Wednesday, March 30, 2005

Corporate Accountability: The New Era of Governance

“No more easy money for corporate criminals -- just hard time.”

George W. Bush signed the Sarbanes-Oxley Act of 2002, the most far-reaching corporate reform legislation since the New Deal in the 30's. The legislation is the result of billion-dollar corporate accounting scandals like Enron, Tyco, and WorldCom, and is designed to send a message to employees that the American public will no longer tolerate corruption in the companies they invest in. Welcome to the new era of corporate governance, where the stakes for wrongdoers has been raised dramatically.

Now with AIG and Warren Buffet under the latest round of questioning, it's further proof we are in a new era of governance.

Spitzer's office and the Securities and Exchange Commission are investigating the questionable use of a product known as finite reinsurance that can be used to make a company appear stronger financially than it really is. The focus of the investigation is a transaction in late 2000 between General Re, a Berkshire affiliate, and AIG, the world's leading insurance company.

Regulators say that the transaction artificially increased AIG's premium reserves, ultimately helping its stock price and its ability to acquire another company.


As Maurice Greenberg, the former CEO of AIG sits and waits for the story to unfold, he must be asking himself how did this happen? In the "New Era of Corporate Governance" the question should be, why did it take so long for it to happen? As stockholders are paying the price of corporate incivility it becomes clear that the real heros in all of this are those in Eliot Spitzer's office.

Without the continuous oversight of our regulators and the people who represent the common stock holder to enforce the law, we will not achieve what we all seek in any business relationship. The truth.

Sarbanes-Oxley and the other laws being chastised by some business executives as over protective and unjust in the quest to reach compliance will eventually achieve their goal. We are almost at the "Breakpoint" in the bottom of the "S" curve where this corporate biologic system will begin to rise and grow again. Where companies investments in education, technology and processes will turn them towards greater investor confidence and therefore greater levels of investment.

The "New Era of Governance" is just around the corner and the companies who continue to see that the investment will eventually pay off will be the real winners.

Sunday, March 27, 2005

Breaking Down Organizational Walls...

The organizational walls are coming down in the risk management department and we have witnessed what Jeremy Ward is advocating in this article. We agree much has to be done to create a collaborative relationship with OPS Risk, INFOSEC, Internal Audit, Security and Finance.

Until recently organisations were able to put operational risk and information security into separate, watertight compartments. Operational risk sat in the audit department and probably reported to the CFO. While information security (if such a function existed) sat in the IT department and reported to the CIO (eventually).

Today this approach is not a true solution to adequate risk management. Today’s information dependent organisation requires the walls of these separate compartments to be broken down.

The most obvious reasons for breaking down the compartments, and the subsequent consequences of failure to do so, are easy to understand. In recent years we have been bombarded with legislation and regulation; such as Basel II (if you’re a bank), the Turnbull report (if you’re quoted on the London Stock Exchange) or the Sarbanes-Oxley Act (if you’re quoted on the New York Stock Exchange). All of these effectively say that if you do not have in place adequate mechanisms for controlling and auditing the flow of information through your organisation; then your company will lose a lot of money, or someone important in it will go to jail – or both.


Operational Risk has much to learn from IT INFOSEC and they have more to learn about the intersections of risk across all the business units. The goal should continue to be to develop a management system that encompasses the entire enterprise.

The conclusion is obvious. Operational risk and information security cannot afford to engage in a battle for who owns the responsibility for business risk. They must agree to a contract of mutual support. Operational risk needs to know more about the threats to, and vulnerabilities of, those vital networked assets; and information security needs to understand more about how to determine the business criticality of the assets for which they are responsible. In short, they need to meet and shake hands over the level three controls.

Monday, March 21, 2005

Better INTEL Can Make a Difference...

In case you missed this announcement from the Financial Services ISAC, the sector has finally figured out that it's really about the relevance of the INTEL that makes a difference, namely iDEFENSE.

iDEFENSE and the Financial Services Information Sharing and Analysis Center (FS/ISAC) today announced a partnership to equip financial services organizations with intelligence and proactive countermeasures to combat critical cyber threats.

