<?xml version="1.0" encoding="utf-8"?><rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0"><channel><ttl>60</ttl><title>Risk Management Associates</title><link>http://blog.rmasecurity.com</link><lastBuildDate>Sun, 05 Sep 2010 00:47:41 GMT</lastBuildDate><pubDate>Sun, 05 Sep 2010 00:47:41 GMT</pubDate><language>en</language><copyright /><itunes:subtitle> </itunes:subtitle><itunes:author /><itunes:summary /><description /><itunes:owner><itunes:name /><itunes:email>bgreen@rmasecurity.com</itunes:email></itunes:owner><itunes:explicit>no</itunes:explicit><itunes:category text="Arts" /><item><title>Life Happens...Things Change</title><link>http://blog.rmasecurity.com/2010/08/02/life-happensthings-change.aspx?ref=rss</link><dc:creator>Risk Management Associates</dc:creator><description>&lt;p&gt;We have always known that businesses must either operate within the confines of the law or risk prosecution by the government. In the early days, when there were relatively few rules that applied to business conduct, it was much easier to discern the scope of allowable behavior. However, several decades ago, this began to change. Now, the “rules of the game” are more numerous and significantly more complex. Consider the following:&lt;/p&gt;
&lt;blockquote style="margin-right: 0px;" dir="ltr"&gt;&lt;blockquote style="margin-right: 0px;" dir="ltr"&gt;
&lt;p&gt;On May 15, 2010, a North Carolina food distributor is approached by Ignacio Gutierrez of Mega Empacodora De Frutas S.A. de C.V., a fruit company based in Mexico. Distributor agrees to buy fruit from Gutierrez and Company. Distributor makes all necessary customs declarations and receives its first delivery on June 15, 2010. &lt;/p&gt;
&lt;/blockquote&gt;&lt;/blockquote&gt;
&lt;p&gt;Has Distributor violated the law? Yes. &lt;/p&gt;
&lt;p&gt;Although Distributor made all required import declarations, this alone did not fulfill its obligations under U.S. law. Distributor was also required to query all parties to this transaction (including transporters and their vessels) against lists of debarred persons and entities maintained by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) – an office which primarily regulates exports. Had it done so, it would have discovered that six days before it received its first shipment, both Gutierrez and Company were listed as Specially Designated Narcotics Traffickers (SDNT) under the Drug Kingpin Act and barred from doing business with all U.S. persons. &lt;/p&gt;
&lt;p&gt;Since 2000, OFAC has designated more than 700 individuals and corporate entities as SDNT (Source: &lt;a href="http://treas.gov/press/releases/tg738.htm"&gt;treas.gov/press/releases/tg738.htm&lt;/a&gt;, 7/2/2010). Penalties for trading with such persons range from civil penalties to criminal fines up to $10 million. Corporate officers may also be sentenced to up to 30 years in prison and fined up to $5 million. &lt;/p&gt;
&lt;p&gt;OFAC regulations and the Drug Kingpin Act are not unique. Most laws regulating corporate conduct include similar punishment provisions. However, the example underscores the ease with which a company can run afoul of the law – even when trying to do the right thing.&lt;/p&gt;
&lt;p&gt;So, what does this mean for Distributor? Oddly, the answer may depend as much on what happened before the violation as anything else. More and more, both the decision to prosecute violations and the extent of sanctions imposed turn on the presence or absence (and quality) of Distributor’s corporate compliance and ethics program. &lt;/p&gt;
&lt;p&gt;&lt;b&gt;Origin of Corporate Compliance Programs&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;The concept of corporate compliance was first introduced in 1991, through the Federal Sentencing Guidelines for Organizational Defendants. Under the Guidelines, if an organizational defendant was found to have created and maintained an “effective” compliance program prior to the violation, it would earn credits that could, in effect, lessen the penalty assessed against it. For organizations that had taken no steps toward compliance, the opposite was true. Since then, the existence of an effective compliance program has become the touchstone in both the initial decision to prosecute and the extent of liability imposed on corporate officers and directors.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;What is an “Effective” Compliance Program?&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;An “effective” compliance and ethics program requires more than just lip-service to the notion of compliance. An organization must “exercise due diligence to prevent and detect criminal conduct,” and “promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” On the other hand, both prosecutors and the courts realize that no plan – no matter how well designed – will be 100% effective. Therefore, as long as the program is designed, implemented, and enforced so as to be &lt;em&gt;generally effective&lt;/em&gt; in preventing and deterring criminal conduct, the failure to detect or prevent any single instance of conduct will not render it ineffective.&lt;/p&gt;
&lt;p&gt;Because risks differ among industries and companies, the specifics of each program will vary. However, to be generally effective under the Guidelines, the program must at a minimum require: &lt;/p&gt;
&lt;ol&gt;
    &lt;li&gt;The establishment of standards and procedures to prevent and detect criminal conduct; &lt;/li&gt;
    &lt;li&gt;Programmatic oversight by the Board of Directors (or highest level governing body in the organization); &lt;/li&gt;
    &lt;li&gt;Designation of one or more high-level employees to be responsible for day-to-day program operation; &lt;/li&gt;
    &lt;li&gt;Allocation of sufficient resources to achieve the program’s objectives; &lt;/li&gt;
    &lt;li&gt;Training of personnel, employees, and agents on their respective duties under the program; &lt;/li&gt;
    &lt;li&gt;Reasonable steps to ensure program compliance/effectiveness; &lt;/li&gt;
    &lt;li&gt;Consistent promotion and enforcement of the program throughout the organization; &lt;/li&gt;
    &lt;li&gt;Appropriate responses to criminal conduct detected, to prevent future occurrences; and &lt;/li&gt;
    &lt;li&gt;Periodic reassessment to identify and mitigate new risks of criminal conduct.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;b&gt;Notes on the Cost of Compliance&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;As with any new program, there will be costs associated with a compliance program. However, many companies are surprised to learn that much of the required infrastructure is already in place. Most are already engaged in some form of compliance; workplace safety and anti-discrimination/harassment are common examples. Many times, the mechanisms put in place to address these select risks can be modified for use in a broader compliance program.&lt;/p&gt;
&lt;p&gt;Companies should also consider the cost of lost opportunity. Arguably, the most widely recognized of all compliance statutes is the Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, which requires publicly traded U.S. companies to develop compliance programs aimed at deterring and detecting financial fraud. While the Act itself only applies to &lt;em&gt;publicly traded&lt;/em&gt; companies, it also extends liability for the conduct of companies with which they do business. As a result, there is a growing trend among companies subject to the Act to do business with only those companies that have an effective compliance program already in place.&lt;/p&gt;
&lt;p&gt;One added bonus is that the same techniques utilized in an effective compliance program (help lines, investigations, and other internal controls) often lead to the prevention and detection of internal fraud, waste, and abuse. Since this can account for upwards of 6% of a company’s revenue, the savings realized by catching or deterring even some of this conduct can more than cover the cost of the entire program (Source: Frank &amp;amp; Newman-Limata, “A New Audience for COSO – SEC &amp;amp; PCAOB Requirements for Anti-Fraud Programs &amp;amp; Control,” &lt;em&gt;Prevention of Corporate Liability Current Report&lt;/em&gt; 36, 32, BNA April 19, 2004).&lt;/p&gt;</description><category>Background Investigation</category><category>Corporate Compliance</category><category>Investigation</category><comments>http://blog.rmasecurity.com/2010/08/02/life-happensthings-change.aspx#Comments</comments><guid isPermaLink="false">6519d84b-5345-477a-bf22-fa77b117f50d</guid><pubDate>Mon, 02 Aug 2010 19:00:22 GMT</pubDate></item><item><title>Think Small, Lose Big</title><link>http://blog.rmasecurity.com/2009/07/23/think-small-lose-big.aspx?ref=rss</link><dc:creator>Risk Management Associates</dc:creator><description>&lt;p&gt;&lt;em&gt;Note: The following paragraph is an amalgamation of several recent RMA cases. Names and circumstances have been modified, combined, or altered to protect the privacy of our clients.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;John unlocked the front door of the office and headed straight for the break room for his second cup of the day. A plate of homemade cookies sat next to the coffee, and he realized that Jane must already be at work. Her dedication to the job was admirable, yet she always seemed to find time to do those extra things that made people feel special. On his way back to his office, he noticed a birthday gift on Mary’s desk. Jane must have left that as well. John entered his office, dropped his bag on the floor, and began sifting through the piles of paper on his desk that never seemed to shrink. On top of the pile was the P/L from the previous month that he had been scrutinizing late the night before. Usually Jane handled the details, but with the way the economy had been, he felt the need to take a closer look. Some of the documentation looked a little off, and he reminded himself to ask Jane yet again for the relevant files. Finance and accounting were not his strengths, and he relied on her to run that part of the business and explain it to him when needed. Last month, however, something just seemed off. Income was slightly down, but the expenses seemed strangely high. John sighed, fearing that he would have to deny employee requests for raises for a third time. He frowned as he noticed an entry for a payment to a vendor he did not recognize. There was another, and another, and the amounts seemed a little high. As he looked through the reports before him, an uneasy thought began to creep into his mind. Was something wrong happening here? He dismissed the thought as irrational paranoia. The only person with enough skill was Jane, and he trusted her implicitly. This was a small business, and they were like family here. He dug through his desk and found the reports for the previous two months. They had the same pattern, and his uneasiness grew. What if Jane had been stealing from the company?&lt;/p&gt;
&lt;p&gt;Unfortunately, the scenario described above is not unique or unusual. Employee theft and embezzlement have always been a problem, especially for small businesses, and some experts believe the problem may be increasing in today’s economy. RMA has recently assisted several clients with this problem. Although not comprehensive, the information below is intended as a starting point for recognizing and preventing embezzlement.&lt;/p&gt;
