Category Archives: Risk assessment

Catching up, part 3

Continuing from https://infogovnuggets.com/2019/01/04/catching-up-again/, https://infogovnuggets.com/2019/01/04/catching-up-again-part-2/, and https://infogovnuggets.com/2019/01/04/catching-up-part-3/

  1. Conflicts with conflicts

    “Justice Department Chides McKinsey in Another Bankruptcy Case,” The Wall Street Journal, December 17, 2018.  McKinsey continues to fail to make what are viewed as adequate disclosures of conflicts when advising bankruptcy estates, and may not get paid for its work as a result.

  2. Voter data

    “Fight Over Voter Data Roils Democrats Ahead of Election,” The Wall Street Journal, December 17, 2018. Have Republicans been better than the Democrats at collecting and storing information?  What’s this worth?

  3. Your business partner wants you to call a shareholders’ meeting

    “Renault Urges Nissan to Call for Shareholder Meeting Following Nissan Indictment,” The Wall Street Journal, December 17, 2018.  Is this interfering with “your” governance?  Is this a compliance matter, or a partnership matter, where your partner is concerned that you are keeping your CEO as CEO while he sits in jail?

  4. Is a dance move “information”?

    “The ‘Fortnite’ Dance Move That Spawned a Lawsuit,” The Wall Street Journal, December 17, 2018.  While a longer dance routine can be protected by copyright law (which was a bit surprising to me), not so (so far) for “snippets.”

  5. Hiding risk information may be a problem

    “Glencore-Controlled Miner to Be Fined by Canadian Authorities Over Congo Ops,” The Wall Street Journal, December 17, 2018.  Fine of $22 million for the company and some of its former directors and executives for hiding the risks of doing business with someone connected to the Congolese president.  Is a risk analysis information?  Can you hide that from the shareholders?

  6. Warning signs

    “Goldman Sachs Ignored 1MDB Warning Signs in Pursuit of Asian Business,” The Wall Street Journal, December 18, 2018.  Can chasing business too hard lead one to ignore important information and sidestep important controls?  What controls can you put in place to avoid having this happen to you?  Is this an oversight issue?  Do criminal charges and huge fines lie ahead?

  7. VW vendor pleads

    “Volkswagen Supplier to Plead Guilty to Conspiracy, Pay $35 Million Fine in Emissions-Cheating Probe,” The Wall Street Journal, December 19, 2018. The company that designed the software used to fool or, as some say, cheat, the emissions test pleads guilty to a crime and pays a fine to the US.  VW has paid more than $20 billion.  Is this just compliance-related, or is there also an information hook here?  Designing software to work around a government test.

  8. Looking for a whistleblower

    “Barclays Fined $15 Million by New York Over CEO’s Anti-Whistleblower Push,” The Wall Street Journal, December 19, 2018.  The CEO had tried to use the company’s security department to locate the writer of a letter critical of a recent hire.  He pressed on, despite advice from the head lawyer and the chief compliance officer (costing him £642,000 in fines and £500,000 of his bonus).  So the shareholders pay more than the CEO did.  Go figure.

  9. Hiding the names of the guilty

    “Illinois Dioceses Withheld Names of Accused Priests, Report Says,” The Wall Street Journal, December 20, 2018.  Can you legally not disclose the name of an employee or a contractor who was accused of sexual abuse?  Is this a governance issue or a compliance issue or an information issue?  Or a reputation problem?

  10. Ethics and policies

    “Is It Really Five Stars? How to Spot Fake Amazon Reviews,” The Wall Street Journal, December 21, 2018. How Amazon goes about trying to separate the wheat from the chaff.  How does your company determine what’s a fake review and what’s the real deal?

  11. Information/price linkage

    “Room for Improvement? New Hotelier Tests an Algorithmic Pricing System,” The Wall Street Journal, December 22, 2018.  Using information about a customer and from a customer to establish the price for future sales to that customer.  Interesting linkages at a new hotel chain.


Filed under Collect, Communications, Compliance, Compliance (General), Controls, Corporation, Definition, Directors, Duty, Duty of Care, Employees, Governance, Information, Investor relations, Management, Oversight, Ownership, Privacy, Records Management, Risk assessment, Supervision, Third parties, To report, Use, Value, Vendors

Coming up to speed

“Marriott Says Starwood Data Breach Affects Up to 500 Million People,” The Wall Street Journal, November 30, 2018 (online).  Data breach potentially affecting passports and credit cards of as many as 500 million guests at Marriott’s Starwood properties, which were acquired in 2016.  They knew about this in September, but it reflects a breach that may go back to 2014.

So, two years after an acquisition, the target’s information security practices blow up in the acquiror’s face.  What does that say about the acquiror’s duty to integrate the data practices and controls around information protection?

Does your M&A team think about information governance issues?  Is that an identified risk, with an identified (and owned) action plan?  Did the Board identify this as a risk?  Was the value of this information considered part of the transaction value?  How was that reflected?


Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Value

Where’s Rosemary Woods?

“Trudeau Says Canadians Heard Khashoggi Tapes,” The Wall Street Journal, November 13, 2018 A7. Canadian intelligence officials hear audio tapes related to killing.

One assumes that this is a tape of some conversation picked up by intelligence folks after the killing, and not a recording of the killing itself.  Unless someone wanted to have proof for the boss.  Perhaps intelligence agencies spy on other governments or phone calls.

