28 May 2007

Memorial Day: The Courage to Serve...

Today is Memorial Day in the United States and Spencer is on his way to Airborne "Jump School" in Ft. Benning, GA as a proud member of the US Army. He gave up going to a nice University of California campus and a few years of fraternity fun to serve his country, and took a risk by joining a lifelong fraternity of men and women who have defended our country. Simultaneously, Keith is risking his life serving the US again for the "nth" time in Afghanistan as a US Army Lt. Col. (Ret) on another important and vital mission. He gave up a hunting, fishing and teaching lifestyle to help secure certain important real estate, utilizing the diplomatic and training skills learned from decades of real-time experience in Southeast Asia with the Central Intelligence Agency.

Spending time with both of these brave and courageous men makes you wonder what they have in common. What are the attributes of a person who makes a selfless sacrifice to protect and to serve? Whether it's in the military or in public safety, there is something in their DNA that is not in yours. It's something that many of us think about and end up doing nothing about. When you fill up your gas tank this week or stroll down the outdoor mall, you might ask yourself who made all of this possible. The answer is those who have served and those who are serving right now.

Millions across the country will pause Monday afternoon to honor the sacrifices of the American military in observance of the National Moment of Remembrance.

Crowds at Major League baseball stadiums, NASCAR tracks, train stations, malls, stores and even the astronauts aboard the International Space Station will participate in the “National Moment of Remembrance,” which is observed at 3 p.m. every Memorial Day.

"The national Moment of Remembrance is a time for Americans to contemplate those things that bind us together by remembering the legacy of those who died to better our country," Carmella LaSpada, executive director of the White House Commission on Remembrance, said.

"We encourage all Americans, no matter where they are and what they are doing, at 3 p.m. local time on Memorial Day, to stop and give thanks."

The observance is an initiative of the White House Commission on Remembrance, which Congress established in 2000.

The commission encourages Americans to remember the sacrifices of fallen troops and the families they left behind.

So when you return to work tomorrow after your Memorial Day holiday, hopefully you will have had a chance to say a prayer or at least to acknowledge those brave individuals. It's also a time to evaluate your own work ethic and your duty as leader of your organization. Are you putting your employees in harm's way? What steps or measures are you taking to make sure that they are training and preparing to mitigate operational risks on a daily basis? Do you have the courage to do the right thing and to keep the organization out of jeopardy? Beware of the cowboy.

From Leadership Lessons of the Navy SEALS


The Cowboy

Neither of us knows if such a thing has ever been tolerated in modern commando teams. Yes, sometimes you need to charge forward. But, there are simply too many potential casualties and too much political currency resting on commando missions to entrust one to a cowboy. Authorization for an operation depends on the accurate calculation of operational risk. This requires an assessment of proven forces' ability to perform a task. All this is contrary to the cowboy philosophy of depending on experimentation, pluck, and luck in order to succeed.

"The problem with being a cowboy is that your bosses won't employ you if they can't trust you, and they can't trust you if they don't know what you'll do. And then you're stuck with the reputation." --LT. CMDR. Jon Cannon


Believe it when he says that people who try to be cowboys in your organization are operating without regard to risk. Now multiply the number of cowboys by the number of people around them on their team who come to think that this is the way to operate. It doesn't take long to find out that these are the root causes of many of the operational risks in your organization. And it starts with the basics:

> Revenue is not booked according to the rules. Products sit in the warehouse, yet revenue ends up on the sales rep's commission report because (s)he had a signed order.

> Assets are not valued correctly. Bank accounts are not validated to make sure they actually exist, and accounts receivable are inflated.

These are just two of the many facets of fraud that start with a few cowboys who have little regard for managing risk and every incentive to line their pockets with newfound cash or bonuses.

You might think that the reason is greed. However, the real motive may not be so clear. More than likely, the motive is fear. And that fear is something that grows until it gets to the point of creating harm, loss and destruction. You have to find the cowboys in your organization and you have to follow the mantra of quality gurus from years past, "Drive out Fear".

24 May 2007

Hedge Funds: Crystal Ball on Regulation...

Looking into the crystal ball for the future regulation of hedge funds is a cloudy subject and the feds are making statements that would alarm any high net worth investor. So what are the issues with asking for some additional transparency and reporting mechanisms for the 1% who choose to diversify their portfolios?

Why is regulation inevitable? There are a number of factors, including:

  • Industry growth and the increasing influence of hedge funds in the capital markets.
  • The absence of genuine regulatory oversight.
  • The changed political landscape.
  • Increased participation by public pension funds and corporate pension plans.
  • Continuing instances of fraud and blow-ups.
  • The lack of transparency.
  • Increasing complexity and concerns of systemic risk.

All of these factors, taken together, have created an environment that is ripe for regulatory oversight. Of course, this does not mean that hedge funds should be regulated. Indeed, there are good arguments that hedge fund regulation is not necessary, and may even be imprudent. Opponents of regulation have argued persuasively that, among other things, hedge funds provide benefits, such as market liquidity, and that regulation will simply drive hedge funds offshore.

As the financial wizards of the global markets figure out ways to keep regulators from asking too many questions, the leadership of the companies operating in the hedge fund environment are getting prepared. They are strategically implementing the mechanisms and controls that any prudent investment management company would have in place to deal with the operational risks faced by other mainstream institutions in the sector.

So what is on the minds of the SEC and others who oversee the implications of hedge funds that are not being so proactive:

The hedge fund industry, long a Wall Street innovator, has frequently created exotic money-making strategies that have then ballooned in popularity.

But as Neil Brown, director of AIMA and managing director of New York-based Citigroup Alternative Investments, noted, when a profitable arbitrage trade is uncovered, managers then pile onto the trade, and the opportunity to make money gets "arbed away."

This summer's meltdown in convertible bond hedge funds proved a wrenching case in point. Convertible arbitrage managers buy convertible bonds, which are bonds that can be exchanged for a certain amount of a company's common stock, and short the underlying stock of the issuing company to profit from the difference in price between the two securities.

Long considered a safe haven, the strategy posted big losses this year, which forced three big convertible bond hedge funds to close: San Francisco-based Marin Capital Partners, which had $2.2 billion in assets at its peak; Alta Partners, run by San Francisco-based Creedon Keller & Partners, which had about $1.2 billion at its peak; and Minnesota-based EBF & Associates' $669 million Lakeshore International Fund.

Now, hedge funds are coming up with new, more exotic strategies as traditional strategies, such as certain kinds of arbitrage, get overcrowded.

So what? The argument that the markets will regulate themselves is a valid point being made around many dinner tables in London, New York City and Shanghai, as hedge fund managers can feel fraud-driven regulators breathing down their necks:

Shanghai is setting up a financial task force to counter a rise in cases of fraud and other abuses linked to soaring stock prices, state media reported Tuesday.

The task force, including staff from the securities and banking watchdogs, police and other government agencies, will focus both on combatting illegal share dealings in companies not listed on the bourse and also on the practice of diverting public funds into high-risk investments, the state-run newspaper Shanghai Daily reported.

"Risks are accumulating and we should be well aware of illegal financial activities and make it a priority of our work to clamp down on them," it quoted Feng Guoqin, a Shanghai vice mayor in charge of the task force, as saying.

So why are hedge funds any different from any other alternative investment? The myths are there and they need to be addressed:

MYTH #14: HEDGE FUNDS ARE NOT REGULATED
Hedge funds often are said to be unregulated or lightly regulated. The perception is that hedge funds are cowboys taking advantage of the wild-west financial markets without a sheriff in town.

EVIDENCE:
Hedge funds are required to comply with every rule, regulation, and law that affects virtually all investors in the public and private financial markets. Further, hedge funds are subjected to a variety of investor-related laws and regulations that impact who can qualify to invest with hedge funds. Additionally, there are a variety of state and federal laws that can require some managers to register as investment advisors—thereby invoking a series of additional regulations and requirements, including periodic regulatory examinations and filings. When the topic of regulation arises in the hedge fund industry, managers are far from being cavalier about the existing and continually proposed regulatory requirements.

19 May 2007

Cyber Terrorism: Attack on a Nation State...

The attack on the Critical Infrastructure of the nation state of Estonia over the past few weeks should be a wake-up call to governments across the globe. The facts are coming out in the mainstream media this week about the origins of the attack and the magnitude of the event. Yet the real lesson to be learned here goes deep into the chasm of having "Cried Wolf" too many times and the resulting ignorance of a major threat in the making.

Young men paying cash to learn how to fly large Boeing airliners and not worried about landings. Does this ring a bell?

Peter Finn of the Washington Post Foreign News Service has identified much of the real issue at stake here:

This small Baltic country, one of the most wired societies in Europe, has been subject in recent weeks to massive and coordinated cyber attacks on Web sites of the government, banks, telecommunications companies, Internet service providers and news organizations, according to Estonian and foreign officials here.

Computer security specialists here call it an unprecedented assault on the public and private electronic infrastructure of a state. They say it is originating in Russia, which is angry over Estonia's recent relocation of a Soviet war memorial. Russian officials deny any government involvement.


How many more of these "Botnet" attacks will be necessary for the public, the media and the government to realize that this is the beginning of a new generation of warfare, one that will be fought using "Zeros and Ones" as increasingly effective ammunition against your enemy? Whether the target is a nation state or your business competitor, large Distributed Denial of Service (DDoS) attacks can be rented on the Internet by the hour. So how big a network of "Bots" is necessary to disrupt a nation state like Estonia?

Roughly 1 million unwitting computers worldwide were employed, said Jaak Aaviksoo, Estonia's minister of defense. Officials said they traced bots to the United States, China, Vietnam, Egypt and Peru. By May 1, Estonian Internet service providers were forced to disconnect all customers for 20 seconds to reboot their networks.
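The distinguishing feature of the attack described above is that the traffic came from a very large number of distinct sources, so blocking any one address achieves nothing. The following is an added example, not code from the original post or from any Estonian provider, showing how a defender can tell a distributed flood apart from a single noisy client by counting both request volume and distinct source addresses per time window in ordinary web-server access logs. The log lines, addresses and thresholds are all constructed for the example; the thresholds would be tuned to a site's own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Apache/nginx Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return (source_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def window_counts(lines, window_seconds=60):
    """Map the start (epoch seconds) of each time window to a Counter of
    requests per source address. Unparseable lines are skipped."""
    counts = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        counts[bucket][ip] += 1
    return counts


def _iso(bucket):
    return datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat()


def flag_floods(lines, window_seconds=60, rate_threshold=100, source_threshold=50):
    """Windows whose request volume AND number of distinct sources both exceed
    the thresholds. A flood spread across many addresses is what a botnet
    produces, and it cannot be stopped by blocking one source."""
    alerts = []
    for bucket, per_ip in sorted(window_counts(lines, window_seconds).items()):
        total = sum(per_ip.values())
        if total >= rate_threshold and len(per_ip) >= source_threshold:
            alerts.append({"window_start": _iso(bucket), "requests": total,
                           "distinct_sources": len(per_ip)})
    return alerts


def single_source_bursts(lines, window_seconds=60, per_source_threshold=100):
    """Windows in which one address alone exceeds the threshold: a different
    signal, and one that a per-source rate limit can handle."""
    bursts = []
    for bucket, per_ip in sorted(window_counts(lines, window_seconds).items()):
        for ip, n in per_ip.most_common():
            if n >= per_source_threshold:
                bursts.append({"window_start": _iso(bucket), "source": ip, "requests": n})
    return bursts


def constructed_log():
    """Constructed sample traffic (addresses from documentation ranges, made-up
    timestamps): a quiet minute, a minute in which 60 addresses each send three
    requests, and a minute in which one address sends 150."""
    lines = [
        '10.0.0.5 - - [19/May/2007:10:00:01 +0000] "GET / HTTP/1.1" 200 1234',
        '10.0.0.6 - - [19/May/2007:10:00:07 +0000] "GET /news HTTP/1.1" 200 5120',
        '10.0.0.5 - - [19/May/2007:10:00:31 +0000] "GET /about HTTP/1.1" 200 800',
        "not a log line at all",
    ]
    for i in range(60):
        for k in range(3):
            sec = (i * 3 + k) % 60
            lines.append(f'203.0.113.{i + 1} - - [19/May/2007:10:01:{sec:02d} +0000] '
                         f'"GET / HTTP/1.1" 503 0')
    for k in range(150):
        lines.append(f'198.51.100.9 - - [19/May/2007:10:02:{k % 60:02d} +0000] '
                     f'"GET /login HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    sample = constructed_log()
    print("distributed floods:", flag_floods(sample))
    print("single-source bursts:", single_source_bursts(sample))
```

Run against the constructed sample, the second minute is reported as a distributed flood (180 requests from 60 sources) while the third minute is reported only as a single-source burst; the two need different responses, which is why the detector keeps them apart rather than alerting on volume alone.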

Disruptions of all kinds are giving Chief Security Officers (CSOs) headaches and heart attacks as the economic impact of spoofed e-mail and DDoS attacks wreaks havoc beyond the network and into the financial markets. The attacks could be the work of competitors or, more likely, the coordinated, well planned and funded mission of a worthy criminal or terrorist adversary:

Apple (Quote) shares dropped 3 percent to $104.63 in afternoon trading as ultimately false rumors of iPhone and Mac OS X Leopard delays spread across the Internet.

The plummet started when technology news blog Engadget.com reported Apple pushed iPhone's launch from June to October and Mac OS X Leopard from October to January. Ryan Block, the post's author, cited an "authority" for a source.

It turns out that "authority" was a forged e-mail sent to thousands of Apple employees at 9:09 a.m. this morning. It was eventually leaked to Block who posted at 11:49.


What impact do the media and information leaks have on the market value of your company? How do you as a CSO, CEO or Chief Risk Officer mitigate the risk of this kind of "Social Engineering" ploy to manipulate your stock price? The answer is not more software or some kind of fancy new device for analyzing network traffic.

The answer is education and enhanced monitoring of information. It's also making sure that your institution has prepared for, and tested, the resiliency of the organization under such a scenario. The Department of Homeland Security has been exercising for major incidents of the magnitude described against Estonia for years. The next event is scheduled for the spring of 2008 and is known as CyberStorm II. In this exercise the scenario will involve both physical disruption and the digital origin of vulnerability exploits. The lessons learned will be a public and private partnership discussion for years to come.

The case studies of the Estonia attack and the Apple spoof are being written as we speak, and the output is what any CSO should be seeking: increased awareness and education of its employees, customers and suppliers. Without effective learning, the resiliency of the enterprise is in jeopardy.


16 May 2007

Defensible Standard of Care: Legal Risk...

A "Defensible Standard of Care" is a hot topic these days around the Board of Directors Audit Committee conference table. Information Security standards are consistently being discussed by the CIO and CSO in the context of compliance. So where is the nexus? Why is it so critical to enabling the enterprise business resilience of a global institution?

The answers lie in the fundamental understanding that the Board of Directors and the "C" Suite are both working towards the same focal point. Their motive is almost identical: to be able to provide the evidence and the testimony that keeps their integrity and reputation intact. To understand this nexus, first we must provide the definitions:


What is ISO/IEC 27001:2005?

ISO/IEC 27001:2005 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected.

ISO/IEC 27001:2005 covers the following topics:

  • Security policy - This provides management direction and support for information security
  • Organization of assets and resources - To help you manage information security within the organization
  • Asset classification and control - To help you identify your assets and appropriately protect them
  • Personnel security - To reduce the risks of human error, theft, fraud or misuse of facilities
  • Physical and environmental security - To prevent unauthorized access, damage and interference to business premises and information
  • Communications and operations management - To ensure the correct and secure operation of information processing facilities
  • Access control - To control access to information
  • Systems development and maintenance - To ensure that security is built into information systems
  • Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
  • Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement

ISO/IEC 27001:2005 is the updated version of the world renowned British Standard for Information Security Management Systems, BS 7799-2:2002.

This Information Security Management System (ISMS) is simply that, a published set of guidelines and controls. It is useless without the support of the correct tools, methodologies and people to make it come alive and incorporate it into the culture of the organization. This requires an adaptive and resilient framework for managing change.

A "Defensible Standard of Care" comes alive within this ISO 27001 standard:

Clause A.15.1 Compliance with legal requirements

Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.

Clause A.15.1.3 Protection of organizational records

Control
Important records shall be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements.

In the United States, as well as many other countries, a party involved in civil litigation is responsible for preserving any potentially relevant evidence, including materials that may lead to the discovery and production of other relevant evidence, beginning when the party knew a lawsuit had been filed, or had a reasonable basis to believe that litigation would occur.

Effective December 1, 2006, the United States Federal courts adopted revised Rules of Civil Procedure that confirm the importance and admissibility of Electronically Stored Information (ESI) as evidence in civil litigation. As lawyers and the courts begin to operate under the new Rules, company officers responsible for demonstrating the reliability of their corporate electronic records are rapidly moving into the “firing zone”.

The reason is entirely adversarial: if a hostile lawyer can discover uncontrolled risks that compromise the reliability or integrity of a company’s electronic records, then the value of those records as evidence declines and the potential for how the case will be resolved, whether in the courtroom or through settlement, is altered. In response, a company must be prepared to demonstrate that its ESI has been managed pursuant to a defensible standard of care.

As a result, adherence to Clause A.15.1.3 includes protecting records that become important to litigation and assuring their continued integrity and availability. For these purposes, information security practices are indispensable, and the failure to apply and extend those practices to relevant evidential materials can create a material risk for many companies.
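Clause A.15.1.3 asks that records be protected from falsification as well as from loss, and the paragraphs above explain why a company has to be able to show that protection held. The following is an added example, not from the post, from ISO/IEC 27001 or from Waters Edge Consulting, of one practice that supports such a showing: a hash manifest of a record set, built when the records are placed under hold and re-checked later so that any altered, removed or newly added file can be named. The record files and their contents are constructed inside a temporary directory for the example; the function names are the example's own.

```python
"""Integrity manifest for a set of records (added example, constructed data)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """SHA-256 of a file's contents, read in chunks so large records are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk the record tree and note the hash and size of every file under it."""
    records = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return {"created": datetime.now(timezone.utc).isoformat(),
            "algorithm": "sha256", "records": records}


def manifest_to_json(manifest):
    """Deterministic serialisation, so the manifest text itself can be hashed or signed
    and kept somewhere the records' custodians cannot quietly rewrite it."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_manifest(root, manifest):
    """Compare the tree as it is now against the manifest. Returns which records are
    unchanged, which were modified (falsification), which are missing (destruction)
    and which are present but were never covered by the manifest."""
    current = build_manifest(root)["records"]
    expected = manifest["records"]
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, meta in expected.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != meta["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(expected))
    return report


def demo():
    """Constructed walkthrough: create two records, build the manifest, then
    falsify one, delete the other, add an uncovered file and verify again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "contracts"))
        with open(os.path.join(root, "contracts", "acme.txt"), "w") as f:
            f.write("Signed 2007-05-01\n")
        with open(os.path.join(root, "ledger.csv"), "w") as f:
            f.write("date,amount\n2007-05-02,100\n")

        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        with open(os.path.join(root, "ledger.csv"), "a") as f:
            f.write("2007-05-03,999999\n")          # falsification
        os.remove(os.path.join(root, "contracts", "acme.txt"))  # destruction
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("added later\n")                # not covered by the manifest

        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The manifest only proves anything if it is stored apart from the records it describes (a separate system, or a signed copy held by counsel), which is why the serialisation is deterministic; a manifest that sits beside the records and can be regenerated by whoever altered them demonstrates nothing.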

And this risk extends well beyond the inner sanctum of the legal department, internal audit and information technology. This risk reaches into the outside counsel the company has retained for defense litigation. How many law firms are under retainer at your institution? Do they have an effective set of standards, methodologies and programs to handle your next ESI request? In the game of litigation only the most agile and preemptive strategies will prevail.

So how do you understand and determine how adept your outside counsel is when it comes to ESI and eDiscovery? Now it's time for your own investigation, audit and request for information. You have to develop the same kind of process for evaluation of outside legal counsel as you do for the next set of financial auditors or outsourced disaster recovery vendor. It's imperative that you look at enterprise content management and the records administration controls within your Information Security and Operational Risk Management framework to see how it supports a Defensible Standard of Care. The Nexus of Information Security and The Law. Here are 8 Survival Strategies courtesy of Jeffrey Ritter at Waters Edge Consulting:

  • Start a Dialogue.
  • Be Prepared to Bear Witness.
  • Be Prepared to Preserve.
  • Define "Not Reasonably Accessible".
  • Demonstrate "Routine Good Faith Operation".
  • Prepare to Deal with eDiscovery vendors.
  • Prepare your lawyers "In and Out".
  • Protect your records at the Law Firms.

Institutions wishing to achieve a defensible standard of care for protecting business sensitive data such as intellectual property, financial records, customer data and business records will find the Waters Edge Protocol a welcome advantage in streamlining the effort required to tailor requirements, policy, processes, and implementation plans to meet their business needs.

10 May 2007

IT Audit: Communicating with the CEO...

In the latest issue of ITAudit, Jackie Bassett is right on target. She has clearly identified the items necessary to close the gap of communicating to top management before, during and after an Information Technology Audit. A key component of any prudent Operational Risk Management Program:

At its most basic level, an IT security audit is a systematic evaluation of a company's IT security infrastructure that measures how well security policies, procedures, and controls conform to a set of established criteria. Today's internal auditors know that the true value of an IT security audit to an organization goes beyond compliance. By successfully communicating their IT security audit recommendations, auditors can have a major influence on corporate strategy. Unfortunately, many auditors find there is little guidance to help them communicate audit results and recommendations to senior-level managers when preparing for the IT security audit. Consequently, conveying IT security recommendations can be one of the most challenging parts of an internal auditor's job. However, with a little preparation and knowledge, auditors can enhance the way they communicate IT security audit results as well as provide recommendations senior managers can relate to, understand, and implement.

What can the board of directors do to make sure that their CEO has moved to a place focused on mitigating operational risks to enhance opportunities and long term strategy?

Fundamentally, the first task is to make sure that the CEO has a management system in place for operational risk. What is needed is a process approach for establishing, implementing, operating, monitoring, maintaining and improving the effectiveness of an organisation’s operational risk enterprise architecture (OREA).

Let’s break OREA down a little further to get a better view of some of the specific operational attributes:

People
Employee fraud, misdeed, unauthorised activity, loss/lack of personnel and employment law.

Process
Payment/settlement, delivery/selling, documentation/contract, valuation/pricing, internal/external reporting and compliance.

Systems
Technology investment, development, access, capacity, failures and security breach.

External
Legal liability, criminal activities, outsourcing, suppliers / insourcing, disasters / infrastructure, regulatory/political.

The attributes of operational risk are the same key areas that need to have metrics created for measurement and auditing. Performance management, Balanced Scorecard and other methodologies for managing, monitoring and continuous improvement need to be implemented so the boards of directors have a way to get timely alerts, updates and reporting.

The operational risk enterprise architecture (OREA) is a management framework that requires a process approach, embedded with the legacy of our quality initiatives of the past several decades. The reason is the threat of change itself. The P-D-C-A model (plan – do – check – act) is appropriate for application to this process approach and to the threat of a constantly changing corporate environment:

Plan
Establish policy, objectives, targets, processes and procedures for managing operational risks to deliver results in accordance with the organisation’s business objectives.

Do
Implement and operate the policy, controls, processes and procedures.

Check
Assess and measure in applicable areas while reporting results to management for review.

Act
Take corrective and preventive actions based on results to continually improve the OREA framework.

Operational risk management is getting the attention of organizations outside of the major banks at a rapid pace. Boards of directors in any industry will soon realize that the successful CEO of the future will be a master of building a culture with effective operational risk management systems at its core.

Furthermore, interpreting how enforcement of IT security controls and policies can strengthen connections with customers and suppliers, how authorization processes can preserve intellectual property, or how separation of duties can drive innovative new business processes demonstrates to senior managers that internal auditors are an invaluable company resource and asset.

29 April 2007

Crisis Management: Corporate 4GW...

Crisis Management is getting the increased attention of Board Directors in light of the latest disclosure rules. And Eric Dezenhall's new book is out in collaboration with John Weber and the excerpt is in the latest issue of Board Member. There are 10 crises that are outlined in the article:
  1. Corporate Mission Creep
  2. The Demise of Science
  3. Outspent and Outgunned
  4. Is Junior Covering Your Crisis?
  5. Wall Street War Zone
  6. Everyone's a Pundit
  7. Make 'em Laugh
  8. Your Brand is a Target
  9. Protecting Intellectual Property
  10. The Porous Corporation

Damage Control: Why Everything You Know About Crisis Management Is Wrong. Much of the conventional wisdom about damage control and crisis PR is self-serving, self-congratulatory, self-deceiving—and flat out wrong. And no one knows it better than Eric Dezenhall and John Weber, who have helped countless companies, politicians, and celebrities get out of various kinds of trouble.

If you’re facing a lawsuit, a sex scandal, a defective product, or allegations of insider trading, other PR experts will tell you to stay positive, get your message out, and everything will be just fine. But happy talk doesn’t help much during a real crisis, and it’s easy to lose sight of your real priorities. In a trial, for instance, you might want the whole world to think you’re a wonderful person, but all that matters is whether twelve jurors think you’re guilty.

#10 caught our eye because it discusses the fact that insiders in the organization have a growing power base. Armed with new tools to capture information in real time and post it to an off-site blog or other online location, they have shrunk the time between the confidential event and its public disclosure to minutes, not hours. Mr. Dezenhall is clear to point out that the new crisis manager is involved in constant monitoring and is taking on a more preemptive and preventive mission. Call it "Damage Control", he says.

As the lines begin to blur between corporate roles of crisis management, brand management, public relations, competitive marketing, fraud management and reputation control, so too does the level of Operational Risk. When you have so many individuals responsible for keeping a handle on potential crises as they are uncovered by a tip, a leak or the whistleblower hotline there is an increasing risk of a lack of an effective Incident Management System.

The blogosphere is just another version of the age old online bulletin board on broadband steroids. Skilled journalists who have for years operated in the mainstream media have their own blog on the online site of the offline magazine or newspaper. The power of "Time to Press" is now a matter of the source and the reach of the blog community. Why does Fox Interactive Media own MySpace?

Savvy Boards of Directors realize the value of having an open and transparent approach to the governance of the organization. Even as we speak, the newest data on executive compensation, perks, bonuses or golden parachutes are being published and communicated by online databases. All of this transparency, and the fact that all of the data is discoverable in an internal investigation or external litigation, makes it imperative that management manage this risk proactively, not reactively after the fact.

Corporate Risk Intel is nothing new and over the past five years has blossomed into a mandatory high technology business unit within corporate enterprises. The people, processes, systems and tools require a combination of capabilities, expertise and raw instinct. Extensions of Open Source Intel (OSINT) are fueling the internal "Damage Control" department across the globe. The "Porous Corporation" is quickly becoming a modern day forum for survival of the fittest and other Darwinian strategies of "Adaptation".

Over a year ago, this same topic was addressed in adapting to a corporate (4GW) 4th Generation Warfare Paradigm.



25 April 2007

White Collar Crime: Enduring Truth...

In the 19th century a famous sleuth by the name of Al Pinkerton was quoted:

"A professional should possess the qualifications of prudence, secrecy, inventiveness, persistency, personal courage, and above all, honesty."

Inside the walls of global enterprises are the ticking time bombs waiting for the next opportunity to rationalize their malicious acts upon the organization. Individuals with advanced degrees, outstanding performance and continuous community service are operating just like Al Pinkerton has described, with one exception. Honesty.

White collar criminals are taking the corporate beaches by storm. Backdating, once a common practice, now has more than 100 companies under investigation. Yet good old fashioned theft of corporate assets is running at an all time high, and with more tips and leaks, internal fraud is now a much easier crime to detect, prosecute and punish. Why do so many companies look the other way and just fire an employee when company wrongdoing is uncovered? Reputation.

The phrase "white-collar crime" was coined in 1939 during a speech given by Edwin Sutherland to the American Sociological Society. Sutherland defined the term as "crime committed by a person of respectability and high social status in the course of his occupation." Although there has been some debate as to what qualifies as a white-collar crime, the term today generally encompasses a variety of nonviolent crimes usually committed in commercial situations for financial gain. Many white-collar crimes are especially difficult to prosecute because the perpetrators are sophisticated criminals who have attempted to conceal their activities through a series of complex transactions.

The most common white-collar offenses include: antitrust violations, computer and internet fraud, credit card fraud, phone and telemarketing fraud, bankruptcy fraud, healthcare fraud, environmental law violations, insurance fraud, mail fraud, government fraud, tax evasion, financial fraud, securities fraud, insider trading, bribery, kickbacks, counterfeiting, public corruption, money laundering, embezzlement, economic espionage and trade secret theft. According to the Federal Bureau of Investigation, white-collar crime is estimated to cost the United States more than $300 billion annually.

A true Operational Risk Management professional has to operate as Al Pinkerton described and with even more capabilities than in his day. They have competencies and subject matter expertise to address:

  • Identification
  • Assessment
  • Design
  • Implementation
  • Audit
  • Supervision
You have to identify the corporate assets to protect and the threats to those assets. You then have to determine the likelihood of occurrence. What is the impact to the organization from a loss? One must also have knowledge and expertise in accounting, auditing, interviewing, investigation, legal elements, digital forensics, reporting, testifying and communicating. Not only does the OPS Risk professional today require honesty, the role also requires much more.

Hiring good people is the constant headache of every manager in every industry in every part of the world, and bankers have probably complained about the situation the loudest. But if a bank makes a bad hire, the pain will only be felt years later when it comes out in the newspapers that both the employee and several million dollars have gone missing.

The situation should be avoidable, but the fact is that nobody can really know who it is that they are hiring. Consider the case of one senior banker, who was ready to hire a new personal assistant. Besides being the best candidate for the job, he had once known the applicant when he had worked at her previous company. Through a chance meeting with one of his old co-workers at that bank, he found out that his applicant had been fired for embezzlement, although the information had not been made public.

Actual levels of internal fraud across the industry are a closely guarded secret, although each banker will have a good idea how much it costs his or her own bank. While it is commonly agreed that the cost of internal fraud greatly exceeds that lost on credit card and other fraud, expensive systems required by regulators to manage fraud throw a monkey wrench into the works.

Whether you are in search of the facts or are rendering an opinion, the way you operate and behave within your organization and in front of those individuals you are in pursuit of remains the same. You are a "Citizen Soldier". This means that you are influenced by neither the politics nor the power of those who may try to persuade you to see it their way. You see it as it is and your mission is to uncover the real truth and only the truth. Reputations are at stake. Lives will be changed forever. But the truth will endure.

18 April 2007

ECM Security: Trusted Information...

When it comes to Enterprise Content Management (ECM), security is an issue that continues to challenge most vendors. John Newton (Content Log) is in search of topics this week at AIIM that address the security needs of the market place:

  • Common identity. There needs to be a common way of addressing identity between different services whether those services are in the enterprise or outside.
  • Common Models for Rights Management. The big, looming problem in content is the fact that huge numbers of users are adding, accessing or updating an even larger number of pieces of content.
  • Distributed Directory Services. Identity is not sufficient for determining roles or entitlements.
  • Mashup Frameworks for Security. Mashups, the integration of different systems at the browser level, represent the fastest-growing and easiest mechanism to weld systems together. Almost all mashups have no notion of security and only work on public systems.
  • Search and Security. As search becomes increasingly federated, such as through the OpenSearch API, managing identity and entitlements on content becomes very problematic.
Whether John will find the answers is questionable. And that is exactly the issue when it comes to hosting or managing enterprise information. Almost a year ago, before Stellent (Sealed Media) was purchased by Oracle, its survey of 29 CIOs who had invested more than $1M in ECM had these as their top priorities:
The concerns were ranked on a scale of one to eight, eight being the most important.
  1. Guarantee ISO 17799 compliance: 6.03
  2. Protection of intellectual property during offshoring or outsourcing: 5.52
  3. Protection of high- and executive-level communications: 4.79
  4. Improvement of workflow-process automation: 4.41
So what?

If you are an ECM vendor and you only have so many bucks to spend on development of the next generation of your software, what are you going to add and what are you going to fix? So why are numbers one and two so important to CIOs who have invested so much money in their platforms?

Some of the answers can be found in the root cause of their concerns. We found some relevant discussion in a position paper entitled:

W3C Workshop on Transparency and Usability of Web Authentication by Jeffrey Ritter & Said Tabet

Statement of Issues: The conflict between the potential of Web Services and the inadequacy of web authentication is potentially best described as “a failure to communicate”. As enterprises extend and evolve into more dynamic, real-time facilities, central operations require the ability to express their security requirements in greater detail than can be currently enabled. Corporations must define and adhere to increasingly large directories of requirements in the management of their internal security controls; requiring compliance with those controls by participants in the extended enterprise is becoming essential.

Corporate operations increasingly distribute their computing and data processing requirements across a network of third party services, some of which are engaged and employed for controlled, finite sessions. But those third parties, for so long as they are processing data and functioning as part of the operating whole of the primary corporation, are being pressured to demonstrate their adherence to the security controls of their customers. This requirement is an expression of a requirement for trustworthiness—to be engaged as a part of the extended enterprise is to be trusted to perform in compliance with the applicable controls.

An enterprise with exposure to continuous litigation is evaluating new ways to look at 3rd parties who manage its information, and this includes law firms. When you hand over management of critical and legally binding information to a 3rd party, trust is a key component of that decision. So how do you know if your law firm(s) and database marketing companies such as Merkle, Inc. or other outsourced service providers have the trustworthiness to be part of your extended enterprise? The fact is you don't, unless you require the new and existing parts of the information supply chain in your organization to operate as one seamless trusted entity.

The greatest economic risk companies face with electronic discovery is choosing the wrong law firm. Under the new Federal Rules of Civil Procedure, the amounts at stake are not just legal fees or settlement costs; searching for and recovering electronic business records causes productivity losses and threatens revenue. Bottom line, selecting a law firm that is ill-prepared to effectively manage electronic discovery can cost enormously - internal records preservation and production costs are considered one of the largest uncontrolled expenses in corporate America.
So how do you select the right firm?

For corporations, Evaluating the Electronic Discovery Capabilities of Outside Law Firms: A Model Request for Information and Analysis provides corporate law departments, records management and IT departments an invaluable tool to ensure that the legal risks of e-discovery are competently addressed by their outside law firms.

Here is a peek at the line-up so far this year from just one government regulator, the SEC.

16 April 2007

Workplace Violence: Hokies in Mourning...

As the details of the event unfold at Virginia Tech, one is reminded that violence of such magnitude is an operational risk in universities and colleges across the globe.
The Virginia Tech shooting occurred on April 16, 2007 at Blacksburg in the U.S. state of Virginia. At least 32 people were killed, including the gunman, with at least 28 injured, making it the deadliest school shooting in United States history.

As the evidence is collected and the investigations determine what could have prevented such a tragic incident there will also be questions about the response. Workplace violence or campus violence is similar in nature from the standpoint that you plan and prepare for such random incidents. The point is that it may never happen but if it does, are you prepared?

Were the three bomb threats in advance of the incident just active surveillance by the shooter? What proactive measures were taken by law enforcement between the first shooting and the second scene where a majority of the deaths occurred? The measures taken on that multi-hour timeline will be scrutinized to find out why the buildings on campus were not secured. Was a crisis plan enacted from the point of the first incident and, if so, how effective was it?

A few details emerged from the news conference. At 7:15 a.m., an emergency 911 call came in to University police department about a shooting at a campus building, West Ambler Johnston, a dormitory for about 900 freshman students. About three hours later it was followed by a second shooting at a classroom in a science and engineering building on the opposite end of campus, Norris Hall. The shooter died there, the police said.

Suicide bombers and those with a death wish are the ultimate threat. No level of security or proactive measures can defeat this kind of attack. This fact has been proven over the past few decades on and off the battle field. In the aftermath we can only hope that more is done to heighten awareness about "At Risk Behavior" whether it be in school or at work. The cues and clues that bring people to a point of violence are usually noticed by fellow students or co-workers. However, once the event takes place, those individuals who noticed these behavioral warning signs feel the worst about the incident.

Behavioral psychologists will tell you that the signs are there; you just didn't recognize them in time. Besides the obvious drug or alcohol abuse warning signs, some are more subtle.

Other problematic behavior also can include, but is not limited to:
• Increasing belligerence
• Ominous, specific threats
• Hypersensitivity to criticism
• Recent acquisition/fascination with weapons
• Apparent obsession with a supervisor or coworker or employee grievance.
• Preoccupation with violent themes
• Interest in recently publicized violent events
• Outbursts of anger
• Extreme disorganization
• Noticeable changes in behavior
• Homicidal/suicidal comments or threats

Once the determination is made what motivated this individual to carry out this act today, we will use that information. It will become a new or even repeated warning sign that we have become complacent to in our day to day interactions with others on the job or in the class room.

How will the new crisis programs and workplace violence programs be communicated across the nation incorporating these lessons learned? To begin the process of finding out what is in place and what needs to be done, here is a very relevant self-audit from The National Institute for the Prevention of Workplace Violence.


Workplace Violence Prevention Audit Questions:
  1. Has a specific management level person been designated as the person responsible for coordinating the company's workplace violence prevention initiative?
  2. Has an integrated workplace violence prevention team (also known as Threat Management or Threat Assessment Team) effort been established that includes representatives from the following functions: security, occupational safety & health, risk management, legal, public relations/corporate communications, human resources and operations management?
  3. Does the company have a workplace violence prevention policy?
  4. If a written workplace violence policy exists, does it include provisions addressing how to deal with domestic violence in the workplace, mobbing and bullying behaviors?
  5. Does the company have a written plan describing how the workplace violence prevention plan will be implemented?
  6. Has a pre-established emergency protocol been put in place with local law enforcement and a specific individual (and back up) been designated to contact the police during a critical incident?
  7. Have all managers been trained in workplace violence prevention?
  8. Have all employees been trained in workplace violence prevention?
  9. Does the company have a policy prohibiting the possession of weapons on the company's premises and while an employee is performing their job?
  10. Has the company conducted an organizational violence assessment to determine if 'the common factors of violence prone organizations' are present?
  11. Has the company conducted a Facility Risk Assessment of all of its work areas?
  12. Does the company have a process and procedure in place for conducting Individual Threat Assessments?
  13. Has the company pre-identified and pre-qualified an external workplace violence expert and critical incident debriefing team to assist the organization, if needed?
  14. Are there known workplace violence hazards that employees are exposed to, and/or are similar businesses or companies in your industry or geographic area known for having workplace violence hazards?
The questions will remain for years to come as the answers are discovered in conference rooms and court rooms across the country. Was this the wake-up call that we all needed? And for those who are seeking proven solutions to this Operational Risk, consider Defywire.

13 April 2007

In Search of Answers: OPS Risk Intel...

When it comes to Operational Risk, what is on your mind? These are just a few recent inquiries from around the globe:

  • operational risk consultant
  • plausible deniability risk mitigation
  • operational risk and causes for information technology department
  • digital forensics plus ediscovery software
  • operational risk management in bank
  • hedge risk asian tsunami
  • bbc programmes advice on insurance companies covering anti terrorist cover
  • hsac navy seals
  • metrobank and trust company philippines risk managment practice
  • passmark passes fdic audit
  • gsk italy germany executive's supply chain quality assurance manufacturing
  • define issues and action plans orm
  • ethical prior the implemention of disaster response
  • operational risk management dulles airport
  • Business Crisis and Continuity Management (BCCM)
  • invision, deloitte, risk, root cause analyses
  • bs 25999 part1
  • system malfunction hurricane katrina critical infrastructure
  • fraud risk management vs. compliance investigation
  • "opinion letter" "disaster recovery"
  • the newest trends in operational risk for public sector
  • north carolina department of revenue real estate investment trust voluntary disclosure
  • parmalat crisis management
  • public sector operational risk management
  • bank of america sas 70
  • example document retention policy homebuilder
  • fbi justice report sedona mortgage fraud
  • operation risk management test answers
  • suibin zhang
  • authenticol systems boulder
  • helicopter detecting grow ops
  • using ipsonar opinion
  • pneumonia, operational risk
  • reasons for enterprise risk management assessment

If you are like us, you see some real "nuggets" of intel in these searches. One observation is that Operational Risk is diverse and its facets are complex. The interdependencies of people, processes, systems and external events, combined with the legal implications, make this discipline ever more sought after in the ranks of enlightened institutions.

So why would somebody be looking for information on plausible deniability risk mitigation?

Over a year ago Bruce Schneier had this to say:

Deniable File System

Some years ago I did some design work on something I called a Deniable File System. The basic idea was the fact that the existence of ciphertext can in itself be incriminating, regardless of whether or not anyone can decrypt it. I wanted to create a file system that was deniable: where encrypted files looked like random noise, and where it was impossible to prove either the existence or non-existence of encrypted files.

This turns out to be a very hard problem for a whole lot of reasons, and I never pursued the project. But I just discovered a file system that seems to meet all of my design criteria -- Rubberhose:

Rubberhose transparently and deniably encrypts disk data, minimising the effectiveness of warrants, coercive interrogations and other compulsive mechanisms, such as U.K. RIP legislation. Rubberhose differs from conventional disk encryption systems in that it has an advanced modular architecture, self-test suite, is more secure, portable, utilises information hiding (steganography / deniable cryptography), works with any file system and has source freely available.

The devil really is in the details with something like this, and I would hesitate to use this in places where it really matters without some extensive review. But I'm pleased to see that someone is working on this problem.

Next request: A deniable file system that fits on a USB token, and leaves no trace on the machine it's plugged into.

So what? Why would an Operational Risk Professional be concerned about a USB token that leaves no trace on the machine it's plugged into? We think you get the big picture here. So are there any other nuggets of intel worth exploring in this latest list of searches?
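The design criterion Schneier names, "encrypted files looked like random noise", is also the property that limits what an examiner can conclude from a blob of data on a seized drive or USB token. The added example below (not code from this post, from Schneier, or from Rubberhose) runs the two checks an entropy-scanning triage tool applies, Shannon entropy and a chi-square test of the byte histogram, over constructed English text, the same text under a hypothetical SHA-256 counter-mode keystream (an illustrative stand-in, not a vetted cipher and not Rubberhose's design), and genuine OS randomness. The thresholds in `looks_random` are assumed values for blobs of a few kilobytes.

```python
"""Entropy and chi-square checks on plaintext, ciphertext and random bytes.

Added illustration, not code from the post, from Schneier or from Rubberhose.
It shows why "encrypted files look like random noise" is the property that
makes a file system deniable: the statistics a forensic triage tool can
measure are the same for a ciphertext blob and for genuinely random data.
Standard library only; the keystream cipher below is a hypothetical
stand-in used purely for the demonstration."""
import hashlib
import math
import os
from collections import Counter

# Constructed low-entropy sample: ordinary English prose repeated 40 times.
SAMPLE_TEXT = (
    b"Operational risk is the risk of loss resulting from inadequate or "
    b"failed internal processes, people and systems or from external events. "
) * 40


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling, approached only by a uniform byte stream."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against the uniform
    distribution. Uniform data scores near 255 (the degrees of freedom);
    text scores in the thousands because most byte values never occur."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def keystream(key: bytes, length: int) -> bytes:
    """Hypothetical demo stream cipher: SHA-256(key || counter) in counter mode.
    Not a vetted construction and not how Rubberhose works; it exists only so
    the ciphertext statistics can be shown without third-party libraries."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


def random_blob(length: int) -> bytes:
    """Genuinely random bytes from the OS, the benchmark for 'looks like noise'."""
    return os.urandom(length)


def looks_random(data: bytes, min_entropy: float = 7.8, max_chi: float = 400.0) -> bool:
    """The kind of verdict an entropy-scanning triage tool gives. Thresholds are
    assumed values suited to blobs of a few kilobytes: for 5,480 uniform bytes
    the entropy estimate sits around 7.96 and chi-square around 255."""
    return shannon_entropy(data) >= min_entropy and chi_square(data) <= max_chi


def analyze(data: bytes) -> dict:
    """Summary of the three measurements for one blob."""
    return {"entropy": round(shannon_entropy(data), 3),
            "chi_square": round(chi_square(data), 1),
            "looks_random": looks_random(data)}


if __name__ == "__main__":
    key = b"constructed-demo-key"
    for label, blob in (("plaintext", SAMPLE_TEXT),
                        ("ciphertext", xor_crypt(key, SAMPLE_TEXT)),
                        ("os.urandom", random_blob(len(SAMPLE_TEXT)))):
        print(f"{label:11s} {analyze(blob)}")
```

The plaintext fails both checks (entropy under 5 bits per byte, chi-square in the thousands), while the ciphertext and the `os.urandom` sample are indistinguishable by these measurements. That is the defender's takeaway: entropy scanning can tell you that a blob is not plaintext, but it cannot by itself prove that a high-entropy region is an encrypted volume rather than wiped or random space, which is precisely the deniability the design aims for.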


What about Business Crisis and Continuity Management (BCCM)? When it comes to a crisis, there are numerous sources that impact your Operational Risk Strategy:

The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:

  • Public perception
  • Unethical dealings
  • Regulatory or civil action
  • Failure to respond to market changes
  • Failure to control industrial espionage
  • Failure to take account of widespread disease or illness among the workforce
  • Fraud
  • Exploitation of the 3rd party suppliers
  • Failure to establish a positive culture
  • Failure in post employment process to quarantine information assets upon termination of employees

So what? Boards of Directors have the responsibility to ensure the resiliency of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise. It’s the shareholders' duty to scrutinize which organizations are most adept at “Continuous Continuity” before they invest in their future. Hopefully you understand that the operational risk spectrum is as wide as it is deep. Keeping your fingers on the pulse of what people are concerned about could be as simple as this quick exercise in "search terms analysis."

06 April 2007

Ethics: The Tone at the Top...

Have you had your annual check-up? Is the health of your organization improving or on the way to a potential loss of reputation?

Boards of Directors are consistently talking about how they can create the correct "Tone at the Top" when it comes to ethics and compliance. Global corporations realize the importance of these issues in order to create a focus on competitive advantage and other new "Carrots" rather than the old motivators of fear, uncertainty and doubt (the FUD Factor). Employees who are "Beaten with a Stick" in order to comply with federal laws and state rules of conduct are looking for new vision and new methods to improve the health of organizational ethics. An interview with Perry Minnis, Alcoa's Director of Ethics and Compliance, highlights this point:

Organizations have always confronted ethics problems, but it seems that only in the last 25 years or so that ethics has grown from an academic discipline into a mandatory department at most corporations. How has this happened?

I believe the heightened awareness can be attributed to several factors: the defense contracting scandals during the Reagan Administration; the issuance, in the early 1990s, of the Federal Sentencing Guidelines, which established criteria for assessing the completeness of ethics and compliance programs; the emergence of high profile scandals - Enron, Tyco, WorldCom, etc.; and the passage of the U.S. Sarbanes-Oxley Act and the associated provisions of the New York Stock Exchange and SEC requirements. Plus companies now have a general sense that a reputation for ethical behavior is a competitive advantage. It engenders customer loyalty and employee allegiance.

Mr. Minnis and other officers like him who are charged with creating the right "Tone at the Top" must cooperate with a multitude of players within the enterprise to address this cultural awareness. Part of this strategy should include the check-up for fraud and the signs that it may be present in certain business units or processes within the organization.

In this Fraud Prevention Check-up tool we are especially pleased to see question number 7:

To what extent has the entity established a process to detect, investigate and resolve potentially significant fraud? Such a process should typically include proactive fraud detection tests that are specifically designed to detect the significant potential frauds identified in the entity’s fraud risk assessment. Other measures can include audit “hooks” embedded in the entity’s transaction processing systems that can flag suspicious transactions for investigation and/or approval prior to completion of processing. Leading edge fraud detection methods include computerized e-mail monitoring (where legally permitted) to identify use of certain phrases that might indicate planned or ongoing wrongdoing.
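One way to picture the audit "hooks" that question 7 describes, as an added example that is not the Check-up tool's code or any real ledger system's: a pre-commit hook that every payment passes through before processing, raising flags for segregation-of-duties breaches, over-limit amounts, large payments to unknown payees, split ("structured") payments that together exceed the approval limit, and off-hours posting. The approval limit, the rules and the sample ledger are constructed assumptions.

```python
"""Pre-commit audit hook for a payments ledger.

Added example, not the Fraud Prevention Check-up tool's code or any real
system's: it shows what an audit "hook embedded in the transaction
processing system" can look like. Rules, limits and the sample ledger are
constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    when: datetime
    payee: str
    amount: float
    submitted_by: str
    approved_by: str


APPROVAL_LIMIT = 10_000.00               # assumed single-approver limit
STRUCTURING_MARGIN = 0.10                # "just under" = within 10% below the limit
STRUCTURING_WINDOW = timedelta(days=7)   # look-back for split payments


def audit_hook(txn: Transaction, history: list, known_payees: set) -> list:
    """Return the flags raised for one transaction given the ledger so far.
    An empty list means the transaction may complete; anything else routes
    it to review before processing."""
    flags = []
    # Segregation of duties: the submitter must not be the approver.
    if txn.submitted_by == txn.approved_by:
        flags.append("SEGREGATION_OF_DUTIES")
    # Single payment above the approval limit.
    if txn.amount > APPROVAL_LIMIT:
        flags.append("OVER_LIMIT")
    # Sizeable payment to a payee not in the vendor master.
    if txn.payee not in known_payees and txn.amount >= 0.5 * APPROVAL_LIMIT:
        flags.append("NEW_PAYEE_LARGE")
    # Structuring: several just-under-limit payments to one payee within the
    # window that together exceed the limit a single approver may sign for.
    lower = APPROVAL_LIMIT * (1 - STRUCTURING_MARGIN)
    if lower <= txn.amount <= APPROVAL_LIMIT:
        recent = [t for t in history
                  if t.payee == txn.payee
                  and timedelta(0) <= txn.when - t.when <= STRUCTURING_WINDOW
                  and lower <= t.amount <= APPROVAL_LIMIT]
        if recent and txn.amount + sum(t.amount for t in recent) > APPROVAL_LIMIT:
            flags.append("POSSIBLE_STRUCTURING")
    # Posted outside 06:00-22:00 or at the weekend.
    if txn.when.weekday() >= 5 or not 6 <= txn.when.hour < 22:
        flags.append("OFF_HOURS")
    return flags


def run_ledger(transactions, known_payees) -> dict:
    """Feed transactions through the hook in time order; returns {txn_id: flags}."""
    history, outcome = [], {}
    for t in sorted(transactions, key=lambda t: t.when):
        outcome[t.txn_id] = audit_hook(t, history, known_payees)
        history.append(t)
    return outcome


# Constructed sample ledger (all names and amounts invented).
KNOWN_PAYEES = {"Acme Supplies", "Metro Facilities"}
SAMPLE_LEDGER = [
    Transaction("T1", datetime(2007, 4, 2, 10, 15), "Acme Supplies", 4200.00, "alice", "bob"),
    Transaction("T2", datetime(2007, 4, 3, 14, 0), "Northwind Consulting", 9500.00, "alice", "bob"),
    Transaction("T3", datetime(2007, 4, 5, 9, 30), "Northwind Consulting", 9800.00, "alice", "bob"),
    Transaction("T4", datetime(2007, 4, 7, 23, 40), "Acme Supplies", 12500.00, "carol", "carol"),
]


def demo() -> dict:
    """Run the constructed ledger through the hook."""
    return run_ledger(SAMPLE_LEDGER, KNOWN_PAYEES)


if __name__ == "__main__":
    for txn_id, flags in demo().items():
        print(txn_id, "OK" if not flags else "REVIEW: " + ", ".join(flags))
```

In the sample, T1 passes, T2 is flagged only because the payee is new, T3 adds the structuring flag because it and T2 together exceed the limit within a week, and T4 trips three rules at once. The point of a hook like this is that the decision is made before the transaction completes, not discovered months later in an audit sample.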

The use of automated tools to help prevent fraud from occurring will continue to be just that, a tool. It's imperative that anyone utilizing such mechanisms for early warning remember the taxonomy for an "Incident:"

"Attackers use tools to exploit vulnerabilities to create an action on a target that produces an unauthorized result to obtain their objective."

While the ethics and compliance department teams up with the IT and Security departments to create the policies and implement the tools to deter, detect and defend against fraud, the opposing force is also gaining ground. Hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs are using their own tools to test and to exploit your vulnerabilities.

The three areas that you need to focus on continue to be:

  • Design
  • Implementation
  • Configuration
Whether it is through physical attack, information exchange, user commands, scripts, programs, autonomous agents, toolkits or data taps you can be assured that these tools are being utilized to exploit you. They are being directed at the design, implementation or configuration of your "Controls" in order to achieve the action they desire:

  • Probe
  • Scan
  • Flood
  • Authenticate
  • Bypass
  • Spoof
  • Read
  • Copy
  • Steal
  • Modify
  • Delete
All of these actions are directed at their target: accounts, people, processes, data, components, computers, networks or internetworks. They are looking for an unauthorized result:

  • Increased Access
  • Disclosure of Information
  • Corruption of Information
  • Denial of Service
  • Theft of Resources
And sadly, when you boil it down to the reasons or objectives they seek to achieve, it usually falls into one of four categories:

  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage
Once you understand the entire taxonomy of an "Incident" you are far better equipped to prevent and preempt attacks on your valuable corporate assets. Equally as important is the "Tone at the Top" to set the foundation for an environment that employees embrace and will protect at all costs.

29 March 2007

DRP: Document Retention Policy...

Corporate Fraud is nothing new and seems to go in cycles. Now we are back to the days of real estate financing and mortgage lending wrongdoing, but this time it might be a larger issue than in the past. When this issue gets on the docket over at the Daily Caveat, you can bet this is not going to be a trivial matter.

Atlanta-based Beazer Homes USA is facing scrutiny from the FBI over allegedly fraudulent practices in the company's mortgage lending business. Beazer, a public company, operates as a home builder in 21 states.

The bureau's report said mortgage fraud comes in two broad varieties: "fraud for profit," which is largely committed by industry insiders and involves practices such as falsely inflating property values, and "fraud for housing," which is committed by borrowers and involves actions such as acquiring a house under false pretenses.

The bureau said it is cooperating with trade associations representing mortgage bankers and the government-sponsored companies that purchase mortgages, Fannie Mae and Freddie Mac, to raise awareness of mortgage fraud.

Whenever you have boom times, you can bet that the opportunities and the malfeasance will be higher and that the investigations won't gear up until well after the peak. Even if the situation has equalized and the market place is doing all the right things to adjust, you still need to put a light on those who are prone to bad behavior.

Operational Risk is all about internal and external fraud mitigation. The tools, cues and clues that an OPS Risk professional utilizes are all after the truth and for the future good of all impacted by these serious loss events.

Fraud

A risk difficult to model is fraud. Booms tend to induce fraud, misrepresentation and scandals. To quote Bagehot again:

"The good times of too high price almost always engender much fraud."

Or the great economic historian, Charles Kindleberger:

"The propensity to swindle grows parallel with the propensity to speculate during a boom. The implosion of an asset price bubble always leads to the discovery of fraud and swindles."

And now the search begins for evidence. The evaluation of the Document Retention Policy (DRP) at Beazer Homes will no doubt be a subject of discussion today and for weeks to come. If they are like most prudent organizations who have completed their DRP and have employees educated on day one of their employment, it should be crystal clear:

Here is some sample language from a standard DRP:
Our records include virtually all of the records you produce as an ABC Corporation employee. Such records can be in electronic or paper form. Thus, items that you may not consider important, such as interoffice emails, desktop calendars and printed memoranda are records that are considered important under this policy. If you are ever uncertain as to any procedures set forth in this policy (e.g., what records to retain or destroy, when to do so, or how) it is your responsibility to seek answers from ABC Corporation’s DRP Manager.

The goals of this DRP are to:

  • Retain important documents for reference and future use;
  • Delete documents that are no longer necessary for the proper functioning of ABC Corporation;
  • Organize important documents for efficient retrieval; and
  • Ensure that you, as an ABC Corporation employee, know what documents should be retained, the length of their retention, means of storage, and when and how they should be destroyed.
Yes, a policy about destruction of documents. This is where many organizations fail to mitigate the risk of data theft or even eDiscovery of data that could become relevant in a future investigation. However, these days, everybody is saving everything and for what looks like could be a very long time.

"If a lawsuit is filed or imminent, or a legal document request has been made upon ABC Corporation, ALL RECORD DESTRUCTION MUST CEASE IMMEDIATELY.

"ABC Corporation’s DRP Manager may suspend this DRP to require that documents relating to the lawsuit or potential legal issue(s) be retained and organized. A critical understanding of this section is imperative. Should you fail to follow this protocol, you and/or ABC Corporation may be subject to fines and penalties, among other sanctions."

The phone has just got to be ringing off the hook over at Stratify!

23 March 2007

Global Risk: Resilience & Interdependencies...

It's no surprise that spending will be up in 2007 on Operational Risk Management. According to a recent AMR Research study, OPS Risk spending will increase dramatically:

The study reveals 46% of firms surveyed plan to implement or evaluate technologies for risk management in the next one to two years.

The emergence of risk management as a critical practice is based on the business need for global sourcing strategies, increasingly complex contract manufacturing relationships, and the greater number of natural and political events that can disrupt the supply chain, according to AMR.

Supplier failure and continuity of supply is the Number 1 risk factor for 28% of firms, the survey says. Events such as the Enron scandal, 9/11, health scares such as SARS and avian flu threats, the Asian tsunami and Hurricanes Katrina and Rita have forced companies to re-evaluate their preparations for catastrophes and unplanned events.

Other survey results include:

* 33% of firms have dedicated budget line items for supply chain risk management activities.

* 54% of firms plan to increase their budgets for risk management over the next 12 months.

* The top areas of application spending to support supply chain risk management are sales and operations planning, inventory optimization, business intelligence and supply chain visibility and event management applications.

After all, risk managers have figured out that a holistic Enterprise Risk Management approach with a firm discipline in Operational Risk is paying off. The strict focus on just compliance with SOX or Basel II is myopic.

Cristiana Báez-Safa, Managing Director in Marsh's FINPRO (Financial and Professional Services) Practice, noted: "Many large European financial institutions have changed the direction of their operational risk projects as often as two or three times since starting their compliance efforts."

"From simply taking a narrow view, 'what can I do to comply with Sarbanes-Oxley and Basel II?', for example, risk managers in the financial services sector are now asking themselves how they can help improve business process efficiency, reduce operating costs and mitigate the risks that concern the Board most."

She also indicated that "the longer-term trends in operational risk management are greater penetration and coordination of risk management across all facets of the business; more detailed scenario planning in key areas of potential exposure; and tailored risk transfer solutions for operational risk."

Local risks can become global risks depending on the severity and connectedness to other interdependencies. We have already witnessed the impact of such events as hurricanes on gas refining operations in the US Gulf Coast Region and the impact on transportation costs. Under-regulation of sub-prime mortgages by the federal agencies may have a long-term effect on capital liquidity across the globe.

And there are many others according to the World Economic Forum 2007 Global Risks Report:
Economic
• Oil price shock/energy supply interruptions
• US current account deficit/fall in US$
• Chinese economic hard landing
• Fiscal crises caused by demographic shift
• Blow up in asset prices/excessive indebtedness

Environmental
• Climate change
• Loss of freshwater services
• Natural catastrophe: Tropical storms
• Natural catastrophe: Earthquakes
• Natural catastrophe: Inland flooding

Geopolitical
• International terrorism
• Proliferation of weapons of mass destruction (WMD)
• Interstate and civil wars
• Failed and failing states
• Transnational crime and corruption
• Retrenchment from globalization
• Middle East instability

Societal
• Pandemics
• Infectious diseases in the developing world
• Chronic disease in the developed world
• Liability regimes

Technological
• Breakdown of critical information infrastructure (CII)
• Emergence of risks associated with nanotechnology

These risks over the next ten years are global in nature and have significant interdependencies. The breakdown of CII and transnational crime and corruption are far more likely to occur than a pandemic, though not quite as costly in US loss exposure.

With all the talk about prioritization and upstream mitigation, how do you know that you are spending your resources in the right place? When will the next incident occur? And what interdependencies will come into play?

One approach is to improve resilience, allowing the system to cope with a range of unexpected manifestations. Such “downstream mitigation” recognizes that not all events can be predicted and prevented.

Enabling Global Business Resilience is the name of the game, and those organizations that understand it and can implement it effectively will be the next generation's survivors.

18 March 2007

Corporate Fraud: Revenue vs. Risk...

It's been over five years now since "Black Monday" at Enron. Volatility in the markets over the sub-prime mortgage industry has investors a little nervous. Operational Risk Executives are hoping that this is not a déjà vu moment.

Though the main Enron characters have received their prison sentences, there's no closure for corporate fraud. Sherron Watkins, Enron's sentinel, describes the debacle's details and warns that it could happen again.

Dec. 3, 2001. Black Monday. The day that Enron declared bankruptcy. CEO Ken Lay had left a voice mail on the phones of all Enron employees asking that they come into the office regardless. Nearly 5,000 were called to a massive meeting and told that the paychecks they had recently received would be their last. Three weeks before Christmas.

In August of that year, Sherron Watkins, an Enron vice president, had sent an anonymous memo to Lay that read, "I am incredibly nervous that we will implode in a wave of accounting scandals."

Of course, that's exactly what happened. After the company's demise, the investigating U.S. Congress discovered Watkins' memos to Lay and other top executives. (After sending the memos, she had met with Lay, with no results.) Watkins was soon lauded as an "internal whistle-blower," brought before House and Senate hearings to testify against her former bosses, and heralded by TIME magazine as a "Person of the Year," alongside WorldCom's Cynthia Cooper and the FBI's Coleen Rowley.

With the chaos going on in sub-prime lending in the United States, the concern is that the liquidity that fueled this past boom is suddenly about to "go south." Will any issues surface about fraud imposed upon consumers through the terms and conditions of the loans they signed to become part of the American Dream? Are there any "Sherron Watkins" sitting in their offices today wondering how they can become the next whistleblower to make the cover of Time Magazine?

Only time will tell whether the volatility in these companies has a ripple effect on markets in the long term. Yet the culture inside those organizations today must be tense, and certainly there are a handful who wish there was a way they could make it all go away. So what advice would Sherron have for anyone feeling this way at their institution in an Operational Risk Management role?

If you ever were to go back to a corporate executive position, what kinds of things would you ensure would be set in place before you took the job?

In addition to the zero tolerance policy I've already mentioned for ethically challenged employees, I'd be sure that the company had a mechanism for bad news to get to the top and had effective policies and procedures for dealing with that bad news. I would also verify that the company's control and risk personnel had autonomy and equal power with top revenue executives. I would want to see that top management values the control and risk management function. I would want to make sure they recognize that control and risk personnel will not be the most popular and that the problems the company avoids as a result of the work of these groups will never be quantified.

Think about what she is saying here. Control and risk personnel need to have equal power with the executives who bring in the revenue. This means that the power base of the sales and marketing team would need to be on par with that of the Internal Audit and Risk Management executives. This culture shift is harder to achieve than one would think. Egos aside, the people who make it their job to worry about losses and to mitigate risks day in and day out are just not used to waving the big black flag of doom. Everybody loves to hear that the business has been won, the competition defeated and the company has just closed the biggest "deal" in its history. Let the spin doctors in Marcom get the press releases flying!

It has been said before: the tone starts at the top. A CEO and Board of Directors who are cognizant of the necessity for effective risk management objectives must also create a balanced power base at the top, balancing the "revenue generators" with the "loss mitigators." So who are some of the people who deserve greater exposure in this newborn culture shift?

  • Director of Information Security promoted to CISO (Chief Information Security Officer)
  • Director of Corporate Facilities promoted to CSO (Chief Security Officer)
  • Director of Regulatory Affairs promoted to CCO (Chief Compliance Officer)
  • Director of Privacy promoted to CPO (Chief Privacy Officer)
  • Director of Human Resources promoted to CHO (Chief Humanity Officer)
If the CEO thinks that this is too many chiefs in the "C" Suite, then what about the idea of creating an Executive Office of Operational Risk Management (ORM)? This would be on par with the Chief Financial Officer and might even include the Chief Information Officer. The top ORM officer would be on par with the EVP of Sales or Marketing and, unlike the Chief Operating Officer (COO), would be focused on the effectiveness of risk controls rather than on the efficiency or uptime of corporate processes. What does Sherron think the moral is?

You've been asked this one numerous times, I'm sure, but what's the moral of the story?

Being an ethical person is more than knowing right from wrong. It is having the fortitude to do right even when there is much at stake.