The agreement represents a major initiative for FS/ISAC as the organization aims to fulfill its mission of providing members with the highest caliber and most timely analysis on information security threats. Sponsored by the Department of the Treasury, FS/ISAC has more than 900 chartered members, including banks, credit unions, insurance firms, credit card companies and securities firms. Its board members include executives from Bank of America, Wells Fargo, Merrill Lynch, Goldman Sachs and Fannie Mae.

"The increasingly sophisticated and aggressive cyber threat landscape requires new solutions and approaches to ensure that our members and their customers are fully protected," said Byron Yancey, FS/ISAC’s executive director. "This partnership is a turning point for the security of America’s financial infrastructure: a new front line of defense against cyber attacks."

iDEFENSE’s "flash" cyber intelligence reports will fuel FS/ISAC’s national "urgent" and "crisis" alerts, the first time the industry group has leveraged proprietary threat data to protect the sector. The company is the leading provider of cyber security intelligence for Global 2000 companies, 8 of the top 10 financial services providers and the U.S. government. It engages 170 analysts to research thousands of new malicious codes, software vulnerabilities and hacker activity in 31 countries and 13 languages.

"Electronic criminals inherently have an advantage against their targets — they have the funding, knowledge, creativity and element of surprise to strike first," said John Watters, president and CEO of iDEFENSE. "The key is to mobilize and share actionable intelligence before attacks strike, combining vigilant intelligence gathering and immediate delivery."


Having first hand knowledge of the iDEFENSE operation and the Archer platform that powers the FSISAC, they are well on their way to having the best possible chance to mitigate risks in their organizations.

Friday, March 18, 2005

CIO: Head of ERM?

Are CIO's as executives best positioned to champion enterprise risk management? This article by Allan Holmes has some merit. Who should chair the ERM committee?

Steve Randich, CIO with Nasdaq, relies on regular tests of his data center's business continuity plans to remind his staff that ERM is a core principle for the organization. About 3,300 companies are listed on the Nasdaq, which processes about 20,000 transactions a second and receives information from about 350,000 desktops and workstations worldwide. If Nasdaq can't operate its transaction systems, it has to close the market. "We're then out of business," says Randich.

After 9/11, it took four months for Nasdaq to permanently relocate its New York City offices. The data center was able to continue operating (although the government shut down the markets for four days), but Randich realized that the company needed a more detailed risk management plan. Nasdaq's new plan included the extra equipment it would need (such as desktops and Internet access), procedures for communicating with employees and alternative work sites in case of a disaster.


We agree that the CIO should be part of the Enterprise Risk Management Committee although we don't agree they should be the chair. If there is any one person that should be considered, it would be the head of Operational Risk. Think of them as the most capable of knitting together the intersections of the physical and digital world, along with the human aspects of internal and external events.

Savvy Operational Risk Managers understand the intersections of various kinds of risk that the organization is facing. That includes the companies in the supply chain and the "Go-to-Market" plans for new marketing and sales initiatives. While the CIO is a key component and certainly data touches almost every aspect of the organization, the CIO may overlook some key facets of the ERM matrix.

If you don't have someone who is in charge of Operational Risk, maybe it's time to appoint or hire an executive for this vital position.

Tuesday, March 15, 2005

Security Governance rivals SOX Section 404...

All enterprises confront a category of unforeseen risk. Such risks hinge on events that “might happen,” but haven’t been considered by the organization and, therefore, yield too little information to disseminate to stakeholders. However, stakeholders can demand a management system for Security Governance that is comprehensive, proactive and relevant. The management system, as provided by executives, board members and oversight committees, includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources. The system also incorporates a top management strategic policy that focuses on managing risk for Security Governance while reflecting the location, assets and purpose of the organization, enterprise or entity.

In establishing a process for risk assessment, the organization should consider:

· Impact, in the event the risk event is realized;
· Exposure to the risk on a spectrum from rare to continuous, and
· Probability based upon the current state of management controls.

An organization will encounter dynamic strategic security risks. Its executives must use the management system to identify and assess these risks, develop a strategy for dealing with them to achieve Security Governance.

