Economic Impact: Hedge Funds Beware...

In a recent ACFE study on the impact of an economic recession, the results are eye opening. More than half (55.4 percent) of respondents said that the level of fraud has slightly or significantly increased in the previous 12 months compared to the level of fraud they investigated or observed in years prior.

Additionally, about half (49.1 percent) of respondents cited increased financial pressure as the biggest factor contributing to the increase in fraud, compared to increased opportunity (27.1 percent) and increased rationalization (23.7 percent).

The survey also found that:

Employees pose the greatest fraud threat in the current economy. When asked which, if any, of several categories of fraud increased during the previous 12 months, the largest number of survey respondents (48 percent) indicated that embezzlement was on the rise.

Layoffs are affecting organizations' internal control systems. Nearly 60 percent of CFEs who work as in-house fraud examiners reported that their companies had experienced layoffs during the past year. Among those who had experienced layoffs, almost 35 percent said their company had eliminated some controls, while 44.2 percent said the layoffs had no effect on controls and only 3.2 percent said their company had increased controls.

Fraud levels are expected to continue rising. Almost 90 percent of respondents said they expect fraud to continue to increase during the next 12 months. Additionally, the fraud most expected to increase is embezzlement.

These results are not too surprising. Internal control systems could be an issue if there are layoffs in the risk management departments or reallocated enterprise resources. The embezzlement schemes come in many forms and they know where and what areas will be neglected in oversight during the economic belt tightening.

Most of these fraudsters are brilliant "con men". They know how to prey on the human factors of greed and fear. Powerful emotions must be monitored by a "Corporate Vigilance" and awareness program. This preempts potential breaches and crisis incidents that will ultimately impact personal and corporate reputations.

Three factors are generally accepted as being necessary for a fraud to occur: pressure, opportunity, and the ability to rationalize illegal behavior. Unfortunately, the presence of each of these factors may rise in periods of economic hardship. Organizations and individuals alike can experience the pressure of increased financial strain. Opportunities for fraud could proliferate as many companies cut their workforces and otherwise reduce expenditures, perhaps leading to reduced internal controls and fewer proactive fraud prevention measures. And bombardments of bad financial news could cause mounting feelings of helplessness, pessimism, and isolation, which may, in turn, allow individuals to rationalize previously unthinkable acts.

So what can you do to detect early the potential existence of a suspected fraudster in your organization without subjecting current employees to retribution or put them into harms way? One effective strategy is to hire an outside entity to perform ongoing interviews and investigations that is independent of the internal audit department or OPS Risk staff. The other step is to compartmentalize the unit in terms of information exchange and to increase overall operational security.

Harry Markopolos, who is responsible for investigating Bernie Madoff for 8 or 9 years did exactly this and for good reason. His team was operating in the field under his direction and was kept secret even while he was talking to the SEC. Why? Some of the off-shore funds Madoff was doing business with were only a few steps removed from organized crime, according to Markopolos. If these firms new that Mr. Madoff was stealing them blind, they could have put some adversarial actions into play.

Once the fraudster gets the indicator that any one is getting close to the point of questioning their behavior, you can bet the evidence will begin to be destroyed or masked. This destruction of evidence can begin with simple deleting of e-mails, documents or the creation of new e-mails or data to mask or cover up the trail of fraudulent activities. This is when the use of Digital Forensic examinations on weekends or evenings while employees are away from the workplace can help reveal the presence of "Anti-Forensics."

The presence of anti-forensic tools to cover their tracks, e-mails or where they are visiting on the Internet might be the first sign that you may have an actual fraud scheme in operational mode. Hidden or encrypted files found on an employees laptop or desktop utilizing unauthorized sofware tools or downloaded freeware is a huge "Red Flag."

It's important for any investigator to consider the human factors and the behavior associated with people under pressure and close to the end of their hidden occupational fraud operation. These typically have been going on for up to 24 months before they are discovered and you can be sure that they have thought about the day when they are finally discovered. The fight or flight mode kicks in at this point and organizations are obligated to mitigate the risks of harm to fellow employees.

Effective Corporate Integrity units in global enterprises require the right internal resources, independent outside expertise and a comprehensive OPS Risk framework to be more successful.

Hedge Funds have been on alert for months now. Marc Dreier, the New York law firm founder accused of defrauding hedge funds by selling $700 million in phony promissory notes, might face life in prison after pleading guilty to fraud charges.

According to prosecutors, victims of the fraud included Amaranth Group Inc., Perella Weinberg Partners, Eton Park Capital Management LP, Concordia Advisors LLC, Novator, Meyer Ventures LLC, Blackstone Group LP’s GSO Capital Partners and Elliott Management Corp.

The case is U.S. v. Dreier, 09-cr-85, U.S. District Court, Southern District of New York (Manhattan).

operational risk

Human Factors: Early-Warning System...

Predictive Intelligence And Analytics From 1SecureAudit Provides Transnational Organizations With A Preemptive Human Factors Early-Warning System

According to Managing Director and Chief Risk Officer of 1SecureAudit, Peter L. Higgins, the complexity of today's extended global enterprises requires a new governance lens to view hidden insider risks and to guide management executives to achieving a defensible standard of care.

"Our newest consulting practice accelerates the time line in identifying employee insider risks and potential threats associated with international client transactions," said Higgins. "Ms. Marcia Branco is launching our new client offering with more than a decade of experience identifying the complex connections between human behavior and corporate operational risk responsibility."

Advocating a "People First" approach, Ms. Branco, vice president, practice director of the Predictive Intelligence and Analytics practice, believes corporate personnel; partners and suppliers represent a tremendous asset and simultaneously a significant legal liability to a business. "People are the primary focal point to better understanding and resolving systemic risk problems within the walls of the enterprise and beyond to the extended supply-chain," said Branco.

The Association of Certified Fraud Examiners affirms "U.S. organizations lose an estimated seven percent of annual revenues to fraud," and insider negligence is the highest cause of data breaches, reports the Ponemon Institute & PGP Corporation. The complexity and quantity of insider threats is growing at the same time as businesses are facing shrinking budgets and mounting pressures to maintain and grow profits with fewer resources. "How successful has your company been at identifying and swiftly addressing issues, conflicts and preventing malfeasance? Whether originating internally from an employee or contractor or at your extended border of partners, suppliers and clients, predictive intelligence is essential?" asks Higgins.

1SecureAudit provides critical assessments, internal investigations, strategy execution and program development. These proactive governance and advisory services generate positive change to business culture, operations and bottom line.

"Our distinctive 'People First' approach examines your organization's human capital assets to gain unique insights on corporate culture, company issues and the workforce's attitude about management and business initiatives. We convert these human factor data into predictive intelligence to preemptively determine how to best shape current and new corporate strategies. Our clients are able to take advantage of short-lived opportunities, attract and retain employees, partners and customers, demonstrate a more defensible standard of care and promote a trustworthy corporate reputation," stated Branco. "Does your organization consistently adhere to and enforce corporate policies, ethical standards and procedures that value your employees and respond to shareholder advocates?"

Working with 1SecureAudit to integrate predictive intelligence in any business strategy and practices is a sound investment that directly contributes to corporate management's, Board of Directors', and shareholders' peace of mind. For more information, visit 1SecureAudit.com or e-mail RDU (at) 1SecureAudit.com.

operational risk

Economic Impact: Proving the Truth...

