Category Archives: Governance

Who checks the checkers?

Compliance with law and compliance with policy and procedure are relatively easy to establish.  But compliance with ethics?

“Journal Reporter Fired Over Ethics,” The Wall Street Journal, June 22, 2017 A2.  A foreign affairs reporter at The Wall Street Journal was fired for something related to “his dealings with an aviation tycoon whom he had cultivated as a source.”  Further details weren’t provided.  It may have been the offer from the tycoon of a share in one of his companies.  Perhaps he wasn’t totally honest with the paper about something (but we don’t know what, yet).  A violation of journalistic ethics?

All this may have been revealed following a hack of email or text messages, or both.

Seems a bit squishy without more details as to what were the ethics and what was the violation.  Were I a reporter for the paper, I’d be curious what the lines were and how were they crossed.  This perhaps goes beyond the common stricture of “Don’t lie, cheat, or steal.”

Were this a corporate exec or a governmental official, would we get more detail?  Who checks the checkers?

Leave a comment

Filed under Compliance, Controls, Culture, Duty, Employees, Governance, Internal controls, IT, Oversight, Security

Criminal charges for a CEO

Corporations get charged with criminal conduct from time to time.  But seldom does the CEO at the time also get charged.

“Barclays Hit With Fraud Charges,” The Wall Street Journal, June 21, 2017 B1.  Charges of fraud and illegal payments filed against the bank and its former CEO (and a few other executives) in the UK.

As usual, the shareholders get the bill for any fines (and any diminution in share value).  Curiously absent were any charges against the directors of the Bank’s Board at the time.  But maybe the failure of the Board to detect this level of criminal activity will result in civil suits against the directors for negligent supervision.

Maybe Shearman & Stirling can write another report. (See Wells Fargo posts, supra).  Willie Sutton wasn’t the only crook who knew where the money is/was.

Leave a comment

Filed under Board, Compliance, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, Oversight, Protect assets, Risk assessment, Supervision

Snitches get stitches

Apparently, keeping the identities of confidential informants secret poses some challenges.  Are there information governance lessons to be learned?

“Inmates Targeting Informants,” The Wall Street Journal, June 21, 2017 A3. “[C]lose to 700 witnesses and informants believed to have cooperated with the government have been threatened, wounded or killed” over three years.  One source of information: online court records that provide clues as to who cooperated with the prosecutors.  Some inmates may be posting their sentencing files to establish their bona fides.

Hard to classify this in this blog.  Does this pertain to

  • the value of accurate and complete information
  • the risk in making information widely available
  • the government’s duty to protect informants
  • the government’s duty to have a transparent criminal justice system
  • a defendant’s right to confront his/her accusers
  • the need for security and the difficulty in providing it
  • the proactive value of disclosure
  • the fact that information can be misused
  • the difficulty in creating effective controls
  • other?

 

Leave a comment

Filed under Access, Accuracy, Communications, Compliance, Controls, Data quality, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Privacy, Protect assets, Risk, Third parties, Value

Duty of Directos

One of my common themes is the duty of directors.  They get paid a lot of money to act as fiduciaries for the company’s shareholders.

“Warren Keeps Pressure on Wells,” The Wall Street Journal, June 20, 2017 B10.  Senator Elizabeth Warren (D. Mass.) is leaning on the Federal Reserve (arguably an independent body) to remove 12 directors who served on Wells Fargo’s Board when the account- cramming scandal was going on.  Other problems have emerged at Wells Fargo since then.

The shareholders didn’t/couldn’t vote them out in April, and so far (as I know) the directors haven’t been held personally liable for negligent oversight.  So it’s nice that someone is still pursuing the people in charge at the time that (some of the) bad things were happening.

Some executives got fired or their bonuses were docked.  The shareholders lost a bundle in fines and penalties paid by the company.  It would be nice if the directors were held responsible and accountable — not just to penalize them, but to put other directors on notice of what they are getting paid to do, and for whom.

Would be nice to have a poster child for the director’s duty.

Leave a comment

Filed under Board, Compliance, Compliance, Compliance Verification, Controls, Culture, Directors, Duty, Duty of Care, Governance, Inform shareholders, Internal controls, Oversight, Oversight, Protect assets, Risk Assessment, Risk assessment, Supervision

Contractors and the Cloud

Do you have contractors who analyze your data for you?  Do they use cloud storage?  Do you know?  How secure it that?  Is that prohibited by your service contract?

“Data on 198 Million Votes Exposed Online,” The Wall Street Journal, June 20, 2017 A4. Deep Root Analytics, a Republican party consultant, used an online storage system that was reportedly open to the world for several days.  Most/some of the information exposed was publicly available information on voters.  A lot of voters.

Well, at least the Russians (or the DNC) didn’t hack it.  Or did they?

What controls do you have that protect information your consultants are using and the opinions you are paying them to provide you?  Do you care?  It’s not like it’s money or anything.

Leave a comment

Filed under IT, Security, Governance, Protect assets, Controls, Third parties, Board, Management, Protect information assets, Protect, Oversight, Access, Duty, Vendors, Corporation

Weakest link

Where do you start if you want to pierce a corporation’s cybersecurity protections?  The CEO.

“Goldman, Citi Bosses Duped by Email Prankster,” The Wall Street Journal, June 13, 2017 B11.  Although nothing confidential was leaked, the CEOs bought into phishing emails.

Hard to blame the Chief Information Security Officer.  One assumes there’s a policy in place, but can you write a policy to protect against this?  Who else in the corporation isn’t following the existing policy?  How do you fix? Two-factor authentication for every email to/from a senior exec?  Encryption?

Leave a comment

Filed under Access, Compliance, Compliance, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Management, Policy, Security

What will you (or they) need twenty years from now?

How do you forecast what information the company will need twenty years from now, long after your retirement?

“First Job of Dismantling Nuclear Plants: Find a Russian Speaker,” The Wall Street Journal, June 12, 2017 A1.  Dismantling engineers encounter problems when trying to decontaminate and tear down an old nuclear facility.  The engineering drawings are not necessarily accurate as-built diagrams, and a lot of the language is Russian.

An organization needs a lot of information.  One area is “What information will we need when it’s time to dismantle this great thing we just built?”  Is this information governance, records management, or knowledge management?  Does it matter?  Who owns this problem?  This same problem  came up in my prior life when looking at the information requirements to shut down and dismantle a North Sea oil platform – a lot of that information needs to be captured at the front end and during the life of the facility, and maintained until the facility is removed.

Leave a comment

Filed under Accuracy, Collect, Controls, Governance, Internal controls, Knowledge Management, Management, Oversight, Use