Inspect v. Study: Quality of Operational Risk Management...

As this weblog reaches it's 1,000th post in the next few months, much has been documented on the course of "Operational Risk" over the past eight years. We have continuously witnessed the dawn of new threats and vulnerabilities that could only have been imagined in the last millenium.

At the same time, we could not have predicted the new found solutions, to many of the same operational risk related incidents that have plagued our institutions, governments and the planet we call Earth. Every time you think you have heard or witnessed it all and that all new future risk events will just be some variant of those that have preceded us in history, we are surprised and blind-sided. The "Black Swan" has visited us once again.

Yet one item that remains consistent over the course of risk incidents and numerous after action findings is this fact. We have not devoted enough resources in preparation and in scenario-based exercises to improve our resiliency. We remain in denial that we could ever be subjected to the 1-in-100 year event. However, there is someone named Warren Buffet who to this day, is still adding reinsurance companies to the Berkshire Hathaway portfolio. Do you think it is because Mr. Buffet is betting on more risk or less in the world over the next decade?

Risk Managers think about the "What if" more than anyone else, in many cases because they are paid to do this on behalf of their employer. Yet as human beings, we take risks every day without even thinking twice about how much risk we are taking on and what the possible outcomes could be. We just move through life in a wait and see totally reactive mode. So how do you get at least a majority percentage of the people walking around the halls of your organization to think more like a savvy risk manager? What does it take to inject a little more "What if" into the consciousness of each person and the roles and jobs that they play in your institution?

The first is to design and engineer your management system to incorporate a risk-based standard for operations. Secondly, to incorporate the applicable risk management controls to produce the rules-based behavior that you are adopting. Finally, to test the rule-sets with a continuous approach to ever so incremental improvement over time. Sounds familiar doesn't it. Plan-Do-Check-Act.

Whether you are trying to improve the awareness, implementation and/or measurement of Operational Risk on the deck of the aircraft carrier, at the FOB, on the trading or manufacturing floor or within the supply chain of the vital resources that fuels your organization, "Plan-Do-Check-Act" (PDCA) works. And you have heard it before, those who are hit by the "Black Swan" event will die or go out of business relative to the previous attention they have paid over the years to PDCA.

PLAN

Establish the objectives and processes necessary to deliver results in accordance with the expected output (the target or goals). By making the expected output the focus, it differs from other techniques in that the completeness and accuracy of the specification is also part of the improvement.

DO

Implement the new processes, often on a small scale if possible, to test possible effects. It is important to collect data for charting and analysis for the following "CHECK" step.

CHECK

Measure the new processes and compare the results (collected in "DO" above) against the expected results (targets or goals from the "PLAN") to ascertain any differences. Charting data can make this much easier to see trends in order to convert the collected data into information. Information is what you need for the next step "ACT".

ACT

Analyze the differences to determine their cause. Each will be part of either one or more of the P-D-C-A steps. Determine where to apply changes that will include improvement. When a pass through these four steps does not result in the need to improve, refine the scope to which PDCA is applied until there is a plan that involves improvement.

It's clear to the "Operational Risk" professional why PDCA has one little flaw. The "Check" could and should be replaced by "Study" to emphasize analysis over inspection as Dr. W. Edwards Deming has said. To analyze and study takes us to the core of the issue. People are always looking for expected results, not unexpected outcomes. If we are to expect "unexpected" results, perhaps the "Analyze-Study" mindset would then perpetuate the plethora of risk professionals who are still caught up on the "Check". Inspection will get you killed and it will produce more "Black Swans" in your lifetime than you would ever expect. Check = Inspection. Study = Analyze.

So we think it is safe to say, that Warren Buffet is betting on the current trend of a mentality of inspection and not study. He is investing in the future of insurance companies needing insurance to hedge their own underwriting failures. Study and analysis are the ingredients of success for the most sought after risk managers on the globe. Unfortunately, too many still have not figured out that "Check" is out and "Study" is in.

The future quality of Operational Risk Management will lie in the hands of practitioners who are analyzing and studying before they apply new changes to gain new improvements. Now think about your organization. Where are the people who are patient? How long do they take to study the business problem or assess the climate you operate in every day? When you find these individuals you need to keep them close and you will soon find that you are well on your way to a more resilient future.

Occupational Fraud Risk: UBS Rogue Trader...

Kweku Adoboli, is no different than any other person who commits fraud. At UBS, this trader understood the controls that were in place to prevent the kind of naked unhedged bets that he was making in the market. UBS or any other firm is subjected to the testing by those people who are looking for the method and opportunity to circumvent the controls to commit fraud. Motivation is another topic.