Security Governance is evolving rapidly and taps the thinking of various standards organizations, including OECD, BSI, NIST, ISSA, GAISP, BSA, ITAA, ASIS and dozens of other bodies of influence and knowledge. However, no matter what best practices an organization attempts to standardize on, it must weight the attitudes of the employees and stakeholders.

Unless these stakeholders fully understand the motivation behind tasks and guidelines, the system will fail. The organization that embraces change and introduces a Security Governance framework that manages not only the foreseen human risks but also the unforeseen will greatly enhance its chance of survival. Culture plays a paramount role in the risk for Security Governance because:

1. Any changes in risk management may require changes in the culture and

2. The current culture is a dramatic influence on current and future security initiatives.


Internal controls can provide reasonable assurance that an organization will meet its intended goals. Yet people (Human Factors) will fail an organization in material errors, losses, fraud and breaches of laws and regulations. People will generate constant change, and this cumulative uncertainty mandates a resilient management system for Security Governance that controls risk.

With the system in place, the board of directors soon realizes that managing risk for Security Governance rivals Section 404 of Sarbanes-Oxley as a key to success. In fact, without Security Governance, rules won’t matter and the stakeholders will again ask: How could this happen to us?

Monday, March 14, 2005

Business Benefits of BS 7799 Compliance...

Here are several business benefits of implementing BS 7799 as a management system for achieving compliance in organizations that are highly regulated:

BS 7799 brings your organization to compliance with legal, regulatory, and statutory requirements including HIPAA, Gramm-Leach-Bliley (GLBA), Sarbanes-Oxley, California SB1386, CFR21:Part 11, EU-Directive, and many others...

Market differentiation due to positive influence on company prestige, image and external goodwill parameters, as well as a possible effect on the asset or share value of the company

Demonstrates credibility and trust – satisfaction and confidence of stakeholders, partners, and customers

Reduced liability risk; demonstrates due diligence; lower rates on insurance premiums

Increases vendor status of your organization · Increase in overall organizational efficiency

Minimizes internal and external risks to business continuity· Management sets the example for appropriate security/privacy practices


The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:

·Public perception
·Unethical dealings
·Regulatory or civil action
·Failure to respond to market changes
·Failure to control industrial espionage
·Failure to take account of widespread disease or illness among the workforce
·Fraud
·Exploitation of the 3rd party suppliers
·Failure to establish a positive culture
·Failure in post employment process to quarantine information assets upon termination of employees

Frankly, corporate directors have their hands full managing risk and continuity on behalf of the shareholders. The risk management process will someday have as big an impact on the enterprise as other key functions because shareholders will be asking more questions about the changing landscape of managing risk for corporate governance.

BS 7799, so what? So what? Boards of Directors have the responsibility to insure the resiliency of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise. It’s the shareholders duty to scrutinize which organizations are most adept at “Continuous Continuity” before they invest in their future.

Friday, March 11, 2005

Get Ready for Section 6302...

In the latest US legislation to help prevent terrorist financing, the Intelligence Reform and Terrorism Prevention Act of 2004 is doing just that. Including Section 6302:

SEC. 6302. REPORTING OF CERTAIN CROSS-BORDER TRANSMITTAL OF
FUNDS.
Section 5318 of title 31, United States Code, is amended by
adding at the end the following new subsection:
‘‘(n) REPORTING OF CERTAIN CROSS-BORDER TRANSMITTALS OF
FUNDS.—
‘‘(1) IN GENERAL.—Subject to paragraphs (3) and (4), the
Secretary shall prescribe regulations requiring such financial
institutions as the Secretary determines to be appropriate to report
to the Financial Crimes Enforcement Network certain
cross-border electronic transmittals of funds, if the Secretary determines that reporting of such transmittals is reasonably necessary
to conduct the efforts of the Secretary against money
laundering and terrorist financing.
‘‘(2) LIMITATION ON REPORTING REQUIREMENTS.—Information
required to be reported by the regulations prescribed under
paragraph (1) shall not exceed the information required to be
retained by the reporting financial institution pursuant to section
21 of the Federal Deposit Insurance Act and the regulations
promulgated thereunder, unless—
‘‘(A) the Board of Governors of the Federal Reserve System
and the Secretary jointly determine that a particular
item or items of information are not currently required to
be retained under such section or such regulations; and
‘‘(B) the Secretary determines, after consultation with
the Board of Governors of the Federal Reserve System, that
the reporting of such information is reasonably necessary to
conduct the efforts of the Secretary to identify cross-border
money laundering and terrorist financing.


