Friday, January 27, 2006

Travel Threat: Executive Operational Risk...

Operational Risk Management is a vital component for any Board Member or Corporate Manager who travel internationally.

Company executives who travel extensively on commercial airlines are constantly being subjected to a spectrum of new threats. The latest concern is putting executives in potential harms way with the rise in Avian Flu.

Once these highly compensated and important corporate officers reach a cities destination, there is of course the choice of hotel. Where and where not to stay is now a question many corporate travel departments are asking themselves. How do you know what is the most secure and safe place to stay?

Stratfor provides substantive tips and advice from their intelligence and publications. Terrorist attacks in past years against U.S., Israeli and Australian embassies forced Western countries to harden their diplomatic compounds abroad, turning them into veritable fortresses of security. In response, terrorists began focusing on softer symbols of Western influence, such as large hotels and resorts. By attacking a Marriott, a Hyatt, a Moevenpick or another popular Western chain, the perpetrators can cause mass casualties and gain international media attention -- and all without having to penetrate extreme security.


As a saavy travel department and global corporate security chief already know, there are some other choices that should be considered namely, iJet:

iJET was incorporated in 1999 with a mission of protecting international travelers through the use of our proprietary technology and services platform. That mission has evolved and broadened over time as our Worldcue® Risk Management System has been applied to protecting both employees and other assets of multinational corporations. Today, iJET has over 350 corporate clients that rely on iJET to monitor, protect, and respond to operating risks around the world.

The escalation of terrorism, infectious diseases, and unforeseen natural disasters has forced multinational organizations and their employees to re-evaluate their perception of risk. Such events are often beyond a company's control, yet corporate liability and responsibility to employees and assets continues to increase. As a result, corporations need a fresh approach and new set of tools to meet the operational risk management demands in today's business environment.


This part of the equation is an easy one. Get real-time intelligence while on the go and utilize strategic tools and solutions for risk mitigation along the way. Moreover, travel light and without a huge entourage of large NFL size body guards in tow. You might as well paint a bulls eye on your back.

The hard part of the equation is getting your executives and highly valued employee assets trained and ready. Having all of the "What Could Happen" and "Be Careful of" in your head will not be enough unless you train, practice and test. Many global companies are doing just that, training their employees in threat detection and giving them new skills and strategy to save themselves from potential attacks of all kinds. See Threat Detection and Management to learn how.

Tuesday, January 24, 2006

Supply Chain Risk: Spending Time with The Right People...

What is the largest obstacle within your organization to address risks such as corporate fraud, natural disasters and disruptions to your supply chain?

According to top responses in a recent poll of 600 financial executives accross the United States, the UK and Europe:

33% - Insufficient Time

23% - Inadequate Personnel

19% - Insufficient Budget

13% - Not Viewed as a priority


Does this mean that the Board of Directors has transfered risks using vehicles like insurance? The same study asked what percentage of risk management budgets are allocated to "Risk Control" vs. "Risk Transfer":

Risk Control - 56%

Risk Transfer - 44%


While there are new and innovative new insurance policies being marketed these days, these typically can not cover many of the losses from damaged corporate reputation, a drop in market share or lost sales. As Board of Directors raise the priority above a 13% response, this should cascade to impact the insufficient budget. Now the question remains on how to deal with the "Inadequate Personnel" and "Insufficient Time".

You can hire dedicated people, add additional responsibilities to existing personnel or you can even Insource. In every case, you will need to find more time for planning and training to make sure that new risk controls are implementated and monitored. Without a systematic program that is culturally institutionalized, even these new initiatives will fail.

To quote one of the leading global business continuity membership organizations Survive:

Business Continuity Management is about not making excuses. It's about being wise before the event. It is a state of mind that understands great organizations never moan they didn't do well because of the state of the economy, a fire at the warehouse, an internal fraud, or a strike by a key group of workers. Great organizations do well anyway.

Friday, January 20, 2006

OFAC Compliance: Ensure Your Transactions are Legal...

