Wednesday, April 27, 2005

Terrorism Risk...

For a copy of the 2005 Aon Terrorism Risk Map Click here to visit their site. It has their risk ratings for every territory in the world.

The Teorrism Risk Map shows that participation in the US-led Iraq coalition has increased terrorism risk in countries such as Australia, Poland and Estonia. There is concern that Al-Qaida and other international terrorist organizations could take advantage of anti-western sentiment and launch terrorist attacks in these countries in future. Businesses which originate from these countries should also be aware of threats to their operations and personnel abroad as evidenced by incidents such as the terrorist attack on the Australian embassy in Indonesia, the recent bombing of a British theater and school in Qatar and the thwarted plot to blow up the Italian embassy in Lebanon.

"Terrorism is not a new threat and many international businesses have to date been rightly pre-occupied with the risks facing their operations in the Middle East, Africa and the Gulf. Although companies do need to be aware of the global picture, the 2005 map highlights the need for vigilance in so called 'safer' European countries," commented Paul Bassett, executive director in Aon's Crisis Management division.

"Companies must acquire as much knowledge as possible about the risks they face and their exposure to those risks in order to minimize the human and financial impact of such attacks. Businesses can then assess how best to allocate their expenditure on insurance and counter terrorism risk management procedures effectively," he added.


What does all of this mean? It means that now more than ever the insurance industry is going to look more closely at the risk of your people and property being in harms way. And if they are, then what is being done to mitigate those risks. It all comes down to what the insurance companies want from you as a client. To buy more insurance. If that is all you do, then you have missed several other strategic and tactical means for protecting your organizations vital assets.

Monday, April 25, 2005

CEO's vs. Boards...

There is another interesting perspective in this months Corporate Board Member Magazine regarding the trust factor between the CEO and the Board of Directors.

It seems that there is still a major battle going on here with some companies but the question is why does it exist? More and more the shareholders are upset with performance and other key issues and they are putting the pressure on Directors to act. What is a shareholder to think when the annual shareholders meeting becomes a one-way conversation and the Q & A is herded into the last 15 minutes and there is no longer a live mic on the floor. If there are suspected hostile or threatening entities in the audience then security should do their duty and remove these individuals. However, when the executive management are clearly shutting down a meaningful open dialogue with the shareholders, then the Board of Directors should be questioned on their allegiance.

Of course there are many examples of where the Chairman of the Board is still the CEO and this is one topic for another date. What is interesting in the debate on the anxiety between the executives and the board these days is this:

After nearly three years of fallout from Sarbanes-Oxley, plus the frightening realization that directors may be held financially liable for their oversight failures, boards are no longer looking at their CEOs with wonder. In fact, they’re downright skeptical. “Trust in the CEO is not at the levels it used to be,” says Richard Koppes, a director of Apria Healthcare and Valeant Pharmaceuticals International. Adds Philip Burguieres, chairman emeritus of Weatherford International and a former CEO of Panhandle Eastern Corp. and Cameron Iron Works: “The element of trust seems to be gone. A few guys have done great harm.”

Obviously the vast majority of CEOs are trustworthy, but all have been slimed to some extent by the scandals of recent years. In 2003 a joint BusinessWeek/Harris Poll survey found that nearly 80% of Americans believed that CEOs of large companies put their own interests before those of workers and shareholders.

To say that boards don’t trust the CEO is not to say that they suspect dishonesty. If they did, turnover at the top of the corporate totem pole would be even higher than it is. Last year 663 CEOs decamped to other jobs, retired, or were fired, down from the high-water mark of 1,106 in 2000, according to Challenger Gray & Christmas, an outplacement firm that keeps track of these peregrinations. Rather, what boards fear is that their CEO isn’t leveling with them, that all information that directors receive about the company is filtered through the CEO’s ego.

When McKinsey & Co., a management consulting firm, surveyed 150 directors in 2004, 81% said that the CEO largely or completely controlled and shaped what board members learned about the company. Only 30% said they felt they really knew what was going on. Directors want to take more control of the information they are getting, and that’s a direct challenge to the CEO’s power.


The risks facing organizations today go way beyond the typical issues you hear about in the Board of Directors meeting or the Audit committee conference calls. The risk of a systemic failure of the corporation is at it's roots a failure of the way information is collected, processed and delivered. Think about the simple process of sales forecasting and you begin to see where the root problem is. At each step of the roll-up and the chain of management there is another layer of guess work and sanitization. If a Board member ever got the chance to ride in the field with a seasoned sales rep and also attend a district sales meeting during a pipeline analysis then they would begin to understand why the CEO is guarding the "Corporate Fort" at all costs.

