It depends what you mean by “lost”

When someone touts numbers, what do they really mean?

“Your Lost Luggage May Not Count as Lost,” The Wall Street Journal, November 16, 2017 A12.  The “official” figures on how many pieces of luggage each airline misplaces are different than how many bags get lost.  The government defines the operating statistics that must be reported.

Are you sufficiently critical when someone gives you numbers?  Especially when it affects their compensation?


Filed under Accuracy, Controls, Data quality, Definition, Information, Requirements

20% failure rate

What does it say about your process if it has a 20% failure rate?  Are you not serious about quality?

“Army Didn’t Submit Convictions,” The Wall Street Journal, November 16, 2017 A3.  Twenty percent of the time, the Army failed to file records of military convictions into the federal database used for background checks for gun purchases.

The Air Force missed filing one, and the Texas church shooter killed 26.  The Defense Secretary ordered a review of all military units and how they process convictions.  Apparently, this is done (or not) by the local base.

Does your company have policies or processes that remote offices don’t follow 20% of the time?  Other than your record retention schedule?

Filed under Uncategorized

Eggs and baskets

On the one hand, regulators want to be able to easily see all the trading data about stock trades.  On the other, if you put all the important information in one place, hackers might go after it.  What’s a body to do?

“Exchanges Seek Database Delay, Citing Security,” The Wall Street Journal, November 15, 2017 B18. The NYSE and others asked the SEC to delay the start of a new database of sensitive trading information so that they can enhance the security. By adding a CISO, for example.

The SEC hasn’t been a positive model for computer security, and industry has had a few oopsies as well.  How does one balance ease of regulatory enforcement and security?  Which one is more important?  Who’s responsible/liable if there’s an oops?


Filed under Access, Accuracy, Controls, Corporation, Duty, Duty of Care, Governance, Government, Internal controls, Oversight, Protect assets, Security, Third parties, Value

Checkers checking checkers

What happens when the person in charge of protecting whistle blowers is alleged to have retaliated against employees who pointed out possible wrongdoing?

“SEC Watchdog Faces Complaints,” The Wall Street Journal, November 13, 2017 B9.  The Inspector General at the SEC faces complaints of retaliation against whistle blowers, who raised time and attendance fraud.  Was there also some office hanky-panky?  The investigation may also not have been independent.

It’s good when the government gives examples of behavior.  It would be better if they were examples of good behavior.

Filed under Compliance, Controls, Culture, Duty, Employees, Governance, Government, Internal controls, Oversight


A fascinating area for exploration is the drafts that led to the final version.  The dates, the wording, the recipients.  Why do people keep drafts?  Just because?

“Comey Originally Tougher On Clinton,” The Wall Street Journal, November 7, 2017 A5.  A Republican Senator discloses that Comey’s early draft of the exoneration document used the language “grossly negligent,” the statutory test.

I’ve referred to July 5, 2016 as the Day that Information Governance Died.  That’s when the Director of the FBI announced his decision not to prosecute someone who had routinely violated the rules on handling secret documents, because “no reasonable prosecutor would bring charges.”  Not to get into the politics of things, but how can you argue that following the rules is required when the Secretary of State isn’t held to the standards that apply to a Navy seaman?

That being said, why do people hold on to drafts?  Because it’s easy?  Or because it’s hard to get rid of them?  There is seldom a reason to retain them beyond when the document is final.  Maybe a phrase or a paragraph.  But the entire document?  How can we convince people not to keep drafts?



Filed under Legal, Discovery, Risk, Records Management, Governance, Controls, Internal controls, Compliance, Duty, Employees, Corporation

Swiss cheese, revisited

I am reminded of the Swiss cheese model for managing risk.  See

The awful shooting at the church outside San Antonio.  How many controls to manage the risk of a lunatic buying a gun failed?  Certainly, the Air Force failed by not recording the circumstances of his dishonorable discharge and related matters. (Was this systemic?  What about other branches?  Were there incentives/disincentives?)  And the fact that he had been in a mental institution wasn’t in the database either. Who else failed?

And what about the self-certification, where a gun buyer needs to certify that he/she hasn’t done a bunch of bad things, which in turn is confirmed by the background check?  Do self-certifications work?  How much do you rely on having your employees sign an annual certification that they’ve read and understood (and don’t know of any violations of) your Code of Conduct?  Does that provide any protection?  Or does it just give you false comfort and a metric to measure?


Filed under Compliance Verification, Risk

Equifax, continued

“Equifax Clears Four Executives,” The Wall Street Journal, November 4, 2017 B8.  Apparently, the senior execs didn’t know about the hack of 145.4 million accounts that was allegedly discovered only three days before they sold stock.

How do you prove what you didn’t know?  How does the lawyer approving the sales know what they knew?  Someone in the company knew about the hack.  Doesn’t that knowledge get imputed to all the senior execs?

Filed under Access, Compliance, Controls, Corporation, Duty, Employees, Governance, Internal controls, Lawyers