Integrating Google Wave into the Enterprise

I’m attending the Enterprise 2.0 Conference in San Francisco. I’m sharing my notes from this session.

  • Andy Fox, Vice President, Engineering, Novell
  • Alexander Dreiling, Program Manager, SAP
  • Gregory D’Alesandre, Product Manager, Google Wave
  • Chad Wathington, VP, Product Development, ThoughtWorks

Greg started off, giving a brief demo of Google Wave and the concept. (I started using Google Wave a few weeks ago, but it has left me a bit confused. You can find me at [email protected].) Most other existing communications tools are a poor substitute for face-to-face communication. But at times, electronic communication can be better if you can get real time communication and enable multiple people contributing and editing at the same time.

They started off with no lock-down because the first thing most deployments do is lock down features and editing rights. He did state that the tool is currently very buggy and still being tested.

Alex came up next to show what SAP built on top of Google Wave for business process management. They built a gadget called Gravity. He has a flow chart, with each action box contributed by different people. He also showed an analysis gadget showing  graphs and charts related to the process.

Chad showed how he integrated his company’s project management tool called Mingle with Google Wave. He showed how you can bring data from Mingle into a Wave. They can also create a new task in Mingle through a Google Wave. Each task in Mingle can show the Google Waves that mention that task.

Andy showed Novell’s Pulse. Novell latched onto the Wave Federation Protocol that allows the servers to interact and allows real-time collaboration across platforms. Andy emphasized the benefits of real-time collaboration.

Greg came back and said that most of Google Wave code will be open-sourced. It’s not clear what the business model will be for Google.

Social Media: Policy Formation & Risk Management

Enterprise 2.0 San Francisco 2009

Today, I am in San Francisco at the Enterprise 2.0 Conference at the Moscone Center, speaking on a panel about social media policies.

I gave a presentation on Cloud Computing at the 2009 version of the Conference in Boston: Evening in the Cloud and Compliance and a presentation on blogging at the 2008 version of the Enterprise 2.0 Conference in Boston: What Blogging Brings to Business.

I was happy to hear that the conference was still interested in having me, even though I have been moving away from the Enterprise 2.0 space.

Here is the session description for today’s panel presentation:

Policy formation, risk management, media relations, and governance programs become a critical requirement as organizations assess implications to the enterprise arising from employee participation in social networking sites and use of media. Issues related to security, confidentiality, intellectual property, data loss protection, brand image, compliance, and human resources (i.e., ethics/conduct) are critical to address before problems arise.

  • e2 Moderator – Mike Gotta, Principal Analyst, Burton Group
  • Speaker – Christopher Burgess, Senior Security Advisor, Cisco
  • Speaker – Doug Cornelius, Chief Compliance Officer, Beacon Capital Partners (that’s me)
  • Speaker – Scott Mark, Enterprise Application Architect, Medtronic

First up, we plan to ask the audience whether they are interested in policy issues for internal deployments (Enterprise 2.0) or issues related to public uses (Web 2.0). The session description is broad enough that attendees may be expecting either. As it happens, most of the same issues are present in Enterprise 2.0 and Web 2.0. The conference itself has been including both, since many of the innovations are coming from the public web 2.0 side, ahead of the enterprise side.

Rather than put the audience to sleep with a bunch of PowerPoint presentations, we are planning a discussion of the issues. Since I needed to organize my talking points, I figured I would make them into a blog post so that I could find them.

Having a Social Media Policy

From my perspective, the first thing a company needs to decide is what stance to take on the use of these tools: Pro, Con, or Neutral. Few companies are ready to fully embrace 2.0 tools.

Regardless of the stance, it is important to have a policy for social media tools. Blocking access, by itself, is not a policy. It is easy to access the sites from a mobile device or home computer. Blocking access on the office network is just an annoyance.

The policy can also act as an educational tool for the employees of the company.

Security, Confidentiality, Data Loss Protection

These concerns are true for any communication media or portable storage.  Enterprise 2.0 and Web 2.0 do not pose unique challenges for these issues.

