Top Ten Mistakes: Board of Directors Risk...

A few years ago, Randy Myers article in Corporate Board Member Magazine discussed a Top Ten List for the Board of Directors. In light of the current state of corporate performance, we would like to revisit the most common mistakes.

General Counsel to Directors: Your 10 Most Common Mistakes

The in-house lawyers think that you've got a lot to learn about risk, trust, and reward. And when there's trouble, you too often fail to follow the Boy Scout creed: Be Prepared. By Randy Myers

1. Not Asking Questions
2. Failing to Understand the Company and the Risks it Faces
3. Failing to Lead on Ethics and Compliance
4. Not Insisting on a Crisis-Management Plan
5. Speaking out in a Crisis Before the Facts are in
6. Relying on the Wrong Outside Counsel
7. Failing to Understand Attorney-Client Privilege
8. Underestimating Regulators
9. Giving too Much Leeway to Rainmakers
10. Getting Caught Up in the dilemma of False Options

And as Randy so clearly states: "Serving on a corporate board isn't easy. Avoiding these common mistakes should be."

We can't accept that No. 4 even is on this list. No. 2 and No. 3 is ever so common place. And No. 7 is not a surprise. But what continues to amaze even those professionals associated with consulting to the Board of Directors is No. 8.

The Chief Risk Officer (CRO) is the independent keeper of oversight in the corporate enterprise. Should any organization be the subject of an investigation by the SEC, FTC or any other government regulator, they need to look to the CRO. It's the job of any CRO to keep regulator awareness at a high level and to let the business be in charge of risk management. Whenever you see a CRO getting involved in managing the risks of the business, then the independence and clarity of oversight has been extinguished.

The General Counsel and the Chief Risk Officer must work hand-in-hand to follow the Boy Scout creed:

Be Prepared.

IO Convergence: Cyber Warfare Unified Taxonomy...

Information Operations (IO) is an Operational Risk Management priority in both the public and private sector these days.  Is it lawful for a U.S. company and U.S. citizens to train and perform cyber warfare activities on behalf of a foreign country?

The Washington Post reports:

By Ellen Nakashima, Published: November 22

In the spring of 2010, a sheik in the government of Qatar began talks with the U.S. consulting company Booz Allen Hamilton about developing a plan to build a cyber-operations center. He feared Iran’s growing ability to attack its regional foes in cyberspace and wanted Qatar to have the means to respond. 

Several months later, officials from Booz Allen and partner firms met at the company’s sprawling Tysons Corner campus to review the proposed plan. They were scheduled to take it to Doha, the capital of the wealthy Persian Gulf state. 

That was when J. Michael McConnell, a senior vice president at Booz Allen and former director of national intelligence in the George W. Bush administration, learned that Qatar wanted U.S. personnel at the keyboards of its proposed cyber-center, potentially to carry out attacks on regional adversaries. 

“Are we talking about actually conducting these operations?” McConnell asked, according to several people at the meeting. When someone said that was the idea, McConnell uttered two words: “Hold it.”

A common taxonomy was developed years ago for the cyber terms of the computer and network incident domain. Now we need to make sure we all understand what we mean when we say Information Operations policy as it pertains to the digital world.

As an example, in the context of the digital attacker we have Sandia Labs Taxonomy:

• Hacker
• Spies
• Terrorists
• Corporate Raiders
• Professional Criminals
• Vandals
• Voyeurs

Each is unique and has its own domain or category. We are sure that the same could be used for the context of attackers in the non-digital world, possibly with the exception of Hacker. However, the definition of corporate raider in the off line domains may not be synonymous with the on line domain of cyber incidents.

