28 April 2008

Corporate Governance: Testing for Organizational Disease...

In our continuing series on Security Governance we now turn to Corporate Governance: Testing for Organizational Disease.

It's been three years since a 25 year sentence was handed down in the Worldcom corporate governance and fraud case, it's obvious that prosecuting white collar crime cases is a real challenge.

In the HealthSouth Corp. fraud trial, the jury made a different decision and the CEO was acquited.

Some lawyers suggested white-collar cases are inevitably difficult to present to jurors, whether they live in Birmingham or New York. "It's different from a drug deal or a bank robbery," said Donald Stern, a Boston attorney who was formerly that city's top federal prosecutor. "It's not obvious that a crime has been committed."

What the Board of Director's and Executive Management do know is that it's time to make some more changes in Corporate Governance initiatives. The relationships with the shareholders is bound to continue to be a challenge for any management team and they realize that they must be creating a culture full of ethics and risk management principles.

At the end of the day it comes down to the evidence presented to the jury. And the evidence is typically a presentation of information utilizing forensic methods of discovery. Dr. Thomas R. O'Connor at NCWC has some interesting background on the subject of "Investigative Methods of Forensic Accounting."

Signs of financial crime can be initially detected in a variety of ways -- by accident, by whistle-blowing, by auditors, by data mining, by controls and testing, or by the organization's top management requesting an inspection on the basis of mere suspicion. Ideally, fraud detection ought to be recognized as an important responsibility throughout every organization, and every employee in an organization ought to be familiar with the disciplinary consequences for breach of trust as well as failure to report criminal misdeeds against the organization. On a practical level, however, there are steps to the investigative method used in an organizational context that are far from these ideals, and reaching the "breakthrough" point is more an art than science. It is the purpose of this lecture note to outline the investigative methods and procedures used in most cases.

Red Flags of Organizational Behavior:

1. Unrealistic performance compensation packages -- the organization will rely almost exclusively, and to the detriment of employee retention, on executive pay systems linked to the organization's profit margins or share price.

2. Inadequate Board oversight -- there is no real involvement by the Board of Directors, Board appointments are honorariums for the most part, and conflicts of interest as well as nepotism (the second cousin to corruption) are overlooked.

3. Unprofitable offshore operations -- foreign operation facilities that should be closed down are kept barely functioning because this may be where top management fraudsters have used bribes to secure a "safe haven" in the event of need for swift exit.

4. Poor segregation of duties -- the organization does not have sufficient controls on who has budget authority, who can place requisitions, or who can take customer orders, and who settles or reconciles these things when the expenses, invoices, or receipts come in.

5. Poor computer security -- the organization doesn't seem to care about computer security, has slack password controls, hasn't invested in antivirus, firewalls, IDS, logfiles, data warehousing, data mining, or the budget and personnel assigned to IS. Simultaneously, the organization seems over-concerned with minor matters, like whether employees are downloading music, chatting, playing games, or viewing porn.

6. Low morale, high staff turnover, and whistleblowers -- Low morale and staff shortages go hand-in-hand, employees feel overworked and underpaid, frequent turnover seems to occur in key positions, and complaints take the form of whistleblowing.

As we move forward on strategies for improving ethics and protecting corporate assets it's clear that educating board members and employees to the symptoms of corporate disease can be a key initiative. That education and awareness program could be the beginning of a whole new era of high performing companies. And for that matter, the programs effectiveness may be the first test of any organizations health.

06 April 2008

Rule-Set Reset: Evidence Life Cycles...

Here are a few of the "Top of Mind" topics these days at the nexus of Legal Risk and "Defining the New Rules Sets" for Information Management and Digital Forensics. What is a "Rule-Set Reset"?

When a crisis triggers your realization that your world is woefully lacking certain types of rules, you start making up those new rules with a vengeance (e.g., the Patriot Act and the doctrine of preemption following 9/11). Such a rule-set reset can be a very good thing. But it can also be a very dangerous time, because in your rush to fill in all the rule-set gaps, your cure may end up being worse than your disease.