The difference is the main benefit you’ll hear at the Enterprise 2.0 conference; these tools make things more findable. Before Google, it was hard to find things on the WWW. Google changed that, making web content easier to find. Most Enterprise 2.0 platforms exploit some of the same things that make content findable. Remember that it’s not just the bad things that are findable. These tools also make the good things findable.

The importance of good policies and education is to make the good things vastly outnumber the bad things.

Off-Duty Activities.

What is personal? What is work? What is your time? What is the office’s time? Those are issues that most companies are wrestling with as the economy moves to more of a 24 hour economy. Regardless, an employer will have a hard time disciplining an employee for things they do “off-the-clock.” Here are some specific state laws on the topic.

Colorado – Colo. Rev. Stat. § 24-34-402.5: In Colorado, it is an unfair employment practice to fire employees for engaging in lawful activities that take place off the employer’s premises during nonworking hours unless (a) the activities engaged in relate to a bona fide occupational requirement or is reasonably and rationally related to the employment activities and responsibilities of a particular employee or a particular group of employees, rather than to all employees of the employer; or (b) the activities engaged in create a conflict of interest with any responsibilities to the employer or the appearance of such a conflict of interest.

New York – N.Y. Lab. Law § 201-d(2)(c): Employers in New York cannot take any adverse action against an employee on account of that employee’s engagement in legal recreational activities if the employee engages in the activities outside of working hours, off of the employer’s premises, without using the employer’s property.

North Dakota – N.D. Cent. Code § 14-02.4-03: Employers may not take adverse action against an employee or applicant on account of the employee’s or applicant’s “participation in lawful activity off the employer’s premises during nonworking hours which is not in direct conflict with the essential business-related interests of the employer.”

Overtime

If hourly employees are using these tools off hours for the benefit of the company, there is a potential wage claim.

Data Privacy

The European data privacy laws need to be considered as part of a Web 2.0 or an Enterprise 2.0 deployment. These data privacy laws regulate the collection of personal information and the transmission of the personal information to another country.

In the US we think of data privacy as social security numbers and financial account information. Medical information has also fallen into that category. But the European view of personal data is as much about your religious and ethnic information as it is about those other categories of information.

A deployment as simple as publishing an internal photobook of personnel would violate the European data privacy laws.

First Amendment

The First Amendment protects citizens from government censorship. First Amendment rights will apply if you work for the government. Otherwise, employees are generally free to exercise their First Amendment rights as ex-employees.

Internally, it is best to avoid religious and political discussions. (Unless your organization is a religious or political organization.)

Labor Relations and Union Organizing Activity

While employers are permitted to lay out policies as to what employees may blog about in relation to work, employers cannot implement policies that have the effect of chilling an employee’s exercise of his or her Section 7 rights under the National Labor Relations Act, nor can employers discipline employees for blogging about “wages, hours, or terms or conditions of employment,” such as the company’s pay scale or vacation policy. See Timekeeping Sys., Inc., 323 N.L.R.B. 244 (1997).

Additionally, outright bans on blogging about the employer will likely be viewed as an unreasonable impediment to self-organization in violation of the NLRA. See Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002), cert. denied, 537 U.S. 1193 (2003) (In this case, the court found that blogging that involved an employee attacking his company’s management and president online may trigger “concerted activity” provisions under federal labor laws.).

Anonymity

Although staying anonymous (or using a pseudonym) sounds like a good way to keep out of trouble, it’s hard to stay anonymous on the internet for long if someone wants to find you.

Internally, there is little need to be anonymous. I have heard examples of feedback tools that preserve anonymity.

One example of the issues that come from anonymity/pseudonym is the Cisco Patent Troll Tracker blog case.

Identifying Your Employer and Use of Company Name or Company Logo

Once you identify yourself as an employee of the company, what you publish will be associated with the company.

One should also consider what happens to Web 2.0/Enterprise 2.0 content when an employee leaves. Internal is easier to deal with since the employee has left. It is easy enough to keep the content published and the user id showing that the person left the company.

