123 Failed Banks…the Killer Gap
123 banks have now been closed this year and questions continue to mount with each bank closing.
One of the questions is: What role is the Killer Gap playing in these bank closures?
Have you heard of the Killer Gap?
The Killer Gap is the result of the following trends:
- Mounting Risks
- Increasing Costs (Security, Compliance, Business Continuity, Management, etc.)
- Escalating Regulations
- Changing Economic Conditions
Combined with:
- Decreasing Budgets
- Limited Resources
- Traditional Management Tools
- Poor/Outdated Decision Making

This widening gap presents difficult challenges for every organizational leader and their organization and can lead to expensive, embarrassing and business-ending results.
Is your organization prepared to control and manage the Killer Gap?
Aligning Security and Company Risk – Lessons Learned from Others’ Mistakes
Excellent Lessons Learned from Major Incidents
There is a saying that no leader will live long enough to make every mistake themselves, so great leaders learn from other people’s mistakes too.
As I was reviewing titles from the November issue of Security Management (an ASIS publication), on the lookout for lessons learned, I came across the following title: Aligning Security and Company Risk.
I clicked on the link and read an article that featured two major security/compliance incidents and what steps leaders from General Dynamics Corporation and Providence Health & Services took after major incidents occurred at their organizations.
The article really got my attention when I read the first paragraph:
After a major incident, companies often decide that they need to purchase new security products to prevent a recurrence of the problem. But sometimes the solution may be nontechnical: to better align security and business risks and to enforce existing policies.
The article offers lessons learned from two organizational leaders who realized their security, compliance and business management efforts needed to be better aligned and that no technology solution was going to “fix” their problems, gaps and weaknesses.
Are your organization’s security, compliance and risk management efforts aligned?
Does your organization have policies and procedures that help all appropriate personnel understand how security, compliance and risk management fit into your organization’s business processes?
Do all appropriate personnel understand their specific roles, responsibilities and obligations with respect to Security Management? Compliance Management? Risk Management? Reputation Management?
Does your organization need to modernize outdated, fragmented or manually intensive efforts that are making your organization vulnerable to expensive risks or a major incident?
In my experience performing risk, vulnerability, compliance, safety and continuity assessments…most organizations can definitely learn from other leaders’ and other organizations’ mistakes, sooner rather than later.
House Ethics Committee Standards Breach – Lessons Learned Part Two
Teachable Moments vs. Ongoing Awareness Reminders
As a follow up to the previous blog regarding the sensitive ethics document from the Committee on Standards that ended up in the hands of The Washington Post, I wanted to take a look at teachable moments vs. ongoing awareness reminders.
If you go to the Committee on Standards of Official Conduct web site and look up their training requirements for 2009, you will see an example of once-a-year training requirements, and you will see that individual training requirements are based on pay scales. This seems ironic to me, since the Committee on Standards blamed a low-level staffer for the unauthorized access to the sensitive ethics document.
One thing we know from years of awareness data is that people do not do things because they were taught once…people do things because they are reminded.
What is the lesson learned here? Once-a-year training is not effective.
What are other lessons learned? To be effective, once-a-year training should be complemented with ongoing reminders about:
- Situational Awareness
- Risks
- Threats
- Best Practices
- Regulations
- Technology Usage
- Information Sharing Guidelines
- Information Handling Requirements
- Legal Due Diligence
- And other related issues
What other lessons learned or questions does this Committee on Standards incident reveal?
- Should “low-level staffers” receive different training based on salary?
- Should detailees, fellows, unpaid interns, or any other individuals who are employed by an organization and paid for fewer than 60 days be exempt from training?
- Should new employees be allowed to work with sensitive information before training has been completed or be given 60 days to attend live or online training?
- If live training is provided, will individuals remember everything that was blasted at them via the “megaphone training approach”?
Interestingly enough, the previous questions are directly related to existing guidelines on the Committee on Standards of Official Conduct web site regarding 2009 Ethics Training.
This incident is a teachable moment in its own right: the lessons learned questions it raises need to be answered, and the resulting updates need to reach all appropriate individuals as ongoing awareness reminders, not as a once-a-year session.
House Ethics Committee Standards Breach – Lessons Learned
Low-Level Staffer Blamed for Committee on Standards Breach
In case you missed the story last week, multiple lessons learned and teachable moments have emerged from an incident involving a sensitive ethics committee document that ended up in the hands of the Washington Post. The ethics document exposed numerous ongoing investigations into the conduct of more than two dozen House members.
Most articles seem to blame the unauthorized access on a low-level staffer who was working from home on a personal laptop running a peer-to-peer file-sharing program, which exposed the sensitive ethics document to anyone on that file-sharing network.
