To Lead, Create a Shared Vision

Harvard Business Review, January 2009

In the January 2009 issue of the Harvard Business Review is a short Forethought piece on the importance of leaders creating vision: To Lead, Create a Shared Vision.

James M. Kouzes and Barry Z. Posner emphasize the importance of leaders creating a vision for their organization and developing a forward-looking capacity. But rather than leaders thinking that they themselves need to be the visionary, the authors think it is more important to get input from the people in your organization to develop the vision.

Too many leaders act as “emissaries from the future, delivering the news of how their markets and organizations will be transformed.” Instead, “constituents want visions of the future that reflect their own aspirations. They want to hear how their dreams will come true and their hopes will be fulfilled.” The best way to lead people into the future is to connect with them in the present.

What does this mean for compliance?

When putting together and maintaining your compliance program, you need to seek input from as many people as possible. It is too late to get buy-in after the policy is already drafted. Send early drafts to a wide population of the organization for review and comment. They may surprise you by pointing out weaknesses and ambiguity in the policy draft.

By sending drafts, you also emphasize the importance of the policy and its existence. Many studies have shown that people need to be exposed to a policy several times before they can even remember that it exists. Circulating drafts can accomplish some of that information awareness.

Whistleblowing in Europe – Legal Aspects


Jonathan Armstrong of Eversheds gave this webinar. (You can watch it yourself after a free registration: Whistleblowing: Challenges in running a helpline in Europe.) These are my notes:

Why have a hotline? A hotline can help the headquarters connect with offices abroad. It can help internalize issues and the flow of information. The main reason for a hotline is a legislative requirement. Sarbanes-Oxley is the best-known legislation.

The main legal issues implicated: privacy, data security (particularly for third party providers), labor law, HR issues, and third party contracts. The more issues the helpline covers, the more legal issues are involved.

The history of hotlines really starts with SOX, and was then shaped by the 2005 privacy cases in France and the works council issue in Germany and France in 2005.

The CNIL guidelines limit the hotline to “serious” cases. They have a prepackaged list of items for which you can set up a hotline. If you are outside those parameters, then you need approval. He recommends getting local counsel for the French approach.

The EU has formed the Article 29 Committee. CNIL took the lead in drafting, so it looks more like France than the US. It discourages anonymous complaints. It discourages advertising that complaints can be made anonymously. It also gives defense rights to the accused. There is a two-month retention period, which makes it hard to track patterns. There should be a penalty for bad faith complaints. It expects reports to be investigated within the jurisdiction of the problem. It makes it hard to centralize investigators.

Image is by oyxman and made available through Wikimedia Commons: Tall Red K6 Phone Box.jpg.

GAO Report on Sovereign Wealth Funds


The U.S. Government Accountability Office has released its second report on Sovereign Wealth Funds: Laws Limiting Foreign Investment Affect Certain U.S. Assets and Agencies Have Various Enforcement Processes (.pdf). This report was sent to the Committee on Banking, Housing, and Urban Affairs in the U.S. Senate.

The Report found the United States is generally open to foreign investment, except for sector-specific restrictions. The banking, agriculture, transportation, natural resources and energy, communications, and defense sectors have federal laws that apply to foreign investment specifically. These sectors have laws that contain provisions that either restrict the level of foreign investment, limit the use of a foreign-owned asset, or at least require approval or disclosure of any foreign investments.

In addition to these specific limitations, there is the broad power under the Defense Production Act of 1950 granted to the CFIUS to review a foreign acquisition, merger, or takeover of a U.S. business that is determined to threaten the national security of the United States.

Restrictions on foreign investment in real estate also exist in many states. According to an Alien Land Ownership Guide from the National Association of Realtors, 37 U.S. states had some type of law affecting foreign ownership of real estate. Most of the laws are merely a requirement that a foreign investor register as a company doing business in the state before purchasing property. Some states specifically prohibit foreign ownership of certain types of land. One common type of real property restriction was for agricultural land. Fifteen states have some law governing foreign ownership in this area.

