31 December 2007

2007: The Year of Living Dangerously...

What a year 2007 has been for Operational Risk Management. Looking back over the past 365 days brings visions of significant accomplishment and historic failures. Reflecting on what has worked can sometimes bring out the emotions and the evidence of our most vivid encounters with risk. You can't see risk. You can only witness the effectiveness of your work in the aftermath of incidents caused by your people, processes, systems or external events. That measurement, those metrics, is why the loss event databases are growing: so we can keep score.

Unfortunately, many are trying to keep score so that they can justify additional funding and resources for their pet projects or new initiatives. The Board of Directors and executive management need something by which to judge whether the programs and efforts for managing risk in the enterprise are working. Sometimes the quantitative must be taken in context with the qualitative measures to see the entire landscape of operational risk across your environment.

Here are just a few National Security milestones in the United States this past year:

  • PROTECT AMERICA ACT: In August, the President signed the Protect America Act of 2007, which closed critical intelligence gaps that threatened the safety of our Nation. The Protect America Act (PAA) modernized the Foreign Intelligence Surveillance Act of 1978 (FISA) to provide our intelligence community essential tools to acquire important intelligence information about foreign terrorists abroad who want to harm America. Unfortunately, critical provisions of the PAA expire on February 1, and Congress must act to keep our Nation safe by making these tools permanent and provide meaningful liability protection for companies who are believed to have assisted the Government after 9/11.
  • BORDER SECURITY: The Administration has taken steps within existing law to secure our borders more effectively. In 2007, we exceeded our goal of 145 miles of fencing at the border, and are on track to strengthen the border with 18,300 Border Patrol agents, 370 miles of fencing, 300 miles of vehicle barriers, additional cameras and radar towers, and three additional unmanned aerial vehicles by the end of 2008. The Administration has also instituted a policy of "catch and return," ensuring that all removable aliens caught trying to cross the border illegally are held until they can be returned to their home countries.
  • IMMIGRATION ENFORCEMENT: In 2007, ICE removed roughly 240,000 illegal aliens, made over 850 criminal arrests, and fined or seized more than $30 million following worksite investigations. The Department of Homeland Security has issued a "No-Match" regulation to help employers ensure their workers are legal and help the Government identify and crack down on employers who knowingly hire illegal workers. Unfortunately, this useful regulation is being held up by misguided litigation.
  • COUNTERTERRORISM: Working with our partners overseas, U.S. efforts to combat terrorism have contributed to the arrest of terrorist suspects and have disrupted plots aimed at both the United States and its allies. For example, in September, U.S. and German authorities disrupted a major terrorist plot resulting in the arrest of three suspects who were planning to attack a U.S. military base in Germany as well as Frankfurt International Airport. In June, the United States worked with authorities in Trinidad to arrest four men suspected of planning to blow up fuel tanks and a fuel pipeline at the John F. Kennedy International Airport.
  • NATIONAL STRATEGY FOR HOMELAND SECURITY: In October, the President issued an updated National Strategy for Homeland Security, which is serving to guide, organize, and unify our Nation's homeland security efforts. The Strategy articulates our approach to secure the Homeland over the next several years, reflects our increased understanding of the threats confronting the United States, incorporates lessons learned from exercises and real-world catastrophes, and articulates how we should ensure our long-term success by strengthening the homeland security foundation we have built.
  • 9/11 COMMISSION ACT: On August 3, the President signed the "Implementing Recommendations of the 9/11 Commission Act of 2007." This legislation protects Americans from being unduly prosecuted for reporting activity that could lead to acts of terrorism, and takes steps to modernize the VISA Waiver Program, particularly the additional security measures. The President continues to work with Congress to advance security and foreign policy objectives by allowing greater flexibility to bring some of our closest allies into the program.

In other events across the globe we witnessed how risks continue to challenge even the most prepared nations:

  • Virginia Tech joined the annals of US gun atrocities when a student killed 32 people and then turned the weapon on himself in what was the country's worst shooting rampage.
  • Three days after Gordon Brown became prime minister, and a day after two car bombs were found in London, Scotland experienced its first terrorist attack since Lockerbie. Two alleged Islamic extremists, one a doctor, drove a Jeep into the security bollards at the entrance of a busy Glasgow Airport on the first Saturday of the local school holidays. The car carried explosive gas canisters and although it burst into flames on impact, most of the containers remained intact. A few bystanders were injured, and were treated at nearby Royal Alexandra Hospital where one of the alleged terrorists worked. The driver of the car, Kafeel Ahmed, 27, died a month later from his burns, and others suspected of being involved in the attack were apprehended on the M6. All the suspects in the case were foreign recruits to the NHS.
  • The credit crunch arrived. Northern Rock became the most high-profile British victim of a crisis sparked by low-income American homeowners who'd been lent money they could never afford to pay back. Northern Rock was forced to apply to the Bank of England for emergency funds, in what was to become one of the biggest financial crises in a generation. Cue panic, cue queues.
  • A human chain of depositors formed at branches as bank customers attempted to reclaim their money. There was some very un-British behaviour, with police called to one branch when a couple staged a sit-down in an attempt to recover their £1m deposit. They left empty-handed. The run on Northern Rock caused the Treasury to pledge that no-one would lose their shirt, a promise which has so far cost £24 billion in lending to the troubled institution. The sheen of middle class security was wiped off property prices as people began to sniff a recession. It was the first of many indicators that Britain was still a nation divided by class, education and income.
  • The most significant event of the year, for the future of the planet, came this month when Arctic sea ice melted back to a record low. The extreme melt rate was not predicted by any supercomputer or climate change scenario, and scientists began to think that an educated guess for an ice-free Arctic summer might be 2030, well within most of our lifetimes.
  • Six foreign-born men are charged in what authorities say was a plot to attack the Fort Dix Army base in New Jersey.
  • Pakistani army commandos capture the Red Mosque in a 35-hour battle; the cleric who led the mosque's violent anti-vice campaign is among those killed.
  • A strong earthquake in northwestern Japan causes malfunctions at the world's most powerful nuclear power plant, including radioactive water spilled into the Sea of Japan.
  • Minneapolis bridge collapses into the Mississippi River during evening rush hour; 13 people are killed.
  • Mattel recalls 9 million Chinese-made toys because of lead paint or tiny magnets that could be swallowed.
  • Magnitude-8 earthquake strikes Peru, causing more than 500 fatalities.
  • A B-52 bomber armed with six nuclear warheads flies cross-country unnoticed, in serious breach of nuclear security; Air Force later punishes 70 people.
  • Hurricane Felix slams into Nicaragua's coast, the first time two Category 5 Atlantic hurricanes hit land in the same year.
  • Osama bin Laden appears in a video for the first time in three years, telling Americans they should convert to Islam if they want the war in Iraq to end.
  • Citigroup Inc. CEO Charles Prince resigns as company loses billions in debt crisis.
  • Suicide bombing kills six parliament members in Afghanistan; a U.N. report later says some of the 77 total victims were killed by gunfire from panicked bodyguards, not the bomb.
  • Cyclone Sidr strikes Bangladesh with 150 mph winds, killing more than 3,200 and leaving millions homeless.
  • Oil prices peak at $99.29 a barrel.
  • CIA director says interrogations of two top terror suspects in 2002 were videotaped but the tapes were destroyed later to prevent leaks; lawmakers and courts investigate whether evidence was destroyed.
  • President Pervez Musharraf lifts a six-week state of emergency he says was imposed to save Pakistan from destruction from an unspecified conspiracy.
  • Opposition leader Benazir Bhutto is assassinated in Pakistan by an attacker who shot her after a campaign rally and then blew himself up. The attack and rioting after her death claim at least 29 more lives.

These events over the course of 2007 illustrate the breadth and depth of the operational risks we face in the next few years. Climate change, terrorism, market volatility and human behavior will continue to challenge us as professionals. So as we embark on a new journey into 2008 what resolutions will we make? What have we learned about risk? Can it be managed?

One event not mentioned above may be a clear warning of a threat still unimagined in its capacity to cripple the entire planet.

Cyber security experts quoted in the McAfee report believe 99 per cent of attacks on government systems go unnoticed. But one attack this year that could not be overlooked was launched against the Baltic nation of Estonia, and that incident serves as a warning for other nations. The report calls the Estonia attack in April 2007 "the first real example of nation states flexing their cyber-warfare capabilities".

Estonian computers for government, banks and news organisations were hit with what is known as a distributed denial of service attack - that is, they were bombarded with so many requests they couldn't function.
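A flood like the one described above shows up in a web server's own access log long before anyone declares it an attack. The following is an added illustration, not code from the original post or from the McAfee report: it slides a time window over constructed common-log-format lines and flags both a single client that exceeds its own request limit and a distributed burst where no one client stands out but the site as a whole is overloaded. The thresholds, IP addresses and log lines are all assumed sample values.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache/nginx "common" log format: client ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)

def detect_flood(lines, window=timedelta(seconds=10), per_source=5, total=12):
    """Slide a time window over the log and report two flood conditions.

    noisy: clients sending more than `per_source` requests inside one window.
    overloaded: window end times where the whole site saw more than `total`
    requests, which is how a distributed flood looks when no single client
    exceeds its own limit. Thresholds are assumed values; tune to real capacity.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    noisy, overloaded, recent = set(), set(), []
    for ip, ts in events:
        recent.append((ip, ts))
        recent = [e for e in recent if ts - e[1] <= window]  # drop expired events
        if Counter(e[0] for e in recent)[ip] > per_source:
            noisy.add(ip)
        if len(recent) > total:
            overloaded.add(ts.strftime("%H:%M:%S"))
    return sorted(noisy), sorted(overloaded)

def _line(ip, hhmmss):
    """Build one constructed log line (sample data, not a real capture)."""
    return f'{ip} - - [31/Dec/2007:{hhmmss} +0000] "GET / HTTP/1.1" 200 512'

# Constructed sample: normal traffic, one client hammering the site, then a burst
# from 13 distinct clients in the same second, plus a line that does not parse.
SAMPLE_LOG = (
    [_line("198.51.100.10", "12:00:00"), _line("198.51.100.11", "12:00:30")]
    + [_line("203.0.113.7", f"12:01:0{i}") for i in range(6)]
    + [_line(f"203.0.113.{20 + i}", "12:02:00") for i in range(13)]
    + ["not a log line"]
)

if __name__ == "__main__":
    print(detect_flood(SAMPLE_LOG))  # (['203.0.113.7'], ['12:02:00'])
```

The per-source rule alone would have missed the 13-client burst, which is why the aggregate check matters for a distributed attack.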

First the mobile fails. Intermittent black spots are nothing new but you haven't had so much as an SMS from motormouth Michael in hours or anything from Jen who always calls with arrangements for Tuesday's movie by now.

You resign yourself to catching up on email and the frustrations mount with each minute on an unresponsive computer. Has the whole world stopped?

You resist the urge to slam the door as you head to the nearest ATM and the walk does you good ... until you key in your PIN. The machine is so sluggish it seems to take forever but eventually the screen responds. The news is worse than you thought. Your balance is: $0. It's as worrying as it is wrong. No mobile, no mail, no money.

You want to throw your hands in the air - and surrender is a more appropriate response than you suspect. You've lost a war you didn't even know was being waged.

The war of the future, according to an international look into cyber crime, could well be waged online. And the dangers are magnifying as governments and organised groups hone their abilities to spy on each other and attack critical pieces of public infrastructure with an arsenal of e-weapons.

20 December 2007

FRE 502: Evidence & Digital Discovery...

What could the implications of this ruling be for employees in New York state? Scott v Beth Israel Med. Ctr. Inc.

The writing is on the wall with the attorney-client privilege and Federal Rules of Evidence 502. A review of current e-mail policy may also be in order at your institution if you plan on achieving "A Defensible Standard of Care."

On December 11, 2007, Senator Patrick Leahy, Chair of the Senate Judiciary Committee, introduced S. 2450, a bill adding new Evidence Rule 502 to the Federal Rules of Evidence. The legislation addresses waiver of the attorney-client privilege and work product protection and is identical to proposed Evidence Rule 502, which was approved by the Judicial Conference of the United States and transmitted to Congress for its consideration in September 2007.

Here are comments by the BLT:

If approved, the legislation would allow litigants to avoid waiving privilege on inadvertent disclosures if parties took reasonable efforts to vet the documents and asked for the return of any privileged information in a timely manner.

"The surging use of email and other electronic media has forced parties to spend billions of dollars and countless hours to guard against the unintentional release of such information," Leahy's office reported. Specter added that the new rule would help ensure that "the wheels of justice will not become bogged down in the mud of discovery."

Stephen D. Whetstone, Esq. of Stratify says this:

Given the increased risks and costs, it is no surprise that many companies are trying to wrest control over the discovery process. More companies are now directing their outside counsel to leverage technology to automatically organize huge data collections, help understand foreign languages and detect privilege and thereby drive down the costs and mistakes that result from fatigued human review. The rule-makers get it, too. The Advisory Committee Notes to proposed FRE 502 provide: "Depending on the circumstances, a party that uses advanced analytical software application and linguistic tools in screening for privilege and work product may be found to have taken 'reasonable steps' to prevent inadvertent disclosure."

In short, in the 12 months since adoption of the new discovery rules, the sky did not fall. But, for some, it grew darker and more expensive to prop up.

In case you haven't noticed your CIO in the General Counsel's office lately, you soon will. The use of automated tools for Electronic Content Management (ECM) has converged with the tools for Disaster Recovery Management (DRM). In the middle of the pile of documents, email and other electronically stored information (ESI) is something called effective Records Management.

The nexus here is managing discoverable information: e-mail sent from Party A to Party B over the internal e-mail system provided by the employer, and on to third parties outside the organization, including lawyers. How can an organization make sense of it all and keep the GC from pointing fingers at the CIO?

The answer begins with building awareness and education among all employees in the organization, not just the legal staff and IT. It begins the moment any employee opens the Word document or Excel spreadsheet, the second you reply to that IM or e-mail on your PDA. Only through effective education and policy management will the enterprise learn how to modify behavior, regardless of what tools and systems are put in place to organize, sort and query ESI.

"Whether building the castle walls or defending the crown jewels, knowing the right questions can make all of the difference."

The beginning of your educational journey starts here: CastleQuest