A company does something sleazy, and pays $465 million in settlement. But the company’s senior executives don’t get a salary hit.
“EpiPen Pact Unlikely to Affect Pay,” The Wall Street Journal, October 28, 2016 B2. Mylan execs won’t suffer because their compensation is determined based on adjusted earnings that exclude the cost of settlements, such as the one the company is paying to the US Gov following allegations of Medicaid overcharges for the EpiPen.
Too bad the returns to the shareholders can’t be computed the same way. What about the Board that agreed to this formula? Didn’t directors use to have a fiduciary duty?
Who owns your information?
“FCC Moves To Tighten Marketing Of Data,” The Wall Street Journal, October 28, 2016 A3. Finally, consumers get some limited privacy protection. Internet providers need to secure the customers’ ok before marketing their consumers’ sensitive information like search history.
Leaving aside that a customer’s right to privacy is somewhat shadowy and ill-defined, created as it was (sort of) by the Supreme Court, and that the FCC doesn’t have the charter to protect privacy, per se, this seems like a step in the right direction. But are we just going to get another click-through we don’t read?
But nice to know that we have some rights with respect to our data.
One aspect of information governance is who’s in charge? Who “governs,” and how?
“Scrutiny Of Voting Procedures Set to Soar,” The Wall Street Journal, October 27, 2016 A4. We could guess that a lot of folks would want to observe the US election process to make sure everything’s kosher. You’d guess a bunch of state authorities, the Department of Justice, and the various political parties and their respective surrogates. But the Organization of American States (40) and the Organization for Security and Cooperation in Europe (500+ observers) were invited by the State Department.
Why? What role do they have? Do they own the process? Do they report to someone who owns the process? (“They” could mean the OAS, the OSCE, or the State Department).
What do you do when the governor doesn’t follow the rules?
“NIH Unit Delayed Report Of 2 Deaths From Study,” The Wall Street Journal, October 22, 2016 A3. National Institutes of Health is a year late in reporting the two deaths (aka “severe adverse events”) to the FDA, as required by law.
What do you do when employees fail to follow federal reporting requirements? Do you fire the employees? Penalize their bosses? Convene a committee to study?
Three blurbs today.
“Flawed Theranos Tests Hurt Patients,” The Wall Street Journal, October 21, 2016 A1. Company that marketed a cheaper, better blood test faces problems after testing methodology was faulty. Is your business selling information analytics? Is this a risk you have identified, quantified, and protected against?
“Mining Executives Charged,” The Wall Street Journal, October 21, 2016 B5. In November 2015, a dam collapsed, releasing sludge into a nearby river and killing 19 people. The federal government filed criminal charges against current and former chief executive officers and other employees and consultants who inspected the dam. In Brazil. Compare and contrast the collapse of a dam in the US caused by an employee of the EPA, where no charges were filed.
“Louisville Gets Charges Over Escort Scandal,” The Wall Street Journal, October 21, 2016 D6. The NCAA charged several staff members for the University of Louisville men’s basketball team in a sex scandal. The current coach was accused of failing “to demonstrate that he monitored a member of his staff.” Apparently, a higher standard of behavior applies to managers of basketball than management in corporations or governments.
Analytics are one way through massive collections of information. But do they taint the results?
“Algorithms Aren’t Biased, Coders May Be,” The Wall Street Journal, October 15, 2016 A2. Coders may include hidden or unconscious biases in the metrics they select, which affect the reliability of the “decisions” algorithms make for you.
Can you rely on a black box too much? Do you understand the devices you use and how they work? Does somebody? Can you provide oversight of a process you don’t understand?
If “information governance” is how you go about managing the receipt, creation, use, storage, transfer, transmission, and disposal of all non-public information received or created in the course of a company’s business, then by definition the term touches upon how your company handles information in a crisis.
“Wells Fargo’s Botched Crisis Management,” The Wall Street Journal, October 14, 2016 A1. Company and its senior management were excoriated for how they handled the account-shoving scandal. Sure, over the years (3) they fired 5,300 employees, but the board didn’t know how many employees were fired until the outside regulators reported it.
How did senior management learn of the problem? What did they do and when did they do it? How did they manage their receipt of that information? How did they handle communications with the board, inside the bank, and the regulators? And the press? Not well, one might surmise. What impact on their brand?
I am not suggesting that the person (vel non) who “owns” information governance also “owns” crisis management, but certainly a poor crisis management response is one of the risks of poor information governance. The consequences can be huge. Did the board effectively oversee the operations?
Tale one: The CEO of Wells Fargo quit (or was fired) following the account-shoving scandal. “Wells Chief Quits Under Attack,” The Wall Street Journal, October 13, 2016 A1. Despite the shareholder returns he oversaw, he gets sacked following illegal actions by his troops.
Tale two: The EPA employee responsible for the huge spill from a gold mine in 2015 won’t be charged with criminal violations of environmental laws. “Charges Not Pursued Over Spill in River,” The Wall Street Journal, October 13, 2016. Guess he/she had good lawyers. Hard to see a similar outcome for a corporate employee who caused such a large spill. Not sure the EPA itself was sued for its employee’s behavior, as a corporation would have been.
Will other CEOs be fired following illegal conduct by corporate employees? Will other employees skate from criminal charges after having caused huge environmental spills? Or is it a case of “shareholders pay”?
“Consumer Watchdog Rebuffed by Court,” The Wall Street Journal, October 12, 2016 A1. A federal appeals court rejects the President’s appointment of a bureaucrat who can’t be removed by the President. The Constitution prohibits that.
A big problem with information governance is that it often isn’t clear who’s responsible and who’s accountable for information governance failures. Yes, the corporation is accountable to the State (or the Fed, or third parties, or some or all of them) for violations of law by the corporation’s agents. And the employees of the corporation can be fired (and perhaps sued) for violating the law or corporation policy. And the directors can be removed (and perhaps sued) for breaching their duty to the corporation and the shareholders. And the shareholders pay the price of corporate failures.
Who’s in charge of information governance at your corporation? Does your charter establish that? If not, who?
One of the ways a company loses confidential information is through theft by contractors. Watch that you are not engaging a recidivist.
“NSA Secrets Back in Spotlight,” The Wall Street Journal, October 6, 2016 A1. The NSA hired a contractor (Booz Allen Hamilton). One of the contractor’s employees is accused of stealing some NSA classified materials.
Who else worked for Booz Allen and, derivatively, the NSA? Edward Snowden.
The good news is (1) there are no allegations of destruction and (2) Booz Allen has gained a lot of great crisis management experience, which it can hawk to its future clients.
The bad news, among other things, is that James Comey is not their friend.