With Web 2.0, there are more issues to consider. Can the employee take a blog with them? If it is on their domain, the company will have a hard time stopping them from taking it with them. If the blog is on a company domain or subdomain, it’s probably going to stay with the company.

Productivity Drain

There are some legitimate concerns that employee productivity will be diminished when they are allowed to use web 2.0 tools or Enterprise 2.0 tools are deployed internally. You need to be prepared to address these concerns.

Recommendations

A true recommendation is generally a good thing. There are specific regulatory limitations for lawyers and registered investment advisers using public recommendations.

If a supervisor gives an employee a good recommendation on LinkedIn, it will be hard to later discharge the employee for poor performance.

Criticizing the Company

Some criticism can be considered whistle-blowing and be subject to legal protections. If the employee’s negative comments concern the employee’s reasonably held belief that the company is engaging in illegal activity, the employee may also be protected under whistleblower protection laws.

Monitoring and Discipline

One of the key reasons for adopting a policy is to discipline for bad behavior. The policy sets the behavior standard. Employees are expected to live up to that standard.

The other use of the policy is for education. The better purpose for a policy is to prevent the person from partaking in the bad behavior at the onset.

Using E 2.0 tools to Draft

One thing I encourage is to use the enterprise 2.0 tools to help draft the policy. Put a draft policy up on a blog for comment.

Examples of Social Media Policies

Here are some good examples in helping to draft your own policy:

Further Reading on Social Media Policies

Some more reading for you:

Doug’s Collection of Social Media Policies and Articles:
http://delicious.com/dougcornelius/blogging_policy

Compliance for Enterprise 2.0 at Lockheed Martin

Andrew McAfee, Associate Professor at Harvard Business School, led a discussion with Christopher Keohane, Social Media Program Product Manager at Lockheed Martin IS&GS – CIO – Architecture Services, and Shawn Dahlen, Social Media Program Manager, Lockheed Martin IS&GS CIO Office, to talk about their Unity enterprise 2.0 platform at Lockheed Martin.

The Lockheed Martin guys really caught the attention of the crowd in their smaller session at the 2008 edition of the Enterprise 2.0 Conference. This earned them a seat on the big stage.

Business Case

They started with the business case. The 9-11 Commission noted that one of the problems was that information was siloed at the intelligence agencies. As a government contractor, Lockheed pays close attention to the government’s position. The appeal of an enterprise 2.0 / collaboration platform was the ability to create content and share it among the team.

In addressing the ROI concern, they made it easy by making a small investment. There was a budget available of a few thousand dollars for experimental projects. They got up and running in a small group with that small investment. [If your investment is small, the return does not have to be big to find a positive ROI. Start small.]

Legal Concerns

They knew legal would have questions and raise concerns. Christopher and Shawn approached them early to help with approval and buy-in. Legal was unfamiliar with the tools. But they were familiar with export laws, data privacy limitations and other considerations that needed to be in place.

Legal was able to help design the controls, processes, and procedures that would need to be in place to make Unity compliant with the laws that affect the internal operations of the company. They did not leave legal as a last minute approval to check the box. They got them engaged to help identify risks and problems.

[If you don’t bring legal into the process and leave them with a late-in-the-process “yes” or “no” decision, you’re going to get a “NO!” Inevitably you will not have addressed an internal policy or regulatory concern. Especially if the project is being run out of the IT group, where they are often not involved in the business processes.]

Evolution versus Revolution

To echo the keynotes on Tuesday, Shawn and Christopher took an approach that was both evolutionary and revolutionary. Migrating from MS Word documents to blogs and wikis is evolutionary. Opening up the information for sharing is revolutionary.

The Generational Issue

Shawn and Christopher pointed out that the generational issue runs both ways when using 2.0 tools. They acknowledge that their team was a bunch of 20-somethings. They had trouble figuring out how to use these tools in the business setting. They had trouble using them to collaborate among themselves.