  • The Computer as Witness--What The Courts Allow.
  • Improper and Negligent Records Hold Practices.
  • Calculating Settlement Values in a Digital World..
  • Economics of Electronic Discovery.
  • Evaluating Outside Law Firms: Competing for Client Revenue.
  • Discovering the Legal Value of Electronic Information.
  • Chain of Custody Controls and Vulnerabilities.
  • Logs, Metadata and Backups.
  • Evidence Life Cycle Management.
  • Operational Risks in Existing Corporate Information Management Practices.

These topics and more are worth investing time, resources and manpower for vital learning, education and convergence within the legal department of your institution. Why? Just ask Waters Edge Consulting. Because just preparing for ESI custodian depositions under Rule 30(b)(6) will not be enough for your team to win these days. It's going to take substantially more investment in governance strategy execution within the ranks of the CIO, CSO and General Counsel in the aftermath of the sub-prime "Armageddon."

Today, many organizations have Enterprise Records Management (ERM) systems that provide clear guidelines for data retention and destruction. In addition, organizations facing frequent lawsuits often use Electronic Data Discovery (EDD) vendors and outside counsel to process and review electronically stored information (ESI) during discovery.

Unfortunately, neither solution creates a framework that recognizes all data as potential evidence and puts a consistent methodology in place for handling it efficiently and cost effectively.

Evidence Lifecycle Management (ELM) is such a framework. An ELM system, such as MatterSpace from WorkProducts, provides:

  • Automated identification, preservation, and collection of structured and unstructured matter-specific ESI from all accessible eRecords sources
  • Role-based collaboration and communications that drive all case-specific ESI activities
  • Auditing and reporting of all ESI communications and events, including litigation holds

ELM bridges the gap between ERM and EDD, speeding up ESI delivery while reducing the risk and cost of ESI processing and legal review.

A prudent governance execution strategy would include a ratio of new learning, education and policy development combined with the correct tools and managed services. Yet how do you determine the right recipe for your institution? After all, you are unique and unlike any other organization out there.

The fact is that it has to be customized to your exact size, exposures and vulnerabilities. You first have to establish the baseline and develop the foundation for making the right decisions in the right order. Most importantly, it has to be co-designed with the legal team and the custodians of the information if you are to ever find any chance of success. Underlying all of the dialogue on who a particular matter relates to and where the information is located brings up another area that is imperative to the overall resilience of the organization. Continuity of Operations.

At the end of the day, this is what you are really buying. True DataVaulting means exchanging the headaches and liability of maintaining your own backups for the simplicity and convenience of contractually backed Service Level Agreements (SLAs).

Without effective DataVaulting, DRP and overall Continuity of Operations as an underlying foundation for managing the life cycle and longevity of your institutions records, you may already be subjected to the increased risk of fines and non-compliance sanctions from FINRA or the SEC.

The correct Business Resilience Architecture begins with a firm statement of applicability for your institution. The statement of applicability (SOA) is the architectural blueprint that identifies controls that are pertinent to your environment, and explains how and why they are appropriate. The SOA is derived from the output of a comprehensive operational risk assessment and development of an enterprise wide "Early Warning System."

Centre-left leaders from around the world called on Saturday for urgent reform of global financial institutions to prevent a recurrence of the credit crisis.

About a dozen leaders, brought together by Prime Minister Gordon Brown, issued a communique urging the International Monetary Fund to help develop an effective early warning system to guard against financial risks to the global economy.

Australian Prime Minister Kevin Rudd said the world had to learn the lessons from the credit crisis, sparked eight months ago by massive default on U.S. sub-prime mortgage debt.

"Too often in the past when these sorts of events have occurred ... the lessons are lost. The lessons must be learned and applied, otherwise we will face a very rocky future indeed," Rudd told a news conference after the "Progressive Governance" conference outside London.

The leaders, also including South African President Thabo Mbeki, New Zealand Prime Minister Helen Clark and Austrian Chancellor Alfred Gusenbauer, gathered just before key Group of Seven and IMF meetings in Washington next week which will discuss the financial turbulence.

Also attending were the heads of the IMF, World Trade Organisation (WTO), the African Development Bank and several U.N. agencies.