You may not be old enough or nerdy enough to remember the Romulan cloaking device from the original Star Trek. But I do/am.
“Fake Signals and Illegal Flags: How North Korea Uses Clandestine Shipping to Fund Regime,” The Wall Street Journal, November 29, 2018 (online). How do shipments still arrive in and leave from North Korea, notwithstanding the various sanctions on the regime there? Apparently, it’s blue smoke and mirrors.
I raise this here for two reasons. First, in the North Korean story this is a bunch of information being generated that is deliberately false, and the compliance types struggle to deal with it in order to enforce the applicable rules. The enforcers use satellites and data analytics; the shippers use deception and semi-legal and illegal stratagems.
Second, what extremes might your employees go to to avoid being detected when they are doing something they know is wrong, and how well prepared are you to deal with it? Do you have the proper controls and investigative procedures? What should you look at to confirm that what you’re being told is true?
Filed under Collect, Compliance, Compliance, Compliance (General), Controls, Corporation, Data quality, Directors, Duty, Employees, Governance, Information, Internal controls, Management, Oversight, Policy, Supervision, Third parties, To report, Use
“Mueller Accuses Paul Manafort of Lying to FBI After Plea Agreement, The Wall Street Journal, November 26, 2018 (online). Did Manafort lie after he reached a plea deal?
Information is not limited to what you write in a document or an email. It includes verbal utterances. How do you control your “verbal utterances” when the penalty for lying to the FBI can result in 20 years in prison, regardless of what happened prior to your plea deal?
So, this involves Information (verbal statements are information), Compliance (lying to the FBI exposes you to 20 years’ in prison for each offense), and Governance (how do you avoid making an untrue utterance?). Do your policies and controls address verbal information, and, generally, not lying to the FBI? Need they?
This blog tends to mention cases where senior executives get (or don’t get) punished for their alleged misdeeds. The spin is often that the seniors don’t get punished as hard as the worker bees.
But what happens when the CEO gets put in jail for his or her alleged misdeeds, which may have led to under-reporting in the company’s financials for the past five years?
“Carlos Ghosn’s Arrest Rocks Auto Empire,” The Wall Street Journal, November 21, 2018 (online). Nissan’s CEO jailed for allegedly under-reporting his earnings by several tens of millions of dollars.
How do you explain this to the worker bees? What’s the culture at the top? How did the Board not catch this? Were there not controls in place? Might the shareholders be a bit upset?
More a Governance and a Compliance issue, perhaps, although if one looks, one could find some information-related failures.
Filed under Board, Compliance, Compliance (General), Compliance Verification, Controls, Corporation, Culture, Culture, Data quality, Directors, Duty, Duty of Care, Governance, Internal controls, Oversight, Oversight
“Marriott Says Starwood Data Breach Affects Up to 500 Million People,” The Wall Street Journal, November 30, 2018 (online). Data breach potentially affecting passports and credit cards of as many as 500 million guests at Marriott’s Starwood properties, which were acquired in 2016. They knew about this in September, but reflects a breach that may go back to 2014.
So, two years after an acquisition, the target’s information security practices blow up in the acquiror’s face. What does that say about the acquiror’s duty to integrate the data practices and controls around information protection?
Does your M&A team think about information governance issues? Is that an identified risk, with an identified (and owned) action plan? Did the Board identify this as a risk? What the value of this information considered part of the transaction value? How was that reflected?
Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Value
If you are looking to invest, it would be nice to know if the broker who has been recommended to you has a history of complaints by his/her customers or employers. If you are the prospective broker, it would be good to be able to present a clean record, even if your record isn’t clean.
“Brokers Purge Their Records,” The Wall Street Journal, November 19, 2018 B1. Brokers can request that complaints be expunged from the records of the industry-funded regulator. So, were you to ask you would be told there’s no record.
So, what is a clean record worth, when a dirty record can be so easily laundered? I guess there may be multiple definitions of “record,” one of which is documentation of a business activity or decision, and the other of which is a conviction.
On the internet, no one knows you’re a dog.
Who governs access to the White House? The Executive or the Judiciary?
“Judge Grants CNN’s Press-Pass Motion,” The Wall Street Journal, November 17, 2018 A3. Reporter’s due process rights “appear to have been violated” when his access to the White House itself is restricted.
Who controls access to your building? To your floor? To your office? To your desk? To your computer? To your company’s information?
How do they do it?
In the absence of a written rule, who governs what behavior is permitted in a press briefing within the White House? The White House? The “press corps”? The courts? The Secret Service?
“UC System is Sued for Data On Admissions,” The Wall Street Journal, November 16, 2018 A2. Is the state university using race inappropriately in making admissions decisions?
The government has different obligations with respect to information than a private company. Government also collects a lot of information. What controls are in place to allow and to prevent the disclosure of this information? What about for non-core activities, like running the state’s university system?
Filed under Access, Collect, Compliance, Compliance, Controls, Duty, Governance, Government, Internal controls, Management, Third parties, To report, Use