If we look at the categories that make up the entire "Incident" that Sandia Labs has utilized, we see the following:

• Attackers
• Tool
• Vulnerability
• Action
• Target
• Unauthorized Results
• Objectives

Without combining the context under each category, we lose the impact of what we are trying to make contextual with regard to an "Incident". We need to make sure that the anti-terrorism taxonomies of the off line and on line domains can be utilized together to describe the attributes of an "Incident". We need to break down the sub-categories as well. For instance, in the Sandia Labs Taxonomy for the Objectives category we have:

• Challenge, Status, Thrill
• Political Gain
• Financial Gain
• Damage

When we move to the off line domain and are doing risk mitigation and preparedness exercises for anti-terrorism we utilize another set of words to describe and evaluate infrastructure threats and hazards. Five factors here are:

• Existence addresses the question of who is hostile to the assets of concern?
• Capability addresses the question of what weapons have been used in carrying out past attacks?
• History addresses the question of what has the potential threat element (aggressor) done in the past and how many times?
• Intention addresses the question of what does the potential threat element hope to achieve?
• Targeting addresses the question of do we know if an aggressor is performing surveillance on our assets?

The Washington Post reports:

By Ellen Nakashima, Published: November 14 

President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyber­attacks on the nation’s web of government and private computer networks. 

Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October.  The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats. 

The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed. 

“What it does, really for the first time, is it explicitly talks about how we will use cyber-
operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”

We believe that as our cultures, countries, agencies and professionals work together on Information Operations (IO) and online counter-terrorism initiatives, we are going to have to develop a solid taxonomy. It will provide the foundation for our clear and accurate risk management methodologies and incident management systems, being developed by relevant organizations in mutual collaboration.

Once we have accomplished this fundamental understanding, then true Critical Infrastructure Protection (CIP) cooperation and coordination will occur.

Workplace Trust: Integrity, Ethics & Legal Risk...

Operational Risk Management professionals wonder about the "Tone at the Top" and decisions at the latest Board of Directors meetings to ignore or investigate a whistleblowers claims of ethics or governance violations in the workplace.

The financial services companies have for years been the target of scrutiny for claims of fraud, mistreatment of consumers and violations of several U.S. federal regulations many under further examination by the SEC.  As time goes on in the evolution of maleficence you will find examples of wrong doing in other private sector areas, such as the Defense Industrial Base (DIB), Retail and Information Technology (IT).  Think about your own company and ask yourself how you treat and respond to the 800 number Ethics Line and those who staff the Internal Audit, Risk Management or Information Security departments.  Are these enablers or impediments to your future success?  Your answer may be a clue to the issue at hand.

The professionals in the Inspector Generals office, the Operational Risk Management department and the General Counsels office are also there for a good reason.  Think about them as the last "Thin Blue Line" between your company becoming a success or falling into a cultural abyss that will plague the institution for decades.  Steven Pearlstein explains from the Washington Post:

Steven Pearlstein: How could SAIC miss this? By Steven Pearlstein, 

Last week in these pages, The Post ran a profile of John Jumper, the straight arrow former Air Force general who was brought in as chief executive of local contracting giant SAIC in the wake of an embarrassing overbilling scandal involving bribery, kickbacks, foreign shell corporations and a safe deposit box stuffed with $850,000 in cash. 

A year ago company officials were publicly denying that there were any problems at all with its contract to build a new timecard system for New York City, which by then was so late and so over budget that “CityTime” had become a frequent target for the New York tabloids and political embarrassment for Mayor Michael Bloomberg. 

It was just last June that SAIC executives and directors first informed shareholders that there might be a little $2.5 million overbilling problem with the contract and that federal prosecutors had brought criminal charges against six employees of an SAIC subcontractor. Shareholders had to read deep into Note 9 of that quarterly report to learn that there might be “a reasonable possibility of additional exposure to loss that is not currently estimable” that “could have a material adverse impact” on the company’s finances.

