The discussion about information governance is normally directed to Management, where the argument is either compliance (yawn) or ROI (impossible to measure). But hope springs eternal.
The Target credit card breach has yielded a worthwhile public service (beyond providing this teacher fodder for my information governance course).
“Ouster of Target Directors Is Urged,” Wall Street Journal, May 29, 2014 B2 http://on.wsj.com/SUu6FU
Finally, someone is taking the battle to where it belongs — the Board. The Board has a duty to comply with the law, of course, and to exercise reasonable oversight over the operations of Management. But the Board has a fiduciary duty to take reasonable steps to protect the assets of the company. Information is an asset. Ergo, if they don’t fulfill their duty, either sue them or run them off. Then information governance may get more attention.
Leaving aside the political uproar over the stories of the VA waiting lists, stop a second and think about what really happened here.
First, people established as a metric how long veterans were on the waiting list before they got medical attention. Then people decided to give bonuses based on that metric. And… Surprise. People allegedly gamed the system to make the statistics look better (and get their bonuses). And levels of management who knew or should have known didn’t report the gaming up-dip to their management.
But people knew there were problems, and had been for years.
Lessons: People will game systems tied to their bonus or external perception. Management doesn’t really check the administrative details very closely. And even when Management knows of a problem, they don’t always tell their bosses up-dip. And even when Management knows and commits to fix, they don’t always do it very well.
Do you have information metrics in your business, tied to bonuses? Are people afraid to tell the boss bad news? Do bosses really fix things they don’t care about? Or is the problem different? And what is accountability for information, really?
“Obama Pushes Accountability at VA,” Wall Street Journal, May 22, 2014 A1 http://on.wsj.com/1olnoDG
Eight out of eleven. Good odds?
Of the eleven years in which a horse has won the Triple Crown, the stock market has gone down in eight. Is this coincidence or unconnected noise? Do you bet on it?
“Triple Crown a Bad Bet for Dow,” Wall Street Journal, May 21, 2014 C4 http://on.wsj.com/1kr0WIE
How do you connect information to decisions? Is that part of governance?
One of the steps to good information governance is to control inputs, and to educate your folks not to write words high in drama but low in meaning, or ambiguous, or absolute (when you don’t mean absolute).
So, you advise your clients not to write “Corvair-like” or “rolling sarcophagus” when describing your product. You counsel them to avoid characterizations of defect and keep business writing strictly factual. So, avoid characterizing something as a defect; instead, state the applicable factual parameters, such as 60cms (where the minimum is 65cms), or “the ball bearing did not meet specifications.”
But then even the Wall Street Journal slams you for educating your folks.
“U.S. Says GM Hid Recall Failures,” Wall Street Journal, May 17, 2014 A1 http://on.wsj.com/1t4cpjY
Any lawyer worth his/her salt would give the same advice. Don’t unnecessarily shoot yourself in the foot by writing dumb, unfactual stuff. For the 69 words employees were told not to use, go here. http://on.wsj.com/1n240ya Not a bad list; I would agree with everything but “failed,” “safety,” and “safety-related.” Depending on context. Nothing deceptive IMHO. Now, as part of the Consent Order, they can’t tell people not to use these words?
A major challenge is getting Management to buy into Information Governance, especially other than from a legal compliance standpoint. Harder still is getting the Board to buy into it. But if the Board buys in, can Management be/stay too far behind?
“GM Board Probing Information Gap,” Wall Street Journal, May 15, 2014 B1 http://on.wsj.com/1gFyVbx
GM Board hires its own lawyer/law firm to investigate why the Board hadn’t heard about the ignition switch problem earlier. Was the problem structural, or did Management not know that this was the type of information that policy required Management to report to the Board?
How important is complying with internal company reporting requirements to your career? Gives a different meaning to the word “cut-out.” I guess no one thought there’d be litigation. So no work product protection.
Two articles from today’s Journal.
“Oh, Baby, Wearables Track Infants’ Vital Signs,” Wall Street Journal, May 13, 2014 B1 http://on.wsj.com/1jXDgvh For the gear-obsessed, you can wrap your baby in electronics and follow them on your iPhone. Another stream of information; now you just have to figure out how to use it and how not to abuse it.
“A Hidden Data Treasure Trove in Routine Checkups,” Wall Street Journal, May 13, 2014 D1 http://on.wsj.com/1jDHatu The proliferation of electronic medical data allows researchers to locate connections that were heretofore hidden.
If big data is, as the Journal defines it, a collection of information too large to be processed using earlier processing power, then isn’t what it is and isn’t constantly changing? The point is, with sources of electronic data constantly expanding (see anything by IDC), how we access, process, and use that data becomes even more important. “Managing” it – storing, classifying, protecting, deleting – is less important than figuring out how to use it. Which is/are “information governance”?
Symantec (makers of Norton AV software), who should know, says that antivirus software catches only 45% of cyberattacks. So the battle then becomes one of mitigation: how do you limit the damage after the bad guys get in? Why should you care? Ask the former CEO of Target.
“Thwarting Hackers After They Invade,” Wall Street Journal, May 5, 2014 B1 http://on.wsj.com/1lTAacb
What steps do/should you take to monitor and prevent theft of information inside your perimeter defenses?