Flawless Compliance

This article comes from the November 2009 issue, and addresses one of the hottest topics in the industry today--cloud computing, and the risks involved. I've had numerous requests this year for my thoughts on how to handle "the cloud." Below is a brief summary of my take on the subject.

Managing Risk in Cloud Computing

There was no documented evidence of a black swan until the eighteenth century. Picture Source

Cloud computing seems to be the rage these days, but doesn’t it seem risky? This is something that’s definitely on peoples’ mind these days, and I’d like to spend a little bit of time in this article addressing the issue. The obvious answer is, “yes it’s very risky,” but why is it risky?

The key problem with cloud computing is it’s a black swan of sorts. This is a term popularized by Nassim Nicholas Taleb a couple of years ago in his book of the same name, and it references an outlier (i.e. low probability) event that has a dramatic impact. We’ve actually seen a few black swans in the last few years including the implosion of the global economic system, the uncovering of a series of unimaginable scandals, and the accelerated rise in popularity of cloud computing. Characteristically, black swans have significant impacts; however, they’re not always negative. Cloud computing and its rapid adoption in the industry is actually quite positive, however from a risk perspective the insomnia stems from the fact that we’ve never seen this before, so we don’t even know what to be afraid of.

I think if we address this basic concern, we can start to make progress. As an aside, please note that the concern is risk, not compliance. Compliance will not protect you against the risks of cloud computing, so don’t naively belay your fears with this crutch, as I’ve seen some companies do. Rules of compliance will progress, as we uncover, through a series of very unfortunate “risk events,” what the real risks of cloud computing are. This is more than a prediction—it’s a prophecy. Furthermore, the companies tangled up in these messes may or may not be compliant with the regulations of the times. It doesn’t matter. They will go down.

So, let’s get at the core of the issue. What’s the real risk with cloud computing? Fundamentally, you should be concerned that your information will get into the wrong hands. If it happens, this risk will manifest itself in any of a variety of problems depending on the type of information that’s compromised. If your customers’ personally identifiable information is breached, you’ll have privacy problems to deal with. If your company secrets are hacked or leaked, you’ve got competitive issues to deal with. And, if any of this goes public, your public relations department will be working overtime to restore your image.

Unfortunately, there’s no silver bullet here, but I do have some recommendations. By definition, when engaging with a cloud computing company, you’re surrendering control of your data to a third party so it goes without saying that this company should be an organization that you can absolutely trust. This is not the time to experiment with new vendors. Stick with large, well-known companies that are universally trusted, like Google, Microsoft and PayPal. This won’t give you any guarantees, but you need to know that if there is a breach, your cloud computing partner has more at stake than you do.

Second, guard the information that you have in the cloud. You don’t need to arbitrarily hand over all the company secrets to every cloud vendor that comes along. Try to build an interface model, where your cloud computing partner doesn’t even have access to sensitive information. For instance, don’t farm out the function of collecting personal information on your customers. That should be something you control behind your own gates.

Finally, know your own limitations. This may sound contrary to the second point raised above, but you need to know when it’s appropriate to let the experts handle things. A good example is credit card processing. Why would you put yourself at risk when processing credit cards online? Your credit card processor should have all the necessary controls in place to manage privacy issues around processing an order, so just let them handle it.

The cloud offers great opportunities for the brave, but don’t be foolish. With this opportunity will come great peril as the seemingly innocent black swan gracefully glides by. Know and trust your cloud partners as well as somebody you would give the keys to your house. In essence, that’s exactly what you’re doing.

Managing Risk in Cloud Computing

There was no documented evidence of a black swan until the eighteenth century. Picture Source

Cloud computing seems to be the rage these days, but doesn’t it seem risky? This is something that’s definitely on peoples’ mind these days, and I’d like to spend a little bit of time in this article addressing the issue. The obvious answer is, “yes it’s very risky,” but why is it risky?

The key problem with cloud computing is it’s a black swan of sorts. This is a term popularized by Nassim Nicholas Taleb a couple of years ago in his book of the same name, and it references an outlier (i.e. low probability) event that has a dramatic impact. We’ve actually seen a few black swans in the last few years including the implosion of the global economic system, the uncovering of a series of unimaginable scandals, and the accelerated rise in popularity of cloud computing. Characteristically, black swans have significant impacts; however, they’re not always negative. Cloud computing and its rapid adoption in the industry is actually quite positive, however from a risk perspective the insomnia stems from the fact that we’ve never seen this before, so we don’t even know what to be afraid of.