This episode by one DIB contractor, was not the first nor will it be the last.  One has to ask whether the advice these companies are getting from their outside counsel is always the right course of action.  The government and the internal risk management departments are going to be continuously deluged with new whistleblower claims.  Not just because new laws are in place to protect them and to provide them with the incentives to come forward.  It is because good people are sick and tired of having their organizations reputation tarnished and their respective ethical practices being jeopardized by a few bad cowboys or rogue actors.  Yet now, the Retail sector is being taught a serious lesson regarding a potential FCPA violation by Wal-Mart.  David Barstow at the NYT has this to report:

By DAVID BARSTOW 

Published: April 21, 2012  MEXICO CITY — 

In September 2005, a senior Wal-Mart lawyer received an alarming e-mail from a former executive at the company’s largest foreign subsidiary, Wal-Mart de Mexico. In the e-mail and follow-up conversations, the former executive described how Wal-Mart de Mexico had orchestrated a campaign of bribery to win market dominance. In its rush to build stores, he said, the company had paid bribes to obtain permits in virtually every corner of the country. 

The former executive gave names, dates and bribe amounts. He knew so much, he explained, because for years he had been the lawyer in charge of obtaining construction permits for Wal-Mart de Mexico. 

Wal-Mart dispatched investigators to Mexico City, and within days they unearthed evidence of widespread bribery. They found a paper trail of hundreds of suspect payments totaling more than $24 million. They also found documents showing that Wal-Mart de Mexico’s top executives not only knew about the payments, but had taken steps to conceal them from Wal-Mart’s headquarters in Bentonville, Ark. In a confidential report to his superiors, Wal-Mart’s lead investigator, a former F.B.I. special agent, summed up their initial findings this way: “There is reasonable suspicion to believe that Mexican and USA laws have been violated.”

Mitigation of Operational Risks in the workplace, such as fraud and corruption is different than it is outside the enterprise.  The difference is, that corporate executives do not always believe that their own employees would behave this way.  They could be naive to the reasons why fraud finds its way into the psyche of some of the organizations must trusted officers.  Corruption and the signs that an organization has lost its way from a place of cultural integrity and one that condones others to look the other way or for many to help perpetuate schemes of wrong doing, requires a massive organizational transformation.  A transformation that is lead by focused and talented Operational Risk professionals.

But most of all, even if you have these professionals on your team already, there are still some important ingredients to achieving your own "Defensible Standard of Care":

1.  If you think you have funded the risk management department in your enterprise adequately, you haven't.  Do not confuse your outside audit function with your internal risk management function. 

2.  If you don't understand how your 800 number ethics line works and the outsourced organization that runs this, then you need to do so immediately. 

3.  If you have a favorite outside counsel to help you with investigations, it might be time for a check up.  Even more importantly, it might be time to get your outside counsel firms and your outside audit firms invited to a meeting of the minds on corporate integrity. 

4.  If you find any indications that 1 through 3 have been ignored, pushed aside or been giving you a false sense of security, then you might consider making a career change.

Tech Inc., a rapidly growing software company operating in 45 countries, learns that the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) are investigating payments made by its subsidiaries in Brazil and China for possible violation of the Foreign Corrupt Practices Act (FCPA). Bob, the general counsel for Tech Inc., suspects that the source of the investigation is an employee who anonymously lodged a hotline complaint alleging that the company was 1) paying independent sales agents excessive commissions and 2) providing generous discounts and rebates to some of its channel customers and distributors. The complainant also said he believed the problem extended beyond Brazil and China based on discussions he had with other employees.

RSA Conference: CSO Insomnia Over Insider Threat...

Next week in the U.S. there will be thousands of risk management and security professionals invading the RSA Conference in San Francisco. The myriad of topics, education and case studies are worth examining to see what is on the mind of these thought leaders and practitioners who are also designated speakers. You can even look to the popular press to see what the vibe is on what this years biggest worries will be:

1. Mobile Devices
2. Advanced Persistent Threat
3. Big Data Privacy
4. Hacktavists

However, if you spend some time to drill down on each of these topic areas and really look at the actual presentations of the presenters, some are based upon real cases and research and others are not. The one presentation that caught our eye and continues to be what some savvy CSOs would say keeps them sleeping with one eye open each night, is their insomnia over the "Insider Threat." That person or organized group of unidentified subjects that are there to recruit vulnerable people into initiating or perpetuating crimes against the organization.