Thursday, April 21, 2005

Here is How to Protect Your Organization...

Rob Norton's cover story on Risk is a great primer to what corporate executives and board members around the globe have known for some time.

Crooked managers. Changing technology. Financial surprises. Who knows what company-killers lie ahead? Here’s how directors can protect themselves.

No single four-letter word is more likely to raise a board’s collective blood pressure these days than risk. The recent parade of corporate scandals can be blamed in part on a lack of effective systems to recognize and manage risk—not just insurance matters but broad operational and financial hazards to the enterprise. Now risk management has risen to the top of the agenda for many directors. Often the job falls under the authority of the audit committee, but some U.S. boards, including that of MCI (formerly WorldCom), have appointed special risk management committees. The boards of several European and Canadian companies have adopted formal processes aimed at alerting directors to the extent to which the outfits are exposed to risk and how it is managed.

The risks that blew up in the faces of boards at companies such as WorldCom, Enron, and Parmalat all come under the general category of operational risk, broadly defined as the danger of loss resulting from inadequate or failed internal processes, people, or systems, or from external events. These can include:

• Unscrupulous managers.
• Business interruptions caused by terrorism, war, or natural disaster.
• Supply-chain breakdowns.
• Changing technology.
• Increased competition.


Fortunately, the article mentions "Supply Chain Risk" as an area that needs more scrutiny as companies continue to increase offshoring and outsourcing to gain competitive advantages. This area of Operational Risk is a growing concern by not only shareholders, but the plaintiffs who follow the aftermath of Eliot Spitzer's investigations.

A significant business disruption (SBD) will occur at your organization each day, week, and month this year. The question remains that of what you are already doing to manage these inevitable incidents. We suggest a "4D" approach:

Deter

Detect

Defend

Document


This "4D" Managed Services approach to managing Operational Risk provides the initial framework for creating a strategic enterprise risk management (ERM) initiative in the organization. Each area has it's own tools, systems and processes yet each is connected to the Risk Nervous System via the 1SecureAudit Operational Risk Enterprise Architecture. (OREA)

OREA utilizes a proven and systematic approach for risk assessment, data capture, risk treatment and reporting. To facilitate efforts to transform the organization into one that has lower volatility of earnings growth and is more secure, 1SecureAudit co-designs the Operational Risk Enterprise Architecture (OREA), a business-based framework for organizational-wide improvement.

People
· Employee Fraud / Malice
· Unauthorized Activity
· Rogue Trading
· Employee Misdeed
· Employment Law
· Loss/lack of personnel

Processes
· Payment / Settlement
· Delivery / Selling
· Documentation / Contract
· Valuation / Pricing
· Internal / External Reporting
· Compliance

Systems
· Technology Investment
· Development
· Access
· Capacity
· Failures
· Security Breach

External
· Legal Liability
· Criminal Activities
· Outsourcing
· Suppliers / Insourcing
· Disasters / Infrastructure
· Regulatory / Political

OREA is constructed through a collection of interrelated “reference meta models” designed to facilitate cross-lines of business analysis and the identification of duplicative processes, departments, gaps, and opportunities for collaboration within and across lines of business (LOB). This OREA and Business Reference Model is intended for use in analyzing investments in Operational Risk projects and other capital assets. It also serves as a foundation for the development of a broader architecture that can serve as the platform for a comprehensive budget and performance reporting system that supports enterprise wide business risk integration and change management initiatives.

Wednesday, April 20, 2005

VoIP, WiMAX: Business Resilience

What about the risks of VoIP? In case you haven't seen a presentation from Lucent Technologies recently, you should.

As a witness to their latest presentation in Washington, DC on "How Next Generation Networks Can Impact Business Resilience", there are some very interesting trends and capabilities here now and on the horizon worth exploring.

The Lucent approach to VoIP security is largely based on standards, many of which Lucent and its "innovation engine," Bell Labs, have helped to develop and shape. For instance, the International Organization for Standardization offers ISO 17799,which provides recommendations for information security management and provides a common basis for developing organizational security standards and effective security management practices. Similarly, the International Telecommunications Union's X.805 standard defines a security architecture for systems providing end-to-end communications.And NRIC,the Network Reliability and Interoperability Council, provides best practices guidance in a number of areas that relate to VoIP operations.