The Madoff investigations into so called "feeder firms" are now gaining momentum. The question on who are the victims and where fraud is suspected continues it's due course. The process of client referrals is not a crime and allegations that correlate this with fraudulent behavior is a flawed mindset. The current basis in the Merkin case has more to do with non-disclosure of where clients money was actually invested:

Andrew Cuomo, the New York attorney general, yesterday filed civil fraud charges against the hedge fund manager Ezra Merkin, alleging he secretly channeled more than $2.4bn to Bernard Madoff's Ponzi scheme in exchange for lucrative fees.

The move is the second regulatory action in two weeks against one of the big so-called "feeder" funds that sent billions of dollars to Mr Madoff, who pleaded guilty to one of history's biggest investment frauds.

Mr Cuomo accused Mr Merkin, a leading figure in the New York charity community and former chairman of financing company GMAC, of steering money from charities, universities and non-profit organisations to Mr Madoff without their permission and reaping about $470m in fees for his three funds.

"Merkin duped individual investors, non-profits and charities into believing he was responsibly managing their investments, when in actuality he was dumping them into history's largest Ponzi scheme,'' Mr Cuomo claimed yesterday.

Operational Risk professionals in these hedge funds and other alternative investment firms are getting prepared. These organizations will continue to be under the regulatory spotlight for years to come. Fraud and the fear of fraud will make their potential clients even more diligent in their understanding of where their funds are being invested. The federal watchdogs, oversight mechanisms and civil law suits will require firms to have their risk management "Act" together.

When it comes time to prove the truth, whether innocent or guilty, it will come down to information. The likelihood that this information is housed in a database, e-mail system or off-site disaster recovery repository is almost certain. Digital information that is part of any inquiry for civil or criminal action is subject to the "Rules of Evidence" and the "Federal Rules of Civil Procedure." This is where most of the alternative investment firms have their greatest exposure and vulnerability today. Call it the "Readiness Factor".

In a groundbreaking case from the past year, Qualcomm Inc. v. Broadcom Corp., No. 05CV1958, 2008 WL 638108 (S.D. Calif. March 5, 2008), the court found the plaintiffs to have committed "monumental and intentional" discovery violations for failing to produce thousands of documents requested in discovery. The court cited the "impressive education and extensive experience" of Qualcomm's attorneys to justify significant sanctions for failure to produce relevant e-mails, including reporting to the State Bar of California.

The "Readiness Factor" goes far beyond the process or procedures for preserving evidence. It starts with the creation of information inside the organization. How is it classified, where is it stored and who has access to it? These are fundamental Information Technology and Records Management 101 questions that any prudent organization has already answered. Where most firms find themselves with their backs up against the "legal wall" has to do with relevance, authenticity, and admissibility of information.

The "Alternative Investment" industry is quickly learning that their own IT professionals are going to end up on the witness stand and in early depositions. They are going to be hearing questions such as:

• What policies or procedures do you manage in your department/organization?
• What training do you have on the collection and preservation of "Electronically Stored Information"?
• Explain your responsibility or supervision of access controls, folder management, indexing, purging controls and metadata?
• Describe the procedures your firm utilizes to identify the places, people (custodians) and quality of the data that has been preserved for this case?

The list continues and the IT professionals better be ready. Adversarial counsel will be digging deep to get after the key components of authenticity and spoilation issues. The unfavorable outcomes from a lack of readiness can produce an "Economic Factor" that far exceeds the cost of just finding and producing the information for e-Discovery.

The economic impact of proving the truth in any case can be significant. If you were a savvy and smart prosecuter, the cases that would filter to the top for scrutiny may very well be those firms that display the most "IT Immaturity." Getting some wins under your belt with some relevant case law could determine how fast future cases are settled far in advance of ever getting to trial.

For those "Alternative Investment" firms that are behind the 8 Ball, here is a good place to start your own discovery of the total cost of proving the truth. The E-Discovery Road Map.

operational risk

4GW: Irregular Warfare in the Homeland...

Why is the US House Armed Services Subcommittee holding a hearing soon that is entitled: "Terrorism, Unconventional Threats and Capability on Terrorism and the New Age of Irregular Warfare: Challenges and Opportunities"?

Here is one good reason:

Baitullah Mehsud, the leader of the Pakistani Taliban recently claimed responsibility for the deadly attack that took place at a police academy on Monday in Lahore, Pakistan. But that’s not all. According to Mehsud, the next attack is going to be much closer to home. In a phone interview with the Associated Press, Mehsud indicated that his terrorist organization was planning a devastating attack on Washington D.C. that would “amaze” the world. Heritage analyst James Phillips told Fox News:

It should be taken seriously because [Mehsud] has ordered the deaths of many Pakistanis and Afghans and has a close alliance with Al Qaeda. It’s not too much of a stretch to think he might be involved in an attack on the U.S. if he’s able to get his followers inside the United States. He’s a militant extremist whose threats cannot be ignored.

Though most Americans associate terrorist attacks with bombings, armed ground assaults can just as deadly and disruptive. The most dramatic recent example was the Terrorist attacks that took place in Mumbai, India last November, killing almost 200 people.

Ground assaults are not just a terrorist tactic that might happen over there. Over here, it has been less than two years since six terrorists were thwarted in their attempt to assault Fort Dix in New Jersey.

The 4GW (Fourth Generation Warfare) strategy is well over five years old. We are glad to see that one of the best on this topic will be at the Armed Services hearing on Capitol Hill. Let's hope John Robb gets an opportunity to outline the following:

Differences
Many of the methods used in 4GW aren't new and have robust historical precedent. However, there are important differences in how it is applied today. These include:

• Global -- modern technologies and economic integration enable global operations.
• Pervasive -- the decline of nation-state warfare has forced all open conflict into the 4GW mold.
• Granularity -- extremely small viable groups and variety of reasons for conflict.
• Vulnerability -- open societies and economies.
• Technology -- new technologies have dramatically increased the productivity of small groups of 4GW warriors.
• Media -- global media saturation makes possible an incredible level of manipulation.
• Networked -- new organizational types made possible by improvements in technology are much better at learning, surviving, and acting.

Corporations, Government Agencies and owners of strategic critical infrastructures owned by the private sector are continuing their vigilance in light of the 4GW emergence. More than ever the need for effective OSINT (Open Source Intelligence) gathering at the street level is imperative. Yet all the Humint and sensor based collection of data will not change the myopia of insight unless there is a rapid adoption of the new mantra: "Responsibility to Provide."

The "Responsibility to Provide" statement is rapidly replacing the old and ineffective rule of "Need to Know". Our adversaries realize that our "Need to Know" mentality is one of our greatest vulnerabilities and they will continue to exploit this weakness. Washington, DC is has just emerged from a period of coordination, cooperation and unprecedented effectiveness across legal, political and jurisdictional boundaries. The fact is that the 44th Presidential Inauguration bound together thousands of people across the country to keep our Nations Capital safe and secure in January. This mission was accomplished and the result has been ever so felt by those who were in the middle of the operational command centers, such as WRTAC, the Washington Regional Threat and Analysis Center.

WRTAC provides DC Metro partner agencies and local jurisdictions with a watch command, plus an Open Source Daily Brief of current news articles relating to terrorism, homeland security, critical incident response and public safety. The key factor here is "Relevance" on the ground level to your own community and the local assets needed to raise situational awareness.

