Category Archives: Business Case

Lessons learned?

I am not sure what to say about the Nunes memo about the DOJ and the FBI and the FISA court, and classified information and governance and compliance.  Too political to be educational.

So, the right-hand news item instead.  “Fed Limits Wells Fargo Growth, Replaces Directors,” The Wall Street Journal, February 3, 2018 A1.  This follows a pretty bad year or two, after the customer cramming scandal and the auto insurance one.  A former CEO.  Lower bonuses.  Now the government takes control of a large bank and replaces the directors.  It restricts the bank’s future growth.  A 6% stock value drop, before this week’s really bad sell-off.  Cost: $300-400 million.  Government says, “We cannot tolerate pervasive and persistent misconduct at any bank ….”

What’s the value of compliance?  Is it the possible loss of your ability to control your company?  Is this a lesson for directors, in that they may lose their positions (but they don’t have to refund their fees, yet; the derivative suits are coming soon)?  They didn’t even do that to BP!  The Chief Risk Officer is also retiring later this year.

Business case for compliance or better risk management?  For knowing what’s going on in your company?  Not sure what the lesson is for the shareholders.


Filed under Board, Business Case, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Inform market, Inform shareholders, Internal controls, Oversight, Protect assets, Risk, Risk Assessment, Supervision, To report

Cybersecurity

Cybersecurity involves protecting the enterprise from internal or external attack and responding after the enterprise has been attacked.  How do you ensure your business continues to operate if its cybersecurity is breached?  It’s not just sending notices to affected customers and paying for credit watches.

“Banks Create Cyber Doomsday System,” The Wall Street Journal, December 4, 2017 B1.  The system requires banks and credit unions to back up their data so that operations can be restored after a breach.  This also protects confidence in the overall banking system.

Do you have a business continuity plan?  Does it address how you will access your critical information so that you can continue to operate?

What’s surprising is that this is newsworthy.


Filed under Access, Board, Business Case, Business Continuity, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Interconnections, Internal controls, IT, Operations, Oversight, Protect assets, Protect information assets, Security, Value

Drafts

A fascinating area for exploration is the drafts that led to the final version.  The dates, the wording, the recipients.  Why do people keep drafts?  Just because?

“Comey Originally Tougher On Clinton,” The Wall Street Journal, November 7, 2017 A5.  A Republican Senator discloses that Comey’s early draft of the exoneration document used the language “grossly negligent,” the statutory test.

I’ve referred to July 5, 2016 as the Day that Information Governance Died.  That’s when the Director of the FBI announced his decision not to prosecute someone who had routinely violated the rules on handling secret documents, because “no reasonable prosecutor would bring charges.”  Not to get into the politics of things, but how can you argue that following the rules is required when the Secretary of State isn’t held to the standards that apply to a Navy seaman?

That being said, why do people hold on to drafts?  Because it’s easy?  Or because it’s hard to get rid of them?  There is seldom a reason to retain them beyond when the document is final.  Maybe a phrase or a paragraph.  But the entire document?  How can we convince people not to keep drafts?


Filed under Compliance, Controls, Corporation, Discovery, Duty, Employees, Governance, Internal controls, Legal, Records Management, Risk

Swiss cheese, revisited

I am reminded of the Swiss cheese model for managing risk.  See https://infogovnuggets.com/2014/10/02/swiss-cheese/.

The awful shooting at the church outside San Antonio.  How many controls to manage the risk of a lunatic buying a gun failed?  Certainly, the Air Force failed by not recording the circumstances of his dishonorable discharge and related matters.  (Was this systemic?  What about other branches?  Were there incentives/disincentives?)  And the fact that he had been in a mental institution wasn’t in the database either.  Who else failed?

And what about the self-certification, where a gun buyer needs to certify that he/she hasn’t done a bunch of bad things, which in turn is confirmed by the background check?  Do self-certifications work?  How much do you rely on having your employees sign an annual certification that they’ve read and understood (and don’t know of any violations of) your Code of Conduct?  Does that provide any protection?  Or does it just give you false comfort and a metric to measure?


Filed under Compliance Verification, Risk

Violating patents

Violating the patents of others can be expensive.

“Qualcomm Feels Sting of Fine and War with Apple,” The Wall Street Journal, November 2, 2017 B4.  Between a fine of almost $800 million and a major customer (Apple) withholding royalty payments for patent licenses, profit drops $1.4 billion for the fourth quarter.

As you attempt to quantify the risk of violating the intellectual property rights of others, this provides some data points.  Were the directors aware of this risk?  If not, why not?  If they were, what does that say about them?


Filed under Compliance, Corporation, Directors, Duty, Governance, Oversight, Requirements, Risk

Is your doctor up to date on cybersecurity?

“Pacemaker Fix Against Hackers Raises New Fears,” The Wall Street Journal, October 21, 2017 B4.  Will updating the software crash your pacemaker?  The fix is meant to close a potential pathway for hackers.

A couple of information points.  Software is information.  Limiting unauthorized access to “my” pacemaker seems to be something the manufacturer should be responsible for.  Who manages the risk of hacking?  What about the risk of the change itself?  Is this a doctor’s call or the patient’s call?


Filed under Access, Compliance, Controls, Corporation, Duty, Governance, Interconnections, Internal controls, IT, Risk, Security, Third parties

Electrical banana (reprise)

Slack is new communications software in use in many companies.  Do your policies deal with the implications of the use and misuse of yet another new technology?  How will you handle this when litigation comes in?

“Tips to Tighten Slack Users’ Skills,” The Wall Street Journal, October 12, 2017 B4.


Filed under Access, Communications, Compliance, Content, Controls, Corporation, Discovery, Duty, Duty of Care, Employees, Governance, Information, Interconnections, Internal controls, IT, Legal, New Implications, Oversight, Policy, Protect assets, Security