Archaic and ineffective name searching technology is still in use today across all levels of intelligence agencies and law enforcement. Names remain the single most important means for identifying persona non grata at our borders. Biometrics are only useful the second time you meet someone. Everyone in the world knows how easily security at America’s borders can be circumvented — except Americans.

Language Analysis Systems is the world's recognized leader in providing multi-cultural name recognition software solutions for mission critical applications. We have worked with U.S. Intelligence and Border Protection agencies for nearly two decades, developing a revolutionary and patent-pending approach to name matching and searching, going far beyond simplistic Soundex and key-based approaches. We offer a variety of proven commercial products to government, law enforcement, and commercial organizations that solve a multitude of name related problems.


How else can this technology be used to help our DHS with the war on terror? Are you a U.S. business? If you are, then you must comply with OFAC especially if you are a financial institution, mortgage broker, car dealer, boat dealer, real estate agency or insurance broker.

OFAC administers and enforces economic and trade sanctions against targeted foreign countries, terrorism sponsoring organizations and international narcotics traffickers.

Pay attention. Dutch bank giant ABN Amro Bank , has agreed to pay a total of $80 million in US fines for violating regulations to prevent money-laundering, regulators and the bank said last month.

The Financial Crimes Enforcement Network at the Treasury Department said that ABN's "serious, longstanding and systemic" problems allowed people from Russia and other former Soviet republics to move $3.2 billion to shell companies in the United States from August 2002 to September 2003.

Investigations by state and federal officials also found that the Chicago and New York branches of the bank participated in wire transfers and trade transactions from 1997 to 2004 that violated economic sanctions on Libya and Iran.

ABN AMRO said on Monday that it recognises that serious mistakes were made and accepts the sanctions.


There are now dozens of software solutions and programs available to help with compliance of BSA and AML compliance. The question is, which one is right for your organization? If you do not have a step in your customer or client acquisition process that intersects with compliance then you are at significant risk.

Sales and business development personnel, business development or broker networks must be able to have a high degree of confidence that the business or person they are creating the quotation or proposal for is not an SDN, or Specially Designated National.

Are you an insurance company who uses a network of brokers? What are you doing to implement the policies and programs to comply with this new requirement:

The final rules apply to insurance companies that issue or underwrite certain products that present a high degree of risk for money laundering or the financing of terrorism or other illicit activity. The insurance products subject to these rules include:

• permanent life insurance policies, other than group life insurance policies;

• annuity contracts, other than group annuity contracts;

• any other insurance products with features of cash value or investment features.

At minimum, insurance companies subject to the rule requiring an anti-money laundering program must establish a program that comprises four basic elements:

• A compliance officer who is responsible for ensuring that the program is implemented effectively;

• Written policies, procedures, and internal controls reasonably designed to control the risks of money laundering, terrorist financing, and other financial crime associated with its business;

• Ongoing training of appropriate persons concerning their responsibilities under the program; and

• Independent testing to monitor and maintain an adequate program.

Thursday, January 19, 2006

Scenario Analysis: The Value of the Hypothesis...

In the December 2005 issue of OpRisk and Compliance Magazine Dean Lamble from Hewlett-Packard has this to say in the article on "Planning for Disaster":

Key areas will include security, evolving threats of terrorism, and how to cope with a pandemic outbreak such as bird flu. Companies will be paying far more attention to how the contingency plans perform when tested. Compliance continues to be a key concern, with increasing legislation directing responsibility to the board.

More than 25,000 banks around the world will work to comply with Basel II over the next five years. One of its most controversial aspects is the inclusion of Operational Risk Management. While banks have attempted to manage operational risks for many years, now for the first time they must measure it.


Most money center banks have already achieved high levels of competency with capturing loss events and with risk self-assessments. Scenario analysis and KRI (Key Risk Indicators) is still a distant goal. OPS Risk is still a maturing discipline and regulators are allowing some flexibility here. However, financial institutions are still stuck to some degree on imagining incidents that have not occured to them in the past. Probabilities are not low just because they haven't happen to your institution historically.

A hypothesis is the place to begin.

hy·poth·e·sis ( P ) Pronunciation Key (h-pth-ss) n. pl. hy·poth·e·ses (-sz)

1. A tentative explanation for an observation, phenomenon, or scientific problem that can be tested by further investigation.