If Baitullah Mehsud is telling the truth, then it is not so much a matter of "what" 4GW tactics will be utilized, it is a matter of "when."

operational risk

Compliance: Workplace Security, Ethics & Governance...

Bernie Madoff clones and the 11,000 other unregulated investment advisors across the US will be subjected to increased scrutiny in 2009 and beyond. The SEC, FINRA, US Treasury FINCEN, FBI and the tribe of banking regulators are all gearing up for audits, inspections and more granular forensic accounting examinations.

Fraud and the corruption of corporate America is hard to detect. Even more difficult when the watchdogs are too busy or without the resources to do the job effectively. Post Enron and the whole SOX wave of documentation, controls implementation and testing the Big Four Accounting firms were very busy.

The cases are among a series of recent alleged frauds at financial firms. While they have been handled differently, they have shined a light on loopholes in federal regulations, such as fragmented regulations governing brokers, investment advisers, auditors and other firms. And the cases have underscored obstacles facing authorities, including inadequate resources for detecting wrongdoing and difficulties in gaining access to foreign financial accounts.

"Reform is needed to close the existing regulatory gaps that expose investors to risk," said Richard Ketchum, chief executive of the Financial Industry Regulatory Authority, Wall Street's self-policing agency.

SEC Chairman Mary L. Schapiro is looking to work with lawmakers to overhaul the nation's financial regulatory system. This week, the SEC announced that it would partner with a government-funded research center to study ways to better assess the thousands of tips and complaints that come in each year. The House and Senate plan to consider legislation as early as late spring that would bring all financial activities under federal regulation. The details, however, aren't clear.

At the SEC, Schapiro plans a new focus on spotting fraud and other market manipulation early on. She plans to create a large team to seek out where abuses might be occurring. Then she plans to direct the SEC's limited examination staff toward those places. "We've got to be able to conduct risk assessment that allows us to understand where problems might arise and connect the dots between different problems in different places -- whether they're generated by different products, different firms or different trends in the economy," Schapiro said in a recent interview.

The internal threat to your institution by your own employees who may do you harm, intentionally or not is just a core factor in day to day Operational Risk Management. Where it gets more interesting to plaintiff lawyers is when there is a clear pattern of ignorance or just plain lack of resource allocation or funding to policing the organization. The even more vulnerable facet of the OPS Risk mosaic could be the supply chain of companies and people who represent the vital outsourced functions. How many mission critical components of running your business have you handed over to call centers, ISP and hosting companies, distribution and delivery, back office administration including accounting and payroll?

One of the key areas of due diligence long overlooked at these investment advisers is the supply chain of feeder firms. The alternative investment industry has it's reach into the accountants and tax advisory services for a good reason. They are the ones who prepare your tax returns. Their insight into your cash flow, ability to invest and necessity for potential hedging of tax liability gives them the opportunity to be great referral agents. How many times has your tax advisor recommended you go see a friend in the alternative investment industry?

Creating awareness among the ranks of corporate America that everyone is going to be under the magnifying glass won't change the motivators:

• Money
• Ideology
• Compromise
• Ego

Economic challenges inside the corporation or on the home front can increase exposure to heightened threats in the workplace. These include violence, fraud and product theft at a minimum. However, the greatest asset of value being attacked, stolen and sold to the highest bidder is information. Corporate espionage and good old fashioned competitive intelligence is a 21st century Operational Risk Managers nightmare.

Workplace Security, Ethics and Governance programs will continue to be a focus for auditors and inspector generals. A lack of evidence of effective and robust efforts to deter, detect, defend and document withing the confines of the institution could be a differentiator when it comes time for any sentencing guidelines to be considered.

§8B2.1. Effective Compliance and Ethics Program

(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation - Organizations), an organization shall—

(1) exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

operational risk

Oversight Risk: Evidence of Compliance...

In light of the tremendous announcements of corporate and financial malfeasance over the past few months, there is a "cramdown" in the works. The US Office of the Special Inspector General for the Troubled Relief Asset Program (SIGTARP) is gearing up.

The Office of the Special Inspector General for the Troubled Asset Relief Program ("SIGTARP") was established by the Emergency Economic Stabilization Act of 2008 ("EESA").

Under EESA, the Special Inspector General has the responsibility, among other things, to conduct, supervise and coordinate audits and investigations of the purchase, management and sale of assets under the Troubled Asset Relief Program ("TARP"). SIGTARP’s goal is to promote economic stability by assiduously protecting the interests of those who fund the TARP programs - i.e., the American taxpayers - by facilitating transparency in TARP programs.

Transparency and effective oversight in the TARP will be accomplished in coordination with other relevant oversight bodies, and by robust criminal and civil enforcement against those, whether inside or outside of Government, who waste, steal or abuse TARP funds.

The Special Inspector General, Neil M. Barofsky, was confirmed by the Senate on December 8, 2008, and was sworn into office on December 15, 2008.

As the new Stimulus Package works it's way to the local and state governments additional oversight will be placed on the bidding, procurement and contracting processes. Compliance with federal and state laws will become ever so vital as funds are applied under TARP in the mortgage markets and "shovel ready" projects are funded for maintenance and repair of critical infrastructures.

As the government ramps up to spend trillions of dollars to revive the economy, loopholes in federal law and a shortage of FBI agents assigned to investigate white-collar crime could lead to a big payday for perpetrators of mortgage fraud and other schemes.

That's the view of lawmakers who want to extend federal fraud laws to private mortgage companies that aren't regulated at the federal level, and provide $155 million a year to the U.S. Justice Department to triple the number of active mortgage-fraud task forces and help the FBI rebuild its white-collar investigation program.

So what should a Chief Compliance Office or Vice-President of Operational Risk Management at an institution be concerned with over the next few years? Get ready. First and foremost, the Board of Directors will be focused on "Corporate Governance Strategy Execution." Public institutions who have most recently taken on the role of becoming a more traditional bank in order to become eligible for government funds are most at risk. Some of these include traditional insurance companies and credit or charge card institutions. This is because they have not had the controls, staff and policy programs in place to effectively deal with all of the new banking regulations and compliance mechanisms the oversight agencies will be scrutinizing during their audits.

Securities and Exchange Commission Chairman Mary Schapiro plans to look into whether the boards of banks and other financial firms conducted effective oversight leading up to the financial crisis, according to SEC officials, part of efforts to intensify scrutiny of the top levels of management and give new powers to shareholders to shape boards.

As she examines what went wrong, Schapiro is also considering asking boards to disclose more about directors' backgrounds and skills, specifically how much they know about managing risk, said the officials,

As new sources of funding flow to the organizations for redistribution to consumers or small businesses the oversight process must be implemented up front. The human factors will play a tremendous role in how ethics are either applied consistently or are absent all together, in day to day operations. Boards of Directors will ensure that corporate management are injecting the correct amount of corporate governance and compliance management oversight to keep human behavior and red flags in check. Operational Risk Managers will be busy expanding their breadth and reach into the corporate enterprise for years to come.

operational risk

PII: Achieving a Defensible Standard of Care...

A data security breach of "Personal Identifiable Information" (PII) will impact your organization in the future. This incident is no different than other Operational Risk loss events to your global enterprise this year, such as occupational fraud or the settlement of a lawsuit. Correct?

This time however, the difference is that now your own employees or your customers are the victim. Their PII has been lost or stolen and your organization has been the safeguarding entity of that valuable data until now. Your response is vital and the way you legally and ethically behave is a significant risk factor in itself.