&lt;p&gt;What conditions make embezzlement easier? &lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;&lt;b&gt;Little to no oversight, especially of a trusted employee.&lt;/b&gt; Oversight could be provided by an immediate supervisor, a supervisor at a higher level, or an outside third party such as an accountant or auditor. In addition to making embezzlement more difficult, oversight provides an opportunity to examine the standard accounting process for errors or inefficiencies. In our recent cases, the thefts were discovered by supervisors taking a closer look or by new employees learning the process. &lt;/li&gt;
    &lt;li&gt;&lt;b&gt;A large amount of available petty cash.&lt;/b&gt; Petty cash should be kept to a minimum for several reasons, not just potential misuse. Simply from a security standpoint, it may be unwise to have a large amount of cash in an unsecured office or desk. Allowing employees to have access to ready cash is sometimes too tempting to resist. Company credit cards are a good alternative to petty cash and provide an opportunity for oversight when reconciling the statements. If petty cash is used, receipts should be mandatory and reconciled frequently. One of our recent cases involved a significant manipulation of petty cash. &lt;/li&gt;
    &lt;li&gt;&lt;b&gt;A trusted employee in a family atmosphere.&lt;/b&gt; This seems like an ideal situation, but no employee should ever be trusted to the point where their work is not subject to evaluation and scrutiny. Speaking from personal company experience, our Vice President has been the model of integrity for our company since she started in 1991. She has Secret clearance from the Department of Defense and is our Facility Security Officer. She is beyond reproach, and her trust is not questioned. Although she is responsible for all accounts payable and payroll, the bank statements are only opened and reviewed by the company President who provides oversight of the process. In our recent cases, the thieves were highly respected members of the organization who were thought to be incapable of embezzlement.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;What are some common characteristics of the thief? &lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;&lt;b&gt;An exceptionally dedicated employee.&lt;/b&gt; Working late or arriving early provides an opportunity to work without supervision. By never taking a vacation, the thief reduces the chance of discovery by a replacement. An employee who volunteers to go to the bank to conduct transactions on behalf of others may be hiding a crime. Each of our recent cases involved a suspect who used at least one of these methods. &lt;/li&gt;
    &lt;li&gt;&lt;b&gt;Someone who seems to live beyond their means.&lt;/b&gt; The thief is spending the money they should not have in ways that are not typical. This could be gifts, sometimes lavish or expensive, for family, friends, and coworkers. The embezzled money could be spent on the home, clothing, or furnishings, or on vehicles including cars, boats, RVs, ATVs, or similar items. Sometimes the thief may lend money to family or a friend in need. If questioned, this unusual freedom with money is often explained as an inheritance or other unexpected windfall. Although each suspect spent their ill-gotten gains in different ways, all shared a common trait of spending more money than they seemed to have. &lt;/li&gt;
    &lt;li&gt;&lt;b&gt;A person with a history of embezzlement or other issues.&lt;/b&gt; If they have stolen once, chances are they will steal again. With new employees, the first line of defense is a pre-employment background investigation. Some previous incidents of embezzlement may not have resulted in criminal prosecution, making a civil record search for anomalies even more important. In addition, previous employment references may provide direct information or indirect clues about the circumstances surrounding the termination of employment. Of our recent cases where the employee was a relatively new hire, the thief had been suspected of embezzlement at a previous employer. No pre-employment background investigation was conducted. &lt;/li&gt;
    &lt;li&gt;&lt;b&gt;Someone who is everyone’s friend.&lt;/b&gt; The thief may be trying to avoid suspicion by making sure that everyone thinks highly of them. If someone is your friend, you find it harder to believe that they would steal from you. They may also be trying to solicit help from unknowing accomplices to manipulate some part of the system over which they have no control. This could involve requesting “help” on the computer to “fix an error” or requesting assistance on an unusual task. The suspects in our recent cases were described as friendly, well-loved members of the organization. &lt;/li&gt;
    &lt;li&gt;&lt;b&gt;A person who routinely operates outside the system, especially related to computer software.&lt;/b&gt; Many companies operate using an accounting system or software that requires some form of modification. It is understood that certain changes are required to meet the needs of the business, for example if an error needs to be corrected or an entry needs to be legitimately changed. Frequent changes and “fixes” provide opportunities to insert fictitious “fixes” to hide embezzlement. All of our recent cases have involved a suspect who manipulated the accounting software to hide their embezzlement.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;What can a company do to minimize the risk? &lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;&lt;b&gt;Provide internal oversight and review.&lt;/b&gt; Many companies have some form of control in place, but these controls must be periodically evaluated for appropriateness, effectiveness, and compliance. Require two signatures on checks, and do not allow the use of a signature stamp on checks. When reviewing information, do not just skim the information and “rubber stamp” the process. If something seems suspicious or unusual, ask questions and investigate. The thieves in our recent cases all took advantage of a lapse in internal oversight. &lt;/li&gt;
    &lt;li&gt;&lt;b&gt;Provide external oversight and independent evaluation.&lt;/b&gt; An outside auditor or accountant providing review services will make embezzlement more difficult. In addition, outside oversight provides an opportunity to evaluate the entire system and suggest improvements that may benefit the financial situation of the company. As with internal oversight, it provides an opportunity to discuss the function and health of the business as well as future plans for growth. It can be difficult for a small business to hire an outside auditor or accountant, but this service is highly valuable. &lt;/li&gt;
    &lt;li&gt;&lt;b&gt;Create and follow sound policies and procedures.&lt;/b&gt; Companies may create good policies and procedures, but they are useless if not followed or updated as conditions change. As businesses change, processes should change and evolve to meet the needs of the business. If a new vendor needs to be added to the system, for example, require approval from a supervisor to complete this task. When entries are changed, require approval for this process. Separate accounting functions and cross-train employees in different tasks to minimize one single person having control of the accounting process. Periodically evaluate the entire accounting process for compliance with established policies and procedures. In all of our cases, the suspect conducted activities considered “normal” that were contrary to written policies and procedures. &lt;/li&gt;
    &lt;li&gt;&lt;b&gt;Use the appropriate tools and technology.&lt;/b&gt; If the accounting software is not appropriate for the company, modify it to make it work without a great deal of manual intervention. Create a process and method for changing entries that produces a record that is examined for accountability. Provide training to employees and supervisors to make them familiar with the abilities and limitations of the system. If not using accounting software, make sure that the paper system is organized, straightforward, and clear. In all of our recent cases, the suspect took advantage of a “glitch” in the system.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If you suspect embezzlement, contact a professional who specializes in addressing those situations. This could be a forensic accountant, an attorney, or an investigative company. &lt;/p&gt;</description><category>Fraud</category><category>Investigation</category><comments>http://blog.rmasecurity.com/2009/07/23/think-small-lose-big.aspx#Comments</comments><guid isPermaLink="false">63173559-0eef-44af-9f5f-d1c345679eb3</guid><pubDate>Sat, 01 May 2010 18:02:00 GMT</pubDate></item><item><title>Products for Sale</title><link>http://blog.rmasecurity.com/2010/02/15/products-for-sale.aspx?ref=rss</link><dc:creator>Risk Management Associates</dc:creator><description>&lt;P&gt;&lt;STRONG&gt;An employee comes to you and tells you that her uncle bought some of your company's products at a very good price. The employee asks how he could make the purchase at less than the employee discount. That afternoon, you receive a call from the local police department. They report that some of your company’s products have been spotted at a local flea market, and they want to know if those sales are authorized. What would you do?&lt;/STRONG&gt; &lt;/P&gt;
&lt;P&gt;If you are not responsible for security at your facility, forward the information directly to that individual or to a member of upper management. A successful theft investigation relies on discretion, so forward all information directly to a single contact.&lt;/P&gt;
&lt;P&gt;For the person responsible for security, if law enforcement is already engaged, begin by determining if the products for sale are genuine products or imitations and by determining if these sales are part of an authorized process. Request that law enforcement conduct the investigation into how the product is being diverted and offer to support the investigation and the criminal prosecution of those responsible in any way. If case load or availability prevents a timely response from law enforcement, consider hiring a competent private investigator with demonstrated experience in cases of this type. The investigation into the allegations is important and should be handled by professionals as sensitive personnel, civil, and criminal information will be involved. Upper management and legal counsel should be involved in assisting in the investigation whether private or public, limiting those aware of its existence to a “need to know” minimum. &lt;/P&gt;
&lt;P&gt;It is important to establish policies and follow procedures to prevent thefts from occurring or to aid in any investigation if necessary. The specific measures will depend on the type of facility, whether manufacturing, distribution, or a combination. &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Have inventory control procedures in place and verify that they are being applied correctly. 
