Sunday, April 29, 2007

Crisis Management: Corporate 4GW...

Crisis Management is getting the increased attention of Board Directors in light of the latest disclosure rules. And Eric Dezenhall's new book is out in collaboration with John Weber and the excerpt is in the latest issue of Board Member. There are 10 crises that are outlined in the article:
  1. Corporate Mission Creep
  2. The Demise of Science
  3. Outspent and Outgunned
  4. Is Junior Covering Your Crisis?
  5. Wall Street War Zone
  6. Everyone's a Pundit
  7. Make 'em Laugh
  8. Your Brand is a Target
  9. Protecting Intellectual Property
  10. The Porous Corporation
Damage Control: Why Everything You Know About Crisis Management Is Wrong. Much of the conventional wisdom about damage control and crisis PR is self-serving, self- congratulatory, self-deceiving—and flat out wrong. And no one knows it better than Eric Dezenhall and John Weber, who have helped countless companies, politicians, and celebrities get out of various kinds of trouble.

If you’re facing a lawsuit, a sex scandal, a defective product, or allegations of insider trading, other PR experts will tell you to stay positive, get your message out, and everything will be just fine. But happy talk doesn’t help much during a real crisis, and it’s easy to lose sight of your real priorities. In a trial, for instance, you might want the whole world to think you’re a wonderful person, but all that matters is whether twelve jurors think you’re guilty.

#10 caught our eye because this discusses the fact that insiders in the organization have a growing powerbase. Fueled with new tools to capture information in real-time and post it to an off site blog or other online location makes the time between the confidential event and the public disclosure become minutes not just hours. Mr. Dezenhall is clear to point out that the new crisis manager is involved in constant monitoring and taking on a more preemptive and preventive mission. Call it "Damage Control" he says.

As the lines begin to blur between corporate roles of crisis management, brand management, public relations, competitive marketing, fraud management and reputation control, so too does the level of Operational Risk. When you have so many individuals responsible for keeping a handle on potential crises as they are uncovered by a tip, a leak or the whistleblower hotline there is an increasing risk of a lack of an effective Incident Management System.

The blogosphere is just another version of the age old online bulletin board on broadband steroids. Skilled journalists who have for years operated in the mainstream media have their own blog on the online site of the offline magazine or newspaper. The power of "Time to Press" is now a matter of the source and the reach of the blog community. Why does Fox Interactive Media own MySpace?

Savvy Board of Directors realize the value of having an open and transparent approach to the governance of the organization. Even as we speak the newest data on executive compensation, perks, bonus or golden parachutes are being published and communicated by online-based data bases. And with all of this transparency and the fact that all of the data is discoverable in an internal investigation or external litigation makes it imperative that management manage this risk proactively. Not after the fact, reactively.

Corporate Risk Intel is nothing new and over the past five years has blossomed into a mandatory high technology business unit within corporate enterprises. The people, processes, systems and tools require a combination of capabilities, expertise and raw instinct. Extensions of Open Source Intel (OSINT) are fueling the internal "Damage Control" department across the globe. The "Porous Corporation" is quickly becoming a modern day forum for survival of the fittest and other Darwinian strategies of "Adaptation".

Over a year ago, this same topic was addressed in adapting to a corporate (4GW) 4th Generation Warfare Paradigm.

Wednesday, April 25, 2007

White Collar Crime: Enduring Truth...

In the 19th century a famous sleuth by the name of Al Pinkerton was quoted:

"A professional should possess the qualifications of prudence, secrecy, inventiveness, persistency, personal courage, and above all, honesty."

Inside the walls of global enterprises are the ticking time bombs waiting for the next opportunity to rationalize their malicious acts upon the organization. Individuals with advanced degrees, outstanding performance and continuous community service are operating just like Al Pinkerton has described, with one exception. Honesty.

