Category Archives: Vendors

Contractors and the Cloud

Do you have contractors who analyze your data for you?  Do they use cloud storage?  Do you know?  How secure is that?  Is that prohibited by your service contract?

“Data on 198 Million Votes Exposed Online,” The Wall Street Journal, June 20, 2017 A4. Deep Root Analytics, a Republican party consultant, used an online storage system that was reportedly open to the world for several days.  Most/some of the information exposed was publicly available information on voters.  A lot of voters.

Well, at least the Russians (or the DNC) didn’t hack it.  Or did they?

What controls do you have that protect information your consultants are using and the opinions you are paying them to provide you?  Do you care?  It’s not like it’s money or anything.


Filed under IT, Security, Governance, Protect assets, Controls, Third parties, Board, Management, Protect information assets, Protect, Oversight, Access, Duty, Vendors, Corporation

We have a Winner

What do you do when you discover who violated the law by leaking a classified document?  You arrest them.

“Contractor Charged in Leak,” The Wall Street Journal, June 6, 2017 A4.  Reality Winner, an employee of a contractor for the NSA, was arrested and charged with leaking a classified document to the news media.  A criminal offense.

Interesting story of how the government found out.  A news agency provided a copy of the document and asked the government to confirm its accuracy.  The government could tell from looking at the copy that it had been folded, and concluded someone had printed it out and sneaked it out.  IT logs showed six people had printed it out.  The computer of one of them showed email contact with a news agency.  When questioned, Ms. Winner fessed up.
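The investigative step the article describes is a join between two records IT already keeps: who printed the document, and who then corresponded with an outside news organization.  The example below is added here to show that join in code; it is not from the article or from any agency tooling, and the log formats, usernames, document identifier and domains are all constructed for illustration.  It adds one check the story implies but does not spell out: a contact that predates the print is not evidence of a leak of that print.

```python
import re

# Constructed sample print-audit log: "timestamp key=value ..." lines (not real data).
PRINT_LOG = """\
2017-05-09T08:02:11Z printer=prt-3f user=adoe doc_id=RPT-0412 pages=5
2017-05-09T08:15:40Z printer=prt-3f user=bsmith doc_id=RPT-0412 pages=5
2017-05-09T09:01:02Z printer=prt-07 user=cjones doc_id=RPT-0977 pages=2
2017-05-09T10:22:19Z printer=prt-12 user=dlee doc_id=RPT-0412 pages=5
2017-05-09T11:05:51Z printer=prt-12 user=efox doc_id=RPT-0412 pages=5
2017-05-10T07:45:33Z printer=prt-3f user=adoe doc_id=RPT-0412 pages=5
2017-05-10T13:10:58Z printer=prt-07 user=ghill doc_id=RPT-0412 pages=5
2017-05-10T16:48:02Z printer=prt-3f user=ikim doc_id=RPT-0412 pages=5
this line is deliberately malformed and must be skipped
"""

# Constructed sample mail-gateway log: internal sender and external recipient.
MAIL_LOG = """\
2017-05-01T12:00:00Z user=efox to=tips@news-example.org
2017-05-11T18:02:00Z user=adoe to=cousin@example.net
2017-05-12T21:40:12Z user=dlee to=tips@news-example.org
2017-05-12T22:01:44Z user=dlee to=Tips@News-Example.org
2017-05-13T09:12:09Z user=bsmith to=vendor@supplier-example.com
2017-05-13T10:00:00Z user=cjones to=tips@news-example.org
"""

# Hypothetical watch-list of news-organization mail domains.
NEWS_DOMAINS = {"news-example.org"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse 'timestamp k=v k=v ...' into a dict with the timestamp under 'ts'.
    Returns None for blank or malformed lines instead of raising."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    rec = {"ts": parts[0]}
    rec.update(KV_RE.findall(parts[1]))
    return rec


def who_printed(doc_id, print_log=PRINT_LOG):
    """Map each user who printed doc_id to the timestamp of their earliest print.
    Timestamps are ISO-8601 UTC strings, so string comparison orders them correctly."""
    first = {}
    for line in print_log.splitlines():
        rec = parse_line(line)
        if rec and rec.get("doc_id") == doc_id and "user" in rec:
            first[rec["user"]] = min(first.get(rec["user"], rec["ts"]), rec["ts"])
    return first


def shortlist(doc_id, print_log=PRINT_LOG, mail_log=MAIL_LOG, news_domains=NEWS_DOMAINS):
    """Users who printed doc_id and afterwards mailed an address at a news domain.
    Returns {user: [(ts, recipient), ...]}; mail sent before the user's first print
    of the document is ignored, since it cannot be a transmission of that print."""
    printed = who_printed(doc_id, print_log)
    hits = {}
    for line in mail_log.splitlines():
        rec = parse_line(line)
        if not rec or "user" not in rec or "to" not in rec:
            continue
        user, recipient = rec["user"], rec["to"]
        domain = recipient.rpartition("@")[2].lower()
        if user in printed and domain in news_domains and rec["ts"] > printed[user]:
            hits.setdefault(user, []).append((rec["ts"], recipient))
    return hits


if __name__ == "__main__":
    doc = "RPT-0412"
    print(f"{len(who_printed(doc))} users printed {doc}")
    for user, msgs in shortlist(doc).items():
        print(user, "->", msgs)
```

Six constructed users print the document; one of them later mails the news domain and is the only name returned.  The user who mailed the same domain before ever printing it, and the user who mailed it but never printed the document, both drop out.  With logs that mix time zones, parse the timestamps into aware datetime objects rather than comparing strings.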

Common themes:  the NSA needs to watch the employees of its contractors carefully; IT has a record, somewhere; criminals get arrested; a newspaper can inadvertently disclose confidential sources.



Filed under Access, Controls, Corporation, Duty, Employees, Governance, Government, Information, Internal controls, IT, Oversight, Ownership, Protect assets, Security, Third parties, Vendors

You manage what you measure

If the Board asks how much the company paid for something, “I don’t know” isn’t a good answer.  Neither is “We can’t track that today.”

“Algorithms Help Calpers Tally Fees,” The Wall Street Journal, May 23, 2017 B1. The question was how much the pension plan had paid private-equity managers in performance fees.  It turns out the answer was $3.4 billion over 25 years, with $490 million last year.  The answer was derived using algorithms.

“It took five years to develop a new data collection system that requires private-equity managers to fill out various templates describing their various fees.”

How comforting – a self-graded exam for $3.4 billion in fees.

What’s information worth?  How can you manage without it?  How did they?


Filed under Access, Analytics, Board, Collect, Controls, Corporation, Data quality, Directors, Duty, Governance, Information, Internal controls, Management, Operations, Oversight, Protect information assets, Third parties, Use, Value, Vendors


A necessary element of governance is that you have rules, or standards, to which the governed are supposed to adhere. Problems often arise when people don’t follow the rules. But can slavishly following the rules be as bad?  Depends on the rules.

“Behind United Airlines’ Fateful Decision to Call Police,” The Wall Street Journal, April 17, 2017 B1.   United has a strong command and control system, and a system that rewards tenure over merit.  Rules for everything.  Rules that apply even to the third-party operator of last week’s flight from Chicago.

But who instituted a rule that requires having police haul a non-disruptive, paying passenger off a flight?  Seemed like a good idea at the time, I guess.  Hard to imagine this happening at an airline that hired attitudes rather than resumes.

Is a corporate cultural norm that would have avoided this also a part of governance?  Is that the “ethics” part of ethics and compliance?


Filed under Board, Compliance, Controls, Corporation, Culture, Duty, Employees, Governance, Internal controls, Oversight, Risk assessment, Third parties, Vendors

Tuesday Trifecta

Tuesday’s WSJ had three articles of note.

“Wells Slams Former Bosses’ High-Pressure Sales Tactics,” The Wall Street Journal, April 11, 2017 A1.  The former CEO and board members failed to adequately supervise, leading to the account-cramming scandal.  A proxy advisory firm recommends voting against 12 of the bank’s directors.  No lawsuits against the directors were reported at the time of the scandal, or since. Yet.

“At Barclays, a Probe of the CEO,” The Wall Street Journal, April 11, 2017 A1 (linking to an article on B1).  UK regulators join the probe of the current CEO’s attempt to learn the identity of the author of a letter complaining about the hiring of one of the CEO’s buddies.  Barclays is investigating.  Watch this space.

“A United Passenger’s Treatment Stirs Furor,” The Wall Street Journal, April 11, 2017 A1.  United is pilloried after a man is dragged off a plane being operated by one of United’s contractors.

Takeaways (different from Lessons Learned):

  • most major business scandals/crises are attributed to a management failure, of one type or another (see The Lessons of Longford).
  • CEOs need assistance to prevent them from doing dumb stuff.
  • You can be liable when one of your contractors ignores your prime mission in a customer-facing business.

Interestingly enough, all of these would be good teaching cases in a course on crisis management.


Filed under Board, Compliance, Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Internal controls, Oversight, Supervision, Vendors

Test reports

Are you in a business that provides test results of your product to your prospective customers?

“Takata Pleads Guilty in Air-Bag Case,” The Wall Street Journal, February 28, 2017 B3.  Pays a $25 million criminal fine and $975 million in other penalties, having pleaded guilty to one (1) count of providing misleading test reports on its air bags.

Having “faulty” information is bad enough.  But transmitting it to others? Priceless.


Filed under Accuracy, Board, Compliance, Controls, Corporation, Culture, Data quality, Duty, Governance, Oversight, Protect information assets, Supervision, Vendors

Due diligence in M&A

“H-P Deal Leads to Indictment,” The Wall Street Journal, November 12, 2016 B4.  Autonomy’s former CFO indicted for fraud in the sale of the company to Hewlett-Packard.

This was fairly bog-standard alleged fraud, albeit on a much grander scale (nearly $9 billion).  Follows a $100 million payment by H-P to some of its shareholders.

Is this a value-of-information case or a value-of-compliance case (for Autonomy)?  Or just poor due diligence by H-P?  How did Autonomy’s board miss this?  How did H-P (and its lawyers and investment advisers) miss this, pre-acquisition?  Might this be worthy of another post-Caremark decision on negligent oversight?  If not, what will it take to hold a board liable for failing to meet its fiduciary duties?


Filed under Accuracy, Board, Collect, Communicate, Compliance, Compliance Verification, Controls, Corporation, Data quality, Directors, Duty, Duty of Care, Employees, Governance, Inform market, Inform shareholders, Information, Internal controls, Management, Oversight, Protect, Protect assets, Protect information assets, Reliance, Third parties, Value, Vendors