&lt;LI&gt;Use access control technologies and cameras effectively. 
&lt;LI&gt;Separate the shipping and receiving function. 
&lt;LI&gt;Develop policies for returned or damaged goods. 
&lt;LI&gt;Limit access to the building to reduce the potential for outside theft. This includes main entrances and dock doors. 
&lt;LI&gt;Move employee parking away from the building to reduce the potential for internal theft. 
&lt;LI&gt;If small products are involved, do not allow employee personal belongings such as bags, purses, or lunch containers in work areas. 
&lt;LI&gt;If the facility manufactures products, develop policies to compare the amount of raw materials versus finished goods. When determining waste tolerances, consider the quantity of product, the cost of raw materials, and the final value of finished products. 
&lt;LI&gt;If the facility manufactures products, develop policies to address second quality or “off-quality” products. An employee purchase program is a potential source of abuse or theft if not managed properly.&lt;/LI&gt;&lt;/UL&gt;</description><category>Fraud</category><category>Security Planning</category><category>Investigation</category><comments>http://blog.rmasecurity.com/2010/02/15/products-for-sale.aspx#Comments</comments><guid isPermaLink="false">5361dddf-a1f5-4ff7-8143-0c01d75741fa</guid><pubDate>Mon, 15 Feb 2010 18:15:00 GMT</pubDate></item><item><title>Traveling Technology</title><link>http://blog.rmasecurity.com/2010/01/29/traveling-technology.aspx?ref=rss</link><dc:creator>Risk Management Associates</dc:creator><description>&lt;P&gt;&lt;STRONG&gt;While traveling on company business, Bob uses a laptop containing company information. When he returned after his last visit, his laptop could not be found. He remembers using it in the airport, but he does not know where the laptop is now. What would you do?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Your first thought may be “fire Bob”; however, the most effective way to address this problem is to take action before Bob leaves for his trip.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;First, develop company policies on the proper security procedures when using company laptops, PDAs (BlackBerry or iPhone), or portable drives (jump drives, thumb drives, USB drives).&lt;/LI&gt;
&lt;LI&gt;Train all employees on these procedures and provide refresher training and updates when needed.&lt;/LI&gt;
&lt;LI&gt;Limit the amount of sensitive information on the hard drive or device, and do not create or keep any “password” files listing usernames and passwords.&lt;/LI&gt;
&lt;LI&gt;Keep in mind that all information accessed by the device will be stored locally in some fashion, so clean out cache and temp files on a frequent and regular basis.&lt;/LI&gt;
&lt;LI&gt;Always carry the laptop in the same fashion in the same bag in the same place every time so you will be less likely to accidentally lose it.&lt;/LI&gt;
&lt;LI&gt;Do not carry a laptop without the benefit of a bag or a case where it can be seen as an easy target by a thief.&lt;/LI&gt;
&lt;LI&gt;Most airlines now have rules prohibiting placing the laptop in the back pocket of the seat in front of you, and storing the laptop in the overhead bins means it will be out of your control and could be out of the plane by the time you realize it is missing, especially if you are in the window seat.&lt;/LI&gt;
&lt;LI&gt;Be cautious of people intentionally or unintentionally reading over your shoulder.&lt;/LI&gt;
&lt;LI&gt;Consider disabling the caching of emails from the company email account on the laptop because if the laptop is lost or stolen, all emails will be available on the laptop.&lt;/LI&gt;
&lt;LI&gt;If traveling employees share a laptop, delete the user account from the laptop when it is returned and use software to wipe all unused areas of the hard drive.&lt;/LI&gt;
&lt;LI&gt;Any laptop used by an employee should have corporate antivirus software installed and updated on a regular basis.&lt;/LI&gt;
&lt;LI&gt;The IT department or staff should review, update, and monitor any computer used for company business on a regular basis.&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;After the loss is determined, immediately contact the last known location to determine if the laptop has been recovered. Even if the laptop can be located, once the loss is reported it should be determined, in an interview with the employee, what was on the laptop. Any password typed into a program, Internet Explorer, virtual private network (VPN), or Remote Desktop connection can be collected from the stolen computer. All passwords on any account used on the laptop should be changed immediately, network wide. It may even be necessary to temporarily disable the account of any person who used the laptop while assessing the magnitude of the potential loss. In addition, all employees who have ever used the laptop should be notified in case they used the computer to access the company network or personal accounts such as email and online banking. Depending on the type of business conducted from the laptop, it may be necessary to notify customers.&lt;/P&gt;</description><category>Security Information</category><comments>http://blog.rmasecurity.com/2010/01/29/traveling-technology.aspx#Comments</comments><guid isPermaLink="false">04b3ea21-0431-4b5b-ad6a-cce82729ced3</guid><pubDate>Mon, 01 Feb 2010 18:00:00 GMT</pubDate></item><item><title>Practical Considerations for Blast Mitigation</title><link>http://blog.rmasecurity.com/2009/09/07/practical-considerations-for-blast-mitigation.aspx?ref=rss</link><dc:creator>Risk Management Associates</dc:creator><description>&lt;p&gt;&lt;em&gt;We were recently asked by a client to provide information on how they should protect their facility from potential vehicle-borne improvised explosive devices. Although this information was written specifically for an educational facility, the principles of how and when to apply blast mitigation procedures and protocols are appropriate for a variety of other companies and organizations as well.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Planning for protection against high-yield, vehicle-borne improvised explosive devices (VBIED) is a typical dilemma encountered by threat and vulnerability analysts in the U.S. since the Murrah Building was bombed in 1995. After the events of 9/11/01 and the advent of the Department of Homeland Security, a series of documents, references and recommendations have been published that seem to assume the worst case scenario with regard to use of extremely high-yield devices by an all-knowing and all-powerful enemy. These recommendations often seem devoid of threat-scale determinations and if taken literally, amount to extraordinarily costly and impractical remedies that most institutions, save the federal government who recommends them, cannot afford. &lt;/p&gt;

&lt;p&gt;There is a propensity in government agencies to proffer military targeting doctrine and models for use in establishing vulnerability criteria for civilian targets. The most cited, CARVER, is a model used by special operations forces to establish a target priority by using a matrix that considers the uniqueness, lack of redundancy, quality of protection, and other characteristics of a target to determine what to strike. Use of sophisticated military models of this type is not appropriate for evaluating civilian targets because terrorists and other militant groups likely to conduct such an attack are not trained, equipped, or proficient at conventional military operations. Neither do they discern target attractiveness in the same objective manner as a military force nor are they disposed to employ the same doctrine, logic, or psychology.&lt;/p&gt;

&lt;p&gt;As a matter of practice, security analysts and planners must consider the probability of an event as well as the criticality. It is possible to design and build blast resistant structures. External hardening of the fascia and reinforcement of the structure of existing buildings can provide protection from blast energy as it impacts the exterior surfaces and prevent intrusion of the energy into the interior spaces that are not resistant to lateral, vertical, or shear forces.&lt;/p&gt;

&lt;p&gt;It is also possible to isolate a structure geographically to a degree sufficient to mitigate over distance the effect of blast from even a very high yield conventional explosive device. However, this isolation may very well conflict with practical ingress and egress, and interfere to varying degrees with the purpose and use of the structure.&lt;/p&gt;

&lt;p&gt;Standoff considerations are important in defeating the effects of any explosive device, and the bigger the charge, the greater the desired standoff distance required. Usually absent in these considerations is a realistic analysis of probability. Particularly noteworthy in most of these documents is the considerable overstatement of the size of the weapons that may be encountered. As an example, a statement has appeared in several DHS documents that truck-borne IEDs are ‘typically’ over 10,000 lbs in TNT equivalent yield. The Murrah Building bomb was around 6500 lbs. of ammonium nitrate (0.82 TNT equivalent) or about 5000 lbs. equivalent TNT yield in a rental box van. Another significant incident of a VBIED is relevant to this issue. In 1970, anti-war radicals bombed the University of Wisconsin-Madison with an approximately 1500 lb. ANFO device (approximately 1230 lb. TNT equivalent) in an Econoline van damaging the Army Mathematics Center in Sterling Hall and killing a researcher inside. The third significant VBIED attack was the New York World Trade Center and involved a charge of approximately 1500 lbs (1350 lbs TNT equivalent) of urea nitrate in a rented van. The device devastated the underground parking garage, killed six, and injured more than a thousand. The other significant attacks were against U.S. military and diplomatic facilities overseas and are not believed relevant to this discussion. Therefore, the projection of potential charge weight in the U.S. theatre of operations is not supported by history. &lt;/p&gt;

