How do you protect information in the event of an Event? Is this part of your business continuity plan? You do have a business continuity plan, right? Do you have a process to safeguard information you will need to resume operation?
“Second Black Box Eludes Search Teams,” The Wall Street Journal, November 3, 2018 A6. Divers are still searching for the cockpit voice recorder following the crash of Lion Air flight 610 in Indonesia.
Planes carry two “black boxes,” one a flight data recorder (which captures a lot of equipment operating data) and the other a cockpit voice recorder (which captures conversation in the cockpit). The information on these two boxes (which are actually neon orange) is used to determine the cause of a crash.
What information does your company generate that you would need to run your business following an “Event,” such as a computer crash or a hurricane, or whatever? Is that part of your normal operating policies and procedures? If you can’t get to that information, can you restart or run your business?
Is this an Information point (protecting information) , or a Governance point (having processes and procedures to protect mission-critical information), or a Compliance with policies and procedures?
Filed under Access, Business Case, Collection, Controls, Corporation, Duty, Governance, Information, Internal controls, Oversight, Protect, Protect assets, Risk, Use, Value
“Data Curbs Put Facebook in Bind,” The Wall Street Journal, July 31, 2018 B4. The GDPR in Europe places new restrictions on Facebook’s business model. The new rules make it harder for Facebook to get advertising revenue based on the views by users of the platform.
How well does your company prepare for changes in the law? Is this on your risk matrix?
What happens to your business if you or your customers can’t get to the Internet?
“Visa Hit by Outrage In Parts of Europe,” The Wall Street Journal, June 2, 2018 B12. Users of Visa cards in Europe couldn’t use their cards on Friday as the result of a hardware failure.
Are you prepared for a hardware failure that prevents your customers from reaching you? Is this an aspect of information governance? Business continuity planning? Both?
You make some promises, or strong indications, to a star performer that he or she is so above average, next year you will get ___ a year early. [Fill in the blank]
How do you handle a change in direction?
“Goldman’s Rising Stars Told to Hold,” The Wall Street Journal, May 26, 2018 B9. Two years ago, a group of high-potential employees were told they were on the fast track and would get promoted before the rest of their class. Now they are told there is no fast track this year.
How do you handle it when you have to tell your star performer that she/he’s not going to get what you told them they were going to get? Have you just put your crown jewels into play? How do you rebuild trust and confidence in your best and brightest?
Is this Information or Governance or just bad management? Does it matter whether you told them in writing or not? Is that a risk that was considered?
“New EU Rule Puts Scare Into Websites,” The Wall Street Journal, May 26, 2018 B4. US websites block access by people in the EU to avoid breach of new GPDR.
This raises several interesting questions.
- What’s the risk that your website collects or stores information in violation of the General Data Protection Regulation?
- Is it better to cut off service to people in the EU rather than to take the risk that you don’t comply with EU privacy legislation?
- Will this open up a new market for Google-like and Facebook-like European competitors?
- How will the users in the EU react?
- Just how hard is it to comply with the GDPR? You write a policy and take some internal steps to control your use of consumer information.
- Is this Y2K revisited?
- Is this Information, Governance, or Compliance? A combination of some all of those?
Filed under Access, Business Case, Compliance, Compliance (General), Controls, Corporation, Duty, Governance, Government, Interconnections, Internal controls, IT, New Implications, Oversight, Privacy, Protect assets, Risk, Technology
What happens to compliance when the CEO and her boyfriend collaborate to create a culture of secrecy and fear?
“Partners in Blood,” The Wall Street Journal, May 19, 2018 C1. Reports from the trenches at Theranos, which said it was able to run a range of tests from a few drops of blood; it couldn’t. SEC charges company with fraud, and investors lose millions.
While the implications of a relationship of the CEO goes to Governance, are there also links to Compliance and Information? What impact did the culture have on the company’s compliance? How do investors know about the nature of a CEO’s personal relationships leaking into the corporate environment?
