Category Archives: Supervision

Poster boy for Information Governance

Years ago, while teaching a course to MBA students at Rice University, I used the Target credit card breach as a case study.  It touched a lot of bases.  Now we have a better one.

While there have been a lot of information governance-related stories in the news over the past two years, including Equifax and Facebook and VW and Wells Fargo, my nominee for the one name associated with the most significant teaching example in information governance and compliance is the former FBI Director, James Comey.

First, he gave us The Day That Information Governance Died, with his July 5, 2016 pronouncement that, notwithstanding her clear violations of several applicable laws dealing with the handling of confidential or secret information (and the destruction of information subject to a subpoena), Secretary Hillary Clinton’s use (and wiping) of a private server to store government email was not going to be prosecuted.  Such a pronouncement deviated “‘from well-established Department policies’” that the FBI does not comment about ongoing criminal investigations.

Then he wrote a memo ostensibly commemorating a meeting he had with his boss on government business on a government computer (while in a government vehicle) during the work day, and declared that that was his personal correspondence that he could (and did) distribute as he pleased.

And now we learn that he conducted government business over his own private gmail account {that information does not appear in the WSJ article – Ed.}, and actively avoided his boss’ oversight (and his bosses failed to adequately supervise him).  “Report Blasts FBI Agents, Comey Over Clinton Probe,” The Wall Street Journal, June 15, 2018 A1. Inspector General releases his report on the Clinton Investigation.

Recap:

  • Violations of law are not enforced
  • Evidence is destroyed notwithstanding a subpoena
  • Senior employees ignore long-standing policy
  • Senior employees treat documents prepared by them in the course of business as their personal information
  • Senior employees use private email accounts to transact government business
  • Employees hide things from their bosses
  • Bosses failed to adequately supervise their reports

And this is at the FBI, by a lawyer.

Does anyone wonder why we have a hard time getting traction on information governance initiatives?  Certainly an argument for an Information Governance case study of just the Clinton email investigation and its aftermath.  Not sure you could cover it all in one semester, at both law schools and business schools.

 

Filed under Communications, Compliance, Compliance (General), Controls, Culture, Discovery, Duty, Duty of Care, Employees, Governance, Government, Information, Internal controls, Lawyers, Managers, Oversight, Ownership, Ownership, Policy, Requirements, Supervision, Who is in charge?

Risk and Developers

After Hurricane Harvey, Houston residents could be heard asking, “What building developer would decide to build houses in a flood plain?” “Why would a City Official push such a project?” “Who would buy a house there?” “How would they ever get insurance?”  Similar discussions in flood-prone areas in Florida.

“Homes Were Built Despite Documented Lava Threat,” The Wall Street Journal, May 29, 2018 A3.  Affordable homes were built in an area with a history of lava risk.

Did we have any controls in place?  How were these controls implemented?  How many of them failed?  Who is responsible/accountable?

Next thing you know, we’ll rebuild houses in the same site.  Somebody else will pay for it.

If you always do what you’ve always done, you will always get what you always got.

Filed under Communications, Controls, Corporation, Duty, Duty of Care, Governance, Government, Oversight, Supervision

Sniff test

What happens to compliance when the CEO and her boyfriend collaborate to create a culture of secrecy and fear?

“Partners in Blood,” The Wall Street Journal, May 19, 2018 C1.  Reports from the trenches at Theranos, which said it was able to run a range of tests from a few drops of blood; it couldn’t.  SEC charges company with fraud, and investors lose millions.

While the implications of the CEO’s relationship go to Governance, are there also links to Compliance and Information?  What impact did the culture have on the company’s compliance?  How do investors know about the nature of a CEO’s personal relationships leaking into the corporate environment?

Who should have seen this and reported it to someone?  Why didn’t the directors smell a rat?

Filed under Board, Compliance, Culture, Culture, Directors, Duty, Employees, Governance, Oversight, Oversight, Risk, Supervision, To report

Shoes of the centipede

“Wells Fargo Faces More Woe Over Client Data,” The Wall Street Journal, May 18, 2018 B1.  Another shoe drops at Wells Fargo (when will it ever end?) after disclosure that employees in the wholesale business (non-consumer) banking side changed and added customer information without approval.  Reason: to meet a compliance deadline.

Is there another organization with so many compliance failures?  It started with consumer banking and credit cards and now seems to have permeated the entire enterprise.  Is it risky to call this an enterprise?  What influenced their behavior?  Why are the directors not in the dock?  Weren’t they in charge of establishing and ensuring the culture of compliance?  This is a bank, for God’s sake.

Is it easier to find someone who was or wasn’t involved in some type of bad behavior at Wells Fargo?

Filed under Accuracy, Board, Compliance (General), Controls, Corporation, Culture, Culture, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, Managers, Oversight, Oversight, Supervision

What does a lawyer do if the client ignores his advice?

The CEO arranged to hire one of his buddies for a senior job with the company.  Someone (employees? a shareholder?) sent a letter to a member of the Board complaining about the hiring.  The CEO asked Security to find out who wrote the letter, despite being told by Compliance and the General Counsel not to.  He persisted.

“Barclays CEO Hit With Penalties of $1.5 Million,” The Wall Street Journal, May 12, 2018 B1.  UK regulators fined him nearly $870,000 for a “serious error of judgment.”

What does it say about a company when the CEO doesn’t listen to the company’s General Counsel or Compliance department?  Is this a governance problem, a compliance problem, or an HR problem?  Costs the shareholders about the same.  And did either the General Counsel or Compliance advise the Board that the C?  What happened to them?

Filed under Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Duty, Employees, Governance, Internal controls, Lawyers, Oversight, Supervision, To report

To the surprise of no one

“Wells Kept Client’s Fund Fee Rebates,” The Wall Street Journal, May 10, 2018 B1.  Wells Fargo apparently failed to pass on fee rebates that Wells Fargo had received for a pension fund for which Wells Fargo acted as a trustee.

Whether it’s a process issue or a culture issue, lack of supervision, general incompetence, or a way of doing business, is anyone surprised?  Is it only at one pension fund?  Who knows?

Filed under Accuracy, Compliance, Compliance (General), Controls, Corporation, Culture, Duty, Governance, Internal controls, Oversight, Supervision, Third parties, To report, Vendors

It is indeed a world-wide web

“Tech Firms Update Privacy Protections,” The Wall Street Journal, May 8, 2018 B4.  Firms adjust their privacy policies to comply with European restrictions, even where the European restrictions don’t apply.

The US tried, with some success, to export the joys of ediscovery in litigation; Europe has successfully imposed/influenced privacy restrictions beyond their borders.

Is this just standardization for the convenience of the firms, or for the protection of their customers?  Does it matter?

Filed under Access, Compliance, Compliance (General), Controls, Corporation, Duty, Duty of Care, Governance, Interconnections, IT, Oversight, Policy, Privacy, Protect assets, Supervision, Third parties