Category Archives: Who is in charge?

Who’s the boss?

To have governance, is a single point of accountability required?

“Workers Deal With Too Many Bosses,” The Wall Street Journal, August 21, 2018 B1.  According  to a recent poll, two-thirds of employees have more than one boss.  Some employees respond by trying to manage their bosses.

From a Governance perspective, if you have multiple bosses, who sets your priorities?  Who establishes the policies and procedures and instructions that you, as an employee, must follow?  How does one resolve conflicts?

And which one person in your organization bears responsibility/accountability for the overall Governance of your company’s Information?  Your company’s overall Compliance with law and with company policy and procedures?

Without such a single point of accountability/responsibility, who gets punished if things don’t go right?  If no one is held responsible/accountable at the C-suite level, do you really have a program-in-fact, as opposed to a program-on-paper?

 

Advertisements

Leave a comment

Filed under Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Employees, Governance, Internal controls, Supervision, Who is in charge?

Gee, what could go wrong?

“Facebook Asks Banks for Customer Data,” The Wall Street Journal, August 7, 2018 A1. “[T]o offer new services to users,” Facebook asks banks for “detailed financial information about their customers.”

I can see what’s in it for Facebook, and maybe for the banks.  But isn’t this your information?  Shouldn’t you have some control what the banks do with it?  Are you comfortable with the controls the banks and Facebook will place on this information?  It might be convenient for you, but at what risk?

Do we remember Cambridge Analytica?  Will Facebook try to do this in Europe?

To whom do you complain?  Your elected representative?  Your bank?  The state or federal regulators?

Leave a comment

Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Information, Internal controls, Investor relations, IT, Oversight, Ownership, Privacy, Protect assets, Security, Third parties, Uncategorized, Who is in charge?

It’s not just VW

Often, a corporation’s violation of law don’t result in a conviction of the senior officers or directors.  Sometimes it does, and when it does, that’s a powerful compliance message.

“Audi CEO Is Arrested In Emissions Scandal,” The Wall Street Journal, June 19, 2018 A1. Executive jailed in Germany to prevent obstruction of ongoing investigation into emissions testing scandal at VW.

This goes to Governance, Compliance, and Information.

Leave a comment

Filed under Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Oversight, To report, Who is in charge?

Poster boy for Information Governance

Years ago, while teaching a course to MBA students at Rice University, I used the Target credit card breach as a case study.  It touched a lot of bases.  Now we have a better one.

While there have been a lot of information governance-related stories in the news over the past two years, including Equifax and Facebook and VW and Wells Fargo, my nominee for the one name associated with the most significant teaching example in information governance and compliance is the former FBI Director, James Comey.

First, he gave us The Day That Information Governance Died, with his July 5, 2016 pronouncement that, notwithstanding her clear violations of several applicable legal laws dealing with the handling of confidential or secret information (and the destruction of information subject to a subpoena), Secretary Hillary Clinton’s use (and wiping) of a private server to store government email was not going to be prosecuted.  Such a pronouncement deviated “‘from well-established Department policies'” that the FBI does not comment about  ongoing criminal investigations.

Then he wrote a memo ostensibly commemorating a meeting he had with his boss on government business on a government computer (while in a government vehicle) during the work day, and declared that that was his personal correspondence that he could (and did) distribute as he pleased.

And now we learn that he conducted government business over his own private gmail account {that information does not appear in the WSJ article – Ed.}, and actively avoid his boss’ oversight (and his bosses failed to adequately supervise him).  “Report Blasts FBI Agents, Comey Over Clinton Probe,” The Wall Street Journal, June 15, 2018 A1. Inspector General releases his report on the Clinton Investigation.

Recap:

  • Violations of law are not enforced
  • Evidence is destroyed notwithstanding a subpoena
  • Senior employees ignore long-standing policy
  • Senior employees treat documents prepared by them in the course of business as their personal information
  • Senior employees use private email accounts to transact government business
  • Employees hide things from their bosses
  • Bosses failed to adequately supervise their reports

And this is at the FBI, by a lawyer.

Does anyone wonder why we have a hard time getting traction on information governance initiatives?  Certainly an argument for an Information Governance case study of just the Clinton email investigation and its aftermath.  Not sure you could cover it all in one semester, at both law schools and business schools.

 

Leave a comment

Filed under Communications, Compliance, Compliance (General), Controls, Culture, Discovery, Duty, Duty of Care, Employees, Governance, Government, Information, Internal controls, Lawyers, Managers, Oversight, Ownership, Ownership, Policy, Requirements, Supervision, Who is in charge?

Compelled speech

“HHS Probes Rules on Giving Abortion Information,” The Wall Street Journal, June 1, 2018 A4.  HHS Office for Civil Rights investigates state requirements that crisis pregnancy centers must advise women about abortion services.

Leave the political/moral issues aside, and look at this from an information governance perspective.  Who mandates what information you must provide to your customers?  And are they (the mandaters) allowed to require that?

What are the limits on the government’s ability to require you to provide information to third parties? Is the U.S. Constitution a law or a policy?  Or is it Governance?

Leave a comment

Filed under Communications, Compliance, Compliance (General), Controls, Corporation, Duty, Governance, Government, Internal controls, Third parties, Who is in charge?

Bait and switch?

You make some promises, or strong indications, to a star performer that he or she is so above average, next year you will get ___ a year early.  [Fill in the blank]

How do you handle a change in direction?

“Goldman’s Rising Stars Told to Hold,” The Wall Street Journal, May 26, 2018 B9.  Two years ago, a group of high-potential employees were told they were on the fast track and would get promoted before the rest of their class.  Now they are told there is no fast track this year.

How do you handle it when you have to tell your star performer that she/he’s not going to get what you told them they were going to get?  Have you just put your crown jewels into play?  How do you rebuild trust and confidence in your best and brightest?

Is this Information or Governance or just bad management?  Does it matter whether you told them in writing or not?  Is that a risk that was considered?

 

Leave a comment

Filed under Definition, Duty of Care, Governance, Information, Protect assets, Risk, Who is in charge?

Private speech v. public speech

Can your employer restrict what political statements you make in the course of your employment, when you’re getting paid to wear your company shirt on television?

Maybe.

“NFL Adopts New Anthem Policy,” The Wall Street Journal, May 24, A14. Teams (but not players) can be fined if NFL players on the field do not stand for the National Anthem.

Governance

  • Who has the power to make what rules governing whom, and how violations of those rules will be enforced?
  • The League has the power to govern teams, but not players?  (See reference to collective bargaining agreement below.)
  • Will this redirect any fan displeasure away from the NFL and onto the individual teams or players?

Information

  • Is an employee’s political speech information?
  • If information is received, created, or distributed by a company’s employees during the workday in the workplace, is that information company information?
  • If it’s company information, can’t the company limit that distribution?

Compliance

  • Does enforcing rules against the teams and not the players work?
  • Does this comply with the collective bargaining agreement?  Is that why the policy doesn’t apply to the actual players, and just the teams?

 

Leave a comment

Filed under Compliance, Compliance (General), Controls, Corporation, Definition, Duty, Employees, Governance, Information, Internal controls, Oversight, Policy, Risk assessment, Third parties, Who is in charge?