Category Archives: Policy

Weakest link

Where do you start if you want to pierce a corporation’s cybersecurity protections?  The CEO.

“Goldman, Citi Bosses Duped by Email Prankster,” The Wall Street Journal, June 13, 2017 B11.  Although nothing confidential was leaked, the CEOs fell for phishing emails.

Hard to blame the Chief Information Security Officer.  One assumes there’s a policy in place, but can you write a policy to protect against this?  Who else in the corporation isn’t following the existing policy?  How do you fix it? Two-factor authentication for every email to/from a senior exec?  Encryption?  Neither would have helped here: two-factor authentication protects the account and encryption protects the message in transit, but nothing about either stops an executive from replying to a sender who isn’t who he says he is.


Filed under Access, Compliance, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Management, Policy, Security

The self-governing company

Uber fired the executive at the heart of its dispute with Google over self-driving cars.  The exec failed to meet a deadline to comply with a court order to turn over documents in the trade secret case. “Uber Fires Executive At Center Of Suit,” The Wall Street Journal, May 31, 2017 A1.

Lesson?  If you hire an employee away from a competitor and he’s accused of stealing his former employer’s trade secrets, try your best to look good.

What’s your process for keeping new employees, especially from competitors, from damaging your business and your reputation by bringing in your competitor’s trade secrets?  Did you follow it, or is it just there for show?


Filed under Communications, Compliance, Controls, Corporation, Duty, Employees, Governance, Information, Internal controls, Management, Managers, Oversight, Ownership, Policy, Protect, Third parties, Value

It’s not Caesar’s wife – it’s Caesar

How do you enforce a non-retaliation policy when the CEO ignores it?

“Barclays CEO is Probed Over Bid to Unmask Whistleblower,” The Wall Street Journal, April 10, 2017 (online).  The CEO attempted to learn the identity of an employee who had criticized the hiring of one of the CEO’s buddies.  He asked his internal security people to find out who the author was; he was rebuffed the first time (he was told it would be inappropriate), but persisted by asking them to look into it again.

Where does one start?  Sounds like a law school exam question.  “Analyze and discuss.”

How do you enforce this policy (or any policy) when the CEO ignores it?  This time it was anti-retaliation; next time he might not hold the handrail, or might violate some other company policy.  What does the organization see when the CEO does this?

Here, he got a formal reprimand and will forfeit part of his bonus.  How can he remain in his post?  How does this discipline compare to what others have gotten for similar misconduct?  Will the Board members be reelected?  What message would terminating his employment send? If he violates some other policy (large or small) in the future, can the shareholders sue the directors individually for grossly negligent oversight?

Not sure how long an “A” answer would need to be.


Filed under Board, Compliance, Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Internal controls, Management, Managers, Oversight, Policy

Deception strategy

How do you prevent the competition from punking your business?  Caller ID helps the pizza delivery business identify who’s calling.

“Uber Used Program to Evade Authorities,” The Wall Street Journal, March 6, 2017 B4.  Uber apparently wrote its terms of service to permit this, and monitors data on who is calling and from where, to reduce competitors’ interference with its business (by making fake calls).  The same program also identifies people suspected of running a law enforcement sting operation.

So Uber looks for clues to see if you’re a regulator.  Do you use a burner phone?  Does your credit card belong to a regulatory agency? Is this using information to support your business model?


Filed under Access, Accuracy, Analytics, Business Case, Collect, Controls, Governance, Management, New Implications, Operations, Policy, Protect assets, Risk assessment, Use

Wealth Mismanagement

Yes, the Oscars ceremony had its information mix-up, when Warren Beatty was given the wrong envelope.  But who was (and “was” is probably the operative word) in charge of calculating and communicating the cost basis for stock?

“Morgan Stanley Gave Clients Wrong Data,” The Wall Street Journal, February 28, 2017 B9.  The firm miscalculated the cost basis, and therefore the gain, on sales of stock by the firm’s wealth-management clients for five years.  Anticipated cost: $70 million.

How do you ensure that the right information is getting to the right place (person) at the right time?  What controls do you have in place?  Are those controls people, process, or technology?  While it took PwC a few minutes to correct the error at the Oscars, it took Morgan Stanley five years.  Who had the better process?


Filed under Accuracy, Collect, Communicate, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Internal controls, Management, Managers, Oversight, Policy, Protect, Protect assets, Use

The reason for policies

What happens when company employees don’t follow company policies?

“J.P. Morgan Settles Asia Jobs Probe,” The Wall Street Journal, November 18, 2016 B1.  The company apparently had a policy prohibiting the hiring of the sons and daughters of clients and potential clients.  Then it created a program to do exactly that in Asia, resulting in a lot of red faces and $264 million in fines for FCPA violations.

Why do you have the policies you have?  Some are to assist compliance with law, while others just make good business sense.  Why, exactly, would you fast-track the hiring of the offspring of clients and potential clients?  Because they were the best and the brightest, or because doing so “facilitated” relationships?  To obtain or retain business?

Who’s going to get fired?  Who, ultimately, is going to pay the fine?


Filed under Board, Compliance, Controls, Corporation, Directors, Duty, Employees, Governance, Legal, Management, Oversight, Policy, Requirements, Risk

Failure to report up

Some laws require you to tell the government stuff.

“Penn State Fined for Crime Reporting Lapses,” The Wall Street Journal, November 4, 2016 A2.  Federal law requires schools to report crimes correctly, and Penn State didn’t report various incidents involving football coach Jerry Sandusky.

At common law, employees have a duty to their employer to report violations of company policy.  Most companies have a policy against violating law.  Do employees routinely do this?  Is this a major compliance gap?


Filed under Business Case, Compliance, Corporation, Data quality, Definition, Duty, Employees, Governance, Information, Legal, Oversight, Policy, Requirements, Risk, To report