Translation please. Get ready for additional reporting to the Financial Crimes Enforcement Network in the near future. See FinCEN

Thursday, March 10, 2005

Offshore Outsourcing Revisited...

The risk of offshoring is a growing concern. If this study by Deloitte is correct, your valuable and private financial information is likely to be off shore already.

Deloitte estimates that $356 billion, or 15 percent, of the financial service industry's current cost base is expected to move offshore within the next five years. Further, the range and number of offshored job functions within individual institutions is expected to increase, with the average number growing from two to four functions per institution. In particular, the traditional focus on IT alone, which accounts for 70 percent of current offshore activity, will change to a business-process emphasis. Competitive pressures are the primary motivator for financial institutions to move higher-risk functions offshore.


The banking industry has a list of Offshoring Risks that is in need of greater care and oversight.

Domestic outsourcing and offshoring share most risk characteristics. However, the more complicated chain of control incurred when offshoring financial services and related data may create new risks when compared to domestic outsourcing. Offshoring also introduces an element of country risk to the outsourcing process. In particular, geographic distance from the function and timing lags in reporting heighten the potential risk exposures. Significant offshoring risk areas include:

Country Risk: political, socio-economic, or other factors may amplify any of the traditional outsourcing risks, including those listed below.

Operations/Transaction Risk: weak controls may affect customer privacy.

Compliance Risk: offshore vendors may not have adequate privacy regulations.

Strategic Risk: different country laws may not protect "trade secrets."

Credit Risk: a vendor may not be able to fulfill its contract due to financial losses.

It is currently standard FFIEC examination procedure for examiners to review outsourcing arrangements during examinations. Part of a standardized procedure should include:

Identifying and reviewing contracts between financial institutions and data service providers that allow for subcontracting or subsequent outsourcing to occur;

Determining whether subsequent outsourcing has in fact occurred as indicated in the contract or outside the terms of the contract;

Determining if the financial institution is aware of the subsequent outsourcing and the location of the outsourcing; and

Determining if the financial institution has procedures for monitoring all outsourcing arrangements to ensure adequate controls are in place or the service provider has proper procedures and controls to monitor their outsourcing arrangements.


We recommend that your CSO, CCO and General counsel revisit your last audit on high risk outsourced relationships such as customer data-base type work, including mortgage servicing and customer-assistance/help-desk services.

Tuesday, March 08, 2005

You've Been Indicted: The Most Feared Words in the Board Room...

Lew Platt, Chairman at Boeing has done the right thing.

An explicit e-mail led to the downfall of Boeing chief executive Harry Stonecipher, who had been called from retirement to boost the US aerospace giant’s tainted image, it was revealed today.

And if this article by an anonymous CSO is correct, then "Doing the Right Thing" could only be about the rules and policies set down by the ethics committee. Right?

"Directors and executives now must take an active leadership role for the content and operation of compliance and ethics programs," the U.S. Sentencing Commission's statement reads in part. "Companies that seek reduced criminal fines now must demonstrate that they have identified areas of risk where criminal violations may occur, trained high-level officials as well as employees in relevant legal standards and obligations, and given their compliance officers sufficient authority and resources to carry out their responsibilities."

The commission notably adds: "If companies hope to mitigate criminal fines and penalties, they must also promote an organizational culture that encourages a commitment to compliance with the law and ethical conduct by exercising due diligence in meeting the criteria."


Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an "effective program to prevent and detect violations of law."

The Guidelines contain criteria for establishing an "effective compliance program."