&lt;p&gt;Terrorist threat evaluation centers on several unique factors. Any terrorist wants the most ‘bang for the buck’ because terrorism is a theatrical event. Timothy McVeigh did not perpetrate a ‘terrorist’ attack in Oklahoma City. This was an unconventional, direct military-style attack (guerrilla warfare) on a U.S. Government facility as a response to FBI actions in Ruby Ridge and Waco. Similarly, the Armstrong brothers’ bombing at the University of Wisconsin was an unconventional (guerrilla warfare) attack on a U.S. Army facility they perceived as a part of the Viet Nam war effort. The World Trade Center bombing was indeed a terrorist attack by Islamic fundamentalists on an icon of American prosperity, which was again attacked and destroyed on 9/11/2001. Considering these incidents, it is believed that a typical terrorist or guerrilla would seek to strike at an icon of America or a highly visible, representative target of their specific perceived enemy. &lt;/p&gt;

&lt;p&gt;While it may be prudent to consider the possibility of high-yield bombing in considerations of building security on American campuses, it is also prudent to moderate assessments with a regard for threat probability. Creating permanently hardened structures is costly, and establishing permanent standoff zones can restrict property use needed for other purposes. All such considerations need to be based on a reality of the threat and the likelihood of an event occurring.&lt;/p&gt;

&lt;p&gt;Protective standoff can be created temporarily when a threat environment presents itself through tactical use of exclusionary procedures and protective perimeters and devices that prevent unvetted vehicles from approaching a target building or entering a target area. This is a more flexible approach that can be applied to any location at any time as opposed to the creation of static, permanent, hard-site zones. Such security planning and development of doctrine and procedures should be considered and prepared to allow for quick creation of stand-off/exclusion zones and, depending on the perceived threat, implementation of tight screening procedures for vehicles or personnel.&lt;/p&gt;

&lt;p&gt;These procedures and protocols should be based on the analysis of past use of IEDs in the U.S., a realistic appraisal of the potential target for attack by terrorists or other militant factions, a realistic assessment of the type and potential yield of an IED, and the relative cost/use/threat efficiency of the specific target.&lt;/p&gt;</description><category>Security Planning</category><comments>http://blog.rmasecurity.com/2009/09/07/practical-considerations-for-blast-mitigation.aspx#Comments</comments><guid isPermaLink="false">a695d5ad-539d-4014-a302-0a0538d5876c</guid><pubDate>Mon, 07 Sep 2009 18:48:00 GMT</pubDate></item><item><title>The Basics of Computer Forensics</title><link>http://blog.rmasecurity.com/2009/08/31/the-basics-of-computer-forensics.aspx?ref=rss</link><dc:creator>Risk Management Assocates</dc:creator><description>&lt;P&gt;In recent years, shows like CSI and others have made the general public aware of the concept of forensics&amp;nbsp;- the use of science and technology to investigate and establish facts in criminal or civil courts of law (Source: &lt;A href="http://www.dictionary.com" target=_blank&gt;www.dictionary.com&lt;/A&gt;). However, based on storytelling time constraints imposed on television shows and movies, certain processes and procedures are often oversimplified, enhanced, and expedited. As licensed private investigators, it is sometimes necessary to explain to clients or potential clients exactly what information can be obtained and how long the process will actually take. This is especially true in computer forensics, the acquisition, preservation, and analysis of information on computers and similar technologies.&lt;/P&gt;
&lt;P&gt;Examining the contents of a hard drive or similar device first involves acquiring an image of the device in order to preserve the original data. In layman’s terms, this is essentially a copy of the hard drive that will be used during the analysis by the computer forensics examiner. The analysis is always conducted on the copy, never on the original device. The data is then processed by computer forensics software. Generally, the software first identifies intact files (such as operating system files, documents, pictures, etc.) and then evaluates the remaining file fragments. In some instances, these fragments can be assembled into recovered files, but in some instances, there is not enough information available to create a recovered file. This process often takes several hours depending on the amount of data involved. &lt;/P&gt;
&lt;P&gt;After this process is complete, the data can be searched for information relevant to the case. This may include Internet history, email history (both Outlook and web-based), keyword searches, encrypted files, user passwords, and information about when files were created, modified, accessed, or deleted, along with many other kinds of information. As with the previous process, the time required to complete this step depends both on the amount of data being searched and the searches being conducted. &lt;/P&gt;
&lt;P&gt;Although the type of information analyzed and produced in each case differs, the basic goal of computer forensics is to use proven software and procedures to gather and analyze data to create reproducible results. As with other scientific examinations, computer forensics requires the use of specialized tools and procedures that are standardized and consistent. Starting with original data, one computer forensics examiner should be able to follow a logical procedure and reproduce the results of another computer forensics examiner.&lt;/P&gt;
&lt;P&gt;When selecting a computer forensics examiner, certifications, experience, and references are crucial. A competent computer forensics examiner should have a current certification, license, or degree in computer forensics. In some states, the computer forensics examiner must also be a licensed private investigator. This examiner should have experience with computer forensics or similar work, and if testimony in depositions or court may be required, the examiner should also have experience with the legal process. As with any service provider, references will show the successful completion of similar projects and may also provide information about what to expect from the examination process in general. For this type of work, it is important to select an expert.&lt;/P&gt;</description><category>Computer Forensics</category><comments>http://blog.rmasecurity.com/2009/08/31/the-basics-of-computer-forensics.aspx#Comments</comments><guid isPermaLink="false">da59f6e8-380d-4175-922d-333e2a922595</guid><pubDate>Mon, 31 Aug 2009 19:20:00 GMT</pubDate></item><item><title>Be Prepared to Stand Alone: Planning for Weather Related Emergencies</title><link>http://blog.rmasecurity.com/2009/08/24/be-prepared-to-stand-alone-planning-for-weather-related-emergencies.aspx?ref=rss</link><dc:creator>Risk Management Assocates</dc:creator><description>&lt;P&gt;No one can control the weather, and weather can only be predicted accurately for a day or so into the future. With regard to specific locations, severe weather that can create extreme conditions and pose threats to life and property can only be predicted a few hours or a few minutes in advance. Within this parameter, weather emergencies may occur without any advance warning, often leaving only seconds to take precautions or protective action.&lt;/P&gt;
&lt;P&gt;The security organization is tasked with the physical protection of personnel and property. In these situations, it is paramount to this mission that the continuity of the security function itself be maintained. Although the management of the organization is responsible for the recovery of the business enterprise after the emergency, it is incumbent on the security operation to plan and perform in a manner that maintains the integrity of the protection function, thereby placing a security umbrella over the organization as it attempts to cope and recover. &lt;/P&gt;
&lt;P&gt;Weather related emergencies create an operational environment in which the security department may have to stand alone for minutes, hours, or days without significant assistance from outside agencies. Although relatively localized on a broad geographic scale, a weather emergency may affect everyone and everything in a specific area. The scope of such disasters often overwhelms public safety response for hours or days, and in some cases, has actually destroyed the public safety response infrastructure completely.&lt;/P&gt;
&lt;P&gt;The critical issues in weather related emergencies are the potential for sudden onset, the potential for extreme devastation by the forces of nature, and the potential for widespread effect. Nothing can be done to prevent weather emergencies, but there are measures that can be taken in advance to mitigate their effects and maximize the ability to respond to them during and after the fact.&lt;/P&gt;
&lt;P&gt;Weather emergencies are those situations in which the direct or collateral effects of weather create circumstances that pose a general threat. This may include disruption of transportation, such as employee travel, shipping and receiving, or emergency response. Communications, such as telephones, mobile phones, radio communications, and/or local computer or Internet access may also be disrupted. Utility services, including electric power, gas, water, and/or sewer, are also frequently affected. Weather emergencies also create short and long term hazards to life and property, whether directly or indirectly. &lt;/P&gt;
&lt;P&gt;Weather related emergencies have a direct effect on the security operation and security infrastructure. Security personnel may have difficulty in reporting for duty, home and family concerns, mental and physical effects, and functional hardships. There are also effects on security infrastructure, such as lack of electrical power, failure of other utilities, and difficulties with outside support.&lt;/P&gt;