2. Something taken to be true for the purpose of argument or investigation; an assumption.

3. The antecedent of a conditional statement.


If an event has happened to another insitution is it so improbable that it could also happen to your own firm? The starting point for effective scenario analysis is the intelligence and the external data that provides the evidence of such an incident. Then the goal is to gain "insight" on how it could happen and what the impact would be in your own environment. Capture of data on extreme events is imperative even if only one $10M. event has occured in the last ten years.

Today, an audio tape from Osama bin Laden has been posted on the Internet along with a transcript of his comments. The authenticity is being validated as he has not been heard from for over one year. Has your scenario analysis included potential events of the magnitude of the 7/7 bombings in London or the 11/9 Amman Jordan suicide attacks on three Western hotels?

"Bruce Newsome, a terrorism researcher at the think tank RAND, said the plot carried out by four men in London is a "likely model for future U.S. attacks." The bombers, all British citizens, had no criminal records, weren't on any watch lists and had no extremist pasts. (A fifth man, believed to be the mastermind of the plot, has been arrested in Egypt.) Tracking such potential perpetrators is nearly impossible because there are no warning signs, Newsome said."


Somewhere in your contingency planning and scenario analysis there must be hypothetical loss events on the magnitude beyond our imagination.

Tuesday, January 17, 2006

You've Been Indicted. The Most Feared Words in the Boardroom...

Over two years ago this corporate governance article appeared in Corporate Board Member Magazine.

June 25, 2003
You've Been Indicted. The Most Feared Words in the Boardroom

By Peter L. Higgins


Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an "effective program to prevent and detect violations of law."

The Guidelines contain criteria for establishing an "effective compliance program."

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

* Systems for monitoring and auditing
* Incident response and reporting
* Consistent enforcement including disciplinary actions


Yet the corporate incivility continues. Why is it that we can’t pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Here lies the question many Board of Directors are scratching their heads about these days. How can we avoid these ethical and legal dilemmas and how can they be addressed without creating a state of fear and panic?

The answer lies in the human factors of what motivates people’s behavior. This requires programs, controls and good old fashioned vocational counseling. However, the real facts are that all of these alone will not be able to stem the tides of corporate malfeasance.

A guest column by Jacob Blass
President, Ethical Advocate
highlights the past few years:

The number of companies around the world that reported incidents of fraud increased 22% in the last two years according to the 2005 biennial survey by PriceWaterhouseCoopers (PWC), which interviewed more than 3,000 corporate officers in 34 countries. In England, a recent Ernst & Young survey of the Times Top 1000, indicated the average cost of each fraud exceeded $200,000.
But fraud is not the only problem. There's also misconduct, unethical behavior, lying, falsification of records, sexual harassment, and drug and alcohol abuse.

PWC found that “accidental” ways of detecting fraud, such as calls to hotlines or tips from whistleblowers, accounted for more than 33% of the cases. Internal audits were responsible for detecting fraud about 26% of the time.


If these latest figures are correct than this means that 59% of the detection was a result of effective operational risk management. Let's just hope that the remainder is the result of corporate managers and leaders doing their job to mitigate new risks on a daily basis.

As indicated, the great manager can impact the lives of tens or hundreds of people in your company. Conversely, the uncivil manager can wreak havoc with a similar numbers of lives. The position of management is ever so powerful to influence those around them.

Your company wide compliance initiative has the elements that provide guidance for creating a program that the government is likely to look favorably upon. The problem is that these same criteria inadvertently communicate the message that implies building a program based on this formula is enough. It isn’t.


Maybe it’s time the Board of Directors looked into who is managing the organization into a future of civil or uncivil destiny. We have a clear choice.

Wednesday, January 11, 2006

HSAC: Private Sector Information Sharing Task Force...

At first glance the room full of Homeland Security Advisory Council members looked like any other agency briefing. C-Span setting the stage for people to look good and say the right thing for the public record. Items such as we need to use a systematic risk management approach to funding and we should replace the word "Protection" with the word "Resiliency" were the highlights. And underneath, the audience was disturbed by the presentations because of it's lack of solid recommendations.

