Archive for the ‘Risk Management’ Category

Auditing Career: Dealing with Mentally Unstable Managers

The subject of “mental stability” is a minefield that has kept psychologists and psychiatrists busy since Sigmund Freud first proposed to make the study of human behavior into a hard science. Today, the meaning of mental stability is still not well defined in the social sciences, so it is extremely difficult for those of us outside of those fields to discuss it, define it or pass judgment on it. However, like pornography, a lack of mental stability in people, especially in the workplace, is something most of us recognize when we see it. As auditors, many of us have had to deal with mentally unstable people at different times and at different levels of the corporate world, including those at executive levels tasked with making significant decisions for their organizations. The effects of mental illness often cause serious negative impacts on the departments and the people the sick individuals interact with. But, because mental illness is still a taboo subject in corporate America, these people remain in their high-level posts “undiscovered” for years. As auditors we often hear about managers who constantly change their minds or have difficulties making up their minds on the simplest of things, or directors who have sleep disorders and call their staffs at 3:00 AM to criticize their peers or to brainstorm strategies without end. Or the abusive vice-president who obtains pleasure from humiliating her staff in public, insults minorities with “indirect” comments and makes disgusting facial contortions when talking to junior employees. And one I personally remember… the supervisor who reprimands his team for following the very procedures and policies he instituted a few months earlier. When the person with these types of instabilities is your boss, you have a problem.

I’ve written this article as a result of a discussion I recently held with a Psychologist who specializes in Organizational Psychology, and she pointed out, to my amazement, that in corporate America it is better to be an alcoholic or drug addict than to have a mental disorder. In 2010, most personnel departments address employee and executive-level addictions with a variety of solutions such as 12-step programs, psychotherapy, etc., but mental illness, because of the difficulty in “proving it,” carries legal issues that scare the average personnel manager, and so it is awkwardly “ignored.” This process of ignoring the destructive behaviors of mentally unstable managers or executives often includes an “unofficial” gag around direct discussions of the behaviors of the individual; instead, “politically correct” comments like “you have to be extremely patient to work with Mike,” or “Helen is a little eccentric,” or “Herbert is impulsive and a little abrasive” are heard. At the end of the day folks like Mike, Helen and Herbert terrorize their staffs, ignore business controls, make a mockery of policies and procedures and create an atmosphere of tension that often damages a respectful and cooperative work environment. Worse than that, these individuals almost always chase away good talent and bring about unnecessary risk exposures to the entire company. All of these things have indirect impacts on the work of auditors. I am going to use the “How many controls are enough?” example below to bring the point home.

One of the most common questions asked of auditors is “how many controls do we really need?” The question is often a legitimate one, but it can also hide a myriad of other issues that have little to do with risk management, compliance and audit. Variations of the too-many-or-too-few question sometimes come from low-level staffers looking to “reduce unnecessary work,” but at other times you hear it from business managers, before Risk Assessment work begins, explaining that “given the fact that we know what our weaknesses are, and we have good controls already, why should we bother evaluating controls and looking for new ones?” At other times you hear the classic given by overzealous project managers: “we only have 10 minutes to discuss each control, so let’s get this over with quickly.” Then there is the direct comment: “This is all a waste of time and I don’t give a %$#@ about you, controls or the audit department.” Most of these excuses or arguments are not presented by mentally unstable people, but some are. When they are used by mentally unstable people, watch out, because all hell breaks loose and you find yourself in a swamp full of snakes.

Dealing with these challenges is an art most auditors need to perfect. How indeed should these questions be answered, especially to people who do not understand the basics of controls, compliance and risks that we auditors carry in our heads? How can all these complex legalistic requirements be translated for people who do not care to understand them, have no intellectual ability or lack the attention span to “get it” within the short periods of time allotted to the process? These are our normal challenges with “normal” people. The challenges when dealing with mentally unstable managers may be insurmountable. Clearly conveying the message in a professional manner doesn’t cut it. Preparing nice PowerPoint presentations doesn’t cut it. Speaking in a low tone when they are screaming and insulting you doesn’t cut it. What my Psychologist friend pointed out is that these folks are sick, not misbehaving or having temporary tantrums. As untreated sick people, they often cannot control what they are doing. If you do not accept this fact, you will hit your head against the wall trying to interact with them in ways that work for normal folks but do not for the mentally unstable. You must also understand that these events are not your fault, since most mental disorders start early in a person’s life, way before you had the unfortunate luck of stepping into the person’s path.

