Common Elements of Failed Financial Institutions (FDIC)

Posted In Business Continuity, Regulatory Compliance, Risk Management on November 5th, 2009

Yes, I admit it…I was surfing the FDIC web site this past weekend and I was spending some time reviewing past Financial Institution Letters that the FDIC releases to advise the banking industry of supervisory changes and guidelines.

I came across a Financial Institution Letter for Newly Insured FDIC-Supervised Depository Institutions that included the new changes, as well as a list of common elements from troubled or failed institutions.

The list offers some potential lessons learned for organizational leaders (board of directors, executive management, compliance and others) and so I thought I would share the list.

  • Rapid growth
  • Over-reliance on volatile funding, including brokered deposits
  • Concentrations without compensatory management controls
  • Significant deviations from approved business plans
  • Noncompliance with conditions in the deposit insurance orders
  • Weak risk management practices
  • Unseasoned loan portfolios, which masked the potential deterioration during an economic downturn
  • Weak compliance management systems leading to significant consumer protection problems
  • Involvement in certain third-party relationships with little or no oversight


The list identifies the difficulties and complexities of “connecting the dots” and reminds bank leaders about many different types of “dots” that need better management to ensure better results.

If you are an organizational leader in the financial sector, this is good information!






To Do Lists and Got To Do Lists…

Posted In Business Continuity, Information Security, Legal, Pandemic Flu, Regulatory Compliance, School Safety on August 14th, 2009

Every manager I talk to has a long To Do List and they all say the list is getting longer.

Then I ask them about their GOT TO DO LIST.  Their responses usually include groans, moans and terribly painful looks on their faces.

As I talk to more and more managers and review more and more headlines in the news, it is obvious to me that managers’ GOT TO DO LISTS are becoming more painful by the day.

Why are GOT TO DO LISTS getting more painful?  Look at these articles, which include lessons learned as well as future challenges:

Heartland CEO on Data Breach: QSAs Let Us Down

HITECH Act Ramps Up HIPAA Compliance

Obama Wants Big Banks to Pay More for Oversight

FTC Announces Expanded Business Education Campaign on ‘Red Flags’ Rule

Updated Federal Guidelines for 2009 H1N1 Influenza in Schools Offer Many Options

Improving OSHA’s Enhanced Enforcement Program

How are you managing and implementing your GOT TO DO LIST?






Strained Budgets Cut Funding for Technologies…Blessing in Disguise?

Posted In Business Continuity on July 30th, 2009

According to a recent article, because of tight budgets, many organizations plan to cut funding for technologies that would help to mitigate the main security threats they face.

The article went on to say that 72 percent of respondents have seen an increase in e-mail-borne malware and phishing, yet eight percent of respondents said they plan to cut previously allocated funding for messaging security, e-mail encryption, e-mail security or instant messaging security technologies.

The survey also revealed that although 40 percent of respondents noted lost or stolen devices as a top security challenge for the next 12 months, 15 percent said they will be cutting budget allocations planned for mobile encryption and wireless security.

Other surveys have offered some interesting numbers, too.  A survey from Ponemon indicated that 88% of breaches in 2008 were due to negligence and a survey from Verizon revealed 90% of breaches could have been prevented with security basics.

So perhaps the strained budgets could be a good thing?

What if an organization implemented awareness and accountability instead of more technology?

What if an organization implemented better knowledge that led to better decisions, less duplication and more efficiency across their silos/departments?

The bottom line would be improved with cost savings.  The bottom line would be improved by targeting negligence.  The bottom line would be improved by addressing security basics.

The bottom line is that perhaps strained budgets are a blessing in disguise…






The Achilles Heel of All Managers

Posted In Business Continuity, Human Resources, Risk Management on July 7th, 2009

Numerous lessons learned reveal that the Achilles Heel for most managers (and organizations) is the Lack of Implementation Tools.  The lack of implementation tools has become THE principal weakness for all levels of managers, and it is the weakness that eventually leads to their downfall.

So let’s discuss some of the details surrounding implementation.

First, you may ask: the lack of implementation tools for implementing what?

Implementing Processes.  Processes include:  procedures, policies, plans, regulations, specifications, roles, responsibilities, strategies, priorities, etc. 

Numerous Processes need to be implemented in every Department in an organization.  Numerous Processes need to be implemented to meet requirements in Regulations and Mandates, which continue to mount. 

Numerous Processes need to be implemented for Emergency Management, Risk Management, Information Management, Personnel Management, Reputation Management, Vendor Management, Contractor Management, Environmental Management, Credit Management….are you getting the picture?

Numerous Processes need to be updated and re-implemented to ensure adaptability with continuous changes involving risks, budgets, personnel, threats, strategies, goals, lawsuits, layoffs, etc.