Often, people think information governance is all about the written word.  But the spoken word is information, too, whether it is recorded or not.  It’s just a problem of proof.  Is someone listening or taping your conversation?  Would it matter?


Filed under Access, Accuracy, Communications, Controls, Definition, Duty, Governance, Government, Information, Internal controls, Risk assessment, Security, Third parties

Too much information?

“Boeing Withheld Data On Potential Hazards,” The Wall Street Journal, November 13, 2018 A1.  Did Boeing fail to disclose potential problems with its new flight-control feature?  Was that a factor in the Lion Air crash in Indonesia, killing 189 people?

Maybe this feature didn’t factor into the crash; we’ll have to wait for the cockpit voice recorder and the flight data recorder.  But if you know something and don’t tell other people who would like to know — well, that’s bad.  Even if you didn’t want to confuse them by providing them too much information.  Was it better “marketing” to tell their customers that they wouldn’t need as much training?

How do you decide how much information to provide your customers?  Are there problems you don’t mention?  Why?


Filed under Access, Accuracy, Communicate, Communications, Controls, Corporation, Data quality, Duty, Duty of Care, Governance, Information, Internal controls, Management, Risk assessment, Third parties

Technology controls

“Wells Fargo Technology Under Scrutiny,” The Wall Street Journal, November 8, 2018 B11. Questions being raised about the technology the bank uses for cybersecurity and risk management.

Do you have the right technology to effectuate the controls you have placed around information?  Will your regulators agree?  If you are already on the regulator’s radar screen, will your controls measure up?


Filed under Controls, Corporation, Duty, Governance, Internal controls, IT, Oversight, Protect, Protect assets, Risk assessment, Security, Technology

Consequences

“U.S. to Restrict Chip Maker,” The Wall Street Journal, October 30, 2018 A5.  Company accuses another company of stealing intellectual property. US government “restricts” US firms from dealing with the accused thief, which is owned by the Chinese government.

So, even though the accused thief has not been held legally liable, either civilly or criminally, the US government picks a winner.

Leaving that issue aside, does your risk analysis include this consequence when determining what could happen if someone at your company does something inappropriate with a third party’s intellectual property?  Do you have sufficient controls to address this risk?


Filed under Compliance, Compliance (General), Controls, Governance, Internal controls, Oversight, Risk assessment

It’s all information

This blog explores, from time to time, the outer reaches of the intersection(s) of Information, Governance, and Compliance.

Consider, for a moment, a fingerprint.  Not what you normally consider “information.”  And one seldom thinks of “managing” a fingerprint.  Who owns your fingerprint?  But consider the value of a fingerprint, and both the failure to “manage” or control where that fingerprint can be found and the ability to find that fingerprint and locate its owner.  How much information governance is involved in this process?

“Fingerprint Leads to Arrest Of Bomb Suspect in Florida,” The Wall Street Journal, October 27, 2018 A1.  Alleged mail bomber’s fingerprint in a package sent to a legislator leads to arrest of suspect.

Which leads me to the question, “What is there that isn’t information that is managed or controlled in our lives, or at least directly related to information that is managed?”  I struggle to find an example of something that isn’t information, or directly related (perhaps somewhat remotely) to information that is managed or controlled.


Filed under Access, Accuracy, Analytics, Collect, Compliance, Controls, Data quality, Definition, Duty of Care, Governance, Information, Management, Oversight, Ownership, Records Management, Risk assessment, Use, Value

Your vendors

This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security.  But the topics do overlap.

So, what controls do you have in place to prevent someone from accessing your computer and changing the information there or, as important, changing how your computer operates?  That’s an identified risk, right?

“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3.  Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems.  Can the hackers take control of those systems or shut them down?

Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago?  Contractors can be a massive IT security risk.

Is this part of Information Governance?

What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems?  And to control the third parties who do have that access?  Is there a process?


Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Third parties, Vendors

Wells Fargo, revisited, again

“Wells Refunds Millions to Clients,” The Wall Street Journal, July 20, 2018 B1. Wells Fargo refunds insurance premiums to hundreds of thousands of customers who bought “add-on” services such as pet insurance, identity theft, home warranties, debt protection, and legal services.

This comes amidst an investigation by the CFPB as to whether the way these products were marketed was legal.

The last two years have been tough for Wells Fargo.  How deep did the cultural rot go?

File this one under (a) Governance and (b) Compliance.  And I guess under (c) Information, as well, if you do business with Wells Fargo.  Do the directors pay for this, too?


Filed under Compliance, Compliance (General), Corporation, Culture, Directors, Duty, Governance, Information, Oversight, Risk assessment

A Mayor’s challenge

“Probes, Cyberattack Distract Atlanta as It Pitches Amazon,” The Wall Street Journal, May 29, 2018 A3.  Investigations of former mayor and the aftermath of a ransomware attack hamper efforts to entice Amazon to the city.

Corporations should conduct structured risk assessments.  Do cities?

One assumes Atlanta has done a risk assessment and identified the risk of official misconduct.  Did it also capture the risk of a cyberattack?  Did the risk assessment suggest that if these risks occurred, Atlanta would lose the chance of phenomenal growth?


Filed under Business Continuity, Communicate, Compliance, Controls, Duty, Duty of Care, Governance, Government, Internal controls, IT, Management, Operations, Oversight, Protect assets, Risk assessment, Security, Third parties