The older generation and managers of the business understand the business process. They were surprised that their most prolific bloggers are 40-something senior managers. (I am not surprised. I had the same experience at my old law firm when we started deploying 2.0 tools. The partners and senior attorneys contributed more information than the younger associates.) It is the seasoned workers who have the knowledge and understand the business needs. If the tools are easy enough to use, they will use them.

Technology

They used Microsoft’s SharePoint as the platform for Unity. When pushed, they neither endorsed the product nor said anything bad about it. They did acknowledge the difficulty in trying to customize the platform for different groups. The users found the tools easy to use and easy to see the migration from Word to blogs and wikis.

[I had a discussion with Mary Abraham of Above and Beyond KM about the Snake Oil of Social Media.  As we became seasoned in our businesses, we learned to silo information because the technology siloed it for us. Email became our information source and collaboration tool. Email is inherently siloed. Trying to make it open does not work. My theory is that if you want to change the culture, you also need to change the technology tools.]

Summary

Shawn and Christopher also found that you need to ground enterprise 2.0 in the needs of the business. Don’t be afraid of social media. Embrace it. Apply it to your business challenges.

McAfee Update

Professor McAfee is leaving Harvard next month to become a Principal Research Scientist within the Center for Digital Business at the Sloan School of Management. And his book, Enterprise 2.0, is coming out in the fall. You can download the first chapter for a sneak preview.

Other Coverage

Photo Credit

Thanks to Alex Howard of Digiphile and SearchCompliance.com for giving me permission to use his photo in this blog post.

Enterprise 2.0 Keynotes on Tuesday

evening in the clouds panel

After Monday night’s Evening in the Cloud (That is me in the middle of the picture during the Evening in the Cloud), Tuesday turned to social media and collaboration in the keynote presentations on the big stage.

It was a mixed bag of presentations. There were glimpses of how organizations can use enterprise 2.0 and web 2.0 tools to further the goals of the organization. What was missing, was the compelling case for adopting the tools and devoting the resources to that adoption. There were a few points from the compliance perspective that popped up in the presentations. I thought I would share some of my thoughts and notes from these presentations.

my.barackobama.com: The Secrets of Obama’s New Media Juggernaut

Jascha Franklin-Hodge, Chief Technology Officer & Founding Partner, Blue State Digital started off talking about some of the success of the presidential campaign:

  • 1 billion emails to 13 million addresses
  • Over 1 million text message subscribers
  • 200,000 offline events planned through the website
  • 145 YouTube viewing hours
  • Of the $770 million raised, 65% came through the website

Although this presentation was interesting I was hard-pressed to see how the lessons learned from the presidential campaign could be applied to the use of these tools inside an enterprise. (Although the bleeding heart liberal in me enjoyed seeing the great success story.)

He did emphasize the need for measurement, which is dear to the hearts of compliance professionals. They measured everything, tested their assumptions and redesigned the visuals and tools based on the data.

Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World

I don’t have much that’s nice to say about this presentation. So I won’t.

Hello from Booz Allen Hamilton

Booz Allen won the Innovation Award from the Open Enterprise 2009. Walton Smith gave his insights on their enterprise 2.0 platform. It looked great! (In the interest of disclosure, Booz Allen is a large tenant in my employer’s portfolio.)

Walton started with the business case. They need ways to better capture the tacit and explicit knowledge in the organization. There is a tremendous need to identify expertise and allow people to find that expertise. They are looking to add thousands of employees over the next few years and need to get those employees up and running quickly. On a typical day, over half of their people are working at client sites. Outlook was their de facto collaboration tool.

They deployed Hello, their enterprise 2.0 tool, to address these concerns. It sounds like a success. Over 40% of the firm has added content. Another 1% to 2% of new users are adding content each week. The technology is a mash of technologies, many of which are open source platforms.

Given the short time allotted, we were not able to see much detail about the operations of Hello. From what I saw, it was just what I thought a large professional services firm needed. Walton’s description matched up with the vision I had for the redesign of Goodwin Procter’s iNet (before I left).

