“Barnes & Noble Details CEO Firing,” The Wall Street Journal, October 31, 2018 B1. CEO allegedly fired for sexual harassment and bullying, and interfering with the sale of B&N.
So, the CEO gets canned. No severance package. What message does this send to the rest of the organization (and, indeed, to other CEOs and other companies)? How does the Board look on this one? From a Compliance standpoint, and a Governance one, looks pretty good.
Might this be a pretext? Could he have been fired for some other reason?
Filed under Board, Communications, Compliance, Compliance, Compliance (General), Controls, Corporation, Duty, Employees, Governance, Internal controls, Oversight, Supervision
One of the consequences of non-compliance is a higher level of scrutiny from the regulators.
“Wells Fargo Places Two Executives On Leave,” The Wall Street Journal, October 25, 2018 B10. The Comptroller of the Currency sent letters to two WF executives about their failures of oversight at the bank in connection with WF’s sales practices. Execs (chief administrative officer and chief auditor) placed on leave and removed from operating committee.
Boy, does that ever not look good on your resume.
Why did the regulator have to do this? One reason is that WF didn’t do it itself. Would your compliance system do better? Do the directors still have their jobs?
Filed under Board, Compliance, Compliance (General), Corporation, Culture, Directors, Duty, Employees, Governance, Government, Oversight, Supervision, To report
“Facebook Hackers Access Nearly 50 Million Accounts,” The Wall Street Journal, September 29, 2018 A1. Unknown hackers may have gotten access as early as July 2017 by exploiting flaws in the system’s code. May have taken over your account and gotten to your posts and private messages, and may have the credentials to access other services, like Tinder and Spotify.
Is Facebook responsible for making sure its site is secure? How did the executive in charge of safety and security miss this? Does the Board at Facebook have liability? Facebook no longer has a Chief Security Officer.
Filed under Access, Board, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Oversight, Oversight, Protect assets, Protect information assets, Security, Technology, Third parties
What you do when an important executive is alleged to have violated company policy says a lot about your compliance program.
“Claims About Executive Tested Uber Overhaul,” The Wall Street Journal, September 27, 2018 B3. Senior executive investigated; rather than being terminated, he received a formal warning (apparently, informal was not sufficient), his bonus was reduced Why do you give bonuses to people who violate company policy?), and was required to take sensitivity training.
This at a company that had a rather sordid history of sexual harassment.
How will Uber convince its remaining employees that this time it is serious? Do you believe them? Is this an effective compliance program under the Federal Sentencing Guidelines, assuming that’s the appropriate measure?
Where’s the Board? Do they care?
Filed under Board, Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Oversight, Oversight, Uncategorized
“CBS to Weigh CEO’s Fate,” The Wall Street Journal, July 30, 2018 A1. Discussion over whether CEO accused of sexual harassment should stand down while the investigation continues.
Curious that Urban Meyer has to stand aside while an investigation into whether he should have reported domestic abuse by an assistant coach 9 years earlier at a different school, but Leslie Moonves remains on board as the CEO of CBS. See https://infogovnuggets.com/2018/08/07/caesars-wife/
What does it say about a company’s culture when, in the current environment, the CEO can remain in his job during such an investigation? How convinced are the rank-and-file employees that the sexual harassment policy is real, or just a piece of paper? Are the directors serious about this policy? What about other policies?
Filed under Board, Compliance, Compliance, Compliance (General), Corporation, Culture, Culture, Directors, Duty, Employees, Governance, Oversight, Oversight, Policy
Knowledge, or lack thereof, is often a good defense.
“Fiat Says It Didn’t Know CEO was Ill,” The Wall Street Journal, July 27, 2018 B1. Company says privacy of health care information meant they didn’t know that their CEO had been sick for a year.
Who knew or should have known? Was this insider information that would affect the value of investments?
Should the Board have known? Did the CEO have a duty to disclose? For more than a year!
Governance, Compliance, and Information. All in one. Add a dash of privacy.
Filed under Access, Accuracy, Board, Communications, Compliance, Compliance (General), Compliance Verification, Controls, Corporation, Directors, Duty, Employees, Governance, Inform market, Inform shareholders, Internal controls, Investor relations, Oversight, Privacy, To report, Uncategorized
This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security. But the topics do overlap.
So, what controls do you have in place to prevent from someone accessing your computer and changing the information there or, as important, changing how your computer operates? That’s an identified risk, right?
“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3. Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems. Can the hackers take control of those systems or shut them down?
Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago? Contractors can be a massive IT security risk.
Is this part of Information Governance?
What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems? And to control the third parties who do have that access? Is there a process?
Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Third parties, Vendors