29 October 2009

Legal Risk: The Art of Compliance...

Risk Management is on the minds of Corporate Directors, and in some interesting places, according to a recent poll by PWC and Corporate Board Member Magazine:

How has your personal risk as a director changed in the past 12 months?

Increased 69%
No change 30%
Decreased 1%

Some risks are tough to name...

What keeps you up at night?

Unknown risks 59%

...while others are identifiable.

Do you think regulators are more likely to investigate your company?

Yes 71%

Do you think there'll be an increase in shareholder suits?

Yes 65%

If 71% of the directors surveyed think that regulators are more likely to investigate the company, where does that feeling come from? Is it the fact that the SEC and others, such as the FTC and OCC, are gearing up to facilitate greater oversight than in past years? Is it the lack of internal focus on creating a systemic Risk Management Framework? Could it be the amount of toxic assets that are still on the balance sheet? The answer is yes, yes, and yes.

So what can Directors do to make sure that management and the company are ready when the "Feds" come to town? The answer may well lie in the ability to show a history and evidence of doing the right thing and doing it with extreme diligence.

For good or bad—okay, mainly for bad, most respondents agree—the government as boardroom-player-cum-active-investor will be around for a foreseeable spell.

Regulation will rise...

Do you think there will be a big increase in regulation?

Yes 91%
No 2%

Of that 91%, 54% “strongly agree” with the premise that there’ll be more regulation, 37% “agree.”

...and spread.

Do you think other companies will have to adopt rules that the government has imposed on those receiving financial help?

Yes 54%
No 20%

Nearly 45% of the respondents say no amount of government control, whether more or less than what we got, could have prevented the severity of the economic crisis.

No to Uncle Sam as paymaster

Respondents are against the feds’ having a say in setting executive pay.

Are government limits on executive compensation justified?

No 88%

Should the government impose further limitations on pay?

No 97%

Should comp be left to the board?

Yes 76%


The only hope for "Achieving A Defensible Standard of Care" in your institution could be what Siemens and other wrongdoers have discovered. Spending hundreds of millions of dollars on "Compliance" might be a good thing when the time comes to differentiate yourself in the marketplace and negotiate with the government, especially if you are a global enterprise doing business in countries that don't exactly have the best reputation for transparency and the rule of law. Here is what Gerhard Cromme, Chairman of the Supervisory Board of Siemens AG, had to say on their efforts to date:

Wherever wrongdoing was proved beyond a doubt, we immediately took the necessary actions. Wherever there were systemic weaknesses, we identified them and corrected them. Where the necessary resources were lacking, we provided them. These demanding efforts have paid off: Today Siemens has a clear, transparent structure that no longer allows any gray areas with respect to responsibility. At the same time, these structures make Siemens more efficient, more cost-effective, and thus more competitive. The authorities took into consideration our unflinching desire to do whatever was necessary for a fresh start in determining the size of the penalties and the duration of the proceedings.


Operational Risk encompasses the actions taken by Siemens, which include the new centralized systems for payments, disbursements and other accounting functions that were previously handled in business units outside of Germany. This consolidation and integration of systems was not easy, but it shows that discovering how vulnerable the controls were under a decentralized system warranted the investment in a new way of doing business.

Only time will tell whether any company's Board of Directors' efforts to spend more resources on "The Art of Compliance" will make a difference to the regulators, investigators and litigators. One could probably bet that over time it will make a difference, but only if the "Tone at the Top" is commensurate with the actions being asked of the employees and stakeholders who do the day-to-day tasks of running the risk operations of the enterprise.

13 October 2009

Irregular Warfare: 21st Century Corporate Battlefield...

The safety and security of your corporate assets is a Board of Directors level issue. Loss events, including adversarial litigation for errors, omissions, or just plain ignorance of regulatory compliance, are gaining momentum. These Operational Risks associated with human behavior and the daily tasks performed on the job remain a vast vulnerability within the corporate enterprise. Why?

The discipline of effective Operational Risk Management requires a tone from the top that speaks to the core issue:

Historically, financial institutions that have experienced security breaches or costly exposure to operational and other kinds of risks have tended to keep these incidents under wraps.

The conventional wisdom was that it was bad for the brand and bad for the business to talk about these situations. But times have changed; the developments of the past couple of years in the financial services industry have served to demystify risk management in many ways. At the same time, with e-crimes and other kinds of online security breaches becoming more sophisticated and prevalent, some industry players are calling for more openness and collaboration as a way to try to identify and prevent attacks before they compromise critical customer information.


The growth of more sophisticated attacks on our critical infrastructure, exploits that compromise our "Personal Identifiable Information" (PII) and the risks associated with wrong, invalid or corrupted information will continue to accelerate. Loss events are directly tied to the speed and sophistication of the systems people use in their daily tasks; whether it is a person operating a vehicle with computers on board or sensors designed to collect specific information, the systems are faster and more complex.

Sharing information helps address the threats from transnational non-state actors who are organized and operating with the intent of exploiting vulnerabilities in the fabric of business. Those actors have three places to focus their efforts on your systems and controls:

  • Design
  • Implementation
  • Configuration

If businesses understand that these are the three areas attackers focus on, then perhaps they will realize that resources and manpower must be allocated to these key components of the enterprise defense. If you think about each loss you have incurred over the past year, the odds are that your attacker was able to exploit one of these three attributes. Think about it for a minute.

Even if your design is flawless in theory, over time you may come to find that the wall is not tall enough, the fence not long enough or the door not strong enough. Even if your implementation follows the designer's instructions, you may find that the environment you operate in is too hot, too isolated or overwhelmed with chaos. Even if your configuration today is a one-to-one match for all known exploits, the adversary is watching and monitoring your design and implementation. They are changing their tactics and "Modus Operandi" (MO) to fool you, scare you or operate in complete stealth mode until it is too late. This is known as irregular warfare:


When we say irregular warfare, what we're really talking about is a not so new, but newly formalized approach to dealing with challenges. It is a concept and philosophy properly considered in the strategic context that allows us to apply capabilities holistically to achieve desired effects. Its most unique characteristics are the focus on the relevant populations, support to sovereign partners and a linkage to our shared interests. It is a DoD activity not limited to SOF or dependent on a state of war.


Irregular Warfare "the concept" equips us intellectually to deal with a global environment that is characterized by broad ambiguities. These ambiguities are seen in the apolar nature of a world with multiple competitors, both state and non-state. Challenge causations that include crime, extremism and accelerating migration patterns and finally the interdependencies and interconnectivity of economies, communications and media systems and social networks. This is, without question, a highly complex challenge set and we must be a more capable and sophisticated actor ourselves if we expect to protect our national interests.


In order to better understand how to mitigate operational risks in our institutions, you also have to study the complexity of modern warfare. The speed and complexity of new adversaries (fraudsters, hackers, spies, terrorists, vandals, corporate raiders) that exploit your Design, Implementation or Configuration apply just as easily to your accounting controls as to your security measures. Those organizations that learn how to apply modern-day irregular warfare to the 21st century corporate battlefield will not only beat the competition, they will minimize their losses. The Operational Risk Management discipline is an essential element that begins with the tone at the top and one enlightened CEO.

01 October 2009

Remote Digital Forensics: Complacency Risk...

Operational Risk Management commands a spectrum of disciplines within the global corporate enterprise. While convergence of responsibility, accountability and resources is taking place, the internal threats continue to flourish. Why? How could a Chief Security Officer (CSO) not be aware of a specific threat to the institution by unknown subjects halfway around the world? The transnational organized crime syndicates that target our weakest organizations know that those organizations don't share information between departments, business units or even shared services within the enterprise. Does your CSO get a briefing from the CISO or CIO / INFOSEC staff on what the latest threats mean to you, such as cyber heists using ACH fraud?

This complacency is an internal threat that continues to amaze many and reinforces what few people truly understand about risk management. The adversaries utilize asymmetric strategy against unsophisticated targets to perpetuate their crimes and overall threats to people, processes, systems and deposit accounts. They are the modern day equivalents of "Bonnie & Clyde", Al Capone with a dash of Al Gonzales all rolled up into a massive threat that is increasing exponentially:

Two Romanian Citizens Extradited to the United States to Face Charges Related to Alleged Phishing Scheme

A phishing scheme uses the Internet to target large numbers of unwary individuals, using fraud and deceit to obtain private personal and financial information such as names, addresses, bank account numbers, credit card numbers, and Social Security numbers. Phishing schemes often work by sending out large numbers of counterfeit e-mail messages, which are made to appear as if they originated from legitimate banks, financial institutions, or other companies.

The investigation leading to the indictment stemmed from a citizen’s complaint concerning a fraudulent e-mail message made to appear as if it originated from Connecticut-based People’s Bank. In fact, the e-mail message directed victims to a computer in Minnesota that had been compromised, or “hacked,” and used to host a counterfeit People’s Bank Internet site. During the course of the investigation, it was determined that the defendants had allegedly engaged in similar phishing schemes against many other financial institutions and companies, including Citibank, Capital One, JPMorgan Chase & Co., Comerica Bank, Wells Fargo & Co., eBay, and PayPal.


Risk Management 101 uses an X and Y axis, with X representing the frequency of a risk and Y representing its severity (impact). In the four-quadrant model, the lower right box is where low-risk, high-frequency incidents occur, and the upper left box is where high-risk, low-frequency incidents occur. Got it.

As a CSO in your organization, where do you spend your time, resources and personnel in terms of their training, awareness and work efforts? Think about it for a minute. Most of you would probably say, "Well we focus on the High Frequency times High Risk incidents, the upper right box of the Risk Management model." Practice and prepare for the incidents that happen often and you will have employees who have no clue on what to do the day that something from that upper left box impacts your organization. The HIGH RISK x LOW FREQUENCY incidents are where you remain most vulnerable.

Arlington Man Sentenced 36 Months for $40 Million Ponzi Scheme

ALEXANDRIA, VA—Preston David Pinkett II, age 70, of Arlington, Va., was sentenced to 36 months in prison for engaging in a massive Ponzi scheme that raised more than $40 million in fraudulent payments from investors. Pinkett was also sentenced to three years of supervised release and ordered to pay $18,774,989 in restitution.


The fact that most frauds run for two years before they are discovered tells most risk managers that even effective accounting and audit controls can't catch these white-collar criminals before it's too late. High-risk, low-frequency incidents have the greatest impact on your institution, and yet little or no resources, training or attention are paid to these threats to your reputation and economic livelihood.

Now let's take this a step further into the practices you have for employees exiting your business. Are you conducting exit interviews? Are you examining all of the employee's digital assets for the presence of anti-forensics or the exfiltration or theft of sensitive, proprietary trade secrets or intellectual property from the corporation? Both of these steps are necessary regardless of who is leaving and the circumstances of their departure from your institution.

The utilization of "Remote Digital Forensics" and other centralized shared services such as this can provide your Business Units and even suppliers with capabilities that they don't need to staff internally. The technologies and resources exist today to address the stealth of fraud, the crisis stemming from industrial espionage or the disgruntled employee stalking those who they perceive as the reason for their dismissal.

An effective internal approach to high-tech and advanced Operational Risk Management, as it pertains to the rapidly changing landscape of smart, educated and daring people, must include a robust intelligence and audit capacity. Without it, the transnational eCrime syndicates or the internal employee threat will prey on your vulnerabilities: complacency, lack of training and an apathetic approach to the design, configuration or implementation of your systems.

24 September 2009

Threat Management Team: Preemptive Risk Strategy...

The Corporate Threat Management Team (TMT) has been busy this past year, and your employees are consistently seeing new and startling behavior beginning to emerge. These small and versatile task forces, drawn from corporate Operational Risk committee members, include the Chief Security Officer, Human Resources (EAP), Ethics & Compliance, General Counsel and the Chief Information Officer or Privacy Officer.

Threats in the workplace, including violence, sabotage, financial fraud, homicide or suicide, are growing in the current economic environment, and the Board of Directors is on alert. The Board has a daunting responsibility to provide the enterprise stakeholders with a:

  • Duty to Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise

Threat assessment is a legal responsibility of corporate management and directors, but this is nothing new per se. What may be trending upwards, and at an alarming rate, is the litigation associated with continuing job losses in many states across the United States where the stimulus programs have not stopped the erosion of employment opportunities. This in turn exacerbates the pressure on existing employees, who are being held hostage by employers to do more with less, and the stress factors in their jobs produce extreme and sometimes bizarre behavior. Just ask Dr. Larry Barton about the subject of corporate threat assessment:


Despite sound recruitment practices, any employer may encounter situations in which colleagues are worried about their safety because of the actions or statements made by a co-worker. The person at risk could be a current employee, former associate/contractor, disgruntled customer, investor or other person who makes or constitutes a threat to your most vital resource - your human capital.

This (Threat Assessment) approach employs strategies that have been successful in a variety of situations, including:
  • an associate being stalked by a spouse or former partner
  • an employee who states that he or she is experiencing significant mental deterioration or who has thoughts of self-harm or homicide
  • altercations between co-workers and/or with a supervisor that are escalating in tone and severity
  • serious changes in attitude and performance with known or suspected substance abuse factors
  • social networking, blog and other means of electronically threatening an individual or team

Having personally witnessed Dr. Barton's methods and approaches, the science and his applications are sound. The strategy for implementation is based upon several decades of experience and encompasses the legal framework necessary to sustain the scrutiny of law enforcement and the courts.

The actions used to address a growing threat by a person in the workplace take a dedicated team, with the right tools and information at their fingertips. Making split-second decisions based upon a lack of documented evidence, failure to follow a set of written policies or just the wrong timing can open the doors to substantial and costly plaintiff suits.

Achieving a Defensible Standard of Care in the reality of today's volatile enterprises requires sound execution of a governance strategy, combined with new resources and tools to properly prepare for those almost certain legal challenges. Combining effective "BioPsychoSocial" subject matter expertise with the right people from legal, security, investigations, internal audit or corporate risk management can produce successful outcomes for "At Risk" employees and the entire enterprise.

This brings us to the next point regarding how a particular employee was allowed to get to the point of "No Return" in the workplace. Put on your thinking caps for a few minutes.

Whenever you have a Threat Management Team assembling to interdict a serious danger to the company, you immediately start to converge on the motive or reason why the person has acted or is acting against company policy or behaving in a threatening manner. It's natural to do so, as most people want to know what's causing the issue. Be careful. What seems to be the cause is only the "Proximate Cause." Do you really understand the "Root Cause" of the failure of people, processes, systems or some external events?

The analysis, investigation, documentation and presentation on what happened and why is the hard stuff. Getting to the "Truth" and getting answers to the "Root Cause" requires another team of specialty practitioners. These independent, outside risk advisory professionals should not be from any current or existing corporate supplier, auditor or management consultant. They truly need to be the independent, unbiased and diligent entity to discover the truth and to document the root cause of the incident. The goal is to eliminate the future threat and to mitigate any risks that may still be "lying in wait."

Corporate Management and Boards of Directors must continue to move to the left of the proximate cause on the risk management spectrum to be preemptive, proactive and preventive. Each dollar invested here with the correct and smart resources with independent viewpoints will return nine dollars in savings from the reactive costs of hiring outside counsel and playing damage control on the corporate reputation.

07 September 2009

Red Zone: Behavioral Analysis Interviews...

Industrial Espionage and the theft of trade secrets are on every Operational Risk Management executive's mind these days. The recent milestone conviction under the Economic Espionage Act of 1996 in the United States marks the starting point for accelerated investigations by the counterintelligence and OPSEC units of major public and private organizations:

A former Rockwell and Boeing engineer from Orange County was remanded into custody this morning after a federal judge convicted him of charges of economic espionage and acting as an agent of the People’s Republic of China, for whom he stole restricted technology and Boeing trade secrets, including information related to the Space Shuttle program and Delta IV rocket.

How 250,000 pages of classified, proprietary and otherwise sensitive information came to be found under this employee's house is a good question. What might be an even more interesting question pertains to the controls for OPSEC and INFOSEC at Boeing in Orange County, CA.

Information Operations (IO) or Information Security controls are only as good as the creativity and the will of the individual human being who exploits the vulnerabilities in the design, configuration or implementation of the layers of defense. This is why the counterintelligence and OPSEC capabilities within the enterprise must be ever vigilant and continuously adapting to the internal insurgency within the organization.

The Operational Risks that the OPSEC team is focused on these days have to do with data leakage prevention (DLP), insider threat prevention and data exfiltration prevention capabilities. As companies such as Boeing and other Defense Industrial Base (DIB) institutions use the latest software, hardware and other technology to help detect and prevent "insiders" from stealing, changing or deleting sensitive information, there still remains the risk of human factors and social engineering.

Sometimes the low-tech or human-designed detection systems that work on behavioral sciences can be just as effective as the newest software running on the fastest computer box. One example is "The Reid Technique" in the context of doing routine interviews and investigations with a set of "Red Zone" employees. Who are the red zone employees? Those individuals who have certain access to systems or information, who leave the organization for involuntary reasons, or who may be third-party suppliers to the key people in the red zone. So how does the Reid Technique help?

The Reid Technique is a method of meeting, conferring with, and evaluating, the subjects of an investigation. It involves three different components — factual analysis, interviewing, and interrogation. While each of these are separate and distinct procedures, they are interrelated in the sense that each serves to help eliminate innocent suspects during an investigation, thereby allowing the investigator to focus upon the person most likely to be guilty.

Organizations spend thousands of dollars, if not hundreds of thousands, doing what are called background investigations. These are many times outsourced to third parties to provide a level of comfort that the person they are going to hire is a person of integrity who has not committed any crimes and does not live a lifestyle inconsistent with the policies and regulations of the organization's hiring and employment practices.

The Integrity Interview is a highly structured interview with a job applicant. The purpose for the interview is to develop factual information about the applicant's past behavioral patterns.

Specifically, the following areas are assessed during the interview:

  • Employment History
  • Theft and Related Activities
  • Work Related Alcohol Use
  • Violations of Company Policy
  • Recent Use of Illegal Drugs
  • Criminal Behavior


The philosophy behind the interview is very straightforward. The most accurate indicator of an individual's future behavior is their recent past behavior.


The same technique can be used on a departing employee with the emphasis on adherence to all "Acceptable Use" policies regarding digital assets and cyberspace access to organizational data repositories. Individuals who have the characteristics associated with deception could be the target of a further investigation to determine whether any unauthorized information has been sent to a webmail account or if a 4 GB Thumb Drive happened to be plugged into a corporate laptop the night before the last day on the job.
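The exit check described in this post and in the "Remote Digital Forensics" post above (examining a departing employee's digital assets for exfiltration signs such as a thumb drive plugged in or files sent to webmail before the last day) can be partly automated on the defender's side. The following is an added example, not code from the original posts: it scans constructed endpoint log lines for removable-media and web-upload events by "red zone" users in the days before their last day. The log layout, user names and dates are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample endpoint log lines, not taken from any real system. The
# "timestamp key=value ..." layout is an assumption made for this example.
SAMPLE_LOG = """\
2009-09-02T09:15:00 host=LAPTOP-17 user=jdoe event=logon detail=interactive
2009-09-03T22:14:05 host=LAPTOP-17 user=jdoe event=usb_storage_attached detail=capacity_4gb
2009-09-03T22:31:40 host=LAPTOP-17 user=jdoe event=file_copy detail=E:/designs.zip
2009-09-03T23:02:11 host=LAPTOP-17 user=jdoe event=web_upload detail=webmail.example.invalid
2009-08-20T14:00:00 host=LAPTOP-22 user=asmith event=usb_storage_attached detail=capacity_8gb
2009-09-04T10:00:00 host=LAPTOP-31 user=bwong event=logon detail=interactive
"""

# Constructed "red zone" roster (the post's term for departing or privileged
# staff): user -> last day on the job. Names and dates are assumptions.
RED_ZONE = {
    "jdoe": datetime(2009, 9, 4),
    "asmith": datetime(2009, 9, 30),
}

# Event types that warrant a second look when they occur close to an exit.
EVENTS_OF_INTEREST = {"usb_storage_attached", "file_copy", "web_upload"}


def parse_line(line):
    """Turn one log line into a dict of fields plus a 'ts' datetime.

    Returns None for blank or malformed lines so a bad line never aborts
    the whole review."""
    tokens = line.split()
    if len(tokens) < 2:
        return None
    try:
        ts = datetime.fromisoformat(tokens[0])
    except ValueError:
        return None
    fields = {}
    for token in tokens[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    fields["ts"] = ts
    return fields


def find_exit_indicators(log_text, roster, window_days=7):
    """Return events of interest by red-zone users that fall within
    window_days before (and including) their last day, oldest first.

    Each finding is a tuple (user, iso_timestamp, event, detail)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec.get("user")
        if user not in roster or rec.get("event") not in EVENTS_OF_INTEREST:
            continue
        last_day = roster[user]
        window_start = last_day - timedelta(days=window_days)
        window_end = last_day + timedelta(days=1)  # through end of last day
        if window_start <= rec["ts"] < window_end:
            findings.append(
                (user, rec["ts"].isoformat(), rec["event"], rec.get("detail", ""))
            )
    findings.sort(key=lambda f: f[1])
    return findings


def summarize(findings):
    """Count findings per user so the reviewer can prioritise interviews."""
    counts = {}
    for user, _, _, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_exit_indicators(SAMPLE_LOG, RED_ZONE)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

With the constructed data, only jdoe's three events on the night before the last day are flagged; asmith's USB event is outside the default seven-day window and is only surfaced when the window is widened.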

This low-tech method may be one of the most effective means of countering industrial espionage: old-school methods with 21st century technologies. All of the detection hardware and software, CCTV cameras, tagged files or RFID countermeasures will not be able to thwart a diligent, patient and trusted insider. Utilizing Behavioral Interview Analysis can make the difference between early detection and late reaction.

And while the OPSEC group is working on the "Lone Wolf" insider, there are swarms of non-state attackers initiating their 4GW (fourth-generation warfare) strategy on the cyberspace front of corporations and governments worldwide. Just ask Jeffrey Carr:

The Cyber Domain consists of inter-related threats (financial crimes, espionage, network warfare) that have traditionally been segmented off to different agencies with their own siloed areas of responsibility. What is needed, however, is a unified approach to collection and analysis that mimics the non-traditional, multi-faceted strategies used by non-state actors in both cyber and kinetic conflicts. Project Grey Goose was our proof-of-concept.

Economic espionage and attacks on nation states' critical infrastructures require a substantial shift in policy and taxonomy if we are ever going to be effective in defending ourselves. GreyLogic may be on the right track when it comes to educating those who need it so that they can make the leap to be "Wired for War." While the CEOs and the Generals are being briefed on the latest facets of "Weaponizing Malware," we can only hope that OPSEC is conducting the behavioral analysis interview: a face-to-face encounter with someone who may just be the one person who has your most valuable intellectual property or trade secret in the briefcase at their feet.

24 August 2009

Health Care: Operational Risk on Steroids...

Health Care Sector Operational Risk Management is on the front burner once again. Recent changes to federal law governing health information suggest expanded regulation, increased enforcement, and significantly enhanced penalties could be on the horizon for businesses not previously subject to HIPAA. The Health Insurance Portability and Accountability Act (HIPAA), which was amended by the American Recovery and Reinvestment Act of 2009 (ARRA) in February, regulates the use of, access to, and dissemination of healthcare information. The increased scrutiny of our own health related personal identifiable information is only the beginning of a national platform for health care. Personal health records will be highly sought after by criminal organizations to help them with extensive online extortion schemes so they can monetize the stolen information.

Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records – say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?

The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.

Transnational economic crime syndicates that have been fueled by the failures in systems and people at institutions in the financial services industry may now be getting a better source to perpetuate their wave of extortion. Just think about the phishing e-mail that goes out to the hundreds of thousands of people who have a particular type of medical condition or are taking a specific drug for a particular medical diagnosis. Revealing the names, occupations and other relevant information on the subset of male politicians running for office who are currently taking the Pfizer drug for ED, or the subset of women talk show hosts who are taking the drug Xanax, may have some individuals willing to pay up the 500 or 1000 dollars being demanded by the criminals who stole the Protected Health Information (PHI).

As the United States speeds along towards a consensus on a national health care system, the risk of health care data breaches will be rising. Where a doctor once had a small staff helping with the back office to bill insurers, and where health care information systems vendors were in high demand, you will now have the nexus of targets that cyberspace criminals will focus on. Just as consumer retailers rely on third-party credit card processing companies to take care of the millions of annual point-of-sale transactions, so too will the consumers of health care services at the retail level: doctors' offices, pharmacies and outpatient or triage centers.

The HHS and FTC interim rules were mandated by more stringent privacy and security requirements outlined in the American Recovery and Reinvestment Act of 2009 (ARRA) for Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities and business associates and certain non-HIPAA-covered entities.

"This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care," said Robinsue Frohboese, acting director of the HHS Office for Civil Rights.

HHS and FTC said their rules were intentionally written to be harmonious with one another. The entities covered by either rule have up to 60 days to notify individuals whose information was accessed without authorization. If the breach involves PHI belonging to 500 or more people, entities must alert the media and either HHS or FTC, depending on which rule they are subject to. If the breach involves fewer than 500 people, the entities must keep a log of the incident to be submitted to either HHS or FTC at the end of the year.

Unlike the motive to monetize the information from a compromised credit card through additional fraudulent purchases, the new health care criminal syndicates will find their own niches. Whether there is a continued attempt at utilizing the PHI for spear phishing attempts at specific individuals online or a more broad use of PHI to steal one's identity to obtain health services at hospitals or physicians' offices, the impact could now turn more deadly:

Medical identity theft is potentially lethal to its victims. When the identity thief obtains medical treatment, medical records are created in the name of the victim. When treatment occurs in the same locality as the victim, the treatment of the thief can be appended to local medical records of the victim. With the strong movement towards electronic medical records, all those under the victim’s name and social security number can be collated in seconds. Once the thief’s medical records are collated with the victim’s, there is a risk of mistreatment of the victim, which can potentially lead to death.

Lind Weaver, a retired school teacher, was harassed by a bill collector for a medical bill for the amputation of her foot. The problem was that Weaver still had two feet. Foot amputations are associated with diabetes, a disease that Weaver did not have. Months later Weaver suffered a heart attack; when she awoke in the hospital a nurse asked her which type of drugs she was taking for her diabetes. Had Weaver undergone heart surgery as a diabetic, mistreatment could have been life threatening.


Protected Health Information will continue to be a challenge for those institutions trying to achieve a "Defensible Standard of Care" in the decade ahead. The wave of risks associated with online banking and the technologies driven by consumers' thirst for financial information will seem inconsequential compared to what we are about to experience in online health care.

31 July 2009

Red Flags Rule: Reputations at Stake...

The "Red Flags Rule" is on the back burner in the United States until November 1, 2009, now that the Federal Trade Commission has delayed the compliance mandate again. Are you ready? Do you have to comply?

The Federal Trade Commission has postponed a deadline for many of the nation's businesses -- including banks, public utilities and health-care providers -- to comply with a controversial identity-theft prevention program.

The program, called the "Red Flags Rule," was to take effect Aug. 1 but will now be delayed until Nov. 1. The program is aimed at preventing the loss of billions of dollars as the result of the theft of consumer and taxpayer personal information. Under the regulation, companies and institutions would be required to establish a way to identify potential threats at the businesses, find ways of detecting such threats and install measures to prevent them. Employees would also have to be educated about the programs.

A survey commissioned in 2006 by the FTC revealed that more than nine million Americans have their identities stolen each year at a total estimated loss of $15.6 billion.


The nation is under a barrage of attacks from adversaries that lie in the shadows behind "Conficker" and other botnets and malware, yet business still delays the compliance measures asked of it. One only has to look deeply into the latest 2009 report from Cisco to better understand the state of risk from "Transnational Economic Crime":

Report Highlights

  • Criminals are exploiting traditional vulnerabilities because they believe security experts and individual users are paying little attention to these types of threats.
  • Compromising legitimate websites for the purpose of propagating malware remains a highly effective technique for criminals.
  • Web 2.0 applications, prized for their ease of use and flexibility, have become lures for criminals.
  • Criminals are now targeting online banking customers using well-designed, localized text message scams that leave virtually no trail in their wake.
  • The Obama administration has made strengthening U.S. cybersecurity a high priority, and plans to meet threats by using technological innovations and partnering with the private sector. Other countries are similarly increasing efforts to enhance cybersecurity and prevent cybercrime.
  • Compared to 2008, the number of vulnerabilities and discrete threats has not risen as quickly. According to research by Cisco, this is a clear sign that the security community is succeeding in making it more difficult for attacks to take root and grow.


Operational Risks are vast, and the technology landscape is not getting narrower; it is expanding. Cloud Computing is the latest attempt to capture cost savings and make the IT puzzle less of an asset management nightmare. If you think you understand it and where it is heading, think again. One only has to visit the "Black Hat" briefings to get a better sense of what the true risks are going to be, if they are not here already. This one caught our eye, and for good reason:

Nitesh Dhanjani

Psychotronica: Exposure, Control, and Deceit

This talk will expose how voluntary and public information from new communication paradigms such as social networking applications can enable you to remotely capture private information about targeted individuals.

Topics of discussion will include:

Hacking the Psyche: Remote behavior analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware.

Techniques on how individuals may be remotely influenced by messaging tactics, and how criminal groups and governments may use this capability, including a case study of Twitter and the recent terror attacks in Bombay.

Reconnaissance and pillage of private information, including critical data that the victim may not be aware of revealing, and that which may be impossible to protect by definition.

The goal of this presentation is to raise consciousness on how the new paradigms of social communication bring with them real risks as well as marketing and economic advantages.


The risks to "Social Networking" and Twitter-based consumers and to the extended digital enterprise are vast. CISOs and internal audit teams have been fighting their own internal battle for years and will soon realize, once and for all, that they are on the same side of the Cyberspace war. The risks to the organization may come in the form of a major business disruption, a denial of service (DoS) or, even worse, a significant loss of consumer Personally Identifiable Information (PII). Even if you are considered PCI compliant, just as "Network Solutions" was, the loss of reputation can be significant:

Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months, Security Fix has learned.

Herndon, Va. based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said.

The "Red Flag" may have turned to a "White Flag" as you surrender to the lawyers and the federal oversight.

18 July 2009

FCPA: Modern Day "Smoking Gun"...

Corporate malfeasance is on the mind of most global executives today. Their enterprises are fighting the economic challenges and at the same time defending their reputations as new "Smoking Guns" are revealed. Perhaps these modern day discoveries of wrongdoing should be renamed "Smoking Digital Evidence", because that is exactly what they are. Information uncovered through normal monitoring practices, or as the result of a specific investigation, produces "Red Flag" alerts when it matches acceptable use policy or corporate rule sets.

These "Red Flags", uncovered in the context of programs devoted to processing digital evidence, are now a standard Modus Operandi for corporate governance, legal and operational risk management. These new tactical business units are being developed in rapid response to new regulatory and compliance mandates, yet the greater pressure is coming from the wake-up calls senior executives have been receiving lately.

The Justice Department's probe of the credit default swaps market is reportedly focusing on Markit Group Holdings Ltd., the London-based supplier of prices in OTC derivatives, and its relationship to a group of major banks that own a stake in the company. The DOJ is scrutinizing the ownership of Markit by a group of banks that control a large amount of pricing in the $28 trillion credit derivatives market.

The banks have received a notice of investigation from the DOJ asking them for details on their trading activity, including how much they have at risk in the market and the monthly value of their credit default swaps, according to Bloomberg News. Banks that own the largest stakes in Markit include: J.P. Morgan, Bank of America (through its acquisition of Merrill Lynch), Deutsche Bank, Royal Bank of Scotland, which acquired ABN Amro, as well as Credit Suisse, Goldman Sachs, Morgan Stanley and UBS, according to Bloomberg News.

"The DOJ is looking to find any wrongdoing in that marketplace," commented Paul Zubulake, senior analyst at Aite Group in an interview with Wall Street & Technology. "Obviously that is going to open up a large can of worms," he said. "It will be costly for the dealers that have to battle the DOJ given the discovery issues, about all the information, emails and instant messages they will need to turn over."

Digital Forensics, Records Management and eDiscovery units at some of the largest financial institutions are working overtime. Searching for "Smoking Digital Evidence" will become standard operating procedure on most international transactions, whether in the financial services industry or even telecommunications:

Good news for compliance officers: You now have solid evidence that the benefit of implementing an effective compliance program far outweighs the cost, in the form of the massive Foreign Corrupt Practices Act settlements swallowed by Siemens AG and three of its foreign subsidiaries.

Siemens, a German conglomerate that is one of the largest engineering firms in the world, agreed in December to pay more than $1.6 billion to U.S. and German regulators for a massive bribery scheme that felled the highest executives at the company. Penalties paid to the Justice Department and Securities and Exchange Commission alone topped $800 million, by far the largest sanction ever imposed in an FCPA case.

In the following excerpt, Linda Chatman Thomsen speaks on the massive Siemens investigation: "Furthermore, the $1.6 billion total that Siemens will pay in these settlements is the largest amount that any company has ever paid to resolve corruption-related charges.

And that is fitting because the alleged conduct by Siemens was egregious and brazen. It was systematic, it involved thousands of payments, and it occurred over an extensive six-year period. Siemens created elaborate payment schemes to conceal these corrupt payments to foreign officials. The company’s inadequate internal controls allowed the conduct to flourish.

The details tell a very unsavory story: employees obtained large amounts of cash for Siemens’ cash desks; employees sometimes carried that cash in suitcases across international borders to pay bribes; payment authorizations were recorded on post-it notes that were later removed to avoid leaving any permanent record; there were slush funds and a cadre of consultants and intermediaries to facilitate paying the bribes.

Investigating this intricate scheme and righting Siemens’ wrongs has taken a remarkable and unprecedented level of coordination among many law enforcement agencies around the world."

The internal threat from employees, partners and so-called in-country agents who help facilitate business deals is one square in the risk management matrix. The business transactions themselves are becoming part of a Venn Diagram that includes:

  • Business & Global Commerce
  • Personnel Security & Integrity
  • Rule of Law & Litigation

As global institutions continue their expansion across the continents where capital follows security and the rule of law, so too will the attacks on the corporate enterprise.
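The "Red Flag" alerts this post describes come from running monitoring rule sets over transactional records, and the Siemens settlement quoted above names the patterns such rules look for: cash drawn for payments, consultants and intermediaries used as conduits, and payment authorizations that leave no permanent record. Below is an added example of that kind of screening, written for this page and not taken from the post, from Siemens or from any regulator: a small rule engine run over a constructed disbursement ledger. The record fields, the thresholds, the high-risk jurisdiction codes and every name in the sample are assumptions for illustration.

```python
"""Rule-based "Red Flag" screening of a disbursement ledger (added example).

Each rule is a predicate over one payment record. A record that trips one or
more rules produces an alert listing every rule tripped, so the reviewer sees
the whole pattern rather than only the first match. A second check looks across
records for repeated payments to the same intermediary. Field names, thresholds
and the high-risk jurisdiction list are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Set, Tuple

HIGH_RISK_COUNTRIES = {"XX", "YY"}   # assumed: the compliance team's own list
INTERMEDIARY_ROLES = {"consultant", "agent"}
CASH_LIMIT = 10_000                  # assumed threshold for cash disbursements
ROUND_UNIT = 10_000                  # exact multiples of this are treated as suspiciously round


@dataclass(frozen=True)
class Payment:
    payment_id: str
    paid_on: date
    amount: float
    currency: str
    method: str                  # "wire", "cash" or "check"
    payee: str
    payee_role: str              # "vendor", "consultant", "agent" or "employee"
    country: str
    invoice_ref: Optional[str]   # None when no supporting document exists
    approver: str
    memo: str = ""


Rule = Callable[[Payment], bool]

# Name / predicate pairs; the name is what the reviewer sees in the alert.
RULES: List[Tuple[str, Rule]] = [
    ("cash_over_limit",
     lambda p: p.method == "cash" and p.amount >= CASH_LIMIT),
    ("intermediary_in_high_risk_country",
     lambda p: p.payee_role in INTERMEDIARY_ROLES and p.country in HIGH_RISK_COUNTRIES),
    ("no_supporting_invoice",
     lambda p: p.invoice_ref is None),
    ("round_amount",
     lambda p: p.amount >= ROUND_UNIT and p.amount % ROUND_UNIT == 0),
    ("self_approved",
     lambda p: p.approver == p.payee),
]


def screen(payments: List[Payment]) -> Dict[str, List[str]]:
    """Return {payment_id: [names of rules tripped]} for flagged records only."""
    alerts: Dict[str, List[str]] = {}
    for p in payments:
        tripped = [name for name, rule in RULES if rule(p)]
        if tripped:
            alerts[p.payment_id] = tripped
    return alerts


def repeat_intermediary_payees(payments: List[Payment],
                               window_days: int = 30, min_count: int = 3) -> Set[str]:
    """Cross-record check: the same intermediary paid min_count or more times
    within window_days. Returns the set of payees that show this pattern."""
    dates_by_payee: Dict[str, List[date]] = {}
    for p in payments:
        if p.payee_role in INTERMEDIARY_ROLES:
            dates_by_payee.setdefault(p.payee, []).append(p.paid_on)
    flagged: Set[str] = set()
    for payee, dates in dates_by_payee.items():
        dates.sort()
        for i in range(len(dates) - min_count + 1):
            if (dates[i + min_count - 1] - dates[i]).days <= window_days:
                flagged.add(payee)
                break
    return flagged


# Constructed sample ledger; every name and reference is fictitious.
SAMPLE_LEDGER = [
    Payment("P-001", date(2009, 3, 2), 4_250.00, "EUR", "wire", "Acme Parts GmbH",
            "vendor", "DE", "INV-7781", "j.doe"),
    Payment("P-002", date(2009, 3, 5), 50_000.00, "USD", "cash", "Consult Partners Ltd",
            "consultant", "XX", None, "j.doe", "project facilitation"),
    Payment("P-003", date(2009, 3, 12), 50_000.00, "USD", "wire", "Consult Partners Ltd",
            "consultant", "XX", "INV-0001", "j.doe"),
    Payment("P-004", date(2009, 3, 20), 25_000.00, "USD", "wire", "Consult Partners Ltd",
            "consultant", "XX", None, "j.doe"),
    Payment("P-005", date(2009, 3, 21), 1_200.00, "USD", "check", "r.roe",
            "employee", "US", "EXP-553", "r.roe", "travel"),
]

if __name__ == "__main__":
    for pid, names in sorted(screen(SAMPLE_LEDGER).items()):
        print(pid, "->", ", ".join(names))
    print("repeat intermediary payees:", sorted(repeat_intermediary_payees(SAMPLE_LEDGER)))
```

The per-record rules are deliberately kept separate from the cross-record check: a single cash payment to a consultant is a lead, while three payments to the same intermediary in a fortnight is the pattern that the rule engine would otherwise never see. In practice the rule names, not the raw records, are what get routed to legal and compliance, which is why each alert carries every rule it tripped.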

09 July 2009

Trusted Systems: Human Factors in Play...

The case is U.S. v. Dreier, 09-cr-00085, U.S. District Court, Southern District of New York (Manhattan). It is only the beginning of a long hard road for many unidentified subjects (unsubs) as the fallout from the U.S. economic crisis uncovers who was stealing other people's money for their own fraudulent schemes.

Marc Dreier, the New York law firm- founder who pleaded guilty to defrauding hedge funds of more than $400 million, should be sentenced to 145 years in jail, prosecutors said, as a defense lawyer sought a term of as little as 10 years.

The rival requests came in court filings today in federal court in Manhattan. Dreier will be sentenced on July 13 by U.S. District Judge Jed Rakoff. Investors who placed more than $740 million with Dreier lost at least $400 million, lawyers said.


Operational Risk associated with third-party suppliers is a continuous concern. Effective due diligence on partners and service providers is a necessary task, performed at least quarterly. Many institutions leave it to the service level agreement (SLA) or the written contract to do the monitoring. To their detriment, words on a contract are not enough, especially when the partners are the lawyers themselves.

New York prosecutors on Wednesday said 13 people and a mortgage origination company have been indicted on charges of running a multimillion-dollar real-estate fraud that cheated lenders through sham sales.

The defendants include employees at the Long Island, New York-based mortgage company AFG Financial Group Inc, several attorneys and other defendants, according to Manhattan District Attorney Robert Morgenthau.

The investigation is continuing, and Morgenthau said the size of the scheme could eventually total $200 million.

One lawyer accused of engaging in fraudulent transactions was involved in transactions adding up to more than $100 million, Morgenthau said.

Lenders who were victimized in transactions made by that one lawyer included New Century Mortgage Corp, WaMu/Long Beach Mortgage Co, Countrywide Financial, First Franklin Financial Corp and Mortgage Network USA Inc.


The financial services sector will remain a quagmire for transactions for decades to come. The due diligence, fact checking and assurance that the "Deal" is a solid one will continue to place a tremendous burden on all parties: the consumer, the lender and the underwriters.

The human factors associated with crimes such as fraud are well known. The "Ponzi Scheme" has been a textbook case study in business schools for years. What may not have been so obvious is the science behind the human motivators, and even less noticeable is how accustomed we have become to trusting the automated world we live in. The computer that totals what we have purchased in the retail store is one of the first trusted information scenarios we grow up with. How many people actually add up the dozens of items in their grocery cart, calculate the tax and any discounts, and check that the Point of Sale (POS) system has done its math correctly?

So what is Human Factors Science?

Human factors are sets of human-specific physical, cognitive, or social properties which either may interact in a critical or dangerous manner with technological systems, the human natural environment, or human organizations, or they can be taken into consideration in the design of ergonomic, human-user oriented equipment. The choice/identification of human factors usually depends on their possible negative or positive impact on the functioning of human-organization and human-machine systems.

Did someone try to steal Goldman Sachs’ secret sauce?

While most in the US were celebrating the 4th of July, a Russian immigrant living in New Jersey was being held on federal charges of stealing top-secret computer trading codes from a major New York-based financial institution—that sources say is none other than Goldman Sachs.

The allegations, if true, are big news because the codes the accused man, Sergey Aleynikov, tried to steal are the secret code to unlocking Goldman's automated stocks and commodities trading businesses. Federal authorities allege the computer codes and related trading files that Aleynikov uploaded to a German-based website help this major "financial institution" generate millions of dollars in profits each year.


Trusted Systems, and the information that flows from them, are only as good as the programs that run them and the people who developed the millions of lines of code in the software. The trading systems at the NYSE, NASDAQ and Hang Seng Index are only as reliable as the calculations and the integrity of the systems themselves. When the trust in a trusted system is compromised, whether through a program or a person, human factors take over.

26 June 2009

Digital Forensics: Right to Question CSI's...

The US Supreme Court's ruling in MELENDEZ-DIAZ v. MASSACHUSETTS will have a significant impact on Digital Forensics expert practitioners. Legal cases that rely on the examination of computers and other digital assets containing relevant information will see more testimony from the CSI analysts and experts who performed the examination. The New York Times report by Adam Liptak says:

Crime laboratory reports may not be used against criminal defendants at trial unless the analysts responsible for creating them give testimony and subject themselves to cross-examination, the Supreme Court ruled Thursday in a 5-to-4 decision.

Noting that 500 employees of the Federal Bureau of Investigation laboratory in Quantico, Va., conduct more than a million scientific tests each year, Justice Kennedy wrote, “The court’s decision means that before any of those million tests reaches a jury, at least one of the laboratory’s analysts must board a plane, find his or her way to an unfamiliar courthouse and sit there waiting to read aloud notes made months ago.”

The outcome of the ruling for the prosecution is that forensic examiners and scientists will be more thoroughly scrutinized on the tests they perform. The process will require more effective documentation and the ability to replay for a jury exactly the procedure used to support any fact in evidence. This should not be difficult where today's Best Practices, such as video recording of the entire test and examination, are already followed. Achieving a "Defensible Standard of Care" will, however, become even more of a priority for Operational Risk Management professionals.

The defendant will have the ability to cross-examine the analyst, whether the analyst determined the blood type of the accused attacker or the date, time and place from which the defendant sent an e-mail from the office computer to a co-conspirator.

In the digital forensics environment, the ruling means that subject matter experts will simply be spending more time in court and on the witness stand. This will lengthen trials, yet the right to examine the process, the expertise and the documented procedures behind the evidence that has been introduced is an important one.

From an Operational Risk Management point of view, this means that your eDiscovery and Digital Forensics certified examiners will be under the magnifying glass and subject to questioning by counsel. We expect increased attention to the same issues in civil matters soon. Several states are asking that outsourced entities engaged to inspect digital assets be licensed by the state as Private Investigators. This provision would also require the expert to be certified in the state laws on civil procedure, chain of custody and the handling of evidence.
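The documentation the ruling demands, and the chain of custody the state licensing provisions refer to, are in practice backed by recording a cryptographic hash of each evidence item at every handling event. The following is an added example written for this page, not code from the post or from any court or laboratory: a small tamper-evident custody log in Python. It hashes the evidence file at acquisition and at each later event, links each log entry to the hash of the previous one, and reports whether the evidence or the log itself has changed. The evidence identifier, the event vocabulary and the field names are assumptions for illustration, and the evidence file is constructed in a temporary directory.

```python
"""Tamper-evident chain-of-custody log for one digital evidence item (added example).

Two things are protected. The evidence file: its SHA-256 is recorded at every
handling event, so any change between acquisition and trial is visible. The
log itself: each entry carries the SHA-256 of the previous entry, so an entry
that is edited or removed after the fact breaks the chain. Field names and the
event vocabulary are assumptions for illustration, not a standard.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64   # prev_hash carried by the first entry


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a multi-gigabyte image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_hash(entry: Dict) -> str:
    """Canonical hash of one log entry: sorted keys, no whitespace variation."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def record_event(chain: List[Dict], evidence_path: str, evidence_id: str,
                 action: str, examiner: str, note: str = "",
                 when: Optional[str] = None) -> Dict:
    """Append one custody event, re-hashing the evidence and linking to the
    previous entry. `when` is injectable so the demo below is reproducible."""
    entry = {
        "evidence_id": evidence_id,
        "action": action,        # assumed vocabulary: acquired, transferred, examined, ...
        "examiner": examiner,
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "evidence_sha256": sha256_file(evidence_path),
        "note": note,
        "prev_hash": entry_hash(chain[-1]) if chain else GENESIS,
    }
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict], evidence_path: str) -> List[str]:
    """Return the list of problems found; empty means the log links end to end
    and the evidence still matches the hash recorded at acquisition."""
    if not chain:
        return ["empty chain"]
    problems: List[str] = []
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != expected_prev:
            problems.append(f"entry {i}: prev_hash does not link to entry {i - 1}")
        expected_prev = entry_hash(entry)
    acquired = chain[0]["evidence_sha256"]
    for i, entry in enumerate(chain[1:], start=1):
        if entry["evidence_sha256"] != acquired:
            problems.append(f"entry {i}: evidence hash differs from acquisition hash")
    if sha256_file(evidence_path) != acquired:
        problems.append("current evidence hash differs from acquisition hash")
    return problems


def run_demo() -> Dict[str, List[str]]:
    """Build a two-event chain over a constructed evidence file, then show that
    editing the log and altering the evidence are each detected."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "item-0042.img")   # constructed stand-in, not a real image
        with open(img, "wb") as f:
            f.write(b"constructed evidence bytes\n" * 1024)
        chain: List[Dict] = []
        record_event(chain, img, "EV-2009-0042", "acquired", "examiner.a",
                     "write-blocked acquisition", when="2009-06-26T14:00:00+00:00")
        record_event(chain, img, "EV-2009-0042", "transferred", "examiner.b",
                     "hand-off to lab", when="2009-06-27T09:30:00+00:00")
        results["intact"] = verify_chain(chain, img)
        chain[0]["note"] = "acquisition (note edited later)"   # tamper with the log
        results["log_edited"] = verify_chain(chain, img)
        chain[0]["note"] = "write-blocked acquisition"         # restore the log
        with open(img, "r+b") as f:                             # tamper with the evidence
            f.seek(0)
            f.write(b"X")
        results["evidence_modified"] = verify_chain(chain, img)
    return results


if __name__ == "__main__":
    for stage, problems in run_demo().items():
        print(f"{stage}: {problems or 'OK'}")
```

Hashes alone do not prove who handled the item or when; the log earns its weight on the witness stand by being written contemporaneously and kept where the examiner cannot quietly rewrite it, for example by lodging the latest entry hash with a second custodian or on write-once media. That is the documented procedure counsel will ask the examiner to walk through.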

The question remains whether the Supreme Court Justices were thinking beyond the test for the presence of a drug that MELENDEZ-DIAZ v. MASSACHUSETTS turned on. The defense bar will use this ruling beyond the criminal courts, in civil trials where white collar cases rest largely on documents, e-mails and other digital evidence retrieved using forensic procedures.

It will be interesting to see how this ruling impacts the professional licensing, certifications and documentation of examinations for the 21st century Digital Forensic "CSI".

11 June 2009

4GW: U.S. CyberSpace OPS Risk...

The Washington, DC beltway bandits are buzzing in anticipation of President Obama's selection of the next defender and policy maker for United States CyberSpace. We wonder which branch of the armed forces s/he will come from, and to what degree s/he can win agreement from the power base that CyberSpace is indeed a "Strategic National Asset", once and for all.

Meanwhile, OPS Risk Managers are dealing with transnational non-state actors (in some cases funded by nation states) that are robbing our private sector and government agencies blind, stealing Personally Identifiable Information (PII), corporate Intellectual Property, defense R&D and classified State secrets. The next commander of U.S. CyberSpace has an even bigger job once the job starts: protecting and defending our country's vital Digital Infrastructure. This nexus of criminal, terrorist and irregular warfare is being waged on a 24/7 basis here in the homeland.

So how do you go about fighting this 4th Generation (4GW) war against well organized, decentralized, clandestine subjects operating in the cyber shadows? It begins with creating an effective Information Sharing Environment (ISE), a fusion of who, what, when, how, where and maybe why. Defending the nation against physical attacks by the likes of Al-Qaida and against virtual attacks by the likes of Yingcracker has some very interesting similarities.

If the next Secretary of U.S. CyberSpace is going to take the fight to those who wish to copy, delete, probe, scan, flood, bypass, steal, modify and spoof their way across our Digital Infrastructure, they could learn from this synopsis from Robert Haddick:

Does it take a network to beat a network?

On June 5 United States Joint Forces Command (USJFCOM) wraps up a week-long war game designed to test the Pentagon's vision of warfare in the future. The war game looks ahead to the year 2020 and examines how U.S. and allied military forces -- along with civilian government, non-government, and international institutions -- cope with a failing state, a globally networked terrorist organization, and a peer competitor. The results of the war game are supposed to influence the conclusions of this year's Quadrennial Defense Review, an in-depth review of the Pentagon's strategies.

Officials at USJFCOM won't discuss the results of the war game until at least July; many of the most interesting conclusions may remain classified. But the commander of USJFCOM, General James Mattis of the Marine Corps, described his vision of the future while delivering a speech at the Center for Strategic and International Studies.

Mattis discussed how today's adversaries have adapted to U.S. conventional military superiority by forming disaggregated networks of small irregular teams that hide among indigenous populations. United States military forces, by contrast, have only come under greater central control. According to Mattis, this shift is due to evolutions in intelligence-gathering and communications technologies. Call it the new iron law of military bureaucracies: when commanders gain the technical ability to micromanage, they will micromanage.

Mattis believes that in order to defeat modern decentralized networks, U.S. forces will have to become decentralized themselves. This will entail giving autonomy to and requiring initiative from the youngest junior leaders in the Army and Marine Corps. High-performance small infantry units, "a national imperative" according to Mattis, will need to operate independent from higher control, finding their own solutions to local problems as they implement broader policy guidance.


Whether the troops are fast-roping out of helicopters or sitting behind the flat screen detecting and analyzing a stealthy cyber attack, the approach to defeating the adversary is much the same. Infiltrating the "cells" and collecting valuable INTEL on the global enemy is what gives us the "Ground Truth." The commander for U.S. CyberSpace will soon be educated on the private sector's role in achieving this continuous and lofty goal of creating more decentralized and clandestine citizen soldiers.


As the private sector battles non-state actors to preserve and protect valuable customer data, corporations are simultaneously being attacked by adversarial plaintiffs' lawyers.

U.S. insurer Aetna has been targeted in a lawsuit alleging it failed to protect personal information of employees and job applicants, documents indicate.

The lawsuit comes after Aetna, of Hartford, Conn., was struck by computer hackers to access a company Web site holding personal data for 450,000 current and former employees as well as job applicants, the Hartford Courant reported Wednesday.


The private sector would welcome more proactive government efforts to seek out and stop the criminal and terrorist entities that prey on organizations that remain vulnerable. The Operational Risks associated with litigation in the corporate enterprise are here to stay. If the public and private sectors can once and for all coordinate, collaborate and "Share Information", we can disrupt, capture, prosecute and defeat our cyber adversaries.

02 June 2009

Continuity of Operations: Mother Nature or Active Shooter...

Continuity of Operations in the context of business gets onto the Board of Directors' agenda after every tragedy. Whenever the magnitude of a business disruption involves loss of life or major property damage, executive management goes into "Crisis Management" mode. Unfortunately for many, this may be the only time the Board and corporate executives have tested or exercised for such an incident.

So what is Continuity of Operations? What does it mean to your business? How pervasive does this Operational Risk strategy have to be? Think about a simple process, from the time a sales person picks up the phone to schedule an appointment to the time the product or service team has delivered or installed the items sold to the customer.

In the context of higher education, think about the processes of recruiting, admissions, housing, fund-raising, sports and alumni relations. How many touch points, steps in the process, or procedures for manufacturing, integration, sourcing, learning and implementation exist? Now think about the supply chain that provides the resources, energy, infrastructure and people to make it all happen. Does this business issue still seem trivial?

The aftermath of any major incident will require a thorough investigation to determine what happened. Everyone will have their version of what they saw, heard, felt and remember about it. Then the finger pointing, litigation and media frenzy begins. Only then do the Board of Directors and Executive Management wish they had practiced and exercised for the eventual day that has now landed on their front door step.

Such an example is in the news again, more than two years after the tragic day in April 2007 on the campus of Virginia Tech in Blacksburg, Virginia. In Lucinda Roy's latest book, "No Right To Remain Silent", her account magnifies the need for effective continuity of operations planning, exercises, auditing and testing:

After tragedies like this, people clam up. They are warned that it is too dangerous to talk about the specifics of a case when lawyers are chomping at the bit, when the media is lying in wait like a lynch mob. But people also remain silent when they are worried that what they have to say could injure them somehow.

In the days and weeks that followed the tragedy at Virginia Tech I was reminded of how much silence has to say to us if we listen with care.

Sadly, the tragedy at Virginia Tech did not usher in an era of openness on the part of the administration. Questions that related to the specifics of the shootings, to Cho, or to troubled students in general were viewed in the wake of the tragedy as verbal grenades.

Many of you may remember where you were when you heard the news, just as you will always remember where you were on the morning of September 11, 2001. Yet April 16, 2007 could very well prove more significant as the analysis and the investigation continue.

Sadly, we know how this story turned out: On April 16, 2007, Seung-Hui Cho shot two people to death in a Virginia Tech dormitory, then chained the doors to a classroom building shut and methodically killed 30 more before committing suicide. It was the worst school shooting in American history.

Who knew what when? The litigation is ongoing and some still are seeking the truth. Proving the truth will require substantial analysis of tens of thousands of documents, e-mail messages, hand written notes, depositions, medical records and school work. Yet when it gets boiled down to the facts and the issues, "Continuity of Operations" protocols, practice and preparedness will be at the core of the matter.

Does your organization have facilities where an all-hazards approach is discussed, and is it continuously aware of the threats to life and property along with the economic implications of any business disruption? If you have people and property in California the answer is yes: earthquakes, brush fires and now even the lack of government resources are existing risk factors. If you have people and property in or near symbolic locations such as New York City's Wall Street, Washington, DC's Capitol, or the St. Louis Arch, then your organization should already have heightened situational awareness and crisis management mechanisms in place. The whole State of Florida, North and South Carolina, Louisiana, Texas and others who know the aftermath of Hurricane Katrina are sensitized to the requirements for effective preparedness.

So what is the difference between an event such as an "Active Shooter" on your campus and a catastrophe sent by "Mother Nature"? The answer is the accuracy with which the event itself can be predicted. Preparedness for either event starts with the mindset that it will happen. Only one of the two can be prevented, preempted or neutralized before it causes harm.

Sadly, the Report of the (Virginia Tech) Review Panel to the Governor, issued in August 2007, contained important inaccuracies, despite the panel’s best efforts to get to the truth. University officials, it now appears, may have been less than candid and forthright in their responses to the questions put to them by the panel.

20 May 2009

OPS Risk: Military Lesson for Wall Street...

Air Force Brig. Gen. Mark W. Graper, the 354th Fighter Wing commander at Eielson Air Force Base, Alaska, has captured the essence of Operational Risk Management. Corporate executives and mid-level management should have this made into a poster for their offices and hung in every hallway:

Summer is just around the corner, and many of us are planning for our favorite warm weather activities - fishing, hunting, hiking, motorcycling, camping and more. All of our summer plans can be fun if we keep in mind the basics of operational risk management: Accept risk when benefits outweigh the cost; accept no unnecessary risk; anticipate and manage risk by planning; make risk decisions at the right level; assess and mitigate risk. Stated more simply, have a (prudent) plan, have a backup plan and have a wingman.

Whether you are focused on the safety and security of your personnel, the integrity and confidentiality of your information or the continuity of your business operations, effective "Operational Risk Management" will improve your organization's resilience. The brilliance of Brig. Gen. Graper's emphasis on this subject away from the flight line or "The Office" is his understanding that most of us become more complacent the minute we hit the parking lot. OPS Risk is not just something to be advocated in the workplace. It is just as pervasive at home and in our leisure activities. Whether you are climbing "Denali" or entertaining friends around the backyard pool, you have to be continuously in OPS Risk mode, or it could bring harm to life, limb or your own reputation.

Operational Risk includes the risk of litigation, and there is one threat to your corporate integrity you can be certain of: the employees, partners and suppliers of your organization:

Freddie Mac investors have filed expanded court claims accusing the mortgage finance company and three former executives of committing fraud by misleading them about risky loan practices and manipulating financial results.

The allegations, contained in a nearly 300-page court complaint filed late on Tuesday, are based in part on interviews with more than 100 former company employees and others who are described in the lawsuit as having knowledge of Freddie Mac's operations and finances.

One of the unnamed employees cited in the lawsuit is a former director of operational risk management at the company, who was quoted in the complaint as saying that Freddie Mac was an "appallingly run company" and that it was clear as far back as August 2007 that its capital position was inadequate.

"CONFIDENTIAL WITNESSES"

Other so-called "confidential witnesses" cited in the complaint include a former Freddie Mac vice president of investor relations and an ex-senior examiner with the Office of Federal Housing Enterprise Oversight, the company's regulator, now part of the newly formed Federal Housing Finance Agency.


What most organizations the size and complexity of Freddie Mac underestimate are the speed of change and the socially "connected" market economy. The blur of business, combined with "Holistic Blindness" to which risks are a threat today or this week, can bring an enterprise to its knees and then to its ultimate demise.

Whether it's buying and packaging financial assets to sell on Wall Street or keeping your F-22 Raptor in the air to defeat hostiles, OPS Risk is the differentiator. Your survival depends on it.

25 April 2009

Human Factors: Early-Warning System...

Predictive Intelligence And Analytics From 1SecureAudit Provides Transnational Organizations With A Preemptive Human Factors Early-Warning System

According to Managing Director and Chief Risk Officer of 1SecureAudit, Peter L. Higgins, the complexity of today's extended global enterprises requires a new governance lens to view hidden insider risks and to guide management executives to achieving a defensible standard of care.

"Our newest consulting practice accelerates the time line in identifying employee insider risks and potential threats associated with international client transactions," said Higgins. "Ms. Marcia Branco is launching our new client offering with more than a decade of experience identifying the complex connections between human behavior and corporate operational risk responsibility."

Advocating a "People First" approach, Ms. Branco, vice president, practice director of the Predictive Intelligence and Analytics practice, believes corporate personnel, partners and suppliers represent a tremendous asset and simultaneously a significant legal liability to a business. "People are the primary focal point to better understanding and resolving systemic risk problems within the walls of the enterprise and beyond to the extended supply-chain," said Branco.

The Association of Certified Fraud Examiners affirms "U.S. organizations lose an estimated seven percent of annual revenues to fraud," and insider negligence is the highest cause of data breaches, reports the Ponemon Institute & PGP Corporation. The complexity and quantity of insider threats is growing at the same time as businesses are facing shrinking budgets and mounting pressures to maintain and grow profits with fewer resources. "How successful has your company been at identifying and swiftly addressing issues, conflicts and preventing malfeasance? Whether originating internally from an employee or contractor or at your extended border of partners, suppliers and clients, predictive intelligence is essential?" asks Higgins.

1SecureAudit provides critical assessments, internal investigations, strategy execution and program development. These proactive governance and advisory services generate positive change to business culture, operations and bottom line.

"Our distinctive 'People First' approach examines your organization's human capital assets to gain unique insights on corporate culture, company issues and the workforce's attitude about management and business initiatives. We convert these human factor data into predictive intelligence to preemptively determine how to best shape current and new corporate strategies. Our clients are able to take advantage of short-lived opportunities, attract and retain employees, partners and customers, demonstrate a more defensible standard of care and promote a trustworthy corporate reputation," stated Branco. "Does your organization consistently adhere to and enforce corporate policies, ethical standards and procedures that value your employees and respond to shareholder advocates?"

Working with 1SecureAudit to integrate predictive intelligence in any business strategy and practices is a sound investment that directly contributes to corporate management's, Board of Directors', and shareholders' peace of mind. For more information, visit 1SecureAudit.com or e-mail RDU (at) 1SecureAudit.com.

07 April 2009

Economic Impact: Proving the Truth...

The Madoff investigations into so-called "feeder firms" are now gaining momentum. The question of who the victims are and where fraud is suspected continues to run its due course. The process of client referrals is not a crime, and allegations that equate it with fraudulent behavior reflect a flawed mindset. The current basis in the Merkin case has more to do with non-disclosure of where clients' money was actually invested:

Andrew Cuomo, the New York attorney general, yesterday filed civil fraud charges against the hedge fund manager Ezra Merkin, alleging he secretly channeled more than $2.4bn to Bernard Madoff's Ponzi scheme in exchange for lucrative fees.

The move is the second regulatory action in two weeks against one of the big so-called "feeder" funds that sent billions of dollars to Mr Madoff, who pleaded guilty to one of history's biggest investment frauds.

Mr Cuomo accused Mr Merkin, a leading figure in the New York charity community and former chairman of financing company GMAC, of steering money from charities, universities and non-profit organisations to Mr Madoff without their permission and reaping about $470m in fees for his three funds.

"Merkin duped individual investors, non-profits and charities into believing he was responsibly managing their investments, when in actuality he was dumping them into history's largest Ponzi scheme,'' Mr Cuomo claimed yesterday.


Operational Risk professionals in these hedge funds and other alternative investment firms are getting prepared. These organizations will continue to be under the regulatory spotlight for years to come. Fraud and the fear of fraud will make their potential clients even more diligent in their understanding of where their funds are being invested. The federal watchdogs, oversight mechanisms and civil law suits will require firms to have their risk management "Act" together.

When it comes time to prove the truth, whether innocent or guilty, it will come down to information. The likelihood that this information is housed in a database, e-mail system or off-site disaster recovery repository is almost certain. Digital information that is part of any inquiry for civil or criminal action is subject to the "Rules of Evidence" and the "Federal Rules of Civil Procedure." This is where most of the alternative investment firms have their greatest exposure and vulnerability today. Call it the "Readiness Factor".


In a groundbreaking case from the past year, Qualcomm Inc. v. Broadcom Corp., No. 05CV1958, 2008 WL 638108 (S.D. Calif. March 5, 2008), the court found the plaintiffs to have committed "monumental and intentional" discovery violations for failing to produce thousands of documents requested in discovery. The court cited the "impressive education and extensive experience" of Qualcomm's attorneys to justify significant sanctions for failure to produce relevant e-mails, including reporting to the State Bar of California.

The "Readiness Factor" goes far beyond the process or procedures for preserving evidence. It starts with the creation of information inside the organization. How is it classified, where is it stored and who has access to it? These are fundamental Information Technology and Records Management 101 questions that any prudent organization has already answered. Where most firms find themselves with their backs up against the "legal wall" has to do with relevance, authenticity, and admissibility of information.

The "Alternative Investment" industry is quickly learning that their own IT professionals are going to end up on the witness stand and in early depositions. They are going to be hearing questions such as:

  • What policies or procedures do you manage in your department/organization?
  • What training do you have on the collection and preservation of "Electronically Stored Information"?
  • Explain your responsibility or supervision of access controls, folder management, indexing, purging controls and metadata?
  • Describe the procedures your firm utilizes to identify the places, people (custodians) and quality of the data that has been preserved for this case?

The list continues and the IT professionals had better be ready. Adversarial counsel will be digging deep to get after the key components of authenticity and spoliation issues. The unfavorable outcomes from a lack of readiness can produce an "Economic Factor" that far exceeds the cost of just finding and producing the information for e-Discovery.
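As an added illustration of the readiness questions above (example code, not from the original post or any vendor it names), here is a Python sketch of a preservation manifest for Electronically Stored Information: at collection time it records each file's location, size, modification time, SHA-256 hash and the custodian and collector, and a later re-verification shows whether any preserved item has been altered, lost or added. The file names, custodian and collector values are constructed for the demo.

```python
"""ESI preservation manifest: record and later re-verify a collected set of
files so that their authenticity can be demonstrated and spoliation detected.
Added example; file contents, custodian and collector names are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Hash the file in 1 MiB chunks so large mailbox exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, custodian: str, collected_by: str) -> Dict:
    """Walk the preserved collection and record, per file, what counsel will ask
    about: where it lives, how big it is, when it was last modified, its hash,
    whose data it is and who performed the collection."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            entries.append({
                "relative_path": os.path.relpath(full, root),
                "size_bytes": st.st_size,
                "modified_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                "sha256": sha256_file(full),
            })
    return {
        "custodian": custodian,
        "collected_by": collected_by,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(root: str, manifest: Dict) -> List[str]:
    """Re-hash every manifest entry and report discrepancies. An empty list means
    the collection is unchanged since preservation; each finding names the file
    and the kind of change (missing, size changed, hash mismatch, not in manifest)."""
    findings = []
    for entry in manifest["files"]:
        full = os.path.join(root, entry["relative_path"])
        if not os.path.exists(full):
            findings.append(f"{entry['relative_path']}: missing")
            continue
        if os.path.getsize(full) != entry["size_bytes"]:
            findings.append(f"{entry['relative_path']}: size changed")
        if sha256_file(full) != entry["sha256"]:
            findings.append(f"{entry['relative_path']}: hash mismatch")
    # Files that appeared after collection also change the preserved set.
    known = {e["relative_path"] for e in manifest["files"]}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in known:
                findings.append(f"{rel}: not in manifest")
    return findings


def run_demo() -> Tuple[List[str], List[str]]:
    """Build a manifest over a constructed collection, then show that a later
    edit to one preserved message is detected. Returns (before, after) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "collection")
        os.makedirs(os.path.join(root, "mail"))
        # Constructed sample content standing in for exported mailbox items.
        with open(os.path.join(root, "mail", "msg-0001.eml"), "w") as fh:
            fh.write("Subject: Quarterly valuation review\n\nDraft figures attached.\n")
        with open(os.path.join(root, "retention-policy.txt"), "w") as fh:
            fh.write("Records retention policy, revision 3\n")
        manifest = build_manifest(root, custodian="J. Doe (constructed)",
                                  collected_by="IT Operations (constructed)")
        # The manifest is kept outside the collection so it is not itself flagged.
        with open(os.path.join(tmp, "manifest.json"), "w") as fh:
            json.dump(manifest, fh, indent=2)
        before = verify_manifest(root, manifest)
        # Simulate a post-collection edit to a preserved message.
        with open(os.path.join(root, "mail", "msg-0001.eml"), "a") as fh:
            fh.write("Figures revised after the fact.\n")
        after = verify_manifest(root, manifest)
    return before, after


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("before edit:", clean)      # []
    print("after edit:", tampered)    # size changed and hash mismatch for msg-0001.eml
```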

The economic impact of proving the truth in any case can be significant. If you were a savvy and smart prosecutor, the cases that would filter to the top for scrutiny may very well be those firms that display the most "IT Immaturity." Getting some wins under your belt with some relevant case law could determine how fast future cases are settled far in advance of ever getting to trial.

For those "Alternative Investment" firms that are behind the 8 Ball, here is a good place to start your own discovery of the total cost of proving the truth. The E-Discovery Road Map.

24 March 2009

Unthinkable: Adapting in New World Disorder...

35 million electronic records of Personal Identifiable Information (PII) were exposed in 2008, up 47% from the previous year according to reports by the Identity Theft Resource Center (ITRC).

Will 2009 bring more data breaches, lost laptops and insider theft than 2008? You can bet on it, and this is why CSOs, CPOs and General Counsels are getting their teams ready. When the enemy is increasing their attacks, utilizing new strategies and leveraging the existing base of compromised assets, the picture is clear.

That suggests that many companies can significantly boost security and reduce their exposure by following basic and inexpensive measures. But even if your company has encryption in place (as Heartland did), don't rest too easy. "The sophistication and automation of financially motivated cybercrime is very steep today when compared with counter-efforts," says Ken Dunham, director of global response at iSight Partners, a provider of threat intelligence services. "Criminals are agile and able to outpace the rate of adoption of counter-technologies in the marketplace."

The motivation for cybercrime is even higher during economic hard times. A January report by iSight says that the economic decline in the United States and around the world will significantly increase the risk organizations face from employees who are laid off, fear being laid off, or face some form of personal financial trouble that may lead some to consider insider crime.


The insider remains a key focus for Operational Risk Management professionals because human behaviors are exaggerated during periods of stress, fear and uncertainty. This means that people who have no prior criminal history, and have never considered doing something to jeopardize their reputations, may now be up against a wall. When there is no exit and no way out, people do extraordinary things to get ahead, beat the odds and hedge their own risk portfolio of life. Study the women who have made decisions to strap on suicide vests or the dozens of "Mini Madoffs" yet to get their day in court. Both have similar attributes tied directly to human behavior.

In Joshua Cooper Ramo's new book "The Age of the Unthinkable: Why the New World Disorder Constantly Surprises Us and What We Can Do About It", the author discusses the concept of Deep Security. His analogy for how to think about "Deep Security" is the biological immune system: "A reactive instinct for identifying dangers, adapting to deal with them, and then moving to control and contain the risk they present."

The key word in Ramo's writing is "Adapt". Being Adaptive. However, prior to this there are two other very vital words that we feel are even more imperative. Instinct. Identifying. In other words, Proactive Intuition.

Ask any savvy fraud investigator on how she solved the case and you may hear just that, "I had a hunch." Talk with a Chief Privacy Officer in any Global 500 company and you might get them to admit they have a sense that their organization will be the target of a data breach incident in the coming year or two. The complexity of IT systems, data networks and the hundreds of laptops circling the globe with company executives is enough to predict that a major breach will occur.

Being adaptive and having proactive intuition in the modern enterprise does not come naturally. You have to work at it, and it requires a substantial investment in time and resources to make it work effectively. Once you realize that all of the controls, technology and physical security are not going to keep you out of harm's way, you are well on your way to reaching the clairvoyance of "The Age of the Unthinkable."

07 March 2009

Compliance: Workplace Security, Ethics & Governance...

Bernie Madoff clones and the 11,000 other unregulated investment advisors across the US will be subjected to increased scrutiny in 2009 and beyond. The SEC, FINRA, US Treasury FINCEN, FBI and the tribe of banking regulators are all gearing up for audits, inspections and more granular forensic accounting examinations.

Fraud and the corruption of corporate America are hard to detect, and even more difficult when the watchdogs are too busy or lack the resources to do the job effectively. Post-Enron, with the whole SOX wave of documentation, controls implementation and testing, the Big Four accounting firms were very busy.

The cases are among a series of recent alleged frauds at financial firms. While they have been handled differently, they have shined a light on loopholes in federal regulations, such as fragmented regulations governing brokers, investment advisers, auditors and other firms. And the cases have underscored obstacles facing authorities, including inadequate resources for detecting wrongdoing and difficulties in gaining access to foreign financial accounts.

"Reform is needed to close the existing regulatory gaps that expose investors to risk," said Richard Ketchum, chief executive of the Financial Industry Regulatory Authority, Wall Street's self-policing agency.

SEC Chairman Mary L. Schapiro is looking to work with lawmakers to overhaul the nation's financial regulatory system. This week, the SEC announced that it would partner with a government-funded research center to study ways to better assess the thousands of tips and complaints that come in each year. The House and Senate plan to consider legislation as early as late spring that would bring all financial activities under federal regulation. The details, however, aren't clear.

At the SEC, Schapiro plans a new focus on spotting fraud and other market manipulation early on. She plans to create a large team to seek out where abuses might be occurring. Then she plans to direct the SEC's limited examination staff toward those places. "We've got to be able to conduct risk assessment that allows us to understand where problems might arise and connect the dots between different problems in different places -- whether they're generated by different products, different firms or different trends in the economy," Schapiro said in a recent interview.


The internal threat to your institution from your own employees who may do you harm, intentionally or not, is a core factor in day-to-day Operational Risk Management. Where it gets more interesting to plaintiff lawyers is when there is a clear pattern of ignorance, or just plain lack of resource allocation or funding, for policing the organization. The even more vulnerable facet of the OPS Risk mosaic could be the supply chain of companies and people who perform vital outsourced functions. How many mission-critical components of running your business have you handed over to call centers, ISP and hosting companies, distribution and delivery, and back office administration including accounting and payroll?

One of the key areas of due diligence long overlooked at these investment advisers is the supply chain of feeder firms. The alternative investment industry has its reach into the accountants and tax advisory services for a good reason. They are the ones who prepare your tax returns. Their insight into your cash flow, ability to invest and need to hedge potential tax liability gives them the opportunity to be great referral agents. How many times has your tax advisor recommended you go see a friend in the alternative investment industry?

Creating awareness among the ranks of corporate America that everyone is going to be under the magnifying glass won't change the motivators:

  • Money
  • Ideology
  • Compromise
  • Ego

Economic challenges inside the corporation or on the home front can increase exposure to heightened threats in the workplace. These include violence, fraud and product theft at a minimum. However, the greatest asset of value being attacked, stolen and sold to the highest bidder is information. Corporate espionage and good old-fashioned competitive intelligence are a 21st century Operational Risk Manager's nightmare.

Workplace Security, Ethics and Governance programs will continue to be a focus for auditors and inspectors general. A lack of evidence of effective and robust efforts to deter, detect, defend and document within the confines of the institution could be a differentiator when it comes time for any sentencing guidelines to be considered.

§8B2.1. Effective Compliance and Ethics Program

(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation - Organizations), an organization shall—

(1) exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

21 February 2009

Oversight Risk: Evidence of Compliance...

In light of the tremendous announcements of corporate and financial malfeasance over the past few months, there is a "cramdown" in the works. The US Office of the Special Inspector General for the Troubled Asset Relief Program (SIGTARP) is gearing up.

The Office of the Special Inspector General for the Troubled Asset Relief Program ("SIGTARP") was established by the Emergency Economic Stabilization Act of 2008 ("EESA").

Under EESA, the Special Inspector General has the responsibility, among other things, to conduct, supervise and coordinate audits and investigations of the purchase, management and sale of assets under the Troubled Asset Relief Program ("TARP"). SIGTARP’s goal is to promote economic stability by assiduously protecting the interests of those who fund the TARP programs - i.e., the American taxpayers - by facilitating transparency in TARP programs.

Transparency and effective oversight in the TARP will be accomplished in coordination with other relevant oversight bodies, and by robust criminal and civil enforcement against those, whether inside or outside of Government, who waste, steal or abuse TARP funds.

The Special Inspector General, Neil M. Barofsky, was confirmed by the Senate on December 8, 2008, and was sworn into office on December 15, 2008.


As the new Stimulus Package works its way to the local and state governments, additional oversight will be placed on the bidding, procurement and contracting processes. Compliance with federal and state laws will become ever more vital as funds are applied under TARP in the mortgage markets and "shovel ready" projects are funded for maintenance and repair of critical infrastructures.

As the government ramps up to spend trillions of dollars to revive the economy, loopholes in federal law and a shortage of FBI agents assigned to investigate white-collar crime could lead to a big payday for perpetrators of mortgage fraud and other schemes.

That's the view of lawmakers who want to extend federal fraud laws to private mortgage companies that aren't regulated at the federal level, and provide $155 million a year to the U.S. Justice Department to triple the number of active mortgage-fraud task forces and help the FBI rebuild its white-collar investigation program.


So what should a Chief Compliance Officer or Vice-President of Operational Risk Management at an institution be concerned with over the next few years? Get ready. First and foremost, the Board of Directors will be focused on "Corporate Governance Strategy Execution." Public institutions that have most recently taken on the role of a more traditional bank in order to become eligible for government funds are most at risk. Some of these include traditional insurance companies and credit or charge card institutions. This is because they have not had the controls, staff and policy programs in place to effectively deal with all of the new banking regulations and compliance mechanisms the oversight agencies will be scrutinizing during their audits.

Securities and Exchange Commission Chairman Mary Schapiro plans to look into whether the boards of banks and other financial firms conducted effective oversight leading up to the financial crisis, according to SEC officials, part of efforts to intensify scrutiny of the top levels of management and give new powers to shareholders to shape boards.

As she examines what went wrong, Schapiro is also considering asking boards to disclose more about directors' backgrounds and skills, specifically how much they know about managing risk, said the officials,

As new sources of funding flow to the organizations for redistribution to consumers or small businesses the oversight process must be implemented up front. The human factors will play a tremendous role in how ethics are either applied consistently or are absent all together, in day to day operations. Boards of Directors will ensure that corporate management are injecting the correct amount of corporate governance and compliance management oversight to keep human behavior and red flags in check. Operational Risk Managers will be busy expanding their breadth and reach into the corporate enterprise for years to come.

26 January 2009

PII: Achieving a Defensible Standard of Care...

A data security breach of "Personal Identifiable Information" (PII) will impact your organization in the future. This incident is no different than other Operational Risk loss events to your global enterprise this year, such as occupational fraud or the settlement of a lawsuit. Correct?

This time however, the difference is that now your own employees or your customers are the victim. Their PII has been lost or stolen and your organization has been the safeguarding entity of that valuable data until now. Your response is vital and the way you legally and ethically behave is a significant risk factor in itself.

Your brand reputation in the marketplace is on the line and the potential churn in lost customers or employees is at stake. Like many post 9/11 companies, your crisis response protocol is already in place for incidents that require your senior executives and the establishment of an immediate Incident Response Team (IRT).

So why is lost or stolen PII such an important executive issue for any organization?

In privacy, PII is less restrictive than in Information security and one definition can be found in the EU directive 95/46/EC:[1]

Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Although the concept of PII is ancient, it has become much more important as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes. As a response to these threats, many web site privacy policies specifically address the collection of PII, and lawmakers have enacted a series of legislation to limit the distribution and accessibility of PII.


As your General Counsel and Chief Privacy Officer begin to assess the magnitude and breadth of your recent PII exposure, so too do the plaintiff lawyers. Now the clock starts ticking, and each tick gets louder and louder as different litigation strategies are discussed. In board rooms and judges' chambers across the United States, the Federal Rules of Civil Procedure (FRCP) and the admissibility of "Electronically Stored Information" (ESI) are being discussed as a legitimate component of evidence and its relevance in the case.

What if you could now "Rewind" this scenario and find yourself in a "legal safe zone" to adequately prepare for, prevent and even preempt a "Data Security Breach" in your organization? This "legal safe zone" is available today and is as close as your corporate executive conference room, with several "Subject Matter Experts" working side-by-side. It's a professional service solution from the data breach services leader, idexperts.

The "Achieving a Defensible Standard of Care" Readiness workshop in your organization begins with a two-day facilitated process for discovery and convergence with your fellow company executives. You will be engaged in a proactive, preventive and preemptive tactical plan in preparation for the day of your next PII-involved Data Security Breach. Upon completion, this operational plan establishes the baseline framework for a complete team-based drill. This outcome will then test the readiness of your key stakeholders internal and external to the company. More importantly, it provides strategic insight into what vulnerabilities still exist in your particular organization's approach to remediation and legal compliance.


Each year, despite security efforts, millions of personal records are compromised as a result of corporate and public-sector data breaches. Breach response costs - mandated notification, PR, call handling, credit monitoring and legal fees - can add up, yet traditional approaches don't fully mitigate the risk to your business or your customers.


A data security breach of "Personal Identifiable Information" (PII) will impact your organization in the future. The next one will be different.

31 December 2008

2009 Outlook: OPS Risk Top Priorities...

In light of the 2009 outlook and the fact that Operational Risk is now a much greater priority, here are the vital areas to focus on for the New Year. As restructuring, downsizing, layoffs and overall corporate strategy and governance initiatives are kicked off for the 2009 calendar year, these are the top priorities according to Peter L. Higgins, Managing Director of OPS Risk advisory firm 1SecureAudit.

"Operational Risk will continue to be a major focus for Boards of Directors in 2009 and for good reason. Governance Strategy Execution, Information and Records Management and Legal Risk are all in need of a critical review and a robust injection of new resources. We are at the beginning of a new 'S' curve cycle on the down slope just as we saw in late 2001 post 9/11 and the 'Dot Com' era," Higgins said.

"This requires a renewed and substantial commitment to keeping our code of practice guidance and implementation advice narrowly focused on several key areas of the corporate enterprise:"

  • Organizational Security
      • Information Security Infrastructure: Cooperation between organizations
        Appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators shall be maintained.
  • Asset classification and control
      • Information Classification: Information labelling and handling
        A set of procedures shall be defined for information labelling and handling in accordance with the classification scheme adopted by the organization.
  • Personnel Security
      • Responding to security incidents and malfunctions: Reporting security weaknesses
        Users of information services shall be required to note and report any observed or suspected security weaknesses in, or threats to, systems or services.
  • Communications and operations management
      • Operational procedures and responsibilities: External facilities management
        Prior to using external facilities management services, the risks shall be identified and appropriate controls agreed with the contractor, and incorporated into a contract.
      • Exchanges of information and software: Security of electronic mail
        A policy for the use of electronic mail shall be developed and controls put in place to reduce security risks created by electronic mail.
  • Access Control
      • Monitoring system access and use: Monitoring system use
        Procedures for monitoring the use of information processing facilities shall be established and the result of the monitoring activities reviewed regularly.
  • Business Continuity
      • Aspects of Business Continuity Management: Testing, maintaining and re-assessing BCP
        Business continuity plans shall be tested regularly and maintained by regular reviews to ensure that they are up to date and effective.
  • Compliance
      • Compliance with legal requirements: Collection of evidence
        Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.

Here are some of the top cases to review for OPS Risk lessons learned in 2008:

01/04/08 - Detroit: Eleven Indictments in International Illegal Spamming and Stock Fraud Scheme - Eleven individuals were indicted in a wide-ranging international fraud scheme which manipulated stock prices through illegal spam e-mail promotions.

02/15/08 - Washington: DOD Employee Arrested in Chinese Espionage Case - Gregg William Bergersen, a Weapons Systems Policy Analyst at the Defense Security Cooperation Agency, Department of Defense, was arrested for passing classified documents to the People’s Republic of China.

02/22/08 - Miami: Five Individuals Indicted for $200 Million Hedge Fund Fraud - Michael Lauer, founder of Lancer Group Hedge Fund, and four others were indicted on conspiracy and wire fraud charges in a $200 million hedge fund fraud.

02/29/08 - Houston: Chinese Chemist Indicted for Theft of Trade Secrets - Qinggui Zeng, aka Jensen Zeng, a legal permanent resident from China, was indicted and charged with theft of trade secrets and computer fraud.

03/14/08 - Cincinnati: Financial Enterprise Executives Found Guilty in $3 Billion Fraud Scheme - Five former executives of National Century Financial Enterprises were found guilty of conspiracy, fraud and money laundering in a $3 billion security fraud scheme.

05/16/08 - Washington: Guilty Plea in Espionage Charge Involving China - Tai Shen Kuo pled guilty to conspiracy to deliver national defense information to the People’s Republic of China.

06/20/08 - Operation Malicious Mortgage Nets 406 Individuals - Charges in Operation Malicious Mortgage, a nationwide takedown of mortgage fraud schemes which inflicted approximately $1 billion in losses, were brought in every region of the country.

10/17/08 - FBI Coordinates Global Effort to Nab “Dark Market” Cyber Criminals - A two-year undercover operation, Dark Market, which joined forces with international law enforcement, resulted in 56 arrests and $70 million in economic loss prevention.

11/28/08 - Dallas: Holy Land Foundation and Leaders Convicted - The Holy Land Foundation of Relief and Development and five of its leaders were found guilty of illegally funneling at least $12 million to the Palestinian terrorist group, Hamas.

12/12/08 - Chicago: Illinois Governor Arrested - Governor Rod R. Blagojevich and his Chief of Staff John Harris were arrested on federal corruption charges including conspiring to trade or sell the Illinois Senate seat vacated by President-elect Barack Obama.

Beyond the Bernie Madoff fraud scheme that rocked the Hedge Fund universe, the real systemic risks to deal with in 2009 will continue to be tied to the housing and mortgage sector:
  • Recent statistics suggest that escalating foreclosures provide criminals with the opportunity to exploit and defraud vulnerable homeowners seeking financial guidance.
  • Perpetrators are exploiting the home equity line of credit (HELOC) application process to conduct mortgage fraud, check fraud, and potentially money laundering-related activity.
The Operational Risks in corporate enterprises will be increasing as the economy adjusts and finds its new equilibrium. Hang on for a wild ride in 2009!

22 December 2008

Security Governance: Siemens FCPA guilty plea...

One only has to look a few layers deep into the corporate hierarchy to see the root cause of why Siemens AG violated the Foreign Corrupt Practices Act (FCPA).

At a hearing before U.S. District Judge Richard J. Leon in the District of Columbia, Siemens AG pleaded guilty to a two-count information charging criminal violations of the FCPA’s internal controls and books and records provisions. Siemens S.A. - Argentina (Siemens Argentina) pleaded guilty to a one-count information charging conspiracy to violate the books and records provisions of the FCPA. Siemens Bangladesh Limited (Siemens Bangladesh) and Siemens S.A. - Venezuela (Siemens Venezuela) each pleaded guilty to separate one-count informations charging conspiracy to violate the anti-bribery and books and records provisions of the FCPA. As part of the plea agreements, Siemens AG agreed to pay a $448.5 million fine, and Siemens Argentina, Bangladesh, and Venezuela each agreed to pay a $500,000 fine, for a combined total criminal fine of $450 million.

Where the compliance and ethics culture begins to break down in this example and others lies within the "Modus Operandi" of the "Deal Makers" themselves. The sales and marketing mechanisms that funded the budgets of front line managers to perpetuate the corruption need to be thoroughly examined. The competitive environment and the "wink and nod" of selling 101 at Siemens has brought them into the ranks of Enron, Worldcom, and other global transnational corporations soon to be announced for their misdeeds and corporate malfeasance. This NYT article by Siri Schubert and T. Christian Miller highlights the culture factors:


“Bribery was Siemens’s business model,” said Uwe Dolata, the spokesman for the association of federal criminal investigators in Germany. “Siemens had institutionalized corruption.”

Before 1999, bribes were deductible as business expenses under the German tax code, and paying off a foreign official was not a criminal offense. In such an environment, Siemens officials subscribed to a straightforward rule in pursuing business abroad, according to one former executive. They played by local rules.

Inside Siemens, bribes were referred to as “NA” — a German abbreviation for the phrase “nützliche Aufwendungen” which means “useful money.” Siemens bribed wherever executives felt the money was needed, paying off officials not only in countries known for government corruption, like Nigeria, but also in countries with reputations for transparency, like Norway, according to court records.


The line item utilized by business development executives at Siemens to secure business is not exclusive to Siemens or to Germany. It is utilized by almost every major global corporation to obtain the opportunity to compete and to make the short list on major procurements. So how do internal audit and operational risk professionals deal with the fact that money is budgeted each year for these kinds of activities?

Corporate Integrity Management and ethics programs are a great place to start. This blog highlighted these in a previous post a few months ago:


Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an "effective program to prevent and detect violations of law."

The Guidelines contain criteria for establishing an "effective compliance program."

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

  • Systems for monitoring and auditing
  • Incident response and reporting
  • Consistent enforcement including disciplinary actions

Yet the corporate incivility continues. Why is it that we can’t pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reason. More importantly, security governance frameworks must make sure that the management of a business or government entity is held accountable for its respective performance. The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A new element that has only recently been recognized is the role of risk management in Security Governance.

Security Governance, like Corporate Governance, requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches. The basic responsibility of management, whether in government or the corporate enterprise, is to protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to Security Governance.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.

15 December 2008

OPS Risk: Tsunami of Fraud...

Just when you think you have avoided the major risk of the credit crisis, HSBC may have been one of many banks exposed to the Bernard Madoff "tsunami of fraud".

Banks and investment funds across the world lined up on Monday to admit investing billions of dollars in the companies of Bernard Madoff, whom U.S. authorities accused of masterminding a massive fraud.

HSBC Holdings was the latest bank to join the growing list, saying it had exposure of around $1 billion (663 million pounds), making it one of the biggest victims of the alleged $50 billion fraud.

Royal Bank of Scotland and Man Group, Japan's Nomura and France's Natixis also said they were hit by the worldwide scandal.

Financial companies, reeling after a year of enormous writedowns on bad credit assets, have so far tallied up more than $10 billion in direct and indirect exposure to the possible fraud by Madoff, the 70-year old trader who was arrested on Thursday.


Last year, HSBC sold its 42-story headquarters tower for $1.1B to Metrovacesa in a smart strategy that has now been extinguished by the likes of a simple and yet enormous Ponzi scheme. A Ponzi is an investment fraud in which profits are promised to investors from fictitious sources. Sounds like a hedge fund. Early investors are paid off with funds raised from later ones. Is there any conservative institution that will be spared from the corporate malfeasance and corruption that has permeated our global systems of finance?

The SEC has issued the temporary restraining order for Madoff and his companies while this is drowning out the recent fraud allegations against Marc Dreier:

Dreier was arrested in Canada this month and charged with impersonating a lawyer for the Ontario Teachers Pension Plan. He was released on bail and arrested by U.S. authorities on his return to New York.

Dreier on Dec. 11 was ordered held in custody pending his trial after prosecutors told a federal magistrate that victims of a fraud that started in 2006 have lost $380 million.

If convicted of the securities fraud and wire fraud charges against him, Dreier faces as many as 20 years in prison on each count.

The U.S. Securities and Exchange Commission filed a civil suit against Dreier claiming he stole $38 million from an escrow account set up to hold money for the unsecured creditors of 360networks (USA) Inc., which the firm represented in bankruptcy court.

The movie moguls in Hollywood must be looking at these latest cases to determine if a screenplay might be a worthwhile endeavor. The hundreds of lawyers and other workers impacted by these two incidents alone will no doubt bring out a few who were close enough to the two crooks to be able to provide technical consulting on the projects. The setting in the Hamptons or the Palm Beach Country Club could even bring some real well-known people into the motion picture itself.

Back in May 2008 this blog touched upon the legal ecosystem and the survival of the fittest. Fraud, like other crimes of opportunity, has three common attributes:

  1. A growing supply of motivated offenders
  2. The availability of prospective or ideal targets
  3. The lack of consistent oversight mechanisms—control systems or someone to monitor the business

Beyond the typical motivations for initiating deceptive practices and fraud are the underlying mindsets. "Neutralization" creates the road map for nullifying internal moral objections. The type of fraud is not the issue here as much as the fact that offenders seek to justify or rationalize their actions and methods. The next trend line we will see is the uptick in court filings and the litigation wars for the next few years to come. One fact remains obvious. Organizations large and small will be drawn into these Operational Risk Management challenges without the proper policies, practices and behavior to prevail. In any "legal ecosystem" the phrase "Survival of the Fittest" comes to mind, and this one will be no different.

25 November 2008

QFD: The End of Compliance...

Corporations will continue to be responsible for the criminal behavior and actions of their employees, 3rd party suppliers and other contractors for at least the near term. In a case that has the defense legal eagles and "Usual Suspects" arguing against the corporate liability issue, is the intent getting cloudy, or is it crystal clear?

But in a case now pending before the 2nd U.S. Circuit Court of Appeals, United States v. Ionia Management SA, the defendant corporation, as well as a diverse group of business and legal organizations acting as amici curiae, are asking the court to re-examine what had previously been accepted as black-letter law regarding when a corporation may properly be held vicariously liable for the acts of its employees.

While the defense bar has successfully battled some of the U.S. Justice Department's specific tactics in corporate criminal investigations (such as pressuring companies to waive attorney-client privilege or deny payment of employees' legal fees), this is the first significant direct challenge in recent years to the long-standing doctrine of corporate criminal liability. Their arguments, if accepted by the court, could have far-reaching consequences for the balance of power between the government and the targets of corporate criminal investigations.

Even if the corporate compliance programs are in full force and the financial integrity unit is robust in its efforts, the "Operational Risk" of litigation still exists. How the cases settle or end up in deferred prosecution deals is another subject. Andrew Weissmann is in the precarious position of having been on the other side of the courtroom during the Enron trial. Now, after having moved to the defense, he is feeling the size of the government's power base.


Mr. Weissmann, 50 years old, says he noticed the "glitch" in the law four years ago as a prosecutor when he helped put together deferred-prosecution agreements of Merrill Lynch & Co. and Canadian Imperial Bank of Commerce for their conduct in connection with the Enron collapse. It struck him that the standard for criminal liability might be too low for "companies that work hard to create compliance programs" and yet are still on the hook, he says.


Regardless of the amount of awareness building, education and corporate window dressing, you can't ultimately control human behavior. More compliance enforcement and regulatory pressure may seem to be the answer. A voluntary effort to shore up security and soundness and to close off the opportunity for malfeasance in the workplace may not be working effectively. And still the liabilities exist, with plaintiffs and government adversaries seeking compensation. So what is the answer?

The answer lies in the "Enterprise Architecture" of our institutions and the failure to implement the process of "Quality Function Deployment" (QFD). This has been ignored by senior executives and US business because many judge it to be too complex. One only has to look at the state of our automobile manufacturers versus the likes of Japanese companies to get a sense of the success of incorporating QFD on a comprehensive basis. But now apply this to the culture of an organization and how each individual makes logical business decisions instead of emotion-based decisions.

What many liability issues begin with are the employee(s) who made a bad decision. QFD in its simplest form is a tool to promote communications. Among peers and connected teams within the organization it provides the methodology to catch errors, omissions and emotional bias early in the process. As an example, let's take the Request for Proposal (RFP). Many companies depend heavily on winning business by responding to RFPs. A "deal maker's" perception of the importance of the RFP determines the effort for the response. Many times, this is influenced by an incentive plan. The human behavior to accept or decline the effort on an RFP, as well as what it takes to push it through the organization for executive sign-offs, is not always compatible with the strategic and quality measures of the enterprise.

Over time this will form an unimaginable amount of moral decay within a company. This leads to bad behavior and unethical decisions that people make because the business environment has rewarded it for far too long. So who is to blame here? The employee, or the culture and company that has condoned and encouraged the behavior that ultimately damaged someone or something?

Implementing QFD in your information-based enterprise could have a dramatic impact on achieving a defensible standard of care by reducing the likelihood of catastrophic emotional decisions. More importantly, QFD programs such as this that directly reduce the likelihood of bad employee behavior and criminal incidents can reduce the necessity for invasive compliance programs that most everyone wants to ignore.

14 November 2008

Corporate Counsel: OPS Risk Priorities...

As General Counsel, are you keeping up with the latest technology being deployed in your enterprise? Do any of your employees use Twitter? What about your "Generation Y" and their use of P2P file sharing programs? Does your CxO in charge of Safety, Security, Investigations and Corporate Integrity have the latest report on employee violations of your Information Assurance and Acceptable Use policies?

Unknown to corporate America, the popular peer-to-peer file-sharing networks that allow music and movies to be shared could be sharing something else with the public: company secrets and personal data.

Management-side lawyers are sounding alarms to their corporate clients, warning that peer-to-peer networks are increasingly becoming a gateway for trade secrets, confidential financial information and personal data.


The economy is continually downsizing, employees are now being sent home to work in "Virtual Mode", and Operational Risk loss events are metastasizing. Corporate Counsel and CxOs must provide thorough due diligence, security awareness training and effective annual audits of employees who work from home or may be perpetual "Road Warriors" hopping the globe from hotel to hotel. Why?


In 2007, Citigroup Inc.'s ABN Amro Mortgage Group reported that the personal information, including Social Security numbers, of more than 5,000 customers was leaked when a business analyst signed up to use a P2P file-sharing service on a home computer containing the personal information.


If you are a General Counsel and your organization is authorizing the use of encryption on laptops, or the use of personal social networking sites or systems, it's imperative to pay attention to how they are applied. Encryption for data security can be utilized to keep the data secure in the event of a breach or a lost digital asset. It can also be used to cloak fraudulent or criminal activities:


In an expanding probe of investment giant UBS, the Justice Department on Wednesday announced the indictment of the Swiss bank's chairman of global wealth management, accusing him of playing a key role in a tax evasion scheme to shelter secret U.S. account holders from income tax bills and drive up bank revenue.

Raoul Weil, who oversaw the Swiss bank's cross-border private banking business serving 20,000 U.S. clients, helped conceal a combined $20 billion in assets from the Internal Revenue Service, the indictment charged.

"Prosecutors said the executives and managers used nominee entities, encrypted laptops, numbered accounts and other counter-surveillance techniques to conceal their U.S. clients and offshore assets."

"If the company policy is written correctly, employees have no privacy interest in any materials created or accessed on company computers. With such a policy in place, an employer generally can review with impunity an employee's activities on the company's computer system."


Whether information is discoverable is going to be a different matter. A careful review of most social networking sites' privacy policies will most likely reveal that posted information is not private, and is therefore discoverable. Effective legal and IT security awareness programs and education are therefore essential in any enterprise where employees are working remotely.

The modern day General Counsel must rely on the Chief Privacy Officer working diligently with the Chief Security Officer and the Chief Compliance Officer to mitigate Legal Risk. The convergence of these responsibilities lies more with the Chief Operational Risk Officer, who sees that all parties are synchronous in their strategies and efforts. They may be the best person to ensure the entire spectrum of operational risks is being thoroughly addressed.

22 October 2008

EESA: Oversight & Legal Filings...

What is on the mind of GCs in the United States and United Kingdom? What are they saying about the costs of litigation, labor and employment, the financial/subprime crisis, regulatory investigations and FCPA, e-discovery preparedness and patent infringement claims? Fulbright & Jaworski's fifth annual survey gets the answers from 350 senior-level executives.

Lawsuit fears also vary across the United States: California companies have qualms about employment cases; Northeastern companies worry about environmental cases; and Southern companies expressed concern about class actions and products liability lawsuits.

The survey responses indicate that lawsuits filings ultimately vary by industry.

During the past year, two-thirds of insurance companies reported at least six new lawsuits, followed by 55 percent of retail companies.

Manufacturing companies were the third most sued industry, with 54 percent facing six new claims. Health care providers followed closely behind with 52 percent reporting a half dozen new cases.

Two industries were far less likely to face multiple lawsuits in one year.

Thirty-seven percent of financial services companies reported six new lawsuits compared with 30 percent of technology firms.


Somehow we think the financial services companies are going to see a large spike in the next nine months. The SOX cases will be tested and there will be a few that won't get settled. The outcomes will set the precedent for Corporate Governance related suits for years to come.

Keep an "eye" on this one. Part of the new EESA legislation will have some kind of IG and oversight. This will be keeping the legal teams busy:

7) Compliance: The law establishes important oversight and compliance structures, including establishing an Oversight Board, on-site participation of the General Accounting Office and the creation of a Special Inspector General, with thorough reporting requirements. We welcome this oversight and have a team focused on making sure we get it right.

The Special Inspector General's purpose is to monitor, audit and investigate the activities of the Treasury in the administration of the program, and report findings to Congress every quarter.


The "TARP" Inspector will have their hands full and since they are appointed by the President, you can be sure that they will not be too partisan.

17 October 2008

A few years ago there was an anonymous posting on CSO Online about "Doing the Right Thing". It could only be about the rules and policies set down by the ethics committee. Right?

"Directors and executives now must take an active leadership role for the content and operation of compliance and ethics programs," the U.S. Sentencing Commission's statement reads in part. "Companies that seek reduced criminal fines now must demonstrate that they have identified areas of risk where criminal violations may occur, trained high-level officials as well as employees in relevant legal standards and obligations, and given their compliance officers sufficient authority and resources to carry out their responsibilities."

The commission notably adds: "If companies hope to mitigate criminal fines and penalties, they must also promote an organizational culture that encourages a commitment to compliance with the law and ethical conduct by exercising due diligence in meeting the criteria."


Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an "effective program to prevent and detect violations of law."

The Guidelines contain criteria for establishing an "effective compliance program."

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

  • Systems for monitoring and auditing
  • Incident response and reporting
  • Consistent enforcement including disciplinary actions

Yet the corporate incivility continues. Why is it that we can’t pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Herein lies the question many Boards of Directors are scratching their heads about these days. How can we avoid these ethical and legal dilemmas, and how can they be addressed without creating a state of fear and panic?

That’s when we really learned that this game of business is just about the human factors. It’s really not about the controls, the monitoring or even the awareness programs. It’s about being a model manager, and a model human being.

The odds are it will be the human factors that are going to be what gets you on the steps of the local federal building. And it all comes back to good old-fashioned management 101.

As indicated, the great manager can impact the lives of tens or hundreds of people in your company. Conversely, the uncivil manager can wreak havoc with a similar number of lives. The position of management is ever so powerful in influencing those around them.

Your company wide compliance initiative has the elements that provide guidance for creating a program that the government is likely to look favorably upon. The problem is that these same criteria inadvertently communicate the message that implies building a program based on this formula is enough. It isn’t.

07 October 2008

FCPA: 21st Century Investigations...

Intellectual property theft, corporate espionage, transnational economic crime and the Foreign Corrupt Practices Act (FCPA) are on a collision course with international 21st Century investigators. New age professionals who were almost born with a keyboard or PDA in their hand remain ever vigilant.

The use of third parties, offshore banking and other avoidance mechanisms such as Black Market Peso Exchange (BMPE) increases the potential for theft, corruption and abuse buried in global commerce using the Internet Protocol (IP).

The FCPA prohibits corrupt payments through intermediaries. It is unlawful to make a payment to a third party, while knowing that all or a portion of the payment will go directly or indirectly to a foreign official. The term "knowing" includes conscious disregard and deliberate ignorance. The elements of an offense are essentially the same as described above, except that in this case the "recipient" is the intermediary who is making the payment to the requisite "foreign official."

Intermediaries may include joint venture partners or agents. To avoid being held liable for corrupt third party payments, U.S. companies are encouraged to exercise due diligence and to take all necessary precautions to ensure that they have formed a business relationship with reputable and qualified partners and representatives. Such due diligence may include investigating potential foreign representatives and joint venture partners to determine if they are in fact qualified for the position, whether they have personal or professional ties to the government, the number and reputation of their clientele, and their reputation with the U.S. Embassy or Consulate and with local bankers, clients, and other business associates. In addition, in negotiating a business relationship, the U.S. firm should be aware of so-called "red flags," i.e., unusual payment patterns or financial arrangements, a history of corruption in the country, a refusal by the foreign joint venture partner or representative to provide a certification that it will not take any action in furtherance of an unlawful offer, promise, or payment to a foreign public official and not take any act that would cause the U.S. firm to be in violation of the FCPA, unusually high commissions, lack of transparency in expenses and accounting records, apparent lack of qualifications or resources on the part of the joint venture partner or representative to perform the services offered, and whether the joint venture partner or representative has been recommended by an official of the potential governmental customer.


Digital fingerprints and technology have changed the way we manage and store information, just as they have changed the way cases are developed and presented to new juries who understand the evidence. Organizations operating on a global scale with branch offices in London, Frankfurt, Mumbai, Hong Kong and Shanghai are continually exposed to operational risks associated with rogue employee behavior in the normal course of doing business in country. The legal matrix of risk exposures is magnified by Internet commerce, privacy, intellectual property and transnational policing.

In the recent "2008 Report to the Nation on Occupational Fraud and Abuse" by the ACFE, the Banking / Financial Services industry group suffered the highest frequency of losses:

  • # of Cases - 132
  • % of Cases - 14.6%
  • Median Loss - $250,000.00
The type of scheme with the highest percentage was corruption, at 33.3% of banking cases. Government had 106 cases, with 26.4% of these associated with corruption. The telecommunications sector endured the biggest impact per case, with 16 cases reported yet a median loss of $800,000.00. Healthcare suffered 76 fraud cases, with 26.3% involving corruption.

In all cases the digital trail is there for the forensic professionals to track, trace and assemble the history and chronology of events. Unfortunately for the prosecution and the plaintiffs, there is a tremendous backlog for the collection and analysis of this modern day CSI. Independence and expertise are the key elements of getting your favorable day in court. Judges and juries are far more educated on the new Federal Rules of Evidence and Civil Procedure. Lawyers are utilizing the eDiscovery threat to force premature settlements. Meanwhile, the digital evidence continues to be collected, imaged and stored for analysis, waiting its day in court.

21st Century investigators utilize digital forensic certifications and training combined with years of education and experience. Their only priority is managing the legal risk to institutions and to those who have been implicated, by achieving a defensible standard of care. Judging the evidence is neither their interest nor their objective. Ensuring that the relevant information is soundly collected, preserved and presented without spoliation or prejudice is the primary mission.

08 September 2008

A Perfect Storm: OPS Risk & The Asian Factor...

The forensic professionals have been busy at Freddie Mac and Fannie Mae over the past six months, and we are only looking at the tip of the iceberg. The results are in and Uncle Sam (US) is now adopting them in order to try and achieve new corporate governance and operational risk management objectives. The "Asian Factor" is a major influence in this decision.

The historic announcement has been well received by some of the institutions and Asian countries that were heavily invested in the US mortgage-backed securities market. In Hong Kong, HSBC soared 4.5 percent and No. 1 China lender ICBC rose 4.7 percent in trading.

Asian stock markets soared Monday after Washington announced a bailout of mortgage giants Fannie Mae and Freddie Mac — a move that could help bolster a shaky U.S. housing market and renew global investor confidence.

The initial relief will give some the feeling that the worst is over, and that is not the case. The Operational Risks associated with these events have now increased exponentially as new people take over and existing people jump off the sinking ship. The attrition in manpower alone will create new threats from within these organizations, in the form of errors and omissions alone.

And now let the litigation begin:

A shareholder is suing five banks, claiming they did not warn her or other investors about a proposed accounting-rule change that lowered the value of Fannie Mae stocks she bought, Bloomberg News reported.

The proposed rule is FAS 140, the accounting standard that specifies the conditions for keeping securitized assets off the balance sheet. If the proposal is issued in its current form and takes effect in November 2009 as expected, it could force companies like Fannie Mae to bring some special-purpose entities back on their balance sheet.

Plaintiff Karen Orkin, who bought 600 shares of class B Fannie Mae shares, filed the suit in New York State Supreme Court in Manhattan this week as a proposed class action, according to Bloomberg. The complaint reportedly says 89 million shares of the stock were sold, and the share price sank by 44 percent in value in four months.

The five banks — Citigroup, Merrill Lynch, Wachovia, Morgan Stanley, and UBS — formed a syndicate to underwrite the stocks. Wachovia, Morgan Stanley, and UBS declined to comment on the suit.

The lawyers and the accountants are circling the feeding frenzy looking for new opportunities to cash in on the next phase of the sub-prime mortgage crisis. And they are not the only firms that have been gearing up for the courtroom drama in the months and years to come. FTI, LECG and other eDiscovery firms such as Encore are creating specialty units to focus on the growing number of lawsuits and litigation arising from the tremendous fraud allegations:

The fact that numerous government entities are involved puts a high premium on the use of sound electronic discovery processes, chain of custody and especially forensic expertise. “What may start as a broad-based investigation by the SEC could quickly evolve into a complex web of related cases,” said Hemanth Salem, Encore’s Vice President of Professional Services and member of the Subprime Services Unit. “For example, the discovery process must factor in that an investigation could quickly expand to include 10b-5 and derivative cases, ERISA ‘stock-drop’ cases, fraud or negligence claims revolving around slack underwriting standards, lack of appropriate internal accounting controls and failure to disclose exposure to risk in MBSs and CDOs.”

As the markets stabilize and the new corporate governance takes hold at institutions across the globe, take a minute to consider the real interdependencies. Operational Risk is directly tied to the sophistication of our systems, software and algorithms that make up the very DNA of our financial trading infrastructure. Add to this the complexity of people, cultures and their behavior when emotions of fear, greed and even revenge come into play. Welcome to the "Perfect Storm" of Global Enterprise Risk Management.

02 September 2008

EDD Overload: Modern Incident Response...

Remote Digital Forensics is quickly migrating into a vast science that requires a sound combination of both legal and technical expertise. The EDD process has been helpful in educating the marketplace about the industry and the steps that are necessary for a complete and thorough eDiscovery review. However, relevancy and precision are highlighted here by Richard Bejtlich:

Why copy a 2-terabyte RAID array on a server if cursory analysis reveals that a small set of files provides all of the necessary evidence to make a sound case? Expect greater use of "remote previews" during incident response and select retrieval of important files for forensic analysis.

In addition to focusing on just the material that matters, modern incident response and forensic processes are more rapid and effective than historical methods. When hard drives were 40MB in size, it was feasible for a moderately skilled investigator to fairly thoroughly examine all of the relevant data for signs of wrongdoing. With today's volume of malicious activity, hard drive size, and efforts to evade investigators (counter- and anti-forensics, for example), live response with selective retrieval and review are powerful techniques.
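The "selective retrieval" Bejtlich describes still has to stand up in court, so whatever is pulled from the live system needs to be identified by explicit criteria and hashed at the moment of collection. The following is an added example (not code from the original post or from Richard Bejtlich) that builds a small constructed file tree in a temporary directory, selects only the files matching triage criteria (path globs plus a modification-time window), copies them into a collection directory and writes an integrity manifest that can be re-verified later. The file names, paths and the examiner identifier are constructed placeholders.

```python
"""Selective retrieval with an integrity manifest.

Added example, not code from the original post or from Richard Bejtlich.
Builds a constructed sample tree, collects only the files that match the
triage criteria, and records a SHA-256 per item so copies can be verified.
"""
import fnmatch
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files never load whole into memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def select_files(root, patterns, newer_than):
    """Relative paths under root that match any glob in patterns and were
    modified at or after newer_than (POSIX timestamp). Nothing else is touched."""
    selected = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not any(fnmatch.fnmatch(rel, p) for p in patterns):
                continue
            if os.path.getmtime(full) < newer_than:
                continue
            selected.append(rel)
    return sorted(selected)


def collect(root, dest, patterns, newer_than, examiner):
    """Copy the selected files to dest (timestamps preserved) and return a
    manifest recording who collected what, when, and each file's hash."""
    manifest = {
        "examiner": examiner,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [],
    }
    for rel in select_files(root, patterns, newer_than):
        src, dst = os.path.join(root, rel), os.path.join(dest, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        digest = sha256_file(src)
        # A copy is only accepted into the collection if it hashes like the source.
        if sha256_file(dst) != digest:
            raise RuntimeError(f"copy of {rel} does not match its source")
        manifest["items"].append({"path": rel, "sha256": digest,
                                  "size": os.path.getsize(src)})
    return manifest


def verify(dest, manifest):
    """Re-hash every collected copy; return the paths that no longer match."""
    return [item["path"] for item in manifest["items"]
            if sha256_file(os.path.join(dest, item["path"])) != item["sha256"]]


def build_sample_tree(root):
    """Constructed sample server contents (placeholder data, not real files)."""
    files = {
        "home/alice/mail/export.pst": b"constructed mailbox export",
        "home/alice/docs/ledger.xls": b"constructed ledger",
        "home/alice/docs/notes.txt": b"constructed notes",
        "var/log/old.log": b"constructed log from long before the window",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # Push the old log's mtime far back so the time window excludes it.
    os.utime(os.path.join(root, "var/log/old.log"), (1_000_000, 1_000_000))


def run_demo():
    """Collect, verify, then alter one copy and verify again.
    Returns (collected paths, mismatches before tampering, mismatches after)."""
    work = tempfile.mkdtemp()
    root, dest = os.path.join(work, "server"), os.path.join(work, "collection")
    build_sample_tree(root)
    manifest = collect(root, dest, ["*.pst", "*.xls", "*.log"],
                       newer_than=1_500_000, examiner="EXAMINER-PLACEHOLDER")
    clean = verify(dest, manifest)
    with open(os.path.join(dest, "home/alice/docs/ledger.xls"), "ab") as f:
        f.write(b"!")  # simulate a working copy that someone edited
    tampered = verify(dest, manifest)
    return [item["path"] for item in manifest["items"]], clean, tampered


if __name__ == "__main__":
    print(run_demo())
```

The point of the manifest is that the triage decision (which globs, which time window, who ran it) travels with the hashes, so a later reviewer can see why those files and not the whole array were retrieved, and can prove the copies have not changed since.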

The explosion of ESI and EDD related businesses is creating confusion and fear in the marketplace. Corporate counsel is working with outside law firms to get a better understanding of what their specific competencies are in the processing and analysis of electronically stored information that is relevant to the case. The question remains: are they looking at everything, rather than only what is material to the case, thus driving up the cost of litigation and the billable hours?

Federal Rule of Evidence 502 takes effect in a few months (December 1, 2008) and this will address part of the problem:

The nexus here is managing information that is discoverable through e-mail sent from Party A to Party B over the internal e-mail system provided by the employer, and on to third parties outside the organization, including lawyers. How can an organization make sense of it all and keep the GC from pointing fingers at the CIO?

The answer begins with building awareness and education among all employees in the organization, not just the legal staff and IT. It begins the moment any employee opens the Word document or Excel spreadsheet, the second you reply to that IM or e-mail on your PDA. Only through effective education and policy management will the enterprise learn how to modify behavior, regardless of what tools and systems are put in place to organize, sort and query ESI.

"Whether building the castle walls or defending the crown jewels, knowing the right questions can make all of the difference."

The beginning of your educational journey starts here: CastleQuest

11 August 2008

ESI: Federal Civil eDiscovery...

The San Francisco DA's "Operational Risk" factors have spiked now that the office has released passwords for the city's internal VPN networks in public court documents.

The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's virtual private network. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case of Terry Childs, who is accused of holding the city's network hostage by refusing to give up administrative networking passwords. Childs was arrested July 12 on charges of computer tampering and is being held in the county jail.

Mr. Childs is a good example of the "Insider Threat" that any savvy CSO has on their mind today. The case evidence being gathered and the eDiscovery involved in proving the case in court have now created additional exposures for the City of San Francisco. It is a system administration nightmare only if the city has not implemented controls such as multi-factor authentication and encryption of sensitive personally identifiable information or classified data.
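The exposure described above is a process failure: an exhibit went into the public record without anyone checking it for credentials. Here is an added example (not code from the original post, the DA's office or any vendor) of the kind of pre-filing check a legal or records team could run over exhibit text: it flags lines carrying a labelled password-style value and produces a redacted copy that keeps the label but removes the value. The exhibit text is constructed, and the patterns are a starting point for such a check rather than a complete secret detector.

```python
"""Credential scan for exhibits before they reach the public record.

Added example, not code from the original post or from any vendor. The
sample exhibit is constructed; the label list is deliberately small.
"""
import re

# A credential-style label, then ':' or '=', then the value. Labels cover the
# common spellings found in account exports: password, passwd, pass,
# passphrase, pwd, secret, psk. "password reset pending" has no separator
# and is correctly left alone.
SECRET_FIELD = re.compile(
    r"(?i)\b(pass(?:word|wd|phrase)?|pwd|secret|psk)\s*[:=]\s*(\S+)"
)

SAMPLE_EXHIBIT = """\
EXHIBIT A - Department VPN accounts (constructed sample, not real data)
Dept: Public Works   user: pw_admin   password: Summ3r!2008
Dept: Library        login=lib_vpn; pwd=Bo0ks4All
Dept: Parks          account: parks01  (password reset pending)
Total accounts listed: 3
"""


def scan_exhibit(text):
    """Return (findings, redacted_text). A finding records the line number and
    the label that matched, never the value, so the report itself is safe."""
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        def redact(m, lineno=lineno):
            findings.append({"line": lineno, "label": m.group(1).lower()})
            return f"{m.group(1)}: [REDACTED]"
        out.append(SECRET_FIELD.sub(redact, line))
    return findings, "\n".join(out)


def ok_to_file(text):
    """True only when no credential-style values were found."""
    findings, _ = scan_exhibit(text)
    return not findings


if __name__ == "__main__":
    found, redacted = scan_exhibit(SAMPLE_EXHIBIT)
    print(f"{len(found)} credential value(s) found")
    print(redacted)
```

Running it on the sample flags lines 2 and 3 and blocks the filing; the redacted copy still shows that an account list existed, which is what the bail argument needed, without the values. Any hit should also trigger a password rotation for the affected accounts, since the clerk's copy is not the only one that may have circulated.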

Childs faces four felony counts of computer network tampering and one penal-code violation for causing losses in excess of $200,000. He has pleaded not guilty but remains in custody in lieu of $5 million bail.

The ordeal has spurred the city's IT department to bolster network oversight and to consider hiring outside auditors to monitor a security upgrade. City officials also will review all access to its FiberWAN network, the hub through which payroll, e-mail and criminal files flow.

It has also persuaded other cities to scrutinize their own systems.

As more cases like this one enter our legal system it is imperative that attorneys for both the plaintiff and the defense realize the implications of their search for justice. The identities of people who may be witnesses in an upcoming trial are every bit as sensitive as the IDs or login credentials of city employees and officials. As these types of cases become more prevalent there will be new procedures and controls invoked by judges who have learned their lessons about releasing sensitive information such as network passwords into the public record.

So What! What does Operational Risk have to do with a criminal case? What would eDiscovery have to do with this? Where do you think they got all of these passwords? Inside a paper notebook sitting on a shelf?

In a case that did not receive a lot of publicity, the Court in United States v. O'Keefe, 537 F. Supp. 2d 14, 18-19 (D.D.C. 2008) applied the federal civil eDiscovery amendments to a federal "criminal" case. This was a significant decision in that DOJ's federal prosecutors (over 4,000), defense counsel, and others now have some guidance from a federal magistrate regarding ESI in the criminal area. The Court stated:

In criminal cases, there is unfortunately no rule to which the courts can look for guidance in determining whether the production of documents by the government has been in a form or format that is appropriate. This may be because the "big paper" case is the exception rather than the rule in criminal cases. Be that as it may, Rule 34 of the Federal Rules of Civil Procedure speaks specifically to the form of production.

The Federal Rules of Civil Procedure in their present form are the product of nearly 70 years of use and have been consistently amended by advisory committees consisting of judges, practitioners, and distinguished academics to meet perceived deficiencies. It is foolish to disregard them merely because this is a criminal case, particularly where, as is the case here, it is far better to use these rules than to reinvent the wheel when the production of documents in criminal and civil cases raises the same problems.

28 July 2008

ESI Risk: Seizing Electronic Evidence...

In this issue of Board Member Magazine, Lisa Ferri reminds us of the importance of the risks surrounding electronic evidence.

If the only thing better than learning from your mistakes is learning from the mistakes of others, then directors need to take a lesson from Philip Morris. A few years ago the tobacco giant was slapped with a $2.75 million fine by a federal court. The offense? Wrongful destruction of e-mails, otherwise known in legal circles as spoliation of evidence. The court found that at least 11 Philip Morris executives “at the highest corporate level” were guilty of violating a court order concerning document retention. In other words, they purged and paid the price.

United States of America v. Philip Morris USA Inc., et al. is a cautionary tale of the problems awaiting companies that are either unaware of or unprepared for the world of electronic evidence. The rules governing that world are evolving at warp speed.

In the United States, does an employer need the employee's permission to seize that employee's workplace computer for electronic evidence? In order to be more informed about this procedure and the legal implications in your enterprise, see CCIPS.

Warrantless workplace searches occur often in computer cases and raise unusually complicated legal issues. The starting place for such analysis is the Supreme Court's complex decision in O'Connor v. Ortega, 480 U.S. 709 (1987). Under O'Connor, the legality of warrantless workplace searches depends on often-subtle factual distinctions such as whether the workplace is public sector or private sector, whether employment policies exist that authorize a search, and whether the search is work-related.

Your compliance or legal office can provide you with the guidance for any employee who is suspected of violating company policies with regard to computer crime or theft of confidential information or intellectual property. The question remains: what policy is in existence today, and what methods have been used to fully disclose to employees anything that may impact their rights of privacy on the job?

For more help on this subject see: Best Practices for Seizing Electronic Evidence.

Just remember, forensics and the gathering of electronic evidence in a criminal matter are in opposition to your recovery. Once a violation has occurred, you can make changes, clean up the problem and get back to normal, or you can preserve the crime scene for evidence. It's one or the other. If it's not, that is when you run into problems. Document retention strategies in combination with Forensic Digital Discovery procedures are critical to any organization that cares to mitigate the ongoing risks of electronic evidence.

01 July 2008

Directors Q & A: Outside Counsel Risk...

Every Board Member needs to ask "Six Legal Questions" of corporate management because the answers will help you determine what law firms your company should fire, or even consider hiring. This special report by Randy Myers in Corporate Board Member highlights the Operational Risk of litigation and whether you are prepared for offense, defense and the next reputation scandal:

  1. How well do our outside law firms know our business?
  2. Are we prepared to handle litigation against us in the best way?
  3. Under what circumstances should we consider suing another company?
  4. When should we use a big law firm? When are we better off with a small one?
  5. What clues can tell us if our outside lawyers are no longer right for us?
  6. How well will we stand up to scrutiny?

We have to highlight the commentary on #6 (H. Rodgin Cohen, partner and chairman of New York City-based Sullivan & Cromwell LLP):

Directors must let the compliance office and general counsel know that they are to be informed anytime the company is put under investigation, Cohen says; government regulators and prosecutors expect the board to take a role in such matters. Having a clear policy in place is critical, says attorney Matthew Powers.

There is no cookbook recipe to prepare a company for an investigation. But what directors have to do, says Cohen, is approach any such inquiry with the understanding that in today’s environment, with laws and regulations being rigorously enforced, fighting a government investigation is almost always a bad idea. Companies must be seen as cooperative, he says, which means that they must conduct thorough investigations of their own when alerted to potential wrongdoing and provide the government with whatever it requests. If problems are uncovered, they should move quickly to take remedial action, implement policies and procedures to prevent further troubles, and penalize the people responsible. “If the company fails to take action,” Cohen warns, “it must expect that it will receive harsher punishment.”

He says it makes sense to report suspected violations of the law voluntarily when an internal examination uncovers them. “You’re really rolling the dice if you don’t, because if the government later finds out, it will have no confidence in you. And remember, the government has two ways to find out—on its own or from someone inside the company.” If the government decides it needs to find out on its own, he says, any penalties are likely to be much more painful.

Firing your long-time outside firm is not easy, and as with any third-party supplier who has been embedded for years or decades, "Breaking Up is Hard to Do." It is every corporate general counsel's greatest fear. Have you ever received advice that the negative results of an internal investigation need to be buried, hushed up or, even worse, ignored in the hope that nothing will happen?

Corporate Governance is taking on a new resonance in a politically charged election year here in the United States. The Democrats are gearing up for more oversight, investigation and compliance laws focused on areas that the Republicans have been slow to scrutinize. Laws that have been gathering momentum in the halls of Capitol Hill are targeting some of the industry sectors that have benefited the most from the Defense Industrial Base windfall.

In a global survey by Fulbright & Jaworski LLP, 40% of US companies had at least one lawsuit with $20M or more at risk, 60% had one or more plaintiff class actions pending, and 36% say that government regulators have stepped up their visits.

So if you are on the Board of Directors and you want to be proactive on the upcoming litigation front, where do you look? The Accounting department? Sales and Marketing? Information Technology? The Legal Department? The easy answer may be: who has the most laptops? Brian Krebs talks about the Data Breach problem on The Washington Post blog:

The San Diego-based Identity Theft Resource Center tracked 342 data breach reports from Jan. 1 to June 27. Nearly 37 percent of reports came from businesses -- an increase from almost 29 percent last year.

Data breach reports from health care providers (14.9 percent of the total) and banks (10 percent) continued to rise, while the share of breaches from educational institutions (21.3 percent of the total), government entities and the military (17 percent) declined for the third year in a row, the ITRC found.

Hacking was the least-cited cause of data breaches in the first six months of 2008 (11.7 percent of the total). Instead, lost or stolen laptops and other digital storage media remain the most frequently cited cause of data breaches, accounting for more than 20 percent of all reported cases, the ITRC found. The inadvertent posting of personal and financial data online prompted roughly 15 percent of the data breach disclosures.

The nexus of data, plaintiff lawsuits and your outside counsel (third-party suppliers) will be the Board of Directors' #1 priority in the next few years. This is the vortex of Operational Risk in the 21st century.

18 June 2008

ESI: The Economics of Litigation...

The operational risk and complexity of eDiscovery is increasing and the economic impacts are becoming a Board Room topic of debate. This study from RAND by James N. Dertouzos, Nicholas M. Pace, and Robert H. Anderson opens up some of the serious implications of Electronically Stored Information (ESI) as it pertains to this research:

Business litigants display a mix of optimism and concern about the impact of the new federal rules on e-discovery that went into effect in December 2006. To some extent, the balkanization that marked federal decisions in this area is likely to be reduced, but the core concerns over uncertainty about what are reasonable steps to take in advance of and during litigation remain. Thus, it is apparent that further clarification and development of e-discovery rules that promote efficiency and equity for both defendants and plaintiffs are required. For example, the new federal rules require early and full disclosure of IT systems, but interviewees noted that many lawyers are unfamiliar with the modern and continuously evolving hardware, applications, and internal record-keeping practices of their clients. Lawyers risk significant sanctions for failing to properly carry out e-discovery duties that they may not be equipped to handle. Even technologically savvy attorneys voiced concerns that providing opposing parties with detailed IT “roadmaps” as envisioned under the new rules would lead to discovery demands designed solely to drive up costs. And as corporate clients increasingly move toward internalizing collection, review, and production tasks in order to limit litigation costs, their outside counsel may find themselves with reduced control over the process but nevertheless still vulnerable to sanctions.

Lawyers who are modernizing their document review efforts are partnering with new boutique firms to accomplish this, because those firms have the tools and the technology subject-matter expertise. However, these efforts may be increasing the cost of litigation to corporate clients even though the automation and outsourcing are enhancing the process of review and relevancy. This is because the lawyers are still charging their clients for manual review by associates in the firm who bill by the hour, in most cases in excess of $300/hr.

eDiscovery and the costs and benefits of litigation are a constant dialogue on the golf course, the skybox and the private rooms of fine dining in New York, Washington, DC and most major metro areas. The reason has to do with the "Mathematics of Litigation".

The previous discussion makes it clear that e-discovery, by changing costs, creating new risks, and altering the flow of information, could alter litigant incentives to file suit, settle cases, and go to trial. For example, several interviewees claimed that the significant burdens of e-discovery outweighed the benefits of going to trial, especially in low-stakes cases. Thus, they were fearful of an increase in lawsuits of questionable merit in which defendants would settle rather than incur the costs of discovery. Viewed from another perspective, plaintiffs may choose to settle cheaply, dismiss their own cases, request less, or refrain from filing in the first place if their own costs of discovery (whether as producer or requestor) overwhelm the value of their claims.

The trend line for eDiscovery is clear. Corporations are bringing the eDiscovery mechanism in-house and are integrating the legal department with savvy staff in the IT ranks. Outside counsel will continue to remain a key aspect of the litigation process but are quickly being asked to take more traditional roles in the case. Outsourcing the automation tasks to the law firm will only increase the complexity and the potential liability of ESI related episodes or incidents.

08 May 2008

Legal Ecosystem: Survival of the Fittest...

The life cycle of monetary policy and financial fraud is being mapped once again in concert with new investigations into corporate malfeasance. As economic trends run their systemic course so do the highs and lows of human behavior to create new schemes to defraud customers, partners and even fellow employees.

Prosecutors in the Eastern District of New York in Brooklyn are stepping up their scrutiny of players in the subprime-mortgage crisis, focusing on Wall Street firms and mortgage lenders, the Wall Street Journal said on its Web site.

A task force of federal, state and local agencies will look into potential crimes ranging from mortgage fraud by brokers to securities fraud, insider trading and accounting fraud, the Journal said.

The Federal Bureau of Investigation is already targeting major corporate insiders and criminal groups in its investigation of fraud in the mortgage lending industry. The FBI has said it is investigating 19 companies in mortgage cases.

The formation of the task force amplifies efforts already under way in Brooklyn, where prosecutors are investigating whether investment bank UBS AG (UBSN.VX) improperly valued its mortgage-securities holdings, the report said.

Also being investigated are the circumstances surrounding the failure of two hedge funds at Bear Stearns Cos (BSC.N), which collapsed last summer because of losses tied to mortgage-backed securities, the report said.

Fraud, like other crimes of opportunity, has three common attributes:

  1. A growing supply of motivated offenders
  2. The availability of prospective or ideal targets
  3. The lack of consistent oversight mechanisms—control systems or someone to monitor the business

Beyond the typical motivations for initiating deceptive practices and fraud are the underlying mindsets. "Neutralization" creates the road map for nullifying internal moral objections. The type of fraud is not the issue here so much as the fact that offenders seek to justify or rationalize their actions and methods. Grace Duffield and Peter Grabosky have captured the four main categories of fraud in their paper, "The Psychology of Fraud."

  • Fraud committed against an organisation by a principal or senior official of that organisation
  • Fraud committed against an organisation by a client or employee
  • Fraud committed against one individual by another in the context of face-to-face interaction
  • Fraud committed against a number of individuals through print or electronic media, or other indirect means

Now the IT departments will be buzzing as they will be under orders to preserve e-mail archives as evidence as soon as notices arrive on the doorsteps of not only the large funding institutions themselves, but the hundreds of organizations in the corporate supply-chain.

The duty to preserve attaches immediately once the company is on notice. Once an investigation or lawsuit is reasonably anticipated or a complaint is received, the requirement to preserve materials attaches and preservation efforts need to be undertaken as soon as possible. There are no cases that provide definitive guidance as to how quickly litigation hold notices must be sent once the duty is triggered, but any such case will be evaluated in hindsight, i.e., after relevant materials have been destroyed, and very little if any delay is likely to be tolerated by the courts.
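Because the duty to preserve attaches on notice, a retention schedule that keeps deleting on its normal timetable is exactly how "relevant materials have been destroyed" happens. The following is an added example (not code from the original post or from any records-management product) of the decision an ERM process has to make per record: dispose when the retention period has run, unless the custodian is under a legal hold, with the hold taking effect the moment notice is logged rather than when hold letters go out. The record kinds, retention periods, custodian names, matter names and dates are all constructed.

```python
"""Retention schedule with a litigation-hold override.

Added example, not code from the original post or from any records system.
Record kinds, retention periods, custodians, matters and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention schedule, in days, per record kind.
RETENTION_DAYS = {"email": 3 * 365, "loan_file": 7 * 365, "chat": 90}


@dataclass
class Record:
    record_id: str
    kind: str
    custodian: str
    created: date


@dataclass
class HoldRegistry:
    """Open holds keyed by matter, plus an audit log of every notice."""
    holds: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def notice_received(self, matter, custodians, received_on):
        # The duty to preserve attaches on notice, so the hold is effective
        # as soon as it is recorded, before any hold letters are sent.
        self.holds.setdefault(matter, set()).update(custodians)
        self.log.append((received_on, matter, tuple(sorted(custodians))))

    def release(self, matter):
        self.holds.pop(matter, None)

    def is_held(self, record):
        # A custodian named in any open matter stays held until every one of
        # those matters is released; releasing one matter is not enough.
        return any(record.custodian in c for c in self.holds.values())


def disposition(records, registry, today):
    """Map record_id -> 'hold', 'dispose' or 'retain'. The hold check runs
    first so an expired record under hold is never disposed of."""
    result = {}
    for r in records:
        if registry.is_held(r):
            result[r.record_id] = "hold"
        elif today - r.created > timedelta(days=RETENTION_DAYS[r.kind]):
            result[r.record_id] = "dispose"
        else:
            result[r.record_id] = "retain"
    return result


# Constructed sample: two expired e-mails, a recent chat and a live loan file.
SAMPLE_RECORDS = [
    Record("E-1", "email", "alice", date(2004, 1, 1)),
    Record("E-2", "email", "bob", date(2004, 1, 1)),
    Record("C-1", "chat", "alice", date(2008, 4, 1)),
    Record("L-1", "loan_file", "bob", date(2008, 1, 1)),
]


def run_demo(today=date(2008, 5, 8)):
    """Dispositions with two overlapping matters open, after one is released,
    and after both are released."""
    reg = HoldRegistry()
    reg.notice_received("MATTER-A", {"alice"}, date(2008, 5, 1))
    reg.notice_received("MATTER-B", {"alice", "carol"}, date(2008, 5, 6))
    both_open = disposition(SAMPLE_RECORDS, reg, today)
    reg.release("MATTER-A")
    one_open = disposition(SAMPLE_RECORDS, reg, today)
    reg.release("MATTER-B")
    none_open = disposition(SAMPLE_RECORDS, reg, today)
    return both_open, one_open, none_open


if __name__ == "__main__":
    for stage, result in zip(("both open", "one open", "none open"), run_demo()):
        print(stage, result)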

Let's do some simple math here. Multiply the number of banking branches by the number of mortgage brokers for each branch, then by the number of appraisal firms, and you start to understand the magnitude of the volume of data. While some larger banking institutions have centralized underwriting operations for all of their branches, they still rely on a supply chain of small businesses in the local market to handle the valuations and appraisals of property.

The next trend line we will see is the uptick in court filings and the litigation wars for the next few years to come. One fact remains obvious: organizations large and small will be drawn into these Operational Risk Management challenges without the proper policies, practices and behavior to prevail. In any "legal ecosystem" the phrase "Survival of the Fittest" comes to mind, and this one will be no different.

"Survival of the fittest" is sometimes claimed to be a tautology. The reasoning is that if one takes the term "fit" to mean "endowed with phenotypic characteristics which improve chances of survival and reproduction" (which is roughly how Spencer understood it), then "survival of the fittest" can simply be rewritten as "survival of those who are better equipped for surviving".

28 April 2008

Corporate Governance: Testing for Organizational Disease...

In our continuing series on Security Governance we now turn to Corporate Governance: Testing for Organizational Disease.

It has been three years since a 25-year sentence was handed down in the WorldCom corporate governance and fraud case, and it is obvious that prosecuting white-collar crime cases is a real challenge.

In the HealthSouth Corp. fraud trial, the jury made a different decision and the CEO was acquitted.

Some lawyers suggested white-collar cases are inevitably difficult to present to jurors, whether they live in Birmingham or New York. "It's different from a drug deal or a bank robbery," said Donald Stern, a Boston attorney who was formerly that city's top federal prosecutor. "It's not obvious that a crime has been committed."

What the Board of Directors and Executive Management do know is that it's time to make some more changes in Corporate Governance initiatives. The relationship with shareholders is bound to remain a challenge for any management team, and they realize that they must be creating a culture full of ethics and risk management principles.

At the end of the day it comes down to the evidence presented to the jury. And the evidence is typically a presentation of information utilizing forensic methods of discovery. Dr. Thomas R. O'Connor at NCWC has some interesting background on the subject of "Investigative Methods of Forensic Accounting."

Signs of financial crime can be initially detected in a variety of ways -- by accident, by whistle-blowing, by auditors, by data mining, by controls and testing, or by the organization's top management requesting an inspection on the basis of mere suspicion. Ideally, fraud detection ought to be recognized as an important responsibility throughout every organization, and every employee in an organization ought to be familiar with the disciplinary consequences for breach of trust as well as failure to report criminal misdeeds against the organization. On a practical level, however, there are steps to the investigative method used in an organizational context that are far from these ideals, and reaching the "breakthrough" point is more an art than science. It is the purpose of this lecture note to outline the investigative methods and procedures used in most cases.

Red Flags of Organizational Behavior:

1. Unrealistic performance compensation packages -- the organization will rely almost exclusively, and to the detriment of employee retention, on executive pay systems linked to the organization's profit margins or share price.

2. Inadequate Board oversight -- there is no real involvement by the Board of Directors, Board appointments are honorariums for the most part, and conflicts of interest as well as nepotism (the second cousin to corruption) are overlooked.

3. Unprofitable offshore operations -- foreign operation facilities that should be closed down are kept barely functioning because this may be where top management fraudsters have used bribes to secure a "safe haven" in the event of need for swift exit.

4. Poor segregation of duties -- the organization does not have sufficient controls on who has budget authority, who can place requisitions, or who can take customer orders, and who settles or reconciles these things when the expenses, invoices, or receipts come in.

5. Poor computer security -- the organization doesn't seem to care about computer security, has slack password controls, hasn't invested in antivirus, firewalls, IDS, logfiles, data warehousing, data mining, or the budget and personnel assigned to IS. Simultaneously, the organization seems over-concerned with minor matters, like whether employees are downloading music, chatting, playing games, or viewing porn.

6. Low morale, high staff turnover, and whistleblowers -- Low morale and staff shortages go hand-in-hand, employees feel overworked and underpaid, frequent turnover seems to occur in key positions, and complaints take the form of whistleblowing.

As we move forward on strategies for improving ethics and protecting corporate assets, it's clear that educating board members and employees about the symptoms of corporate disease can be a key initiative. That education and awareness program could be the beginning of a whole new era of high-performing companies. And for that matter, the program's effectiveness may be the first test of any organization's health.

06 April 2008

Rule-Set Reset: Evidence Life Cycles...

Here are a few of the "Top of Mind" topics these days at the nexus of Legal Risk and "Defining the New Rule Sets" for Information Management and Digital Forensics. What is a "Rule-Set Reset"?

When a crisis triggers your realization that your world is woefully lacking certain types of rules, you start making up those new rules with a vengeance (e.g., the Patriot Act and the doctrine of preemption following 9/11). Such a rule-set reset can be a very good thing. But it can also be a very dangerous time, because in your rush to fill in all the rule-set gaps, your cure may end up being worse than your disease.

  • The Computer as Witness--What The Courts Allow.
  • Improper and Negligent Records Hold Practices.
  • Calculating Settlement Values in a Digital World.
  • Economics of Electronic Discovery.
  • Evaluating Outside Law Firms: Competing for Client Revenue.
  • Discovering the Legal Value of Electronic Information.
  • Chain of Custody Controls and Vulnerabilities.
  • Logs, Metadata and Backups.
  • Evidence Life Cycle Management.
  • Operational Risks in Existing Corporate Information Management Practices.

These topics and more are worth investing time, resources and manpower for vital learning, education and convergence within the legal department of your institution. Why? Just ask Waters Edge Consulting. Because just preparing for ESI custodian depositions under Rule 30(b)(6) will not be enough for your team to win these days. It's going to take substantially more investment in governance strategy execution within the ranks of the CIO, CSO and General Counsel in the aftermath of the sub-prime "Armageddon."

Today, many organizations have Enterprise Records Management (ERM) systems that provide clear guidelines for data retention and destruction. In addition, organizations facing frequent lawsuits often use Electronic Data Discovery (EDD) vendors and outside counsel to process and review electronically stored information (ESI) during discovery.

Unfortunately, neither solution creates a framework that recognizes all data as potential evidence and puts a consistent methodology in place for handling it efficiently and cost effectively.

Evidence Lifecycle Management (ELM) is such a framework. An ELM system, such as MatterSpace from WorkProducts, provides:

  • Automated identification, preservation, and collection of structured and unstructured matter-specific ESI from all accessible eRecords sources
  • Role-based collaboration and communications that drive all case-specific ESI activities
  • Auditing and reporting of all ESI communications and events, including litigation holds

ELM bridges the gap between ERM and EDD, speeding up ESI delivery while reducing the risk and cost of ESI processing and legal review.


A prudent governance execution strategy would include a ratio of new learning, education and policy development combined with the correct tools and managed services. Yet how do you determine the right recipe for your institution? After all, you are unique and unlike any other organization out there.

The fact is that it has to be customized to your exact size, exposures and vulnerabilities. You first have to establish the baseline and develop the foundation for making the right decisions in the right order. Most importantly, it has to be co-designed with the legal team and the custodians of the information if you are ever to have a chance of success. Underlying all of the dialogue about whom a particular matter relates to and where the information is located is another area that is imperative to the overall resilience of the organization: Continuity of Operations.

At the end of the day, this is what you are really buying. True DataVaulting means exchanging the headaches and liability of maintaining your own backups for the simplicity and convenience of contractually backed Service Level Agreements (SLAs).

Without effective DataVaulting, DRP and overall Continuity of Operations as an underlying foundation for managing the life cycle and longevity of your institution's records, you may already be subject to the increased risk of fines and non-compliance sanctions from FINRA or the SEC.

The correct Business Resilience Architecture begins with a firm statement of applicability for your institution. The statement of applicability (SOA) is the architectural blueprint that identifies controls that are pertinent to your environment, and explains how and why they are appropriate. The SOA is derived from the output of a comprehensive operational risk assessment and development of an enterprise wide "Early Warning System."

Centre-left leaders from around the world called on Saturday for urgent reform of global financial institutions to prevent a recurrence of the credit crisis.

About a dozen leaders, brought together by Prime Minister Gordon Brown, issued a communique urging the International Monetary Fund to help develop an effective early warning system to guard against financial risks to the global economy.

Australian Prime Minister Kevin Rudd said the world had to learn the lessons from the credit crisis, sparked eight months ago by massive default on U.S. sub-prime mortgage debt.

"Too often in the past when these sorts of events have occurred ... the lessons are lost. The lessons must be learned and applied, otherwise we will face a very rocky future indeed," Rudd told a news conference after the "Progressive Governance" conference outside London.

The leaders, also including South African President Thabo Mbeki, New Zealand Prime Minister Helen Clark and Austrian Chancellor Alfred Gusenbauer, gathered just before key Group of Seven and IMF meetings in Washington next week which will discuss the financial turbulence.

Also attending were the heads of the IMF, World Trade Organisation (WTO), the African Development Bank and several U.N. agencies.

18 March 2008

Information Risk: The Zero's & One's Don't Lie...

The Bear Stearns implosion has been described as a casualty of failed hedge funds. These entities are less regulated than banks and don't have to keep a minimum capital reserve. The amount of leverage they utilize can sometimes come back to burn you.

Angry Bear Stearns Co Inc shareholders have wasted no time in bringing legal claims following the company's stunning stock collapse and $2-a-share fire sale to JPMorgan Chase & Co.

At least one federal lawsuit in New York seeking class- action status for alleged securities fraud was filed on Monday by an investor contending the company hid its true financial condition from shareholders.


"Who Knew What When" is the focus of the legal mechanism now in full swing as investigators at the SEC and other federal regulators begin their forensic examinations and interviews. Eliot Spitzer is finally a back story after his demise in the FinCEN money laundering investigation:

But what really snared Spitzer was a money laundering investigation that was flagged by suspicious activity reports (SARs) that banks have to file with the Treasury to surface everything from money laundering to terrorist activity. This network has been around for a while, but its importance escalated following the Sept. 11, 2001 terrorist attacks. According to the FBI’s charges the prostitution ring that counted Spitzer as a customer was investigated due to some shady bank accounts, checks and wire transfers with big totals ($39,000, $400,000 and others).

The nexus of eDiscovery, Data Mining and Operational Risk Management is in the news as these incidents are unraveled. The information and evidence from the data analysis will reveal the truth, and those caught shredding documents or deleting files will no doubt become part of one of these inquiries.

Even today at 2AM JP Morgan Chase was searching Google with the terms "information operations risk management" and landed here on this Operational Risk Management Blog. Then they "Out Clicked" to A Defensible Standard of Care in hopes of finding answers to their questions.

The lawsuits and the lawyers are busy these days with the Federal Rules of Civil Procedure (FRCP) as they defend ongoing data breaches and bad behavior by employees and interested third parties:

A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday.

Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.

The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

The company is aware of about 1,800 cases of fraud reported so far relating to the breach.


If the latest economic studies are correct, that's going to cost about $98.00 per record on the low side when it comes to the amount of money that these organizations will spend (unless insured) to clean up this operational risk related incident.

New York State has a new Governor at the same time the Bears are descending on Wall Street:

David A. Paterson became New York’s 55th Governor on March 17, 2008. In his first address as Governor, Paterson spoke about the challenges New York faces and his plan for New York’s future.

This month it's New York in the news, but our prediction is that California will soon be next to capture the nation's headlines. The legal buzzards are soaring overhead...

27 February 2008

Lessons Learned: The Impact of Executive Decisions...

In times of economic downturn the Operational Risks within your institution will begin to rise. Enron, Worldcom and HealthSouth are a few of the names people recognize as the major casualties of the last significant dip in our economy. When times get tough, people get desperate and try to keep the schemes and any red flags from being discovered.

So what are some of the areas that encompass Operational Risk?

  • Internal Fraud - bribery, misappropriation of assets, tax evasion, intentional mismarking of positions
  • External Fraud - theft of information, hacking damage, third-party theft and forgery
  • Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety
  • Clients, Products, & Business Practice - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
  • Damage to Physical Assets - natural disasters, terrorism, vandalism
  • Business Disruption & Systems Failures - utility disruptions, software failures, hardware failures
  • Execution, Delivery, & Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets

Cynthia Cooper has written a new book "Extraordinary Circumstances: The Journey of a Corporate Whistleblower" about her honorable quest to find the truth at Worldcom. Her quote in the March/April issue of Fraud Magazine says it all:

"Listen to your instinct. If people are acting out of character or appear to be working to head you in another direction, step back and ask yourself why. Continue to ask for support and dig until you're satisfied that you've gotten it right."

Beyond Cynthia's first-person account, which gives the reader her emotional perspective, Operational Risk Management professionals realize that their role and the job they have been trained to do is not always a "Pleasant" experience. This is why all of the training and education is so important and the rehearsals are absolutely imperative. Testing, evaluating and testing some more is the norm. Understanding what "Normal" looks like takes time and persistence. Yet without it, our horizon for positive change could be in jeopardy.

With many of the "Lessons Learned" books now published from the last economic dip, who will be next to blow the whistle or expose the real risks that some companies are hiding from the Board of Directors and the shareholders? The class action lawyers are even gathering their evidence on the possibility of cashing in on predatory lending practices:

A federal appeals court is nearing a decision on a battle between Chevy Chase Bank and a Wisconsin couple that could for the first time enable homeowners across the country to band together in class-action lawsuits against mortgage firms and get their loans canceled.

The case is alarming Wall Street 's biggest banks, which could bear the hefty cost of reimbursing all mortgage interest, closing costs and broker fees to groups of homeowners who uncover even minor mistakes in their loan documents. After a federal judge in Milwaukee ruled last year that the Wisconsin couple had been deceived and other borrowers could join their suit, Chevy Chase Bank appealed to the circuit court in Chicago.

So what we have are markets that are volatile. Bankers who are raising the stakes for borrowers. And naive consumers who are facing higher prices across the board. The time for increased vigilance is in front of us all. From the Board Room to the Court Room it's time that we spend more time looking at the interdependencies and realize that risk is more than a prediction.

During these times, it's worth revisiting this post on Fear: The Elements of Prediction.

05 February 2008

ESI Lessons Learned: CREDO & Qualcomm...

Qualcomm Inc. v. Broadcom Corp., Case No. 05cv1958 (BLM) (S.D. Cal.), issued by the U.S. District Court for the Southern District of California on January 7, 2008, should be a major wake-up call for corporate litigants. This case is about electronically stored information (ESI) and the ability to manage and produce the correct records at the time requested.

Evidence Lifecycle Management (ELM) is imperative in the context of Governance Strategy Execution within the halls of corporate legal departments. Having an Operational Risk Framework to address legal matters is the "Holy Grail" for many Audit Committees of global Fortune 50 institutions and the General Counsel. What are some of the elements of enterprise ELM? To start:

  • Automated identification, preservation, and collection of structured and unstructured matter-specific ESI from all accessible eRecords sources
  • Role-based collaboration and communications that drive all case-specific ESI activities
  • Auditing and reporting of all ESI communications and events, including litigation holds
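The three ELM elements listed here (and in the Rule-Set Reset post above, which also names chain of custody controls, logs, metadata and backups) are stated as capabilities rather than mechanics. The script below is an added illustration, written for this page and not taken from any ELM product or from the blog, of what those elements look like in code: matter-specific identification, preservation by cryptographic fingerprint, a role check on who may place a hold, and a hash-chained audit trail that reveals any later edit to the record. The matter id, actor names, file paths and record contents are constructed sample data.

```python
"""Toy evidence-preservation ledger (added example, not a product's code).

Identify matter-specific records, fingerprint them with SHA-256, restrict
who may place a litigation hold, and keep a hash-chained custody log whose
integrity can be verified later.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample eRecords source: path -> raw bytes.
SAMPLE_RECORDS = {
    "mail/2008-01/msg-001.eml": b"Subject: Project Falcon budget\n\nPlease review.",
    "shares/finance/falcon_q4.xlsx": b"PK\x03\x04 constructed: Falcon Q4 figures",
    "mail/2008-01/msg-002.eml": b"Subject: lunch\n\nNoon?",
}

# Hypothetical role model: only these roles may place a hold.
ROLES_ALLOWED_TO_HOLD = {"counsel", "custodian"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def identify(records: dict, keyword: str) -> list:
    """Return paths whose content mentions the matter keyword (case-insensitive)."""
    needle = keyword.lower().encode()
    return sorted(path for path, blob in records.items() if needle in blob.lower())


class EvidenceLedger:
    """Append-only custody log for one matter; each entry hashes the previous one."""

    GENESIS = "0" * 64

    def __init__(self, matter_id: str):
        self.matter_id = matter_id
        self.entries = []
        self.holds = {}  # path -> SHA-256 recorded at preservation time

    def _append(self, actor: str, action: str, path: str, digest=None, ts=None):
        # actor is "role:name"; the role gates hold placement.
        role = actor.split(":", 1)[0]
        if action == "HOLD" and role not in ROLES_ALLOWED_TO_HOLD:
            raise PermissionError(f"role '{role}' may not place holds")
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "matter": self.matter_id,
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "path": path,
            "sha256": digest,
            "prev_hash": prev,
        }
        # Canonical JSON so the hash is reproducible on verification.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def preserve(self, actor: str, path: str, data: bytes, ts=None):
        """Place a record under hold: log the event, then remember its fingerprint."""
        digest = sha256_hex(data)
        entry = self._append(actor, "HOLD", path, digest, ts)
        self.holds[path] = digest
        return entry

    def verify_custody(self, path: str, data: bytes) -> bool:
        """True if the bytes now presented match what was preserved."""
        return self.holds.get(path) == sha256_hex(data)

    def verify_chain(self) -> bool:
        """True if no entry was altered, inserted or removed after the fact."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def preserve_matter(records: dict, keyword: str, actor: str, ledger: EvidenceLedger) -> list:
    """Identify and preserve every record relevant to the matter; return the paths held."""
    held = identify(records, keyword)
    for path in held:
        ledger.preserve(actor, path, records[path])
    return held


if __name__ == "__main__":
    ledger = EvidenceLedger("MATTER-0001")  # constructed matter id
    print(preserve_matter(SAMPLE_RECORDS, "falcon", "counsel:jdoe", ledger))
    print("chain intact:", ledger.verify_chain())
```

The point of the chain is reporting, not secrecy: a reviewer can re-run `verify_chain()` on the exported log and show that the hold events, their order and their actors have not been edited since they were written, which is the kind of evidence an auditor or opposing counsel asks for when custody is challenged.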

Duane Morris LLP has this to say about the Qualcomm case:

Emphasizing that it is the responsibility of attorneys (both in-house counsel and retained counsel) to make certain that their clients carry out an effective and comprehensive document search, the court noted that "[p]roducing 1.2 million pages of marginally relevant documents while hiding 46,000 critically important ones does not constitute good faith and does not satisfy either the client's or attorney's discovery obligations." The court suggested that in-house counsel have a duty to confirm the veracity of any signed papers produced during discovery.

The district court's solution was to order Qualcomm to implement a "comprehensive Case Review and Enforcement of Discovery Obligations ('CREDO') program" which, at a minimum, includes:

(1) identifying the factors that contributed to the discovery violation, (2) creating and evaluating proposals, procedures, and processes that will correct the deficiencies identified in subsection (1), (3) developing and finalizing a comprehensive protocol that will prevent future discovery violations, (4) applying the protocol that was developed in subsection (3) to other factual situations, such as when the client does not have corporate counsel, when the client has a single in-house lawyer, when the client has a large legal staff, and when there are two law firms representing one client, (5) identifying and evaluating data tracking systems, software, or procedures that corporations could implement to better enable inside and outside counsel to identify potential sources of discoverable documents, and (6) any other information or suggestions that will help prevent discovery violations.

The court ordered that the attorneys submit a proposed protocol for the court to evaluate and revise, if necessary. While the district court's immediate goal was to remedy this specific instance of misconduct, the court hoped that its opinion would be a "road map" for electronic discovery and would "assist counsel and corporate clients in complying with their ethical and discovery obligations and conducting the requisite 'reasonable inquiry.'"

The risk associated with non-compliance with the Federal Rules of Civil Procedure (FRCP) is a major facet of Operational Risk Management. Corporate Governance Strategy Execution comes together with a dedicated internal "Task Force" inside the enterprise. Comprised of the General Counsel, CIO, CISO and VP of Human Resources, this team provides the mechanism for effective policy implementation and operations accountability. The mission is to carry out the fiduciary duty to create a culture of legal compliance within the organization.

The Board of Directors has learned its lesson from turning the entire process over to outside counsel. The trend of outsourcing the many tasks and duties assigned to the discovery and admissibility of ESI is coming to an end. Soon the General Counsel will be standing up the internal "Task Force" to identify and produce ESI in a reliable and cost-effective manner. The trend is gaining momentum, and law firms are getting more "Requests for Information" (RFI) on their true electronic discovery capabilities.

Establishing "A Defensible Standard of Care" within the enterprise continues to be the ultimate goal. While some law firms have started to offer services to determine the readiness of their clients for large ESI cases, more corporate institutions are reversing the economic process associated with E-Discovery and asking:

"What are the Electronic Discovery Capabilities of our outside counsel?"

17 January 2008

IPR Risk: Beijing Olympics 2008 & Beyond...

The global corporate security directors have been planning for the 2008 Olympic Games in China for well over a year now. Company employees of Fortune 500 institutions who are in the intellectual property and branding departments have been working feverishly for even longer. What do the two have in common?

Safety, Security and Intellectual Property Rights (IPR) Protection, to name a few. The stakes are tremendous, and the world's stage for sports and marketing is coming soon to a web site, cell phone and e-mail in your control. These Operational Risks are growing, especially for Corporate Travelers and other Executive Management who have engaged in negotiations and business deals for the past 24 months. Let's put some of this into context:

China Customs is committed to providing Beijing Olympic Games with good service in all respects and is entitled to conduct control over Olympic materials entering or leaving China Customs territory (hereafter referred to as the territory) in accordance with relevant laws and regulations. This notice applies to the completion of Customs formalities and the payment of Customs duties and the taxes collected by Customs on behalf of other government departments for importation of all materials entering or leaving the territory (hereafter referred to as the inward and outward materials) for the Olympic Games, Paralympics, testing-games, torch relay and other related activities during Beijing Olympic Games and its preparation period. The time for Beijing Olympic Games and its preparation period refer to the time starting from January 1st, 2007 to October 17th, 2008.


This is a facet of the puzzle that corporate marketing and operations management have ironed out for the most part. However, whether it is being addressed from another Intellectual Property perspective is another question. The Digital Age is certainly upon us, and this brings a heightened sensitivity to the strategy for employees who plan on visiting China before, during and after the Olympic Games in 2008.


Companies often have negotiated contractual obligations to protect confidential and trade secret information of customers, vendors, and business partners. Companies aggressively guard against theft or loss of intellectual property, however, the loss of sensitive employee and customer information can be just as damaging. Lose trust with your customer and you may lose the customer. Additionally, the media and public are paying increased attention to privacy breaches. Companies risk significant public embarrassment—not to mention potential litigation—if they fail to appropriately safeguard private and confidential information. Courts nationwide are also taking an increasingly intolerant view of companies that fail to take reasonable efforts to protect sensitive employee and customer data. The digital age has significantly increased the risk of data losses.


Security Advisory and OPS Risk Consulting firms have been gearing up for challenges global corporations face in the next six months. Increasing awareness, educating and training employees while testing the soundness of legal and security policies is just the beginning:


“The next wave of global coordinated attacks blends physical, logical and cyber exploits – specifically targeting high-value intellectual property and customer information around the world,” said Watters, iSIGHT Partners’ Founder, Chairman & CEO. “This trend will dominate the future threat landscape.”


John Watters knows the stakes and understands the magnitude of the digital challenges faced by corporate entities across the globe. In the wake of the rush toward brand presence and intellectual property rights management lies another common and misunderstood threat. It's called "guanxi".


Understanding this threat in its context and relevance to corporate stakeholders is vital. The focus on developing a vigilant strategy for interacting with business partners in China is imperative. Prudent CSOs and GCs are well on their way to rolling out the legal programs and security management training to mitigate the risks to their employees and their precious corporate secrets. This is the result of some very well known cases involving counterfeiting and enforcement of trademarks and intellectual property.

What might be less well known is how digital information is being removed without your knowledge from devices such as laptops, cell phones and PDAs such as a Blackberry while you walk through the hotel lobby or the airport waiting area. Here is some easy advice and a simple strategy as you contemplate your itinerary for the Olympic Games. Leave it at home, locked up in your corporate office.

20 December 2007

FRE 502: Evidence & Digital Discovery...

What could the implications of this ruling be for employees in New York state? Scott v Beth Israel Med. Ctr. Inc.

The writing is on the wall with the attorney-client privilege and Federal Rules of Evidence 502. A review of current e-mail policy may also be in order at your institution if you plan on achieving "A Defensible Standard of Care."

On December 11, 2007, Senator Patrick Leahy, Chair of the Senate Judiciary Committee, introduced S. 2450, a bill adding new Evidence Rule 502 to the Federal Rules of Evidence. The legislation addresses waiver of the attorney-client privilege and work product protection and is identical to proposed Evidence Rule 502, which was approved by the Judicial Conference of the United States and transmitted to Congress for its consideration in September 2007.

Here are comments by the BLT:

If approved, the legislation would allow litigants to avoid waiving privilege on inadvertent disclosures if parties took reasonable efforts to vet the documents and asked for the return of any privileged information in a timely manner.

"The surging use of email and other electronic media has forced parties to spend billions of dollars and countless hours to guard against the unintentional release of such information," Leahy's office reported. Specter added that the new rule would help ensure that "the wheels of justice will not become bogged down in the mud of discovery.”

Stephen D. Whetstone, Esq. of Stratify says this:


Given the increased risks and costs, it is no surprise that many companies are trying to wrest control over the discovery process. More companies are now directing outside their counsel to leverage technology to automatically organize huge data collections, help understand foreign languages and detect privilege and thereby drive down the costs and mistakes that result from fatigued human review. The rule-makers get it, too. The Advisory Committee Notes to proposed FRE 502 provide: "Depending on the circumstances, a party that uses advanced analytical software application and linguistic tools in screening for privilege and work product may be found to have taken 'reasonable steps' to prevent inadvertent disclosure."

In short, in the 12 months since adoption of the new discovery rules, the sky did not fall. But, for some, it grew darker and more expensive to prop up.

In case you haven't noticed your CIO in the General Counsel's office lately, you soon will. The use of automated tools for Electronic Content Management (ECM) has converged with the tools for Disaster Recovery Management (DRM). In the middle of the pile of documents, email and other electronically stored information (ESI) is something called effective Records Management.

The nexus here is managing discoverable information: e-mail sent from Party A to Party B over the internal e-mail system provided by the employer, and on to third parties outside of the organization, including lawyers. How can an organization make sense of it all and keep the GC from pointing fingers at the CIO?

The answer begins with building awareness and education with all employees in the organization, not just the legal staff and IT. It begins the moment any employee opens the Word document or Excel spreadsheet, the second you reply to that IM or e-mail on your PDA. Only through effective education and policy management will the enterprise learn how to modify behavior, regardless of what tools and systems are put in place to organize, sort and query ESI.

"Whether building the castle walls or defending the crown jewels, knowing the right questions can make all of the difference."

The beginning of your educational journey starts here: CastleQuest

22 November 2007

The GC: The Truth Can Be Adjusted...

If you are a General Counsel (GC) today for an organization doing business on a global basis, your Blackberry must be "buzzing" every few minutes. The legal risk being encountered will always be a factor of the number of deals, the number of employees and the growing number of countries you do business in.

As a corporate GC of a global enterprise, you have a fiduciary responsibility to protect the enterprise from adversaries such as the rogue employee, the government regulator, competitors and plaintiff class actions. The Rule of Law in your organization is in your hands. How you transfer the "Talking Points" on ethics and legal messages to your employees, partners, suppliers and adversaries is critical. The effectiveness of your relationship with internal CSO, CISO and Internal Audit leadership could mean the survival of the company and your job.

In the latest Hollywood movie, Michael Clayton, George Clooney plays the role of a prominent law firm's "Fixer." He finds himself taking care of the messes corporate clients put themselves into, and even the internal firm problems with senior litigators who have decided to do secret battle with a prominent client's General Counsel. The GC in this film takes every precaution to ensure the settlement of a pending class action suit that has consumed over 30,000 billable hours at Michael Clayton's law firm.

While this fictitious story displays the extremes of the world many GCs live in with their outside counsel, it sets the stage for gaining insight into the legal ethics and corporate challenges global institutions face on a continuous basis. The Yin / Yang of corporate compliance and governance is consistently wrestling with the pressure to save people from losing their reputations and the longing to do the right thing. The goal is to achieve a defensible standard of care and to have peace of mind: to be able to stand behind the fiduciary duty to uphold the law and enforce the rule of law in corporate business.

When was the last time a GC took the "Ethics" and "Rule of Law" program directly to the employees in face-to-face sessions, giving employees, partners or suppliers a first-hand opportunity to meet, greet and engage with the General Counsel of the enterprise? By doing this you are directly engaging with the people on the front line to be the "eyes and ears" for the company, the early warning system for potential conflicts of interest, fraud and corruption. As an example, Scott Chaplin at Stanley Associates says this:

"I deal with a wide range of issues on any given day. I support not only our business operations but also corporate support. Our recurring issues include corporate governance and securities, and we're active in the mergers and acquisitions area -- we've done several deals recently. I handle labor and employment issues on a daily basis, along with government contracts issues, litigation, IP and compliance work. I'm also the ethics officer for the company, responsible for our ethics compliance program, as well as secretary of our board of directors, where I act as legal adviser to the board."

"I recently completed our annual ethics training at a number of our offices. After each training session, I would have a line of employees waiting to speak with me about various issues. That got me thinking that a lot of employees don't feel they have a direct line of communication to me at corporate. They might not feel that the issue is important enough to bring up with the GC. It made me realize that in-house lawyers need to get out of headquarters more often and go to the employees, instead of waiting for the employees to come to us. We have to get out to the field and foster the client relationship a little bit more."

Scott is absolutely correct, and what better time to emphasize SOX Section 806. Protecting the rights of corporate whistle-blowers is the GC's responsibility, in combination with an external ethics hotline for employees. While there have been plenty of other people calling for reform of other burdensome and expensive components of SOX, no one is going to touch Section 806. Employees don't understand the implications of the law, and corporate management can't underestimate the impact of this in terms of the potential litigation it may face.

Achieving a Defensible Standard of Care requires a General Counsel with the vision to address a spectrum of legal and ethical risks in the modern enterprise. When this is finally accomplished, the Michael Claytons in law firms around the globe will be looking for a new career.

01 November 2007

Red Flags: The Oracle of Omaha...

What do you do when you see a "Red Flag"? This was the question posed to Directors in a recent poll by Corporate Board Member Magazine in the November/December 2007 issue. C. Warren Neel, the Executive Director of the Corporate Governance Center at the University of Tennessee, could not have answered this any better:

I don't want to see it; I want to "hear" the red flag before I see it. I want to hear about it before it happens. And I don't want to just know it happened, I want a diagnostic as to why it happened. I want a postmortem. What led us down that track? How did it start? Was it personnel-based? Process-based? Because of a malfunctioning system? Did we have the wrong strategy? Or what?


Welcome to the world of Operational Risk Management Mr. Neel. These are the scenarios that are played out on a continuous basis in the midst of the daily humming of business throughout the organization. These Ops Risk professionals are testing, exercising, stressing, and "Thinking of the Unthinkable" everyday so you do hear it before it happens. It may not be weeks, or even days. It could be hours or minutes. And then what will the Board of Directors do next?

This is perhaps one of the largest worries these professionals have. They don't know you, the Board or the steps you might or may not take once you get the warning, the news or the prediction. As the Board of Directors it's imperative that you learn all you can about who the Operational Risk experts are in the enterprise and to know them personally. Otherwise, how are you ever going to have an early warning system that you can trust and gets you the answers sooner than later?

What you need is an extension to the "Whistleblower" mechanism that tracks potential ethics violations and other wrongdoing under corporate policy. It's a risk management method integrated with your current fraud management systems and combined with ongoing behavioral analysis of "High" risk employees. Without this early warning process and a supporting system in place, the Board is forever doomed to be on the "reactive" end of the spectrum, continuously wondering how to respond to an incident that has already occurred.

How did Warren Buffett get the "Red Flag" on Freddie Mac years before its implosion under senior management?

The charges against Brendsel were filed three years ago by the Office of Federal Housing Enterprise Oversight, which regulates Freddie Mac and its larger government-sponsored sibling Fannie Mae. OFHEO, which blames the accounting scandal on management misconduct, is seeking damages and penalties against Brendsel totaling nearly $1 billion, including $24 million in severance benefits and stock awards.

Buffett said he was uncomfortable, among other things, about an investment by Freddie Mac that was unrelated to its business as the nation's second-largest financer of home mortgages.

"I follow the old dictum: There's never just one cockroach in the kitchen," Buffett said.

Details of his testimony were reported in Wednesday's editions of The Washington Post. They were confirmed by people familiar with the proceeding, speaking on condition of anonymity because they weren't authorized to speak about the case publicly.

Regardless of the outcome of this proceeding, the point could be made that the board had a huge "Red Flag" when Warren was selling his stake in the company. Predictions are based upon a number of factors, and there must have been many pieces of information that added up to "something's not right" at Freddie Mac. Today, there are ten positions open at Freddie Mac for operational risk related jobs, and here is what they are seeking:

Position is part of a team supporting Operations as an operational risk management partner. Significant time will be spent as the face of the Audit Liaison function. Engages with the business areas to fully understand the operational process in order to coach and support the group in identifying and assessing operational risk and designing appropriate controls to mitigate the risk. Provides subject matter expertise on operational risk management systems and Freddie Mac operational processes.

Ensures all operational risk deliverables are completed within established timeframes with a high level of quality especially the mitigation of outstanding major/critical issues and monitoring of status on all outstanding issues. Deliverables include Operational Breakdown and Loss Event Reporting, Risk and Control Self-Assessments, SOX Assessments, Internal and External Audit Responses. Also supports Quality Assurance testing of SOX Key Controls and Root Cause Analysis.

Skills/Knowledge needed:
  • In-depth knowledge of operational risk management and controls with minimum 2 years experience.
  • Knowledge of key principles of auditing.
  • Knowledge of key principles of mortgage operations.
  • Knowledge of financial industry operations and/or accounting is preferred.
  • Ability to work independently with strong organizational skills to meet frequent deadlines.
  • Strong interpersonal skills with ability to build working relationships.
  • Flexibility and ability to multitask.
  • Strong analytical skills.

One might wonder why they are looking for someone with in-depth knowledge of operational risk management (ORM) with only two years of experience. Sadly, this is because the organization relied for too many years on its financial auditors and their armies of freshly minted MBAs from some of the best business schools in the nation. However, the main reason is that the science of ORM is new compared to other disciplines in the accounting profession.

As organizations evolve their ORM departments and combine the attributes of fraud management, systems testing, continuity of operations, records management and employee behavioral analysis, the Board of Directors will have a better opportunity to predict "Red Flags". They will ultimately become more preemptive in their actions and follow through to protect the shareholders' assets. Until that happens, keep your eyes and ears on the "Oracle of Omaha"...

19 October 2007

3rd Party Outsourcing: Compliance Management...

Hedge funds that require outsourced products or services in conjunction with their broker-dealers and clearing banks are still under the regulators' microscope. The focus on "Red Flags" is a continuous challenge, in addition to the latest operational risk mandates and due diligence on 3rd parties.

This was highlighted by Geofrey L. Master of Mayer Brown last May in one of his articles from Mondaq:

"Further, and even more significantly, hedge funds must deal with many compliance requirements that are applicable to other parties that are part of the fund’s operating environment. An example of such indirectly applicable requirements is the compliance obligations faced by the fund’s investment advisor, its broker-dealers, and its clearing banks. These parties face distinct, and often significant, legal and regulatory requirements that necessarily impact the fund’s operations. In addition, the demands of fund investors, as well as other business environment realities, result in a variety of self-imposed operational requirements that function effectively as (and in some cases may actually become — through fraud claims, for example) legal requirements."

"With regard to laws applicable to the service provider, compliance requirements range from licensing and authority-to-do-business issues to those directly impacting service performance, such as health and safety and environmental regulations and data safeguarding requirements."

The Governance, Regulatory, and Compliance (GRC) business process within the ranks of the hedge fund has a fundamental requirement to assure that outsourced entities are executing their responsibilities. Service providers are an extension of the hedge fund's supply chain of information services and financial intelligence, which investors have taken as a natural extension of the fund's operational infrastructure. The EU Markets in Financial Instruments Directive (MiFID) takes effect on November 1, 2007 and directly intersects with the outsourcing of services to 3rd parties.

Mark A. Prinsley also of Mayer Brown sums up the impact of MiFID on firms and how they are currently managing the risk associated with outsourced services:

In substance, the rules should largely reflect no more than sound and prudent practice in any outsourcing relationships. However, in relation to the management of the outsourcing relationships, firms will be required to retain skills and exercise risk management not just for the services provided by the service provider, but also in relation to the way in which the firm manages its outsourced activities. Inevitably, this will lead to the need for more resources and skills in the areas of management and audit to be retained by firms in the financial services sector that outsource their activities.

It is also important to note that the new rules will apply retroactively. Thus, while firms will not be required to re-write their existing outsourcing arrangements, it will be prudent for them to confirm, particularly for arrangements that may not have been "material contracts" - and therefore not previously notified to the FSA - that the arrangements do meet the new rules in areas such as retention of appropriate skills and resources and management of risk.

Firms facing this increased scrutiny within the EU, and other firms looking to enhance their outsourcing resilience, need look no further than the BS 25999 standard for Business Continuity Management.

"Continued operations in the event of a disruption, whether due to a major disaster or a minor incident, is a fundamental requirement for any organization. BS 25999, the world’s first British standard for business continuity management (BCM), has been developed to help you minimize the risk of such disruptions.

By helping to put the fundamentals of a BCM system in place, the standard is designed to keep your business going during the most challenging and unexpected circumstances – protecting your staff, preserving your reputation and providing the ability to continue to operate and trade.

BS 25999 has been developed by a broad based group of world class experts representing a cross-section of industry sectors and the government to establish the process, principles and terminology of Business Continuity Management.

It provides a basis for understanding, developing and implementing business continuity within your organization and gives you confidence in business-to-business and business-to-customer dealings. It also contains a comprehensive set of controls based on BCM best practice and covers the whole BCM lifecycle."

This new standard utilizes the same Plan-Do-Check-Act life cycle that many practitioners are already familiar with from previous implementation standards such as ISO 27001 for Information Security Management Systems. BS 25999 is suitable for any organization, large or small, from any sector. It is particularly relevant for organizations which operate in high risk environments such as finance, telecommunications, transport and the public sector, where the ability to continue operating is paramount for the organization itself and its customers and stakeholders.

20 September 2007

A Defensible Standard of Care: Six Million Reasons...

There are 6,000,000 reasons why Operational Risk at TD Ameritrade is in the Red Zone this week, as a result of what seems to be a case of malicious code discovered last week, or over a year ago.

This author received a recent letter from TD Ameritrade regarding their so-called pseudo-"breach". And we quote:

"While investigating client reports about the industry-wide issue of investment-related SPAM, we recently discovered and eliminated unauthorized code from our systems. This code allowed certain information stored in one of our databases, including email addresses, to be retrieved by an external source."

What is absolutely amazing is the request to visit www.amtd.com for more information, a list of Frequently Asked Questions (FAQs) and an additional message from "me" (the CEO, Joe Moglia). The link to this message requires you to run Windows Media Player for what must be a sincere apology. However, the PR department must not know how many malicious code exploits are associated with .wmv files, nor how many consumers still do not have broadband connections.

But that is not even the most fascinating aspect of this whole incident. The story gets even more disturbing if it is indeed true:

Scott Kamber of Kamber & Associates, a New York law firm that sued Sony BMG last year for its use of a rootkit, told InformationWeek on Monday that the lawsuit initially claimed that Ameritrade knew about the data breach last November. However, he says he now has information that the company knew about the ongoing breach a full year ago.

Kamber, who filed the suit this past May, had recently filed a preliminary injunction asking the court to compel Ameritrade to disclose the data breach and the compromised information to current and prospective customers. The company was given a two-week adjournment and made the public announcement during that recess.

"I am glad customers finally know of the compromise of their personal information," said Kamber. "I'm not pleased it took the company so long to do that."

Hillyer said she could not comment on ongoing litigation but said, "As soon as we discovered it, we stopped it. And as soon as we had gathered enough information, we notified our clients."

Ameritrade notified the FBI and the U.S. Securities and Exchange Commission last week, according to the spokeswoman.

It's apparent that the nexus of Information Security, Digital Forensics, eDiscovery, Legal Risk and Reputation Management has imploded in Bellevue, NE, yet this will not be the last place we hear about this kind of incident. If a rootkit is on a server there, you can be sure that there are others at another broker or investment management firm near you.

Being vigilant about protecting privacy and doing the right thing with customers in the event of a breach has significant legal ramifications, that is for certain. What is less known at this point are the processes and corporate behavior that could be an even greater source of liability for TD Ameritrade. Who, what, how and why is now under investigation and will play out in a courtroom again soon.

The degree to which any firm in the industry is "Litigation Ready", or has adequately prepared for this particular nexus between the elements of Information Security and the Law, will determine the amount of Operational Risk it is potentially exposed to in incidents like this one. How can any firm prepare for an event similar to this?

1. Conduct a Litigation Readiness Audit of the firm.

2. Develop a strategic plan for achieving a "Defensible Standard of Care."

3. Train the stakeholders on Crisis, Command and Control.

4. Implement an early warning data analytics system to preempt potential threats.

Number four on this list pertains to something that is also in the author's letter. "As part of our effort to protect privacy, we have hired ID Analytics, which specializes in identity risk, to investigate and monitor potential identity theft." Let's just hope these guys didn't load up a CD at their shop, handed over to them by TD Ameritrade, with 6,000,000 records of personally identifiable information on it.

14 September 2007

True or false: A large private sector corporation hires outside counsel to investigate an employee suspected of fraud. The outside counsel hires a fraud examiner to look into the facts. The fraud examiner's report to the outside counsel will assist in determining whether a crime has been committed. The report and the communications with the outside counsel are protected, confidential work product and are privileged. If you don't know the answer, read on.

Organizations that realize internal investigations can pose a tremendous risk of litigation are ahead of the Operational Risk Management curve. Being proactive about a prudent strategy for addressing potential internal employee fraud is imperative, especially if you plan to pursue litigation to try to recover the stolen assets.

The two primary areas of emphasis here, for the purpose of determining what information is discoverable, are the attorney-client privilege and the work product doctrine. This Texas case from a Texas Bar Journal article by Derek Lisk illustrates the point:

In yet another case in which one party sought to protect documents from an investigation on privilege grounds, the U.S. District Court for the Eastern District of Texas took a more expansive view of the privilege. In-house counsel for Electronic Data Systems (EDS) hired outside attorneys, who in turn hired a consulting firm, to independently analyze and report on alleged misuse and misappropriation of assets by an EDS employee, Mr. Steingraber. In the ensuing litigation, EDS objected to producing documents from the investigation.

Steingraber, like Seibu Corp., argued that the documents were not privileged “because they were made to facilitate a business decision rather than the rendition of professional legal services.” This court, however, sided with the party seeking to protect the documents, finding Steingraber’s interpretation of the privilege “unduly narrow” and disagreeing with Seibu Corporation to the extent it held otherwise. Among other things, the court said, “The fact that the attorneys may have been hired to facilitate a business decision does not mean that such a decision was devoid of legal consequences.” Because EDS hired the outside lawyers to contribute legal expertise, including contract interpretation, risk evaluation, witness interviews, and evidence evaluation, the communications between them were “for the rendition of legal services.”

The status of H.R. 3013 in the US House of Representatives is unknown as it goes to be debated in committees:

7/12/2007--Introduced.

Attorney-Client Privilege Protection Act of 2007 - Amends the federal criminal code to prohibit any U.S. agent or attorney, in any federal investigation or criminal or civil enforcement matter, from demanding, requesting, or conditioning treatment on the disclosure by an organization (or affiliated person) of any communication protected by the attorney-client privilege or any attorney work product.

Prohibits a U.S. agent or attorney from conditioning a civil or criminal charging decision relating to an organization (or affiliated person) on one or more specified actions, or from using one or more such actions as a factor in determining whether an organization or affiliated person is cooperating with the government.

The question on the table here is how much, as a corporation, do you want to cooperate to prosecute the employee? It may make sense as a corporation to waive some rights to help recover your losses. How you architect a process for engaging outside counsel, independent investigators and fraud examiners in order to mitigate Legal Risk is crucial. The information exchanged, obtained in the process and communicated between parties must be handled correctly, not only to protect the information under the new Federal Rules of Civil Procedure but to ensure the integrity and trust of the information itself.

A Board of Directors that oversees the governance of hundreds or thousands of employees is going to be continuously subjected to corporate malfeasance and white collar crime matters. The rule of law within the halls of the organization must be clear and precise. The mechanisms for the company to cooperate with investigators may make all the difference when an employee creates irreversible economic damage to the enterprise or, even worse, to our national security.

30 August 2007

BSA/AML: Testing the Channel...

Legal compliance with the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) requirements is a complex and growing concern of regulators, enforcement agencies and Operational Risk executives. In the United States, the FFIEC (Federal Financial Institutions Examination Council) has published the latest Examination Manual to provide guidance:

Enterprise-Wide BSA/AML Risk Assessment

Holding companies or lead financial institutions that implement an enterprise-wide BSA/AML compliance program should assess risk both individually within business lines and on a consolidated basis across all activities and legal entities. Aggregating risks on an enterprise-wide basis for larger or more complex organizations may enable an organization to better identify risks and risk exposures within and across specific lines of business or product categories. Consolidated information also assists senior management and the board of directors in understanding and appropriately mitigating risks across the organization. To avoid having an outdated understanding of the BSA/AML risk exposures, the holding company or lead financial institution should continually reassess the organization’s BSA/AML risks and communicate with business units, functions, and legal entities. The identification of a BSA/AML risk or deficiency in one area of business may indicate concerns elsewhere in the organization, which management should identify and control.

When a financial institution utilizes a strategy for its channel or broker network, the goal is to build controls into the consumer application process. These controls help the parent financial institution with compliance issues and give the independent broker or registered investment advisor the tools and mechanisms for risk mitigation. However, to what degree do these independent brokers who interface with the consumer actually understand, implement and comply 100% with BSA/AML laws?

This question may haunt the minds of many Ops Risk professionals as they try to manage the mountain of data and documentation requirements at the home office or processing center. When there are dozens or hundreds of independent brokers in the client acquisition process, your risk exposure increases dramatically. When and how often do you need to audit these important entities in your member or client supply chain?

Independent testing (audit) should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties. While the frequency of audit is not specifically defined in any statute, a sound practice is for the bank to conduct independent testing generally every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank. Banks that do not employ outside auditors or consultants or have internal audit departments may comply with this requirement by using qualified persons who are not involved in the function being tested. The persons conducting the BSA/AML testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors.

Those persons responsible for conducting an objective independent evaluation of the written BSA/AML compliance program should perform testing for specific compliance with the BSA, and evaluate pertinent management information systems (MIS).

This is no surprise to large banks and securities dealers who have been working diligently on these compliance management problems for decades. Whenever an organization deploys a distributed and indirect model for acquiring new consumers, high net worth individuals and other business entities for financial-based products and services, BSA/AML programs should be robust. Individuals who are planning to launder illegally obtained money, or who are part of a fraud scheme, will prey on unsuspecting and naive institutions first. In some cases, it could be an independent broker or business that is the target of a sophisticated and influential individual. They want to find a weak link in the institution's sales channel to gain access to a well known brand and leverage it in their scheme with new victims.

The criminal trial of ex-Refco Inc. Chief Executive Phillip R. Bennett and two other former executives has been postponed until March 2008, according to court transcripts.

During a telephone conference last month, U.S. District Judge Naomi Reice Buchwald delayed the trial of Bennett; Robert C. Trosten, Refco's ex-chief financial officer; and Tone N. Grant, the commodities broker's former president, until March 17. A transcript of the call was released publicly earlier this week.

The case was originally scheduled to go to trial in October.

The men are facing a variety of charges including conspiracy, securities fraud, bank fraud, wire fraud and money laundering.

Late Wednesday, the litigation trusts representing Refco's creditors announced they had sued Thomas H. Lee Partners LP in federal court in Manhattan, alleging the buyout firm uncovered red flags about Refco and its executives before the buyout firm's 2004 purchase of a controlling stake in Refco, but failed to follow up in hopes of profiting from Refco's initial public offering the next year. Lee has denied the claims.

13 August 2007

ESI: Authenticity of Evidence...

Legal opinions on the admissibility of evidence and electronically stored information (ESI) are becoming more prevalent and increasingly relevant to Operational Risk Management:

In Lorraine v. Markel, authentication of information is a key issue in the ruling. Maryland Courts Watcher caught this ruling and our eye recently. "In its 101 page opinion, the court dedicated at least 90 pages to providing extensive and detailed analysis and guidance on the interrelated evidentiary issues governing the admissibility of electronically stored evidence (ESI), including: analysis under Rule 104, relevance under Rule 401, authentication as required by Rule 901(a), effect of hearsay as defined by Rule 801 and any applicable exceptions, consideration of the form of the ESI being offered under the original writing rule and the admissibility of any secondary evidence to prove its content, and the probative value of the ESI considering potential unfair prejudice or one of the other factors identified by Rule 403."

Whether ESI is admissible into evidence is determined by a collection of evidence rules that present themselves like a series of hurdles to be cleared by the proponent of the evidence. Failure to clear any of these evidentiary hurdles means that the evidence will not be admissible. Whenever ESI is offered as evidence, either at trial or in summary judgment, the following evidence rules must be considered: (1) is the ESI relevant as determined by Rule 401 (does it have any tendency to make some fact that is of consequence to the litigation more or less probable than it otherwise would be); (2) if relevant under 401, is it authentic as required by Rule 901(a) (can the proponent show that the ESI is what it purports to be); (3) if the ESI is offered for its substantive truth, is it hearsay as defined by Rule 801, and if so, is it covered by an applicable exception (Rules 803, 804 and 807); (4) is the form of the ESI that is being offered as evidence an original or duplicate under the original writing rule, or if not, is there admissible secondary evidence to prove the content of the ESI (Rules 1001-1008); and (5) is the probative value of the ESI substantially outweighed by the danger of unfair prejudice or one of the other factors identified by Rule 403, such that it should be excluded despite its relevance.

Authenticity and the chain of custody of ESI will continue to be a major challenge for the general counsels of major corporations in the years ahead. Creating and maintaining trusted information throughout the enterprise intersects policy, processes, people and technology. The legal risk associated with non-compliance and missed opportunities is a growing concern in executive management and Board of Directors meetings.

The explosion of information as early as 2001 started a process of discussions on the nexus of information security regarding data integrity and authenticity:

With the explosive growth of data exchange and the availability of access to services over the Web, the Trusted Information requirement is more and more an issue to providers and users of these services. Addressing this security issue, this volume is divided into eleven parts covering the essentials of information security technologies, including application-related topics, and issues relating to application development and deployment:

  • Security Protocols;
  • Smart Card;
  • Network Security and Intrusion Detection;
  • Trusted Platforms;
  • eSociety;
  • TTP Management and PKI;
  • Secure Workflow Environment;
  • Secure Group Communications;
  • Risk Management;
  • Security Policies;
  • Trusted System Design and Management.

Companies like IBM have been talking to clients about trusting their information for decades. However, when the discussion turns to litigation and admitting information stored on hard disks, DVDs, USB thumb drives and the data on your VoIP phone system, it all starts to become more complex than one could ever imagine. That complexity, and the speed at which courts are asking for responsive answers, puts your legal risk in the center of the discussion.

Achieving a Defensible Standard of Care requires more than a savvy outside counsel. It demands an effective CIO, CSO and Records Manager working in combination with the hundreds of law firms you may have retained to address your ongoing litigation.

17 July 2007

4GW: Trusted Information Class Actions...

The SEC is in the middle of a Supreme Court battle, and it has called in the "A" team to assist. Former SEC officials William H. Donaldson, Arthur Levitt and Harvey J. Goldschmid want to expand investors' ability to sue in fraud cases:

The big-money issue has mobilized lawyers who bring class-action lawsuits and the companies and executives they target in one of the most important securities-law issues to reach the Supreme Court in years.

In cases in which fraud-ridden corporations have filed for Chapter 11 bankruptcy protection, investors may not be able to wrest money from the company itself. Lawsuits against business partners and advisers such as accountants and lawyers may present the only rich and viable option for shareholders and plaintiff lawyers, experts said.

What have we learned since Enron? Do we not have a more ethics-based atmosphere at the professional services firms? In the long run, will investors be better off with the ability to sue the advisors of companies as accomplices to wrongdoing? You can bet that if the US Chamber of Commerce has its way, the SEC is in for a real fight on this one.

Some people are behind bars. Some companies are out of business. And the Dow is again at an all-time high, nearing the 14,000 threshold. All of the legislation, class actions and fraud allegations are about one thing. Information. Trusted Information.

A number of trends focused on corporate data continue to distract today's IT departments. Shareholders are clamoring for more transparency as a result of the financial scandals that have shaken confidence in corporate governance around the world. Compliance legislation such as the U.S. Sarbanes-Oxley Act (whose impact is reaching far beyond the U.S.) can result in jail sentences for executives who - even unintentionally - report erroneous information. New privacy laws around the world restrict the use of customer information. Increasing global competition has put pressure on organizations to use their expensive information assets more strategically.

All these issues can be summed up in a single concept: trusted information. Simply accessing data is no longer enough. Today's CEOs, CFOs and knowledge-workers must be able to reliably track the information they use for decisions back to the original source systems in order to ensure its timeliness, accuracy and credibility.

Over the last decade, organizations have invested millions of dollars in systems to collect, store and distribute information more effectively. Despite this, information users at all levels of the organization are often uncomfortable with the quality, reliability and transparency of the information they receive.

Today's organizations rarely have a "single view of the truth." Executives waste time in meetings debating whose figures are correct, rather than what to do about the company's issues. Additionally, they worry about the consequences of making strategic decisions using the wrong information, directly impacting the long-term survival of the organization.

This brief essay by Jeffrey Ritter discusses the compelling forces converging at the beginning of the 21st century that are shaping the need to consider trusted information as a vital asset that should be the priority of any organization:

As the 21st century accelerates, digital devices connected to the Net will continue to be indispensable to modern life. But those devices, and the services provided through them, remain vulnerable to human judgment—the 21st century winners will be those who earn and sustain the trust of those using the devices and the services—whether those are consumers, employees, shareholders, lenders or service providers.

When the law intersects with the validity of information, the corporate battle lines are drawn. Think about how much time and money is spent proving or disproving the integrity of information in a court of law. Those organizations that know they are in the "4th Generation Warfare" (4GW) era will survive only if they can grasp this concept. Fourth Generation Warfare removes the front entirely. Attackers rely on a barrage of information salvos and coordinated incidents to paralyze or erode the adversary's political will, rather than seeking decisive hand-to-hand combat. Does this sound familiar to your General Counsel?

We are not talking about Al Qaeda now. We are talking about the class action "Army" that is forming the strategy and the means to wage unconventional battles against your trusted information. Or is it?

03 July 2007

ECM Security: Trusted Information...

When it comes to Enterprise Content Management (ECM), security is an issue that continues to challenge most vendors. John Newton (Content Log) is in search of topics at AIIM that address the security needs of the marketplace:

  • Common identity. There needs to be a common way of addressing identity between different services whether those services are in the enterprise or outside.
  • Common Models for Rights Management. The big, looming problem in content is the fact that huge numbers of users are adding, accessing or updating an even larger number of pieces of content.
  • Distributed Directory Services. Identity is not sufficient for determining roles or entitlements.
  • Mashup Frameworks for Security. Mashups, the integration of different systems at the browser level, represent the fastest-growing and easiest mechanism to weld systems together. Almost all mashups have no notion of security and only work on public systems.
  • Search and Security. As search becomes increasingly federated, such as through the OpenSearch API, managing identity and entitlements on content becomes very problematic.
Whether John will find the answers is questionable. And that is exactly the issue when it comes to hosting or managing enterprise information. Almost a year ago, before Stellent (SealedMedia) was purchased by Oracle, their survey of 29 CIOs who had invested more than $1M in ECM had these as their top priorities:
The concerns were ranked on a scale of one to eight, eight being the most important.
  1. Guarantee ISO 17799 compliance: 6.03
  2. Protection of intellectual property during offshoring or outsourcing: 5.52
  3. Protection of high- and executive-level communications: 4.79
  4. Improvement of workflow-process automation: 4.41
So what?

If you are an ECM vendor and you only have so many bucks to spend on development of the next generation of your software, what are you going to add and what are you going to fix? So why are numbers one and two so important to CIOs who have invested so much money in their platforms?

Some of the answers can be found in the root cause of their concerns. We found some relevant discussion in a position paper entitled:

W3C Workshop on Transparency and Usability of Web Authentication by Jeffrey Ritter & Said Tabet

Statement of Issues: The conflict between the potential of Web Services and the inadequacy of web authentication is potentially best described as “a failure to communicate”. As enterprises extend and evolve into more dynamic, real-time facilities, central operations require the ability to express their security requirements in greater detail than can be currently enabled. Corporations must define and adhere to increasingly large directories of requirements in the management of their internal security controls; requiring compliance with those controls by participants in the extended enterprise is becoming essential.

Corporate operations increasingly distribute their computing and data processing requirements across a network of third party services, some of which are engaged and employed for controlled, finite sessions. But those third parties, for so long as they are processing data and functioning as part of the operating whole of the primary corporation, are being pressured to demonstrate their adherence to the security controls of their customers. This requirement is an expression of a requirement for trustworthiness—to be engaged as a part of the extended enterprise is to be trusted to perform in compliance with the applicable controls.

An enterprise that is exposed to continuous litigation is evaluating new ways to look at the third parties who manage its information, and this includes law firms. When you hand over management of critical and legally binding information to a third party, trust is a key component of that decision. So how do you know if your law firms and database marketing companies such as Merkle, Inc., or other outsourced service providers, have the trustworthiness to be part of your extended enterprise? The fact is you don't, unless you require the new and existing parts of the information supply chain in your organization to operate as one seamless trusted entity.

The greatest economic risk companies face with electronic discovery is choosing the wrong law firm. Under the new Federal Rules of Civil Procedure, the amounts at stake are not just legal fees or settlement costs; searching for and recovering electronic business records causes productivity losses and threatens revenue. Bottom line: selecting a law firm that is ill-prepared to effectively manage electronic discovery can cost enormously; internal records preservation and production costs are considered one of the largest uncontrolled expenses in corporate America.
So how do you select the right firm?

For corporations, "Evaluating the Electronic Discovery Capabilities of Outside Law Firms: A Model Request for Information and Analysis" provides corporate law departments, records management and IT departments an invaluable tool to ensure that the legal risks of e-discovery are competently addressed by their outside law firms.

Here is a peek at the lineup so far this year from just one government regulator, the SEC.