Walton did address some of the compliance concerns. In responding to a question about posting inappropriate content, Walton had this great statement: “I can’t prevent you from being stupid, but now I can see how stupid you are.” As to EU data privacy, they had lots of discussions with legal on what people could post about themselves. Legal wanted to exclude all non-US from Hello. They came to a compromise, but I am not sure what it was. For departed employees, they keep the content and the profile. They merely add a banner that the person has left the company. They want to preserve the intellectual capital footprint.

Enterprise 2.0 Reality Check – What’s Working, What’s Not, What’s Next

Matthew Fraser was back to moderate a panel of Christian Finn, Director of SharePoint Product Management, Microsoft, Nate Nash, Senior Manager, BearingPoint, Neil Callahan, Executive Vice President, mktg, and Ross Mayfield, President, Chairman and Co-founder, Socialtext. There was lots of talk of whether enterprise 2.0 was an evolution or revolution. One commenter in the crowd said the panel was an I’m a Mac, I’m a PC ad. There was a fair amount of discussion about the ROI for enterprise. Some panelists and audience members were dismissive of needing a monetary ROI. They likened it to email. Nobody asks for the ROI on email.

I don’t agree with these thoughts. When email was first adopted in the enterprise there was an ROI calculation. It was cheaper and faster to send an email, than to send a message through the post office. There is a reason we get so much spam. It is cheap and easy. Businesses may no longer calculate the ROI, but they did as part of the adoption process. Even though now it is just an assumption that you have email in the business, there was a compelling reason to adopt.

Meeting People

Web 2.0 is not about sitting in your basement. It is about meeting people. Besides the presentations, I was able to run into and chat with a bunch of great people. I had a great lunch with David Hobbie of Goodwin Procter and Rachel Happe of The Community Roundtable in the fake Irish restaurant.

It was great to spend some time talking with Carl Frappaolo and Dan Keldsen of Information Architected. Unfortunately, I missed the session but I was able to chat with Jessica Lipnak and Jeff Stamps of NetAge. Alex Howard of Digiphile and SearchCompliance.com was there covering the conference and having great conversations. I apparently got Mark Masterson fired up about compliance because we chatted about it for a while.

I also had some short chats with Luis Suarez of IBM, Joe Wehr of DBMI, and Ming Kwan formerly of nGenera and now at Nokia.

Michael Idinopulos of SocialText gave me a great tour of the latest release of their product. Their new marketing strategy is to offer SocialText free for less than 50 users. Chris McGrath and I talked about Thought Farmer. I kind of beat him up over records management and wikis. Cheryl McKinnon gave me a great presentation on some compelling OpenText products.

I will be back on Wednesday for a few sessions and will try to distribute any insights.

Evening in the Cloud and Compliance

The Evening in the Cloud session at the Enterprise 2.0 Conference was fun. David Berlind, Editor-At-Large and General Manager of TechWeb, was the moderator. I sat in the customer role beside Christopher Reichert of the MIT Sloan CIO Symposium. Sean Poulley, VP Online Collaboration Services of IBM, Rajen Sheth, Senior Product Manager of Google Apps, and Mike Feinberg, Senior VP, Cloud Infrastructure of EMC, each gave an eight minute pitch for their product.

If you read yesterday’s post (Compliance and Cloud Computing at Enterprise 2.0), you knew what my questions would be for the vendors. These three vendors represented big guns who I am sure have been asked those questions before. The session was obviously driven by vendors. Hopefully, my list of questions can be used by other attendees to quiz the vendors.

Google, IBM and EMC focused on the infrastructure aspect of cloud computing. From a compliance perspective, the application piece of cloud computing poses more of the issues. Maybe I will be able to tackle some of those issues with vendors when the Exhibition Hall opens on Tuesday.

Brenda Michelson live-blogged the session on her elemental links blog: @ Enterprise 2.0 Evening in the Cloud Panel discussion. It is as good a summary as I could have written.

The session was recorded and will be available online at some point. I’ll post an update when I come across the recording.

Wrap Up of Compliance Week Conference

It was a great few days in Washington D.C. at my first Compliance Week Conference.  The conference was packed with great presentations and discussions over its three days. In particular, it was great to spend time with Bruce Carton, Francine McKenna, Scott Cohen, Matty Kelly and Alex Howard.