Your brand reputation in the marketplace is on the line and the potential churn in lost customers or employees is at stake. Like many post 9/11 companies, your crisis response protocol is already in place for incidents that require your senior executives and the establishment of an immediate Incident Response Team (IRT).

So why is lost or stolen PII such an important executive issue for any organization?

In privacy, PII is less restrictive than in Information security and one definition can be found in the EU directive 95/46/EC:^[1]

Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Although the concept of PII is ancient, it has become much more important as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes. As a response to these threats, many web site privacy policies specifically address the collection of PII, and lawmakers have enacted a series of legislation to limit the distribution and accessibility of PII.

As your General Counsel and Chief Privacy Officer begin to assess the magnitude and breadth of your recent PII exposure, so too does the plaintiff lawyers. Now the clock starts ticking and each tick gets louder and louder, as different litigation strategies are discussed. In Board Rooms and judges court chambers across the United States, the Federal Rules of Civil Procedure (FRCP) and the admissibility of "Electronically Stored Information" (ESI) is being discussed as a legitimate component of evidence and it's relevance in the case.

What if you could now "Rewind" this scenario and find yourself in a "legal safe zone" to adequately prepare, prevent and even preempt a "Data Security Breach" in your organization. This "legal safe zone" is available today and is as close as your corporate executive conference room, with several "Subject Matter Experts" working side-by-side. It's a professional service solution from the data breach services leader, idexperts.

The "Achieving a Defensible Standard of Care" Readiness workshop in your organization begins with a two day facilitated process for discovery and convergence with your fellow company executives. You will be engaged in a proactive, preventive and preemptive tactical plan in preparation for the day of your next PII-involved Data Security Breach. Upon completion, this operational plan establishes the baseline framework for a complete team-based drill. This outcome will then test the readiness of your key stakeholders internally and external to the company. More importantly, it provides the strategic insight on what vulnerabilities still exist in your particular organizations approach to remediation and legal compliance.

Each year, despite security efforts, millions of personal records are compromised as a result of corporate and public-sector data breaches. Breach response costs - mandated notification, PR, call handling, credit monitoring and legal fees - can add up, yet traditional approaches don't fully mitigate the risk to your business or your customers.

A data security breach of "Personal Identifiable Information" (PII) will impact your organization in the future. The next one will be different.

operational risk

Vigilance: Human Factors of Complacency...

Two days from now, Washington, DC will be in the midst of a historic Presidential Inauguration and President Obama will be moving into his new house on Pennsylvania Avenue.

The day after, on January 21, 2009 our Operational Risk Managers from across the spectrum of government will be looking to set their respective agendas for the next four years. The outgoing administration is quickly getting their new offices set up with lobby shops and law firms to continue their power agendas. Some are headed to the private sector, to return to their roots in business.

Regardless of the complexity and the change factors associated with all of the political fan fare, there are still "Black Swan" risks to our economic and global vitality. These operational risks continue to interface with Homeland Security, the Department of Defense (DoD), Treasury, Justice, and the State Department priorities. It all exists with great anticipation.

The United States will continue it's quest to secure the homeland from foreign and domestic terrorism. She will defend our allies against the aggression by other rogue states or countries in political turmoil. She will work harder than ever before to help other nations rebuild or build the foundations for economic stability, democracy and the rule of law. So what has or will change in the next four years in the context of Operational Risk Management?

It's almost like the feeling when you lose a loved one, to some catastrophic event. Or hear the news from a co-worker that your boss is being indicted for some corporate financial malfeasance. There is a feeling of despair and uncertainty. The event and sudden impact brings on a form of decision paralysis. Everyone starts to question each other and there is a tremendous amount of finger pointing on what could have prevented or what caused the incident to occur.

What will change for Operational Risk and managing the current and yet to know "What If's" is that it can't be ignored any longer. In analyzing the 1-in-a-100-year event, people have to go far beyond the mathematical equations and start looking at human behavior. Operational Risk managers across our international governments and business will now realize that even the "Human Factors" in Operational Risk can't always be counted.


Writers Wilber and Smith from the Washington Post have this to say about a vital component of our continued national risk management vigilance:

"A special federal appeals court yesterday released a rare declassified opinion that backed the government's authority to intercept international phone conversations and e-mails from U.S. soil without a judicial warrant, even those involving Americans, if a significant purpose is to collect foreign intelligence.

The ruling, which was issued in August but not made public until now, responded to an unnamed telecommunications firm's complaint that the Bush administration in 2007 improperly demanded information on its clients, violating constitutional protections against unreasonable searches and seizures. The company complied with the demand while the case was pending.

In its opinion, a three-judge panel of the U.S. Foreign Intelligence Surveillance Court of Review ruled that national security interests outweighed the privacy rights of those targeted, affirming what amounts to a constitutional exception for matters involving government interests "of the highest order of magnitude."

Our greatest threat to national security or business and global economic welfare may well come down to the ability to mitigate complacency and a lack of vigilance. A high degree of complacent people, working in an environment of non-vigilance, could set the stage for those human factors to play a major role in exploiting our vulnerabilities as a business and a nation.

The weight of protecting our nation from economic tidal waves and well trained non-state actors is a tremendous responsibility. Operational Risk Management will continue to be a vital aspect of all the existing and new decision makers over the next four years. Becoming ever vigilant and eliminating complacency will keep us from falling victim to the risk of "Human Factors". Gods speed to the 44th Presidency!

operational risk

Managing the Business Risk of Fraud...

Operational Risk Management is in full swing at distressed institutions as the TARP funds continue to flow to these needy corporations. One thing is certain; you can expect increased oversight. The risk management mechanisms to determine how and where funds are being utilized will be the focus. Anti-fraud planning and investigative projects are on the radar of the Board of Directors and the Audit committee chair. The US government Anti-Fraud Task Force is gearing up:

Six more U.S. government agencies, including the Federal Reserve, will take part in a federal anti- fraud task force to strengthen its focus on uncovering mortgage and securities crimes.

Deputy Attorney General Mark Filip announced the expansion yesterday of the President's Corporate Fraud Task Force, which was formed in 2002. Joining the group are the Federal Housing Finance Agency, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Department of Housing and Urban Development and the Office of Inspector General for the financial industry rescue program approved last year by Congress.

"These new members reflect the breadth and depth of the mortgage crisis that we are now confronting and the urgency of the task before us," Filip said in a statement.

Current members of the task force include the heads of the Securities and Exchange Commission and the Commodity Futures Trading Commission.

Gil Soffer, associate deputy attorney general, said the task force expansion would let FBI officials coordinate with monitors of the Troubled Asset Relief Program.

"To be able to bring in our resources and to be able to tap into our expertise and to be able to work with our investigators and our prosecutors when there's criminal activity afoot, it's a tremendous boon" to TARP investigators, he said in an interview.

Congress passed the $700 billion TARP rescue package in October, and lawmakers have said oversight is needed to ensure the funds aren't misused.

The business of Fraud Risk Management has been spelled out for years and continues to be a high priority. Most Fortune 50 organizations have established sophisticated frameworks for addressing compliance, ethics and governance in their organizations. However, the question remains how well they understand their respective roles, responsibilities and jurisdictions. This organizational challenge is no different than the battle between the physical security and information security domains who are now converging. The ACFE, AICPA and the Institute of Internal Auditors have released their latest Practical Guide for Managing the Business Risk of Fraud. Here are the key principles:

Only through diligent and ongoing effort can an organization protect itself against significant acts of fraud. Key principles for proactively establishing an environment to effectively manage an organization’s fraud risk include:

• Principle 1: As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
• Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
• Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
• Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
• Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.