By the way, the definition of Implementation is to ensure actual fulfillment by concrete measures or to perform or to carry out.  Implementation is difficult and complex because Processes need to be clearly understood by People before they can be fulfilled, performed and carried out.

Over the next several Lessons Learned blogs, the importance of implementation and ensuring managers have proven implementation tools will become obvious… 

For example in the Virginia Tech Review Panel Final Report in the A FINAL WORD section:

“Had the recommendations in this report been implemented, many of the problems cited above might have been averted.”






President Obama’s 10-point Cybersecurity Action Plan – Part 7

Posted In Business Continuity, Information Security, Risk Management on June 16th, 2009

Step 7 is:

Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.

Wow…this is a very complex step when you consider the Cyberspace Policy Review described cybersecurity policy as:

cybersecurity policy as used in this document includes strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure. The scope does not include other information and communications policy unrelated to national security or securing the infrastructure.

Step 7 is also very complex because of:

  • International partnerships and
  • Creating initiatives that address the full range of activities, policies and opportunities associated with cybersecurity.


The easy part of Step 7 is “developing U.S. Government positions”, because Lessons Learned have proven over and over that developing a position is fairly simple to do: all it takes is a PC and a megaphone or Press Release.

However, implementing and managing the “cybersecurity policy framework” across international partnerships (different languages across all appropriate individuals) and “creating initiatives that address the full range of activities, policies and opportunities associated with cybersecurity” will require extensive situational awareness, accountability, measurability and audit-ready documentation to ensure the initiatives are working. 

If you can’t measure it…you can’t manage it.

Stay tuned for Step 8…






Identity Theft: Will bank customers be held liable?

Posted In Business Continuity, Incident Reporting, Information Privacy, Information Security, Legal on June 1st, 2009

In 2007 the Swedish bank Nordea was stung for $1.1 million in the “biggest ever” online bank heist.  250 bank customers were affected by the fraud after falling victim to phishing e-mails.  The e-mail contained a Trojan horse that redirected customers to a false home page where they entered important login information.  Most of the customers affected had not been running antivirus applications on their computers.  The bank covered the losses and refunded all the affected customers.

In 2009 credit union customers received text messages notifying them that their debit cards had been deactivated.  The message gave a number to call to reactivate the card, and the customers who called were then asked for personal banking information.  Those who provided information instantly had their bank accounts wiped out.  100 people fell for it and the bank had to refund the money to their accounts.

Incidents like these occur every day. 

Should banks really be held accountable for their customers’ lack of awareness? 

Will the customers ever be made liable?

While these events clearly indicate a lack of understanding among bank customers, the real problem lies in the lack of education provided by banks.  Banks should implement awareness programs and training options for their customers and provide them with up-to-date information regarding the latest security threats, risks and best practices.  By engaging and educating customers, banks can not only create a competitive advantage and add value to their services, but also help prevent incidents like those mentioned above from occurring and save valuable time and money, while avoiding embarrassing and expensive headlines.






Swine Flu Preparedness…White House Megaphone vs. Twitter Megaphones

Posted In Business Continuity, Emergency Management, Pandemic Flu on April 29th, 2009

This past Sunday I was watching and listening to DHS and HHS officials talk about the Swine Flu Alert. During the announcement I found it interesting that Secretary Napolitano made a special point to clarify the declaration of emergency by saying she wished they could call it a declaration of emergency preparedness, because that is really what it is in this context.


I agree with Secretary Napolitano that a declaration of emergency preparedness is needed because most organizations are not well prepared for a pandemic flu outbreak…but that is another topic for another day.

Then I came across a headline on CNN about Twitter causing controversy as some of the Twitter micro-blogging is propagating fear, unnecessary hype and misinformation about the outbreak while others comment that the Twitter buzz is a good sign that people are talking about the issue.

No matter what you think about Twitter, everyone using Twitter has a megaphone to use however they want. 

So, are there any Lessons Learned involving megaphones?  Remember what happened when Orson Welles went on the radio in October 1938 and presented a series of simulated news bulletins that suggested an actual Martian invasion was in progress?  The radio show created panic and widespread outrage with some calling the event cruelly deceptive.

So, what happens if an ‘Orson Welles’ or terrorists decide to use Twitter to create panic or spread hype and misinformation about the outbreak?  Is your organization prepared to address rumors, hype and misinformation from Twitter and other megaphones?

What happens if your employees stay home from work because of misinformation?

What happens if ‘bad guys’ or ‘competition’ use Twitter to create panic with your customers and your partners?

Does your organization have a way to securely communicate accurate and sensitive information with your employees? With your partners? 

Can your organization ensure integrity and accountability for information at the individual level?

Lessons Learned clearly show megaphones can create complex problems and megaphone management is a dangerous trend that is creating expensive and massive “pains” for organizations of all sizes. 

