
MIS 5202 IT Governance

Temple University

Janet Yeomans

From the real world: the relationship between boards and IT strategy committees

October 2, 2016 by Janet Yeomans

Though ISACA indicates otherwise, having a board member serve on the IT strategy committee is not common practice.  In fact, I have neither experienced nor heard of a single incidence of an independent board member sitting on the IT strategy committee.  The only circumstance under which I can imagine it happening would be one in which corporate executives (employees of the company) are also board members.  In this case, wearing his/her corporate hat, the director could coincidentally be a member of both the IT strategy committee and the board.  However, the roles are distinct.

To clarify:  the board’s activities with respect to IT governance (including strategy) are to approve and to oversee.

Wells Fargo: controls?

September 13, 2016 by Janet Yeomans

You’ve probably read accounts of the fraud at Wells Fargo in connection with cross-selling.  Over 5,000 employees were involved over a span of 5 years!  Here’s a good account of the situation by Andrew Ross Sorkin as reported in the New York Times: http://p.nytimes.com/email/re?location=InCMR7g4BCJTYuyKqXu41lOnxEkBWiqW&user_id=6284346ca2298b52bdd18ccab28c3e1d&email_type=eta&task_id=1473770462575991&regi_id=0.

For you to ponder:

  • How could the gap between Mr. Stumpf’s words and the actions of his employees have developed and persisted?
  • What controls might have prevented the activity or at least detected it in the very early stages?
  • What does the massive scale and duration of the fraud suggest about risk management at Wells Fargo?
  • How did the illicit activity escape the notice of both the internal and external auditors?
  • Finally, how did it go undetected by bank regulators?

Accountability also seems to be absent from the Wells Fargo culture, judging by the fact that the executive in charge of the area of the bank in question decided to “retire” and will leave with a bonus of $124.6 million.

Challenge: controls for a disruptive application of blockchain technology

September 1, 2016 by Janet Yeomans

Perhaps you’re familiar with blockchain technology, which first came into the public domain in connection with Bitcoin.  It’s a distributed ledger technology that has obvious potential uses beyond cryptocurrencies.  People in the investment world became interested early because of the cumbersome way in which financial transactions are settled and recorded today – lots of middlemen resulting in many points at which something could go wrong, high costs and slow time frames.  A perfect situation for a disruptive technology!

The article, http://finops.co/trading/blockchain-for-us-settlement-three-two-one-takeoff/, describes an initiative to form an industry advisory group to run a blockchain trial.  This group will need to get it right:  this is a new technology whose adoption will disrupt the old ways of the financial markets.  If their trial is robust and produces positive results, the benefits will be enormous.  What is absolutely critical is that the trial not produce a false positive – that is, the conclusion that the trial has been successful when in fact the trial process was flawed in some way.  In this case, the damage could also be enormous.

Suppose the advisory group reached out to you to ask your advice on how to structure the control environment for their trial program.  What elements might you suggest they consider?  For example, you might ask them to define the decision-making process.  In this case, would regulatory oversight from an established body such as the SEC be appropriate, or does the past model not apply?  How will the testing be conducted, and how will weaknesses in the process be identified and addressed?  Who should be responsible for reviewing results from a business perspective?

The point here is that in a fast-changing world, some of the most important IT governance challenges are complicated and have no established roadmap.  The best we can do is stick with fundamentals:  the right things done right will form the basis for a good governance structure.
