistence. Yet without it, our horizon for positive change could be in jeopardy.

With many of the "Lessons Learned" books now published from the last economic dip, who will be next to blow the whistle or expose the real risks that some companies are hiding from the Board of Directors and the shareholders? The class action lawyers are even gathering their evidence on the possibility of cashing in on predatory lending practices:

A federal appeals court is nearing a decision on a battle between Chevy Chase Bank and a Wisconsin couple that could for the first time enable homeowners across the country to band together in class-action lawsuits against mortgage firms and get their loans canceled.

The case is alarming Wall Street 's biggest banks, which could bear the hefty cost of reimbursing all mortgage interest, closing costs and broker fees to groups of homeowners who uncover even minor mistakes in their loan documents. After a federal judge in Milwaukee ruled last year that the Wisconsin couple had been deceived and other borrowers could join their suit, Chevy Chase Bank appealed to the circuit court in Chicago.

So what we have are markets that are volatile. Bankers who are raising the stakes for borrowers. And naive consumers who are facing higher prices across the board. The time for increased vigilance is in front of us all. From the Board Room to the Court Room it's time that we spend more time looking at the interdependencies and realize that risk is more than a prediction.

During these times, it's worth revisiting this post on Fear: The Elements of Prediction.

21 February 2008

Hedge Funds: Focus on Sound Practices...

So what is on the mind of Hedge Fund Managers in these days of "volatility" and uncertainty? After all, the CFOs and COOs at hedge funds and funds of funds must have some questions about best practices for auditing their funds' operations and mitigating the most common forms of operational risk.

Top industry practitioners and industry advisors will discuss these topics at THE HEDGE FUND OPERATIONAL RISK MANAGEMENT SUMMIT Strategies for Stress Testing and Hedging Operational Risks:
  • New auditing standards – an operational due diligence checklist
  • Methods for attaining greater transparency while protecting strategies
  • Financing your operations – key considerations for managing operational risk
  • Implementation of disaster recovery strategies
  • The role of operational due diligence in your risk management strategy
  • Current issues in regulation and compliance
  • Updates on tax risk management and international tax compliance
  • Understanding methodologies for hedge fund ratings
  • ERISA – new info for hedge fund operations
  • Best practices for managing counterparty risk

The speakers and panelists are prominent leaders in banking, alternative investments and the usual suspects of lawyers and accountants. Yet one item in the list stands out: the topic of ERISA and new info for hedge fund operations. Among other things, ERISA provides that those individuals who manage plans (and other fiduciaries) must meet certain standards of conduct. The law also contains detailed provisions for reporting to the government and disclosure to participants. There are also provisions aimed at assuring that plan funds are protected and that participants who qualify receive their benefits.

Hedge fund CxOs are thinking more about implementation of disaster recovery strategies. We know that they have been planning for it since the day the doors opened somewhere in Greenwich, yet now the vital topic of "Implementation" is at the forefront of the discussion.

In the context of Operational Risk Management with hedge funds, the goal is no different even while the feds may not have all the new regulations in place or the laws on the books. After all, the industry as a whole is just now getting its new leader in place to lobby "The Hill". The Managed Funds Association (MFA) has announced its new President, Mr. Baker.

Oversight and transparency will be a continuous topic for regulators. Yet with several trillion dollars in assets under management, the Alternative Investments Industry will see some important and vital practices gain momentum within its ranks.

We are pleased to see that Section I of the MFA Sound Practices Guidance includes Information Technology Controls:

The Recommendations also include information technology (“IT”) guidance in order to control changes to any software applications, data, and IT infrastructure and to maintain proper security therein. Finally, the Recommendations in Section 1 provide guidance on relationships with third-party service providers that perform key business functions, such as calculating net asset value (“NAV”) or monitoring risk.

And beyond the normal rules around "Ethics" and best practices associated with the code of conduct in the financial services industry, Hedge Funds must realize that they are not hedging their Operational Risk by outsourcing to third parties. They are still responsible for the oversight of these third parties and the extent to which they are in compliance with all federal and state laws.