My Psychologist friend jokingly suggested that auditors receive training on how to interact with people suffering from Attention Deficit Disorders and bipolar disorders, and in group dynamics in the corporate environment. A company’s culture is a very complex organism. Even the smallest places have complicated political and social layers (silos) that have nothing to do with the official roles and functions performed by individuals and shown in organizational charts. Decisions in organizations, as anyone who is observant will confirm, are not always made based on logic, business reasoning, policies, controls, and/or the need to comply with external regulations. They are often made based on fear, anger, sexual attraction, insecurity, jealousy, greed, hate, prejudices and confusion. Because of these things, it is easy for mentally unstable people to “hide” in the open. In many organizations these behaviors are sheltered because those at the top benefit from that sort of culture. For example, a manager who regularly works 8:00 AM to 9:00 PM (without asking for extra compensation), keeps to himself, does not take well to change, drives his staff like cattle, but surpasses his quotas, may be highly “appreciated” by his superiors. In these types of organizations, calls to perform, comply with and produce results based on COSO, CobiT, AS5, PCAOB, SOX, ITIL, etc. are ignored, stonewalled, analyzed to death or “adjusted” to the point of non-recognition. So, answering the “why do we need these controls?” question can be tricky if you happen to be in the wrong organization or before an unstable manager. Reaching an “understanding” on the need for a dozen or fewer controls can easily drag on for twelve to eighteen months, or more. Usually, the conclusion of these torturous, wasteful exercises is reached via discussions or negotiations that have little to do with the compliance, legal or operational issues originally brought to the table.

Most accountants, auditors, lawyers and IT folks I know have no training in dealing with people with mental health problems in the workplace. I do not know of anyone who can say they would know how to deal with either mentally unstable managers (those whom they report to) or mental instability in those they audit. Our capitalist system proposes that business people function in a balanced manner because the marketplace acts as an invisible counterweight to bad or irrational decisions and bad behaviors. By some miracle the “marketplace” is self-policing, self-healing and a good arbitrator of even mental health. The marketplace is supposed to distribute higher profits to those who play by this rule. This neat picture of social and economic behaviors, however, is flawed. It assumes that all human beings are primarily motivated and controlled by money. Because of this simplistic view, even the smallest of our corporate organizations can be inhabited by well-dressed and impressive-looking people with serious mental illnesses. Given the epidemic levels of untreated Attention Deficit Disorders, personality disorders and bipolar disorders in our society, why is it taboo to conclude that these are also at epidemic levels in corporate America? During the hiring process, when most mental disorders could be identified, most organizations do not ask if the candidate has a history of mental illness, and current law does not obligate the candidate to disclose the information.

So, what do you do when you determine, based on the “pornography” (when you see it you know it) test, that your boss is mentally unstable? The answer given by my Psychologist friend is simple and direct: look for another job as soon as possible, especially if you determine that the organization turns a blind eye to the problem. Many mental disorders are not curable, even though they are treatable if the person obtains long-term, consistent help, medication and therapy. Given the manner in which our society works and our corporations are structured, working under a mentally unstable person is a no-win situation. Any organization that keeps a person in authority while ignoring his/her signs of mental illness is not a healthy organization and may have other serious problems hidden just under the surface. The responsibility of an auditor is to deal with reality in a transparent manner, reporting risks that may impact stockholder value, assisting management with controls and solutions for better performance, and detecting potential fraudulent acts. When those who manage the audit function, compliance or risk management are mentally unstable, the integrity and reliability of those functions can be in question.