Below are links to some stories from the conference:

For Compliance Week subscribers:

Fighting a cold during the conference, I was the guy generating the cacophony of coughs.  But I did manage to keep notes during the sessions I attended:

I am looking forward to Compliance Week 2010.

UPDATED with new links

Your Compliance Program and Enforcement

This session at Compliance Week Conference 2009 was another “dark session” so I am not sharing detailed notes, merely a perspective on some issues that were presented. John Roth, an Assistant U.S. Attorney in the Fraud and Corruption Section shared his insights and Bruce Carton did his best Phil Donahue impression by eliciting questions from the audience.

There was a big turnout for this session. The organizers were only expecting 20-30 and ended up with over 100. Anything said by Mr. Roth was his opinion alone and not necessarily those of his office or the Attorney General.

One item was the difference between the Principles of Prosecution in the U.S. Attorney General’s Handbook and the Federal Sentencing Guidelines. The Guidelines only come into play once the organization has been indicted and convicted. The Principles of Prosecution help the Attorney General’s Office decide whether to prosecute in the first place. The Guidelines are a product of compromise between the Attorney General, the defense bar and federal judges. At this point they have also been made discretionary instead of mandatory. It seems that compliance programs should be more focused on the Principles of Prosecution instead of the Federal Sentencing Guidelines.

There was much discussion that it is much easier to identify a bad compliance program (or no compliance program) than a good compliance program. Much of the learning comes from failures of compliance programs instead of the successes.

Prosecution success causes more prosecution in those areas. FCPA prosecutions are increasing because they are being successful. We can expect to see more. There were rumors that the FBI has formed a squad to focus on FCPA criminal investigations.

The S&P Assessments

My notes, live, from the Compliance Week Conference session by Steven Dreyer who is overseeing Standard & Poor’s program to assess corporate ERM efforts as part of credit ratings. Standard & Poor’s To Apply Enterprise Risk Analysis To Corporate Ratings (.pdf)

S&P’s ERM review for non-financial companies will be based primarily on information provided by issuers in public disclosures and through discussions with S&P analysts. S&P does not require written responses to these questions, but will certainly consider them if provided to supplement or make more efficient our in-person discussions.

  • What are the company’s top risks, how big are they, and how often are they likely to occur? How often is the list of top risks updated?
  • What is management doing about top risks?
  • What size quarterly operating or cash loss has management and the board agreed is tolerable?
  • Describe the staff responsible for risk management programs and their place in the organization chart. How do you measure success of risk management activities?
  • How would a loss from a key risk impact incentive compensation of top management and on planning/budgeting?
  • Tell us about discussions about risk management that have taken place at the board level or among top management when making strategic decisions.
  • Give an example of how your company responded to a recent “surprise” in your industry and describe whether the surprise affected your company and others differently.

All S&P cares about is the ability of the company to repay its debt. Corporate social responsibility is nice, but does not affect credit. S&P does not lower a credit rating on an airline because of a plane crash. They care about cash flow. They do care if a risk is a risk to cash flow. S&P is not a missionary for ERM.

So why are they adding ERM to credit ratings to non-financial institutions?

  • Enhance Analytical Process & Focus
  • Create More Forward-Looking Ratings
  • Better Insights and Communication on Management
  • Differentiate Better

Non-financial institutions tend to die very slow deaths. Financial institutions have the potential to fall off a cliff and disappear quickly. For non-financial institutions, ERM is a means to see inside the enterprise to see how they may be able to bounce back from issues and crises.

Every company has an appetite for risk and a tolerance for risk. By focusing on risk management, there is some insight about how they treat risk, the appetite and the tolerance.