Operational Risk Management issues still exist in Tier II organizations who have market caps below $1B. in assets and are more vulnerable. This is typically due to the lack of resources and extensive staff devoted to a an enterprise wide program that incorporates the mission from the Board of Directors and the "Tone-at-the-Top". 2009 will be busy and you can bet the General Counsel and CxO's will be burning the midnight oil.

operational risk

2009 Outlook: OPS Risk Top Priorities...

In light of the 2009 outlook and the fact that Operational Risk is now a much greater priority, here are vital areas to focus on for the New Year. As restructuring, downsizing, layoffs and overall corporate strategy and governance initiatives are kicked-off for the 2009 calendar year; here are the top priorities according to Peter L. Higgins, Managing Director of OPS Risk advisory firm 1SecureAudit.

"Operational Risk will continue to be a major focus for Boards of Directors in 2009 and for good reason. Governance Strategy Execution, Information and Records Management and Legal Risk are all in need of a critical review and a robust injection of new resources. We are at the beginning of a new "S" curve cycle on the down slope just as we saw in late 2001 post 9/11 and the "Dot Com" era, Higgins said."

"This requires a renewed and substantial commitment to keeping our code of practice guidance and implementation advice narrowly focused on several key areas of the corporate enterprise:"

• Organizational Security
• Information Security Infrastructure: Cooperation between organizations
• Appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators shall be maintained.
• Asset classification and control
• Information Classification: Information labelling and handling
• A set of procedures shall be defined for information labelling and handling in accordance with the classification scheme adopted by the organization.
• Personnel Security
• Responding to security incidents and malfunctions: Reporting security weaknesses
• Users of information services shall be required to note and report any observed or suspected security weaknesses in, or threats to, systems or services.
• Communications and operations management
• Operational procedures and responsibilities: External facilities management
• Prior to using external facilities management services, the risks shall be identified and appropriate controls agreed with the contractor, and incorporated into a contract.
• Exchanges of information and software: Security of electronic mail
• A policy for the use of electronic mail shall be developed and controls put in place to reduce security risks created by electronic mail.
• Access Control
• Monitoring system access and use: Monitoring system use
• Procedures for monitoring the use of information processing facilities shall be established and the result of the monitoring activities reviewed regularly.
• Business Continuity
• Aspects of Business Continuity Management: Testing, maintaining and re-assessing BCP
• Business continuity plans shall be tested regularly and maintained by regular reviews to ensure that they are up to date and effective.
• Compliance
• Compliance with legal requirements: Collection of evidence
• Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.

Here are some of the top cases to review for OPS Risk lessons learned in 2008:

01/04/08 - Detroit: Eleven Indictments in International Illegal Spamming and Stock Fraud Scheme - Eleven individuals were indicted in a wide-ranging international fraud scheme which manipulated stock prices through illegal spam e-mail promotions.

02/15/08 - Washington: DOD Employee Arrested in Chinese Espionage Case - Gregg William Bergersen, a Weapons Systems Policy Analyst at the Defense Security Cooperation Agency, Department of Defense, was arrested for passing classified documents to the People’s Republic of China.

02/22/08 - Miami: Five Individuals Indicted for $200 Million Hedge Fund Fraud - Michael Lauer, founder of Lancer Group Hedge Fund, and four others were indicted on conspiracy and wire fraud charges in a $200 million hedge fund fraud.

02/29/08 - Houston: Chinese Chemist Indicted for Theft of Trade Secrets - Qinggui Zeng, aka Jensen Zeng, a legal permanent resident from China, was indicted and charged with theft of trade secrets and computer fraud.

03/14/08 - Cincinnati: Financial Enterprise Executives Found Guilty in $3 Billion Fraud Scheme - Five former executives of National Century Financial Enterprises were found guilty of conspiracy, fraud and money laundering in a $3 billion security fraud scheme.

05/16/08 - Washington: Guilty Plea in Espionage Charge Involving China - Tai Shen Kuo pled guilty to conspiracy to deliver national defense information to the People’s Republic of China.

06/20/08 - Operation Malicious Mortgage Nets 406 Individuals - Charges in Operation Malicious Mortgage, a nationwide takedown of mortgage fraud schemes which inflicted approximately $1 billion in losses, were brought in every region of the country.

10/17/08 - FBI Coordinates Global Effort to Nab “Dark Market” Cyber Criminals - A two year undercover operation, Dark Market, which joined forces with international law enforcement, resulted in 56 arrests and $70 million in economic loss prevention.

11/28/08 - Dallas: Holy Land Foundation and Leaders Convicted - The Holy Land Foundation of Relief and Development and five of its leaders were found guilty of illegally funneling at least $12 million to the Palestinian terrorist group, Hamas.

12/12/08 - Chicago: Illinois Governor Arrested - Governor Rod R. Blagojevich and his Chief of Staff John Harris were arrested on federal corruption charges including conspiring to trade or sell the Illinois’ Senate seat vacated by President-elect Barack Obama.

Beyond the Bernie Madoff fraud scheme that rocked the Hedge Fund universe the real systemic risks to deal with in 2009 will continue to be tied to the housing and mortgage sector:

• Recent statistics suggest that escalating foreclosures provide criminals with the opportunity to exploit and defraud vulnerable homeowners seeking financial guidance.
• Perpetrators are exploiting the home equity line of credit (HELOC) application process to conduct mortgage fraud, check fraud, and potentially money laundering-related activity.

The Operational Risks in corporate enterprises will be increasing as the economy adjusts and finds it's new equilibrium. Hang on for a wild ride in 2009!

operational risk

Security Governance: Siemens FCPA guilty plea...

One only has to look a few layers deep into the corporate hierarchy, to see the root cause of why Siemens AG violated the Foreign Corrupt Practices Act (FCPA).

At a hearing before U.S. District Judge Richard J. Leon in the District of Columbia, Siemens AG pleaded guilty to a two-count information charging criminal violations of the FCPA’s internal controls and books and records provisions. Siemens S.A.- Argentina (Siemens Argentina) pleaded guilty to a one-count information charging conspiracy to violate the books and records provisions of the FCPA. Siemens Bangladesh Limited (Siemens Bangladesh) and Siemens S.A. - Venezuela (Siemens Venezuela), each pleaded guilty to separate one-count informations charging conspiracy to violate the anti-bribery and books and records provisions of the FCPA. As part of the plea agreements, Siemens AG agreed to pay a $448.5 million fine; and Siemens Argentina, Bangladesh , and Venezuela each agreed to pay a $500,000 fine, for a combined total criminal fine of $450 million.

Where the compliance and ethics culture begins to break down in this example and others lies within the "Modus Operandi" of the "Deal Makers" themselves. The sales and marketing mechanisms that funded the budgets of front line managers to perpetuate the corruption are to be thoroughly examined. The competitive environment and the "wink and nod" of selling 101 at Siemens has brought them into the ranks of Enron, Worldcom, and other global transnational corporations soon to be announced for their misdeeds and corporate malfeasance. This NYT article by Siri Schubert and T. Christian Miller highlight the culture factors:

“Bribery was Siemens’s business model,” said Uwe Dolata, the spokesman for the association of federal criminal investigators in Germany. “Siemens had institutionalized corruption.”