What do you do when you determine, based on the same “pornography” (when you see it you know it) test, that someone you are auditing is mentally unstable? The answer depends on whether the mental instability is known in the organization or not. If it’s known, but there is an “unofficial” gag situation where the personnel department and other managers ignore it, you have a challenge at hand. As an auditor, you have discovered a risk to the organization; you probably also have evidence that the person may be ignoring policies and procedures, is abusive to staff and may have even tampered with audit samples. However, he has held the job for 15 years and each year he gets his bonus and good reviews. His boss of 15 years, a man related to the CFO and a major shareholder, says the guy is “colorful” but “OK.” To help you make the decision, here are a few queries you should answer:

  • What is the likelihood that you are the only auditor during the last 15 years to find these irregularities?
  • Why would the inner circle consider this unstable person “OK” and take the risks associated with his illness?
  • What do other auditors know about the situation, and what do they say?
  • What is the company “culture” like, regarding others who ignore and break company policies and procedures?
  • Is HR aware of and concerned about the problems with the manager and his staff?
  • Are there previous audit reports citing the manager, his department or any compliance issues linked to him?
  • Are there others in the company with similar conditions?
  • Has your superior expressed concern over how you may report the findings, without giving you adequate reasons for the concerns?
  • Have the issues, risks and failures discovered by the auditor been in effect for a long time, so that knowledge of them has been an “open secret” requiring multiple individuals to “play along” in order not to make waves?
  • Has there been an insinuation, gossip or small talk to the effect that the auditors should not pursue issues with the individual in question because of his “connections” in the company?

These ten questions should give you a sense of where things are regarding the mentally unstable individual, his social connections in the company, the corporate, legal and business culture that nourished him for 15 years, and how you may best proceed. If the answers to these questions lead you to believe that the organization has been aware of the problem, you may be better off working elsewhere. If multi-billion-dollar organizations are reluctant to address these issues and resolve them, you need to think carefully about how you can maintain your professionalism and ethics as an auditor, and that may only be achieved by going elsewhere. When the organization is ready to address the issues at hand, or when it is forced to by the legal system, you can read about it in the newspapers. But, an inquisitive person may ask, “in this situation, don’t you have an obligation to report this information to your superiors?” The answer is “Yes.” But if they already know about it and want you to keep your mouth shut, what can you do? If you stay in the job, you are in essence taking part in a conspiracy and cover-up little different from those that occur during a financial fraud, and if it blows up, you, as the auditor, will have to answer some hard questions as to what you knew and when you knew it. Most interesting will be how you answer the “why did you not report it?” question.

If, on the other hand, your queries lead you to conclude that you have a new finding, and the mentally unstable person’s condition is unknown to others in audit, HR and/or legal, you should, in consultation with the Chief Audit Officer or audit Director, find a strategy to address the issue and report it according to that strategy. If the company has a policy for addressing mental health issues, you should consult it and incorporate its guidelines in your approach and documentation. This process will likely not be smooth and easy. Imagine if your findings lead to a psychiatric determination that the CFO has bipolar disorder. Can this finding become a “material weakness” from a SOX perspective? It can be argued that the symptoms of bipolar disorder in the CFO can negatively impact financial reporting! How would you write this up in the 10-K, and what would constitute an acceptable “remediation”? Can the board call for the removal of the CFO because of this? When do the lawyers step in?

To be fair to all, not all organizations deal with mental illness problems in a bad manner. Many organizations have invested money and time and have trained their HR and legal departments in ways to address this serious challenge. But to do so everyone has to admit to the problem, and an entirely new set of corporate policies and guidelines needs to be adopted on how to fairly address mental illness in the workplace. As auditors, you will likely see more and more of these situations as the problem in the general population gains media attention and more people are diagnosed with these disorders. It is also important to note that those who suffer from mental disorders, although sometimes disruptive, conflict-prone or unpredictable in the work environment, should not be stigmatized or abused because of their illnesses. The mentally unstable deserve professional treatment for their sake and for the sake of those around them. Without it, they pose risks that will not go away by simply ignoring them.

As always, I will welcome reader comments on the subject, especially if they are based on real-life work experiences. Thanks for reading!