White collar criminals are taking the corporate beaches by storm. Backdating once a common practice has now more than 100 companies under investigation. Yet, good old fashioned theft of corporate assets is running at an all time high and internal fraud is now with more tips and leaks a much more easy crime to detect, prosecute and punish. Why do so many companies look the other way and just fire an employee when company wrong doing is uncovered? Reputation.

The phrase "white-collar crime" was coined in 1939 during a speech given by Edwin Sutherland to the American Sociological Society. Sutherland defined the term as "crime committed by a person of respectability and high social status in the course of his occupation." Although there has been some debate as to what qualifies as a white-collar crime, the term today generally encompasses a variety of nonviolent crimes usually committed in commercial situations for financial gain. Many white-collar crimes are especially difficult to prosecute because the perpetrators are sophisticated criminals who have attempted to conceal their activities through a series of complex transactions.

The most common white-collar offenses include: antitrust violations, computer and internet fraud, credit card fraud, phone and telemarketing fraud, bankruptcy fraud, healthcare fraud, environmental law violations, insurance fraud, mail fraud, government fraud, tax evasion, financial fraud, securities fraud, insider trading, bribery, kickbacks, counterfeiting, public corruption, money laundering,embezzlement, economic espionage and trade secret theft. According to the federal bureau of investigation, white-collar crime is estimated to cost the United States more than $300 billion annually.

A true Operational Risk Management professional has to operate as Al Pinkerton described and with even more capabilities than in his day. They have competencies and subject matter expertise to address:

  • Identification
  • Assessment
  • Design
  • Implementation
  • Audit
  • Supervision
You have to ID the corporate assets to protect and the threats to those assets. You then have to determine the likelihood of occurrence. What are the impact to organization from a loss? One must also have knowledge and expertise in accounting, auditing, interviewing, investigation, legal elements, digital forensics, reporting, testifying and communicating. Not only does the OPS Risk professional today require honesty, it also requires much more.

Hiring good people is the constant headache of every manager in every industry in every part of the world, and bankers have probably complained about the situation the loudest. But if a bank makes a bad hire, the pain will only be felt years later when it comes out in the newspapers that both the employee and several million dollars have gone missing.

The situation should be avoidable, but the fact is that nobody can really know who it is that they are hiring. Consider the case of one senior banker, who was ready to hire a new personal assistant. Besides being the best candidate for the job, he had once known the applicant when he had worked at her previous company. Through a chance meeting with one of his old co-workers at that bank, he found out that his applicant had been fired for embezzlement, although the information had not been made public.

Actual levels of internal fraud across the industry are a closely guarded secret, although each banker will have a good idea how much it costs his or her own bank. While it is commonly agreed that the cost of internal fraud greatly exceeds that lost on credit card and other fraud, expensive systems required by regulators to manage fraud throw a monkey wrench into the works.

Whether you are in search of the facts or are rendering an opinion, the way you operate and behave within your organization and in front of those individuals you are in pursuit of, remains the same. You are a "Citizen Soldier". This means that you are not influenced by the politics nor the power of those who may try to pursuade you to see it their way. You see it as it is and your mission is to uncover the real truth and only the truth. Reputations are at stake. Lives will be changed forever. But the truth will endure.

Wednesday, April 18, 2007

ECM Security: Trusted Information...

When it comes to Enterprise Content Management (ECM), security is an issue that continues to challenge most vendors. John Newton is in search of topics this week at AIIM that address the security needs of the market place:
Content Log


  • Common identity. There needs to be a common way of addressing identity between different services whether those services are in the enterprise or outside.
  • Common Models for Rights Management. The big, looming problem in content is the fact that huge numbers of users are adding, accessing or updating an even larger number of pieces of content.
  • Distributed Directory Services. Identity is not sufficient for determining roles or entitlements.
  • Mashup Frameworks for Security. Mashups, the integration of different systems at the browser level, represent the fastest-growing and easiest mechanism to weld systems together. Almost all mashups have no notion of security and only work on public systems.
  • Search and Security. As search becomes increasingly federated, such as through the OpenSearch API, managing identity and entitlements on content becomes very problematic.
Whether John will find the answers is questionable. And that is exactly the issue when it comes to hosting or managing enterprise information. Almost a year ago before Stellant (Sealed Media) was purchased by Oracle, their survey of 29 CIO's who had invested more than $1M. in ECM had these as their top priorities:

The concerns were ranked on a scale of one to eight, eight being the most important.
  1. Guarantee ISO 17799 compliance: 6.03
  2. Protection of intellectual property during offshoring or outsourcing: 5.52
  3. Protection of high- and executive-level communications: 4.79
  4. Improvement of workflow-process automation: 4.41
So what?

If you are an ECM vendor and you only have so many bucks to spend on development of the next generation of your software, what are you going to add and what are you going to fix? So why is number one and two so important to CIO's who have invested so much money in their platforms?

Some of the answers can be found in the root cause of their concerns. We found some relevant discussion in a position paper entitled:

W3C Workshop on Transparency and Usability of Web Authentication by Jeffrey Ritter & Said Tabet

Statement of Issues: The conflict between the potential of Web Services and the inadequacy of web authentication is potentially best described as “a failure to communicate”. As enterprises extend and evolve into more dynamic, real-time facilities, central operations require the ability to express their security requirements in greater detail than can be currently enabled. Corporations must define and adhere to increasingly large directories of requirements in the management of their internal security controls; requiring compliance with those controls by participants in the extended enterprise is becoming essential.

Corporate operations increasingly distribute their computing and data processing requirements across a network of third party services, some of which are engaged and employed for controlled, finite sessions. But those third parties, for so long as they are processing data and functioning as part of the operating whole of the primary corporation, are being pressured to demonstrate their adherence to the security controls of their customers. This requirement is an expression of a requirement for trustworthiness—to be engaged as a part of the extended enterprise is to be trusted to perform in compliance with the applicable controls.

The enterprise who has exposure to continuous litigation is evaluating new ways to look at 3rd Parties who manage their information and this includes law firms. When you hand over management of critical and legally binding information to a 3rd party, trust is a key component of that decision. So how do you know if your law firm(s) and database marketing companies such as Merkle, Inc. or other outsourced service providers have the trustworthiness to be part of your extended enterprise? The fact is you don't unless you require the new and existing parts of the information supply chain in your organization to operate as one seamless trusted entity.

The greatest economic risk companies face with electronic discovery is choosing the wrong law firm. Under the new Federal Rules of Civil Procedure, the amounts at stake are not just legal fees or settlement costs; searching for and recovering electronic business records causes productivity losses and threatens revenue. Bottom line, selecting a law firm that is ill-prepared to effectively manage electronic discovery can cost enormously - internal records preservation and production costs are considered one of the largest uncontrolled expenses in corporate America.
So how do you select the right firm?

For corporations, Evaluating the Electronic Discovery Capabilities of Outside Law Firms: A Model Request for Information and Analysis provides corporate law departments, records management and IT departments an invaluable tool to ensure that the legal risks of e-discovery are competently addressed by their outside law firms.

Here is a peek at the line up so far this year by just one government regulator, the SEC.

Monday, April 16, 2007

Workplace Violence: Hokies in Mourning...

As the details of the event unfolds at Virginia Tech, one is reminded that violence of such magnitude is an operational risk in universities and colleges across the globe.
The Virginia Tech shooting occurred on April 16, 2007 at Blacksburg in the U.S. state of Virginia. At least 32 people were killed, including the gunman, with at least 28 injured,[2] making it the deadliest school shooting in United States history.

As the evidence is collected and the investigations determine what could have prevented such a tragic incident there will also be questions about the response. Workplace violence or campus violence is similar in nature from the standpoint that you plan and prepare for such random incidents. The point is that it may never happen but if it does, are you prepared?