In today’s world of megaphones, organizations need tools that can deliver the right information to the right people in the right place at the right time with accountability and auditability.






Heartland Payment Processor on PCI “Probation”…Compliance is not a Once a Year Thing

Posted In Business Continuity, Incident Reporting, Information Privacy, Information Security, Regulatory Compliance, Risk Management on April 6th, 2009

In one of the largest data breaches to date, Heartland Payment Company compromised the cards of over 100 million people, almost 1/3 of the U.S. population.

In addition to dealing with a damaged reputation, expensive notifications and fallout, and continued lawsuits from affected banks and credit unions, the latest hit to Heartland came from Visa.  Visa recently took action against Heartland by suspending the data breach victim and removing it from Visa’s online list of PCI-DSS compliant providers.

Heartland was last certified as PCI-DSS compliant in April 2008, but in a presentation given earlier this month by two Visa executives, Visa was quoted as saying, “As of today, no compromised entity has been found to be compliant at the time of the breach”.

Of course they weren’t!  How can an organization that exposes 100 million credit card accounts be considered PCI compliant?  And…compliance on April 1 does not equal Security on April 1.   

Heartland is yet another learning experience showing how critical it is for organizations to not only focus on getting past the upcoming compliance examination, but to truly and proactively maintain a secure organization throughout the year.  A comprehensive approach to security includes ongoing assessments, ongoing updates, ongoing testing, ongoing training, etc.  Employees must be continuously updated on new risks, threats, best practices, etc.  Once-a-year training is not enough.  Once-a-year compliance is also not enough.

How many more data breaches will we see before organizational leaders realize the importance of implementing lessons learned?






Leaders Must Learn From Others’ Mistakes Too

Posted In Business Continuity on March 5th, 2009

Learning from our mistakes is popular advice and I find it interesting that the majority of the advice and the majority of experts’ quotes have two common themes:

  • If YOU are taking risks and moving forward, YOU will make mistakes.
  • When YOU make mistakes, the key is not to make the same mistakes twice.


Good advice but not updated for today:

  • Today’s challenges include serious economic challenges, accelerating threats and constant changes.
  • Today’s leaders will not live long enough to make all the mistakes on their own so today’s leaders must do a better job of learning from the mistakes of others.


Headlines, lessons learned and case studies seem to be occurring almost every day and the incidents are showing alarming and dangerous trends in two key areas:

  • Bad guys are taking advantage of known gaps and weaknesses that organizations are not proactively addressing
  • Individuals (at all levels) and organizations are making the same mistakes over and over leading to expensive and embarrassing results

While a lot of leaders are saying a lot of the right things when it comes to mistakes and lessons learned, it is time for today’s leaders to take proactive steps to implement and maintain customized knowledge based on their own lessons learned as well as lessons learned from mistakes made by others.

Another good reason to learn from the mistakes of others is the impressive ROI!  If it is someone else’s mistake, then your cost is $0, and if your proactive efforts reduce, eliminate or prevent thousands or millions of dollars in expenses, fines and lawsuits…why wouldn’t you?






2008 vs. 2009 and Information vs. Knowledge

Posted In Business Continuity, Human Resources on January 5th, 2009

One thing you can bet on this time of year is “resolutions”.

And now that 2008 is behind us, experts, leaders and politicians are offering all types of information. Some offer top 10 events of 2008 and some provide lists of past and future incidents and challenges that organizations will need to manage and oversee more effectively in 2009 and beyond.

There is no doubt that these experts, leaders and politicians mean well, and there is no doubt they are attempting to offer valuable information to help organizations more successfully address escalating challenges, especially now, due to limited budgets and limited resources.  But…(yes, I know saying “but” after a comment can sometimes nullify the previous comment)…to actually help organizational leaders take proactive steps, I must share the following advice:

1) A bunch of Information is not Knowledge.

2) Megaphone Management is not working.

In my previous 27+ years of experience, I have experienced 27 different “new years” and at least 27 different versions of New Year’s resolutions.  Unfortunately, most organizational leaders take a ‘bunch of information’, broadcast it out to employees, partners and others, and expect everyone to understand what the information means and how to implement all of it so that decisions and results are better in the new year.

I think we can all agree that this status quo approach is causing a lot of the problems we are now facing in 2009 and beyond.

For “a bunch of information” to be usable, the information needs to be translated into customized knowledge for your organization so your people can use this knowledge to make better decisions.

And “megaphone management” is not working because when you blast out information in e-mails, memos and binders and on intranets, the organization has no idea whether the right people got the right information and no idea whether anyone understood what, why, where and how the information should be utilized.

In future blog comments, I will provide examples of incidents, events and lessons learned that will help explain how next generation knowledge management efforts will be a key to success in 2009 and beyond.