&lt;P&gt;Recognizing the devastating potential of this type of emergency and understanding the unique response and recovery environment that might confront the security organization is the first step in planning for and integrating this challenge into the general security and emergency response plan. Contingency plans can help to overcome or adapt to direct and collateral effects of a weather emergency. Plan for special transportation assistance for personnel coming to and going home from work. Plan to address home and family concerns of personnel, including a disaster support program. Plan for adapting to infrastructure problems, including the potential for long-term outages, disruption, or lack of service. Plan for isolation and self-sufficiency, and be able to stand alone for 12 to 72 hours in a major disaster with no outside support.&lt;/P&gt;
&lt;P&gt;Effectively planning for the continuity of security operations in such weather emergencies is essential to carrying out the overall security mission. It also serves as a stable model for other units within the company to emulate. Being the well prepared “calm in the eye of the storm” serves the security function, the organization as a whole, and the entire surrounding community. Self-sufficiency in these situations minimizes the drain on heavily strained or overwhelmed public resources, and reinforces the security organization’s professional reputation as well as the company’s image as a good corporate neighbor.&lt;/P&gt;</description><category>Security Planning</category><comments>http://blog.rmasecurity.com/2009/08/24/be-prepared-to-stand-alone-planning-for-weather-related-emergencies.aspx#Comments</comments><guid isPermaLink="false">09b02b05-3b1a-401f-bae7-6cd79315bdc1</guid><pubDate>Mon, 24 Aug 2009 16:43:00 GMT</pubDate></item><item><title>Preparing for the Ordinary Means Protection for the Extraordinary</title><link>http://blog.rmasecurity.com/2009/08/17/preparing-for-the-ordinary-means-protection-for-the-extraordinary.aspx?ref=rss</link><dc:creator>Risk Management Assocates</dc:creator><description>&lt;P&gt;&lt;EM&gt;Although this article was originally written for electrical utilities, the concepts apply to other companies and organizations. Darren Nix of Risk Management Associates authored this article originally published in Security Products Magazine.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Increased security at Electrical Utility companies for the prevention of ordinary events also provides protection for the extraordinary events. There has been a tremendous focus on protecting our nation’s infrastructure from terrorist attacks. For several years, many in the security industry have even been “holding their breath” waiting for terrorist attacks to become routine on US soil. Public agencies and private sector businesses have been preparing for such events and how to mitigate them and/or respond; rightfully so, because it is critical that our industry, and America as a whole, is prepared for such events. The fact is, when conducting a threat assessment of an electrical utility facility, a terrorist attack is considered a low probability event but potentially very critical. Notwithstanding, there is a definite correlation between electrical companies providing increased protection and response to the higher probability lower criticality events and the security measures to protect and respond to terrorism attacks on our infrastructure. As a key element to our country’s infrastructure, electrical utilities face the threat of high probability events as well as low probability terrorist acts.&lt;/P&gt;
&lt;P&gt;Electrical utility providers have a responsibility to protect a variety of facilities and assets, such as power plants, operation centers, remote maintenance facilities, substations, transmission lines, and office buildings. Each of these facilities holds assets to be protected, such as employees, confidential company files, critical production equipment, precious metals, service equipment, money, and others. Homeland Security directives require electrical utilities to identify, prioritize, and protect BCI (Business Critical Infrastructure) facilities and operations. The utility providers protect assets at these facilities and other assets throughout their organization. A breakdown of those facilities might look like the following:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Generation facilities including control rooms at these facilities
&lt;UL&gt;
&lt;LI&gt;Coal (fossil fuel) plants&lt;/LI&gt;
&lt;LI&gt;Hydro Plants&lt;/LI&gt;
&lt;LI&gt;Nuclear Plants (Government Regulations on security)&lt;/LI&gt;
&lt;LI&gt;Gas fired IC Turbine facilities&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;
&lt;LI&gt;Operations
&lt;UL&gt;
&lt;LI&gt;Substations (Some are more critical than others, with 500kV subs generally the most critical. Others are 230kV, 115kV, and 66kV. Some substations provide power to customers such as military bases, hospitals, government facilities, etc.)&lt;/LI&gt;
&lt;LI&gt;Transmission lines (hardest to protect)&lt;/LI&gt;
&lt;LI&gt;Distribution lines&lt;/LI&gt;
&lt;LI&gt;Control Center (very critical facility where generation operations are monitored and to a great extent controlled)&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;Federal, state, and industry regulatory demands are placing increased pressure on the electrical utility industry to handle incidents in a manner that minimizes the impact of downtime while maintaining public confidence. As with other businesses, utility providers should determine the probability and criticality of specific events with a detailed Threat Assessment. Once this assessment has been completed, the company can then provide the appropriate resources to lessen the possibility of the event or the impact to the company. For example, consider the high probability of copper theft. With the rising cost of copper, there is an increase in theft of copper products. Electrical utility providers are one of the most susceptible victims to this type of theft. In most locations, preventing copper theft is a daily requirement. Thieves have been so bold as to even cut live or electrified copper lines out of substations. In some cases, assailants have lost their lives in the act. A copper theft of this nature could obviously cause some power outages and would draw the public’s attention to the company’s security. There are certainly many other events to consider, and with the increase of this and other types of incidents in recent years, utility companies have taken many necessary measures to enhance their security programs to prevent higher probability events.&lt;/P&gt;
&lt;P&gt;A common standard of care and security practice for the electrical utility companies is to prevent, prepare, and respond. First, prevention techniques are utilized. Each of the following security tools is incorporated in many cases at the facilities:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Fencing (height, top guard, etc.) &lt;/LI&gt;
&lt;LI&gt;Lighting (standards)&lt;/LI&gt;
&lt;LI&gt;Security management systems&lt;/LI&gt;
&lt;LI&gt;Access control&lt;/LI&gt;
&lt;LI&gt;Video surveillance and recording&lt;/LI&gt;
&lt;LI&gt;Intrusion detection systems (buildings, fencing, etc.)&lt;/LI&gt;
&lt;LI&gt;Signage&lt;/LI&gt;
&lt;LI&gt;Barriers (natural and man-made)&lt;/LI&gt;
&lt;LI&gt;Security Guards (presence)&lt;/LI&gt;
&lt;LI&gt;Hardened control rooms&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;By creating a security atmosphere around the facilities and utilizing many of the above tools, the companies are essentially attempting to prevent and thwart unwanted events. By creating barriers around the facility, installing fences, adding signage, meeting lighting standards, and using some of these other tools, utility companies are accomplishing two things. First, they are making it more difficult for would-be attackers to carry out their plan. With some of these other tools, such as security management systems, intrusion detection systems, and video surveillance, security personnel are able to better monitor facilities. These systems send notifications that would allow security personnel to assess the situation and perhaps intervene prior to the event taking place. As in our example of the higher probability of copper theft, these prevention techniques also effectively assist in making it more difficult for terrorists. For example, a utility company was experiencing an increase in copper theft at their operations facility by individuals compromising the fence at the back of the facility. Company management elected to increase security by making improvements to the fence, adding video surveillance on the fence line, and implementing video analytics to notify security personnel of activity around the fence. Applying these tools not only makes it more difficult for a copper thief to breach the fence line, but it also makes it harder for a would-be terrorist to breach the fence as well.&lt;/P&gt;
&lt;P&gt;Secondly, these companies must be prepared. Preparation unifies and permeates prevention and response. Along with the prevention tools mentioned above, these companies should have fundamental written security policies and procedures. Also, it is extremely critical that they have an Incident Management Plan (IMP) and/or Business Continuity Plan (BCP). After an event or natural disaster, the company must be able to quickly return the business critical infrastructure facilities to an operational status. This accomplishes two things: customer and public confidence is maintained and power production and transmission are quickly returned providing minimal losses in revenue. As companies are implementing these prevention methods, they are basically being prepared. They build on that by training personnel to be prepared. Some of this training is directly related to responding to events. For example, security guards and other personnel are trained in how to respond to certain incidents and how to resolve any problems. Therefore, the preparations made link the level of and methods of prevention and response. &lt;/P&gt;