Were the three bomb threats in advance of the incident just active surveillance by the shooter? What proactive measures were taken by law enforcement between the first shooting and the second scene where a majority of the deaths occured? The measures taken on that multi-hour timeline will be scrutinized to find out why the buildings on campus were not secured. Was a crisis plan enacted from the point of the first incident and if so, how effective was it?

A few details emerged from the news conference. At 7:15 a.m., an emergency 911 call came in to University police department about a shooting at a campus building, West Ambler Johnston, a dormitory for about 900 freshman students. About three hours later it was followed by a second shooting at a classroom in a science and engineering building on the opposite end of campus, Norris Hall. The shooter died there, the police said.

Suicide bombers and those with a death wish are the ultimate threat. No level of security or proactive measures can defeat this kind of attack. This fact has been proven over the past few decades on and off the battle field. In the aftermath we can only hope that more is done to heighten awareness about "At Risk Behavior" whether it be in school or at work. The cues and clues that bring people to a point of violence are usually noticed by fellow students or co-workers. However, once the event takes place, those individuals who noticed these behavioral warning signs feel the worst about the incident.

The behavior psychologist's will tell you that the signs are there, you just didn't recognize them in time. Besides the obvious drug or alcohol abuse warning signs, some are more subtle.

Other problematic behavior also can include, but is not limited to:
• Increasing belligerence
• Ominous, specific threats
• Hypersensitivity to criticism
• Recent acquisition/fascination with weapons
• Apparent obsession with a supervisor or coworker or employee grievance.
• Preoccupation with violent themes
• Interest in recently publicized violent events
• Outbursts of anger
• Extreme disorganization
• Noticeable changes in behavior
• Homicidal/suicidal comments or threats

Once the determination is made what motivated this individual to carry out this act today, we will use that information. It will become a new or even repeated warning sign that we have become complacent to in our day to day interactions with others on the job or in the class room.

How will the new crisis programs and workplace violence programs be communicated across the nation incorporating these lessons learned? To begin the process of finding out what is in place and what needs to be done, here is a very relevant self-audit from The National Institute for the Prevention of Workplace Violence.


Workplace Violence Prevention Audit Questions:
  1. Has a specific management level person been designated as the person responsible for coordinating the company's workplace violence prevention initiative?
  2. Has an integrated workplace violence prevention team (also known as Threat Management or Threat Assessment Team) effort been established that includes representatives from the following functions: security, occupational safety & health, risk management, legal, public relations/corporate communications, human resources and operations management?
  3. Does the company have a workplace violence prevention policy?
  4. If a written workplace violence policy exist, does it include provisions addressing how to deal with domestic violence in the workplace, mobbing and bullying behaviors?
  5. Does the company have a written plan describing how the workplace violence prevention plan will be implemented?
  6. Has a pre-established emergency protocol been put in place with local law enforcement and a specific individual (and back up) been designated to contact the police during a critical incident?
  7. Have all managers been trained in workplace violence prevention?
  8. Have all employees been trained in workplace violence prevention?
  9. Does the company have a policy prohibiting the possession of weapons on the company's premises and while an employee is performing their job?
  10. Has the company conducted an organizational violence assessment to determine if 'the common factors of violence prone organizations' are present?
  11. Has the company conducted a Facility Risk Assessment of all of it work areas?
  12. Does the company have a process and procedure in place for conducting Individual Threat Assessments?
  13. Has the company pre-identified and pre-qualified an external workplace violence expert and critical incident debriefing team to assist the organization, if needed?
  14. Are their known workplace violence hazards that employees are exposed to, and/or are similar businesses or companies in your industry or geographic area known for having workplace violence hazards?
The questions will remain for years to come as the answers are discovered in conference rooms and court rooms across the country. Was this the wake-up call that we all needed? And for those who are seeking proven solutions to this Operational Risk, consider Defywire.

Friday, April 13, 2007

In Search of Answers: OPS Risk Intel...