The Report’s recommendation for Executive Action:

To enhance their oversight of sectors subject to laws restricting or requiring disclosure of foreign investments, we recommend that the Chairman of the FCC and the Secretaries of Agriculture and Transportation review the current sources of the information their agencies currently monitor to detect changes in ownership of U.S. assets— which are subject to restriction or disclosure requirements applicable to foreign investors—and assess the value of supplementing these sources with information from other government and private data sources on investment transactions.


FBAR Deadline

The deadline for Foreign Bank Account Reporting is June 30. The Report of Foreign Bank and Financial Account is IRS TD F 90-22.1 (.pdf).

Any United States person who has a financial interest in or signature authority, or other authority over any financial account in a foreign country, if the aggregate value of these accounts exceeds $10,000 at any time during the calendar year must file the report. An FBAR must be filed whether or not the foreign account generates any income.

The IRS has engaged in a large-scale initiative to seek out taxpayers with undisclosed accounts overseas. While in the past the prosecution of those failing to comply with the Foreign Bank Account Report reporting requirements has been rare, following enactment of the Patriot Act of 2001, the IRS appears ready, willing and able to crack down on the non-compliant.

The granting, by the IRS, of an extension to file Federal income tax returns does not extend the due date for filing an FBAR. There is no extension available for filing the FBAR.

There are a few exceptions to the filing requirement.

An officer or employee of a bank which is currently examined by Federal bank supervisory agencies for soundness and safety need not report that he has signature or other authority over a foreign bank, securities or other financial account maintained by the bank, if the officer or employee has NO personal financial interest in the account.

An officer or employee of a domestic corporation whose equity securities are listed upon any United States national securities exchange or which has assets exceeding $10 million and has 500 or more shareholders of record need not file such a report concerning signature or other authority over a foreign financial account of the corporation, if he has NO personal financial interest in the account and he has been advised in writing by the chief financial officer or similar responsible officer of the corporation that the corporation has filed a current report, which includes that account.

An officer or employee of a domestic subsidiary of such a domestic corporation need not file this report concerning signature or other authority over the foreign financial account if the domestic parent meets the above requirements, he has no personal financial interest in the account, and he has been advised in writing by the responsible officer of the parent that the subsidiary has filed a current report which includes that account.

An officer or employee of a foreign subsidiary more than 50% owned by such a domestic corporation need not file this report concerning signature or other authority over the foreign financial account if the employee or officer has no personal financial interest in the account, and he has been advised in writing by the responsible officer of the parent that the parent has filed a current report which includes that account.

Accounts in U.S. military banking facilities, operated by a United States financial institution to serve U.S. Government installations abroad, are not considered as accounts in a foreign country.

The willful failure to disclose foreign accounts, or to report all of the information required on an FBAR, can result in severe civil and criminal penalties. The civil penalty amount is limited to the greater of $25,000 or the balance in the account at the time of violation, up to a maximum of $100,000 per violation. Criminal violations of the FBAR rules can result in a fine of not more than $250,000 or 5 years in prison or both.

Section 5314 of the Bank Secrecy Act of 1970 authorizes the Secretary of the Treasury to require residents or citizens of the United States to keep records and/or file reports concerning transactions with any foreign agency. (31 U.S.C. §5314) The provisions resulted from concern that foreign financial institutions located in jurisdictions having laws of secrecy with respect to bank activity were being extensively used to violate or evade domestic criminal tax and regulatory requirements.


Cloud Computing and Compliance

Compliance Week editor Matt Kelly and I talked about “cloud computing” and how such IT systems can affect compliance. Listen to the conversation. (Time: 8.5 min.; file size: 7.7 Mb)

Let’s try to define cloud computing a little better. It really encompasses a broad swath of services that can be put into three main groups. Infrastructure as a service provides virtual servers and data storage that users can configure. Platform as a service lets developers write applications using hosted software and development tools. Software as a service provides hardware and software applications that range from specialized functions, such as supplier information management, to desktop applications, such as word processing and spreadsheets, so the provider hosts both the application and the data.