Before 1999, bribes were deductible as business expenses under the German tax code, and paying off a foreign official was not a criminal offense. In such an environment, Siemens officials subscribed to a straightforward rule in pursuing business abroad, according to one former executive. They played by local rules.

Inside Siemens, bribes were referred to as “NA” — a German abbreviation for the phrase “nützliche Aufwendungen” which means “useful money.” Siemens bribed wherever executives felt the money was needed, paying off officials not only in countries known for government corruption, like Nigeria, but also in countries with reputations for transparency, like Norway, according to court records.

The line item utilized by business development executives at Siemens to secure business is not an exclusive there or in Germany. It is utilized by almost every major global corporation to obtain the opportunity to compete and to make the short list on major procurements. So how does the internal audit and operational risk professionals deal with the fact that money is budgeted each year for these kinds of activities?

Corporate Integrity Management and the ethics programs is a great place to start. This blog highlighted these in a previous post a few months ago:

Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an "effective program to prevent and detect violations of law."

The Guidelines contain criteria for establishing an "effective compliance program."

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

• · Systems for monitoring and auditing
• · Incident response and reporting
• · Consistent enforcement including disciplinary actions

Yet the corporate incivility continues. Why is it that we can’t pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reasons. More importantly, security governance frameworks must make sure that the management of a business or government entity be held accountable for their respective performance. The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A new element that has only recently been discovered is the role of risk management in Security Governance.

Security Governance, like Corporate Governance requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches. The basic responsibility of management, whether in government or the corporate enterprise is to protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to Security Governance.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.

operational risk

OPS Risk: Tsunami of Fraud...

Just when you think you have avoided the major risk of the credit crisis, HSBC may have been one of many banks exposed to the Bernard Madoff "tsunami of fraud".

Banks and investment funds across the world lined up on Monday to admit investing billions of dollars in the companies of Bernard Madoff, whom U.S. authorities accused of masterminding a massive fraud.

HSBC Holdings was the latest bank to join the growing list, saying it had exposure of around $1 billion (663 million pounds), making it one of the biggest victims of the alleged $50 billion fraud.

Royal Bank of Scotland and Man Group, Japan's Nomura and France's Natixis also said they were hit by the worldwide scandal.

Financial companies, reeling after a year of enormous writedowns on bad credit assets, have so far tallied up more than $10 billion in direct and indirect exposure to the possible fraud by Madoff, the 70-year old trader who was arrested on Thursday.

Last year, HSBC sold it's 42 story headquarters tower for $1.1B. to Metrovacesa in a smart strategy that has now been extinguished by the likes of a simple and yet enourmous ponzi scheme. A Ponzi is an investment fraud in which profits are promised to investors from fictitious sources. Sounds like a hedge fund. Early investors are paid off with funds raised from later ones. Is there any conservative institution that will be spared from the corporate malfeasance and corruption that has permeated our global systems of finance?

The SEC has issued the temporary restraining order for Madoff and his companies while this is drowning out the recent fraud allegations against Marc Dreier:

Dreier was arrested in Canada this month and charged with impersonating a lawyer for the Ontario Teachers Pension Plan. He was released on bail and arrested by U.S. authorities on his return to New York.

Dreier on Dec. 11 was ordered held in custody pending his trial after prosecutors told a federal magistrate that victims of a fraud that started in 2006 have lost $380 million.

If convicted of the securities fraud and wire fraud charges against him, Dreier faces as many as 20 years in prison on each count.

The U.S. Securities and Exchange Commission filed a civil suit against Dreier claiming he stole $38 million from an escrow account set up to hold money for the unsecured creditors of 360networks (USA) Inc., which the firm represented in bankruptcy court.

The movie moguls in Hollywood must be looking at these latest cases to determine if a screenplay might be a worth while endeavor. The hundreds of lawyers and other workers impacted by these two incidents alone, will no doubt bring out a few who were close enough to the two crooks to be able to provide technical consulting on the projects. The setting in the Hampton's or the Palm Beach Country club could even bring some real well known people into the movie picture itself.

Back in May 2008 this blog touched upon the legal ecosystem and the survival of the fittest. Fraud, like other crimes of opportunity, have three common attributes:

1. A growing supply of motivated offenders
2. The availability of prospective or ideal targets
3. The lack of consistent oversight mechanisms—control systems or someone to monitor the business

Beyond the typical motivations for initiating deceptive practices and fraud are the underlying mind sets. "Neutralization" creates the road map for nullifying internal moral objections. The type of fraud is not the issue here as much as that offenders seek to justify or rationalize their actions and methods. The next trend line we will see is the up tick in court filings and the litigation wars for the next few years to come. One fact remains obvious. Organizations large and small will be drawn into these Operational Risk Management challenges without the proper policies, practices and behavior to prevail. In any "legal ecosystem" we know about the phrase "Survival of the Fittest" comes to mind and this one, will be no different.

operational risk

ID Risk Management: Protective Intelligence Factors...

The root cause of the safety and security threat to corporate personnel and assets can be traced back to an identity of someone. It can be said that protective intelligence utilizing the proper Operational Risk Management framework will mitigate the impact of a successful attack. Whether the intelligence is based upon monitoring or proactive and preemptive factors to be alerted to any threat actors who wish to do us harm; you still have to have a valid identity of the "unsub."

Today as you walk into your employer, you may be happy that you are there. This is your sanctuary away from the threat at home. Your work place provides a potential "safe zone" for the next 8 to 10 hours until the work day is over and you have to return to an environment filled with physical and emotional violence. The growing workforce of women in today's corporations are faced with an increasing challenge to keep their jobs and to mask the problems on the home front.

Simultaneously, those who are the root cause of much of the domestic violence are also walking into the same corporation. Who would know that they are the same people that have never been convicted of a crime and yet are beating their wife or girl friend at home? The point is that in your corporate environment today you have a mix of both kinds of people that are the potential threats to your organizational security and safety. Workplace violence is an Operational Risk that requires a proactive protective intelligence mechanism operating on a 24/7 basis. The identities of your employees may be known upon hire, but their changing profiles over the course of their career could change dramatically. Let's illustrate the true picture with some real incidents.

The US Bureau of Labor Statistics has data on 5,488 workplace fatalities in the US in 2007. 610 were homicides, 491 of these were shootings. 22% of these homicides involved former employees yet 43% were current employees. The remaining incidents were committed by non-employees. Understanding the red flags on your current employees and those who have left the organization is the focus here. Your Operational Risk Framework should incorporate the processes, systems and tools to mitigate this relevant internal threat in the enterprise.

The implications of effective identity management go far beyond the operational risks associated with the work place. ID Management encompasses the following domains:

• Public Safety: Identity theft, cyber crime, computer crime, organized criminal groups, document fraud and sexual predator detection
• National Security: Cyber security and cyber defense, human trafficking and illegal immigration, terrorist tracking and financing
• Commerce: Mortgage fraud and other financial crimes, data breaches, e-commerce fraud, insider threats and health care fraud
• Individual Protection: Identity theft and fraud

The research and development community has been focused of late on the use of biometrics. For access controls and other ways to validate true identities; these tools and systems for authentication are vital. Yet the stolen identity to fraudulently obtain a drivers license, passport or visa comes back to our root cause issue. Dr. Gary Gordon and his team at CAIMR are on the right track:

Those challenges, aggravated by the rapid changes in our society, include identity theft and fraud, cyber crime, computer crime, travel and immigration document fraud, and data breaches. They impact individuals, public safety, commerce, government entitlement programs, and national security. As the concept of an identity (or entity) expands in the physical and digital worlds, determining if the person claiming an identity is really that person becomes critical to conducting business, providing access to services and systems, and tracking cyber criminals and terrorists. Responding to these challenges requires a collective effort by the key thought leaders from the public and private sectors, working in concert with academe.