Book Review: “The New Data Imperative: Managing Real-Time Risk in Capital Markets” by Dr. Raj Nathan, Irfan Khan, & Sinan Baskan

Nude Sunbathing
Image by STML via Flickr

It seems that since the arrival of the Great Recession everyone has rushed a book out explaining why it happened and how to prevent it in the future. The feeding frenzy includes folks from all sorts of backgrounds who barely know what Sarbanes-Oxley, a financial statement or a CobiT control is. For many of these “experts,” the reasons for the recession are clearly not financial or regulatory or linked to Globalization, but deeply ingrained in our dysfunctional and narcissistic society and in nasty “capitalism,” which to many is as deadly a tormentor of society as the Black Plague was 700 years ago. The damage caused by the recession is viewed as evidence that there is a need to educate the masses in new righteous ways to make money and legislate new rules over corporate conduct. The new Robin Hoods, of course, are poised to make lots of money by selling new training programs, conducting seminars in Las Vegas and devising new green and “humane” ways to dismantle capitalism.

Although written by Sybase executives, The New Data Imperative by Dr. Raj Nathan, Irfan Khan and Sinan Baskan is not one of those new opportunistic books I am so disappointed to see in the bookstores today. This book is a breath of fresh air in that it does not overshoot its scope and intent. Although it discusses the recession and uses it as a backdrop, the book in its 115 pages manages to convey the what, how, when and why of the information infrastructure behind today’s globalized financial markets, and why changes to these are needed. It does this in language that is understandable to non-technical business people (auditors, compliance, legal and financial management), who for the most part are the ones who need to understand these things so they can participate in future implementations and improvements to existing systems.

In the next three to five years Risk Management will see an increase in the complexity of analysis, the need for faster data acquisition, faster reporting and the integration of more diverse data sources from in-house and from “the cloud.” Not to mention a likely increase in Regulatory Compliance mandates. For these reasons, the way we approach the infrastructure that supports the Risk Management function(s) needs to be re-conceptualized. “The New Data Imperative” provides a quick snapshot of how to achieve this. The book looks at the state of current Risk Management “silos,” their data feeds, analysis cycles, reporting structures and overall data infrastructure, explaining why these current systems fell short during the recent financial crisis and providing us with a well-conceptualized picture of how to transition, often without major and costly changes, into the data environments needed for the new Risk Management processes now being proposed by regulators, the Big Four and some of the leading international financial standards organizations.

In addition to its clarity, in my opinion the book serves another important purpose: that of attempting to educate “legacy” type IT managers who in many organizations today have “stale” skill sets and are often ignorant of industry best practices and trends. As many an experienced IT auditor can confirm, these managers are ill prepared for the future and cannot visualize the infrastructure changes needed to implement and maintain the Enterprise Risk Management systems of the post-Great Recession era. Because these folks cannot visualize the future, they tend to be serious obstacles to improving performance and strategically positioning IT investments for competitive advantage. Although high in authority because of seniority or organizational politics, these folks have managed to carve out positions where they appear to provide value not by what they do, but by how they stop others from doing. They are in a way the “Gate Keepers” against innovation and process improvements. If by some miracle some of these individuals were to read “The New Data Imperative,” I think great technological achievements would take place in their organizations.

If you are an IT Auditor or a Risk Manager for a financial institution, I highly recommend that you familiarize yourself with this book. I believe the book will bring you up to date on the latest real-time risk management concepts and will open your eyes to some of the technological challenges we will be facing in the next three to five years as Enterprise Risk Management evolves to a more mature level.

Because the book is small and unassuming, I also recommend it as a gift for those “legacy” type IT managers I mentioned earlier. It may be the most eye-opening technology book they’ve read in the last 10 years!

If you’re wondering about the “Nude Sunbathing” sign above… let me explain why it’s here. This picture was taken last July one block away from the Jacob Javits Convention Center in NYC, on the day the National Enterprise Risk Management Club of Buenos Aires, Argentina, was holding its national awards for the most creative use of Twitter in a crisis situation. When members saw this sign they tweeted all the participants, and half the Jacob Javits Center emptied as the men rushed to the Hudson River to watch the annoyed sunbathers. Now the question being debated by serious Harvard sociologists is: Did Twitter empty out the Jacob Javits Center, or was it the naked sunbathers and their uncontrollable effects on the hot Latins from Argentina?