I think if we address this basic concern, we can start to make progress. As an aside, please note that the concern is risk, not compliance. Compliance will not protect you against the risks of cloud computing, so don’t naively belay your fears with this crutch, as I’ve seen some companies do. Rules of compliance will progress, as we uncover, through a series of very unfortunate “risk events,” what the real risks of cloud computing are. This is more than a prediction—it’s a prophecy. Furthermore, the companies tangled up in these messes may or may not be compliant with the regulations of the times. It doesn’t matter. They will go down.

So, let’s get at the core of the issue. What’s the real risk with cloud computing? Fundamentally, you should be concerned that your information will get into the wrong hands. If it happens, this risk will manifest itself in any of a variety of problems depending on the type of information that’s compromised. If your customers’ personally identifiable information is breached, you’ll have privacy problems to deal with. If your company secrets are hacked or leaked, you’ve got competitive issues to deal with. And, if any of this goes public, your public relations department will be working overtime to restore your image.

Unfortunately, there’s no silver bullet here, but I do have some recommendations. By definition, when engaging with a cloud computing company, you’re surrendering control of your data to a third party so it goes without saying that this company should be an organization that you can absolutely trust. This is not the time to experiment with new vendors. Stick with large, well-known companies that are universally trusted, like Google, Microsoft and PayPal. This won’t give you any guarantees, but you need to know that if there is a breach, your cloud computing partner has more at stake than you do.

Second, guard the information that you have in the cloud. You don’t need to arbitrarily hand over all the company secrets to every cloud vendor that comes along. Try to build an interface model, where your cloud computing partner doesn’t even have access to sensitive information. For instance, don’t farm out the function of collecting personal information on your customers. That should be something you control behind your own gates.

Finally, know your own limitations. This may sound contrary to the second point raised above, but you need to know when it’s appropriate to let the experts handle things. A good example is credit card processing. Why would you put yourself at risk when processing credit cards online? Your credit card processor should have all the necessary controls in place to manage privacy issues around processing an order, so just let them handle it.

The cloud offers great opportunities for the brave, but don’t be foolish. With this opportunity will come great peril as the seemingly innocent black swan gracefully glides by. Know and trust your cloud partners as well as somebody you would give the keys to your house. In essence, that’s exactly what you’re doing.

Dear Sarbanes-Oxley, We’ve Had Enough

I don’t understand why we continue to belabor the implications of Sarbanes-Oxley (SOX). The evidence is in and it’s not working. Sarbanes-Oxley is government bureaucracy at its glorious, inefficient and ineffective best, and if anybody has any sense they won’t continue to fish, they’ll cut bait.

ComplianceWeek blogger Melissa Aguilar covered a story on 404 this month, about yet another attempt to amend the Sarbanes-Oxley Act. According to Melissa:

“Two amendments to delay or even rescind Section 404 for many companies came before the House Financial Services Committee on Wednesday, a surprise move that left investor advocates fulminating to anyone who would listen. One amendment to postpone Section 404(b) until 2011 for non-accelerated filers did pass on a voice vote, and will come before the full committee for a roll-call vote on Nov. 4…

A separate amendment, offered by Rep. John Adler, D-N.J., would have gone even further: exempting all companies with less than $700 million in market capitalization from Section 404(b), which would include many filers already complying with it.”

I’d like to opine on this for a minute. Since 2002, Sarbanes-Oxley has been nothing but a huge mess. That’s why it needs to keep being amended. If it worked, they would just leave it alone. I understand the original intent, but once again good intentions were met with bloated, inefficient legislation which did nothing more than create immense and undeserved wealth for accounting and law firms at the expense of Corporate America.

After the overwhelming and egregious acts of corporate con-artists like Enron and MCI Worldcom, something needed to be done. There’s no question about that. However the hallmark of good leadership is decisions that lead to results that are effective, and as a bonus efficient. Sarbanes-Oxley is neither, and I don’t understand why they continue to let this governmental Godzilla torment the generally honest and hardworking businesses of America that keep this nation running.

Please understand this point about your compliance program. Effectiveness is everything. You must know if your compliance program is effective, and if it is not, kill it—and start over quickly. It’s serving no purpose, and it’s draining resources. And in this time of economic uncertainty, the last thing your company needs is an ineffective compliance program draining money and human resources.