What Is S&P Not Looking For… (These mindsets can actually hinder effectiveness):

  • Eliminating all risks
  • Cramming together disparate policies
  • Solely compliance/disclosure requirements
  • Replacement for internal controls
  • A shiny new software program
  • Naming a CRO and calling it a day

“The reviews will focus predominantly on risk-management culture and strategic risk management, two universally applicable aspects of ERM.” – Standard & Poor’s To Apply Enterprise Risk Analysis To Corporate Ratings, May 7, 2008

Culture = Communications, Frameworks, Roles, Policies, Metrics, Influence

Strategic = Identification and Updating Process, Impact on Key Decisions

Here are some ERM discussion topics he offered:

  • How are key risks identified, updated, and dealt with?
  • How is risk tolerance defined and communicated?
  • Who “owns” risk in the organization and how is success measured?
  • What is the board’s involvement in risk management?
  • How did your company respond to _______________ ?

Ultimately, they are looking for evidence of effectiveness. They are planning to release the criteria during the fourth quarter of 2009. They are currently in the process of benchmarking and comparing information. They are thinking about using a rating scale, but there is a concern that people will focus on the number and not the nuances that went into the number.

A counter-intuitive result was that the companies that responded quicker to questions were more accurate than those that took longer. The quick result was because they had better access to their information. The longer response was because the information was hard to find and less reliable.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

Harvey Pitt on Ethical Cultures in a Down Economy – Compliance Week Keynote

My notes, live, from the Compliance Week keynote speech by Harvey Pitt on Ethical Cultures in a Down Economy:

After a very brief introduction (especially compared to yesterday’s keynote) by Scott Cohen, Mr. Pitt dove into an entertaining and informative speech.

Learning from history is in fact virtually impossible. The only thing we only learn from history is that we never learn from history. It is the science of what never happens twice.

Cutting corners may have some short-term benefits, but it endangers your long-term success. This century has barely begun and we already have a plethora of financial scandals. So many high-flying companies have come crashing down, destroying the companies and the investors. We have to avoid failures at all corporate levels, so every person within the company is responsible for being a watchdog for transgressions.

It seems that we never learned from the Enron-era scandals. Business scandals are inevitable, as is the follow-up government action. But those too often only focus on the last crisis and do not look ahead to potential new issues. SOX did not prevent the current economic crisis and its failures of corporate governance. It is inevitable that new laws will come out to address the crisis that just happened. Mr. Pitt seems skeptical that they will prevent the next set of crises and failures.

Mr. Pitt thinks directors will be held accountable for the failures of their organization and the failure of their risk management. He thinks the answer is simple. The long-term success of a company is the ability to survive under “Corporate Darwinism.” Only those with the best governance and the most ethical culture will survive. The regulatory and prosecutorial environment is going to be hostile for the foreseeable future. Being law-abiding only gets you so far. It is not the same as acting honestly and ethically.

Something always goes wrong.

Good corporate ethics is not just talking the talk, but also walking the walk. You need to recognize that an ounce of prevention is worth a pound of cure. You need to minimize risk and continually assess the risk. You need to deal with the risk before the next crisis.

Be a Boy Scout and “Be Prepared.” It is better to be ahead of the curve and ready for what may be coming.

Knowledge is power. You need full and complete information in order to assess risk and govern the organization. The most dangerous risk is the risk you are not aware of. You need to make sure that information flows up the chain and throughout the organization.

Don’t shoot the messenger. Risk management should not be thought of as a cost center.

Make sure that everyone is “invested” in the organization. It is part of everyone’s job description to be alert for potential problems, addressing problems and resolving problems. You need to engage all employees in developing and running the program.

There is no such thing as a “small” ethical problem. They always grow into a big problem if left unaddressed. Not every breach is a hanging offense, but they all need to be treated seriously.

It’s the quality not the quantity that counts. You can have binders full of policies. But they are useless if employees are not aware of them and ignore them.

Pay for integrity. If boards want to show the importance of ethics, they need to tie compensation to it. They need to place a cost for failures as well.

Trust, but verify. Ask the tough questions and examine the underlying premise of their information. You need to make sure your conclusions are sound.

The third little pig had it right. You can’t build your house out of flimsy materials.