Dawn Cappelli runs the Insider Threat Center at the Software Engineering Institute and highlights these areas of concern from their research and analysis of real cases:

The CERT Top 10 List for Winning the Battle Against Insider Threats

Dawn M. Cappelli Director, CERT Insider Threat Center CERT Program, Software Engineering Institute Carnegie Mellon University

• 10. Learn from past incidents
• 9. Focus on protecting the crown jewels
• 8. Use your current technologies differently
• 7. Mitigate threats from trusted business partners
• 6. Recognize concerning behaviors as a potential indicator
• 5. Educate employees regarding potential recruitment
• 4. Pay close attention at resignation / termination!
• 3. Address employee privacy issues with General Counsel
• 2. Work together across the organization
• 1. Create an insider threat program NOW!

Number Three on the list is certainly on the top third and for good reason. Employees and the policy decisions on what data is owned by the company and owned by the employee is of grave concern these days in the United States. Now after so many years it looks as if this issue is going to get more heated and see the light of day from a congressional point of view. Yet the CSO must feel that the ability for the safeguards necessary to keep the organization safe and secure are not in place yet. Catherine Dunn of ALMs Corporate Counsel sheds more light on this:

According to a new White House report on consumer data privacy protection, trust is worth a lot of money to U.S. businesses—users have to know their data will be protected if the economic engine of digital innovation is to keep roaring. Ergo, the U.S. needs a privacy framework that’s “flexible” enough to accommodate industry innovation, and comprehensive enough that consumers will feel safe—and keep clicking.

But trust between consumers and companies in the U.S. is only part of the equation. There’s another important element, too: how compatible U.S. safeguards are with those of the rest of the world, and particularly Europe. This new proposal arrives a month ahead of a conference on data protection between E.U. and U.S. officials in Washington, D.C., leading to questions about whether Europe and the U.S. are any closer to getting on the same page when it comes to data privacy.

The answer not only depends on who you ask, but also what section of the White House’s report you’re looking at. The white paper lists seven principles and stresses that these principles should form the basis of voluntary codes of conduct adopted by industry. Once adopted, the Federal Trade Commission would have the power to enforce compliance to those codes. The paper also includes a call for Congress to pass legislation based on these principles, and devotes a section to “international interoperability”—which considers how data can be sent across international borders without violating laws on either side of the transaction.

This is where we need to make sure we understand the difference between what privacy issues have to do with a company employee and the privacy associated with just a U.S. consumer, who is not an employee but perhaps a member, client or customer of the organization.

If we go back to the big worries at RSA and combine this with the employees who are operating at the "Speed of Business" in your enterprise, you begin to see the difference. Actually, if you think about it some more, every employee of the organization has a duty to care for the information inside the organization, in order to better protect the assets of the enterprise but simultaneously the assets of the consumer.

The consumer assets are their "Personal Identifiable Information" (PII) and this represents in many cases what the organized criminals are after in the first place. This is where the outside recruitment threat starts to have its nexus. However, even the highly trained and state sponsored agents who are inside the enterprise to steal corporate or national security secrets are far and few these days. That may be surprising to some, but if you look at how the exfiltration of data is taking place it's almost all automated. No human intervention is required.

If that is the case, then what is Dawn Cappelli and the Insider Threat Team at CERT so concerned about from their research insights:

Criminal enterprises mask their fraud by involving multiple insiders who often work in different areas of the organization and who know how to bypass critical processes and remain undetected. In several cases, management is involved in the fraud. Those insiders affiliated with organized crime are either selling information to these groups for further exploitation or are directly employed by them. Ties to organized crime appear in only 24 cases in the CERT insider threat database and are characterized by multiple insiders and/or outsiders committing long-term fraud.