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

· Systems for monitoring and auditing
· Incident response and reporting
· Consistent enforcement including disciplinary actions


Yet the corporate incivility continues. Why is it that we can’t pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Here lies the question many Board of Directors are scratching their heads about these days. How can we avoid these ethical and legal dilemmas and how can they be addressed without creating a state of fear and panic?

That’s when I really learned that this game of business is just about the human factors. It’s really not about the controls, the monitoring or even the awareness programs. It’s about being a model manager, and a model human being.

The odds are it will be the human factors that are going to be what gets you on the steps of the local federal building. And it all comes back to good old-fashioned management 101.

As indicated, the great manager can impact the lives of tens or hundreds of people in your company. Conversely, the uncivil manager can wreak havoc with a similar numbers of lives. The position of management is every so powerful to influence those around them.

Your company wide compliance initiative has the elements that provide guidance for creating a program that the government is likely to look favorably upon. The problem is that these same criteria inadvertently communicate the message that implies building a program based on this formula is enough. It isn’t.

Friday, March 04, 2005

Fraud: #1 Operational Risk...

We could not agree more with Ron Hagenbaugh in his article in Corporate Boardmember.

To conduct an effective fraud risk assessment follow these steps:

1. Organize and define the assessment objectives with company management and your internal audit committee. Form a team of fraud and control experts, and get senior management and audit committee buy-in: Ask them to communicate their endorsement and sponsorship of both the process and a strong anti-fraud program to the entire organization.

2. Determine the business and accounting process(es) to be assessed and investigated. Usually, the initial processes selected are those where fraud or abuse has previously occurred or that management has identified as critical business processes that may be susceptible to fraud or abuse.

3. Identify potential schemes and scenarios specific to the process(es) to be examined against current controls. Fraud schemes and scenarios should be selected based on the specific business process, the industry, physical location of the process operation and any known frauds or abuses concerning the process.

4. Determine the likelihood of a fraud occurring within each scheme and scenario. The Public Company Accounting Oversight Board has defined risk levels as remote, more than remote or reasonably possible, and probable. If assessing a public company, assess the risk levels in relation to SOX compliance efforts.

5. After the fraud risks for individual processes have been identified, documented, and rated as to risk level, match the controls within each process to the identified fraud risks. Determine the effectiveness of each control in preventing or providing a means of early detection for the fraud risk. Group the risks as to their probability of occurring within the process.

6. Estimate the probable loss in dollars should the fraud or abuse occur. Try to place a value on loss of reputation if that is a possible outcome.

7. Prepare recommendations for strengthening controls and present to management.


One big question on fraud is this. Has Sarbanes-Oxley been any help? A recent survey by Oversight Systems has some interesting statistics:

Of those surveyed, 79 percent report having stronger internal controls as a result of SOX compliance. Nearly three quarters (74 percent) say their companies realized a benefit from SOX compliance. When asked to identify the benefits from SOX, the survey reports that:

* 46 percent say SOX compliance ensures the accountability of individuals involved in financial reports and operations

* 33 percent say SOX compliance decreases the risk of financial fraud
* 31 percent say they have reduced errors in their financial operations
* 27 percent say SOX improvements in the accuracy of financial reports
* 25 percent say SOX compliance empowers the board audit committee by providing it with deeper information, and

* 20 percent say SOX strengthens investors’ view of the company.

However, the bottom-line benefits of SOX compliance seem fuzzier when the group was asked what impact SOX compliance had on shareholder value. Many, 37 percent, of those surveyed say SOX increased shareholder value because investors know they operate as an ethical business, and 25 percent report that SOX boosts shareholder value by building overall confidence in the market. However, 33 percent say SOX compliance created a cost burden that suppresses stock prices, and 14 percent feel that SOX decreased their ability to pay out dividends because compliance expenses are a significant drain on earnings (respondents could select all that applied).


SOX may be expensive, yet we are confident that as most executives realize that this is not another Y2K exercise, they will invest even more wisely in the years to come.

Tuesday, March 01, 2005

DHS - Time to Use The Carrot Instead of the Stick...

The US Department of Homeland Security - PSO (Private Sector Office) has begun it's push to get the private sector to do it's share with the "Carrot" instead of the "Stick."