The Center's mission is to conduct applied research in order to provide pragmatic outcomes, utilizing a multi-disciplined approach that draws on the expertise of its diverse members. The results will be specific and measurable, whether they are in the form of industry or law enforcement best practices, technologies, policy adjustments, or training and educational materials.

The Center's purpose is to convene key stakeholders and marshal their respective strengths to help solve very challenging societal problems. Our partners include organizations such as the United States Secret Service, the United States Marshals Service, LexisNexis, VISA, Cogent Systems, Indiana University, Intersections, Wells Fargo & Company, and Fair Isaac Corporation. Our government/law enforcement partners must adapt to quickly evolving identity fraud and cyber crimes. As such, they must understand current attack vectors and prepare for future ones. They need to become more proactive by improving investigations and enhancing training. Corporations are faced with many challenges, including increased fraud losses, compliance and regulatory oversight, and enhancing products and improving services to keep up with the rapidly changing environment. The academic research community is challenged with gaining access to key data sets, tight funding budgets, a limited ability to interact with corporate and government decision makers, and the need to infuse their curricula with cutting-edge research.

Establishing effective tripwires and situation awareness begins with people and may be augmented by technologies and software. CCTV, biometrics and other access controls can become the catalyst for a complacent environment and is no replacement for effective training, education and scenario exercises with personnel.

Protective Intelligence is the front line for early warning and proactive measures to interdict the loss of corporate assets. Having the correct combination of human and technology capabilities will create the most effective means for a myriad of incidents internal to the work place. Application of these these same measures of countersurveillance, monitoring of identities and the lawful use of systems will provide the red flags necessary to preempt incidents external to the institution. In the 21st century, "soft targets" in our critical infrastructure will continue to be exploited for their vulnerabilities:

India picked up intelligence in recent months that Pakistan-based terrorists were plotting attacks against Mumbai targets, an official said Tuesday, as the government demanded that Islamabad hand over suspected terrorists believed living in Pakistan.

A list of about 20 people — including India's most-wanted man — was submitted to Pakistan's high commissioner to India on Monday night, said India's foreign minister, Pranab Mukherjee.

India has already demanded Pakistan take "strong action" against those responsible for the attacks, and the U.S. has pressured Islamabad to cooperate in the investigation. America's chief diplomat, Secretary of State Condoleezza Rice, will visit India on Wednesday.

The Indian government faces widespread accusations of security and intelligence failures after suspected Muslim militants carried out a three-day attack across India's financial capital, killing 172 people and wounding 239.

operational risk

Virtual Truth: False Information Risk...

How does "False Information" impact the risk to your organization? Decisions based upon faulty or inaccurate information is the root of many of the systemic failures of catastrophic history. The Titanic, Challenger Shuttle and Three Mile Island nuclear incident can all be attributed to the integrity of vital information.

Fast forward to the financial crisis and the past decade of consumer credit expansion strategies. What data have you been collecting from US consumers or clients about their personal identifiable information attributes? The Information Age has drawn us into a more dangerous business operating environment as these digital assets have become another commodity to be sold in an international market place, to the highest bidder. Are you ready when the federal "Suits" or the local LEO's (Law Enforcement Officer) knock on your door in pursuit of the truth:

The Fair Credit Reporting Act (FCRA) spells out rights for victims of identity theft, as well as responsibilities for businesses. Identity theft victims are entitled to ask businesses for a copy of transaction records — such as applications for credit — relating to the theft of their identity. Indeed, victims can authorize law enforcement officers to get the records or ask that the business send a copy of the records directly to a law enforcement officer. The businesses covered by the law must provide copies of these records, free of charge, within 30 days of receiving the request for them in writing. This means that the law enforcement officials who ask for these records in writing may get them from your business without a subpoena, as long as they have the victim’s authorization.

The financial integrity of your future as a business and as a consumer is at stake. Christopher Burns brings this to light in a dramatic fashion in his new book; Deadly Decisions:

"First, it is often extremely difficult to validate, corroborate, or verify the information we are dealing with, except by comparing it to the other information we are dealing with. And often the whole system is contaminated by misunderstanding, bad data and false assumptions that are hard to spot. The truth test rarely works. And second, the real issue of truth is not whether you or I should believe this or that, it is what we believe together. The truth that matters is group truth, and where we get into trouble is when a whole organization--a company, a community, a nation--starts to act on information that has been gathered from many sources and processed by many people but has come to contain significant elements that are false."

Beyond "Red Flags" imposed on business, the LEO community is starting to acquire what it needs for more effective deterence and enforcement mechanisms. The ID Theft Enforcement and Restitution Act of 2008 is providing prosecuters with the tools to address cyber extortion schemes such as the Express Scripts Case:

Corporate custodians of confidential medical data should be closely monitoring events connected to a nightmarish computer security breach in the St. Louis region.

Express Scripts is one of the nation’s largest pharmacy benefits managers. The company, with headquarters in St. Louis County, handles approximately 500 million prescriptions per year for 50 million workers at 1,600 American companies. Early in October, it received an extortion letter, the details of which it released on Nov. 6.

The letter included personal information on about 75 Express Scripts clients — Social Security numbers, dates of birth and, in some cases, information about prescription medications. Whoever sent the letter demanded money from the company — the amount has not been disclosed — and threatened to use the Internet to reveal personal and medical information about millions of people if the demands were not met.

Now the clients themselves are receiving extortion demands directly from the criminal elements behind this latest critical incident. Express Scripts has hired a new Senior Compliance Counsel to start December 1 and one of the Board of Directors has tapped a unit of his former company to provide ID Theft professional services. It looks like they are heading in the right direction.

Trusted Information is at the core of current global trading, business transactions and the fabric of our own personal identities. False information and knowledge is what creates operational risk factors that can change a whole company or the integrity of a whole nation. Systems that comprise vast databases of "so called" trusted information are at our fingertips being utilized to make coherent and effective decisions. Yet what may be the more catostrophic Operational Risk beyond the simple stealing of information is the potential opportunity for the destruction of vital information.

The vulnerability of our institutions and the critical infrastructure of the United States economy is ever more at risk of a systemic loss. While our stolen data will continue to be sold to the highest bidder on a global platform for trading, the 4GW "Non-State" actors will change their modus operandi. This is a given.

Trusted Information systems that have certified integrity and the oversight controls to ensure the highest level of virtual truth is the "Holy Grail." The degree to which these same systems include false knowledge is our most complex problem for business and government in the next decade.

operational risk

General Counsel: OPS Risk Priorities...

As General Counsel are you keeping up with the latest technology being deployed in your enterprise? Do any of your employees use Twitter? What about your "Generation Y" and the use of P2P file sharing programs. Does your CxO in charge of Safety, Security, Investigations and Corporate Integrity have the latest report on employee violations of your Information Assurance and Acceptable Use policies?