Lucent, with its unmatched telecom heritage and broad experience can be a partner in helping develop actionable plans and in implementing successful VoIP security programs based on these standards. Lucent's best practices include security policies that outline expected behavior and security awareness of users, administrators, managers and other employees as well as security assessments to pinpoint security gaps, and to determine what is happening in practice rather than simply what may be documented in policies.


You have to keep in mind who Lucent's customer base really is. The Regional Bell Operating Companies (RBOC), MCI, AT&T as well as all of the major wireless providers make up the majority of their client base. They will have advance notice of what providers are launching new technologies when, and they will have plenty of non-disclosure about who they think is the best vendor. It sure is refreshing to talk with a company who is all about capability and soundness of technologies. How the provider ends of servicing the customer is another topic.

On another front, they predict that by 2008 about 60% of laptops will be shipping with WiMAX.

The WiMAX Forum™ is working to facilitate the deployment of broadband wireless networks based on the IEEE 802.16 standard by helping to ensure the compatibility and inter-operability of broadband wireless access equipment. The organization is a nonprofit association formed in June of 2001by equipment and component suppliers to promote the adoption of IEEE 802.16 compliant equipment by operators of broadband wireless access systems.

Principles:
WiMAX Forum is comprised of industry leaders who are committed to the open interoperability of all products used for broadband wireless access.

Support IEEE 802.16 standard
1. Propose and promote access profiles for their IEEE 802.16 standard
2. Certify interoperability levels both in network and the cell
3. Achieve global acceptance
4. Promote use of broadband wireless access overall

Monday, April 18, 2005

The Risk Barometer...

The Risk Barometer may be changing if this latest survey is correct:

The most significant issues facing business today, according to respondents to the first Risk Barometer survey, are reputational risk (defined as the threat of any event that can damage a company's reputation) and regulatory risk (defined as problems caused by new or existing regulations). These two risk categories received the highest scores in the Risk Barometer, indicating that they are seen as more significant issues than market risk, foreign exchange risk and country risk by the majority of executives in the survey. The third most significant threat cited by executives is IT network risk, which encompasses network security breaches and IT systems failure.


The natural hazards category is decreasing as a priority in the eyes of these risk managers predominately from the financial services sector as this is being covered primarily by insurance. Also, the frequency of events is a factor here. Reputation and Regulatory Risk are both areas that need attention in the enterprise and managers are finding it more challenging to put the correct controls and measures in place to mitigate these two growing threats to the organization.

Tuesday, April 12, 2005

CFO's vs. SOX 404...

The battle lines are heating up as more and more companies delay their reports on performance. The lines are being drawn in the sand over whether the SOX 404 compliance mandates are just too much for some finance and IT departments to handle. And the CFO Executive Board is shouting that this Sarbanes-Oxley Act is the reason we are losing jobs.

Candice S. Miller is now in the hot seat as the Republican from Michigan becomes the new chair of the House Government Reform subcommittee on regulatory affairs. Her first agenda item is the impact of regulation on US manufacturing. The CFO's in America are waving the white flag as they pretend to be drowning in regulatory compliance issues. The question now is whether all of this hard work on SOX 404 and other laws will ultimatley benefit corporate America. The answer is yes.

In the long run not only will the investor's win, so to will the executives who have devoted so much time and energy into regulatory and legal compliance. As stewards of the enterprise and overseers of their own corporate sandbox, they will soon realize the investment in their own organization has been a prudent one.

For more on the CFO Point of View, see this proprietary report by the CFO Executive Board.

The report includes the predictions of a proprietary model the CFO Executive Board built to estimate the impact of Section 404 compliance activities on the US economy.

A key finding reveals that unless senior corporate executives take extraordinary measures to ensure that Section 404 compliance efforts do not crowd out key managerial activities and R&D investments, these requirements threaten both economic growth and job creation. More specifically, the report concludes that Section 404, as implemented, could retard job creation by more than 300,000 jobs and slow GDP growth by nearly 0.5 percent during the next three years.

"When you consider that Sarbanes-Oxley was drafted in only a few months, it's not surprising that companies have experienced serious, unexpected problems and high costs in complying with these new requirements," says Scott Bohannon, executive director of the CFO Executive Board

Of course, not all the news is bad.

Friday, April 08, 2005

Terrorism Risk Management

In light of the fact that the insurance industry is still immature in their models due to a lack of actuarial data the real estate financiers are considering alternative approaches to risk mitigation and management. For example, tools for the assessment of terrorism vulnerabilities exist today that could be introduced into the cycle of due diligence. As these tools are adopted to assess and help reduce the risk of unknown man-made events, the lenders and the insurers will converge on these new models to help rate structures and critical infrastructure in terms of their exposure to terrorism risk.