When it comes to Operational Risk, what is on your mind? These are just a few recent inquiries from around the globe:

  • operational risk consultant
  • plausible deniability risk mitigation
  • operational risk and causes for information technology department
  • digital forensics plus ediscovery software
  • operational risk management in bank
  • hedge risk asian tsunami
  • bbc programmes advice on insurance companies covering anti terrorist cover
  • hsac navy seals
  • metrobank and trust company philippines risk managment practice
  • passmark passes fdic audit
  • gsk italy germany executive's supply chain quality assurance manufacturing
  • define issues and action plans orm
  • ethical prior the implemention of disaster response
  • operational risk management dulles airport
  • Business Crisis and Continuity Management (BCCM)
  • invision, deloitte, risk, root cause analyses
  • bs 25999 part1
  • system malfunction hurricane katrina critical infrastructure
  • fraud risk management vs. compliance investigation
  • "opinion letter" "disaster recovery"
  • the newest trends in operational risk for public sector
  • north carolina department of revenue real estate investment trust voluntary disclosure
  • parmalat crisis management
  • public sector operational risk management
  • bank of america sas 70
  • example document retention policy homebuilder
  • fbi justice report sedona mortgage fraud
  • operation risk management test answers
  • suibin zhang
  • authenticol systems boulder
  • helicopter detecting grow ops
  • using ipsonar opinion
  • pneumonia, operational risk
  • reasons for enterprise risk management assessment

If you are like us, we see some real "nuggets" of intel in these searches. One observation is that Operational Risk is diverse and it's facets are complex. The interdependencies of people, processes, systems and external events combined with the legal implications makes this discipline ever more sought after in the ranks of enlightened institutions.

So why would somebody be looking for information on
plausible deniability risk mitigation?

Over a year ago Bruce Schneier had this to say:

Deniable File System

Some years ago I did some design work on something I called a Deniable File System. The basic idea was the fact that the existence of ciphertext can in itself be incriminating, regardless of whether or not anyone can decrypt it. I wanted to create a file system that was deniable: where encrypted files looked like random noise, and where it was impossible to prove either the existence or non-existence of encrypted files.

This turns out to be a very hard problem for a whole lot of reasons, and I never pursued the project. But I just discovered a file system that seems to meet all of my design criteria -- Rubberhose:

Rubberhose transparently and deniably encrypts disk data, minimising the effectiveness of warrants, coersive interrogations and other compulsive mechanims, such as U.K RIP legislation. Rubberhose differs from conventional disk encryption systems in that it has an advanced modular architecture, self-test suite, is more secure, portable, utilises information hiding (steganography / deniable cryptography), works with any file system and has source freely available.

The devil really is in the details with something like this, and I would hesitate to use this in places where it really matters without some extensive review. But I'm pleased to see that someone is working on this problem.

Next request: A deniable file system that fits on a USB token, and leaves no trace on the machine it's plugged into.

So what? Why would an Operational Risk Professional be concerned about a USB token that leaves no trace on the machine it's plugged into? We think you get the big picture here. So are there any other nuggets of intel worth exploring in this latest list of searches?


What about Business Crisis and Continuity Management (BCCM)? When it comes to a crisis, there are numerous sources that impact your Operational Risk Strategy:

The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:

· Public perception

· Unethical dealings

· Regulatory or civil action

· Failure to respond to market changes

· Failure to control industrial espionage

· Failure to take account of widespread disease or illness among the workforce

· Fraud

· Exploitation of the 3rd party suppliers

· Failure to establish a positive culture

· Failure in post employment process to quarantine information assets upon termination of employees

So what? Boards of Directors have the responsibility to insure the resiliency of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise. It’s the shareholders duty to scrutinize which organizations are most adept at “Continuous Continuity” before they invest in their future. Hopefully you understand that the operational risk spectrum is wide as it is deep. Keeping your fingers on the pulse of what people are concerned about could be as simple as this quick exercise in "search terms analysis."

