Monthly Archives: September 2015

Watching the dominoes fall

Who would have anticipated the outcomes flowing from the VW scandal, from either a risk or a crisis management perspective? How would you quantify the potential losses to the company from this scandal?


  • The EPA established test standards and protocols for emissions testing of vehicles
  • Some auto manufacturers design around the protocols.
  • The EPA makes some designing-around illegal.
  • VW allegedly designs software that causes the engine to work one way when under test conditions and another way when on the road. (Actually, another company designed the software, but advised VW in a letter that using the technology was illegal. This letter was located by the internal auditors.)
  • VW advertises a lot, trumpeting the environmental test results.
  • People buy a bunch of VW cars.
  • VW gets caught (they knew they were caught several weeks before they fessed up).
  • The cars consumers bought now aren’t in compliance, and have lost a lot of value.
  • Customers who financed through VW claim fraud.
  • VW’s other brands suffer (Bentley, Lamborghini, Audi, and Porsche).
  • The chairman resigns.
  • VW loses 30% of market cap, hires Kirkland & Ellis.
  • Huge impact to German economy.
  • Germany plans criminal investigations.
  • Shareholders suffer huge losses.
  • Suppliers of diesel engines scramble, dropping more than 9%.
  • VW takes a 6.5 billion euro charge.
  • Discovery specialists circle the body, considering the amount of litigation and cross-border discovery coming soon.  Privacy experts and works councils are speechless.

From a compliance point of view, this says a lot about the culture at VW, which allowed this behavior to continue unabated.  And the internal controls weren’t effective.

What does this have to do with information governance?  Well, at the core this is fudging the data you give to the government (even if that isn’t your home government).  How many controls do you have in your organization to make sure the information you give to others is accurate and complete?  Are those controls effective?  Do you need more?

Will individuals go to jail?

See “VW Scandal Affects Finance Units,” The Wall Street Journal, September 28, 2015 B1.



For years, you have tracked information based on 14,000 categories.  Sort of like record retention categories.  But then they go and change from 14,000 categories to 70,000.  How do you manage the transition?

“70,000 Ways to Classify Ailments,” The Wall Street Journal, September 28, 2015 B1.

Maybe not a big deal for you, but your doctor and nurse and hospital have been spending big bucks to get ready.



No derivative suit

What do you do if a company you invested in was institutionally corrupt, at a massive scale?  Normally, a shareholder can use a derivative suit to have the corporation sue the directors who allowed the defalcation.  The directors can be held personally liable, or you can tap the insurance policy.  But if it’s a state-owned corporation, you need to follow a different path.

“Gates Foundation Sues Petrobras, Auditor for Fraud,” The Wall Street Journal, September 26, 2015 A8.  Bill Gates sues Petrobras and the PwC affiliate who audited Petrobras for losses coming from a massive bid-rigging and bribery scheme that had run for years.  Apparently, the internal controls were ineffective, even though PwC signed off on them.  More than $17 billion written off.

Counting on the Board to have effective internal controls to prevent fraud and bribery is one step.  So you also have a global auditor do an audit to give you objective verification.  Hopefully, litigation isn’t your backup plan.

Is there other information that would have clued you in to what was going on?


Catching up

Some articles from earlier this week.

“Bill and Billy Discuss Big Data in Baseball,” The Wall Street Journal, September 22, 2015 D6.  Reflections on the data-driven sport of baseball.

“U.S. Begins Criminal Probe of VW,” The Wall Street Journal, September 22, 2015 B1. VW designed its vehicles to operate differently when under test conditions than when actually being driven. Question: Why is VW criminal and GM (hiding the ignition lock problem) not? In the case of GM, people died.

“For Peanut Executive, 28 Years In Prison,” The Wall Street Journal, September 22, 2015 B1. Owner of peanut company sentenced for covering up salmonella contamination. Lesson:  food and drug industry executives are responsible corporate officers; everybody else isn’t.  It’s a long way from the misdemeanor and $50 fine in US v. Park.

“Ex-Adviser Pleads Guilty in Data Case,” The Wall Street Journal, September 22, 2015 C3.  Former adviser at Morgan Stanley pleads guilty to taking client data home.  Data later appeared for sale online.