Due diligence requires detailed property inspections and audits to provide sound advice to key decision makers on the state of a real estate property. Vulnerability to terrorist attack will become, if it isn’t already, a critical component of due diligence. The individuals and firms that provide these solutions must be multi-faceted in operations, security and building systems in order to provide a comprehensive and fair report. This assessment should include the operational procedures and hazard mitigation programs of the building to determine the overall vulnerability to a combination of both natural and man-made events.

Asset Identification & Valuation
Priorities for protecting both physical and information assets is obtained through a comprehensive process for enterprise risk management. You must identify the relative importance and value of assets whether they are people, processes, systems or facilities. Three primary actions must take place:

1. Identification and Definition of core business processes to sustain the organization in business (sales, customer service, accounting)

2. Identification of critical business infrastructure assets such as:
o Personnel to run the functions and facilities
o Information systems and data
o Life safety systems and safe havens
o Security systems

3. Assign a relative protection priority
o High – Loss or damage would have grave consequences for extended time
o Medium – Loss or damage would have serious consequences for a moderate time
o Low – Loss or damage would have minor consequences for a short period of time

Threat Assessment
Once this is completed a thorough threat assessment must take place. This is a continuous process of information gathering, analysis and testing. There are five key elements associated with threat profiles definition and analysis factors:

1. Existence – who or what are hostile to the assets
2. Capability – who or what weapons or means have been used in the past
3. History – what and how often has this occurred in the past
4. Intention – what outcomes or goals does the threat agent hope to achieve
5. Targeting – what is the likelihood that surveillance is being performed on the assets


Next a set of Event Profiles for the threat scenarios must be created. These detailed profiles describe the mode, duration and extent of an incident event as well as mitigating or exacerbating conditions that may exist.

The output of the threat assessment is the determination of threat rating to each hazard and to each asset in the priorities for protection. Assigning a threat rating could be as easy as using high, medium and low as long as you have specifically defined what each one is and also with the use of expert judgment.

As landlords and other interested real estate finance industry partners move towards new standards to mitigate terrorism risk and protect critical infrastructure, the necessity for state-of-the-art tools and systems to mitigate those risks is paramount. CxO’s in corporate enterprises are ever more concerned about emergency preparedness and the continuity of their enterprises. Now that threats to government and business operations are becoming more prevalent, organizations must plan for every type of business disruption from hardware and communications failures, to natural disasters, to internal or external acts of terrorism.

Wednesday, April 06, 2005

Operational Risk: BPO Relationships...

Researchers at the McCombs School of Business are working on empirical studies ("Global Sourcing and Value Chain Unbundling", "An Empirical Analysis of Information Processing Requirements in BPO Relationships") that investigate key decision variables in the choice of BPO relationship structure and form. They argue that the primary questions that managers must address to design and effectively manage a BPO relationship include the following:

1. What are the unique operational risks and challenges associated with outsourcing a particular business process? What demands does the outsourced process place on agent capabilities?

2. What governance model will help the firm address these challenges and architect a sustainable relationship that meets its outsourcing objectives?




If you are like most organizations you rely on a portfolio of 3rd parties to supply you with products, services and labor. These supply chain relationships are a key aspect of effective risk mitigation in your enterprise. Here are a few BS 7799 controls to consider:

Section:10.5.5 Outsourced Software Development
Description: Where software development is outsourced, the following points should be considered:
a. licensing arrangements, code ownership and intellectual property rights (see 12.1.2);
b. certification of the quality and accuracy of the work carried out;
c. escrow arrangements in the event of failure of the third party;
d. rights of access for audit of the quality and accuracy of work done;
e. contractual requirements for quality of code;f. testing before installation to detect Trojan code.

Section:11.1.2 Business Continuity and Impact Analysis
Description:
Business continuity should begin by identifying events that can cause interruptions to business processes, including suppliers, e.g. equipment failure, flood and fire. This should be followed by a risk assessment to determine the impact of those interruptions (both in terms of damage scale and recovery period). Both of these activities should be carried out with full involvement from owners of business resources and processes. This assessment considers all business processes, and is not limited to the information processing facilities.Depending on the results of the risk assessment, a strategy plan should be developed to determine the overall approach to business continuity. Once this plan has been created, it should be endorsed by management.

