Monthly Archives: April 2017

4 for Thursday

There were four pieces in today’s WSJ relevant to governance or information governance, or both.

“Currency Trading Data Hint at Leaks in U.K.,” The Wall Street Journal, April 27, 2017 B1. Indications that some investors are getting a sneak peek at UK statistics before they are published.  Does this go to access or to the calculus of the value of information including a factor for timeliness?

“FCC Chief Rails At Net Neutrality,” The Wall Street Journal, April 27, 2017 B1.  Is the government right in trying to control how information is accessed over the internet, or how (high-speed) access to that information is priced?  Who governs the internet, if anyone?

“United Cites Litany of Failures,” The Wall Street Journal, April 27, 2017 B1.  CEO says “‘We let our policies and procedures get in the way of doing the right thing.’”  CEO also to give up his role as Chairman of the Board. A CEO taking accountability for the actions of employees on his watch – remarkable.  United also took out a full-page ad.  Intersection of governance and crisis management.

“Hedge Fund Bets on ‘Big Data,’” The Wall Street Journal, April 27, 2017 B11.  Investments in analytics to identify profitable trades.  Timeliness of information is a factor in the value of that information.

Filed under Access, Analytics, Board, Business Case, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Government, Information, Internal controls, New Implications, Oversight, Protect assets, Risk, Third parties, Value

Nearly governance

The shareholders at Wells Fargo almost exercised “governance” over the Board of Directors.

“Wells Fargo Directors Face Shareholders’ Ire,” The Wall Street Journal, April 26, 2017 A1.  Several directors were nearly voted out at the annual meeting on Tuesday, following the Board’s failure to provide sufficient oversight to prevent or even discover the account cramming scandal that persisted over several years.

Directors have a duty of oversight; they are fiduciaries, after all.  If they breach that duty, the shareholders can either bring a derivative suit and try to impose individual liability (or reach the insurance), or vote the rascals out of office, thereby besmirching their reputation.  But neither remedy is easy.  Shareholders face several hurdles to impose governance on the Board.

At least it’s a shot across the bow.

Filed under Board, Compliance, Compliance Verification, Controls, Directors, Duty, Duty of Care, Governance, Inform shareholders, Investor relations, Oversight, Supervision


I don’t do this often.  But I wanted to take a moment to be shamelessly self-promotional.

I gave a presentation at the ARMA Spring Conference in Houston on April 25, 2017.  The subject was Information Governance, and dealt with how to establish effective relationships with others in your organization with an interest in managing information.  I have a rough cut of the presentation, together with an audio track, on my personal consulting website.  Here’s a link: Information Governance ARMA Spring 2017. This is an MP4 file done with an old copy of Camtasia, and runs about 46 minutes.

My intended takeaways include:

  • a simplified definition of “information governance,” focusing on the What and a bit of the How and a bit of the Who
  • “Information” includes both written and unwritten information
  • there are three universal duties of employees in most common law jurisdictions, like the US: the duty to comply with the law while doing your work for the company; the duty to comply with corporate instructions and policies; and the duty to report material violations.
  • a matrix approach to dealing with your fellow travelers.

I hope you find it useful.

Filed under Definition, Duty, Employees, Governance, Information


A necessary element of governance is that you have rules, or standards, to which the governed are supposed to adhere. Problems often arise when people don’t follow the rules. But can slavishly following the rules be as bad?  Depends on the rules.

“Behind United Airlines’ Fateful Decision to Call Police,” The Wall Street Journal, April 17, 2017 B1.   United has a strong demand and control system, and a system that rewards tenure over merit.  Rules for everything.  Rules that apply even to the third-party operator of last week’s flight from Chicago.

But who instituted a rule that requires having police haul a non-disruptive, paying passenger off a flight?  Seemed like a good idea at the time, I guess.  Hard to imagine this happening at an airline that hired attitudes rather than resumes.

Is a corporate cultural norm that would have avoided this also a part of governance?  Is that the “ethics” part of ethics and compliance?

Filed under Board, Compliance, Controls, Corporation, Culture, Duty, Employees, Governance, Internal controls, Oversight, Risk assessment, Third parties, Vendors


Can you get too much information?  Yes.

“KPMG Fires Partners Over Leak,” The Wall Street Journal, April 12, 2017 B1. KPMG fired 5 partners, including the head of the audit practice and the national managing partner for audit quality and professional practice (and the vice chairman of audit), after information from the PCAOB (a regulatory oversight agency) was leaked by a now-former PCAOB employee. (BTW, they also audited Wells Fargo when the account cramming was going on, among others.)

Unusual to learn of the firing of partners, and the details.  One might surmise KPMG indeed has zero tolerance, at least when there’s no apparent defense.

Another in the long line of crises around information mismanagement.

Filed under Board, Compliance, Controls, Corporation, Culture, Duty, Employees, Governance, Government, Inform market, Inform shareholders, Internal controls, Investor relations, Oversight, Supervision

Tuesday Trifecta

Tuesday’s WSJ had three articles of note.

“Wells Slams Former Bosses’ High-Pressure Sales Tactics,” The Wall Street Journal, April 11, 2017 A1.  Former CEO and board members failed to adequately supervise, leading to the account-cramming scandal.  A proxy advisory firm recommends voting against 12 of the bank’s directors.  No reported lawsuits against the directors at the time of the scandal, or since. Yet.