Unknown to corporate America, the popular peer-to-peer file-sharing networks that allow music and movies to be shared could be sharing something else with the public: company secrets and personal data.

Management-side lawyers are sounding alarms to their corporate clients, warning that peer-to-peer networks are increasingly becoming a gateway for trade secrets, confidential financial information and personal data.

The economy is continually downsizing and employees are now being sent home to work in "Virtual Mode" and Operational Risk loss events are matastasizing. Corporate Counsel and CxO's must provide thorough due diligence, security awareness training and effective annual audits of employees who work from home or may be perpetual "Road Warriors" hopping the globe from hotel to hotel. Why?

In 2007, Citigroup Inc.'s ABN Amro Mortgage Group reported that the personal information, including Social Security numbers, of more than 5,000 customers was leaked when a business analyst signed up to use a P2P file-sharing service on a home computer containing the personal information.

If you are a General Counsel and your organization is authorizing the use of encryption on laptops or other personal social networking sites or systems, it's imperative to pay attention to their application. The use of encryption for data security can be utilized to keep the data secure in the event of a breach or a lost digital asset. It can also be used to cloak fraudulent or criminal activities:

In an expanding probe of investment giant UBS, the Justice Department on Wednesday announced the indictment of the Swiss bank's chairman of global wealth management, accusing him of playing a key role in a tax evasion scheme to shelter secret U.S. account holders from income tax bills and drive up bank revenue.

Raoul Weil, who oversaw the Swiss bank's cross-border private banking business serving 20,000 U.S. clients, helped conceal a combined $20 billion in assets from the Internal Revenue Service, the indictment charged.

"Prosecutors said the executives and managers used nominee entities, encrypted laptops, numbered accounts and other counter-surveillance techniques to conceal their U.S. clients and offshore assets."

"If the company policy is written correctly, employees have no privacy interest in any materials created or accessed on company computers. With such a policy in place, an employer generally can review with impunity an employee's activities on the company's computer system."

Whether information is discoverable is going to be a different matter. A careful review of most social networking sites privacy policies will most likely reveal that posted information is not private, therefore discoverable. Therefore, effective legal and IT security awareness programs and education is essential in any enterprise where employees are working remotely.

The modern day General Counsel must rely on the Chief Privacy Officer working diligently with the Chief Security officer and the Chief Compliance Officer to mitigate Legal Risk. The convergence of these responsibilities lies more on the Chief Operational Risk Officer to see that all parties are synchronous in their strategies and efforts. They may be the best person to insure the entire spectrum of operational risks are being thoroughly addressed.

operational risk

AML: Transnational eCrime Ecosystem...

The Operational Risk threat matrix from "Advance Fee Fraud", "Nigerian Letter (419) Fraud, Foreign Lottery/Sweepstakes Fraud and "Overpayment Fraud" is still growing exponentially. During our current economic crisis, the spike in these consumer Mass Marketing schemes is to be expected. Global Anti-Money Laundering (AML) operations are in high gear at home and abroad.

The "Transnational Economic Crime Ecosystem" is thriving and the major phases of the environment continue to be a major challenge for global financial institutions and law enforcement:

1. Collection
2. Monetization
3. Laundering

Let's take a closer look at "Overpayment Fraud":

Overpayment Fraud - Victims who have advertised some item for sale are contacted by buyers who remit counterfeit instruments, in excess of the purchase price, for payment. The victims are told to cash the payments, deduct any expenses, and return or forward the excess funds to an individual identified by the buyer, only to discover they must reimburse their financial institution for cashing a counterfeit instrument.

The predominantly transnational nature of the mass marketing fraud crime problem presents significant impediments to effective investigation by any single agency or national jurisdiction. Typically, victims will reside in one or more countries, perpetrators will operate from another and the financial/money services infrastructure of numerous additional countries utilized for the rapid movement and laundering of funds. For these reasons, the FBI is uniquely positioned to assist in the investigation of these frauds through its network of Legal Attache offices located in over 60 U.S. embassies around the world. By leveraging its global presence and network of liaison contacts, the FBI has successfully cooperated with other domestic and foreign law enforcement agencies to combat, disrupt, and dismantle international mass marketing fraud groups.

Despite the best inter-agency enforcement efforts to combat mass farketing fraud, the FBI remains cognizant of the fact that the only enduring remedy for this crime problem lies in consumer education and fraud prevention programs. Towards this end, the FBI has not only produced its own mass marketing fraud prevention pamphlet but coordinates on other public information efforts with the DOJ, FTC, and the USPIS. The FBI also supports a consumer fraud prevention website in conjunction with the USPIS which can be located on the web at: http://www.lookstoogoodtobetrue.gov.

While the number of Mass Marketing Fraud cases has declined over the past few years, the number of new money laundering cases has risen to over 500 in FY 2007 alone. This is to some degree as a result of the cooperation being given to law enforcement by the financial instituions themselves. And for good reason. There is a new sheriff in town.

(Reuters) - A U.S. tax investigation into UBS AG (UBSN.VX: Quote, Profile, Research, Stock Buzz) is concentrating on senior and midlevel executives and bankers, and could result in one or more indictments, the New York Times said, citing people briefed on the matter.

Investigators are sifting through more than 70 names and related account details of American clients provided by UBS over the last few months to the Justice Department, which has passed the details to the Internal Revenue Service for further scrutiny, the paper said.

The Justice Department and the IRS plan to build both civil and criminal tax-evasion cases against some of the clients, the people told the paper.

The U.S. tax investigation risks compounding damage to UBS's reputation at a time it has been forced to make bigger writedowns than any other European bank in the credit crisis.

The U.S. Department of Justice is investigating UBS over offshore services provided to U.S. clients from 2000 to 2007 to find out whether UBS helped wealthy Americans dodge taxes. The Swiss bank was singled out by U.S. President-elect Barack Obama as one of the banks who helped "tax cheats." It decided earlier this year to stop offering offshore Swiss bank accounts to U.S. citizens.

Yet the collection phase of mass marketing fraud is not about "70" or a "100" UBS clients who are trying to cheat on their taxes. It is still about the millions of phishing and spam messages that circle the digital globe in search of their targets or prey. These illusive criminal organizations behind this organized cybercrime wave are continually exploiting the vulnerabilities of our financial institutions and our own human behavior.

"Merchandise Mules" are being recruited by the hundreds if not thousands to reship goods outside North America. These criminals are utilizing stolen identities and credit cards to purchase goods on eCommerce sites and eBay and then requesting to ship the goods overseas. Unfortunately, those who are elderly or even just down on their economic luck fall victim to this tremendous economic crime tsunami:

Much of the modern organized crimes are very similar to the old. The most significant transformation from the streets to cyberspace has enlarged the territory of individuals and organized groups.

Enabled by the Internet, criminals can operate in cyberspace where less governance, a transnational stage, and a multitude of transactions to monitor complicate surveillance and enforcement. From counterfeiting drugs and software to identity theft and credit-card fraud, illegal transactions are increasingly infiltrating legitimate businesses where counterfeited goods and money laundering are buried in the billions of legitimate computer transactions made daily around the globe.

Counterfeited products are rising through global distribution via Internet sites. According to the World Health Organization, 50 percent of the medicines sold online are counterfeit.

The expanse of international criminal activity has been followed with an increase in prosecution through cooperating international law enforcement agencies willing to join the fight against globalized crime.

operational risk