Section:12.1 Compliance with Legal Requirements
Description:
Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.The design, operation, use and management of information systems may be subject to statutory, regulatory and contractual security requirements.Advice on specific legal requirements should be sought from the organization’s legal advisers, or suitably qualified legal practitioners. Legislative requirements vary from country to country and for information created in one country that is transmitted to another country (i.e. trans-border data flow).

Strategic Impact: An important concept that binds the above process attributes is the strategic impact of the outsourced process. It is likely that a strategically important business process shares strong interdependencies with other business processes in the firm and is marked by relatively higher volatility and specificity. A process of strategic importance enables the company to provide a "fundamental customer benefit" and make a contribution to perceived customer value. Such processes in the firm are substantially superior to those of competitors and help the firm create new products, services and process improvements in the future. The risks associated with such information- and knowledge-intensive business processes include information poaching and loss of competitive advantage. This is especially pronounced if the provider services other clients in the same business domain as the outsourcing firm.

Monday, April 04, 2005

US National Preparedness: TOPOFF 3

Now that DHS has reemphasized the need for the National Preparedness Goal in the U.S., it must be time for the TOPOFF-3 exercise.

The U.S. Department of Homeland Security announced April 1 2005 the publication of the Interim National Preparedness Goal (“Goal”). The Goal will guide federal departments and agencies, state, territorial, local and tribal officials, the private sector, non-government organizations and the public in determining how to most effectively and efficiently strengthen preparedness for terrorist attacks, major disasters, and other emergencies.

“In our complex free society, there is no perfect solution to address every security concern,” said Secretary of Homeland Security Michael Chertoff. “But by working together collectively to analyze threats, understand our capabilities, and apply resources intelligently, we can manage risk. The National Preparedness Goal will help us meet this objective.”


The Top Officials exercise (TOPOFF) will be comprised of local, state and national personnel estimated at around 10,000 people. The price around $16M. will produce real-time scenarios in New Jersey and Connecticut. One will be a biohazard and the other a chemical related incident.

The drills will be monitored by top U.S. Homeland Security officials from a command center in Washington, as well as regional centers in New Jersey and Connecticut.

Although no real weapons or bio-agents will be used, officials will respond as if it's the real thing: flooding the area with investigators and first responders in haz-mat suits, dispatching fleets of ambulances to hospitals across the state, and dealing with throngs of "victims" piling up outside emergency rooms.


The lessons learned will be many. The large businesses in the areas of the drill will soon realize that "Shelter-in-Place" may be a reality soon and should take this time to practice themselves. Remember, it may be hours or days before you can leave your office safely. Now is the time to replenish your supplies, food, water and emergency first aid kits.

Do you think you're spending too much time with your team planning? You haven't. Success in your organization doesn't happen because everything goes according to the plan. It happens because you were prepared when things go wrong. The organizations whose team has planned for every possible scenario and trained together in live simulations will become the most successful. Their missions will be accomplished on time and within budget.

Incidents of different severity and frequency are happening around you and your organization every day. Would your employees know what an incident looks like let alone know what to do next to mitigate the risk to them and the organization?

Friday, April 01, 2005

Is Today April Fools Day?

Now that Corillian is merging with InteliData you can be assured that more banks will see their sales reps. They have also recently partnered with Quova to assist in a more comprehensive and integrated offering for anti-phishing solutions.

As banks continue to try and tackle the ID Theft and Phishing threats to operations, the technology is only a part of the puzzle.

The strategy for monitoring, detection and enforcement must be mult-faceted and involve a combination of technologies. More importantly, you must do as Microsoft has done to find out who is behind these crimes. Let's assume you have very deep pockets.

Microsoft has filed 117 civil lawsuits against alleged phishers trying to scam Microsoft customers out of personal information such as credit card numbers.

The lawsuits, filed in Washington, identify large-scale scam operations and seek damages from so-called phishing operations. Phishers typically send out spam e-mail, made to look like official e-mail from a real e-commerce company, asking recipients to click on a link and update their personal information. The link takes consumers to a website that mimics the look of the real company, but collects personal information for ID thieves to use.

The new lawsuits - Microsoft has previously gone after two other phishing schemes - target unnamed defendants who sent spam e-mail and put up websites targeting Microsoft services such as MSN and Hotmail.

Through them, Microsoft will issue subpoenas and attempt to uncover the names of the people behind them, as well as identify support operations such as Web hosting services and mass e-mail services, said Microsoft lawyer Aaron Kornblum.



Is today April Fools Day? Forget about Phishing. It's time to worry about Pharming.