V. PERFORMANCE OF INVESTOR IDENTIFICATION AND OTHER AML PROCEDURES BY THIRD PARTIES

A. Relationships between the Hedge Fund Manager and Third Parties

This section should address the fact that the U.S. Department of Treasury has recognized the ability of a Hedge Fund or Hedge Fund Manager to contractually delegate the implementation and operation of certain aspects of its AML compliance program to third parties (e.g., fund administrators, IAs, CPOs, CTAs, broker-dealers, and futures commission merchants), although the Hedge Fund and Hedge Fund Manager remain fully responsible for the program.

With so much riding on the hedge fund industry and its importance to the performance of the markets, it's everyone's wish that the CxOs implement robust compliance and ethics programs to support their Operational Risk Management Frameworks.

12 February 2008

Business Survival: Anticipating Breakpoints...

"The final plunge of the most powerful and dreaded firm on Wall Street in the roaring eighties came with astonishing speed. Like the abrupt fall of the Berlin Wall thousands of miles away, the collapse suddenly confirmed what everyone in the financial world could already feel in the wind: A new era had arrived."
Business Week cover story on 2.26.90

Many excellent companies have fallen from grace, not because they ignored their customers or lacked superior management skills, but because business conditions shifted beneath them. In an environment of fluctuating markets, proliferating technologies, and changing political frontiers, the management challenge is no longer to manage only growth. Now managers must cope with breakpoints, or sudden shifts in the rules of the game.

So has this deja vu moment reminded us that the Drexel Burnham Lambert implosion could be replaced with a new corporate name in the year 2008? Junk bonds were a financial instrument that was utilized for leveraged buyout financing. Then a "Breakpoint" occurred. Paul Strebel, in his 1992 book entitled "Breakpoints: How Managers Exploit Radical Business Change", explains:

"Breakpoints, or sudden radical shifts in the rules of the business game, may shape the course of an industry, or of a company, but they need not be as dramatic as the junk bond story."

If you are the Chief Risk Officer (CRO) at a major institution facing sleepless nights these days then you are not alone. Just make sure that you "Tivo" the moment so that you can replay it in another decade, around the year 2015. If the last major breakpoint took 18 years then the next one should occur in about half the time. Do you have your finger on the pulse of change and potential breakpoints in your organization? Can you anticipate the next one in time to have the correct actions and plans to mitigate the impact on your enterprise?

Certainly there will always be those incidents and crises that are unknown and sudden. And how you recover during these times could save your reputation:

ZURICH (Reuters) - Credit Suisse (CSGN.VX) trimmed full-year subprime writedowns to 2.0 billion Swiss francs (932 million pounds) but its stock fell as investors took fright at the bank's remaining exposure to the credit crisis.

The bank also reported a 49 percent fall in fourth-quarter profit from continuing operations to 1.33 billion francs, slightly below analysts' expectations, as losses in its huge asset management business eroded results.

Subprime writedowns in the fourth quarter were 1.26 billion francs, Credit Suisse said, though hedging earlier in the year had helped it lower its full-year charges for bad credits from an estimate of 2.2 billion francs made earlier.

The Blackberry mobile e-mail service has returned to normal after a breakdown on Monday afternoon wiped out the service across the US and Canada.

The Blackberry device, owned by Canadian firm Research in Motion, is popular among business people who rely on it to keep in touch with the office.

The service began to fail at about 1530 EST (2030 GMT) and users struggled to retrieve information for three hours.

The firm said no messages were lost and apologised for the problems.

Whether the CRO encounters the wrath of financial instruments at a breakpoint in the marketplace or hours of downtime on the corporate lifeblood of information exchange does not matter. Operational Risk is pervasive and creates discontinuity that impacts employees, customers and shareholders. The only answer is a resilient framework for anticipating and addressing "Change", or in other words, incidents.

Having a taxonomy for change in your organization is imperative to gaining insight on potential incidents, whether they be [high frequency, low consequence] or [low frequency, high consequence] events. So what is the potential aftermath without this taxonomy?