How do I know it’s ineffective? It’s pretty simple, let’s look at the evidence. When SOX first rolled out, companies poured millions of real dollars into trying to “comply.” I was working with large clients like Sun Microsystems at the time, and was personally involved in some of these efforts. Reams of documentation, produced by armies of people spending countless hours resulted in millions and millions and millions of dollars in expense. We had external auditors and internal auditors and objective third parties. We had lawyers and accountants and accountants’ lawyers and lawyers’ accountants all working as diligently as possible to achieve the holy grail of SOX compliance. Of course, this was the story at just about every large accelerated filer. The costs were so grandiose that non-accelerated filers were paralyzed with panic and rightly so; how in the world would they be able to afford this? They’ve been pushing back ever since, and the SEC grants them extension after extension to file, while they try to figure out how the cost will impact them (more tax dollars at work). Even after the “final” extension, it seems now that they’re rescinding the finality of the final extension, to extend the filing date yet one more time.

And we’ve done all this work for what? So that corporate scandal cannot harm the good American people. SOX was positioned as the rainbow for white collar crime against the innocent working class; a covenant of peace between the US government and the American people that the devastating floods of corporate greed would never inflict financial injury to the hard working American family again.

Fast forward a short seven years, and the entire economy collapses under—drum roll please—corporate greed. How could this happen? We spent trillions on SOX compliance to avoid this very thing. How on earth could this happen?

Do you know what happens when you wear loose shorts on the north shore beaches of Hawaii? The waves there will pound you into the sand, and within three minutes, your shorts will be gone. Good intentions, bad results.

America just got pantsed, the SOX shorts are too loose. I believe Representative Jon Adler is heading in the right direction. Better to just kill the whole thing, but of course that won’t happen. It makes too much sense.

A New Committee Investigates the Crash of 2008

Chairman Phil Angelides, head of the Financial Crisis Inquiry Commission. Picture Source

This month marks the one year anniversary of the largest financial meltdown this generation has ever seen. Only people approaching centenarian status (only 100,000 in the entire United States) can fully “appreciate” the return of such a financial implosion. Did you lose a small fortune in 2008? Even if you didn’t I’m sure you’re curious as to how something like this could ever happen. With any luck, we’ll know the answer to that soon.

The FCIC (Financial Crisis Inquiry Commission), headed by Chairman Phil Angelides, met for the first time this month. The FCIC is a US government commission of 10 bipartisan representatives whose sole responsibility is to come up with a reason for why the financial catastrophe of 2008 happened, and what we can do to prevent something like this from happening in the future. Chairman Angelides has until the end of 2010 to come up with an answer. If this sounds like a long stretch of time to you, don’t be fooled. In actuality, 15 months is a very short time to get something of this magnitude accomplished.

According to new deal 2.0 who captured the entire text of the opening remarks, Angelides stated that:

“We have been called upon to conduct a full and fair investigation in the best interests of the nation — pursuing the truth, uncovering the facts, and providing an unbiased, historical accounting of what brought our financial system and our economy to its knees. This is what the American people deserve and this is what we are obliged to do. In this critical instance, if we do not learn from history, we are unlikely to fully recover from it.”

I’m quite sure you’re abreast of how crash of 2008 is affecting the nation, but as Angelides continues he reminds us of the devastation this financial typhoon has caused so far:

• 7 million Americans have lost their jobs in the last year
• 25 million Americans are either unemployed, under-employed, or resigned from looking anymore. This is over 16% of our total workforce.
• 10 million homes have touched the foreclosure process in the last 3 years, with 2 million homes taken as casualty.
• 13 trillion dollars of wealth evaporated last year. That’s 13,000,000,000,000 American dollars.

Angelides and his crew have a big job ahead of them, but shockingly it won’t be the first time America has been required to investigate a financial collapse of this magnitude. Angelides has been referred to as the New Pecora Commission, “affectionately” named after Ferdinand Pecora, the chief counsel and investigator for the former Senate Banking and Currency Committee. This committee was formed shortly after the financial meltdown in 1929 that caused the Great Depression. Their job—get to the root cause of what happened.

Pecora didn’t start with the committee however. In fact, he was preceded by three others who held the lead counsel position. Two were fired due to ineffectiveness, and the other resigned when denied subpoena power. According to the history books, Pecora was relentless in his investigation. In search of the truth without regard for any consequence, he opened up floodlights on the filth and grime the financial cockroaches of the time had created at the expense of the everyday, ordinary investors. The pressure of being exposed was so great on the president of National City Bank (now Citigroup) he was forced to resign. After the dust settled, Pecora published a recap of the investigation in a book called, “Wall Street Under Oath,” from which this now popular passage comes:

"Bitterly hostile was Wall Street to the enactment of the regulatory legislation. Had there been full disclosure of what was being done in furtherance of these schemes, they could not long have survived the fierce light of publicity and criticism. Legal chicanery and pitch darkness were the banker's stoutest allies."

