Category Archives: Risk

Drafts

A fascinating area for exploration is the drafts that led to the final version.  The dates, the wording, the recipients.  Why do people keep drafts?  Just because?

“Comey Originally Tougher On Clinton,” The Wall Street Journal, November 7, 2017 A5.  A Republican Senator discloses that Comey’s early draft of the exoneration document used the language “grossly negligent,” the statutory test.

I’ve referred to July 5, 2016 as the Day that Information Governance Died.  That’s when the Director of the FBI announced his decision not to prosecute someone who had routinely violated the rules on handling secret documents, because “no reasonable prosecutor would bring charges.”  Not to get into the politics of things, but how can you argue that following the rules is required when the Secretary of State isn’t held to the standards that apply to a Navy seaman?

That being said, why do people hold on to drafts?  Because it’s easy?  Or because it’s hard to get rid of them?  There is seldom a reason to retain them beyond when the document is final.  Maybe a phrase or a paragraph.  But the entire document?  How can we convince people not to keep drafts?


Filed under Legal, Discovery, Risk, Records Management, Governance, Controls, Internal controls, Compliance, Duty, Employees, Corporation

Swiss cheese, revisited

I am reminded of the Swiss cheese model for managing risk.  See https://infogovnuggets.com/2014/10/02/swiss-cheese/.

The awful shooting at the church outside San Antonio.  How many controls to manage the risk of a lunatic buying a gun failed?  Certainly, the Air Force failed by not recording the circumstances of his dishonorable discharge and related matters. (Was this systemic?  What about other branches?  Were there incentives/disincentives?)  And the fact that he had been in a mental institution wasn’t in the database either. Who else failed?

And what about the self-certification, where a gun buyer needs to certify that he/she hasn’t done a bunch of bad things, which in turn is confirmed by the background check?  Do self-certifications work?  How much do you rely on having your employees sign an annual certification that they’ve read and understood (and don’t know of any violations of) your Code of Conduct?  Does that provide any protection?  Or does it just give you false comfort and a metric to measure?


Filed under Compliance Verification, Risk

Violating patents

Violating the patents of others can be expensive.

“Qualcomm Feels Sting of Fine and War with Apple,” The Wall Street Journal, November 2, 2017 B4.  Between a fine of almost $800 million and a major customer (Apple) withholding royalty payments for patent licenses, profit drops $1.4 billion for the fourth quarter.

As you attempt to quantify the risk of violating the intellectual property rights of others, this provides some data points.  Were the directors aware of this risk?  If not, why not?  If they were, what does that say about them?


Filed under Compliance, Corporation, Directors, Duty, Governance, Oversight, Requirements, Risk

Is your doctor up to date on cybersecurity?

“Pacemaker Fix Against Hackers Raises New Fears,” The Wall Street Journal, October 21, 2017 B4.  Will updating the software crash your pacemaker?  The fix is intended to close a potential pathway for hackers.

A couple of information points.  Software is information.  Limiting unauthorized access to “my” pacemaker seems to be something the manufacturer should be responsible for.  Who manages the risk of hacking?  What about the risk of the change itself?  Is this a doctor’s call or the patient’s call?


Filed under Access, Compliance, Controls, Corporation, Duty, Governance, Interconnections, Internal controls, IT, Risk, Security, Third parties

Labels matter

In the case of another serial offender, “Mylan Settles U.S. Claims on EpiPen,” The Wall Street Journal, August 18, 2017 B5.  Mylan pays $465 million for misclassifying the EpiPen as a generic, which affects how Medicaid reimbursements are made.

Funny how Mylan is so careful to not make mistakes that result in them getting less money.  The current shareholders keep getting these large bills.


Filed under Accuracy, Business Case, Controls, Corporation, Culture, Definition, Duty, Governance, Information, Internal controls, Oversight, Protect assets, Risk

Ransomware Week

“Faux Ransomware Does Damage,” The Wall Street Journal, June 30, 2017 B3.  Motive for recent attacks was not blackmail, but just disruption.  The files that were attacked may not be recoverable.  “Malware Leaves Big Law Firm Hobbled,” The Wall Street Journal, June 30, 2017 B3.  DLA Piper shuts down after its computer systems hit.  “Hospital Is Forced To Scrap Computers,” The Wall Street Journal, June 30, 2017 B3. West Virginia hospital tosses its entire computer network after cyberattack.

Have the Visigoths gathered at the gate?  If we can’t protect our computers and the information they contain and send, does our civilization survive?  Is IT now more important than all the other functions?


Filed under Access, Business Case, Business Continuity, Controls, Information, Interconnections, IT, Operations, Risk, Security, Value

Snitches get stitches

Apparently, keeping the identities of confidential informants secret poses some challenges.  Are there information governance lessons to be learned?

“Inmates Targeting Informants,” The Wall Street Journal, June 21, 2017 A3. “[C]lose to 700 witnesses and informants believed to have cooperated with the government have been threatened, wounded or killed” over three years.  One source of information: online court records that provide clues as to who cooperated with the prosecutors.  Some inmates may be posting their sentencing files to establish their bona fides.

Hard to classify this in this blog.  Does this pertain to

  • the value of accurate and complete information
  • the risk in making information widely available
  • the government’s duty to protect informants
  • the government’s duty to have a transparent criminal justice system
  • a defendant’s right to confront his/her accusers
  • the need for security and the difficulty in providing it
  • the proactive value of disclosure
  • the fact that information can be misused
  • the difficulty in creating effective controls
  • other?


Filed under Access, Accuracy, Communications, Compliance, Controls, Data quality, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Privacy, Protect assets, Risk, Third parties, Value