Who should have seen this and reported it to someone? Why didn’t the directors smell a rat?
Filed under Board, Compliance, Culture, Culture, Directors, Duty, Employees, Governance, Oversight, Oversight, Risk, Supervision, To report
“Wells Nears $1 Billion Settlement,” The Wall Street Journal, April 20, 2018 B1.
Wells Fargo is about to be (has been) fined close to $1 billion for irregularities regarding auto loans, auto insurance, and mortgage loans. This is the civil side. This is in addition to the $185 million for the account cramming scandal in 2016, where the bank opened new accounts and credit cards that consumers did not request. The Chief Risk Officer is also retiring.
Once again, the shareholders pay mightily for the sins of (mis-)management.
I am not sure what to say about the Nunes memo about the DOJ and the FBI and the FISA court, and classified information and governance and compliance. Too political to be educational.
So, the right-hand news item instead. “Fed Limits Wells Fargo Growth, Replaces Directors,” The Wall Street Journal, February 3, 2018 A1. Following a pretty bad year or two, following the customer cramming schedule or the auto insurance. A former CEO. Lower bonuses. Now the government takes control of a large bank and replaces the directors. Restricts the bank’s future growth. A 6% stock value drop, before this week’s really bad sell-off. Cost: $300-400 million. Government says, “We cannot tolerate pervasive and persistent misconduct at any bank ….”
What’s the value of compliance? Is it the possible loss of your ability to control your company? Is this a lesson for directors, in that they may lose their positions (but they don’t have to refund their fees)(yet- the derivative suits are coming soon). They didn’t even do that to BP! The Chief Risk Officer is also retiring later this year.
Business case for compliance or better risk management? For knowing what’s going on in your company? Not sure what the lesson is for the shareholders.
Filed under Board, Business Case, Compliance, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Inform market, Inform shareholders, Internal controls, Oversight, Oversight, Protect assets, Risk, Risk Assessment, Risk assessment, Supervision, To report
A fascinating area for exploration is the drafts that led to the final version. The dates, the wording, the recipients. Why do people keep drafts? Just because?
“Comey Originally Tougher On Clinton, The Wall Street Journal, November 7, 2017 A5. A Republican Senator discloses that Comey’s early draft of the exoneration document used the language “grossly negligent,” the statutory test.
I’ve referred to July 5, 2016 as the Day that Information Governance Died. That’s when the Director of the FBI announced his decision not to prosecute someone who had routinely violated the rules on handling secret documents, because “no reasonable prosecutor would bring charges.” Not to get into the politics of things, but how can you argue that following the rules is required when the Secretary of State isn’t held to the standards that apply to a Navy seaman?
That being said, why do people hold on to drafts? Because it’s easy? Or because it’s hard to get rid of them? There is seldom a reason to retain them beyond when the document is final. Maybe a phrase or a paragraph. But the entire document? How can we convince people not to keep drafts?
Filed under Compliance, Controls, Corporation, Discovery, Duty, Employees, Governance, Internal controls, Legal, Records Management, Risk
I am reminded of the Swiss cheese model for managing risk. See https://infogovnuggets.com/2014/10/02/swiss-cheese/.
The awful shooting at the church outside San Antonio. How many controls to manage the risk of a lunatic buying a gun failed? Certainly, the Air Force failed by not recording the circumstances of his dishonorable discharge and related matters. (Was this systemic? What about other branches? Were there incentives/disincentives?) And the fact that he had been in a mental institution wasn’t in the data base either. Who else failed?
And what about the self-certification, where a gun buyer needs to certify that he/she hasn’t done a bunch of bad things, which in turn is confirmed by the background check? Do self-certifications work? How much do you rely on having your employees sign an annual certification that they’ve read and understood (and don’t know of any violations of) your Code of Conduct? Does that provide any protection? Or does it just give you false comfort and a metric to measure?