Listen to the conversation to hear about the compliance issues.

Twitter and Compliance


I was struck recently by the power and misconceptions around Twitter, the current press darling of Web 2.0. On one side is the enormous power of Twitter to crowdsource the news. The fallout of the Iran elections was better covered on Twitter than the mainstream media. At one point I watched CNN only to see the anchors reading from Twitter and displaying images posted to Twitter applications.

On the other side is the misconception that Twitter communications are not regulated by the SEC or FINRA. Everyone can acknowledge that the regulations have not caught up with the current tools of web 2.0. But the existing rules were drafted broad enough to cover all electronic communication. Twitter is clearly electronic communication.

Last week at Jeff Pulver’s 140 Characters Conference in New York an attendee said “Twitter allows us to say f— you to the SEC!” Earlier this week there was a quote in Forbes.com that “Since brokers have to save instant messages and e-mail, but thus far have no such mandate for tweets….”

The SEC and FINRA may have more pressing issues on their hands, but the existing rules cover the use of Twitter. Sure, the rules could be more explicit. But ignore them at your peril.

If you are a registered representative, you should take a look at FINRA’s Guide to the Internet. The features of Twitter could be considered an advertisement, sales literature, or correspondence. The direct message feature is correspondence. If your Twitter feed is unprotected, each Twitter post would be considered an advertisement. If your Twitter feed is protected, it would be considered sales literature.

The SEC’s Guidance on the use of web sites (SEC Release 34-58288) does not give the clearest guidance. But it is clear that the rules are independent of the platform and the technology.

Insider trading, wrongful public disclosure and fraud are prohibited regardless of the communication tool. That includes Twitter.

Companies that have to monitor electronic communications should add Twitter to the mix. As the Iran election showed us, blocking access is ineffective. You should adopt a policy for Twitter or revise your existing policies to specifically include it. Twitter has become too popular and powerful a tool to ignore.

Thanks to Alex Howard of Digiphile and SearchCompliance.com for pointing out both stories.


Compliance for Enterprise 2.0 at Lockheed Martin


Andrew McAfee, Associate Professor at Harvard Business School, led a discussion with Christopher Keohane, Social Media Program Product Manager at Lockheed Martin IS&GS – CIO – Architecture Services, and Shawn Dahlen, Social Media Program Manager, Lockheed Martin IS&GS CIO Office, about their Unity enterprise 2.0 platform at Lockheed Martin.

The Lockheed Martin guys really caught the attention of the crowd in their smaller session at the 2008 edition of the Enterprise 2.0 Conference. This earned them a seat on the big stage.

Business Case

They started with the business case. The 9-11 Commission noted that one of the problems was that information was siloed at the intelligence agencies. As a government contractor, Lockheed pays close attention to the government’s position. The appeal of an enterprise 2.0 / collaboration platform was the ability to create content and share it among the team.

In addressing the ROI concern, they made it easy by making a small investment. There was a budget available of a few thousand dollars for experimental projects. They got up and running in a small group with that small investment. [If your investment is small, the return does not have to be big to find a positive ROI. Start small.]

Legal Concerns

They knew legal would have questions and raise concerns. Christopher and Shawn approached them early to help with approval and buy-in. Legal was unfamiliar with the tools. But they were familiar with export laws, data privacy limitations and other considerations that needed to be in place.

Legal was able to help design the controls, processes, and procedures that would need to be in place to make Unity compliant with the laws that affect the internal operations of the company. They did not leave legal as a last minute approval to check the box. They got them engaged to help identify risks and problems.

[If you don’t bring legal into the process and instead leave them with a late-in-the-process “yes” or “no” decision, you’re going to get a “NO!” Inevitably you will not have addressed an internal policy or regulatory concern. This is especially true if the project is being run out of the IT group, which is often not involved in the business processes.]

