31 December 2008

2009 Outlook: OPS Risk Top Priorities...

In light of the 2009 outlook and the fact that Operational Risk is now a much greater priority, here are vital areas to focus on for the New Year. As restructuring, downsizing, layoffs and overall corporate strategy and governance initiatives are kicked off for the 2009 calendar year, here are the top priorities according to Peter L. Higgins, Managing Director of OPS Risk advisory firm 1SecureAudit.

"Operational Risk will continue to be a major focus for Boards of Directors in 2009 and for good reason. Governance Strategy Execution, Information and Records Management and Legal Risk are all in need of a critical review and a robust injection of new resources. We are at the beginning of a new "S" curve cycle on the down slope just as we saw in late 2001 post 9/11 and the "Dot Com" era," Higgins said.

"This requires a renewed and substantial commitment to keeping our code of practice guidance and implementation advice narrowly focused on several key areas of the corporate enterprise:"

  • Organizational Security
      • Information Security Infrastructure: Cooperation between organizations
          • Appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators shall be maintained.
  • Asset classification and control
      • Information Classification: Information labelling and handling
          • A set of procedures shall be defined for information labelling and handling in accordance with the classification scheme adopted by the organization.
  • Personnel Security
      • Responding to security incidents and malfunctions: Reporting security weaknesses
          • Users of information services shall be required to note and report any observed or suspected security weaknesses in, or threats to, systems or services.
  • Communications and operations management
      • Operational procedures and responsibilities: External facilities management
          • Prior to using external facilities management services, the risks shall be identified and appropriate controls agreed with the contractor, and incorporated into a contract.
      • Exchanges of information and software: Security of electronic mail
          • A policy for the use of electronic mail shall be developed and controls put in place to reduce security risks created by electronic mail.
  • Access Control
      • Monitoring system access and use: Monitoring system use
          • Procedures for monitoring the use of information processing facilities shall be established and the result of the monitoring activities reviewed regularly.
  • Business Continuity
      • Aspects of Business Continuity Management: Testing, maintaining and re-assessing BCP
          • Business continuity plans shall be tested regularly and maintained by regular reviews to ensure that they are up to date and effective.
  • Compliance
      • Compliance with legal requirements: Collection of evidence
          • Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.

Here are some of the top cases to review for OPS Risk lessons learned in 2008:

01/04/08 - Detroit: Eleven Indictments in International Illegal Spamming and Stock Fraud Scheme - Eleven individuals were indicted in a wide-ranging international fraud scheme which manipulated stock prices through illegal spam e-mail promotions.

02/15/08 - Washington: DOD Employee Arrested in Chinese Espionage Case - Gregg William Bergersen, a Weapons Systems Policy Analyst at the Defense Security Cooperation Agency, Department of Defense, was arrested for passing classified documents to the People’s Republic of China.

02/22/08 - Miami: Five Individuals Indicted for $200 Million Hedge Fund Fraud - Michael Lauer, founder of Lancer Group Hedge Fund, and four others were indicted on conspiracy and wire fraud charges in a $200 million hedge fund fraud.

02/29/08 - Houston: Chinese Chemist Indicted for Theft of Trade Secrets - Qinggui Zeng, aka Jensen Zeng, a legal permanent resident from China, was indicted and charged with theft of trade secrets and computer fraud.

03/14/08 - Cincinnati: Financial Enterprise Executives Found Guilty in $3 Billion Fraud Scheme - Five former executives of National Century Financial Enterprises were found guilty of conspiracy, fraud and money laundering in a $3 billion security fraud scheme.

05/16/08 - Washington: Guilty Plea in Espionage Charge Involving China - Tai Shen Kuo pled guilty to conspiracy to deliver national defense information to the People’s Republic of China.

06/20/08 - Operation Malicious Mortgage Nets 406 Individuals - Charges in Operation Malicious Mortgage, a nationwide takedown of mortgage fraud schemes which inflicted approximately $1 billion in losses, were brought in every region of the country.

10/17/08 - FBI Coordinates Global Effort to Nab “Dark Market” Cyber Criminals - A two-year undercover operation, Dark Market, which joined forces with international law enforcement, resulted in 56 arrests and $70 million in economic loss prevention.

11/28/08 - Dallas: Holy Land Foundation and Leaders Convicted - The Holy Land Foundation of Relief and Development and five of its leaders were found guilty of illegally funneling at least $12 million to the Palestinian terrorist group, Hamas.

12/12/08 - Chicago: Illinois Governor Arrested - Governor Rod R. Blagojevich and his Chief of Staff John Harris were arrested on federal corruption charges, including conspiring to trade or sell the Illinois Senate seat vacated by President-elect Barack Obama.

Beyond the Bernie Madoff fraud scheme that rocked the Hedge Fund universe, the real systemic risks to deal with in 2009 will continue to be tied to the housing and mortgage sector:
  • Recent statistics suggest that escalating foreclosures provide criminals with the opportunity to exploit and defraud vulnerable homeowners seeking financial guidance.
  • Perpetrators are exploiting the home equity line of credit (HELOC) application process to conduct mortgage fraud, check fraud, and potentially money laundering-related activity.
The Operational Risks in corporate enterprises will be increasing as the economy adjusts and finds its new equilibrium. Hang on for a wild ride in 2009!

22 December 2008

Security Governance: Siemens FCPA guilty plea...

One only has to look a few layers deep into the corporate hierarchy to see the root cause of why Siemens AG violated the Foreign Corrupt Practices Act (FCPA).

At a hearing before U.S. District Judge Richard J. Leon in the District of Columbia, Siemens AG pleaded guilty to a two-count information charging criminal violations of the FCPA’s internal controls and books and records provisions. Siemens S.A. - Argentina (Siemens Argentina) pleaded guilty to a one-count information charging conspiracy to violate the books and records provisions of the FCPA. Siemens Bangladesh Limited (Siemens Bangladesh) and Siemens S.A. - Venezuela (Siemens Venezuela) each pleaded guilty to separate one-count informations charging conspiracy to violate the anti-bribery and books and records provisions of the FCPA. As part of the plea agreements, Siemens AG agreed to pay a $448.5 million fine, and Siemens Argentina, Bangladesh, and Venezuela each agreed to pay a $500,000 fine, for a combined total criminal fine of $450 million.

Where the compliance and ethics culture begins to break down, in this example and others, lies within the "Modus Operandi" of the "Deal Makers" themselves. The sales and marketing mechanisms that funded the budgets of front line managers to perpetuate the corruption are to be thoroughly examined. The competitive environment and the "wink and nod" of selling 101 at Siemens has brought the company into the ranks of Enron, Worldcom, and other global transnational corporations soon to be announced for their misdeeds and corporate malfeasance. This NYT article by Siri Schubert and T. Christian Miller highlights the culture factors:


“Bribery was Siemens’s business model,” said Uwe Dolata, the spokesman for the association of federal criminal investigators in Germany. “Siemens had institutionalized corruption.”

Before 1999, bribes were deductible as business expenses under the German tax code, and paying off a foreign official was not a criminal offense. In such an environment, Siemens officials subscribed to a straightforward rule in pursuing business abroad, according to one former executive. They played by local rules.

Inside Siemens, bribes were referred to as “NA” — a German abbreviation for the phrase “nützliche Aufwendungen” which means “useful money.” Siemens bribed wherever executives felt the money was needed, paying off officials not only in countries known for government corruption, like Nigeria, but also in countries with reputations for transparency, like Norway, according to court records.


The line item utilized by business development executives at Siemens to secure business is not exclusive to that company or to Germany. It is utilized by almost every major global corporation to obtain the opportunity to compete and to make the short list on major procurements. So how do internal audit and operational risk professionals deal with the fact that money is budgeted each year for these kinds of activities?

Corporate Integrity Management and the ethics programs are a great place to start. This blog highlighted these in a previous post a few months ago:


Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an "effective program to prevent and detect violations of law."

The Guidelines contain criteria for establishing an "effective compliance program."

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

  • Systems for monitoring and auditing
  • Incident response and reporting
  • Consistent enforcement including disciplinary actions

Yet the corporate incivility continues. Why is it that we can’t pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reason. More importantly, security governance frameworks must make sure that the management of a business or government entity is held accountable for its respective performance. The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A new element that has only recently been recognized is the role of risk management in Security Governance.

Security Governance, like Corporate Governance, requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches. The basic responsibility of management, whether in government or the corporate enterprise, is to protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to Security Governance.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.

15 December 2008

OPS Risk: Tsunami of Fraud...

Just when you think you have avoided the major risk of the credit crisis, HSBC may have been one of many banks exposed to the Bernard Madoff "tsunami of fraud".

Banks and investment funds across the world lined up on Monday to admit investing billions of dollars in the companies of Bernard Madoff, whom U.S. authorities accused of masterminding a massive fraud.

HSBC Holdings was the latest bank to join the growing list, saying it had exposure of around $1 billion (663 million pounds), making it one of the biggest victims of the alleged $50 billion fraud.

Royal Bank of Scotland and Man Group, Japan's Nomura and France's Natixis also said they were hit by the worldwide scandal.

Financial companies, reeling after a year of enormous writedowns on bad credit assets, have so far tallied up more than $10 billion in direct and indirect exposure to the possible fraud by Madoff, the 70-year old trader who was arrested on Thursday.


Last year, HSBC sold its 42-story headquarters tower for $1.1B to Metrovacesa in a smart strategy that has now been extinguished by the likes of a simple and yet enormous Ponzi scheme. A Ponzi is an investment fraud in which profits are promised to investors from fictitious sources. Sounds like a hedge fund. Early investors are paid off with funds raised from later ones. Is there any conservative institution that will be spared from the corporate malfeasance and corruption that has permeated our global systems of finance?

The SEC has issued a temporary restraining order against Madoff and his companies, and the story is drowning out the recent fraud allegations against Marc Dreier:

Dreier was arrested in Canada this month and charged with impersonating a lawyer for the Ontario Teachers Pension Plan. He was released on bail and arrested by U.S. authorities on his return to New York.

Dreier on Dec. 11 was ordered held in custody pending his trial after prosecutors told a federal magistrate that victims of a fraud that started in 2006 have lost $380 million.

If convicted of the securities fraud and wire fraud charges against him, Dreier faces as many as 20 years in prison on each count.

The U.S. Securities and Exchange Commission filed a civil suit against Dreier claiming he stole $38 million from an escrow account set up to hold money for the unsecured creditors of 360networks (USA) Inc., which the firm represented in bankruptcy court.

The movie moguls in Hollywood must be looking at these latest cases to determine if a screenplay might be a worthwhile endeavor. The hundreds of lawyers and other workers impacted by these two incidents alone will no doubt bring out a few who were close enough to the two crooks to be able to provide technical consulting on the projects. The setting in the Hamptons or the Palm Beach Country Club could even bring some real well-known people into the movie picture itself.

Back in May 2008 this blog touched upon the legal ecosystem and the survival of the fittest. Fraud, like other crimes of opportunity, has three common attributes:

  1. A growing supply of motivated offenders
  2. The availability of prospective or ideal targets
  3. The lack of consistent oversight mechanisms—control systems or someone to monitor the business

Beyond the typical motivations for initiating deceptive practices and fraud are the underlying mind sets. "Neutralization" creates the road map for nullifying internal moral objections. The type of fraud is not the issue here as much as the fact that offenders seek to justify or rationalize their actions and methods. The next trend line we will see is the uptick in court filings and the litigation wars for the next few years to come. One fact remains obvious. Organizations large and small will be drawn into these Operational Risk Management challenges without the proper policies, practices and behavior to prevail. In any "legal ecosystem" the phrase "Survival of the Fittest" comes to mind, and this one will be no different.

25 November 2008

QFD: The End of Compliance...

Corporations will continue to be responsible for the criminal behavior and actions of their employees, 3rd party suppliers and other contractors for at least the near term. In a case that has the defense legal eagles and "Usual Suspects" arguing against the corporate liability issue, is the intent getting cloudy, or is it crystal clear?

But in a case now pending before the 2nd U.S. Circuit Court of Appeals, United States v. Ionia Management SA, the defendant corporation, as well as a diverse group of business and legal organizations acting as amici curiae, are asking the court to re-examine what had previously been accepted as black-letter law regarding when a corporation may properly be held vicariously liable for the acts of its employees.

While the defense bar has successfully battled some of the U.S. Justice Department's specific tactics in corporate criminal investigations (such as pressuring companies to waive attorney-client privilege or deny payment of employees' legal fees), this is the first significant direct challenge in recent years to the long-standing doctrine of corporate criminal liability. Their arguments, if accepted by the court, could have far-reaching consequences for the balance of power between the government and the targets of corporate criminal investigations.

Even if the corporate compliance programs are in full force and the financial integrity unit is robust in its efforts, the "Operational Risk" of litigation still exists. How the cases settle or end up in deferred prosecution deals is another subject. Andrew Weissmann is in the precarious position of having been on the other side of the courtroom during the Enron trial. Now, after having moved to the defense, he is feeling the size of the government's power base.


Mr. Weissmann, 50 years old, says he noticed the "glitch" in the law four years ago as a prosecutor when he helped put together deferred-prosecution agreements of Merrill Lynch & Co. and Canadian Imperial Bank of Commerce for their conduct in connection with the Enron collapse. It struck him that the standard for criminal liability might be too low for "companies that work hard to create compliance programs" and yet are still on the hook, he says.


Regardless of the amount of awareness building, education and corporate window dressing, you can't ultimately control human behavior. More compliance enforcement and regulatory pressure may seem to be the answer. A voluntary effort to shore up security and soundness, and to reduce the opportunity for malfeasance in the workplace, may not be working effectively. And still the liabilities remain, with plaintiffs and government adversaries seeking compensation. So what is the answer?

The answer lies in the "Enterprise Architecture" of our institutions and the failure to implement the process of "Quality Function Deployment" (QFD). This has been ignored by senior executives and US business because many judge it to be too complex. One only has to look at the state of our automobile manufacturers versus the likes of Japanese companies to get a sense of the success of incorporating QFD on a comprehensive basis. But now apply this to the culture of an organization and how each individual makes logical business decisions instead of emotion-based decisions.

What many liability issues begin with are the employee(s) who made a bad decision. QFD in its simplest form is a tool to promote communications. Among peers and connected teams within the organization, it provides the methodology to catch errors, omissions and emotional bias early in the process. As an example, let's take the Request for Proposal (RFP). Many companies depend heavily on winning business by responding to RFPs. A "deal maker's" perception of the importance of the RFP determines the effort for the response. Many times, this is influenced by an incentive plan. The human behavior to accept or decline the effort on an RFP, as well as what it takes to push it through the organization for executive sign-offs, is not always compatible with the strategic and quality measures of the enterprise.

Over time this will form an unimaginable amount of moral decay within a company. This leads to bad behavior and unethical decisions that people make because the business environment has rewarded it for far too long. So who is to blame here? The employee, or the culture and company that has condoned and encouraged the behavior that ultimately damaged someone or something?

Implementing QFD in your information-based enterprise could have a dramatic impact on achieving a defensible standard of care by reducing the likelihood of catastrophic emotional decisions. More importantly, QFD programs such as this, which directly reduce the likelihood of bad employee behavior and criminal incidents, can reduce the necessity for invasive compliance programs that most everyone wants to ignore.

14 November 2008

Corporate Counsel: OPS Risk Priorities...

As General Counsel, are you keeping up with the latest technology being deployed in your enterprise? Do any of your employees use Twitter? What about your "Generation Y" and the use of P2P file sharing programs? Does your CxO in charge of Safety, Security, Investigations and Corporate Integrity have the latest report on employee violations of your Information Assurance and Acceptable Use policies?

Unknown to corporate America, the popular peer-to-peer file-sharing networks that allow music and movies to be shared could be sharing something else with the public: company secrets and personal data.

Management-side lawyers are sounding alarms to their corporate clients, warning that peer-to-peer networks are increasingly becoming a gateway for trade secrets, confidential financial information and personal data.


The economy is continually downsizing, employees are now being sent home to work in "Virtual Mode", and Operational Risk loss events are metastasizing. Corporate Counsel and CxOs must provide thorough due diligence, security awareness training and effective annual audits of employees who work from home or may be perpetual "Road Warriors" hopping the globe from hotel to hotel. Why?


In 2007, Citigroup Inc.'s ABN Amro Mortgage Group reported that the personal information, including Social Security numbers, of more than 5,000 customers was leaked when a business analyst signed up to use a P2P file-sharing service on a home computer containing the personal information.


If you are a General Counsel and your organization is authorizing the use of encryption on laptops, or the use of personal social networking sites or systems, it's imperative to pay attention to how they are applied. Encryption can keep data secure in the event of a breach or a lost digital asset. It can also be used to cloak fraudulent or criminal activities:


In an expanding probe of investment giant UBS, the Justice Department on Wednesday announced the indictment of the Swiss bank's chairman of global wealth management, accusing him of playing a key role in a tax evasion scheme to shelter secret U.S. account holders from income tax bills and drive up bank revenue.

Raoul Weil, who oversaw the Swiss bank's cross-border private banking business serving 20,000 U.S. clients, helped conceal a combined $20 billion in assets from the Internal Revenue Service, the indictment charged.

"Prosecutors said the executives and managers used nominee entities, encrypted laptops, numbered accounts and other counter-surveillance techniques to conceal their U.S. clients and offshore assets."

"If the company policy is written correctly, employees have no privacy interest in any materials created or accessed on company computers. With such a policy in place, an employer generally can review with impunity an employee's activities on the company's computer system."


Whether information is discoverable is going to be a different matter. A careful review of most social networking sites' privacy policies will most likely reveal that posted information is not private, and therefore discoverable. Therefore, effective legal and IT security awareness programs and education are essential in any enterprise where employees are working remotely.

The modern-day General Counsel must rely on the Chief Privacy Officer working diligently with the Chief Security Officer and the Chief Compliance Officer to mitigate Legal Risk. The convergence of these responsibilities lies more with the Chief Operational Risk Officer, who sees that all parties are synchronous in their strategies and efforts. They may be the best person to ensure the entire spectrum of operational risks is being thoroughly addressed.

22 October 2008

EESA: Oversight & Legal Filings...

What is on the mind of GCs in the United States and United Kingdom? What are they saying about the costs of litigation, labor and employment, the financial/subprime crisis, regulatory investigations and FCPA, e-discovery preparedness and patent infringement claims? A Fulbright & Jaworski survey, now in its fifth year, gets the answers from 350 senior-level executives.

Lawsuit fears also vary across the United States: California companies have qualms about employment cases; Northeastern companies worry about environmental cases; and Southern companies expressed concern about class actions and products liability lawsuits.

The survey responses indicate that lawsuits filings ultimately vary by industry.

During the past year, two-thirds of insurance companies reported at least six new lawsuits, followed by 55 percent of retail companies.

Manufacturing companies were the third most sued industry, with 54 percent facing six new claims. Health care providers followed closely behind with 52 percent reporting a half dozen new cases.

Two industries were far less likely to face multiple lawsuits in one year.

Thirty-seven percent of financial services companies reported six new lawsuits compared with 30 percent of technology firms.


Somehow we think the financial services companies are going to see a large spike in the next nine months. The SOX cases will be tested and there will be a few that won't get settled. The outcomes will set the precedent for Corporate Governance related suits for years to come.

Keep an "eye" on this one. Part of the new EESA legislation will include some kind of IG and oversight. This will be keeping the legal teams busy:

7) Compliance: The law establishes important oversight and compliance structures, including establishing an Oversight Board, on-site participation of the General Accounting Office and the creation of a Special Inspector General, with thorough reporting requirements. We welcome this oversight and have a team focused on making sure we get it right.

The Special Inspector General's purpose is to monitor, audit and investigate the activities of the Treasury in the administration of the program, and report findings to Congress every quarter.


The "TARP" Inspector will have their hands full, and since they are appointed by the President, you can be sure that they will not be too partisan.

17 October 2008

A few years ago there was an anonymous posting on CSO Online about "Doing the Right Thing". It could only be about the rules and policies set down by the ethics committee. Right?

"Directors and executives now must take an active leadership role for the content and operation of compliance and ethics programs," the U.S. Sentencing Commission's statement reads in part. "Companies that seek reduced criminal fines now must demonstrate that they have identified areas of risk where criminal violations may occur, trained high-level officials as well as employees in relevant legal standards and obligations, and given their compliance officers sufficient authority and resources to carry out their responsibilities."

The commission notably adds: "If companies hope to mitigate criminal fines and penalties, they must also promote an organizational culture that encourages a commitment to compliance with the law and ethical conduct by exercising due diligence in meeting the criteria."


Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an "effective program to prevent and detect violations of law."

The Guidelines contain criteria for establishing an "effective compliance program."

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

  • Systems for monitoring and auditing
  • Incident response and reporting
  • Consistent enforcement including disciplinary actions

Yet the corporate incivility continues. Why is it that we can’t pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Here lies the question many Boards of Directors are scratching their heads about these days. How can we avoid these ethical and legal dilemmas, and how can they be addressed without creating a state of fear and panic?

That’s when we really learned that this game of business is just about the human factors. It’s really not about the controls, the monitoring or even the awareness programs. It’s about being a model manager, and a model human being.

The odds are it will be the human factors that are going to be what gets you on the steps of the local federal building. And it all comes back to good old-fashioned management 101.

As indicated, the great manager can impact the lives of tens or hundreds of people in your company. Conversely, the uncivil manager can wreak havoc with a similar number of lives. The position of management is ever so powerful in influencing those around them.

Your company wide compliance initiative has the elements that provide guidance for creating a program that the government is likely to look favorably upon. The problem is that these same criteria inadvertently communicate the message that implies building a program based on this formula is enough. It isn’t.

07 October 2008

FCPA: 21st Century Investigations...

Intellectual property theft, corporate espionage, transnational economic crime and the Foreign Corrupt Practices Act (FCPA) are on a collision course with international 21st Century investigators. These new-age professionals, who were almost born with a keyboard or PDA in hand, remain ever vigilant.

The use of third parties, offshore banking and other avoidance mechanisms such as Black Market Peso Exchange (BMPE) increases the potential for theft, corruption and abuse buried in global commerce using the Internet Protocol (IP).

The FCPA prohibits corrupt payments through intermediaries. It is unlawful to make a payment to a third party, while knowing that all or a portion of the payment will go directly or indirectly to a foreign official. The term "knowing" includes conscious disregard and deliberate ignorance. The elements of an offense are essentially the same as described above, except that in this case the "recipient" is the intermediary who is making the payment to the requisite "foreign official."

Intermediaries may include joint venture partners or agents. To avoid being held liable for corrupt third party payments, U.S. companies are encouraged to exercise due diligence and to take all necessary precautions to ensure that they have formed a business relationship with reputable and qualified partners and representatives. Such due diligence may include investigating potential foreign representatives and joint venture partners to determine if they are in fact qualified for the position, whether they have personal or professional ties to the government, the number and reputation of their clientele, and their reputation with the U.S. Embassy or Consulate and with local bankers, clients, and other business associates. In addition, in negotiating a business relationship, the U.S. firm should be aware of so-called "red flags," i.e., unusual payment patterns or financial arrangements, a history of corruption in the country, a refusal by the foreign joint venture partner or representative to provide a certification that it will not take any action in furtherance of an unlawful offer, promise, or payment to a foreign public official and not take any act that would cause the U.S. firm to be in violation of the FCPA, unusually high commissions, lack of transparency in expenses and accounting records, apparent lack of qualifications or resources on the part of the joint venture partner or representative to perform the services offered, and whether the joint venture partner or representative has been recommended by an official of the potential governmental customer.


Digital fingerprints and technology have changed the way we manage and store information, just as they have changed the way cases are developed and presented to juries who now understand the evidence. Organizations operating on a global scale with branch offices in London, Frankfurt, Mumbai, Hong Kong and Shanghai are continually exposed to operational risks from rogue employee behavior in the normal course of doing business in country. The legal matrix of risk exposures is magnified by Internet commerce, privacy, intellectual property and transnational policing.

In the recent "2008 Report to the Nation on Occupational Fraud and Abuse" by the ACFE, the Banking / Financial Services industry group suffered the highest frequency of losses:

  • # of Cases - 132
  • % of Cases - 14.6%
  • Median Loss - $250,000.00

Corruption was the most frequent scheme type, appearing in 33.3% of banking cases. Government had 106 cases, 26.4% of them involving corruption. The telecommunications sector had the highest median loss, $800,000.00, from only 16 reported cases. Healthcare had 76 fraud cases, 26.3% of them involving corruption.

In all cases the digital trail is there for forensic professionals to track, trace and assemble the history and chronology of events. Unfortunately for the prosecution and the plaintiffs, there is a tremendous backlog in the collection and analysis of this modern-day CSI work. Independence and expertise are the key elements of getting your favorable day in court. Judges and juries are far more educated on the new Federal Rules of Evidence and Civil Procedure. Lawyers are utilizing the eDiscovery threat to force premature settlements. Meanwhile, the digital evidence continues to be collected, imaged and stored for analysis, waiting its day in court.

21st Century investigators combine digital forensic certifications and training with years of education and experience. Their only priority is managing the legal risk to the institution and to those who have been implicated, by achieving a defensible standard of care. Judging the evidence is neither their interest nor their objective. Ensuring that the relevant information is soundly collected, preserved and presented without spoliation or prejudice is the primary mission.

08 September 2008

A Perfect Storm: OPS Risk & The Asian Factor...

The forensic professionals have been busy at Freddie Mac and Fannie Mae over the past six months, and we are only looking at the tip of the iceberg. The results are in and Uncle Sam (US) is now adopting them in order to try to achieve new corporate governance and operational risk management objectives. The "Asian Factor" is a major influence in this decision.

The historic announcement has been well received by some of the institutions and Asian countries that were heavily invested in the US mortgage backed securities market. In Hong Kong, HSBC soared 4.5 percent and No.1 China lender ICBC rose 4.7 percent in trading.

Asian stock markets soared Monday after Washington announced a bailout of mortgage giants Fannie Mae and Freddie Mac — a move that could help bolster a shaky U.S. housing market and renew global investor confidence.

The initial relief will give some the feeling that the worst is over, and that is not the case. The Operational Risks associated with these events have now increased exponentially as new people take over and existing people jump off the sinking ship. The attrition in manpower alone will create new threats from within these organizations, if only in the form of errors and omissions.

And now let the litigation begin:

A shareholder is suing five banks, claiming they did not warn her or other investors about a proposed accounting-rule change that lowered the value of Fannie Mae stocks she bought, Bloomberg News reported.

The proposed rule is FAS 140, the accounting standard that specifies the conditions for keeping securitized assets off the balance sheet. If the proposal is issued in its current form and takes effect in November 2009 as expected, it could force companies like Fannie Mae to bring some special-purpose entities back on their balance sheet.

Plaintiff Karen Orkin, who bought 600 shares of class B Fannie Mae shares, filed the suit in New York State Supreme Court in Manhattan this week as a proposed class action, according to Bloomberg. The complaint reportedly says 89 million shares of the stock were sold, and the share price sank by 44 percent in value in four months.

The five banks — Citigroup, Merrill Lynch, Wachovia, Morgan Stanley, and UBS — formed a syndicate to underwrite the stocks. Wachovia, Morgan Stanley, and UBS declined to comment on the suit.

The lawyers and the accountants are circling the feeding frenzy, looking for new opportunities to cash in on the next phase of the sub-prime mortgage crisis. And they are not the only firms gearing up for the courtroom drama in the months and years to come. FTI, LECG and eDiscovery firms such as Encore are creating specialty units to focus on the growing number of lawsuits that result from the tremendous fraud allegations:

The fact that numerous government entities are involved puts a high premium on the use of sound electronic discovery processes, chain of custody and especially forensic expertise. “What may start as a broad-based investigation by the SEC could quickly evolve into a complex web of related cases,” said Hemanth Salem, Encore’s Vice President of Professional Services and member of the Subprime Services Unit. “For example, the discovery process must factor in that an investigation could quickly expand to include 10b-5 and derivative cases, ERISA ‘stock-drop’ cases, fraud or negligence claims revolving around slack underwriting standards, lack of appropriate internal accounting controls and failure to disclose exposure to risk in MBSs and CDOs.”

As the markets stabilize and the new corporate governance takes hold at institutions across the globe, take a minute to consider the real interdependencies. Operational Risk is directly tied to the sophistication of our systems, software and algorithms that make up the very DNA of our financial trading infrastructure. Add to this the complexity of people, cultures and their behavior when emotions of fear, greed and even revenge come into play. Welcome to the "Perfect Storm" of Global Enterprise Risk Management.

02 September 2008

EDD Overload: Modern Incident Response...

Remote Digital Forensics is quickly maturing into a vast science that requires a sound combination of both legal and technical expertise. The EDD process has been helpful in educating the marketplace about the industry and the steps necessary for a complete and thorough eDiscovery review. However, relevancy and precision are highlighted here by Richard Bejtlich:

Why copy a 2-terabyte RAID array on a server if cursory analysis reveals that a small set of files provides all of the necessary evidence to make a sound case? Expect greater use of "remote previews" during incident response and select retrieval of important files for forensic analysis.

In addition to focusing on just the material that matters, modern incident response and forensic processes are more rapid and effective than historical methods. When hard drives were 40MB in size, it was feasible for a moderately skilled investigator to fairly thoroughly examine all of the relevant data for signs of wrongdoing. With today's volume of malicious activity, hard drive size, and efforts to evade investigators (counter- and anti-forensics, for example), live response with selective retrieval and review are powerful techniques.


The explosion of ESI and EDD related businesses is creating confusion and fear in the marketplace. Corporate counsel is working with outside law firms to get a better understanding of their specific competencies in the processing and analysis of electronically stored information that is relevant to the case. The question remains: are they looking at everything instead of what is material to the case, thus driving up the costs of litigation and the billable hours?

The Federal Rule of Evidence 502 takes effect in a few months (December 1, 2008) and will address part of the problem.

The nexus is managing information that becomes discoverable because it travelled by e-mail from Party A to Party B on the employer's internal mail system and then onward to third parties outside the organization, including outside counsel. How can an organization make sense of it all and keep the GC from pointing fingers at the CIO?

The answer begins with building awareness and education among all employees in the organization, not just the legal staff and IT. It begins the moment any employee opens a Word document or Excel spreadsheet, the second you reply to that IM or e-mail on your PDA. Only through effective education and policy management will the enterprise learn how to modify behavior, regardless of what tools and systems are put in place to organize, sort and query ESI.
"Whether building the castle walls or defending the crown jewels, knowing the right questions can make all of the difference."

The beginning of your educational journey starts here: CastleQuest

11 August 2008

ESI: Federal Civil eDiscovery...

Operational Risk factors for the City of San Francisco have spiked now that the District Attorney's office has released usernames and passwords for the city's internal VPN in public court documents.

The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's virtual private network. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case of Terry Childs, who is accused of holding the city's network hostage by refusing to give up administrative networking passwords. Childs was arrested July 12 on charges of computer tampering and is being held in the county jail.

Mr. Childs is a good example of the "Insider Threat" that any savvy CSO has on their mind today. As a result of the case evidence being gathered and the eDiscovery involved in proving the case in court, the City of San Francisco now has additional exposures. It is a system administration nightmare unless the city has already implemented controls such as multi-factor authentication on the VPN and encryption of sensitive personally identifiable information or classified data, and even then every credential that appeared in the exhibit has to be treated as compromised and reset.

Childs faces four felony counts of computer network tampering and one penal-code violation for causing losses in excess of $200,000. He has pleaded not guilty but remains in custody in lieu of $5 million bail.

The ordeal has spurred the city's IT department to bolster network oversight and to consider hiring outside auditors to monitor a security upgrade. City officials also will review all access to its FiberWAN network, the hub through which payroll, e-mail and criminal files flow.

It has also persuaded other cities to scrutinize their own systems.


As more cases like this one enter our legal system, it is imperative that attorneys for both the plaintiff and the defense realize the implications of their search for justice. The identities of people who may be witnesses in an upcoming trial are as sensitive as the IDs and login credentials of city employees and officials. As these types of cases become more prevalent, there will be new procedures and controls invoked by judges who have learned their lessons about releasing sensitive information such as network passwords into the public record.

So What! What does Operational Risk have to do with a criminal case? What would eDiscovery have to do with this? Where do you think they got all of these passwords? Inside a paper notebook sitting on a shelf?
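The control that would have kept those credentials out of Exhibit A is a scan of every filing for login secrets before it leaves the building. What follows is an added example, not code from the original post or from the City of San Francisco: the exhibit text, account names and passwords in it are constructed, and the regular expressions are assumptions about how credentials tend to appear in an administrator's declaration.

```python
# Added example (not from the original post or the City of San Francisco): a
# pre-filing scan that flags login secrets in a document and produces a redacted
# copy. The exhibit text, account names and passwords below are constructed.
import re

# Each pattern names a 'secret' group (what gets redacted) and optionally a 'user' group.
CREDENTIAL_PATTERNS = [
    # "user: jsmith  password: Summer08!" style pairs
    re.compile(r"(?i)\b(?:user(?:name)?|login|account)\s*[:=]\s*(?P<user>\S+)[\s,;]+"
               r"(?:pass(?:word|wd)?|pw)\s*[:=]\s*(?P<secret>\S+)"),
    # a bare "password: ..." / "pwd=..." / "passphrase: ..."
    re.compile(r"(?i)\b(?:pass(?:word|wd|phrase)?|pw|secret)\s*[:=]\s*(?P<secret>\S+)"),
    # credentials embedded in a URL: scheme://user:secret@host
    re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://(?P<user>[^:/\s@]+):(?P<secret>[^@\s]+)@"),
]

REDACTION = "[REDACTED]"


def _secret_spans(line):
    """Map (start, end) of each secret on the line to the username seen with it, if any."""
    spans = {}
    for pat in CREDENTIAL_PATTERNS:
        for m in pat.finditer(line):
            span = m.span("secret")
            user = m.groupdict().get("user")
            if spans.get(span) is None:  # keep a username found by an earlier pattern
                spans[span] = user
    return spans


def _redact_line(line, spans):
    for start, end in sorted(spans, reverse=True):  # right to left keeps offsets valid
        line = line[:start] + REDACTION + line[end:]
    return line


def scan(text):
    """Return one finding per line that carries a credential: the 1-based line
    number, the usernames seen on it, and how the line reads once redacted."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        spans = _secret_spans(line)
        if spans:
            findings.append({"line": n,
                             "users": sorted(u for u in spans.values() if u),
                             "redacted": _redact_line(line, spans)})
    return findings


def redact(text):
    """The copy that is safe to file: every detected secret replaced."""
    return "\n".join(_redact_line(l, _secret_spans(l)) for l in text.splitlines())


# Constructed sample of what a network-administrator declaration might contain.
SAMPLE_EXHIBIT = """\
EXHIBIT A - Declaration of Network Administrator (constructed sample)
1. The following accounts were configured on the department VPN concentrator:
   user: rjones   password: W1nter!2008
   user: mlee     password: P@ssw0rd
2. The nightly backup job connects with sftp://svc_backup:Tr0ub4dor&3@backup.example.gov/
3. Defense counsel argued that the password policy was inadequate.
4. Bail is set at $5,000,000.
"""
```

The scanner errs toward over-flagging: anything following `password:`, `pwd=` or the like, and anything in the secret position of a `scheme://user:secret@host` URL, is reported for a human to review. Usernames are listed in the findings but left in place so counsel can decide whether they are sensitive in context, and `redact()` produces the copy that is safe to file. Run it over the exported text of a filing before it is submitted, not after.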

In a case that did not receive a lot of publicity, the Court in United States v. O'Keefe, 537 F. Supp. 2d 14, 18-19 (D.D.C. 2008) applied the federal civil eDiscovery amendments to a federal criminal case. This was a significant decision in that DOJ's federal prosecutors (over 4,000), defense counsel, and others now have some guidance from a federal magistrate regarding ESI in the criminal area. The Court stated:

In criminal cases, there is unfortunately no rule to which the courts can look for guidance in determining whether the production of documents by the government has been in a form or format that is appropriate. This may be because the "big paper" case is the exception rather than the rule in criminal cases. Be that as it may, Rule 34 of the Federal Rules of Civil Procedure speaks specifically to the form of production.

The Federal Rules of Civil Procedure in their present form are the product of nearly 70 years of use and have been consistently amended by advisory committees consisting of judges, practitioners, and distinguished academics to meet perceived deficiencies. It is foolish to disregard them merely because this is a criminal case, particularly where, as is the case here, it is far better to use these rules than to reinvent the wheel when the production of documents in criminal and civil cases raises the same problems.

28 July 2008

ESI Risk: Seizing Electronic Evidence...

In this issue of Board Member Magazine, Lisa Ferri reminds us of the risk that electronic evidence poses.

If the only thing better than learning from your mistakes is learning from the mistakes of others, then directors need to take a lesson from Philip Morris. A few years ago the tobacco giant was slapped with a $2.75 million fine by a federal court. The offense? Wrongful destruction of e-mails, otherwise known in legal circles as spoliation of evidence. The court found that at least 11 Philip Morris executives “at the highest corporate level” were guilty of violating a court order concerning document retention. In other words, they purged and paid the price.

United States of America v. Philip Morris USA Inc., et al. is a cautionary tale of the problems awaiting companies that are either unaware of or unprepared for the world of electronic evidence. The rules governing that world are evolving at warp speed.


In the United States, does an employer need an employee's permission to seize a workplace computer for electronic evidence? To be more informed about this procedure and its legal implications in your enterprise, see CCIPS.

Warrantless workplace searches occur often in computer cases and raise unusually complicated legal issues. The starting place for such analysis is the Supreme Court's complex decision in O'Connor v. Ortega, 480 U.S. 709 (1987). Under O'Connor, the legality of warrantless workplace searches depends on often-subtle factual distinctions such as whether the workplace is public sector or private sector, whether employment policies exist that authorize a search, and whether the search is work-related.


Your compliance or legal office can provide you with guidance for any employee who is suspected of violating company policies with regard to computer crime or theft of confidential information or intellectual property. The question remains: what policy is in existence today, and what methods have been utilized for full disclosure to employees that may impact their rights of privacy on the job?

For more help on this subject see: Best Practices for Seizing Electronic Evidence.

Just remember, forensics and the gathering of electronic evidence in a criminal matter are in tension with your recovery. Once a violation has occurred, you can make changes, clean up the problem and get back to normal, or you can preserve the crime scene for evidence. Unless the affected systems are imaged and hashed before anyone touches them, it is one or the other, and trying to do both at once on the live system is when you run into problems. Document retention strategies in combination with Forensic Digital Discovery procedures are critical to any organization that cares to mitigate the ongoing risks of electronic evidence.
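As an added example that serves both the "remote preview" and selective-retrieval point quoted in the EDD Overload post above and the preserve-before-recover point of this post: the script below picks out only the files of interest from a tree instead of imaging the whole volume, copies them to an evidence location, records SHA-256 hashes and collection details in a manifest whose own hash is recorded, and re-verifies the collection later so that any spoliation shows up. It is not code from the original post; the directory layout, file names, examiner name and glob patterns are constructed for the demonstration.

```python
# Added example (not from the original post): selective collection of files of
# interest plus a SHA-256 manifest, so what was taken can later be shown to be
# unchanged. The sample tree, names and glob patterns below are constructed.
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256; chunked so large files never sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def select_files(root, patterns, newer_than=None):
    """The 'preview' step: only files matching the glob patterns (and, if given,
    modified after the Unix timestamp newer_than) instead of the whole volume."""
    picked = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or not any(p.match(pat) for pat in patterns):
            continue
        if newer_than is not None and p.stat().st_mtime < newer_than:
            continue
        picked.append(p)
    return sorted(picked)


def _body_hash(manifest):
    """Hash of the manifest with its own hash field left out."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def collect(root, dest, patterns, examiner, newer_than=None):
    """Copy selected files under root to dest, hash each before and after the
    copy, and write dest/MANIFEST.json recording who took what and when."""
    root, dest = Path(root), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    items = []
    for src in select_files(root, patterns, newer_than):
        rel = src.relative_to(root)
        out = dest / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        before = sha256_file(src)
        shutil.copy2(src, out)  # copy2 carries the source timestamps across
        if sha256_file(out) != before:
            raise RuntimeError(f"copy of {rel} does not match its source")
        st = src.stat()
        items.append({"path": rel.as_posix(), "size": st.st_size,
                      "mtime": st.st_mtime, "sha256": before})
    manifest = {"examiner": examiner, "source_root": str(root),
                "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "items": items}
    manifest["manifest_sha256"] = _body_hash(manifest)  # edits to the manifest show up too
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(dest):
    """Re-hash the collection against MANIFEST.json. Returns a list of problems;
    an empty list means the evidence is exactly as collected."""
    dest = Path(dest)
    manifest = json.loads((dest / "MANIFEST.json").read_text())
    problems = []
    if _body_hash(manifest) != manifest.get("manifest_sha256"):
        problems.append("MANIFEST.json has been altered")
    for item in manifest["items"]:
        f = dest / item["path"]
        if not f.is_file():
            problems.append(f"missing: {item['path']}")
        elif sha256_file(f) != item["sha256"]:
            problems.append(f"hash mismatch: {item['path']}")
    return problems


def demo():
    """Constructed scenario: collect only mailbox and spreadsheet files from a
    fake file server, verify, then alter one copy and verify again."""
    work = Path(tempfile.mkdtemp())
    src, dst = work / "fileserver", work / "evidence"
    (src / "finance").mkdir(parents=True)
    (src / "finance" / "q3_appraisals.xlsx").write_bytes(b"constructed spreadsheet bytes")
    (src / "finance" / "notes.txt").write_bytes(b"constructed, out of scope")
    (src / "mail.pst").write_bytes(b"constructed mailbox bytes")
    (src / "setup.exe").write_bytes(b"constructed, out of scope")
    manifest = collect(src, dst, ["*.pst", "*.xlsx"], examiner="J. Doe, CCE")
    clean = verify(dst)
    (dst / "mail.pst").write_bytes(b"constructed mailbox bytes, edited")  # simulated spoliation
    tampered = verify(dst)
    return manifest, clean, tampered
```

`collect()` copies with `shutil.copy2` so timestamps survive, refuses to record a copy whose hash differs from its source, and writes MANIFEST.json; `verify()` is what you run before the evidence goes to opposing counsel or to the stand. A real collection would add a write blocker or read-only mount for the source and a witnessed signature on the manifest, which this example does not attempt.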

01 July 2008

Directors Q & A: Outside Counsel Risk...

Every Board Member needs to ask "Six Legal Questions" of corporate management because the answers will help you determine what law firms your company should fire, or even consider hiring. This special report by Randy Myers in Corporate Board Member highlights the Operational Risk of litigation and whether you are prepared for offense, defense and the next reputation scandal:

  1. How well do our outside law firms know our business?
  2. Are we prepared to handle litigation against us in the best way?
  3. Under what circumstances should we consider suing another company?
  4. When should we use a big law firm? When are we better off with a small one?
  5. What clues can tell us if our outside lawyers are no longer right for us?
  6. How well will we stand up to scrutiny?

We have to highlight the commentary on #6 (H. Rodgin Cohen, partner and chairman of New York City-based Sullivan & Cromwell LLP):

Directors must let the compliance office and general counsel know that they are to be informed anytime the company is put under investigation, Cohen says; government regulators and prosecutors expect the board to take a role in such matters. Having a clear policy in place is critical, says attorney Matthew Powers.

There is no cookbook recipe to prepare a company for an investigation. But what directors have to do, says Cohen, is approach any such inquiry with the understanding that in today’s environment, with laws and regulations being rigorously enforced, fighting a government investigation is almost always a bad idea. Companies must be seen as cooperative, he says, which means that they must conduct thorough investigations of their own when alerted to potential wrongdoing and provide the government with whatever it requests. If problems are uncovered, they should move quickly to take remedial action, implement policies and procedures to prevent further troubles, and penalize the people responsible. “If the company fails to take action,” Cohen warns, “it must expect that it will receive harsher punishment.”

He says it makes sense to report suspected violations of the law voluntarily when an internal examination uncovers them. “You’re really rolling the dice if you don’t, because if the government later finds out, it will have no confidence in you. And remember, the government has two ways to find out—on its own or from someone inside the company.” If the government decides it needs to find out on its own, he says, any penalties are likely to be much more painful.


Firing your long-time outside firm is not easy, and like any third party supplier who has been embedded for years or decades, "Breaking Up is Hard to Do." It is every Corporate General Counsel's greatest fear. Have you ever received advice that the negative results of an internal investigation need to be buried, hushed up or, even worse, ignored in hopes that nothing will happen?

Corporate Governance is taking on a new resonance in a politically charged election year here in the United States. The Democrats are gearing up for more oversight, investigation and compliance laws focused on areas that the Republicans have been slow to scrutinize. Laws that have been gathering momentum on Capitol Hill are targeting some of the industry sectors that have benefited the most from the Defense Industrial Base windfall.

In a global survey by Fulbright & Jaworski LLP, 40% of US companies had at least one lawsuit with $20M or more at risk, 60% had one or more plaintiff class actions pending, and 36% said that government regulators have stepped up their visits.

So if you are on the Board of Directors and you want to be proactive on the upcoming front for litigation, where do you look? The Accounting department. Sales and Marketing. Information Technology. Legal Department. The easy answer may be, who has the most laptops? Brian Krebs talks about the Data Breach problem from The Washington Post blog:

The San Diego-based Identity Theft Resource Center tracked 342 data breach reports from Jan. 1 to June 27. Nearly 37 percent of reports came from businesses -- an increase from almost 29 percent last year.

Data breach reports from health care providers (14.9 percent of the total) and banks (10 percent) continued to rise, while the share of breaches from educational institutions (21.3 percent of the total) government entities and the military (17 percent) declined for the third year in a row, the ITRC found.

Hacking was the least-cited cause of data breaches in the first six months of 2008 (11.7 percent of the total). Instead, lost or stolen laptops and other digital storage media remain the most frequently cited cause of data breaches, accounting for more than 20 percent of all reported cases, the ITRC found. The inadvertent posting of personal and financial data online prompted roughly 15 percent of the data breach disclosures.

The nexus of data, plaintiff law suits and your outside counsel (3rd party suppliers) will be the Board of Directors #1 priority in the next few years. This is the vortex of Operational Risk in the 21st century.

18 June 2008

ESI: The Economics of Litigation...

The operational risk and complexity of eDiscovery is increasing and the economic impacts are becoming a Board Room topic of debate. This study from RAND by James N. Dertouzos, Nicholas M. Pace, and Robert H. Anderson opens up some of the serious implications of Electronically Stored Information (ESI) as it pertains to this research:

Business litigants display a mix of optimism and concern about the impact of the new federal rules on e-discovery that went into effect in December 2006. To some extent, the balkanization that marked federal decisions in this area is likely to be reduced, but the core concerns over uncertainty about what are reasonable steps to take in advance of and during litigation remain. Thus, it is apparent that further clarification and development of e-discovery rules that promote efficiency and equity for both defendants and plaintiffs are required. For example, the new federal rules require early and full disclosure of IT systems, but interviewees noted that many lawyers are unfamiliar with the modern and continuously evolving hardware, applications, and internal record-keeping practices of their clients. Lawyers risk significant sanctions for failing to properly carry out e-discovery duties that they may not be equipped to handle. Even technologically savvy attorneys voiced concerns that providing opposing parties with detailed IT “roadmaps” as envisioned under the new rules would lead to discovery demands designed solely to drive up costs. And as corporate clients increasingly move toward internalizing collection, review, and production tasks in order to limit litigation costs, their outside counsel may find themselves with reduced control over the process but nevertheless still vulnerable to sanctions.

Lawyers who are modernizing their document review are partnering with new boutique firms that have the tools and the technology subject-matter expertise. However, these efforts may be increasing the cost of litigation to corporate clients even as automation and outsourcing improve the review for relevancy, because the lawyers are still charging their clients for manual review by associates who bill by the hour, in most cases in excess of $300/hr.

eDiscovery and the costs and benefits of litigation are a constant dialogue on the golf course, the skybox and the private rooms of fine dining in New York, Washington, DC and most major metro areas. The reason has to do with the "Mathematics of Litigation".

The previous discussion makes it clear that e-discovery, by changing costs, creating new risks, and altering the flow of information, could alter litigant incentives to file suit, settle cases, and go to trial. For example, several interviewees claimed that the significant burdens of e-discovery outweighed the benefits of going to trial, especially in low-stakes cases. Thus, they were fearful of an increase in lawsuits of questionable merit in which defendants would settle rather than incur the costs of discovery. Viewed from another perspective, plaintiffs may choose to settle cheaply, dismiss their own cases, request less, or refrain from filing in the first place if their own costs of discovery (whether as producer or requestor) overwhelm the value of their claims.

The trend line for eDiscovery is clear. Corporations are bringing the eDiscovery mechanism in-house and integrating the legal department with savvy staff in the IT ranks. Outside counsel will remain a key aspect of the litigation process but are quickly being asked to take more traditional roles in the case. Outsourcing the automation tasks to the law firm will only increase the complexity and the potential liability of ESI-related episodes or incidents.

08 May 2008

Legal Ecosystem: Survival of the Fittest...

The life cycle of monetary policy and financial fraud is being mapped once again in concert with new investigations into corporate malfeasance. As economic trends run their systemic course so do the highs and lows of human behavior to create new schemes to defraud customers, partners and even fellow employees.

Prosecutors in the Eastern District of New York in Brooklyn are stepping up their scrutiny of players in the subprime-mortgage crisis, focusing on Wall Street firms and mortgage lenders, the Wall Street Journal said on its Web site.

A task force of federal, state and local agencies will look into potential crimes ranging from mortgage fraud by brokers to securities fraud, insider trading and accounting fraud, the Journal said.

The Federal Bureau of Investigation is already targeting major corporate insiders and criminal groups in its investigation of fraud in the mortgage lending industry. The FBI has said it is investigating 19 companies in mortgage cases.

The formation of the task force amplifies efforts already under way in Brooklyn, where prosecutors are investigating whether investment bank UBS AG improperly valued its mortgage-securities holdings, the report said.

Also being investigated are the circumstances surrounding the failure of two hedge funds at Bear Stearns Cos, which collapsed last summer because of losses tied to mortgage-backed securities, the report said.

Fraud, like other crimes of opportunity, has three common attributes:

  1. A growing supply of motivated offenders
  2. The availability of prospective or ideal targets
  3. The lack of consistent oversight mechanisms—control systems or someone to monitor the business

Beyond the typical motivations for initiating deceptive practices and fraud are the underlying mindsets. "Neutralization" creates the road map for nullifying internal moral objections. The type of fraud is not the issue here so much as the fact that offenders seek to justify or rationalize their actions and methods. Grace Duffield and Peter Grabosky have captured the four main categories of fraud in their paper, "The Psychology of Fraud."

  • Fraud committed against an organisation by a principal or senior official of that organisation
  • Fraud committed against an organisation by a client or employee
  • Fraud committed against one individual by another in the context of face-to-face interaction
  • Fraud committed against a number of individuals through print or electronic media, or other indirect means

Now the IT departments will be buzzing, as they will be under orders to preserve e-mail archives as evidence as soon as notices arrive on the doorsteps not only of the large funding institutions themselves, but of the hundreds of organizations in the corporate supply chain.

The duty to preserve attaches immediately once the company is on notice. Once an investigation or lawsuit is reasonably anticipated or a complaint is received, the requirement to preserve materials attaches and preservation efforts need to be undertaken as soon as possible. There are no cases that provide definitive guidance as to how quickly litigation hold notices must be sent once the duty is triggered, but any such case will be evaluated in hindsight, i.e., after relevant materials have been destroyed, and very little if any delay is likely to be tolerated by the courts.

Let's do some simple math. Multiply the number of banking branches by the number of mortgage brokers for each branch by the number of appraisal firms, and you start to understand the magnitude of the volume of data. While some larger banking institutions have centralized underwriting operations for all of their branches, they still rely on a supply chain of small businesses in the local market to handle property valuations and appraisals.

The next trend line we will see is the uptick in court filings and the litigation wars for the next few years to come. One fact remains obvious. Organizations large and small will be drawn into these Operational Risk Management challenges without the proper policies, practices and behavior to prevail. In any "legal ecosystem" the phrase "Survival of the Fittest" comes to mind, and this one will be no different.

"Survival of the fittest" is sometimes claimed to be a tautology. The reasoning is that if one takes the term "fit" to mean "endowed with phenotypic characteristics which improve chances of survival and reproduction" (which is roughly how Spencer understood it), then "survival of the fittest" can simply be rewritten as "survival of those who are better equipped for surviving".

28 April 2008

Corporate Governance: Testing for Organizational Disease...

In our continuing series on Security Governance we now turn to Corporate Governance: Testing for Organizational Disease.

It has been three years since a 25-year sentence was handed down in the WorldCom corporate governance and fraud case, and it is obvious that prosecuting white-collar crime cases is a real challenge.

In the HealthSouth Corp. fraud trial, the jury made a different decision and the CEO was acquitted.

Some lawyers suggested white-collar cases are inevitably difficult to present to jurors, whether they live in Birmingham or New York. "It's different from a drug deal or a bank robbery," said Donald Stern, a Boston attorney who was formerly that city's top federal prosecutor. "It's not obvious that a crime has been committed."


What the Board of Directors and Executive Management do know is that it is time to make some more changes in Corporate Governance initiatives. The relationship with shareholders is bound to remain a challenge for any management team, and they realize that they must create a culture built on ethics and risk management principles.

At the end of the day it comes down to the evidence presented to the jury. And the evidence is typically a presentation of information utilizing forensic methods of discovery. Dr. Thomas R. O'Connor at NCWC has some interesting background on the subject of "Investigative Methods of Forensic Accounting."

Signs of financial crime can be initially detected in a variety of ways -- by accident, by whistle-blowing, by auditors, by data mining, by controls and testing, or by the organization's top management requesting an inspection on the basis of mere suspicion. Ideally, fraud detection ought to be recognized as an important responsibility throughout every organization, and every employee in an organization ought to be familiar with the disciplinary consequences for breach of trust as well as failure to report criminal misdeeds against the organization. On a practical level, however, there are steps to the investigative method used in an organizational context that are far from these ideals, and reaching the "breakthrough" point is more an art than science. It is the purpose of this lecture note to outline the investigative methods and procedures used in most cases.


Red Flags of Organizational Behavior:

1. Unrealistic performance compensation packages -- the organization will rely almost exclusively, and to the detriment of employee retention, on executive pay systems linked to the organization's profit margins or share price.

2. Inadequate Board oversight -- there is no real involvement by the Board of Directors, Board appointments are honorariums for the most part, and conflicts of interest as well as nepotism (the second cousin to corruption) are overlooked.

3. Unprofitable offshore operations -- foreign operation facilities that should be closed down are kept barely functioning because this may be where top management fraudsters have used bribes to secure a "safe haven" in the event of need for swift exit.

4. Poor segregation of duties -- the organization does not have sufficient controls on who has budget authority, who can place requisitions, or who can take customer orders, and who settles or reconciles these things when the expenses, invoices, or receipts come in.

5. Poor computer security -- the organization doesn't seem to care about computer security, has slack password controls, hasn't invested in antivirus, firewalls, IDS, logfiles, data warehousing, data mining, or the budget and personnel assigned to IS. Simultaneously, the organization seems over-concerned with minor matters, like whether employees are downloading music, chatting, playing games, or viewing porn.

6. Low morale, high staff turnover, and whistleblowers -- Low morale and staff shortages go hand-in-hand, employees feel overworked and underpaid, frequent turnover seems to occur in key positions, and complaints take the form of whistleblowing.


As we move forward on strategies for improving ethics and protecting corporate assets, it is clear that educating board members and employees about the symptoms of corporate disease can be a key initiative. That education and awareness program could be the beginning of a whole new era of high-performing companies. For that matter, the program's effectiveness may be the first test of any organization's health.

06 April 2008

Rule-Set Reset: Evidence Life Cycles...

Here are a few of the "Top of Mind" topics these days at the nexus of Legal Risk and "Defining the New Rules Sets" for Information Management and Digital Forensics. What is a "Rule-Set Reset"?

When a crisis triggers your realization that your world is woefully lacking certain types of rules, you start making up those new rules with a vengeance (e.g., the Patriot Act and the doctrine of preemption following 9/11). Such a rule-set reset can be a very good thing. But it can also be a very dangerous time, because in your rush to fill in all the rule-set gaps, your cure may end up being worse than your disease.

  • The Computer as Witness--What The Courts Allow.
  • Improper and Negligent Records Hold Practices.
  • Calculating Settlement Values in a Digital World.
  • Economics of Electronic Discovery.
  • Evaluating Outside Law Firms: Competing for Client Revenue.
  • Discovering the Legal Value of Electronic Information.
  • Chain of Custody Controls and Vulnerabilities.
  • Logs, Metadata and Backups.
  • Evidence Life Cycle Management.
  • Operational Risks in Existing Corporate Information Management Practices.

These topics and more are worth investing time, resources and manpower for vital learning, education and convergence within the legal department of your institution. Why? Just ask Waters Edge Consulting. Because just preparing for ESI custodian depositions under Rule 30(b)(6) will not be enough for your team to win these days. It's going to take substantially more investment in governance strategy execution within the ranks of the CIO, CSO and General Counsel in the aftermath of the sub-prime "Armageddon."

Today, many organizations have Enterprise Records Management (ERM) systems that provide clear guidelines for data retention and destruction. In addition, organizations facing frequent lawsuits often use Electronic Data Discovery (EDD) vendors and outside counsel to process and review electronically stored information (ESI) during discovery.

Unfortunately, neither solution creates a framework that recognizes all data as potential evidence and puts a consistent methodology in place for handling it efficiently and cost effectively.

Evidence Lifecycle Management (ELM) is such a framework. An ELM system, such as MatterSpace from WorkProducts, provides:

  • Automated identification, preservation, and collection of structured and unstructured matter-specific ESI from all accessible eRecords sources
  • Role-based collaboration and communications that drive all case-specific ESI activities
  • Auditing and reporting of all ESI communications and events, including litigation holds

ELM bridges the gap between ERM and EDD, speeding up ESI delivery while reducing the risk and cost of ESI processing and legal review.


A prudent governance execution strategy would combine new learning, education and policy development with the correct tools and managed services. Yet how do you determine the right recipe for your institution? After all, you are unique and unlike any other organization out there.

The fact is that it has to be customized to your exact size, exposures and vulnerabilities. You first have to establish the baseline and develop the foundation for making the right decisions in the right order. Most importantly, it has to be co-designed with the legal team and the custodians of the information if it is to have any chance of success. Underlying all of the dialogue about whom a particular matter relates to and where the information is located is another area imperative to the overall resilience of the organization: Continuity of Operations.

At the end of the day, this is what you are really buying. True DataVaulting means exchanging the headaches and liability of maintaining your own backups for the simplicity and convenience of contractually backed Service Level Agreements (SLAs).

Without effective DataVaulting, DRP and overall Continuity of Operations as an underlying foundation for managing the life cycle and longevity of your institution's records, you may already be exposed to an increased risk of fines and non-compliance sanctions from FINRA or the SEC.

The correct Business Resilience Architecture begins with a firm statement of applicability for your institution. The statement of applicability (SOA) is the architectural blueprint that identifies the controls pertinent to your environment and explains how and why they are appropriate. The SOA is derived from the output of a comprehensive operational risk assessment and the development of an enterprise-wide "Early Warning System."

Centre-left leaders from around the world called on Saturday for urgent reform of global financial institutions to prevent a recurrence of the credit crisis.

About a dozen leaders, brought together by Prime Minister Gordon Brown, issued a communique urging the International Monetary Fund to help develop an effective early warning system to guard against financial risks to the global economy.

Australian Prime Minister Kevin Rudd said the world had to learn the lessons from the credit crisis, sparked eight months ago by massive default on U.S. sub-prime mortgage debt.

"Too often in the past when these sorts of events have occurred ... the lessons are lost. The lessons must be learned and applied, otherwise we will face a very rocky future indeed," Rudd told a news conference after the "Progressive Governance" conference outside London.

The leaders, also including South African President Thabo Mbeki, New Zealand Prime Minister Helen Clark and Austrian Chancellor Alfred Gusenbauer, gathered just before key Group of Seven and IMF meetings in Washington next week which will discuss the financial turbulence.

Also attending were the heads of the IMF, World Trade Organisation (WTO), the African Development Bank and several U.N. agencies.

18 March 2008

Information Risk: The Zero's & One's Don't Lie...

The Bear Stearns implosion has been portrayed as a casualty of failed hedge funds. These entities are less regulated than banks and do not have to keep a minimum capital reserve. The amount of leverage they are allowed to use can come back to burn you.

Angry Bear Stearns Co Inc shareholders have wasted no time in bringing legal claims following the company's stunning stock collapse and $2-a-share fire sale to JPMorgan Chase & Co.

At least one federal lawsuit in New York seeking class- action status for alleged securities fraud was filed on Monday by an investor contending the company hid its true financial condition from shareholders.


"Who Knew What When" is the focus of the legal mechanism now in full swing as investigators at the SEC and other federal regulators begin their forensic examinations and interviews. Eliot Spitzer is finally a back story after his demise in the FinCEN money laundering investigation:

But what really snared Spitzer was a money laundering investigation that was flagged by suspicious activity reports (SARs) that banks have to file with the Treasury to surface everything from money laundering to terrorist activity. This network has been around for a while, but its importance escalated following the Sept. 11, 2001 terrorist attacks. According to the FBI’s charges the prostitution ring that counted Spitzer as a customer was investigated due to some shady bank accounts, checks and wire transfers with big totals ($39,000, $400,000 and others).

The nexus of eDiscovery, Data Mining and Operational Risk Management is in the news as these incidents are unraveled. The information and evidence from the data analysis will reveal the truth, and those caught shredding documents or deleting files will no doubt become part of one of these inquiries.

Even today at 2AM JP Morgan Chase was searching Google with the terms "information operations risk management" and landed here on this Operational Risk Management Blog. Then they "Out Clicked" to A Defensible Standard of Care in hopes of finding answers to their questions.

The lawsuits and the lawyers are busy these days with the Federal Rules of Civil Procedure (FRCP) as they defend against claims arising from ongoing data breaches and bad behavior by employees and interested third parties:

A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday.

Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.

The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

The company is aware of about 1,800 cases of fraud reported so far relating to the breach.


If the latest economic studies are correct, that's going to cost about $98.00 per record on the low side when it comes to the amount of money that these organizations will spend (unless insured) to clean up this operational risk related incident.

New York State has a new Governor at the same time the Bears are descending on Wall Street:

David A. Paterson became New York’s 55th Governor on March 17, 2008. In his first address as Governor, Paterson spoke about the challenges New York faces and his plan for New York’s future.

This month it is New York in the news, but our prediction is that California will soon be next to capture the nation's headlines. The legal buzzards are soaring overhead...

27 February 2008

Lessons Learned: The Impact of Executive Decisions...

In times of economic downturn the Operational Risks within your institution will begin to rise. Enron, Worldcom and HealthSouth are a few of the names people recognize as the major casualties of the last significant dip in our economy. When times get tough, people get desperate and try to keep their schemes and any red flags from being discovered.

So what are some of the areas that Operational Risk encompasses?

  • Internal Fraud - bribery, misappropriation of assets, tax evasion, intentional mismarking of positions
  • External Fraud - theft of information, hacking damage, third-party theft and forgery
  • Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety
  • Clients, Products, & Business Practice - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
  • Damage to Physical Assets - natural disasters, terrorism, vandalism
  • Business Disruption & Systems Failures - utility disruptions, software failures, hardware failures
  • Execution, Delivery, & Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets

Cynthia Cooper has written a new book "Extraordinary Circumstances: The Journey of a Corporate Whistleblower" about her honorable quest to find the truth at Worldcom. Her quote in the March/April issue of Fraud Magazine says it all:

"Listen to your instinct. If people are acting out of character or appear to be working to head you in another direction, step back and ask yourself why. Continue to ask for support and dig until you're satisfied that you've gotten it right."

Beyond Cynthia's first-person account, which gives the reader her emotional perspective, Operational Risk Management professionals realize that their role and the job they have been trained to do is not always a "Pleasant" experience. This is why all of the training and education is so important and the rehearsals are absolutely imperative. Testing, evaluating and testing some more is the norm. Understanding what "Normal" looks like takes time and persistence. Yet without it, our horizon for positive change could be in jeopardy.

With many of the "Lessons Learned" books from the last economic dip now published, who will be next to blow the whistle or expose the real risks that some companies are hiding from the Board of Directors and the shareholders? The class action lawyers are already gathering their evidence on the possibility of cashing in on predatory lending practices:

A federal appeals court is nearing a decision on a battle between Chevy Chase Bank and a Wisconsin couple that could for the first time enable homeowners across the country to band together in class-action lawsuits against mortgage firms and get their loans canceled.

The case is alarming Wall Street 's biggest banks, which could bear the hefty cost of reimbursing all mortgage interest, closing costs and broker fees to groups of homeowners who uncover even minor mistakes in their loan documents. After a federal judge in Milwaukee ruled last year that the Wisconsin couple had been deceived and other borrowers could join their suit, Chevy Chase Bank appealed to the circuit court in Chicago.

So what we have are volatile markets, bankers who are raising the stakes for borrowers, and naive consumers who are facing higher prices across the board. The time for increased vigilance is in front of us all. From the Board Room to the Court Room, it is time we spend more effort looking at the interdependencies and realize that risk is more than a prediction.

During these times, it's worth revisiting this post on Fear: The Elements of Prediction.

05 February 2008

ESI Lessons Learned: CREDO & Qualcomm...

Qualcomm Inc. v. Broadcom Corp., Case No. 05cv1958 (BLM) (S.D. Cal.), decided by the U.S. District Court for the Southern District of California on January 7, 2008, should be a major wake-up call for corporate litigants. This case is about electronically stored information (ESI) and the ability to manage and produce the correct records at the time requested.

Evidence Lifecycle Management (ELM) is imperative in the context of Governance Strategy Execution within the halls of corporate legal departments. Having an Operational Risk Framework to address legal matters is the "Holy Grail" for many Audit Committees of global Fortune 50 institutions and the General Counsel. What are some of the elements of enterprise ELM? To start:

  • Automated identification, preservation, and collection of structured and unstructured matter-specific ESI from all accessible eRecords sources
  • Role-based collaboration and communications that drive all case-specific ESI activities
  • Auditing and reporting of all ESI communications and events, including litigation holds
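The three ELM elements listed here, and the identical list in the "Rule-Set Reset" post above, describe preservation, hold management and auditing of ESI without showing what those controls look like in practice. The following is an added illustration written for this page; it is not code from MatterSpace, WorkProducts or any other product named here. It models a matter-specific evidence ledger that fixes a SHA-256 hash at collection time, keeps a hash-chained custody log so that an edited or deleted audit entry is detectable, refuses destruction of any item under a litigation hold, and can re-verify preserved items later. All item identifiers, matter identifiers, source labels and file contents are constructed for the example.

```python
"""Toy Evidence Lifecycle Management (ELM) ledger (added illustration, not product code)."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first audit entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    item_id: str
    source: str            # constructed label of the eRecords source, e.g. "mailbox:cfo"
    content: bytes
    content_hash: str      # fixed at collection; later changes are detectable
    holds: set = field(default_factory=set)  # matter ids with an active litigation hold
    destroyed: bool = False


class HoldViolation(Exception):
    """Raised when an action would destroy ESI that is subject to a litigation hold."""


class EvidenceLedger:
    def __init__(self):
        self.items = {}
        self.audit = []            # hash-chained list of custody events
        self.tip = GENESIS         # hash of the most recent audit entry

    def _log(self, actor, action, item_id, detail=""):
        event = {
            "seq": len(self.audit),
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "item_id": item_id,
            "detail": detail, "prev": self.tip,
        }
        # Each entry commits to its predecessor, so removing or editing any
        # earlier entry breaks the chain when it is re-verified.
        event["hash"] = sha256_hex(json.dumps(event, sort_keys=True).encode())
        self.tip = event["hash"]
        self.audit.append(event)

    def collect(self, actor, item_id, source, content):
        """Preservation: record the content hash at the moment of collection."""
        digest = sha256_hex(content)
        self.items[item_id] = EvidenceItem(item_id, source, content, digest)
        self._log(actor, "collect", item_id, f"sha256={digest} source={source}")

    def place_hold(self, actor, matter_id, item_ids):
        for iid in item_ids:
            self.items[iid].holds.add(matter_id)
            self._log(actor, "hold", iid, f"matter={matter_id}")

    def destroy(self, actor, item_id):
        """Retention-schedule destruction, denied while any hold is active."""
        item = self.items[item_id]
        if item.holds:
            self._log(actor, "destroy_denied", item_id, f"holds={sorted(item.holds)}")
            raise HoldViolation(f"{item_id} is under litigation hold: {sorted(item.holds)}")
        item.destroyed, item.content = True, b""
        self._log(actor, "destroy", item_id, "retention schedule")
        return True

    def verify_item(self, item_id):
        item = self.items[item_id]
        return not item.destroyed and sha256_hex(item.content) == item.content_hash

    def verify_audit_chain(self):
        """True only if every entry links to the previous one and the chain ends at the stored tip."""
        prev = GENESIS
        for event in self.audit:
            body = {k: v for k, v in event.items() if k != "hash"}
            if event["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != event["hash"]:
                return False
            prev = event["hash"]
        return prev == self.tip


def run_demo():
    """Walk through collection, hold, denied destruction and two tampering attempts."""
    ledger = EvidenceLedger()
    # Constructed sample ESI; a real system would pull from mail stores, file shares and databases.
    ledger.collect("collector", "ESI-001", "mailbox:cfo", b"Q3 revenue recognition memo (constructed)")
    ledger.collect("collector", "ESI-002", "fileshare:marketing", b"Trade show brochure draft (constructed)")
    ledger.place_hold("general_counsel", "MATTER-2008-01", ["ESI-001"])  # constructed matter id

    results = {"routine_destroy_ok": ledger.destroy("records_mgr", "ESI-002")}
    try:
        ledger.destroy("records_mgr", "ESI-001")
        results["held_destroy_blocked"] = False
    except HoldViolation:
        results["held_destroy_blocked"] = True
    results["item_intact"] = ledger.verify_item("ESI-001")
    results["chain_intact"] = ledger.verify_audit_chain()

    # Simulated alteration of a preserved item after collection.
    ledger.items["ESI-001"].content += b" [edited]"
    results["tamper_detected"] = not ledger.verify_item("ESI-001")
    # Simulated removal of the hold entry from the audit trail.
    ledger.audit = [e for e in ledger.audit if e["action"] != "hold"]
    results["chain_tamper_detected"] = not ledger.verify_audit_chain()
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The ledger deliberately logs the denied destruction as its own event: in a discovery dispute, the record that someone attempted to delete held material is itself evidence of the organization's good-faith controls, which is the kind of tracking the CREDO order below asks counsel to evaluate.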

Duane Morris LLP has this to say about the Qualcomm case:

Emphasizing that it is the responsibility of attorneys (both in-house counsel and retained counsel) to make certain that their clients carry out an effective and comprehensive document search, the court noted that "[p]roducing 1.2 million pages of marginally relevant documents while hiding 46,000 critically important ones does not constitute good faith and does not satisfy either the client's or attorney's discovery obligations." The court suggested that in-house counsel have a duty to confirm the veracity of any signed papers produced during discovery.

The district court's solution was to order Qualcomm to implement a "comprehensive Case Review and Enforcement of Discovery Obligations ('CREDO') program" which, at a minimum, includes:

(1) identifying the factors that contributed to the discovery violation, (2) creating and evaluating proposals, procedures, and processes that will correct the deficiencies identified in subsection (1), (3) developing and finalizing a comprehensive protocol that will prevent future discovery violations, (4) applying the protocol that was developed in subsection (3) to other factual situations, such as when the client does not have corporate counsel, when the client has a single in-house lawyer, when the client has a large legal staff, and when there are two law firms representing one client, (5) identifying and evaluating data tracking systems, software, or procedures that corporations could implement to better enable inside and outside counsel to identify potential sources of discoverable documents, and (6) any other information or suggestions that will help prevent discovery violations.

The court ordered that the attorneys submit a proposed protocol for the court to evaluate and revise, if necessary. While the district court's immediate goal was to remedy this specific instance of misconduct, the court hoped that its opinion would be a "road map" for electronic discovery and would "assist counsel and corporate clients in complying with their ethical and discovery obligations and conducting the requisite 'reasonable inquiry.'"

The risk associated with non-compliance with the Federal Rules of Civil Procedure (FRCP) is a major facet of Operational Risk Management. Corporate Governance Strategy Execution comes together in a dedicated internal "Task Force" inside the enterprise. Comprised of the General Counsel, CIO, CISO and VP of Human Resources, this team provides the mechanism for effective policy implementation and operational accountability. Its mission is to carry out the fiduciary duty to create a culture of legal compliance within the organization.

Boards of Directors have learned their lesson from turning the entire process over to outside counsel. The trend of outsourcing the many tasks and duties involved in the discovery and admissibility of ESI is coming to an end. Soon the General Counsel will be standing up the internal "Task Force" to identify and produce ESI in a reliable and cost-effective manner. The trend is gaining momentum, and law firms are receiving more "Requests for Information" (RFI) about their true electronic discovery capabilities.

Establishing "A Defensible Standard of Care" within the enterprise continues to be the ultimate goal. While some law firms have started to offer services to determine the readiness of their clients for large ESI cases, more corporate institutions are reversing the economic process associated with E-Discovery and asking:

"What are the Electronic Discovery Capabilities of our outside counsel?"