What happened later in the closed door session is where the rubber meets the road and serious work gets done. Yet the take away was this. After reading the 80 page report from the Private Sector Information Sharing Task Force there was one recommendation that stood out.

DHS should respond to private sector concerns about liability risks associated with sharing security information with DHS. This is why they recommend that the Critical Infrastructure Information Act (CIIA) should be fully implemented. If this could ever be clarfied and the legal counsels of the private sector gave it a major blessing then we would be well on our way to achieving a greater degree of safety, security and peace of mind.

In fact, Attachment D of the report goes so far as to list the categories of information that the government is seeking from the private sector on the critical infrastructure that they own. The number one item on the list is "Cyber Threats to U.S. Infrastructure". The number two item is "Terrorism".

It's no surprise that these are the two largest threats to the U.S. in the eyes of the task force.

Friday, January 06, 2006

OPS Risk: An Ocean of Continuous Change...

In the latest issue of OpRisk & Compliance Magazine Eric Holmquist from Advanta makes the case for the Small to Medium sized institution. His brilliance continues and it's one of the reasons why we are an Advanta customer. They understand and practice OPS Risk hands down.

Overseeing an operational risk programme never ceases to fascinate me. There are aspects to op risk that are overwhelmingly unique from any other risk discipline. As I have said previously, it has the most moving parts. It involves every single person in the company, without exception. It is constantly in motion, involving an ever-changing set of assumptions and forces. And it is, ironically, sometimes unfortunately, and perhaps more importantly, the most intuitive.


Eric singles out the large mistake many organizations have made. Certification of controls for SOX 404 misses many of the OP risk factors and is all to focused on the financial control itself. Operational Risk assessments properly look at the potential and the likelihood of failures in the process so far, as well as potential threats to the process in a high moving parts environment.

The hint in his article about evaluation of core processes under the "heat lamp" is most critical. When people and systems are concerned, there are all too many opportunities for a failure and potential losses to occur. And those people are exactly who are the ones to be in the drivers seat to analyze those places that the proper tools in the right hands could exploit a known vulnerability. They may not know all of the ways to mitigate the threat, yet they are where you are going to get your "intuition" on what could happen.

As Eric says, "Operational Risk is constantly in motion", and assumptions change as often as the weather.


As the discipline of OPS Risk matures in the white collar world of Wall Street and the blue collar world of small community banking one thing is certain. No one will ever be able to predict or provide a scenario analysis that prepares exactly for the next incident. Mother Nature may act the same over and over to some degree and that helps us think in terms of magnitudes and categories. What about the person sitting in the next office who makes a random decision to inflate last months expense report? What about that electrical fire in the storage room?

Those who can master the art of change and rapidly adapt as unforeseen events occur will be here tomorrow to take on that next unplanned scenario.

Wednesday, January 04, 2006

Security vs. Privacy: A Public Private Paradox...

If your are interested in what is on the minds of some of the PowerBase for information security and privacy you need to look no further. The comments and posts on Bruce Schneier's weblog tell the truth. His post on the Top Ten Privacy concerns from EPIC, (The Electronic Privacy Information Information Center)has created some very interesting points.

And to add to the concerns, comments and controversy is this:

Cyber Security Industry Alliance (CSIA), the only advocacy group dedicated to ensuring the privacy, reliability and integrity of information systems, today called on the federal government to assert greater leadership in the protection of our information infrastructure in 2006. Its release of the "National Agenda for Government Action on Information Security" identifies 13 specific actions required to improve information security for consumers, industry, and governments globally. As part of the Agenda, CSIA also provides a report of the government's limited progress in information security in 2005 and releases a new "Digital Confidence Index" that reflects the public's lack of confidence in our nation's critical infrastructure.


What is the paradox? The feds may need to show more leadership yet the private sector owns a majority of the critical infrastructure. Any lack of confidence should be an indicator that the private sector hasn't invested enough money and resources in information security and protection of our country's vital corporate assets.