Category Archives: Risk assessment

Catching up, part 3

Continuing from https://infogovnuggets.com/2019/01/04/catching-up-again/ and https://infogovnuggets.com/2019/01/04/catching-up-again-part-2/, and https://infogovnuggets.com/2019/01/04/catching-up-part-3/

  1. Conflicts with conflicts

    “Justice Department Chides McKinsey in Another Bankruptcy Case,” The Wall Street Journal, December 17, 2018.  McKinsey continues to fail to make what are viewed as adequate disclosures of conflicts when advising bankruptcy estates, and may not get paid for its work as a result.

  2. Voter data

    “Fight Over Voter Data Roils Democrats Ahead of Election,” The Wall Street Journal, December 17, 2018. Have Republicans been better than the Democrats at collecting and storing information?  What’s this worth?

  3. Your business partner wants you to call a shareholders’ meeting

    “Renault Urges Nissan to Call for Shareholder Meeting Following Nissan Indictment,” The Wall Street Journal, December 17, 2018.  Is this interfering with “your” governance?  Is this a compliance matter, or a partnership matter, where your partner is concerned that you are keeping your CEO as CEO while he sits in jail?

  4. Is a dance move “information”?

    “The ‘Fortnite’ Dance Move That Spawned a Lawsuit,” The Wall Street Journal, December 17, 2018.  While longer dance routine can be protected by copyright law (which was a bit surprising to me), not so (so far) for “snippets.”

  5. Hiding risk information may be a problem

    “Glencore-Controlled Miner to Be Fined by Canadian Authorities Over Congo Ops,” The Wall Street Journal, December 17, 2018.  Fine of $22 million for company and some of its former directors and executives for hiding the risks of doing business with someone connected to Congolese president.  Is a risk analysis information?  Can you hide that from the shareholders?

  6. Warning signs

    “Goldman Sachs Ignored 1MDB Warning Signs in Pursuit of Asian Business,.” The Wall Street Journal, December 18, 2018.  Can chasing business too hard lead one to ignore important information and sidestep important controls?  What controls can you put in place to avoid having this happen to you?  Is this an oversight issue?  Do criminal charges and huge fines lay ahead?

  7. VW vendor pleads

    “Volkswagen Supplier to Plead Guilty to Conspiracy, Pay $35 Million Fine in Emissions-Cheating Probe,” The Wall Street Journal, December 19, 2018. Company that designed the software used to fool or, as some say, cheat, the emission test pleads guilty to crime and pays a fine to US.  VW has paid more than $20 billion.  Is this just compliance-related, or is there also an information hook here?  Design a software to work around a government test.

  8. Looking for a whistleblower

    “Barclays Fined $15 Million by New York Over CEO’s Anti-Whistleblower Push,” The Wall Street Journal, December 19, 2018.  The CEO had tried to use the company’s security department to locate the writer of a letter critical of a recent hire.  He pressecd on, despite advice from the head lawyer and the chief compliance officer (costing him £642,000 in fines and £500,000 of his bonus).  So the shareholders pay more than the CEO did.  Go figure.

  9. Hiding the names of the guilty

    “Illinois Dioceses Withheld Names of Accused Priests, Report Says,” The Wall Street Journal, December 20, 2018.  Can you legally not disclose the name of an employee or a contractor who was accused of sexual abuse?  Is this a governance issue or a compliance issue or an information issue?  Or a reputation problem?

  10. Ethics and policies
    “Is It Really Five Stars? How to Spot Fake Amazon Reviews,” The Wall Street Journal, December 21, 2018. How Amazon goes about trying to separate the wheat from the chaff.  How does your company determine what’s a fake review and what’s the real deal?

  11. Information/price linkage

    “Room for Improvement? New Hotelier Tests an Algorithmic Pricing System,” The Wall Street Journal, December 22, 2018.  Using information about a customer and from a customer to establish the price for future sales to that customer.  Interesting linkages at a new hotel chain.

Advertisements

1 Comment

Filed under Collect, Communications, Compliance, Compliance (General), Controls, Corporation, Definition, Directors, Duty, Duty of Care, Employees, Governance, Information, Investor relations, Management, Oversight, Ownership, Privacy, Records Management, Risk assessment, Supervision, Third parties, To report, Use, Value, Vendors

Coming up to speed

Marriott Says Starwood Data Breach Affects Up to 500 Million People,” The Wall Street Journal, November 30, 2018 (online).  Data breach potentially affecting passports and credit cards of as many as 500 million guests at Marriott’s Starwood properties, which were acquired in 2016.  They knew about this in September, but reflects a breach that may go back to 2014.