Evolution versus Revolution

To echo the keynotes on Tuesday, Shawn and Christopher took an approach that was both evolutionary and revolutionary. Migrating from MS Word documents to blogs and wikis is evolutionary. Opening up the information for sharing is revolutionary.

The Generational Issue

Shawn and Christopher pointed out that the generational issue runs both ways when using 2.0 tools. They acknowledge that their team was a bunch of 20-somethings. They had trouble figuring out how to use these tools in the business setting. They had trouble using them to collaborate among themselves.

The older generation and managers of the business understand the business process. They were surprised that their most prolific bloggers are 40-something senior managers. (I am not surprised. I had the same experience at my old law firm when we started deploying 2.0 tools. The partners and senior attorneys contributed more information than the younger associates.) It is the seasoned workers who have the knowledge and understand the business needs. If the tools are easy enough to use, they will use them.

Technology

They used Microsoft’s SharePoint as the platform for Unity. When pushed, they neither endorsed the product nor said anything bad about it. They did acknowledge the difficulty in trying to customize the platform for different groups. The users found the tools easy to use and found the migration from Word to blogs and wikis easy to see.

[I had a discussion with Mary Abraham of Above and Beyond KM about the Snake Oil of Social Media. As we became seasoned in our businesses, we learned to silo information because the technology siloed it for us. Email became our information source and collaboration tool. Email is inherently siloed. Trying to make it open does not work. My theory is that if you want to change the culture, you also need to change the technology tools.]

Summary

Shawn and Christopher also found that you need to ground enterprise 2.0 in the needs of the business. Don’t be afraid of social media. Embrace it. Apply it to your business challenges.

McAfee Update

Professor McAfee is leaving Harvard next month to become a Principal Research Scientist within the Center for Digital Business at the Sloan School of Management. And his book, Enterprise 2.0, is coming out in the fall. You can download the first chapter for a sneak preview.


Photo Credit

Thanks to Alex Howard of Digiphile and SearchCompliance.com for giving me permission to use his photo in this blog post.

Enterprise 2.0 Keynotes on Tuesday

(Photo: the Evening in the Cloud panel)

After Monday night’s Evening in the Cloud (That is me in the middle of the picture during the Evening in the Cloud), Tuesday turned to social media and collaboration in the keynote presentations on the big stage.

It was a mixed bag of presentations. There were glimpses of how organizations can use enterprise 2.0 and web 2.0 tools to further the goals of the organization. What was missing was the compelling case for adopting the tools and devoting the resources to that adoption. A few points from the compliance perspective popped up in the presentations. I thought I would share some of my thoughts and notes from these presentations.

my.barackobama.com: The Secrets of Obama’s New Media Juggernaut

Jascha Franklin-Hodge, Chief Technology Officer & Founding Partner, Blue State Digital, started off talking about some of the successes of the presidential campaign:

  • 1 billion emails to 13 million addresses
  • Over 1 million text message subscribers
  • 200,000 offline events planned through the website
  • 145 YouTube viewing hours
  • Of the $770 million raised, 65% came through the website

Although this presentation was interesting I was hard-pressed to see how the lessons learned from the presidential campaign could be applied to the use of these tools inside an enterprise. (Although the bleeding heart liberal in me enjoyed seeing the great success story.)

He did emphasize the need for measurement, which is dear to the hearts of compliance professionals. They measured everything, tested their assumptions and redesigned the visuals and tools based on the data.

Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World

I don’t have much that’s nice to say about this presentation. So I won’t.

Hello from Booz Allen Hamilton

Booz Allen won the Innovation Award from the Open Enterprise 2009. Walton Smith gave his insights on their enterprise 2.0 platform. It looked great! (In the interest of disclosure, Booz Allen is a large tenant in my employer’s portfolio.)

