Category Archives: Duty of Care

Criminal charges for a CEO

Corporations get charged with criminal conduct from time to time.  But seldom does the CEO at the time also get charged.

“Barclays Hit With Fraud Charges,” The Wall Street Journal, June 21, 2017 B1.  Charges of fraud and illegal payments filed against the bank and its former CEO (and a few other executives) in the UK.

As usual, the shareholders get the bill for any fines (and any diminution in share value).  Curiously absent were any charges against the directors of the Bank’s Board at the time.  But maybe the failure of the Board to detect this level of criminal activity will result in civil suits against the directors for negligent supervision.

Maybe Shearman & Stirling can write another report. (See Wells Fargo posts, supra).  Willie Sutton wasn’t the only crook who knew where the money is/was.


Filed under Board, Compliance, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, Oversight, Protect assets, Risk assessment, Supervision

Snitches get stitches

Apparently, keeping the identities of confidential informants secret poses some challenges.  Are there information governance lessons to be learned?

“Inmates Targeting Informants,” The Wall Street Journal, June 21, 2017 A3. “[C]lose to 700 witnesses and informants believed to have cooperated with the government have been threatened, wounded or killed” over three years.  One source of information: online court records that provide clues as to who cooperated with the prosecutors.  Some inmates may be posting their sentencing files to establish their bona fides.

Hard to classify this in this blog.  Does this pertain to

  • the value of accurate and complete information
  • the risk in making information widely available
  • the government’s duty to protect informants
  • the government’s duty to have a transparent criminal justice system
  • a defendant’s right to confront his/her accusers
  • the need for security and the difficulty in providing it
  • the proactive value of disclosure
  • the fact that information can be misused
  • the difficulty in creating effective controls
  • other?

Filed under Access, Accuracy, Communications, Compliance, Controls, Data quality, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Privacy, Protect assets, Risk, Third parties, Value

Duty of Directors

One of my common themes is the duty of directors.  They get paid a lot of money to act as fiduciaries for the company’s shareholders.

“Warren Keeps Pressure on Wells,” The Wall Street Journal, June 20, 2017 B10.  Senator Elizabeth Warren (D. Mass.) is leaning on the Federal Reserve (arguably an independent body) to remove 12 directors who served on Wells Fargo’s Board when the account-cramming scandal was going on.  Other problems have emerged at Wells Fargo since then.

The shareholders didn’t/couldn’t vote them out in April, and so far (as I know) the directors haven’t been held personally liable for negligent oversight.  So it’s nice that someone is still pursuing the people in charge at the time that (some of the) bad things were happening.

Some executives got fired or their bonuses were docked.  The shareholders lost a bundle in fines and penalties paid by the company.  It would be nice if the directors were held responsible and accountable — not just to penalize them, but to put other directors on notice of what they are getting paid to do, and for whom.

Would be nice to have a poster child for the director’s duty.


Filed under Board, Compliance, Compliance, Compliance Verification, Controls, Culture, Directors, Duty, Duty of Care, Governance, Inform shareholders, Internal controls, Oversight, Oversight, Protect assets, Risk Assessment, Risk assessment, Supervision

Weakest link

Where do you start if you want to pierce a corporation’s cybersecurity protections?  The CEO.

“Goldman, Citi Bosses Duped by Email Prankster,” The Wall Street Journal, June 13, 2017 B11.  Although nothing confidential was leaked, the CEOs bought into phishing emails.

Hard to blame the Chief Information Security Officer.  One assumes there’s a policy in place, but can you write a policy to protect against this?  Who else in the corporation isn’t following the existing policy?  How do you fix? Two-factor authentication for every email to/from a senior exec?  Encryption?


Filed under Access, Compliance, Compliance, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Management, Policy, Security

Rank has its privileges

One might suppose accountability and responsibility apply to CEOs.  Then, again ….

“Gymnastics Boss Paid Severance,” The Wall Street Journal, June 3, 2017 A9.  The CEO, who was nominally in charge when the team doctor for the women’s gymnastics team allegedly abused female gymnasts, gets a $1 million severance package.

One wonders what the Board would have paid him if they fired him for cause.  The gymnastics federation reportedly sat on the results of an internal investigation of the sexual abuse allegations for five weeks.  The CEO said the federation didn’t have an obligation to report sexual abuse by its coaches to law enforcement.  Didn’t the ex-president of Penn State just get sentenced to jail for similar acts or omissions?

One of the Board’s fundamental jobs is to hire the CEO; another is oversight.  Everyone has a duty to report violations of law.  It would appear either the Board or the CEO or the Federation wasn’t doing its or his job.  Maybe the Board gets severance, too.  What do the shareholders get?

The bill.


Filed under Board, Compliance, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, Oversight, To report

What questions should a director ask?

Directors are a fundamental part of corporate governance, standing between ownership (the shareholders) and management, and owing fiduciary duties of care and loyalty to the shareholders.  It’s not an honorary role.

But what if they are willfully or negligently blind when major problems arise, and don’t even know enough to ask management about them?

“Theranos Directors Missed Red Flags,” The Wall Street Journal, May 31, 2017 B1. Retired Admiral Gary Roughead and former Secretary of State George Shultz apparently failed to ask key questions, or any questions at all.  Hard to claim protection of the business judgment rule when you don’t make a judgment.

I thought all I had to do was show up and cash the checks.  You mean I needed to understand what the business did?  I have no background in this business.  What do you mean the insurance may not cover me?


Filed under Board, Controls, Culture, Directors, Duty, Duty of Care, Governance, Inform shareholders, Internal controls, Oversight, Oversight

Where does one start?

Two front-page items today relating to information and governance and compliance, or some combination thereof.

“Trump Shared Secrets With Russians,” The Wall Street Journal, May 16, 2016 A1.  President Trump shared with the Russians “sensitive intelligence” received from an ally.  May have compromised the source.

“Hack Probe Zeroes In on How Virus Invaded Networks,” The Wall Street Journal, May 16, 2016 A1.  WannaCry ransomware infects various networks worldwide.  Similar to an NSA hack, or are you still using XP?

Regardless whether the President shared actual sources and methods, or just enough to figure them out, this bears scrutiny.  What impact (cost) will this have on future intelligence sharing by allies?  Who in your organization has access to secret stuff, and how well do they manage it?

As for WannaCry, are we really only as secure as our weakest link?  Lots and lots of links.

Filed under Access, Controls, Duty, Duty of Care, Governance, Government, Information, Interconnections, Internal controls, IT, Protect assets, Security, Third parties, Value