Monthly Archives: July 2014

Oxymoronic German process

If you’re in business, and you need to keep the market informed about your operations, so that they can make educated choices about investments, it’s important that your communications are accurate, complete, and reliable.  So you take steps to make sure that you have processes and procedures that provide a level of assurance that the information you report is correct.  And if problems arise, you address them promptly.  Before the regulators step in and require it.  Twelve years later, in December 2013.  And cause a 3% drop in share value.

“Fed Raps Deutsche Bank For Shoddy Reporting,” Wall Street Journal, July 23, 2014 A1  Bank repeatedly warned over the years about weakness of processes and unreliability of financial information.

It’s good to aspire to be best in class.  But it’s not good to be worst.

What would a similar report do to your company’s reputation?


Leave a comment

Filed under Board, Collect, Communications, Compliance, Compliance, Compliance, Compliance Verification, Governance, Inform market, Inform shareholders, Internal controls, Oversight, Protect, Protect assets, Protect information assets, Risk, Value

Photos on your phone

Most of my postings are about what people write and what they say.  Clearly that’s information, and if written or said in the course of a company’s business, a proper subject for information governance.

But what about photos?  Are there risks of your employees taking pictures (or video) of your information or the information of your clients?  Do your controls capture that?

“Johns Hopkins to Pay Out Millions for Secret Photos,” Wall Street Journal, July 22, 2014 A2  An egregious violation of patients’ rights leads to a settlement of nearly $200 million for 7,000+ plaintiffs.  Surprisingly low.

Can photos and videos be a way for your information to leak?  Or for your company to be out of compliance with privacy, copyright, trade secret, or HIPAA requirements?  Do your controls address this, when everyone has a smartphone?

Leave a comment

Filed under Collection, Controls, Definition, Duty of Care, Internal controls, Privacy, Protect information assets, Risk, Security

Barclays, again

Barclays is in the news again.  And that’s not a good thing.

Scandals have dogged Barclays for years.  The most recent one has a couple of different facets, which should be familiar.

First, Barclays lied to its clients, despite the issues having been raised to senior management.  It fell back on the time-worn defense of emails being taken out of context.  When did that work?  Would you prefer to trust your broker?

Second, a key employee behind the recent problems had been fired from Goldman for being somewhat lax about his documentation of trades.

“Barclays Pool Drew Fast-Trade Alarms,” Wall Street Journal, July 21, 2014 C1

I guess they must have thought people had forgotten.  Or that they will forget.  Seems to me, the culture is fatally flawed.  Certainly, the governance model needs work.


Leave a comment

Filed under Uncategorized

Catch 22

Yes, in Europe you have the right to be forgotten.  But when you seek to enforce that right, the website needs to be notified to take down the “offending” article.  And when they are notified, especially in the States, that is a separate story.

“Tantric Sex Workshop Gets ‘Forgotten,'” Wall Street Journal, July 19, 2014 B4 An American, named in an article in the US, move to Amsterdam, and seeks European protection.  But the US website gets notified.

Memory is a tricky thing.  So is information.

Leave a comment

Filed under Definition, Privacy, Protect information assets

Protect the grid

The pot calling the kettle black.

The Federal government, by way of the Federal Energy Regulatory Commission, is telling industry to increase the security around the electricity grid.  And requesting additional authority for the Fed to say which facilities need enhanced security.

“FERC Seeks Changes To Grid-Security Plan,” Wall Street Journal, July 18, 2014 B2  An industry-led group prepared the proposal for providing physical security.  The Fed wants the plan to apply to more facilities.  This is the same government that had issues with Wikileaks, Edward Snowden, the Navy Yard shooter, and other physical security lapses.

That being said, this does highlight an important point.  While there’s a lot of focus on on-line security, what about the security of the physical assets containing your company’s information?  Are you as secure as you need to be where you need to be?


Leave a comment

Filed under Protect assets, Risk, Security, Third parties

Who feels the pain? And when?

Compliance enforcement measures sometimes fail because the wrong people are punished.

“Prosecutors Change Tune on Prevention,” Wall Street Journal, July 17, 2014 C2.  US Department of Justice and FBI officials are starting to realize that threatening prison for corporate officials involved in bad behavior isn’t as effective a deterrent as imposing fines large enough to make shareholders angry.  Especially when few corporate officials go to prison.  But how large do fines need to be before they are confiscatory?  And are you taking money from people who did nothing wrong?  Isn’t the objective compliance, not punishment?

Does imposing huge fines convince shareholders to lean on their Boards to do a better job of oversight and compliance?   Does that really have the intended impact?  And the shareholders at the time of the fines aren’t the same shareholders anyway.

I think the impact would be a lot more powerful, and the effect more immediate, if prison terms were a real threat.  You don’t want to hit your puppy on the nose two weeks after some other dog had an “accident.”

Leave a comment

Filed under Board, Compliance, Compliance Verification, Controls, Culture, Governance, Internal controls, Investor relations, Oversight, Risk

Smallpox and anthrax

Lessons learned.

People get desensitized to the risks and dangers of the things they work with every day.  Specifically and to wit: smallpox virus.

“CDC Needs Tougher Oversight, Critics Say,” Wall Street Journal, July 17, 2014 A3. “[G]overnment laboratories that handle dangerous microbes [have] problems with oversight and a lax culture.”

If the labs handling smallpox and anthrax can’t keep track of stuff,  how can you expect your employees to follow the rules on keeping and organizing your companies information?  Oversight and culture, I guess.


Leave a comment

Filed under Board, Compliance, Compliance, Compliance, Compliance Verification, Controls, Culture, Governance, Internal controls, Management, Oversight, Protect, Protect assets, Protect information assets, Risk, Security