Category Archives: Risk Assessment

Don’t forget who your audience is

“Angry Users Are Threat to Facebook,” The Wall Street Journal, March 23, 2018 B1.  User reaction to the use of user data may imperil FB; users lose trust.

For a company recently valued at $500 billion, the loss of a customer base and momentum may be terminal.  Or at least painful.  Just because they didn’t take care of their users’ information.

Again, is this an information governance blog or a crisis management and response blog?  The issues seem to overlap a good deal of late.  Is this just a risk of the business, or does it say something about the company’s culture or governance?  What exactly is FB selling, and to whom?  What was their reputation?

Lessons learned?

I am not sure what to say about the Nunes memo about the DOJ and the FBI and the FISA court, and classified information and governance and compliance.  Too political to be educational.

So, the right-hand news item instead.  “Fed Limits Wells Fargo Growth, Replaces Directors,” The Wall Street Journal, February 3, 2018 A1.  Following a pretty bad year or two, following the customer-cramming scandal or the auto insurance.  A former CEO.  Lower bonuses.  Now the government takes control of a large bank and replaces the directors.  Restricts the bank’s future growth.  A 6% stock value drop, before this week’s really bad sell-off.  Cost: $300-400 million.  Government says, “We cannot tolerate pervasive and persistent misconduct at any bank ….”

What’s the value of compliance?  Is it the possible loss of your ability to control your company?  Is this a lesson for directors, in that they may lose their positions (but they don’t have to refund their fees) (yet – the derivative suits are coming soon)?  They didn’t even do that to BP!  The Chief Risk Officer is also retiring later this year.

Business case for compliance or better risk management?  For knowing what’s going on in your company?  Not sure what the lesson is for the shareholders.

The Hack of All Hacks

The Yahoo hack may have affected 1.5 billion customers.  But in terms of targeted hacks, OPM was pretty big.  There’s a new contender for the Hack of Hacks.

“Equifax Reveals Huge Breach,” The Wall Street Journal, September 8, 2017 A1.  The records (name, address, Social Security number, birth date, etc.) of 143 million US consumers at the credit reporting company have been hacked.  That’s roughly half the US.  And they sat on it for a while (since they discovered it on July 29).

Will this fundamentally change the landscape?  Will we see EU-level privacy controls in the US?  Will the directors of Equifax face personal liability for not ensuring the information was protected?  How can you protect your Social Security Number five years from now?  How will credit decisions be made in the future?

Duty of Directors

One of my common themes is the duty of directors.  They get paid a lot of money to act as fiduciaries for the company’s shareholders.

“Warren Keeps Pressure on Wells,” The Wall Street Journal, June 20, 2017 B10.  Senator Elizabeth Warren (D. Mass.) is leaning on the Federal Reserve (arguably an independent body) to remove 12 directors who served on Wells Fargo’s Board when the account-cramming scandal was going on.  Other problems have emerged at Wells Fargo since then.

The shareholders didn’t/couldn’t vote them out in April, and so far (as I know) the directors haven’t been held personally liable for negligent oversight.  So it’s nice that someone is still pursuing the people in charge at the time that (some of the) bad things were happening.

Some executives got fired or their bonuses were docked.  The shareholders lost a bundle in fines and penalties paid by the company.  It would be nice if the directors were held responsible and accountable — not just to penalize them, but to put other directors on notice of what they are getting paid to do, and for whom.

Would be nice to have a poster child for the director’s duty.

Do you track what’s the normal cost?

“Venezuela Alleges Fraud in $1.3 Billion Oil-Rig Lease,” The Wall Street Journal, March 16, 2017 A10.  “Officials at PdVSA [the state oil company in Venezuela] were accused of embezzlement by paying inflated fees.”

How do you track whether the company is paying inflated fees to companies owned by Saudi princes, with a no-bid contract to an industry newcomer?  You do track that, don’t you?  As a director you would want to make sure that people weren’t paying too much for service contracts.  Why would the state oil company pay inflated rates?  Aren’t these bribes going the ‘wrong’ way?  Or was it just waste and incompetence?  The difference is only $250,000 a day for seven years.

Do you consider the information governance aspects of the FCPA, beyond the books and records?  It is good that the government checks.

Access risk

Do you think about the risk of the failure of a critical information transfer system?

“Bank Lost Its Ability To Process Payments,” The Wall Street Journal, December 8, 2016 B8. The Bank of New York Mellon temporarily lost its access to the SWIFT network, used to process payments within the banking system.  Over nineteen hours.

Does your business have a similar business continuity risk, where a critical information transmission system is unavailable?  Have you identified that risk and quantified its potential impact?  Do you have controls (people, process, or technology, or some combination) to prevent the occurrence, or to limit its impact?  Is this a Board responsibility?  If not the Board, who?