&lt;P&gt;How a company responds to certain events displays how prepared they were to deal with it and the effectiveness of their IMP or BCP. If the response is poor then public scrutiny is almost certain, but even with an effective and well planned response, public opinion is often critical and long lasting. Therefore, prevention and preparation are equally, if not more, important than response. Utility companies must also communicate with local authorities in order to effectively coordinate response activities. For example, if a copper theft has occurred, then security personnel must gather as much of the investigative material as possible to give to law enforcement. This may include recorded video, event data, eyewitness statements, and other information that will help in the investigations. Ultimately, the relationship and communication efforts that utility companies develop with law enforcement on the day-to-day, higher probability cases such as copper thefts will increase their overall effectiveness in responding to more critical incidents like terrorist attacks.&lt;/P&gt;
&lt;P&gt;Higher probability prevention ultimately assists the company and their security program in being prepared to prevent and potentially respond to terrorist attacks. This point is not meant to imply that if a company addresses all high probability, low criticality events they will be prepared to deal with very critical events, such as terrorist attacks. The resources needed to be able to respond to more critical events are much different than those needed to respond to a less critical event. However, as these companies increase their security posture and implement the tools and techniques to prevent the more probable and most likely less critical incidents, they are ultimately increasing the ability to prevent terrorist activities, are better prepared to deal with terrorist acts, and have the means to respond to those types of incidents. &lt;/P&gt;</description><category>Security Planning</category><comments>http://blog.rmasecurity.com/2009/08/17/preparing-for-the-ordinary-means-protection-for-the-extraordinary.aspx#Comments</comments><guid isPermaLink="false">6304a9fa-5f12-4d7e-b769-276b1da33203</guid><pubDate>Mon, 17 Aug 2009 19:02:00 GMT</pubDate></item><item><title>Preparing for a Pandemic</title><link>http://blog.rmasecurity.com/2009/08/10/preparing-for-a-pandemic.aspx?ref=rss</link><dc:creator>Risk Management Assocates</dc:creator><description>&lt;P&gt;When planning for a pandemic, masks and gloves are the last thing you need.&lt;/P&gt;
&lt;P&gt;When considering a response to a pandemic, most employers immediately think of personal protective equipment (PPE), which are less effective measures used to protect employees and the public. Work practice, engineering controls, and administrative controls are far more effective but generally take more advanced time and resources to plan and implement. The key to a successful response is to be proactive as well as reactive. Every organization should include a planned response to a pandemic as part of the emergency response plan, business continuity plan, or general policies and procedures.&lt;/P&gt;
&lt;P&gt;RMA was recently asked to assist a client in developing a pandemic response plan. In conducting our research, we discovered a wide variety of good resources available to assist organizations. &lt;A href="http://www.osha.gov/Publications/influenza_pandemic.html"&gt;OSHA’s Guidance on Preparing Workplaces for an Influenza Pandemic &lt;/A&gt;is well written and provides valuable information. Additional links are listed below.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="http://www.pandemicflu.gov/plan/businesschecklist.html"&gt;Business Pandemic Influenza Planning Checklist provided by Flu.gov&lt;/A&gt; 
&lt;LI&gt;&lt;A href="http://www.cdc.gov/h1n1flu/guidance/workplace.htm"&gt;General Business and Workplace Guidance for the Prevention of Novel Influenza A (H1N1) Flu in Workers by the Centers for Disease Control and Prevention (CDC)&lt;/A&gt;&lt;/LI&gt;&lt;/UL&gt;</description><category>Security Planning</category><comments>http://blog.rmasecurity.com/2009/08/10/preparing-for-a-pandemic.aspx#Comments</comments><guid isPermaLink="false">e3984604-7573-48bb-bec4-bd0214453dae</guid><pubDate>Mon, 10 Aug 2009 18:30:00 GMT</pubDate></item><item><title>How to Choose an Integrator</title><link>http://blog.rmasecurity.com/2009/08/03/how-to-choose-an-integrator.aspx?ref=rss</link><dc:creator>Risk Management Assocates</dc:creator><description>&lt;P&gt;A key component to choosing an appropriate security system is a vulnerability assessment or a security threat analysis of a facility. Once an organization’s security needs have been determined, an appropriate security system can be designed to meet those needs. Critically important to the success of these projects is the choice of a qualified systems integrator to install the necessary components and maintain the system in the future. Whether this process is managed by in-house personnel or a qualified outside consultant, the qualifications of system integrators should be carefully evaluated.&lt;/P&gt;
&lt;P&gt;When evaluating integrators on behalf of our clients, these are some of the key factors considered by RMA. The following information should be required at a minimum, although certain organizations or projects may have more stringent requirements. &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;How many years has the company been in business? What is their history and length of service providing and installing certified applications?&lt;/LI&gt;
&lt;LI&gt;Does the company possess all of the pertinent licenses that are required to do business in the state in which the work is to be performed? If required, does the company possess a low voltage license and/or alarm system licensing?&lt;/LI&gt;
&lt;LI&gt;Have any complaints about the organization been filed with the local or state Better Business Bureau or similar organization? If so, what were the circumstances?&lt;/LI&gt;
&lt;LI&gt;Is the company financially stable? Require financial information for the past two years, if available.&lt;/LI&gt;
&lt;LI&gt;What are the labor rates of the company? How do they compare with similar companies?&lt;/LI&gt;
&lt;LI&gt;What certifications and training does the staff possess? Require resumes of key employees and inquire about the technical capabilities of the staff, including computer, network, and other technical certifications on specific product lines and applications. How are these certifications obtained, and are they current? &lt;/LI&gt;
&lt;LI&gt;Does the integrator perform all of their own work or do they utilize subcontractors? If subcontractors are used, what percentage of the work do they perform? Require a supervisor from the security integrator to be on site when the subcontractors are working.&lt;/LI&gt;
&lt;LI&gt;Require references of clients with systems and/or services similar to those that you are requesting. Contact the references and ask if they would be willing to allow you to visit the site and view the installation performed by the integrator.&lt;/LI&gt;
&lt;LI&gt;Who provides the service work after the sale and installation? Does the integrator have a dedicated service team? Inquire about service after the sale, including hours of operation and response times.&lt;/LI&gt;
&lt;LI&gt;Require the integrator to provide examples of design/engineering documents, As-Built documents, and preventative maintenance schedules and scope of work.&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;Before any actual agreement is signed, ask to meet the Project Manager and inform him or her of your expectations. As when interviewing a potential employee, the right questions are crucial to obtaining useful answers.&lt;/P&gt;</description><category>Security Systems</category><comments>http://blog.rmasecurity.com/2009/08/03/how-to-choose-an-integrator.aspx#Comments</comments><guid isPermaLink="false">d43c3848-c894-48c4-9503-40af95a8c226</guid><pubDate>Mon, 03 Aug 2009 17:52:00 GMT</pubDate></item><item><title>Creating a Master Plan</title><link>http://blog.rmasecurity.com/2009/07/27/creating-a-master-plan.aspx?ref=rss</link><dc:creator>Risk Management Assocates</dc:creator><description>&lt;P&gt;The process of developing a Master Security Plan begins with and has its foundation in the information, outcomes and recommendations of the assessment activities. Creating an integrated security plan to guide a security program is rooted in the existing organization, policies and procedures, culture and characteristics of the population. Each of these is surveyed and determined during the security survey/vulnerability analysis phase of the project. In plain words, the observer discovers what is ‘right’ as well as what may be ‘wrong’ or inadequate. The recommendations that arise from these analyses should build upon and utilize what is right, enhance or improve what may be marginal, and provide a guide for creating what is needed but does not exist.&lt;/P&gt;
&lt;P&gt;The concept or paradigm of integrated security provides latitude useful in creating or improving a security posture for an individual organization or site, and avoids the inadequacies and disappointments involved with forcing “one size fits all” solutions upon unique and sophisticated activities and facilities. The ability to devise the right combination of policy, procedure, physical security, electronic security, and police/security officer assets is a critical factor in creating a practical, workable and sustainable program. &lt;/P&gt;
&lt;P&gt;A master security plan defines the structure and procedure for the security program. A security posture is the degree of adequacy of a security plan and the degree of compliance with the security program as defined in the plan. The physical security plan should include all of the following components to some degree:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Perimeter:&lt;/STRONG&gt; A physical definition of the facility setting it apart from the surrounding area. 