  • Companies have myopia in viewing the actual breakpoint in front of them
  • The company fails to capture the opportunity and exploit the breakpoint
  • A rare company actually creates a competitive breakpoint

The analysis within your organization begins with an understanding of what tools your adversaries are utilizing to exploit your vulnerabilities. Your future Business Survival depends on it.

05 February 2008

ESI Lessons Learned: CREDO & Qualcomm...

Qualcomm Inc. v. Broadcom Corp., Case No. 05cv1958 (BLM) (S.D. Cal.), issued on January 7, 2008 by the U.S. District Court for the Southern District of California, should be a major wake-up call for corporate litigants. This case is about electronically stored information (ESI) and the ability to manage and produce the correct records at the time requested.

Evidence Lifecycle Management (ELM) is imperative in the context of Governance Strategy Execution within the halls of corporate legal departments. Having an Operational Risk Framework to address legal matters is the "Holy Grail" for many Audit Committees of global Fortune 50 institutions and the General Counsel. What are some of the elements of enterprise ELM? To start:

  • Automated identification, preservation, and collection of structured and unstructured matter-specific ESI from all accessible eRecords sources
  • Role-based collaboration and communications that drive all case-specific ESI activities
  • Auditing and reporting of all ESI communications and events, including litigation holds

Duane Morris LLP has this to say about the Qualcomm case:

Emphasizing that it is the responsibility of attorneys (both in-house counsel and retained counsel) to make certain that their clients carry out an effective and comprehensive document search, the court noted that "[p]roducing 1.2 million pages of marginally relevant documents while hiding 46,000 critically important ones does not constitute good faith and does not satisfy either the client's or attorney's discovery obligations." The court suggested that in-house counsel have a duty to confirm the veracity of any signed papers produced during discovery.

The district court's solution was to order Qualcomm to implement a "comprehensive Case Review and Enforcement of Discovery Obligations ('CREDO') program" which, at a minimum, includes:

(1) identifying the factors that contributed to the discovery violation, (2) creating and evaluating proposals, procedures, and processes that will correct the deficiencies identified in subsection (1), (3) developing and finalizing a comprehensive protocol that will prevent future discovery violations, (4) applying the protocol that was developed in subsection (3) to other factual situations, such as when the client does not have corporate counsel, when the client has a single in-house lawyer, when the client has a large legal staff, and when there are two law firms representing one client, (5) identifying and evaluating data tracking systems, software, or procedures that corporations could implement to better enable inside and outside counsel to identify potential sources of discoverable documents, and (6) any other information or suggestions that will help prevent discovery violations.

The court ordered that the attorneys submit a proposed protocol for the court to evaluate and revise, if necessary. While the district court's immediate goal was to remedy this specific instance of misconduct, the court hoped that its opinion would be a "road map" for electronic discovery and would "assist counsel and corporate clients in complying with their ethical and discovery obligations and conducting the requisite 'reasonable inquiry.'"

The risk associated with non-compliance with the Federal Rules of Civil Procedure (FRCP) is a major facet of Operational Risk Management. Corporate Governance Strategy Execution comes together through a dedicated internal "Task Force" inside the enterprise. Comprised of the General Counsel, CIO, CISO and VP of Human Resources, this team provides the mechanism for effective policy implementation and operations accountability. Its mission is to carry out the fiduciary duty to create a culture of legal compliance within the organization.

The Board of Directors has learned its lesson from turning the entire process over to outside counsel. The trend of outsourcing the many tasks and duties assigned to the discovery and admissibility of ESI is coming to an end. Soon the General Counsel will be standing up the internal "Task Force" to identify and produce ESI in a reliable and cost-effective manner. The trend is gaining momentum, and law firms are getting more "Requests for Information" (RFI) on their true electronic discovery capabilities.

Establishing "A Defensible Standard of Care" within the enterprise continues to be the ultimate goal. While some law firms have started to offer services to determine the readiness of their clients for large ESI cases, more corporate institutions are reversing the economic process associated with E-Discovery and asking:

"What are the Electronic Discovery Capabilities of our outside counsel?"