“At Barclays, a Probe of the CEO,” The Wall Street Journal, April 11, 2017 A1 (linking to an article on B1).  UK regulators join the probe of the current CEO’s attempt to learn the identity of the author of a letter complaining about the hiring of one of the CEO’s buddies.  Barclays is investigating.  Watch this space.

“A United Passenger’s Treatment Stirs Furor,” The Wall Street Journal, April 11, 2017 A1.  United is pilloried after a man is dragged off a plane being operated by one of United’s contractors.

Takeaways (different from Lessons Learned):

  • most major business scandals/crises are attributed to a management failure, of one type or another (see The Lessons of Longford).
  • CEOs need assistance to prevent them from doing dumb stuff.
  • You can be liable when one of your contractors ignores your prime mission in a customer-facing business.

Interestingly enough, all of these would be good teaching cases in a course on crisis management.

Filed under Board, Compliance, Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Internal controls, Oversight, Supervision, Vendors

It’s not Caesar’s wife – it’s Caesar

How do you enforce a non-retaliation policy when the CEO ignores it?

“Barclays CEO is Probed Over Bid to Unmask Whistleblower,” The Wall Street Journal, April 10, 2017 (online).  CEO attempts to learn the identity of an employee who criticized the hiring of one of the CEO’s buddies.  He asked his internal security folks to find out who was the author; he was rebuffed the first time (he was told it would be inappropriate), but persisted by asking them to look into it again.

Where does one start?  Sounds like a law school exam question.  “Analyze and discuss.”

How do you enforce a policy (or any policy) when the CEO ignores it?  This time it was anti-retaliation; next time he might not hold the handrail, or violate some other company policy.  What does the organization see when the CEO does this?

Here, he got a formal reprimand and will lose some bonus.  How can he remain in his post?  How does this discipline compare to what others have gotten for similar misconduct?  Will the Board members be reelected?  What message would terminating his employment send? If he violates some other policy (large or small) in the future, can the shareholders sue the directors individually for grossly negligent oversight?

Not sure how long an “A” answer would need to be.

Filed under Board, Compliance, Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Internal controls, Management, Managers, Oversight, Policy

Smoke may come from multiple fires

When you discover a weakness in one of your control systems and fix it, do you proclaim success and return to normal operating status?  Maybe you should look around a bit more.

“Wells Uncovers More Abuses,” The Wall Street Journal, April 6, 2017 B6.  Wells Fargo, home of the account-cramming scandal affecting retail banking customers that led to the CEO’s resignation and his bonus being cancelled, finds it had other problems, as well.  Appears the merchant service business division was inflating data and potentially misleading commercial customers, much as the retail banking division had.

What might it say about your culture if two widely different divisions were both engaged in cheating their customers?  Are there gaps in your control systems?  How do you fix the deeper problem?  At least they’re still looking (or at least finding).

Filed under Compliance, Controls, Culture, Governance, Internal controls, Management

What does the Susan Rice saga tell us?

Without getting into the politics, there are a lot of lessons from the current kerfuffle over Susan Rice and the unmasking of names in security reports.

If

  • one defines “Information Governance” as how an organization manages its information, and
  • the names of the US citizen(s) are clearly information received in the course of the organization’s business, and
  • Ms. Rice was clearly an employee (and therefore an agent) of the organization

Then we get insight into how the organization manages that information.

How does the organization restrict who can see what, how does it restrict and track the transfer of that information, and how does it restrict or control the storage of that information?  These restrictions are designed to make sure that agents of the organization comply with the applicable statutes and policies against disclosure and misuse.  Who “owns” this information?  Who (beyond the person who doesn’t follow the restrictions) in the organization is responsible (and accountable) if those restrictions are not followed?  Can people injured by the breach (if any) sue the organization whose agent breached the law?  How does the behavior here measure up against the ten-part measuring stick of compliance under the Federal Sentencing Guidelines Manual, and if the answer is “not well,” then who gets penalized?  Who, if anyone, had a duty to report up when they saw that information had been unmasked and distributed (if indeed it was distributed)?

Interesting parallels to the Information Governance issue in the corporate environment.

“House Panel Wants Rice to Testify,” The Wall Street Journal, April 5, 2017 A1.

Filed under Access, Compliance, Controls, Corporation, Duty, Employees, Governance, Government, Internal controls, Management, Oversight, Supervision, To report

Scylla & Charybdis

Does it matter whether information is stored in the US or overseas, if the same person controls the storage?

“Google and U.S. Fight Over Data,” The Wall Street Journal, April 4, 2017 B4.  Google no longer captures information stored overseas in response to US warrants.  Google isn’t alone.  The government says Google is impeding investigations.  Google calls for an investigation of the government’s conduct, which ignores a US Court of Appeals decision that says information on foreign servers is beyond US jurisdiction.

Where are you going to store your data? In the US, subject to government warrants, or overseas, where different privacy protections apply?  You’re between a rock and a hard place.  The Federal Rules of Civil Procedure provide yet another standard, which is not necessarily limited to the US.


Filed under Access, Controls, Corporation, Discovery, Duty, Government, Internal controls, Legal