&lt;LI&gt;&lt;STRONG&gt;Barriers: &lt;/STRONG&gt;Perceived barriers – Signage and suggested obstacles that do not physically prevent intrusion, but advise and suggest to the population where they can and cannot go. Physical barriers – Fences, gates, moats and other substantial obstacles that actually prevent or significantly delay penetration. 
&lt;LI&gt;&lt;STRONG&gt;Access control: &lt;/STRONG&gt;Devices or personnel that control entry through barriers and perimeters by authorizing admission. 
&lt;LI&gt;&lt;STRONG&gt;Identification:&lt;/STRONG&gt; Procedures and devices that vet and authorize legitimate people for entry and provide a means of determining by electronic means or appearance that those authorized are who and what they represent themselves to be. 
&lt;LI&gt;&lt;STRONG&gt;Surveillance: &lt;/STRONG&gt;The watching and monitoring of people and places to detect unauthorized or undesired behavior, and unusual or dangerous conditions and circumstances. This is accomplished by use of security officers on post or patrol, CCTV systems and alarms.&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;The components of the operational security plan are intended to provide for the command, control, training and operational guidance for personnel who administer the physical security program and respond to conditions and incidents that threaten the welfare of the population, the peace of the environment, or the security of property. Operational plans should consist of those directives and requirements that apply to the conduct of the population, procedures for security operations and the conduct of law enforcement and security personnel, guidelines for responding to foreseeable events, and criteria for dealing with unusual or emergency conditions.&lt;/P&gt;
&lt;P&gt;A master security plan should contain components that specify policies and procedures for operation of a law enforcement/security force, specifications for the location and use of physical security devices; communications and command and control criteria for these operations; and requirements and codes for the population.&lt;/P&gt;
&lt;P&gt;RMA consultants have developed and written security plans, security and emergency policy and procedures, detailed post orders and security response and operation plans for a number of large corporate and government clients, including a federal intelligence center and a major federal agency headquarters. Our recommendations are not based on theory but are the application of over 20 years of experience in seeing these recommendations put into place by our clients.&lt;/P&gt;</description><category>Security</category><comments>http://blog.rmasecurity.com/2009/07/27/creating-a-master-plan.aspx#Comments</comments><guid isPermaLink="false">5ff68651-ced3-47fa-a6ed-f7fe1c957a3e</guid><pubDate>Mon, 27 Jul 2009 17:01:00 GMT</pubDate></item><item><title>Background Investigations</title><link>http://blog.rmasecurity.com/2009/07/13/background-investigations.aspx?ref=rss</link><dc:creator>Risk Management Assocates</dc:creator><description>&lt;P&gt;Would you make a business decision without attempting to obtain all of the relevant information? When buying a product, do you only consider the information provided by the manufacturer? When hiring employees, do you take their resume at face value without independent verification of the information?&lt;/P&gt;
&lt;P&gt;Let’s look at some numbers compiled from a variety of business and security sources.&lt;SUP&gt;1&lt;/SUP&gt; Theft and fraud cause nearly 30% of all business failures, and approximately 70% of these crimes are committed by repeat offenders. The estimated cost of employee theft or dishonesty to U.S. businesses is $60 to $120 billion per year, and approximately 75% of internal theft is undetected. The cost of even one bad hire can exceed $100,000 in time recruiting, hiring, training, and inadequate performance, and 30% to 80% of resumes and job applications contain lies and/or exaggerations. &lt;/P&gt;
&lt;P&gt;Background screening is an organization's first line of defense against employee fraud. Employees are the greatest and most expensive asset of any business. Companies who have a comprehensive background screening policy attract higher quality applicants, discourage applicants with something to hide, provide better information for hiring decisions, reduce their liability, and provide a safer work environment.&lt;/P&gt;
&lt;P&gt;The goals of background screening are twofold. 
&lt;OL&gt;
&lt;LI&gt;Confirmation – a potential employer attempts to verify information provided by the applicant (identity, personal history, credentialing) 
&lt;LI&gt;Investigative – the potential employer looks for information that the applicant may try to hide (previous termination, criminal history, etc.)&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;Whether companies decide to conduct background investigations in-house or contract with a third party, it is important to remember that a "Background Screening" or "Background Investigation" is not the same thing as a "Records Check". A records check refers to a search of public records such as criminal, civil, driving, military, professional licenses, and sexual offender indices. A background screening or background investigation includes more information, such as references and developed references, employment history, and verification of education, and provides a more detailed picture of the potential employee.&lt;/P&gt;
&lt;P&gt;Unless you are a law enforcement agency, there is no such thing as a “national” criminal records check. Criminal records can be generated at a local level, such as a county or parish, or at the state or federal level. Not every county makes its records available online, and not every state has a statewide criminal records database available online. For example, North Carolina makes statewide criminal records available online through the Administrative Office of the Courts, meaning that a person’s record can be searched in all counties through one source. In Delaware, statewide requests are submitted via mail and must include the person’s fingerprints. In Ohio, criminal records are searched by each individual jurisdiction, meaning that a person’s record must be searched in each one. For companies seeking to conduct either background investigations or records checks, knowing what information can and cannot be obtained is vital.&lt;/P&gt;
&lt;P&gt;Not doing a thorough background investigation is the equivalent of trying to cross I-40 at rush hour with your eyes closed. Why take that risk?&lt;/P&gt;
&lt;P&gt;&lt;SUP&gt;1&lt;/SUP&gt;Sources: &lt;EM&gt;Security Management&lt;/EM&gt;, &lt;EM&gt;How to Identify Dishonest Within Your Business&lt;/EM&gt;, HR Logic, Inc.&lt;/P&gt;</description><category>Investigation</category><comments>http://blog.rmasecurity.com/2009/07/13/background-investigations.aspx#Comments</comments><guid isPermaLink="false">063ba718-21b4-400d-be41-b79514ad9388</guid><pubDate>Mon, 13 Jul 2009 18:15:00 GMT</pubDate></item><item><title>Beware of Warnings, or Check before You Forward</title><link>http://blog.rmasecurity.com/2009/07/06/beware-of-warnings-or-check-before-you-forward.aspx?ref=rss</link><dc:creator>Risk Management Assocates</dc:creator><description>&lt;P&gt;Have you received an email like this?&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;
&lt;P&gt;&lt;EM&gt;Police Warning (Send to Everyone): A man came over and offered his services as a painter to a female putting gas in her car and left his card. She said no, but accepted his card out of kindness and got in the car…Almost immediately, she started to feel dizzy and could not catch her breath. She tried to open the window and realized that the odor was on her hand… Apparently, there was a substance on the card that could have seriously injured her. This drug is called 'BURUNDANGA' and it is used by people who wish to incapacitate a victim in order to steal from or take advantage of them… So take heed and make sure you don't accept cards at any given time you are alone or from someone on the streets.&lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;What about this?&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;
&lt;P&gt;&lt;EM&gt;RAPIST TRICK: Know what money you are carrying… I stopped at the station to get gas… I took into the store two $5 bills and one $1 bill (just enough to get my stuff). As I pulled away from the store, a man approached my truck from the back side of the store (an unlit area). He was an "approachable-looking" man (clean cut, clean shaven, dressed well, etc.)… Since I'm very paranoid and 'always looking for the rapist or killer,' I didn't open the window. I just asked what he wanted. He raised a $5 bill to my window and said, "You dropped this." … When I told him it wasn't mine, he began hitting the window and door, screaming at me to open my door, and insisting that I had dropped the money! At that point, I just drove away as fast as I could. After talking to the Internal Affairs Department and describing the man I saw, and the way he escalated from calm and polite to angry and volatile ... it was determined that I could have possibly encountered the serial killer myself. Up to this point, it had been unclear as to how he had gained access to his victims, since there has been no evidence of forced entry into victim's homes, cars, etc. … How many times would you have opened your window (or door) to get your money and say thank you ...Because if the person is kind enough to return something to you, then he can't really be a threat ... can he???? Please be cautious! This might not have been the serial killer... But what might have happened if I had opened my door.&lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;B&gt;These are not true and should not be forwarded.&lt;/B&gt;&lt;/P&gt;