In other words, this case very closely resembles that of Bernard Madoff, the man who has been described as the investment equivalent of Charlie Manson. Madoff told his clients, business partners and regulators that he was trading in a whole variety of stocks—when in fact the trades never took place. They were simply made up—as were the phony gains to client portfolios.

Here it seems that Adoboli was also able to simply make up trades and cover up the fact that he was not hedging. His trades involved UBS's funds, rather than that of clients. But if you are a UBS wealth management client you have to at least wonder whether any part of your portfolio is based on trades that were never actually made. If Adoboli could do it, certainly others could as well.

Now the question needs to be asked to their auditors. How is this possible? What controls failed and why? The analysis of the incident will slowly unfold and other firms in the industry will be examining the method and process that was utilized at UBS to perpetuate this fraud over the course of three years. When a fraud of this size is finally revealed, it is no different than the others that have preceded it. Many will ask about the systemic Operational Risk issues that may be prevalent within the UBS culture.

Three years ago it all began. And so goes the typical story line on the epic tales of fraud in the years past and the decades to come. Effective oversight and risk management walks a fine line between enabling innovation and insight and mitigating errors, omissions and significant losses. One thing is certain, the "Insider" threat in your organization exists today, tomorrow and next week. It's not going away regardless of the number of controls, personnel or systems put in place to eradicate it's existence in your institution.

Whether this incident will end up in the Fraud Museum is yet to be determined. What is more certain is that traders around the globe are under a new spot light and renewed scrutiny by oversight investigators. The goal now is to make sure that the combination of people, processes, and systems are fine tuned to the right tolerance levels and triggers for alerts. Only then will the correct balance occur between risk and reward.

What will certainly be an outcome of the investigation is the number of other people that will be implicated, either directly or indirectly by the incident itself.

Jerome Kerviel of Societe Generale and Bernard Madoff, will have a new member for the multi-billion dollar fraud club, Kweku Adoboli. What do all of them have in common according to the Association of Certified Fraud Examiners (ACFE) in the Report to the Nations:

Perpetrators of Fraud

• High-level perpetrators cause the greatest damage to their organizations. Frauds committed by owners/executives were more than three times as costly as frauds committed by managers, and more than nine times as costly as employee frauds. Executive-level frauds also took much longer to detect.
• More than 80% of the frauds in our study were committed by individuals in one of six departments: accounting, operations, sales, executive/upper management, customer service or purchasing.
• More than 85% of fraudsters in our study had never been previously charged or convicted for a fraud-related offense. This finding is consistent with our prior studies.
• Fraud perpetrators often display warning signs that they are engaging in illicit activity. The most common behavioral red flags displayed by the perpetrators in our study were living beyond their means (43% of cases) and experiencing financial difficulties (36% of cases).

A Decade of Risk: 9/11 Memory Endures...

Tomorrow is the ten year anniversary of the 9/11 attack on the United States. For those people who were put in harms way that day and survived, their lives have changed forever. Have you ever had a near death experience? If you have, then you know what we mean.

A near death experience is everything that you have heard people say about it. That visions of their loved ones flashed into their thoughts and other physical implications, as a result of the adrenaline that was released into their system. Regardless of the experience, many say that they realize that "life is too short" and that they now have a new outlook on life and the relationships that surround them.

When you think back to your particular near death experience, what changed in the way you have now managed "Risk" in your life? Did you become more risk-oriented or less? Were you more cautious in the way that you managed your work or personal pursuits to avoid risks? Once someone has a near death experience or is very close to someone who does, the odds are that they quickly become "Risk Aware" and more cautious in taking future risks to their well being.

When you are building a team within your particular organization to manage risks; dig deep to find out what each team members life experiences have been with past risk events. The goal is to make sure that you have a balanced portfolio of people, who are risk aware and who have a broad spectrum of risk experiences so far in their life. The more diverse your team is from a risk management perspective, the more successful you will be in your ability to persevere as new risk events confront you on a daily basis.

Over the course of the past ten years the whole planet Earth has a heightened sense of "Operational Risks" and "Asymmetric Warfare" that span the incidents from mother nature to the man-made impacts of poor decisions and judgement, from New York and Washington to Kabul, Cairo and Tripoli. At this junction of the anniversary of 9/11 and the mixed emotions of how much risk we still need to mitigate and how much risk we are willing to accept, it's important to look in the rear view mirror and to simultaneously consider what lies ahead.