New from DRII – Certified Business Continuity Auditor (CBCA) or Certified Business Continuity Lead Auditor (CBCLA)


A new audit track for Business Continuity Professionals and IT Auditors. If you are an experienced Auditor or Business Continuity Planner, this is your opportunity to get certified as a Business Continuity Auditor by the leading BCP organization in the USA. DRI International will be offering training in Atlantic City, New Jersey this coming April. For more information on this course, see the notice from DRII below:

Two opportunities for the training you want!

The National Fire Protection Association (NFPA) and the Disaster Recovery Institute International (DRI) have joined forces to create an education and certification program that will qualify participants to audit disaster/emergency management and business continuity programs against existing standards and regulations. Certifications available are: Certified Business Continuity Auditor (CBCA) or Certified Business Continuity Lead Auditor (CBCLA).

Through this program, participants will be able to apply the key components of disaster/emergency management and business continuity, the relevant standards, laws and regulations, the process of risk assessment, vulnerability analysis, loss prevention, risk mitigation, and develop, implement, test and maintain their plans and procedures.

The course will cover existing legal and regulatory requirements by industry and country, as well as emerging requirements, including BS25999, SS540, US PL 110-53 (PS-Prep), NFPA 1600, ASIS, DRI International’s professional practices, financial services, insurance, healthcare, utilities, public sector guidance and a host of others. It will also cover the processes by which disaster/emergency management and business continuity programs are initiated with an eye toward corporate governance, policy, and procedures. More in-depth emergency and disaster management will be provided by NFPA.

At the end of the course, a unique audit-track qualifying examination is conducted, and individuals who have passed will be eligible to apply for certification as a Certified Business Continuity Auditor (CBCA) or Certified Business Continuity Lead Auditor (CBCLA). The certification level (CBCA or CBCLA) will be granted based upon the amount of demonstrated audit experience of the applicant. Those seeking the CBCLA designation will be required to provide references to verify that they have at least five years of active audit experience.

For course- and education-related questions, please call the DRII Education Department on the toll-free numbers 866-542-3744 and 866-535-3744.

This course is designed for novice & experienced corporate planners, internal & external auditors…

Course Name: BCLE-AUD

Start Date : 04/26/2010

End Date : 04/30/2010

Course Cost: $2900.00

Instructor: Not Specified

Location:

Atlantic City Convention Center

1 Miss America Way

Atlantic City, NJ  08401

DRII The Institute For Continuity Management.

This was not a paid promotional announcement.


Enterprise Security: Cheating on Your IT Security Audits


I recently read a good article regarding IT Security Audits which I thought many readers would be interested in. Cheating on IT audits by IT staffs is not unheard of to most of us in the auditing business. However, it is a taboo subject that rarely gets any media attention and few ever discuss in public. Whenever we Auditors perform an audit, all the information provided to us is accurate, never doctored, performed within the time frame or scope of the audit and properly authorized by management (if you believe this you may be on drugs). Cheating on audits, on purpose or out of ignorance, is common, and this is one of the reasons we have to verify the authenticity and relevancy of the samples and evidence provided to us before we can accept them.

The article points out that 20% of the 151 IT Security professionals recently polled at a major InfoSecurity conference admitted to cheating on IT Security Audits of firewalls. Although this sounds like a high figure, and I have never investigated this in any formal way, I will venture to say that in the “field” the number is probably higher than 20%. Here is an excerpt from the eWeek Security Watch article, which you can read in its entirety by clicking the link at the bottom of the post:

“An audit isn’t worth much if the people doing it are cutting corners. Unfortunately, a survey by the folks at Tufin Technologies suggests many IT pros may be doing exactly that.

The survey, which was conducted at the InfoSecurity Europe 2009 Conference in April, took opinions from 151 IT security pros. The aim was to determine companies’ approach to firewall auditing and management.

What Tufin turned up was that 20 percent of the respondents admitted they or a colleague had cheated on an audit to get it passed. The company did not ask specifically how they cheated, citing time constraints. But if applied generally, it could be there are many networks operating a false sense of their own security posture.