“Data Pushes Aside Chief Merchants,” The Wall Street Journal, September 23, 2015 B7. Companies begin to value analytics more than insight.


Whose information is whose?

Here’s the situation: a contractor issued a phone to one of its employees.  The now-former employee is accused of insider trading based on third-party information he allegedly accessed while employed.  The SEC wants his passcode for the company phone.  Employee asserts Fifth Amendment protection (although he now lives in China – citizenship not clear).

“Judge Rules Phone Passcodes Are Protected Information,” The Wall Street Journal, September 25, 2015 A3.  Judge rules that since the employee never shared the passcode with his employer, he can invoke the Fifth, as the passcodes are personal, and not company, information.

Leaving aside whether non-citizens can invoke the Fifth Amendment (which speaks in terms of “no person”), does this mean that the company now has to require employees with a company-issued phone to use a company-supplied passcode?  Can the company require exiting employees to provide their phone code?  If a company doesn’t take these steps, what does that say?


Oh, those pesky emails

Investigation into potential FCPA violations for J.P. Morgan’s hiring of the sons and daughters of high-ranking Chinese officials; was this an attempt to get more business from the Chinese government?

“Executive Pushed for Hires at J.P. Morgan,” The Wall Street Journal, September 21, 2015 C1. Emails surface from the chairman of J.P. Morgan China at the time linking the hiring to business.

Why do higher-ups write dumb stuff?  Because they don’t understand the law or because they don’t understand the relative permanence of email?  Or because they don’t care?  Or weren’t sufficiently educated in the requirements?


Paving over the cow path?

“The Data-Driven Rebirth of a Salesman,” The Wall Street Journal, September 18, 2015 B1.  Sales departments using data and technology and analytics to avoid being cut out of the buyers’ process.

Do you have information on your prospective customers that does more than help you identify sales prospects? Does that information actually help the customer? If not, will the potential buyer bypass you and buy direct, online? Is technology adding value (to the customer) or merely making an out-of-date sales process more efficient?


Who gets prosecuted?

A company gets ready to plead guilty to criminal wire fraud for making misleading statements and concealing information about a safety issue.  Fine will be close to a billion dollars.

“GM Close to Criminal Settlement,” The Wall Street Journal, September 17, 2015 A1. Settlement looms on faulty ignition switches.

A key quotation: “[P]rosecutors are likely to open themselves to criticism if they don’t bring criminal charges against individuals at GM.” Really?

Why saddle the (comparatively innocent) shareholders of the company with a $900 million settlement and not penalize the actual employees who concealed the information and misled everyone?  Sure, they may have been fired, but is that enough?

Leaving aside the timing issue in penalizing today’s shareholders for something that occurred when they weren’t shareholders, wouldn’t throwing some mid-level or high-level executives in jail send a stronger message?  I guess the shareholders can sue the directors under a Caremark theory and the corporation could sue the fired employees for the loss.  Now, that would send a message, at GM and elsewhere.



Two stories, one theme

Two stories from today’s WSJ, both turning on the issue of who owns the information you generate using appliances.

“Internet of Things Spurs Rush,” The Wall Street Journal, September 16, 2015 B6.  Companies harvesting data from the sensors in vehicles and thermostats struggle a bit to find a way to use that information.

“What Apple Doesn’t Want To Know About You,” The Wall Street Journal, September 16, 2015 D1. Apple struggles to provide useful services without compromising your privacy.

Information is different from other assets. It has one value when you alone have it. It has another when a company can also see it and leverages it to make a better product (or to sell you a different, not-necessarily-better product or service).

Are “we” getting a fair portion of the value derived from “our” information?


Stealing information is bad

“Firm Settles Over Hacked News Releases,” The Wall Street Journal, September 15, 2015 C1. Firms accused of hacking news releases prior to publication and trading on the information ahead of the market.

Once you provide the news release to the wire service, what controls do you have over the security that the wire service employs?  Does that matter to you as much as it matters to the SEC?  The settlement was $30 million.