The considerations underway for the United States and the Intelligence Community (IC) are going to have significant implications to the man-made set of risks that we experience in the second decade of the new millenium. It's imperative that we take stock of the last ten years looking through the lens of "Homeland Security Intelligence" in order to determine the amount of risk that we are willing to take going forward, perhaps even at the peril of our own privacy and civil liberties:

In the aftermath of the tragic events of 9/11, Americans slowly came to the realization that while the country had spent considerable national treasure on intelligence capabilities over the years to protect the nation and had prevailed in the Cold War for which the U.S. Intelligence Community (IC) had largely been designed, this IC was not designed, equipped, or ever primarily intended to detect significant national security threats originating or residing within our nation’s own borders. Instead, it had been a longstanding and unique set of circumstances that had allowed Americans the good fortune of feeling safe within those borders. This sense of security was facilitated by two oceans and the Gulf of Mexico; two friendly neighbors to the north and south along relatively peaceful land borders; and a long history wherein immigrants, who are the lifeblood of this nation, came for opportunity and a hopeful future for their children, not to try to destroy the nation.

Whether it is the safety and security of your organization or of your own country, there will always be a process for risk mitigation that is subject to peril. There have been several near misses from a rising domestic threat from U.S. citizens that are inspired by others who leverage the "Information and Communication Technology" (ICT) platforms and mobile situational awareness. These ICT capabilities allow your adversaries to reach within your borders through the Internet, to disseminate their operational training to "Homegrown Violent Extremists".

Turning the lens back inside the U.S. will not be an easy path for many Americans. One only has to revisit the latest domestic incident in Oslo, Norway to see why it will be a priority:

The 2011 Norway attacks were two sequential terrorist attacks against the government, the civilian population and a summer camp in Norway on 22 July 2011.

The first was a car bomb explosion in Oslo within Regjeringskvartalet, the executive government quarter of Norway, at 15:25:22 (CEST).^[8] The car bomb was placed outside the office of Prime Minister Jens Stoltenberg and other government buildings.^[9] The explosion killed eight people and wounded several others, with more than 10 people critically injured.

The second attack occurred less than two hours later at a summer camp on the island of Utøya inTyrifjorden, Buskerud. The camp was organized by AUF, the youth division of the ruling NorwegianLabour Party (AP). A gunman dressed in an authentic looking police uniform and showing false identification^[10] gained access to the island and subsequently opened fire at the participants, killing 69 attendees,^[4][5] including personal friends of Prime Minister Jens Stoltenberg and the stepbrother of Norway's crown princess Mette-Marit.^[11]

The Norwegian Police Service arrested Anders Behring Breivik, a 32-year-old Norwegian^[12] right-wingextremist^[13] for the mass shootings on Utøya^[14] and subsequently charged him with both attacks.^[15]

On the eve of remembering all of those people who have sacrificed so much, we remain vigilant. We remain committed to the continuous monitoring and operational risk measures that are required, to keep our homeland safe and secure.

Read more:

The two cities that were at the heart of the Sept. 11 terrorist attacks are on high alert this weekend after the government received a “credible” tip that Al Qaeda plans to launch an attack on Washington or New York as the nation marks the 10th anniversary of 9/11. Extra security is clearly visible on subways in both cities as officials are taking seriously a joint FBI, Homeland Security Intelligence Bulletin, first obtained by Fox News that states the timing and method of the potential terror plot.

9/11 Revisited: The Homeland Security Practitioner...

We are approaching the 9/11 anniversary and the images and memories will be revisited. Many of us will shed a tear and millions will recall where they were and what they were doing, on that unforgettable Tuesday morning in September, 2001.

The education of "Homeland Security" is taking place on a daily basis in the popular press and on the new social media platforms that have risen and now dominate the digital content since 9/11. The academic and government institutions have strived for improving the standards, processes, rule sets and protocols for anti-terrorism policy. By education, we also need to explore what we are doing to collaborate at the academic institution level on a global basis, not just on a government basis.

The "Homeland Security" curriculum at universities in the EU and the United States will soon be converging on several fronts and for good reason. The generation that will be starting their 1st year (freshmen) in college were only 8 or 9 years old in 2001. Their perception of what Homeland Security is and the future for a life long career must be designed on a global basis, because this is a global issue.

The students who pursue an education in languages, political science, international affairs, history and science have just as much a stake in the future of Homeland Security as others. Those who are getting a degree in emergency management, criminal justice or risk management, or information security are well on their way, yet still may lack the knowledge and tools their liberal arts colleagues have learned to be better analysts, targeters or linguists.