Homeland Security officials in the Bush administration are considering ways to use the insurance industry as a free-market-friendly vehicle to drive chemical facilities, food companies, utilities, and other businesses to take greater precautions against terrorist attacks without heavy-handed new regulations.

The concept of using insurance to spur companies to spend on counterterrorism measures may solve a vexing homeland security problem: Despite improvements the government has made to upgrade security at public facilities since the 2001 Al Qaeda attacks, 85 percent of American infrastructure is privately owned and underprotected.

Any attack on chemical, ground transportation, banking, food, energy, or utility sectors could cause massive destruction and cripple the economy. But companies have lobbied hard to defeat legislation to force them to upgrade their security practices, finding allies among free-market Republicans in Congress.

Proponents hope the insurance proposal will be a sweeping solution to the impasse. The basic idea would be to have the government or each industry develop a minimum set of security "best practices." Then, insurers would audit companies for compliance with those standards, with the power to reduce premiums for those who comply.


Current Situation

The private sector has a fragmented approach to critical infrastructure preparedness in a new “all hazards” worldview. Each trade association with an interest in protecting commercial buildings, malls, hotels and other soft targets is creating policy and direction for its respective membership based on political agendas and other influences by local government and regional initiatives. Local jurisdictions are equally fragmented and looking for funding to train additional CERT (Corporate Emergency Response Team) volunteers and are still waiting for significant funding to have a real impact on their high profile properties. DHS Private Sector Office (PSO) has launched “Ready Business” and is working closely with critical infrastructure sectors to help coordinate communication between constituents and coalitions such as the National Capital Region. In the mean time, our preparedness level is not increasing at an acceptable pace due to a number of issues.

Desired Situation
The private sector needs a rapid and more effective program to extend the DHS Ready campaign for Business into the nation’s critical infrastructures. One way to do this is to use a combination of 15,000+ “Feet on the Street” InfraGard citizen soldiers and cooperation with key industry groups and the real estate sector would provide the framework for rapid implementation of preparedness training and exercises. A smart approach is a “Train-the-Trainer” methodology to provide key incident command, emergency communications, evacuation, first aid, and shelter-in-place skills and knowledge transfer to selected InfraGard members in major metro areas. Working in concert with local officials, members of the Real Estate ISAC and InfraGard Certified Trainers, building owners, landlords and tenant businesses can be trained to handle an “All Hazards” threat scenario. Each identified soft target building or critical infrastructure facility will have a local plan that is rolled up by geographic proximity to its nearest firehouse or emergency response unit and exercised in tandem.

Frank Cilluffo, who until 2003 served as President Bush's special assistant for homeland security, said he is fascinated by the idea of offering less expensive insurance against terrorism to companies that take appropriate precautions. He said it would constitute "a business case for homeland security to ensure that the private sector is fulfilling its share of their responsibility."

The system would encourage companies to protect against limited threats, such as truck bombs or internal sabotage, and the government would guard against greater threats, such as nuclear terrorism.

"Hopefully, these steps, which will be incentivized and/or mandated, will raise the bar higher and improve our countermeasures against terrorism," said Cilluffo, now head of the Homeland Security Policy Institute at George Washington University. "This is not the panacea. This is not the solution. But it takes us a whole lot closer."


In a recent survey conducted by Robert Half Management Resources the top two areas of potential vulnerability and concern cited by CFOs are disaster recovery (37%) and the security of information systems (24%). A common theme between these exposures is the need to better identify and understand the full range of risks that companies face today and the need for all organizations to develop new ways to more effectively manage these risks. By developing cross-company approaches for addressing all areas of risk, companies will begin to move toward a systematic, enterprise risk management process that most effectively reduces risk and controls cost.

"These two top areas of vulnerability in the eyes of a Chief Financial Officer stem from the perceived weaknesses in the organizations readiness and from the constantly evolving regulatory pressures to comply with new laws," said Peter L. Higgins, Managing Director of 1SecureAudit. "Operational Risks that evolve from inadequate or failed processes, people, systems or from external events are on the CFOs mind, and this includes acts of terrorism."