Thursday, October 29, 2009

Legal Risk: The Art of Compliance...

Risk Management is on the mind's of Corporate Directors and in some interesting places according to a recent poll by PWC and Corporate Board Member Magazine:

How has your personal risk as a director changed in the past 12 months?

Increased 69%
No change 30%
Decreased 1%

Some risks are tough to name...

What keeps you up at night?

Unknown risks 59%

...while others are identifiable.

Do you think regulators are more likely to investigate your company?

Yes 71%

Do you think there'll be an increase in shareholder suits?

Yes 65%

If 71% of the directors surveyed think that regulators are more likely to investigate the company where does that feeling come from? Is it the fact that the SEC and others such as the FTC, OCC and others are gearing up to facilitate greater oversight than in past years? Is it the lack of internal focus on creating a systemic Risk Management Framework? Could it be the amount of toxic assets that are still on the balance sheet? The answer is yes, yes, and yes.

So what can Directors do to make sure that management and the company are ready when the "Feds" come to town? The answer may well lie in the ability to show a history and evidence of doing the right thing and doing it with extreme diligence.

For good or bad—okay, mainly for bad, most respondents agree—the government as boardroom-player-cum-active-investor will be around for a foreseeable spell.

Regulation will rise...

Do you think there will be a big increase in regulation?

Yes 91%
No 2%

Of that 91%, 54% “strongly agree” with the premise that there’ll be more regulation, 37% “agree.”

...and spread.

Do you think other companies will have to adopt rules that the government has imposed on those receiving financial help?

Yes 54%
No 20%

Nearly 45% of the respondents say no amount of government control, whether more or less than what we got, could have prevented the severity of the economic crisis.

No to Uncle Sam as paymaster

Respondents are against the feds’ having a say in setting executive pay.

Are government limits on executive compensation justified?

No 88%

Should the government impose further limitations on pay?

No 97%

Should comp be left to the board?

Yes 76%


The only hope for "Achieving A Defensible Standard of Care" in your institution could be what Siemens and other wrongdoers have discovered. Spending hundreds of millions of dollars on "Compliance" might be a good thing when the time comes to differentiate yourself in the marketplace and negotiate with the government. Especially if you are a global enterprise doing business in countries that don't exactly have the best reputation with transparency and the rule of law. Here is what Chairman of the Supervisory Board of Siemens AG, Gerhard Cromme had to say on their efforts to date:

Wherever wrongdoing was proved beyond a doubt, we immediately took the necessary actions. Wherever there were systemic weaknesses, we identified them and corrected them. Where the necessary resources were lacking, we provided them. These demanding efforts have paid off: Today Siemens has a clear, transparent structure that no longer allows any gray areas with respect to responsibility. At the same time, these structures make Siemens more efficient, more cost-effective, and thus more competitive. The authorities took into consideration our unflinching desire to do whatever was necessary for a fresh start in determining the size of the penalties and the duration of the proceedings.


Operational Risk encompasses the actions taken by Siemens that includes the new centralized systems for payments, disbursements and other accounting functions that were previously in business units outside of Germany. This consolidation and integration of systems was not easy but represents that a discovery in the vulnerability of controls with a decentralized system warranted the investment in a new way of doing business.

Only time will tell whether any companies Board of Directors efforts to spend more resources on "The Art of Compliance" will make a difference to the regulators, investigators and litigators. One could probably bet that over time it will make a difference. But only if the "Tone at the Top" is commensurate with the actions being asked of the employees and stakeholders, doing the day-to-day tasks running the risk operations of the enterprise.

Thursday, October 01, 2009

Remote Digital Forensics: Complacency Risk...

Operational Risk Management commands a spectrum of disciplines within the global corporate enterprise. While convergence of responsibility, accountability and resources is taking place the internal threats continue to flourish. Why? How could a Chief Security Officer (CSO) not be aware of a specific threat to the institution by unknown subjects half way around the world? The transnational organized crime syndicates that target our weakest organizations know that they don't share information between departments, business units or even shared services within the enterprise. Does your CSO get a briefing from the CISO or CIO / INFOSEC staff on what the latest threats mean to you, such as cyber heists using ACH fraud?