Walton started with the business case. They need ways to better capture the tacit and explicit knowledge in the organization. There is a tremendous need to identify expertise and allow people to find that expertise. They are looking to add thousands of employees over the next few years and need to get those employees up and running quickly. On a typical day, over half of their people are working at client sites. Outlook was their de facto collaboration tool.

They deployed Hello, their enterprise 2.0 tool, to address these concerns. It sounds like a success. Over 40% of the firm has added content. Another 1% to 2% of new users are adding content each week. The technology is a mashup of technologies, many of which are open source platforms.

Given the short time allotted, we were not able to see much detail about the operations of Hello. From what I saw, it was just what I thought a large professional services firm needed. Walton’s description matched up with the vision I had for the redesign of Goodwin Procter’s iNet (before I left).

Walton did address some of the compliance concerns. In responding to a question about posting inappropriate content, Walton had this great statement: “I can’t prevent you from being stupid, but now I can see how stupid you are.” As to EU data privacy, they had lots of discussions with legal on what people could post about themselves. Legal wanted to exclude all non-US employees from Hello. They came to a compromise, but I am not sure what it was. For departed employees, they keep the content and the profile. They merely add a banner that the person has left the company. They want to preserve the intellectual capital footprint.

Enterprise 2.0 Reality Check – What’s Working, What’s Not, What’s Next

Matthew Fraser was back to moderate a panel of Christian Finn, Director of SharePoint Product Management, Microsoft; Nate Nash, Senior Manager, BearingPoint; Neil Callahan, Executive Vice President, mktg; and Ross Mayfield, President, Chairman and Co-founder, Socialtext. There was a lot of talk about whether enterprise 2.0 was an evolution or a revolution. One commenter in the crowd said the panel was an “I’m a Mac, I’m a PC” ad. There was a fair amount of discussion about the ROI for enterprise 2.0. Some panelists and audience members were dismissive of needing a monetary ROI. They likened it to email. Nobody asks for the ROI on email.

I don’t agree with these thoughts. When email was first adopted in the enterprise there was an ROI calculation. It was cheaper and faster to send an email than to send a message through the post office. There is a reason we get so much spam. It is cheap and easy. Businesses may no longer calculate the ROI, but they did as part of the adoption process. Even though it is now just an assumption that you have email in the business, there was a compelling reason to adopt it.

Meeting People

Web 2.0 is not about sitting in your basement. It is about meeting people. Besides the presentations, I was able to run into and chat with a bunch of great people. I had a great lunch with David Hobbie of Goodwin Procter and Rachel Happe of The Community Roundtable in the fake Irish restaurant.

It was great to spend some time talking with Carl Frappaolo and Dan Keldsen of Information Architected. Unfortunately, I missed the session but I was able to chat with Jessica Lipnak and Jeff Stamps of NetAge. Alex Howard of Digiphile and SearchCompliance.com was there covering the conference and having great conversations. I apparently got Mark Masterson fired up about compliance because we chatted about it for a while.

I also had some short chats with Luis Suarez of IBM, Joe Wehr of DBMI, and Ming Kwan formerly of nGenera and now at Nokia.

Michael Idinopulos of SocialText gave me a great tour of the latest release of their product. Their new marketing strategy is to offer SocialText free for less than 50 users. Chris McGrath and I talked about Thought Farmer. I kind of beat him up over records management and wikis. Cheryl McKinnon gave me a great presentation on some compelling OpenText products.

I will be back on Wednesday for a few sessions and will try to distribute any insights.

Evening in the Cloud and Compliance


The Evening in the Cloud session at the Enterprise 2.0 Conference was fun. David Berlind, Editor-At-Large and General Manager of TechWeb, was the moderator. I sat in the customer role beside Christopher Reichert of the MIT Sloan CIO Symposium. Sean Poulley, VP Online Collaboration Services of IBM; Rajen Sheth, Senior Product Manager of Google Apps; and Mike Feinberg, Senior VP, Cloud Infrastructure of EMC, each gave an eight minute pitch for their product.