A flash back to this blog post on "Homeland Security Intelligence" (HSI) last February, reminds us that regardless of the university education one receives, the future of effective strategies across the world will stem from intelligence:

27 February 2011HSI: Homeland Security Intelligence...

What is the modern definition of U.S. Homeland Security Intelligence (HSI)? Many would differ on the jurisdiction, sources and nexus with specific intelligence that falls outside U.S. borders. The future of sharing relevant pieces of the vast mosaic of information may well lie with the definition and the interpretation of Homeland Security Intelligence.

One thing is certain about this topic of debate. If the information is being utilized to determine the nature of a threat within the confines of the U.S. Homeland, then that information will be treated according to the laws of the United States. This brings us to the next question. Are the current laws an impediment to more effective Homeland Security Intelligence (HSI) processes, methods and outcomes? The following areas must be addressed in order to get closer to the truth.

• Governance

• Policies

• Regulatory and Statutory Concerns

• Civil rights and Liberties

Yet the question begs the discussion on the structure and the purpose of the Intelligence Community (IC) itself.

Whether the homeland security incident is a natural catastrophe or a man-made threat, there are several components that all people pursuing a profession in the discipline should be developing with increased competency, including risk mitigation, legal framework, ethics, communication/collaboration, alternative analysis, supply chain, critical infrastructure, emergency/crisis management and terrorism.

Those kids who were 8 years old on 9/11, may have a different perspective on what might be important these days in order to detect another attack of the same magnitude during these times of heightened digital and mobile awareness. They grew up with the Internet and they don't need a class in Social Media 101 or how to use BBM. They might however, also need some training in NGiNX, Miranda IM, Trillian or Jabber Servers, if they want to support the HSI infrastructure, or understand the adversaries modus operandi.

The definitions of Homeland Security Intelligence and what comprises the spectrum of relevant and legally obtained information may differ from country to country and state to state. Is it legal to perform digital triage on a cell phone that has been part of a lawful search and seizure in the State of Ohio, USA?

As cell phones have become more sophisticated, courts might be expected to treat these devices differently than other containers. With a couple of notable exceptions, this has not happened. Courts, relying on the container cases, have permitted law enforcement to search the contents of the phone incident to the defendant's arrest. These courts have concluded that cell phones are containers and therefore, subject to a review by the search incident to arrest doctrine. In this view, although they are more sophisticated, cell phones are just like a cigarette packet, a wallet, or a pager.

Some courts are, however, starting to treat cell phones differently. These decisions have suggested that the application of traditional rules to modern cell phones may be inappropriate because of their unique ability to hold vast amounts of diverse personal information. The most notable decision was by the Ohio Supreme Court inState vs. Smith, 920 N.E.2d 949 (2009). In that case, the court held that the search of the contents of an arrestee's cell phone violated the Fourth Amendment.

And because so much data is now in the clear, or otherwise public information on open web sites on the Internet, 80+% of open source information is what analysts are using, to add to their HSI case files. Does your local department have a listening strategy?

In partnership with the Bureau of Justice Assistance, Office of Justice Programs, U.S. Department of Justice, the IACP launched its Center for Social Media in October 2010. The goal of the initiative is to build the capacity of law enforcement to use social media to prevent and solve crimes, strengthen police-community relations, and enhance services. IACP’s Center for Social Media serves as a clearinghouse of information and no-cost resources to help law enforcement personnel develop or enhance their agency’s use of social media and integrate Web 2.0 tools into agency operations.

Why should law enforcement care about listening online? There are many benefits to listening on social media channels, especially for law enforcement agencies. It is important to be aware of what is going on in and around the community and what people are saying on the Internet about the agency, its municipality, its officers, or its events. Monitoring can be incredibly valuable during a disaster or other large event, by providing law enforcement with situational awareness. Listening can also provide information to guide resource allocation and other service or response efforts. Listening through social media channels can also assist in the mitigation of a criminal event or disaster.

The education for Homeland Security professionals beginning with the university must take into consideration the requirements that exist for collecting, analyzing and sharing relevant and legally obtained information. The next step is to determine the correct skills that must be developed, before the newly minted student is filling out their first job applications or interviewing for their first internship.

As we reflect on the 9/11 ten year milestone, we can all admit the journey has not been easy. It is still far from over. Let the next ten years produce the next generation of Homeland Security professionals who may decide that Social Media and Internet expertise is just as vital to the curriculum as privacy and civil liberties. Watch this area to converge dramatically over the course of the next few years and for the Supreme Court in the United States to make some landmark decisions.