If fortune favors the United States we’ll know the answers in days to come. This time around we have a nice head start. It didn’t take a committee or a commission to expose the historic scandal of Bernie Madoff or the AIG blowout party paid for by taxpayer dollars. That said, I’m sure we’ll dig up even more dirt on Wall Street between now and the end of 2010.

With the right roadblocks cleared, I think the new committee has a good shot of uncovering some root causes; however, if they even remotely believe that we’ll uncover the secret for preventing economic ruin in the future, they’re drinking the Kool-Aid. I hate to be negative on this, but it seems like we just went through this eighty years ago, and didn’t learn a thing. The 1929 investigation uncovered greedy bankers taking advantage of ordinary people to the point where Americans lost their jobs, retirement, and life savings. Does this sound familiar at all?

Regardless of whatever new law they come up with, or who they put in jail for the next 150 years, the sad news is, if you maintain a proper diet and exercise regularly, you might get to see this happen all over again in 2088. I hope you’re ready for it.

A Look at GE’s Decision to Settle with the SEC for $50 Million

The GE Building (formerly the RCA Building) located in Rockefeller Center in downtown New York City. Picture Source

General Electric recently settled with the SEC for $50 million after a protracted stance against the government’s allegations of improper accounting. Was this a smart move, or should they have kept fighting? Let’s see.

The SEC accused GE of four separate accounting irregularities in 2002 and 2003 involving among other things, revenue recognition and interest rate swaps.

Almost 3 million pages of documents later and $200 million in accounting and legal fees over the period of more than four years and they finally decide to throw in the towel and settle. For the record, GE does not admit or deny that it violated any accounting rules however it does admit that errors were made.

So if you’re GE four years ago and you have a crystal ball that can look forward to August of 2009, what action do you take? It seems reasonable to settle up front instead of sinking $200 million plus four years of your corporate life into this mess, and still handing over $50 million to settle. I’m not even sure that offer was on the table when the SEC started, but these are the kinds of decisions that need to be made early on in the process.

The decision to fight or fold is a tough one, especially if you feel you’re in the right. Even with all the colorful language when a company settles, it’s hard to shake the image of guilt in the public eye. It’s also hard to anticipate what reverberations are waiting for you after the settlement (i.e. now you’re a target for other attacks). However, what will it cost you to fight? The answer to this question is so elusive that it’s rare to find a company that gets this right.

Instead what typically happens is what just happened to GE. At the moment the allegation is lobbed, the knee-jerk reaction is to defend. Once the defense is in place, it becomes the “status-quo” to keep paying lawyers, accountants, and other consultants to defend the allegations. Fees continue to mount for years, until somebody wakes up and realized the insanity of it all.

Here’s my advice for how to handle the fight or fold decision. If you know you’re guilty, fold fast to get it over with. First of all, it’s the ethical thing to do. And second, holding on to the fantasy that you’ll beat the government by playing the arbitration between reality and evidence is a losing game.

If you know you’re innocent, you need to embark on a very thoughtful exercise. You must assess within a certain degree of confidence, what that cost of proving your innocence will be. Gather all the stakeholders together, and create a detailed plan of what needs to be done, who will do it, and most importantly how much it will all cost. Document your assumptions, and do a thorough risk analysis.

Your plan should be decomposed into areas you can prove that will reduce the settlement amount if it comes to that. The government will probably start with a very high number. In your assessment you will probably find ways to demonstrate to the government that their number is higher than it needs to be. For instance, you might be able to rather easily convince them that you are not trying to defraud anyone, by demonstrating that you have proper policies and procedures in place. You should start there, then continue with other ways you might be able to prove your innocence.

The key is to decide ahead of time, what resource limit (i.e. time, cost, and people) you’re going to put into this defense, and stick to it. Of course, this can be adjusted down over time if the government starts conceding on their settlement amount, but never allow this limit to drift upwards.

If you don’t know whether or not you’re innocent you have a different problem. In this case, organize your defense, but make it a priority to find out the truth for yourself. Don’t assume anything, and certainly don’t try to defend a position you’re not sure of yourself!

In my opinion, it was the right thing for GE to settle but they took way too long. I don’t think they decided four years ago that $200 million was their limit. Regardless, that’s their outcome and they have to deal with it. I hope you never have to make this decision for your company, but if you do I hope you’ll be smart about it.