If you read yesterday’s post (Compliance and Cloud Computing at Enterprise 2.0), you knew what my questions would be for the vendors. These three vendors represented big guns who I am sure have been asked those questions before. The session was obviously driven by vendors. Hopefully, my list of questions can be used by other attendees to quiz the vendors.

Google, IBM and EMC focused on the infrastructure aspect of cloud computing. From a compliance perspective, the application piece of cloud computing poses more of the issues. Maybe I will be able to tackle some of those issues with vendors when the Exhibition Hall opens on Tuesday.

Brenda Michelson live-blogged the session on her elemental links blog: @ Enterprise 2.0 Evening in the Cloud Panel discussion. It is as good a summary as I could have written.

The session was recorded and will be available online at some point. I’ll post an update when I come across the recording.

Compliance and Cloud Computing at Enterprise 2.0


Monday night, I am heading over to the Evening in the Cloud program at this year’s Enterprise 2.0 Conference. They asked me to help grill the vendors on compliance issues.

More software and business operations are being pushed into the cloud. Why buy the hardware and software when someone else will run them for you?

I thought I would put together my thoughts on some of the compliance issues I think about when it comes to cloud computing.

Records Management.

One aspect of records management is ensuring that important records are kept. Importance can be either because of a business need or a regulatory requirement. The other aspect is data destruction. Once a record is no longer important and no longer required to be kept, you want to make sure it is destroyed, and destroyed forever. Multiple backups in multiple places of old records are a huge headache when you are forced into e-discovery and the delivery of records as part of litigation.

Compliance Logs.

Whether you’re in the midst of an audit or an investigation, thorough logs are the key to proving compliance. So how do you prove your organization is (or was) compliant when you aren’t able to maintain logs? Audit trails must be auditable.

Terms of Service.

Consumers are used to clicking through the Terms of Service without reading it. Businesses will read it and want to negotiate it. If the vendor’s Terms of Service has a typical consumer provision allowing the vendor to unilaterally change it, throw that vendor out the door and don’t bother talking with them.

Investigations

You need to address how a forensic examination of the systems can be run as part of a government or internal investigation of wrongdoing.

Geography

It is not truly a cloud. There are physical servers that are sitting in a building somewhere. That physical location subjects them to the law of that jurisdiction. There are obviously some countries that you do not want. (Anyone in North Korea?) There are also some questionable locations. There are some companies that don’t want their operations being run on servers located in China. You should not be surprised that some companies do not want their servers in the United States because of the confiscatory provisions of the US PATRIOT Act.

Data Privacy

Geography also implicates personal data privacy. If you are using the cloud service to host information about people (employees or customers), you need to think about how the service complies with the multitude of personal data privacy laws. The most difficult is probably the EU Data Protection Directive.

Multi-User

If your information is combined with another company’s information on the same server, you risk being subject to their wrongdoing. There was a well-publicized raid of a server farm, with law enforcement seizing servers, shutting down businesses with their operations running on those servers.

Credit Card Processing

If you are processing payments, you need to be PCI DSS compliant. If the vendor asks what PCI means, throw them out.

Vendor should have a SAS 70 Type II Audit.

SAS 70 was designed to provide a highly specialized audit of an organization’s internal controls to ensure the proper handling of client data. SAS 70 Type II certification ensures that client data is protected in a data center that is using industry-leading best practices in information technology and security. Vendors that undergo a SAS 70 Type II audit are stringently evaluated on such elements as systems, technology, facilities, personnel management, and detailed processes for handling client data. At the end of a six-month process, vendors receive a comprehensive audit report that includes a description of their operational controls and a description of the auditor’s tests of operating effectiveness. At regular intervals after the initial audit, vendors go through additional audits to maintain their SAS 70 Type II status. In brief, SAS 70 provides assurance that a vendor has put in place comprehensive systems to ensure data security.

Of course, there are other issues. Depending on your industry, some of these may be more of a concern than others.