Treat everyone who cries wolf as if they are credible. It is the warning you ignore that is more likely to hurt your organization. It’s not how complaints are raised. The only issue is whether there is any truth to the claims. You need to find the truth. The only way to find out is to respond to the call and investigate.

If you manage for the short term, you will not be around in the long term.

At the end of his speech, Mr. Pitt sat down with Mr. Cohen.

Mr. Pitt pointed out that government failed to have effective risk management during the current financial crisis.

He thinks SOX was hastily drafted. It was necessary because of the upheaval and government needed to show that it would not put up with that kind of behavior. He thinks SOX has been ineffective. It is approached as a liability issue and treated with a check-the-box mentality. We would not have had the most recent crisis if SOX was effective.

What we need now is not more regulation or less regulation, it is smarter regulation. Businesses sit back and wait for government to tell them what they are doing wrong and then don’t like what the government tells them to do. Businesses need to discover problems before they become a problem.


Richard Ketchum Keynote from the Compliance Week Conference


My notes, live, from the Richard Ketchum keynote at the Compliance Week Conference. Mr. Ketchum is the newly named chairman and CEO of FINRA.

It is a terribly important time as financial markets are in the process of transformation. It was two years ago when the first signs of the credit crisis appeared. The silver lining is that the crisis offers an opportunity to reform the financial markets.

Mr. Ketchum moved on to the idea of a systemic risk regulator. He thinks some regulator will be in place. As to whether it is a single entity or a council of regulators, Mr. Ketchum stated that some of the risk and problems came from loosely regulated entities and in transactions that were not transparent. He thinks the value of a systemic regulator is good but thinks we need to focus on the function of this new regulator. He wants to avoid duplication and also to avoid things falling through the cracks.

He looked to the Federal Reserve as a regulator that had a broad mandate to see big problems. They were less able to focus on the detail of regular reporting and maintenance. He thinks the new systemic regulator should not replace existing regulators. He also did not seem to like the idea of breaking up the SEC. They are very involved in many aspects of the markets and have a breadth of experience and controls in place.

He moved on to the issue of short selling in the marketplace. There are several proposals being reviewed as a result of the fierce short-selling that happened in September and October. He thinks the selling that happened during that time was mostly long sellers, not short sellers. Short selling may have caused the disappearance of any buyers. He seems to be leaning toward a circuit-breaker when a company’s stock is under pressure. He did not seem to give a straight answer.

He moved on to the subject of derivatives. The market provides a great deal of leverage, has a great deal of inefficiency and is very transparent. The derivatives markets also react more quickly than the equity markets. He thinks the key is transparency so we can see the movement and the risk. The opacity of the derivatives markets contributed to the plunge in the investment markets.

He moved on to the lessons we could learn from volatile markets. He thinks we need to revisit diligence and reduce our reliance on ratings to get a better understanding of the security (in particular asset-backed securities). You need to keep the creators of the securities away from the ratings of the securities.

He thinks compliance needs to be infused into more functions. He thinks compliance officers can look at the risks and not rely on assumptions. You need to make sure that decisions that benefit the company do not come at the expense of the company’s clients or customers.

Nobody feels good about the implosion of the financial markets. FINRA is re-evaluating their internal processes to see what they could do better. He pointed out the new FINRA Whistleblower hotline. FINRA is looking at ways to make sure things do not fall through the cracks.

He thinks the biggest gap is the different regimes between broker-dealers and investment advisers. He thinks investment advisers need to be more regulated and more closely examined. He does recognize that there are different risks and different concerns. You can’t throw the same rulebook at them, but he thinks you need to keep a closer eye on them.

The keystone moving forward is winning back the trust of investors. Without trust, the markets are paralyzed. Fraud impoverishes the few; distrust impoverishes many.

In the chat session, Matt put the Madoff scenario in front of Mr. Ketchum. He thinks that is the great example of having different regimes for broker-dealers and investment advisers. FINRA could not look over the wall at the advisory side of the business.

There is no definition of a systemic risk. Mr. Ketchum thinks it is one that can impact the financial marketplace as a whole and not just an individual institution.