Friday, April 06, 2007

Ethics: The Tone at the Top...

Have you had your annual check-up? Is the health of your organization improving or on the way to a potential loss of reputation?

The Board of Director's are consistently talking about how they can create the correct "Tone at the Top" when it comes to ethics and compliance. Global corporations realize the importance of these issues in order to create a focus on competitive advantage and other new "Carrots" rather than the old motivators of fear, uncertainty and doubt (FUD Factor). Employees who are "Beaten with a Stick" in order to comply with federal laws and state rules of conduct are looking for new vision and new methods to improve the health of organizational ethics. An interview with Perry Minnis, Alcoa's Director of Ethics and Compliance highlights this point:

Organizations have always confronted ethics problems, but it seems that only in the last 25 years or so that ethics has grown from an academic discipline into a mandatory department at most corporations. How has this happened?

I believe the heightened awareness can be attributed to several factors: the defense contracting scandals during the Reagan Administration; the issuance, in the early 1990s, of the Federal Sentencing Guidelines, which established criteria for assessing the completeness of ethics and compliance programs; the emergence of high profile scandals - Enron, Tyco, WorldCom, etc.; and the passage of the U.S. Sarbanes-Oxley Act and the associated provisions of the New York Stock Exchange and SEC requirements. Plus companies now have a general sense that a reputation for ethical behavior is a competitive advantage. It engenders customer loyalty and employee allegiance.

Mr. Minnis and other officers like him who are charged with creating the right "Tone at the Top" must cooperate with a multitude of players within the enterprise to address this cultural awareness. Part of this strategy should include the check-up for fraud and the signs that it may be present in certain business units or processes within the organization.

In this Fraud Prevention Check-up tool we are especially pleased to see question number 7:

To what extent has the entity established a process to detect, investigate and resolve potentially significant fraud? Such a process should typically include proactive fraud detection tests that are specifically designed to detect the significant potential frauds identified in the entity’s fraud risk assessment. Other measures can include audit “hooks” embedded in the entity’s transaction processing systems that can flag suspicious transactions for investigation and/or approval prior to completion of processing. Leading edge fraud detection methods include computerized e-mail monitoring (where legally permitted) to identify use of certain phrases that might indicate planned or ongoing wrongdoing.

The use of automated tools to help prevent fraud from occuring will continue to be just that, a tool. It's imperative that anyone utilizing such mechanisms for early warning remember the taxonomy for an "Incident:"

"Attackers use tools to exploit vulnerabilities to create an action on a target that produces an unauthorized result to obtain their objective."

While the ethics and compliance department teams up with the IT and Security departments to create the policies and implement the tools to deter, detect and defend against fraud, the opposing force is also gaining ground. Hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs are using their own tools to test and to exploit your vulnerabilities.

The three areas that you need to focus on continue to be:

  • Design
  • Implementation
  • Configuration
Whether it is through physical attack, information exchange, user commands, scripts, programs, autonomous agents, toolkits or data taps you can be assured that these tools are being utilized to exploit you. They are being directed at the design, implementation or configuration of your "Controls" in order to achieve the action they desire:

  • Probe
  • Scan
  • Flood
  • Authenticate
  • Bypass
  • Spoof
  • Read
  • Copy
  • Steal
  • Modify
  • Delete
All of these actions are directed at their target. Accounts, people, processes, data, components, computers, networks or internetworks. They are looking for and unauthorized result:

  • Increased Access
  • Disclosure of Information
  • Corruption of Information
  • Denial of Service
  • Theft of Resources
And sadly, when you boil it down to the reasons or objectives they seek to achieve; it usually falls into one of four categories:

  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage
Once you understand the entire taxonomy of an "Incident" you are far better equipped to prevent and preempt attacks on your valuable corporate assets. Equally as important is the "Tone at the Top" to set the foundation for an environment that employees embrace and will protect at all costs.