18 December 2011

Integrity & Ethics: Whistleblower Risk...

Operational Risk Management in your organization may be in need of a more robust awareness campaign.  Malfeasance and ethical wrongdoing are perpetuated in the workplace when those who are victims or witnesses refuse to speak up, and many stay silent because they fear retaliation by supervisors or co-workers. This study emphasizes the issue at hand:

Labaton Sucharow LLP yesterday announced the results of its nationwide Ethics & Action Survey. Conducted by ORC International between November 17-20, the survey questioned 1,000 Americans on their knowledge of wrongdoing in the workplace and willingness to come forward and report it. With significant financial rewards and strengthened anti-retaliation and anonymity protections offered under Dodd-Frank, an overwhelming 78% of respondents indicated they would report wrongdoing in the workplace if it could be done anonymously, without retaliation and result in a monetary award. In fact, more than one-third (34%) of respondents knew about wrongdoing in the workplace. However, 68% were unaware that the Securities and Exchange Commission (SEC) has a new Whistleblower Program designed to protect and reward individuals who report violations of the federal securities laws.

This kind of Operational Risk doesn't have to involve insider trading or the SEC to be an issue.  Do you have a controlling boss or a bully in the organization who uses their position of power to get what they want at any cost, or to force you to look the other way?  What facts point to their behavior, and to the actions by others that contribute to a caustic and toxic workplace or further perpetuate the situation?  Whether it is your Fortune 500 public company or your tiny 501(c)(3) non-profit does not matter.  When over one-third of the respondents to the ORC Ethics & Action Survey know of wrongdoing, and most would report it only if they could do so anonymously and without retaliation, the culture is broken and in need of repair.  The people who have the fiduciary duty to see that this kind of behavior is deterred also have the responsibility to provide the tools and the mechanism for those being victimized, and those observing the malfeasance, to defend themselves anonymously.

So what should you do as an Operational Risk professional to make sure this doesn't happen to the people in your respective organization?  Here is a good start:

Many corporations have internal compliance programs for corporate misconduct. These programs are, in theory, designed to provide an audience for workers who want to report unethical or illegal corporate conduct. Whether to utilize internal compliance reporting procedures is not an easy question to answer. As a general proposition, some believe that where the wrongdoing is pervasive—as in the case of securities fraud—an internal compliance program will not provide an adequate means of redress. Some believe that where the issue involves massive overbilling to the Government, or an allegation that a corporation is receiving significant dollars in unlawful revenue through fraudulent conduct, the internal compliance system will not work.

It's imperative that you also become aware of and communicate to employees and volunteers what their rights are outside the formal processes that are in place within the organization. Sometimes the nature of the ethics violations will not easily fall into the category for the internal compliance department.

So even "A Decade After the Fall of Enron", the laws and the rules give us only a false sense of security against the corporate and workplace malfeasance that so many U.S. citizens are subjected to on a daily basis.  And based upon the current state of play around the Beltway in Washington, DC, you can expect coordination and cooperation among enforcement agencies to keep increasing.

The increased collaboration among the alphabet soup of enforcement and regulatory agencies is also due to a collateral effect of the current financial crisis: declining agency budgets. In the current downward budget cycle, agencies are working in concert more than ever before. This trend is exacerbated by a change in the mission of the FBI in the post-Sept. 11, 2001, world, shifting resources to counterterrorism and creating a need for other agencies to play an increased role. The overarching lesson from this increased collaboration is clear: Gone are the days that inside or in-house counsel can assume that the state or federal agency with whom they are dealing is acting alone; it is increasingly likely there are additional state or federal agencies involved, resulting in overlapping criminal, civil or regulatory exposure.

If you hold the position of Senior Operational Risk professional in your organization, wrongdoing in the workplace cannot be overlooked any longer.  It is not too late to create a "Defensible Standard of Care" and to turn the word "Integrity" into a cultural pursuit that everyone aspires to.

01 October 2011

Deepwater Energy Risk: Protecting Business Performance...

Operational Risk professionals in the Energy Sector are putting effective software tools to use. After all, the core disciplines of OPS Risk lie with safety and security, and the reality of deepwater drilling beyond 8,000 feet of ocean is here now.

Few organizations understand the risks of drilling for and capturing precious natural resources under these demanding conditions better than the Marine Well Containment Company (MWCC), based in Houston, TX, USA. This new and quickly expanding consortium of ten energy exploration companies has banded together to address the "All Hazards" requirements that followed the Deepwater Horizon catastrophe. Never before have so few private sector energy companies converged on readiness and the management of operational risk with so much capital and mission focus.

Simultaneously, others close to the maritime risk management industry, such as the Lloyd's Register Group, have embarked on the bold mission of assisting organizations like MWCC as our insatiable thirst for energy drives exploration further offshore. They too understand the necessity of mitigating and preventing another Macondo incident, where a blowout preventer failed:

ModuSpec BV and Scandpower AS, members of the Lloyd’s Register Group, are developing a new tool with origins from the nuclear power industry that may prove highly useful to subsea engineers, offshore drilling managers, and regulators.

Operational Risk Management (ORM) is the process that evaluates the likelihood of a casualty occurring while comparing it to its associated consequences. BOP Monitor, a new tool under development by Scandpower applies ORM principles in a highly specific manner to one of the most important, and highly complex systems on board a drilling rig, the blow out preventer.

Last year’s Deepwater Horizon disaster cast an enormous spotlight on blow out preventer technology because the one sitting atop the Macondo Well failed to accomplish its mission, and millions of gallons of oil spilled into the sea. A one-in-a-million chance? Perhaps. In the decades since subsea blowout preventers have been used, countless have worked as-designed mitigating the disastrous consequences we all saw last summer. As the industry moves toward the arctic however, failure of these systems is absolutely not an option and risk management is of utmost importance to operators and coastal states.

The combination of MWCC and Lloyd's Register to address the challenges ahead in deepwater drilling is a natural fit, in the Gulf of Mexico and beyond. Perhaps even more so is the division Lloyd's Register Quality Assurance (LRQA), experts in Business Assurance and protecting business performance. They are the people who go beyond the words in a regulation or international standard and apply a holistic, multi-faceted approach to helping your business achieve higher performance. MWCC will need that business assurance and performance management going forward if it is to work in concert with United States regulatory agencies such as the Bureau of Ocean Energy Management, Regulation and Enforcement (BOEMRE).

All of the plans and processes will not be enough for those operators who are drilling in deepwater. This is exactly why exercising and testing those people, plans and processes will be a verified requirement:

Tracking and verification of exercise requirements for spill responders is a BOEMRE function that ensures that all responders have the required experience and expertise to respond to an offshore facility spill. Operators are required to conduct annual Spill Management Team “table top” exercises. These drills are required to test the Spill Management Team’s organization, communication, and decision-making in managing a response. The operator is also required to conduct an annual deployment exercise of the equipment staged at onshore locations identified in their plan. Each type of equipment staged onshore must be deployed and operated every 3 years. The operator is required to exercise their entire response plan every 3 years. Another exercise that tests the ability of the operator to communicate information in a timely manner is the required annual notification exercise required for every facility that is manned on a 24-hour basis. The operator must notify BOEMRE at least 30 days prior to these drills occurring. This notice provides an opportunity for BOEMRE to witness the exercise or to request changes in the frequency or location of the exercise, equipment to be deployed and operated, or deployment procedures or strategies. BOEMRE can also evaluate the results of these exercises and advise the owner/operator of any needed changes in response equipment, procedures or strategies.

The operational risk readiness factor is at the core of every exploration company as it pertains to Safety and Environmental Management Systems (SEMS). All of the MWCC consortium companies will already be well versed in "Operating Integrity Management Systems", yet as all ten come together to work on a combined solution, a baseline of standards and guidelines will be paramount to their success.

Remember, all of this focus is on the prevention of another "All Hazards" incident. Much of the concern stems from a lack of confidence that equipment will work, or that procedures will be carried out by humans, at just the right moment when an emergency condition presents itself. That is why testing and exercising across the entire spectrum of threats is necessary, beyond those related only to equipment integrity or failure:

More specifically, the goal of an offshore energy exploration and production safety regime must ensure that:

• Life, environment and property are protected in an effective, consistent, transparent and predictable way; both for those directly affected and involved in offshore operations.

• Risks are properly evaluated and all prevention and mitigation measures are identified;

• Control measures are implemented and maintained by all parties in accordance with mandatory risk assessments as well as what is prescribed by regulation;

• Conditions of safeguards, facilities, procedures, personnel and organizations are continuously monitored throughout the lifetime for proper functioning and compliance with all regulatory requirements and to assure that risks do not increase;

• Technical innovation and efficiency improvements can be implemented safely and responsibly.


And then there is the kind of risk that many are still not thinking about in the Gulf of Mexico, but which exists in other offshore drilling regions of the globe today:

Gunmen attack ExxonMobil supply vessel kidnapping one, wounding another


By Dorothy Davis

Industry sources have reported that gunmen have attacked a ship supplying an ExxonMobil (NYSE:XOM) oil rig off the coast of Nigeria, kidnapping one crew member and injuring another.

Nigel Cookey-Gam, a spokesman for the ExxonMobil subsidiary Mobil Producing Nigeria (MPN) told The Associated Press that the kidnapping happened early Friday (09/30) off the coast of Nigeria's Akwa Ibom state.

"Mobil Producing Nigeria, operator of the joint venture with the Nigerian National Petroleum Corporation, confirms that in the early hours of Friday, some armed men attacked a supply vessel near one of our platforms, offshore Akwa Ibom State," Cookey-Gam offered in the official statement. “The incident has been reported to security and relevant government agencies”

According to ExxonMobil, MPN is the second largest oil producer in Nigeria having begun production of crude oil in February 1970 from the Idoho field, located off the coast of Akwa Ibom State.

Violence and extortion driven kidnappings have been prevalent in Nigeria’s oil and gas-rich southern delta since 2006 when militants kicked off a series of attacks targeting oil companies. In 2009 a government amnesty program offering Niger Delta rebels an unconditional pardon and cash payments brought about a short period of reprieve, but has not been successful in quelling the targeted violence in the mostly impoverished region.


Deepwater Energy Risk in the next decade will be expanding off the coast of Brazil and in the Arctic:

In a warming and changing Arctic, China is stepping up its activities in the Arctic Ocean Basin. While China’s interests and policy objectives in the Arctic Ocean Basin remain unclear, Beijing is increasingly active and vocal on the international stage on issues that concern the region. To that end, China is actively seeking to develop relationships with Arctic states and participate in Arctic multilateral organizations such as the Arctic Council. The region includes a rich basket of natural resources: The U.S. Geological Survey estimates that 25 percent of the world’s undiscovered hydrocarbon resources are found in the Arctic region along with 9 percent of the world's coal along with other economically critical minerals. There is presently scarce open source information on China's Arctic policy and very few public pronouncements on the Arctic by Chinese officials.

30 July 2011

Legal Risk: General Counsel Digital Leadership...

Operational Risks continue to plague any senior manager with the title of "Corporate General Counsel". "Achieving a Defensible Standard of Care" remains ever so challenging, and the Board of Directors requires digital leadership from the General Counsel. A recent Corporate Executive Board report outlined some of the top-line issues, summarized in a Corporate Counsel article by Catherine Dunn:

1. Regulatory issues will converge, while regulation of issues will fragment.

What it means: Common issues—such as data privacy, executive compensation, anti-bribery, and antitrust—are gaining importance in the eyes of regulators the world over, says Lee. But countries and states are regulating those issues in different ways, which makes it more difficult for companies—and in-house legal teams—to harmonize their policies.

2. Information will grow exponentially.

What it means: E-discovery requests are getting bigger (think terabytes, not gigabytes) and the quality of meta-data that could be subpoenaed is getting better (like someone's location, as identified by GPS technology). As more and more information comes into play, the study finds, it "will increase the premium of how companies organize and manage their information."

3. Dueling demands for corporate transparency and consumer privacy will collide.

What it means: Consumer demands for privacy will place more emphasis on data security and how companies shore up their IT infrastructure. "The end result for legal departments is that, at the very least, they're going to need to become more [technologically] literate," says Lee. And again, legal teams will also have to deal with a variable set of regulations, depending on where companies operate.

While consumers want to protect their own information, they also want to have more information about corporations, information about executive compensation packages, private conversations between executives, and company investments.

4. The legal department's center of gravity will shift.

What it means: As companies expand into emerging markets to capitalize on growth opportunities, risks will follow. "It's going to be more important for those risks to be managed locally," Lee says. The report hypothesizes, then, that in-house legal teams will become more decentralized, decamping from corporate headquarters for local terrain. "Culture is an often-underestimated factor with regard to risk," Lee adds. Seeing as how different countries identify, report, and react to misconduct in different ways, that will also add to the need for on-site legal teams.

Another facet of this shift is that in-house lawyers will take on additional responsibilities—such as auditing and keeping an eye on corporate integrity and employee behavior.

5. The legal services market will mature.

What it means: If five to 10 years ago companies wondered which law firm to partner with, today it's not just traditional firms that are competing for the work, Lee says. Legal- and business-processes outsourcers are "very good for discrete pieces of work," such as discovery and document review, he says, and that could "rival or surpass the quality of law firms."


How fast is fast enough these days to notify your members or customers that their bank account has been hacked and money has been transferred to transnational criminal syndicates across the globe? Six hours is too long, according to this latest suit against Comerica Bank in Michigan, USA:

It started with a simple e-mail that landed in the inbox of Experi-Metal Inc.'s controller, Keith Maslowski, in January 2009. The message appeared to come from the company's bank, and Maslowski followed the directions to click on a link and enter confidential log-in data and other codes as part of routine maintenance. The details are laid out in a lawsuit that the small metal shop in Sterling Heights, Michigan, filed against Comerica. Scam artists used Maslow­ski's codes to initiate more than 85 wire transfers, moving $1.9 million out of the company's account to China, Estonia, Finland, Russia, and Scotland.

It took the bank only six hours to spot the unusual activity, notify the customer, and stop the transfers. But it wasn't good enough for the federal judge. Court documents show that the company had only two prior transfers in two years. On June 13 U.S. district court judge Patrick Duggan in Detroit ruled that Comerica was responsible for the $560,000 that remained unrecovered because the bank didn't act "in good faith." The judge ruled that "a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier."


Yet another example of the Operational Risks that require more preventive measures from the savvy General Counsel (GC) of 2011 and beyond. To what degree are other "Tripwires" in place so that the GC becomes a nerve center for detecting incidents and behavior that are strange or not normal? After all, you can't be everywhere, and no one can effectively work 24 x 7. So there remains only one answer: automation working together with Operational Risk experts.

How do the programmers know how many transfers are outside a normal range? In the case of Comerica, Judge Duggan ruled that six hours was too long to stop the fraudulent transfers, for an account that had seen only two wires in the preceding two years. The responsibility for establishing the right business rules cannot lie entirely with whoever is doing the programming. Business management, customers and risk management experts all need to be part of developing the triggers and alerts that allow faster response to incidents such as this one.
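To make the point concrete, here is an added example of the kind of automated trip wire this paragraph calls for. It is illustrative code written for this post, not Comerica's fraud system or anything from the court record. The event format, the two checks (a velocity threshold derived from the account's own history, and a novel-destination check), the thresholds and the sample wires are all assumptions constructed for the demonstration. The sample is shaped like the Experi-Metal facts in the quote, two routine wires over two years followed by a burst to unfamiliar countries, but the timestamps, amounts, country codes and account number are made up.

```python
"""Per-account trip wires for outbound wire transfers (illustrative, constructed)."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Wire:
    ts: datetime
    account: str
    amount_usd: float
    dest_country: str   # ISO-style country code, an assumption of this example


@dataclass(frozen=True)
class Alert:
    ts: datetime
    account: str
    reason: str


@dataclass
class _AccountState:
    seen_countries: set = field(default_factory=set)   # destinations paid before
    all_ts: list = field(default_factory=list)         # timestamp of every wire seen
    recent: deque = field(default_factory=deque)       # wires inside the sliding window
    in_burst: bool = False                             # suppresses repeated velocity alerts


class WireTripwire:
    """Evaluates two rules on every wire, so an alert can fire on the first bad one.

    velocity: count of wires in the last `window` versus the account's own
              historical rate (wires per window over `lookback`), with a floor
              of `min_burst` so a quiet account is not judged on a rate near zero.
    novelty:  the account has a history, yet has never paid this country.
    Thresholds are assumptions for the example, not a bank's actual policy.
    """

    def __init__(self, window=timedelta(hours=1), min_burst=3,
                 burst_factor=10.0, lookback=timedelta(days=730)):
        self.window = window
        self.min_burst = min_burst
        self.burst_factor = burst_factor
        self.lookback = lookback
        self._state: dict[str, _AccountState] = {}

    def _expected_in_window(self, st: _AccountState, now: datetime) -> float:
        """Historical wires per window, measured over the lookback period."""
        start = now - self.lookback
        prior = sum(1 for t in st.all_ts if start <= t < now)
        return prior * (self.window / self.lookback)

    def observe(self, w: Wire) -> list[Alert]:
        st = self._state.setdefault(w.account, _AccountState())
        alerts: list[Alert] = []

        # Novelty check runs before the wire is recorded, so it fires immediately.
        if st.seen_countries and w.dest_country not in st.seen_countries:
            alerts.append(Alert(w.ts, w.account, f"novel destination {w.dest_country}"))

        # Velocity check: slide the window forward, then compare to the threshold.
        st.recent.append(w.ts)
        while st.recent and w.ts - st.recent[0] > self.window:
            st.recent.popleft()
        threshold = max(self.min_burst,
                        self.burst_factor * self._expected_in_window(st, w.ts))
        if len(st.recent) >= threshold:
            if not st.in_burst:
                alerts.append(Alert(w.ts, w.account,
                                    f"velocity {len(st.recent)} wires in {self.window}"))
            st.in_burst = True
        else:
            st.in_burst = False

        st.seen_countries.add(w.dest_country)
        st.all_ts.append(w.ts)
        return alerts


def run(wires: list[Wire], tripwire: WireTripwire | None = None) -> list[Alert]:
    """Replay wires in time order through one tripwire and collect the alerts."""
    tw = tripwire or WireTripwire()
    out: list[Alert] = []
    for w in sorted(wires, key=lambda x: x.ts):
        out.extend(tw.observe(w))
    return out


def sample_wires() -> list[Wire]:
    """Constructed data: two routine domestic wires in two years, then a burst abroad."""
    acct = "EMI-0001"   # made-up account identifier
    routine = [
        Wire(datetime(2007, 3, 14, 10, 0), acct, 12_500.00, "US"),
        Wire(datetime(2008, 6, 2, 15, 30), acct, 8_200.00, "US"),
    ]
    start = datetime(2009, 1, 22, 7, 30)
    countries = ["CN", "EE", "FI", "RU", "GB", "CN", "RU", "EE"]
    burst = [Wire(start + timedelta(minutes=4 * i), acct, 22_000.0 + 500 * i, c)
             for i, c in enumerate(countries)]
    return routine + burst


if __name__ == "__main__":
    for a in run(sample_wires()):
        print(a.ts.isoformat(), a.account, a.reason)
```

On the constructed sample the first alert fires on the very first wire of the burst (a never-seen destination), and the velocity rule fires eight minutes later on the third wire, long before the business-day detection described in the ruling. The two thresholds are the part that belongs to management and risk experts rather than to the programmer: `min_burst` and `burst_factor` encode how much deviation from an account's own history the bank is willing to tolerate before a human looks.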

The number of data breaches and other cyber criminal activities will continue to rise as long as the General Counsel remains aloof or segmented from the departments and business units that can establish effective automated "Trip Wires" to get notified when something is "Not Normal".

Here are just few of the larger and most reported incidents in 2011 according to Law.com:

2011
April 1: Epsilon Inc., the world's largest e-mail marketer, reveals an unauthorized entry into Epsilon's e-mail system, exposing customer names and e-mail addresses.

April 26: Sony Network Entertainment America and Sony Computer Entertainment America disclose a "carefully planned, very professional, highly sophisticated criminal cyberattack designed to steal personal and credit card information." The intruders stole identity data from about 77 million PlayStation Network and Qriocity customer accounts.

May 10: Citigroup Inc. discovers a breach exposing more than 360,000 customer names, account numbers, and contact information. Citigroup waits almost a month before notifying its customers, and later says $2.7 million was stolen.

May 24: The Los Angeles Times reports that a Bank of America Corporation insider leaked detailed customer data to a ring of identity thieves resulting in $10 million in losses. The bank later confirmed the loss, which occurred sometime last year but came to light only recently, when the bank began informing customers.

June 15: Automatic Data Processing Inc., the world's largest payroll processor, says personal data of one of its 550,000 corporate clients was breached. It provided no details.


So what is the answer for the General Counsel? The "Plan-Do-Check-Act" lifecycle applies to the GC just as it does to others in the corporate enterprise. Information Governance is no different for the legal department than it is for the CIO. The problem is how closely the two are working in concert, so that the holders and managers of digital information work side by side with the legal eagles of the company. Not closely enough, in a world where transnational criminals, advanced persistent threats and insiders test your controls and the latency of your alert mechanisms on a daily basis.

The companies plagued by the incidents highlighted in the popular press are working hard to close the vulnerabilities exploited by those intent on finding them. They have invested millions of dollars in technology and sophisticated tools for detection and defense. In today's world of 4 billion devices connected to wireless networks, and ultimately the Internet, working hard alone will not suffice anymore.

The General Counsel working in concert with the Chief Information Security Officer (CISO), Chief Information Officer (CIO) and even the Chief Security Officer (CSO), along with outside contract consultants, typically defines who is responsible for the ongoing defense of the corporate enterprise. The question now remains: "What is the single Management System that they are all using to manage risk in the organization?" Unfortunately, the answer may be that they are not using the same management system. When your organization has not agreed on a single management system for risk management, it is no wonder that you have opened yourself up to the possibility of failure. Utilizing a single international standard such as ISO/IEC 27001:2005 could be the beginning of a unified effort by the entire stakeholder community in your organization.

Certifying your Information Security Management System against ISO/IEC 27001 can bring the following benefits to your organization:

  • Demonstrates the independent assurance of your internal controls and meets corporate governance and business continuity requirements
  • Independently demonstrates that applicable laws and regulations are observed
  • Provides a competitive edge by meeting contractual requirements and demonstrating to your customers that the security of their information is paramount
  • Independently verifies that your organizational risks are properly identified, assessed and managed, while formalizing information security processes, procedures and documentation
  • Proves your senior management’s commitment to the security of its information
  • The regular assessment process helps you to continually monitor your performance and improve

09 July 2011

ISO 28000: Bankers Exposed to Supply Chain Risk...

The banking institutions of the globe are on high alert. The Operational Risk doctrine is finally getting beyond the historical threats of fraud and rogue traders to the "New Normal" of other significant business disruptions. It's been on the horizon for some time, yet now Basel is finally enhancing the rules that have so far been ignored or given little consideration:

Banks should bolster their defenses against losses caused by rogue traders, client fraud and other so-called operational risks, global regulators said.

The Basel Committee on Banking Supervision endorsed updated principles on how banks should protect themselves from risks not directly linked to lending or market movements, the group said today on its website.

The measures add to beefed up capital and liquidity rules to toughen regulation of banks following the worst financial crisis since the Great Depression. Rogue traders such as Jerome Kerviel at Societe Generale (GLE) SA and Nick Leeson at Barings Plc can also wreak havoc on individual institutions, said Nicolas Veron, a senior fellow at economics research group Bruegel.

“Barings was killed by operational risk, and Societe Generale came very close to a near-death experience in 2008,” Veron said in a phone interview from Brussels.

“Does operational risk generally cause systemic crises? No. But it can have a major impact on individual institutions when things go wrong,” said Veron.

Today’s changes build on rules from 2004 that require lenders to hold reserves against risks including natural disasters, computer hacking, systems failures, theft, fraud and unauthorized trading.

So where is the weakest link in the 63 "Principles for the Sound Management of Operational Risk"? We still think it is this one, number 54 under the Principle of Mitigation and Control:

54. Outsourcing is the use of a third party – either an affiliate within a corporate group or an unaffiliated external entity – to perform activities on behalf of the bank. Outsourcing can involve transaction processing or business processes. While outsourcing can help manage costs, provide expertise, expand product offerings, and improve services, it also introduces risks that management should address. The board and senior management are responsible for understanding the operational risks associated with outsourcing arrangements and ensuring that effective risk management policies and practices are in place to manage the risk in outsourcing activities.

The reason we believe this to be a single point of failure is the tremendous number of outsourced services, from the critical information systems infrastructure of the banking industry to the supply chains of the major global firms in which the banks themselves invest to keep the world's commerce moving.

One key aspect of this area of Operational Risk is the sense of risk mitigation that usually comes with a "Service Level Agreement" (SLA) with a vendor or service provider. The General Counsel and the legal team are responsible for the prudent review and drafting of outsourcing contracts. Yet in many cases the SLA is never audited or tested to find out how a supplier would respond or behave during a major incident that impacts their particular area of supply chain operations. This brings us to ISO 28000.

ISO 28000:2007 specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain. Security management is linked to many other aspects of business management. Aspects include all activities controlled or influenced by organizations that impact on supply chain security. These other aspects should be considered directly, where and when they have an impact on security management, including transporting these goods along the supply chain.

Regardless of the legal documents agreed between you and your Tier 1 suppliers, you can bet that they have their own supply chains on which you have done no due diligence. Can you trust that all of your Tier 1 suppliers have gone down another layer or two to ensure their own survivability against a myriad of operational risks? Adopting an international management system such as ISO 28000 will send you on your way to a more adaptive enterprise with improved business resilience.

Now the question might be, how many major banks or hedge funds are major investors in companies such as DP World? Are they ISO 28000 certified to be more business resilient at their respective supply chain points of failure?

DP World Cochin has announced that the International Container Transhipment Terminal (ICTT) at Vallarpadam has been certified under the ISO 28000 Standard for Supply Chain Security Management system, and has joined the other DP World terminals in India to be the only container terminal in the country to be certified in port security.

Dubai: In 2007, Port operator DP World has raised $3.25 billion in Islamic and conventional bond sales to refinance existing debt and fund its expansion. The company said it exceeded its target of $3 billion for the two bond issues. Barclays Capital, Citi, Deutsche Bank and Lehman Brothers lead managed the two issues, helped by Dubai Islamic Bank for the sukuk. DP World, the world's third largest marine terminal operator, manages 42 terminals in 22 countries. Its investment commitments run into billions of dollars over the next few years in several countries, including India, Turkey, Britain, Senegal, Peru and China. Total capacity at DP World's ports was 48 million TEUs (twenty-foot equivalent container units) in 2006 and is expected to increase to 84 million TEUs by 2016 when new terminals are built.


So the final analysis of Operational Risk Management in your particular supply chain may very well lie beyond the surface of the Service Level Agreement (SLA). The General Counsel and legal team would be well advised to dig deeper than their Tier 1 suppliers in "Achieving a Defensible Standard of Care." Barclays, Citi and Deutsche Bank can be somewhat more confident that DP World is one of the few companies managing its Operational Risks under ISO 28000, at least at one port. Your next step may be to find out whether the precious semiconductors you need to manufacture your company's electronic products are in the hands of DP World Dubai Port Jebel Ali, Terminal 1, or DP World Cochin.

You should not be alarmed that DP World has a vacancy for the SVP, Global Operations:

VAC2531 - Senior Vice President - Global Operations

Division: Operations
Location: Dubai, U.A.E.
Department: DPW FZE DUBAI PORT INTL - DEP
Closing Date: 11-Jul-2011
About the Role:

This position reports to Executive Vice President and Chief Operations Officer - DP World and the main purpose of the role is to develop, lead and assist in the implementation of DP World's standards in the management of Safety, Environment, Security, Operations and Engineering, in line with DP World business and Container Terminal Strategies.



18 June 2011

FCPA Alert: Dodd-Frank vs. Powerball...

Board Directors are ever more tuned into the 2011 case settlements for Foreign Corrupt Practices Act (FCPA) violations, because Operational Risk professionals are being much more proactive than in years past in uncovering malfeasance in the supply chain operations of major global conglomerates:

Notable 2011 FCPA Settlements. 2010 was a record year for FCPA enforcement, and thus far 2011 has been no different. In the first half of 2011, 10 notable FCPA enforcement actions have settled, resulting in a total of about $490 million in penalties, disgorgement and prejudgment interest:

1. Tenaris agreed to pay a $3.5 million criminal penalty and $5.4 million in disgorgement and prejudgment interest.

2. Rockwell Automation agreed to pay disgorgement of $1.7 million, prejudgment interest of $590,000 and a civil penalty of $400,000.

3. Johnson & Johnson agreed to pay a $21.4 million criminal fine and $48.6 million in disgorgement and prejudgment interest, as well as about $7.9 million in related United Kingdom Serious Fraud Office recovery.

4. Comverse agreed to pay a $1.2 million criminal fine and $1.6 million in disgorgement and prejudgment interest.

5. Ball Corporation agreed to pay a $300,000 civil penalty.

6. Jeffrey Tesler, a key member of the TSKJ-Bonny Island joint venture accused of being part of a scheme to bribe Nigerian officials in exchange for contracts related to the construction of liquefied natural gas facilities, forfeited nearly $149 million, the largest FCPA-related forfeiture imposed on an individual to date.

7. JGC Corporation of Japan agreed to pay $218.8 million in criminal fines.

8. IBM agreed to pay a $2 million civil penalty, disgorgement of $5.3 million and $2.7 million in prejudgment interest.

9. Tyson Foods, Inc. agreed to pay a $4 million criminal penalty and $1.2 million in disgorgement and prejudgment interest.

10. Maxwell Technologies agreed to pay $8 million in criminal penalties, as well as $6.4 million to settle SEC civil charges.


Are any Board Directors out there amazed that companies such as IBM are still being impacted by the FCPA risk to the enterprise? Maybe more importantly, why is a Japanese company paying a criminal fine of over two hundred million dollars?

JGC CORPORATION is a Japan-based company mainly engaged in the engineering business. The Company operates in two business segments. The Integrated Engineering segment is engaged in the planning, design, procurement, construction and testing of equipment, appliances and facilities for petroleum, petroleum processing, petrochemistry, gas, liquefied natural gas (LNG), general chemistry, nuclear energy, metal smelting, biotechnology, food, pharmaceutical, logistics, information technology, environment protection and pollution prevention industries. This segment is also engaged in the provision of related inspection, maintenance and information processing services, as well as water and power generation business, among others. The Catalyst and Chemical segment is involved in the manufacture and sale of catalyst agents, functional materials, deodorants and enzymatic filters, electronic materials and high-performance ceramic products, as well as next-generation energy related products.

The Board of Directors of any transnational organization should be doing their homework on the reasons why JGC Corporation has employed an independent compliance consultant for the next two years and paid the $200M fine. Remember, your supply chain and your business partners may be the reason why you are sitting around the Board Room table negotiating with the U.S. Department of Justice.

The larger question is, could this have been prevented? Is this a risk that can be mitigated within the corporate enterprise? Has the company done everything in its capacity to put the right controls and tools in place to keep the FCPA from ever finding its way back onto the Board Room agenda? Do you know whether all of your joint venture partners are from the U.S., and all of the projects that they are working on together?

JGC’s agreement to pay the fine brings to $1.5 billion the total penalties in a case against a joint venture known as TSKJ that included Houston-based Kellogg Brown & Root LLC, Paris-based Technip SA (TEC) and Dutch engineering firm Snamprogetti Netherlands BV, according to a Justice Department statement.

The joint venture’s prosecution represents one of the biggest foreign bribery cases undertaken by the Justice Department since it stepped up pursuit of such cases starting in 2008 when Munich-based Siemens, Germany’s largest engineering company, paid $1.6 billion to settle U.S. and German probes.

“Each of the four companies in the TSKJ joint venture, the former chairman of the U.S. joint venture partner, and several other individuals have now been held accountable for a massive conspiracy to bribe Nigerian government officials to obtain lucrative construction contracts,” Deputy Assistant Attorney General Mythili Raman said in the statement.


What is the cost of an FCPA investigation beyond the fine? Imagine for a moment the number of e-mail messages that have to be acquired, preserved and examined. Add up the billable hours for subject matter experts to review the remaining mountain of data to determine the final relevance of each communication to the matter and to the people associated with the project. As an example, what was the magnitude of the Siemens case?

According to court records, it was a vast undertaking spanning 34 countries, with private investigators conducting more than 1,750 interviews and gathering more than 100 million documents. They reviewed approximately 14 million of those documents and gave the Justice Department and the SEC a small subset, about 24,000, according to a Siemens tally.


So what is one of the answers or solutions to finding the "Red Flags" and to self-disclosing the issue to the proper authorities early and often? First off, you need to develop your corporate "Human Intelligence" (HUMINT) capability around your Corporate Intelligence Unit (CIU). Building awareness across the whole enterprise, not just in the compliance function, is one way to do this. In order to get your HUMINT working for you, the people on the front lines and in the middle of the corporate hierarchy need to understand and internalize these "Red Flags". If the monthly or quarterly bulletin from the CEO discussing the integrity of the company's supply chain partners raises the issue of ethical behavior around a particular scenario, this will educate and increase awareness among those people in the enterprise who comprise this HUMINT network.

Sticks and carrots or other methods for rewarding compliance are so 1980s and 1990s. Wake up! In order to bring your global enterprise into the next decade of the 2000s, you have to start using the methods, processes and tools your deal makers use to run their business (SAP, Siebel CRM, Oracle). When was the last time the CEO visited the deal makers' pipeline meeting to review and discuss the joint ventures or pending projects that the business developers are forecasting to close in the next quarter? This is the perfect time for the CEO to ask them to fire any partner, agent, consultant, contractor or vendor that does not meet the foundation of the company's "Corporate Integrity Standards." Does your CEO even know what Social CRM is all about?

And how quickly the lessons that should have been learned are forgotten. Not any more. Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, employees, partners and other persons who provide original information on an FCPA violation by a public company can receive between 10% and 30% of the resulting fines as a "Whistleblower" bounty.

We wonder whether the odds of winning the next "Powerball" Lottery in the U.S. might be longer than the odds of getting 20% of a $200 million fine. Global corporations should be preparing their internal processes for Ethics and Integrity Management now. This Operational Risk will soon be more apparent as employees understand the odds of "Winning".

28 May 2011

OPSEC: TQM in the Defense Industrial Base...

OPSEC in the Defense Industrial Base (DIB) is on high alert since the RSA SecurID vulnerability was revealed several months ago. The Operational Risk Management discipline is now ever so pervasive in the private sector companies that run outsourced national security programs. When top secret information is at risk, the game plan shifts from a single company incident to a federal priority.

By Jim Finkle and Andrea Shalal-Esa

BOSTON/WASHINGTON, May 27 (Reuters) - Unknown hackers have broken into the security networks of Lockheed Martin Corp and several other U.S. military contractors, a source with direct knowledge of the attacks told Reuters.

They breached security systems designed to keep out intruders by creating duplicates to "SecurID" electronic keys from EMC Corp's RSA security division, said the person who was not authorized to publicly discuss the matter.

It was not immediately clear what kind of data, if any, was stolen by the hackers. But Lockheed's and other military contractor networks house sensitive data on future weapons systems as well as military technology currently used in battles in Iraq and Afghanistan.



The SecurID hack has been an eye-opening wake-up call for those Operational Risk professionals who are charged with keeping information safe from foreign adversaries. The "One-Time-Password" (OTP) marketplace is gearing up for a dramatic shift. Organizations such as EMC, the parent of RSA, are still backpedaling from the crisis and cooperating with three-letter U.S. agencies to determine the culprits. Not only do organizations such as Lockheed Martin hold the nation's major weapons systems contracts, they are also prime contractors for defending the cyber security networks across the government.

So what is the answer for keeping nation states across the globe from continuously probing and successfully compromising secret systems and networks by breaking security tools like SecurID?

The answer lies within the private sector's approach to quality assurance in software development. The vulnerability that all security-based companies and defense industrial base companies face is the flaws in software quality assurance practices. It is well known that any software development process has a testing phase to determine whether the product requirements have been satisfied. In the software development lifecycle, the QA testing phase is still the most neglected and understaffed. Raising the bar on software quality testing is not the only answer; it is just one facet of the security mosaic that continues to be a major challenge.

Total Quality Management (TQM) initiatives should not only be mandated by software development organizations; the Defense Industrial Base also needs to require new levels of software code testing by companies that are charged with securing the secrets of the company and the nation. As each new product or software version is launched into the marketplace it should have a label on it that discloses how diligent the vendor was in testing the software for defects. Reducing those defects before the product lands in the hands of the consumer is one major path to reducing the vulnerabilities that lead to such serious breaches of trade secret or national security information.

Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants – private firms, non‐profits, governments, individuals, processes, and cyber devices (computers, software, and communications technologies) – that interact for multiple purposes. Today in cyberspace, intelligent adversaries exploit vulnerabilities and create incidents that propagate at machine speeds to steal identities, resources, and advantage. The rising volume and virulence of these attacks have the potential to degrade our economic capacity and threaten basic services that underpin our modern way of life.



What will soon be the norm in the software development industry is the TQM mind-set that has been at the forefront of other manufacturers for decades. Once the regulators get the gears rolling the private sector will finally change and work towards "Six Sigma" in software in combination with more effective approaches to Operational Risk Management:

The approach to managing operational risk differs from that applied to other types of risk, because it is not used to generate profit. In contrast, credit risk is exploited by lending institutions to create profit, market risk is exploited by traders and fund managers, and insurance risk is exploited by insurers. They all however manage operational risk to keep losses within their risk appetite - the amount of risk they are prepared to accept in pursuit of their objectives. What this means in practical terms is that organisations accept that their people, processes and systems are imperfect, and that losses will arise from errors and ineffective operations. The size of the loss they are prepared to accept, because the cost of correcting the errors or improving the systems is disproportionate to the benefit they will receive, determines their appetite for operational risk. Events such as the September 11 terrorist attacks, rogue trading losses at Société Générale, Barings, AIB and National Australia Bank serve to highlight the fact that the scope of risk management extends beyond merely market and credit risk.

As OPSEC evolves in the Defense Industrial Base, the risk appetite and TQM conversation will continue to be on the agenda. The degree to which it makes it to the Board Rooms of EMC still remains to be seen.

27 March 2011

Rule-based Design: The Future of HSI...

Levers in the Homeland Security Intelligence (HSI) ecosystem impact the performance and the health of the environment in which the entities share their respective insights. These HSI entities are people within the analytic ecosystem who are diverse in the art and science they utilize to create and share insight.

The threat to any ecosystem in many cases is "too much" or "too little" of a key element of that environment that makes it thrive. Anything that occurs to offset the equilibrium in the ecosystem can have dramatic effects. What is the greatest killer of human beings on the planet earth over the past few decades? A good guess would be "Drought". Too much sun and too little water has killed millions.

Yet in the context of intelligence, if data is "The Sun" and shared insight is "The Water" then in order to mitigate the impacts of upsetting the equilibrium of our HSI ecosystem a prudent course of action is required. The levers should assist in the governance of the right amount of data and the right amount of shared insights so no one entity is at risk. Now we must examine the topic of "Rule-based Design."

The argument at hand is often that Homeland Security Intelligence analysts are experiencing too much data and not enough insight. They are indeed at the mercy of the compliance and data governance mechanisms that are in place, because of the civil liberties, legal framework and privacy statutes across the 50 U.S. states. Adding to the complexity are the systems and analytic software solutions that have been developed over the past ten-plus years. The software designers must incorporate "Rule-based Design" if they are to help maintain the equilibrium of the whole HSI ecosystem. Jeffrey Ritter explains:

Clearly, for the IT architect, there are lessons to be learned. For each step taken by the IT architect to better account for all of the rules that a solution must navigate, before the design process begins and long before construction of the solution is underway, the IT architect is able to better assure the timely completion of the solution, and the compliance of the systems and resulting data with applicable rules. Yet, even in this second decade of the 21st century, we are witnessing a continued failure of IT systems to be designed for compliance. Time and again, systems are designed, built and implemented without early and complete evaluation of the rules that must be satisfied. The result is that corporations (and their lawyers) are often patching compliance onto the systems after the fact. Expenses are increased, compliance is less assured, and the IT architect often gets stuck with the responsibility.

“Rules-based design” means that IT solutions are designed with a fully-informed awareness of all of the rules, including the legal rules, that the solution and the data must satisfy. With cloud computing, data that is dynamic and volatile, and mobile users, the challenge is genuine – how do we anticipate all of the legal rules that may apply?

The solution will emerge incrementally. But the first step is to accept the principle that IT systems, and their data, can be designed differently. We can take into account prior to the design process, and not after the completion of construction, all of the rules that the systems and the data must successfully navigate.


Now we must examine the "Civil Liberties and Privacy Policy" and the applicability within the Department of Homeland Security.

The Policy applies to “protected information,” which the ISE defines as information about U.S. citizens and legal permanent residents that is subject to information privacy, civil rights, and civil liberties protections required under the U.S. Constitution and Federal laws of the United States. DHS has instituted a policy whereby any personally identifiable information (PII) that is collected, used, maintained, and/or disseminated in connection with a mixed system is treated as a system of records subject to the administrative protections of the Privacy Act regardless of whether the information pertains to a U.S. citizen, legal permanent resident, visitor, or alien. As a result, this Policy also applies to information about nonresident aliens contained in “mixed systems.”

When you combine the complexity of a vast and endless data ecosystem with rule-based design to try to protect the civil liberties and privacy of U.S. citizens, you have the basis for a significant challenge and a simultaneous opportunity. The governance of Homeland Security Intelligence is in the hands of policy makers and software systems designers. The drought metaphor utilized earlier to illustrate the point on "too much data" and "too little insight" can now be clarified in our focus post 9/11. As of this writing, the system is working and has prevented a terrorist attack in the U.S. homeland on the magnitude of that unforgettable Tuesday in September, 2001.
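As an added example of what "rule-based design" looks like in code (this is not from the original post, from Jeffrey Ritter or from DHS), the following Python sketch encodes the quoted mixed-system policy as a check that runs at the point a record enters the system, rather than as a compliance patch applied afterwards. The class names, field names, status values and sample records are constructed assumptions for illustration only.

```python
"""Rule-based design sketch (added example; not DHS or the original post's code).

The quoted policy is encoded as a rule that runs *before* a record enters a
"mixed system": if the record carries personally identifiable information
(PII), it is handled as a Privacy Act system-of-records entry regardless of
the subject's status. Class names, field names and sample records below are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class SubjectStatus(Enum):
    CITIZEN = "U.S. citizen"
    LPR = "legal permanent resident"
    VISITOR = "visitor"
    ALIEN = "nonresident alien"


# Field names assumed to carry PII (constructed list, not a DHS definition).
PII_FIELDS = frozenset({"name", "date_of_birth", "passport_no", "home_address"})


@dataclass(frozen=True)
class Record:
    subject_status: SubjectStatus
    fields: dict


@dataclass(frozen=True)
class Decision:
    protected: bool        # treat as a Privacy Act system-of-records entry?
    pii_fields: frozenset  # which fields triggered the decision
    reason: str


def evaluate(record: Record, mixed_system: bool) -> Decision:
    """Apply the rule up front, as rule-based design requires.

    ISE definition: "protected information" is about citizens and LPRs.
    DHS mixed-system policy: PII in a mixed system is protected regardless
    of status, so the status test is skipped there.
    """
    pii = frozenset(record.fields) & PII_FIELDS
    if not pii:
        return Decision(False, pii, "no PII fields present")
    if mixed_system:
        return Decision(True, pii, "PII in a mixed system: protected regardless of status")
    if record.subject_status in (SubjectStatus.CITIZEN, SubjectStatus.LPR):
        return Decision(True, pii, "PII about a citizen or LPR")
    return Decision(False, pii, "PII about a non-citizen outside a mixed system")


class MixedSystem:
    """A store whose only ingest path applies the rule.

    There is no code path that stores PII without its decision attached,
    which is the point of designing for the rule instead of patching it on.
    """

    def __init__(self) -> None:
        self._rows: list[tuple[Record, Decision]] = []
        self.audit: list[str] = []  # what was admitted and why

    def ingest(self, record: Record) -> Decision:
        decision = evaluate(record, mixed_system=True)
        self._rows.append((record, decision))
        self.audit.append(f"{record.subject_status.value}: {decision.reason}")
        return decision

    def export(self, authorized: bool) -> list[dict]:
        """Protected rows leave the system with PII removed unless the caller
        is authorized (the authorization model itself is a placeholder)."""
        out = []
        for record, decision in self._rows:
            if decision.protected and not authorized:
                out.append({k: v for k, v in record.fields.items() if k not in PII_FIELDS})
            else:
                out.append(dict(record.fields))
        return out


def demo() -> tuple[int, int]:
    """Constructed sample: one alien, one citizen, one record with no PII.
    Returns (rows marked protected, names visible in an unauthorized export)."""
    store = MixedSystem()
    store.ingest(Record(SubjectStatus.ALIEN, {"name": "A. Example", "case_id": "C-1"}))
    store.ingest(Record(SubjectStatus.CITIZEN, {"name": "B. Example", "case_id": "C-2"}))
    store.ingest(Record(SubjectStatus.VISITOR, {"case_id": "C-3"}))
    protected = sum(1 for _, d in store._rows if d.protected)
    names_visible = sum(1 for row in store.export(authorized=False) if "name" in row)
    return protected, names_visible


if __name__ == "__main__":
    print(demo())  # → (2, 0)
```

The design choice worth noticing is that `evaluate` is the only way into `MixedSystem`, so the legal rule is a property of the architecture rather than of a later audit; if the policy changes, the rule changes in one place and the audit trail records why each record was admitted.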

The entities within our Homeland Security Intelligence ecosystem will continue to be enabled or impeded by the policy decisions of civil liberties and privacy laws. The degree to which the software systems and rule-based design are commensurate with these policies may very well determine whether the equilibrium continues its success in the United States.

The levers to improve our HSI in the midst of a dynamic and asymmetric enemy are a constant ambition. Looking into the future, we can only pray our analytic entities execute in an ecosystem that perpetuates our successes so far and minimizes our failures. The governance factors designed by our policy makers and software developers will determine our abilities to save lives and protect our vital national assets for years to come.