&lt;P&gt;As security professionals, we often receive quite a few of these “warnings”, cautionary tales, or similar information via email. Other subjects have included information about cell phones, cautionary tales about diseases contracted in a strange fashion, warnings about dangerous household products, stories about terrorist activities, and scams involving money. Any email that states “forward this to everyone you know” should be more closely evaluated.&lt;/P&gt;
&lt;P&gt;Before forwarding the email, check the validity of the story. The best source is usually &lt;A href="http://www.snopes.com" target=_blank&gt;Snopes.com&lt;/A&gt;, and their interface is easy to use. To use their search feature, choose a term that is unique to the email. For example, “burundanga” in the first story and “rapist trick” in the second story would produce results. As stated above, both of these stories are false.&lt;/P&gt;
&lt;P&gt;The next time you see a story that sounds too scary to be true, check out Snopes.com before forwarding. To do otherwise is simply contributing to the rampant spread of urban legends and lessening the likelihood that a real warning will be read.&lt;/P&gt;</description><category>Security Information</category><comments>http://blog.rmasecurity.com/2009/07/06/beware-of-warnings-or-check-before-you-forward.aspx#Comments</comments><guid isPermaLink="false">3d890b5d-b6e8-4703-ae74-27c015c0133a</guid><pubDate>Mon, 06 Jul 2009 18:20:00 GMT</pubDate></item><item><title>There is no substitute for a site visit</title><link>http://blog.rmasecurity.com/2009/06/26/there-is-no-substitute-for-a-site-visit.aspx?ref=rss</link><dc:creator>Risk Management Assocates</dc:creator><description>&lt;P&gt;We recently were asked to evaluate the security of a facility where a nighttime injury occurred in a parking deck. Upon preliminary review after receiving the information and photos, no real problems were noted. The facility looked well-kept, and reports were that their security was reasonable and up-to-date. The client was advised that a “long-distance” review would frequently overlook critical areas. The client agreed to a site visit by RMA.&lt;/P&gt;
&lt;P&gt;During the site visit, we examined the entire facility, including that upper level section of the parking deck where the injury had occurred. Although the facility had up to four roving security patrols at a time, they were never observed entering the upper level of this deck during the day-long site visit. They were seen multiple times in an adjacent deck. Although the upper level deck had light fixtures, about one-third were broken or otherwise inoperative and the overall level of lighting measured far below accepted standards. The deck was so dark that the end of the deck could not be seen when standing at the entrance to the facility.&lt;/P&gt;
&lt;P&gt;From an outside examination, it had appeared that the facility was practicing reasonable security. Once we were on location, however, the situation was actually much different. This scenario has been experienced over and over again by RMA consultants. What one believes to be the existing conditions and what the conditions are when examined are often drastically different. There is no substitute for a site visit.&lt;/P&gt;</description><category>Premesis Liability</category><comments>http://blog.rmasecurity.com/2009/06/26/there-is-no-substitute-for-a-site-visit.aspx#Comments</comments><guid isPermaLink="false">3f18b5ac-0262-4bcf-9e08-a7eacda1c36b</guid><pubDate>Mon, 29 Jun 2009 18:29:00 GMT</pubDate></item><item><title>What is Crime Prevention Through Environmental Design?</title><link>http://blog.rmasecurity.com/2009/06/22/what-is-crime-prevention-through-environmental-design.aspx?ref=rss</link><dc:creator>Tasha Dyson</dc:creator><description>&lt;P&gt;We recently had the opportunity to create a guide and reference for property owners and community stakeholders to use as an aid in understanding the concepts and strategies that can be used to improve security and the quality of life in their neighborhoods. During that process, we researched the concept of CPTED, Crime Prevention Through Environmental Design, an approach that considers environmental conditions and the opportunities they offer for crime or other unintended and undesirable behaviors.&lt;/P&gt;
&lt;P&gt;CPTED is different from other crime prevention or security measures because it specifically focuses on aspects of the design, while the other measures tend to be directed at target hardening by denying access to a target using locks and bars, using sensors and cameras to detect and identify an offender, or deploying security guards. CPTED is unusual also when compared to some police activities, because CPTED encourages prevention and considers design and place, while policing has traditionally focused on efficient and effective response to incidents and the identification and apprehension of offenders. &lt;/P&gt;
&lt;P&gt;CPTED is intended to specifically enhance the appearance and design of a facility, business, neighborhood, or residence in order to provide and present the appearance of significant guardianship. CPTED attempts to reduce or eliminate opportunities for crime by using elements of the environment to: &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Control access. 
&lt;LI&gt;Provide opportunities to see and be seen. 
&lt;LI&gt;Define ownership and encourage the maintenance of territory. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;Crime prevention through environmental design is a relatively new term, but the use of design for safety and security is not. Caves, cliff dwellings, castles, and moats are historical examples of the use of natural features for protection. As an example, requirements for street lighting grew out of a need to distinguish legitimate travelers from outlaws and thieves during a time before the protection afforded by automobiles. &lt;/P&gt;
&lt;P&gt;Contemporary approaches, including CPTED, emerged out of research on the relationship between crime and place, theories known variously as environmental criminology, situational crime prevention, rational choice theory, and routine activity theory, among others. Each theoretical approach focuses on considerations of how a criminal perceives and interacts with the environment in the planning, selection and decision-making related to committing a crime. &lt;/P&gt;
&lt;P&gt;CPTED and associated theoretical research ask the question, “Why here?” Research has revealed that: 
&lt;OL&gt;
&lt;LI&gt;Crime is specific and situational. 
&lt;LI&gt;The distribution of crimes is related to land use and transportation networks. 
&lt;LI&gt;Offenders are opportunistic and commit crimes in places they know well. 
&lt;LI&gt;Opportunity arises out of daily routines and activities. 
&lt;LI&gt;Places with crime are usually places without observers or guardians.&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;Crime prevention through environmental design examines crime problems and the ways in which various features of the environment afford opportunities for undesirable and unwanted behaviors. CPTED attempts to remove or reduce these opportunities by changing aspects of the building, site, location, and how the space may be used.&lt;/P&gt;
&lt;P&gt;For more information on CPTED and its practical application in this situation, please &lt;A href="http://www.rmasecurity.com" target=_blank&gt;contact us&lt;/A&gt;. &lt;/P&gt;</description><category>CPTED</category><comments>http://blog.rmasecurity.com/2009/06/22/what-is-crime-prevention-through-environmental-design.aspx#Comments</comments><guid isPermaLink="false">2e9e0269-4700-4bea-a3fc-b1fd47abe601</guid><pubDate>Mon, 22 Jun 2009 18:34:00 GMT</pubDate></item><item><title>BusinessWeek Article on Fraud</title><link>http://blog.rmasecurity.com/2009/01/09/businessweek-article.aspx?ref=rss</link><dc:creator>Risk Management Assocates</dc:creator><description>It is without doubt that during difficult financial times there are more cases of corporate fraud.&amp;nbsp; With a recession upon us not seen in decades we will surely be seeing fraud rise to unprecedented levels.&lt;BR&gt;&lt;A href="http://www.businessweek.com/bwdaily/dnflash/content/jan2009/db2009018_753877.htm"&gt;&lt;BR&gt;&lt;BR&gt;http://www.businessweek.com/bwdaily/dnflash/content/jan2009/db2009018_753877.htm&lt;/A&gt;</description><category>Fraud</category><comments>http://blog.rmasecurity.com/2009/01/09/businessweek-article.aspx#Comments</comments><guid isPermaLink="false">fd2b4ef3-6399-419b-8722-381328770d77</guid><pubDate>Fri, 09 Jan 2009 20:32:00 GMT</pubDate></item><item><title>Welcome</title><link>http://blog.rmasecurity.com/2009/01/08/welcome.aspx?ref=rss</link><dc:creator>Risk Management Assocates</dc:creator><description>Welcome to&amp;nbsp;the Risk Management Associates&amp;nbsp;blog. Please check back soon for new entries.</description><comments>http://blog.rmasecurity.com/2009/01/08/welcome.aspx#Comments</comments><guid isPermaLink="false">12ea2398-367f-4fa5-8ea9-58d3eeb6e7d1</guid><pubDate>Thu, 08 Jan 2009 14:14:32 GMT</pubDate></item></channel></rss>