Tuesday, June 22, 2010

Workplace Privacy: Ontario Prevails on Data Audit...

Operational Risk Management professionals in corporate America have been following the Quon vs. City of Ontario case for five plus years. Now the Supreme Court of the United States has ruled 9-0 to increase the clarity on the new age of electronic privacy in the workplace. The LA Times explains:

Washington…In its first ruling on the rights of employees who send messages on the job, the Supreme Court rejected a broad right of privacy for workers Thursday and said supervisors may read through an employee's text messages if they suspect the work rules are being violated.

In a 9-0 ruling, the justices said a police chief in southern California did not violate the constitutional rights of an officer when he read the transcripts of sexually explicit text messages sent from the officer's pager.

In this case, the high court said the police chief's reading of the officer's text messages was a search, but it was also reasonable.

Police Sgt. Jeff Quon had sued the chief and the city of Ontario, California after he learned the chief had read through thousands of text messages he had sent to his wife and a girl friend. Quon won in the 9th Circuit Court of Appeals, but lost in the Supreme Court Thursday.


The scope of the investigation by the employer was not unreasonable and within the scope of determining whether the large amount of text messages was work related. What kind of corporate risk initiatives will be impacted by this ruling?

As corporations continue to battle the "Insider" risk associated with occupational fraud, workplace violence related stalking or sexting, industrial espionage, corruption and violations of acceptable use policies this case will become an example. What will continue to be the challenge for OPS Risk professionals who are responsible for internal monitoring, digital asset audits and insider investigations of potential malfeasance is the scope and reasonable nature of the case.

Get ready for a rush to the local Verizon Wireless or AT&T store for your own personal PDA or iPhone due to Justice Kennedy's ruling:

What’s more, Kennedy suggested that privacy in the modern age has more than one meaning.

“Cell phone and text message communications are so pervasive that some persons may consider them to be essential means or necessary instruments for self-expression, even self identification. That might strengthen the case for an expectation of privacy. On the other hand, the ubiquity of those devices has made them generally affordable, so one could counter that employees who need cell phones or similar devices for personal matters can purchase and pay for their own. And employer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated. “


If you are the CxO responsible for the auditing of digital assets within the enterprise, or the responsible party for insuring privacy in the workplace it's time to convene a two day workshop to review. Take a few days to bring the legal, privacy, IT and business unit deal makers to the same hotel resort country club to converge on this vital issue. The Operational Risks associated with executive communications that were previously thought to be private may be monitored and audited anytime when company assets are being utilized.

The opportunity to work through different workplace related scenarios, highlight the legal rulings and discuss the "What if's" could mean the difference between adversarial litigation and "Achieving a Defensible Standard of Care."

This is also a good time to establish the foundation for the "Corporate Intelligence Unit" within the enterprise:

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU with effective processes and procedures that provides a push / pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject.

Monday, June 07, 2010

FCPA Readiness: Training Corporate Aviators...

Operational Risk Management is a topic that rarely comes up at a social event, unless you happen to be talking with a "Naval Aviator". In just a few minutes of explaining the focus of this writers subject matter expertise, the dialogue took on a whole new level. Mike M. immediately began to talk about the many facets of Operational Risk in the context of flying his missions across the globe. He sipped his drink in the back yard under flaming torches as the backyard BBQ buzz was in high gear.

As we continued the conversation on the OPS Risk "All Hazards" point of view and the vulnerability of false or failed information he was clear about one thing. When all fails in the face of pre-planning, contingency exercises and the dawn of a new twist in your mission objectives becomes apparent, your training instinct is what takes over. This may be a true statement when it comes to the military worldview and their obsession with continuous training exercises yet it remains a lofty and sometimes elusive goal in the ranks of the private sector and Fortune 1000 companies.

The private sector company is still eons away from the level of readiness and the ability to call their employees in top shape as it pertains to corporate fundamentals. The Corporate 101 of ethics, compliance and legal risk is typically an hour orientation on the first week of the job. The training associated with protecting company assets and personnel is left to a few people in the Facilities Security Office. Providing the awareness of online threats, phishing and data leakage or privacy is often an online web "Flash" based learning module you must answer to correctly if you want access to the corporate e-mail server.

The serious nature of Operational Risk on the deck of the aircraft carrier operating in the Arabian Sea is light years away from the mind set of the Board of Directors at the latest Quarterly Meeting after a round of golf. You have to ask yourself why there is a difference?

The topic of Risk Management in the context of the corporate enterprise in many cases comes down to lawyers and insurance companies. The perception is that these two devices for risk management will be able to solve any problem that arises or any incident that could eventually occur. This mindset by corporate management is in many cases what causes their eventual downfall.

Investing in the education, training and awareness building of your company employees will in the long run provide tremendous business resilience and longevity. Exercising special diligence in the implementation of the proactive controls for early warning and effective detection will at some point pay off. Just ask companies such as HP or Avon:

Fitch Ratings says there could be rating implications to U.S. corporate issuers with modest free-cash flow or liquidity for violating the Foreign Corrupt Practices Act (FCPA). This is in addition to management distraction, reputational risk and added compliance costs according to a new special report issued today.

In April 2010 alone, three corporations rated by Fitch were the subject of news stories related to the FCPA, including Avon Products Inc. (Avon), Hewlett-Packard Co., and BHP Billiton, Plc. Violation of the FCPA is a criminal offense and average fines have started to increase. Mere indictment can trigger onerous reporting requirements, civil lawsuits and business losses. More important, enforcement activity is set to increase with a primary focus on the pharmaceutical industry.

In the U.S., proposed financial reform legislation in the House and Senate includes rewards for whistleblowers which provide added impetus for corporations to self-report violations. The cost of investigating violations on a worldwide basis can be relatively high, as noted in Avon's recent disclosure that the cost of its current FCPA investigation is expected to be in the $85 million to $95 million range during 2010 after being $35 million in 2009. The $85 million would represent approximately 55% of Avon's 2009 free cash flow. However, Avon maintains substantial cash balances which can easily fund these FCPA investigatory costs.


The Operational Risk associated with corruption on the front-line of business operations is growing. The reason is because of the continued pressure that is being put on the deal-makers and the "Rain Makers" to increase revenue. Companies that must fill the product pipeline with new inventory and the best pricing will continue to operate in risky waters, especially if they are selling their goods and services on a global scale.

As we finished our smoked beef BBQ, corn bread and baked beans "Naval Aviator Mike" came to the bottom line. "When the mission plan goes haywire or the equipment begins to fail, there is only one thing you have left. Your instinct. That instinct is directly hard wired to your training."

We agree and will continue our advocacy of the direct link between an organizations dedication and investment in Business Resilience, Training and Exercises and their ability to survive in today's hostile corporate environment.