All of the insiders involved with organized crime attacked the organization for financial gain. The insiders usually were employed in lower level positions in the organization, were motivated by financial gain, and were recruited by outsiders to commit their crimes. The average damages in these cases exceed $3M, with some cases resulting in $50M in losses.

Now you know why your CSO is headed to the RSA Conference this week and why they are sleeping with one eye open these days.

Irregular Warfare: 21st Century Corporate Battlefield...

The safety and security of your corporate assets is a Board of Directors level issue. The loss events including adversarial litigation for errors, omissions, or just plain ignorance of regulatory compliance are gaining momentum. These Operational Risks associated with human behavior and the daily tasks performed on the job remain a vast vulnerability within the corporate enterprise. Why?

The discipline of effective Operational Risk Management requires a tone from the top that speaks to the core issue:

Historically, financial institutions that have experienced security breaches or costly exposure to operational and other kinds of risks have tended to keep these incidents under wraps.

The conventional wisdom was that it was bad for the brand and bad for the business to talk about these situations. But times have changed –- the developments of the past couple of years in the financial services industry have served to demystify risk management in many ways. At the same time, with e-crimes and other kinds of online security breaches becoming more sophisticated and prevalent, some industry players are calling for more openness and collaboration as a way to try to identify and prevent attacks before they compromise critical customer information.

The growth of more sophisticated attacks on our critical infrastructure, exploits that compromise our "Personal Identifiable Information" (PII) and the risks associated with wrong, invalid or corrupted information will continue to accelerate. The loss events are directly tied to the speed and sophistication of the systems associated with people doing their daily tasks, whether it be a person operating a vehicle with computers on board or sensors designed to collect specific information, the systems are faster and more complex.

Sharing information to address the threats from transnational non-state actors who are organized and operating with the intent of exploiting vulnerabilities in the fabric of business have three places to focus their efforts on your systems and controls:

• Design
• Implementation
• Configuration

If business understands that these are three areas that the attackers are focused on, then perhaps they will realize that resources and manpower must be allocated to these key components of the enterprise defense. If you think about each loss you have incurred over the past year, the odds are that your attacker was able to exploit one of these three attributes. Think about it for a minute.

Even if your design is flawless in theory, overtime you may come to find that the wall is not tall enough, the fence not long enough or the door not strong enough. Even if your implementation follows the designers instructions you may find that the environment you operate in is too hot, too isolated or overwhelmed with chaos. Even if your configuration today is a one-to-one match for all known exploits the adversary is watching and monitoring your design and implementation. They are changing their tactics and "Modus Operandi" (MO) to fool you, scare you or to operate in complete stealth mode, until it is too late. This is known as irregular warfare:

When we say irregular warfare, what we're really talking about is a not so new, but newly formalized approach to dealing with challenges. It is a concept and philosophy properly considered in the strategic context that allows us to apply capabilities holistically to achieve desired effects. It's most unique characteristics are the focus on the relevant populations, support to sovereign partners and a linkage to our shared interests. It is a DoD activity not limited to SOF or dependent on a state of war.

Irregular Warfare “the concept” equips us intellectually to deal with a global environment that is characterized by broad ambiguities. These ambiguities are seen in the apolar nature of a world with multiple competitors; both state and non-state. Challenge causations that include crime, extremism and accelerating migration patterns and finally the interdependencies and interconnectivity of economies, communications and media systems and social networks. This is, without question, a highly complex challenge set and we, must be a more capable and sophisticated actor ourselves if we expect to protect our national interests.

In order to better understand how to mitigate operational risks in our institutions, you also have to study the complexity of modern warfare. The speed and complexity of new adversaries, (fraudsters, hackers, spies, terrorists, vandals, corporate raiders) that exploit your Design, Implementation or Configuration can be applied easily to both your accounting controls or security measures. Those organizations that learn how to apply modern day irregular warfare to the 21st century corporate battlefield will not only beat the competition, they will minimize their losses. Operational Risk Management discipline is an essential element that begins with the tone at the top and one enlightened CEO.