Data intrusion, Ponzi schemes, natural disasters, health pandemic emergencies, branch robberies, terror threats and attacks, cyber attacks, and "occupy" events, among others, pose risks to assets, people and reputation. These events and others fall within the description of critical incidents. As mandated by government regulations and best business practices, financial and non-depository institutions have implemented extensive and robust business continuity and business contingency plans (BCP). These plans, coupled with post-event recovery practices, have helped financial institutions retool in many circumstances. However, a gap exists in this traditional business approach. In between BCP and recovery is the process of critical incident management.

This article provides a high-level introduction to the subject including critical incident management roles and tasks for AML, compliance, BSA, financial crimes and anti-fraud officers.

The traditional roles of operational risk/fraud/compliance departments are no longer sufficient to manage the complex threats now being faced by financial and non-depository institutions. These roles have evolved to include enterprise-wide crisis management functions and effective incident response processes.

When responding to an incident, what is needed is executable strategies to enhance communication, coordination and cooperation within the compliance function and across the enterprise. National governments across the globe have established response standards and mandates for private and public institutions. Here are a few examples:

• United States — the National Incident Management System (NIMS) provides a systemic, proactive approach to guide departments and agencies at all levels of government, as well as nongovernmental organizations, and the private sector to work seamlessly to prevent, protect against, respond to, recover from, and mitigate the effects of incidents, regardless of cause, size, location, or complexity, in order to reduce the loss of life and property and harm to the environment.
• United Kingdom and the United Nations — recommended the use of the Incident Command System (ICS) as an international standard. ICS is also used by agencies in Canada.
• New Zealand — has implemented a similar system, known as the Coordinated Incident Management System, Australia has the Australasian Inter-Service Incident Management System and British Columbia, Canada, has BCERMS developed by the Provincial Emergency Program.
• Brazil — ICS is also used by The Fire Department of the State of Rio de Janeiro (CBMERJ) in every emergency or large-scale events.

Critical Incident Definition and Impact on Financial Institutions

A critical incident is any event or series of events that has caused, or could lead to one or more of the following:

• People being injured, harmed or death
• Disruption of business
• Disruption to customer service
• Financial losses
• Reputational damage to the financial institution
• Compliance compromise

All financial institutions regardless of size, location, product offerings and security measures are vulnerable to human exploitation and natural disasters. These threats result in critical incidents. The incidents can originate from:

• Natural disasters
• Disgruntled or troubled employees, former employees or customers
• Individuals or groups engaged in criminal activity and/or technology intrusion
• Gangs, drug dealers, organizations or cartels, ethnic organized crime groups, terrorists or terrorist groups

Typically, leaders of financial institutions do not possess expertise in emergency management to respond competently to incidents. These leaders should not be expected to be critical incident management experts. What is needed is a system to have information, procedures, guidelines and practices in place to enable leaders to manage a critical incident. The process and response methods include assets internal and external to the financial institution. The operational goal(s) of financial institution critical incident management leaders and the AML/Compliance team is to:

• Restore normal operations as quickly as possible
• Minimize impact on business operations
• Ensure best possible levels of service, quality, and availability is maintained
• Contain incident — enhance safety and prevent loss
• Minimize chaos and disruption
• Maximize communications, continuity and organization

The organizational challenge for any type of incident response lies in the ability to utilize existing human capital and technology tools. Unfortunately, in times of a crisis, financial institution employees have had to rely on information contained in a five-inch response manual notebook sitting on the shelf covered with dust. Alternatively the financial institution should have user-friendly tools such as guides, checklists and procedures that are integrated with easily accessed software. These tools should be available to all employees enterprise wide. Tactical process tools should be authorized for use by all levels of management and leadership. The software utility should include functionality to:

• Organize FI response quickly and consistently
• Communicate effectively between levels of response and management
• Locate and communicate with resources, internal and external, on a 24/7 basis
• Maintain "business continuity" and manage the impact of the incident on the organization at the highest level.
• Demonstrate day-to-day compliance with regulatory mandates

During a critical incident there are four levels of response and management. In most financial institutions AML/compliance personnel participate in all four levels. The levels include:

1. Initial response by employees
2. Incident scene management using command post (CP) concept
3. Administrative level management using an emergency operations center (EOC)
4. Executive policy group

The AML/compliance function is an important resource during a critical incident. It is essential to the success of the critical incident leadership team to utilize and deploy the capabilities of the AML/compliance team. How can compliance help?

• Identify red flag warnings from customers, vendors, employees or other relationships that pertain to incidents
• Provide intelligence information "on the fly" from search engines, detection systems, KYC, CIP and risk rating programs. Some incidents can be predicted
• Leverage relationships with law enforcement partners that exist in normal financial crimes, fighting, and compliance activities
• Drill into past incident and financial crimes investigations for relevant intelligence information
• Support management by using experience from prior look-back and investigations
• Deploy a team of analysts with a "get 'er done" mentality

An Opportunity for Thought Leadership

Most financial institutions have installed and deployed business continuity planning and software, and have detailed business recovery steps. In comparison, critical incident management programs and software have not been integrated. Critical incident management is needed to fill the operational gap to elevate organizational effectiveness and mitigate threat risk.

In today's threat-filled world, incident management cannot be concentrated in the security or risk management silo. The knowledge, skills and abilities of AML/compliance assets in financial institutions are positioned to have a leadership role to address most if not all critical incidents.

Robert A. Goldfinger, CAMS, CFS, Cmdr.CID (retired) president, Lormel Goldfinger Global Group LLC, Holly Springs, NC, USA, rgoldfinger@LormelGoldfinger.com