This complacency is an internal threat that continues to amaze many and reinforces what few people truly understand about risk management. The adversaries utilize asymmetric strategy against unsophisticated targets to perpetuate their crimes and overall threats to people, processes, systems and deposit accounts. They are the modern day equivalents of "Bonnie & Clyde", Al Capone with a dash of Al Gonzales all rolled up into a massive threat that is increasing exponentially:

Two Romanian Citizens Extradited to the United States to Face Charges Related to Alleged Phishing Scheme

A phishing scheme uses the Internet to target large numbers of unwary individuals, using fraud and deceit to obtain private personal and financial information such as names, addresses, bank account numbers, credit card numbers, and Social Security numbers. Phishing schemes often work by sending out large numbers of counterfeit e-mail messages, which are made to appear as if they originated from legitimate banks, financial institutions, or other companies.

The investigation leading to the indictment stemmed from a citizen’s complaint concerning a fraudulent e-mail message made to appear as if it originated from Connecticut-based People’s Bank. In fact, the e-mail message directed victims to a computer in Minnesota that had been compromised, or “hacked,” and used to host a counterfeit People’s Bank Internet site. During the course of the investigation, it was determined that the defendants had allegedly engaged in similar phishing schemes against many other financial institutions and companies, including Citibank, Capital One, JPMorgan Chase & Co., Comerica Bank, Wells Fargo & Co., eBay, and PayPal.


Risk Management 101 talks to the X and Y axis with X representing the frequency of risk and Y representing the severity (impact) of the risk. So using the four quadrant model, the lower right box is where low risk times high frequency incidents occur. In the upper left box is where high risk times low frequency incidents occur. Got it.

As a CSO in your organization, where do you spend your time, resources and personnel in terms of their training, awareness and work efforts? Think about it for a minute. Most of you would probably say, "Well we focus on the High Frequency times High Risk incidents, the upper right box of the Risk Management model." Practice and prepare for the incidents that happen often and you will have employees who have no clue on what to do the day that something from that upper left box impacts your organization. The HIGH RISK x LOW FREQUENCY incidents are where you remain most vulnerable.

Arlington Man Sentenced 36 Months for $40 Million Ponzi Scheme

ALEXANDRIA, VA—Preston David Pinkett II, age 70, of Arlington, Va., was sentenced to 36 months in prison for engaging in a massive Ponzi scheme that raised more than $40 million in fraudulent payments from investors. Pinkett was also sentenced to three years of supervised release and ordered to pay $18,774,989 in restitution.


The two years that most frauds are conducted before they are discovered tells most risk managers that even effective accounting and audit controls can't catch these white collar criminals before it's too late. The high risk low frequency incidents are the greatest impact on your institution and yet little or no resources, training or attention is paid to these threats to your reputation and economic livelihood.

Now let's take this step further into what practices you have with exiting employees from your business. Are you conducting exit interviews? Are you examining all of the employee's digital assets for the presence of anti-forensics or the ex-filtration or theft of sensitive, proprietary trade secrets or intellectual property from the corporation? Both of these steps are necessary regardless of the person leaving and the circumstances why they are leaving your institution.

The utilization of "Remote Digital Forensics" and other centralized shared services such as this can provide your Business Units and even suppliers with capabilities that they don't need to staff internally. The technologies and resources exist today to address the stealth of fraud, the crisis stemming from industrial espionage or the disgruntled employee stalking those who they perceive as the reason for their dismissal.

An effective internal approach to high tech and advanced Operational Risk Management as it pertains to the rapidly changing landscape of smart, educated and daring people shall include a robust intelligence and audit capacity. Without it, the transnational eCrime syndicates or the internal employee threat will prey on your vulnerabilities of complacency, lack of training and apathetic approach to the design, configuration or implementation of your systems.