So, two years after an acquisition, the target’s information security practices blow up in the acquiror’s face.  What does that say about the acquiror’s duty to integrate the data practices and controls around information protection?

Does your M&A team think about information governance issues?  Is that an identified risk, with an identified (and owned) action plan?  Did the Board identify this as a risk?  What the value of this information considered part of the transaction value?  How was that reflected?

Leave a comment

Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Value

Where’s Rosemary Woods?

“Trudeau Says Canadians Heard Khashoggi Tapes,” The Wall Street Journal, November 13, 2018 A7. Canadian intelligence officials hear audio tapes related to killing.

One assumes that this is a tape of some conversation picked up by intelligence folks after the killing, and not a recording of the killing itself.  Unless someone wanted to have proof for the boss.  Perhaps intelligence agencies spy on other governments or phone calls.

Often, people think information governance is all about the written word.  But the spoken word is information, too, whether it is recorded or not.  It’s just a problem of proof.  Is someone listening or taping your conversation?  Would it matter?

Leave a comment

Filed under Access, Accuracy, Communications, Controls, Definition, Duty, Governance, Government, Information, Internal controls, Risk assessment, Security, Third parties

Too much information?

“Boeing Withheld Data On Potential Hazards,” The Wall Street Journal, November 13, 2018 A1.  Did Boeing fail to disclose potential problems with its new flight-control feature?  Was that a factor in the Lion Air crash in Indonesia, killing 189 people?

Maybe this feature didn’t factor into the crash; we’ll have to wait for the cockpit voice recorder and the flight data recorder.  But if you know something and don’t tell other people who would like to know — well, that’s bad.  Even if you didn’t want to confuse them by providing them too much information.  Was it better “marketing” to tell their customers that they wouldn’t need as much training?

How do you decide how much information to provide your customers?  Are there problems you don’t mention?  Why?

Leave a comment

Filed under Access, Accuracy, Communicate, Communications, Controls, Corporation, Data quality, Duty, Duty of Care, Governance, Information, Internal controls, Management, Risk assessment, Third parties

Technology controls

“Wells Fargo Technology Under Scrutiny,” The Wall Street Journal, November 8, 2018 B11. Questions being raised about the technology the bank uses for cybersecurity and risk management.

Do you have the right technology to effectuate the controls you have placed around information?  Will your regulators agree?  If you are already on the regulator’s radar screen, will your controls measure up?

Leave a comment

Filed under Controls, Corporation, Duty, Governance, Internal controls, IT, Oversight, Protect, Protect assets, Risk assessment, Security, Technology

Consequences

“U.S. to Restrict Chip Maker,” The Wall Street Journal, October 30, 2018 A5.  Company accuses another company of stealing intellectual property. US government “restricts” US firms from dealing with the accused thief, which is owned by the Chinese government.

So, even though the accused thief has not been held legally liable, either civilly or criminally, the US government picks a winner.

Leaving that issue aside, does your risk analysis include this consequence when determining what could happen if someone at your company does something inappropriate with a third party’s intellectual property?  Do you have sufficient controls to address this risk?

Leave a comment

Filed under Compliance, Compliance (General), Controls, Governance, Internal controls, Oversight, Risk assessment

It’s all information

This blog explores, from time to time, the outer reaches of the intersection(s) of Information, Governance, and Compliance.

Consider, for a moment, a fingerprint.  Not what you normally consider “information.”  And one seldom thinks of “managing” a fingerprint.  Who owns your fingerprint?  But consider the value of a fingerprint, and both the failure to “manage” or control where that fingerprint can be found and the ability to find that fingerprint and locate its owner.  How much information governance is involved in this process?

“Fingerprint Leads to Arrest Of Bomb Suspect in Florida,” The Wall Street Journal, October 27, 2018 A1.  Alleged mail bomber’s fingerprint in a package sent to a legislator leads to arrest of suspect.

Which leads me to the question,”What is there that isn’t information that is managed or controlled in our lives, or a least directly related to information that is managed?”  I struggle to find an example of something that isn’t information, or directly related (perhaps somewhat remotely) to information that is managed or controlled.

 

Leave a comment

Filed under Access, Accuracy, Analytics, Collect, Compliance, Controls, Data quality, Definition, Duty of Care, Governance, Information, Management, Oversight, Ownership, Records Management, Risk assessment, Use, Value