Going deeper, 9 percent of the respondents admitted that they never bother to check and audit their firewalls at all….”

To continue reading this interesting story, please click the link below:

What do you think? Am I stretching it here by thinking that the real figure may be higher than 20%? Leave a comment (anonymously if you like).


Enterprise Risk Management – A one-day course led by James Lam, author of Enterprise Risk Management

I took this picture at the 2005 US Open.
Image via Wikipedia

November 4, 2009
9:00 am to  5:00 pm
New York City

WHAT YOU WILL LEARN:

  • Establishing a strong business case for ERM, and overcoming organizational barriers
  • Developing a practical ERM framework and implementation plan
  • Demonstrating tangible benefits from ERM adoption
  • Implementing and integrating ERM into strategic and business decisions
  • Establishing effective risk management policies and explicit risk tolerance levels
  • Developing effective dashboard reporting for senior management and the board
  • Creating an effective feedback loop for ERM performance

For further information on this event from PRMIA, please click the link below:


The photo above shows the turnout at the last Chess championship between Latvia and Jamaica held in Mozambique last year. Soon after this picture was taken the audience rioted because the sound system broke down and no one was able to tell when the game was over. This event is an example of why Enterprise Risk Management needs to be taken more seriously.


Tools for Quantifying Risk Exposure are Few


I found this excellent article from Information Security Resources on the availability of tools for quantifying risk exposures. I thought those of you involved in Risk Management and Risk Analysis would find it informative. Below is an excerpt from the story. You can read the entire story by following the link at the bottom of this post:

“In recent months, with the continued growth in highly public data breach incidents, we began looking at how organizations assess their level of exposure to data breach risk.

I suspect if you ask the CEO of most public companies or public sector organizations about their level of risk, that they would tell you that they are “highly secure” and maintain excellent practices to prevent the misappropriation of personal information of their customers, patients, employees, students and other affiliates.

For many firms, they have to meet security and compliance requirements that are necessities in their industry, such as PCI for those that handle credit card information and HIPAA for healthcare organizations.

Historically I think that they felt such rigorous compliance requirements could ensure their safety from the risks of data breach.

However, the recent past demonstrates that no organization is really immune to a potential data breach incident.

The very visible Heartland Payment Systems breach affected many millions of Americans whose credit cards were processed by Heartland, an organization that had to adhere to very strict security standards set for the financial industry and their payment processors.

This seeming inconsistency between a perception of being immune from data breach risks with the rapid growth in data breach incidents, led us to think about whether organizations can “quantify” their level of data breach risk.

We were somewhat surprised that there isn’t much available to organizations to help them in measuring and scoring their level of data breach risk.

Given this situation, we began to look at how we could model and quantify risks specific to the breach of personally identifiable information (PII) and personal health information (PHI), since it is the unauthorized release of this information that is regulated by state and now federal laws.”

To read the rest of the story, from Information Security Resources, please click the link below:


5 Security Lessons From Real-World Data Breaches

Syntho Saur
Image by david via Flickr

I think everyone involved in IT Security knows that the majority of IT Security incidents are not reported outside the organizations in which they occur. This excerpt from an article published in InformationWeek.com should be of interest to IT Security folks as well as CIOs. To read the full article, follow the link at the bottom of the post:

“The unwritten rule among companies is that the less said about security breaches, the better. For every public revelation of stolen data there are dozens of breaches that don’t make the news.

This code of silence might avoid angering partners and customers, and sidestep a public relations mess, but it makes it harder for the industry as a whole to learn from mistakes and improve information security and risk management practices. That’s why this article draws on direct observations from real-world security breaches on which we’ve performed forensic investigations, to help companies understand how breaches happen and what to do about them.”

The full article from InformationWeek.com is in the link below:


If you haven’t been able to figure it out yet, the photo above is of the famous Japanese Sumo wrestler Kami Nobugama disguised as a toy Godzilla, when he was attempting to break into a Department of Defense apparatus on September 10, 2001. This formerly classified photo was sent to us by Mr. M. Icon using secure Steganography.