Asking good questions can be a great way to identify lessons learned and teachable moments, for example:
- How many employees/contractors have access to sensitive and confidential information?
- How many employees/contractors in your organization work from home?
- How many employees/contractors in your organization use a personal laptop for organization related purposes?
- How many employees/contractors in your organization use peer-to-peer file sharing programs?
Do you have clear policies and procedures and enforcement and consequences defined for each of these situations?
Do you have the ability to track and document awareness and accountability at the individual-level? (Or as the Ethics Committee defines it – low-level staffers?)
How do you keep all appropriate individuals updated on new risks, new regulations, new policies and new teachable moments?
Next lessons learned blog will look at teachable moments and ongoing reminders and which works better…
Ohio Storage Bins Stolen – One Man’s Trash Is Another Man’s….
We have all heard the wise old saying….‘One man’s trash is another man’s treasure’, and we potentially have yet another lesson learned for organizations that are obligated to protect their clients’ personal information.
In this lesson learned from Ohio, three large storage bins were stolen from outside of three different bank branches in three different cities. Each of the three large storage bins contained paper that was waiting to be shredded and at least one of the storage bins contained personal documents of bank customers.
A few questions this incident brings to mind:
- Should personal data be stored outside of buildings?
- Should trash/storage bins be removable?
- Should trash/storage bins be monitored by video cameras?
- How should data waiting to be shredded be handled and secured?
- Does your organization have policies and procedures for data waiting to be shredded?
- Does your organization have an information handling agreement with its shredding vendors?
When it comes to protecting customers’ personal information, many other questions come to mind and many risks and issues have been discussed in previous Lessons Learned Blog entries.
Oh! And don’t forget that this lesson learned provides yet another ‘red flag’ that should be added to your FACTA Red Flags Rule program and communicated to all appropriate personnel.
Common Elements of Failed Financial Institutions (FDIC)
Yes, I admit it…I was surfing the FDIC web site this past weekend and I was spending some time reviewing past Financial Institution Letters that the FDIC releases to advise the banking industry of supervisory changes and guidelines.
I came across a Financial Institution Letter for Newly Insured FDIC-Supervised Depository Institutions that included the new changes, as well as a list of common elements from troubled or failed institutions.
The list offers some potential lessons learned for organizational leaders (board of directors, executive management, compliance and others) and so I thought I would share the list.
- Rapid growth
- Over-reliance on volatile funding, including brokered deposits
- Concentrations without compensatory management controls
- Significant deviations from approved business plans
- Noncompliance with conditions in the deposit insurance orders
- Weak risk management practices
- Unseasoned loan portfolios, which masked the potential deterioration during an economic downturn
- Weak compliance management systems leading to significant consumer protection problems
- Involvement in certain third-party relationships with little or no oversight
The list illustrates how difficult and complex “connecting the dots” can be, and reminds bank leaders of the many different kinds of “dots” that need better management to produce better results.
If you are an organizational leader in the financial sector, this is good information!
HHS Strengthens HIPAA Enforcement
If you were busy getting your costume ready for Halloween, you might have missed the news release from HHS on October 30, 2009. This news release should be taken seriously by all covered entities and organizational leaders that have responsibilities for protected health information (PHI).
The news release announces that HHS has issued an interim final rule to strengthen its enforcement of the HIPAA rules, conforming the HIPAA enforcement regulations to the changes made by the HITECH Act.
As you may remember, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, which modified the HHS Secretary’s authority to impose civil money penalties for violations occurring after February 18, 2009.
I am curious whether organizational leaders are taking notice of a trend that is catching on: strengthened enforcement of regulations.
The FDIC, OSHA, SEC, FINRA, FTC and others have announced they are also strengthening enforcement of regulations.
Are organizational leaders paying attention and taking steps to strengthen their management programs?
Stay tuned….
Fact or Fiction with Tweets and Web Sites
The battle of the megaphones…it’s on!
The California Public Employees’ Retirement System (CalPERS) has launched a web site to target misinformation and offers a way to let its members, employees, employers and others keep up with issues in national health care reform, pension investments and security.
CalPERSResponds.com is the new web site that will also link to its social media posts on Twitter, Facebook and YouTube.
According to Patricia Macht, CalPERS director of external affairs, “There’s a lot of information and misinformation about CalPERS” and “We hope this site will help separate the facts from fiction and provide some education, insight and clarity to these issues.”
So now that multiple social networking sites are here to stay, are other organizations also planning to build a bigger microphone so they can shout over the top of the other microphones?
Megaphones – especially bigger and louder ones – are they really the most effective or efficient solution for communicating information to trusted members, employees and partners when information overload is already a serious problem?