This blog looks at the intersection of Information, Governance, and Compliance. Normally, when one hears “Compliance,” one assumes it means compliance with law. But Compliance also extends to compliance with policy.
“Barnes & Noble Cites Policy In Firing,” The Wall Street Journal, July 5, 2016 B1. B&N’s CEO, who was also a member of the board, was fired after a little more than a year for violation of a so-far-undisclosed company policy. No severance package. Ouch.
What sort of message does that send to the rank and file when the CEO gets punished for violating company policy? Does that extend beyond the policy the CEO is accused of violating? Is that why the specific policy wasn’t mentioned?
I assume this was for a violation more serious than failing to follow the company’s Records Retention Policy. But aren’t all violations of company policy by the CEO equally serious? Aren’t all violations of policy equal, or are there capital “P” policies, and small “p” policies? How does an employee tell the difference?
And the company chose to publicize at least the basic reason for the firing; does it do that in all firings for policy non-compliance? Does the CEO have more or fewer privacy rights than the lowest-paid employee?
Filed under Board, Communications, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Employees, Governance, Internal controls, Policy, Privacy
“Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance,” The Wall Street Journal, June 21, 2018 B10. Companies aren’t buying as much privacy insurance as people thought.
Certainly, in the wake of the GDPR rollout, the risk of a privacy law violation has increased. Apparently companies think that they have adequate controls in place, and don’t need the protection of insurance to backstop their controls. Insurance is a mitigation in case your controls aren’t totally effective.
Are these companies doing the same with other risks to other assets? Or is your private data somehow different?
Filed under Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Ownership, Privacy, Protect, Protect assets, Protect information assets, Security, Third parties
“Tesla Accuses Former Employee of ‘Sabotage’,” The Wall Street Journal, June 21, 2018 B3. Did a former employee hack Tesla’s manufacturing software and trade secrets and transfer information outside the company? Was this for convenience, or was it theft? Or to give to the press?
Do you have adequate controls to prevent this? Or to discover it? Who’s responsible if your controls fail?
Will the directors or senior officers be punished? Did they fail in their obligations to protect the corporation’s assets? Or is it just the shareholders who pay? And pay, and pay.
Filed under Access, Board, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Management, Oversight, Protect, Protect assets, Protect information assets, Third parties, Value
Eventually, you’re talking real money.
“Volkswagen Fined $1 Billion in Germany,” The Wall Street Journal, June 14, 2018 B4. Fine for “dereliction of management oversight” following the diesel emissions-testing scandal. Somewhat broader than a Caremark claim.
Will the directors have to pay anything out of their pockets? Or just their shareholders’ pockets?
Filed under Board, Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Governance, Internal controls, Oversight
Gosh, it happened again!
“Facebook Gave Out User Data Despite Pledge,” The Wall Street Journal, June 9, 2018 A1. Notwithstanding a commitment not to do so, Facebook continued to give some companies access to user information.
How many times can you lie before people call you a liar? Or take judicial notice? What is the culture at Facebook? Who’s responsible? Accountable?
Filed under Access, Board, Compliance, Compliance (General), Controls, Corporation, Culture, Duty, Duty of Care, Governance, Information, Internal controls, Oversight, Ownership, Privacy, Protect assets
“Starbucks Takes a Break For Its Antibias Training,” The Wall Street Journal, May 30, 2018 B2. Starbucks shuts down for several hours to train its employees on what “bias” means. Response to an incident in which two men were arrested for refusing to either buy something or leave the store. Cost: $10 million and counting.
While some may view this as a large publicity stunt, or post-crisis communication/image repair, others may see it as a strong statement of what Starbucks’ culture is or will be. Starbucks also changed its policy of not allowing non-customers to sit in its stores and use its restrooms.
What happens when you have one policy (no bias) that conflicts with another policy (restrooms for customers only)? How are employees supposed to know which policy to follow?
Does your company have policies that conflict with one another?
Filed under Board, Communications, Compliance, Compliance (General), Controls, Culture, Duty, Employees, Governance, Internal controls, Oversight, Policy
What happens to compliance when the CEO and her boyfriend collaborate to create a culture of secrecy and fear?
“Partners in Blood,” The Wall Street Journal, May 19, 2018 C1. Reports from the trenches at Theranos, which said it was able to run a range of tests from a few drops of blood; it couldn’t. SEC charges company with fraud, and investors lose millions.
While the implications of a CEO’s personal relationship go to Governance, are there also links to Compliance and Information? What impact did the culture have on the company’s compliance? How do investors learn that a CEO’s personal relationships are leaking into the corporate environment?
Who should have seen this and reported it to someone? Why didn’t the directors smell a rat?
Filed under Board, Compliance, Culture, Directors, Duty, Employees, Governance, Oversight, Risk, Supervision, To report