Oakland Jumps on Board With CA Cities Scrambling to Regulate Oil Trains | PublicCEO

By Rachel Dovey. On  June 17, Oakland became the latest West Coast city to oppose crude oil transport by train. The city council’s unanimous vote had the ring of mere formality; the federal Department of Transportation is supposed to regulate railways. But with dozens of accidents in the last year alone and little enforcement by DOT, municipal …

Source: www.publicceo.com

Persuasive Litigator: Don’t Fall for False Consensus

By Dr. Ken Broda-Bahm: All reasonable people think like you do. They will notice what you notice, perceive it as you do, find it credible, or not, like you would, and they will be persuaded, or not, in the same way that you would. Okay, give it a moment of thought and you wouldn’t actually believe that. But fall back on your normal habits, and you may act as though that were true. You might make the tacit assumption when analyzing an audience that they are fundamentally like you are. It is a bias, and a strong one. Social scientists…

Source: www.persuasivelitigator.com

Walmart Corporate – Fact Check: The New York Times “The Corporate Daddy”

We saw this article in The New York Times and couldn’t overlook how wildly inaccurate it is, so we had some fun with it. I hope you will too.

Source: blog.walmart.com

IAPP : EU Approves Align Technologies as BCRs Enter Their “Golden Age”

By Angelique Carson, CIPP/US
With Safe Harbor constantly under fire, the binding corporate rules (BCR) process is becoming an increasingly attractive way for co

Source: www.privacyassociation.org

Negotiation Secret #33: Use Odd Numbers

Negotiators would be well served by using odd, rather than round, numbers. So says Columbia University Business School Professor Malia Mason, co-author of last year’s published finding that bargaining

Source: www.linkedin.com

SEC’s White Says Directors are Companies’ Most Important Gatekeepers

Speaking at the annual Stanford Directors College this week, SEC Chair Mary Jo White addressed the role of directors as gatekeepers for shareholders, self-reporting and cooperating in SEC investigations, and the relationship between the SEC’s whistleblower program and a company’s own internal compliance programs.

Source: www.complianceweek.com

Does the NIST Framework for Improving Critical Infrastructure Cybersecurity Create a Standard for Executives and Boards?

Does the NIST Framework for Improving Critical Infrastructure Cybersecurity create a standard for executive officers and boards of directors of private companies? Good question, right?

Short answer: it is at least developing into a standard in cybersecurity, even though the Framework itself says time and again that it is voluntary. If the Framework is not currently a standard (and it might already be), it will become one of the applicable standards, though not necessarily the only one.

For executive officers and directors, whether or not you like or agree with the Framework, if you aren’t already in the process, you need to get comfortable with the Framework and include it alongside your other cybersecurity risk management processes. I expect that as cyber hacking problems and catastrophic events continue to occur, and they will occur, executives and board members, including board members who are responsible for risk oversight, will start to be asked whether their organization uses the Framework, what their organization’s stage of implementation and sophistication in cyber risk management is, and other questions based on the Framework’s provisions.

See also, for example, the new NACD Cyber-Risk Oversight, Director’s Handbook Series, 2014 Edition, prepared in conjunction with the Internet Security Alliance (ISA) and AIG, which refers to the NIST Framework, including at Principle 4: “Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget,” referencing the NIST Framework.

The NIST Framework core processes are: identify, protect, detect, respond and recover. But the details of those processes don’t tell anyone specifically what to do to prevent or protect a business or entity from a cyber hack or breach, now or in the future. Thus, the possible standard is a process. What if the process is followed in good faith, but a breach still occurs, including a catastrophic breach? In that circumstance, is there a breach of duty by an officer, director, or the business or entity? In that circumstance, is there liability, assuming the required post-breach procedures are followed? I would argue no: there cannot be, and is not, a breach of duty or liability. It is impossible to stop all hacks and breaches. If you have doubts, do an internet search for cyber hacks in 2014 to see the huge numbers of attacks, origins and targets.

The following is a link to the NIST Framework in pdf form, nist cybersecurity-framework-021214-final

Dave Tate, Esq.

Updated Risk & Uncertainty Management Processes and Oversight

I have updated my risk and uncertainty management process and oversight paper. Click on the following to view.

Risk & Uncertainty Management – Processes & Oversight Dave Tate Esq 07052014

Dave Tate, Esq.

U.S. stop work rules for safety on oil rigs | Reuters

This is a re-post of a 2013 post about a Reuters article on new oil rig safety regulations. Many of the regulations are relevant to other businesses and industries where catastrophic incidents can occur. In part, for example, the regulations require risk management processes, involvement of the entire enterprise, specifically identified people who are responsible and accountable for the risk management, and risk management on a 24/7 basis with employee authority to shut down operations in certain circumstances. Below I have posted the link to the Reuters article, and also a link to part of the applicable CFR (posted on http://www.law.cornell) if you want to look at the actual regulations.

U.S. launches new stop work rules for safety on oil rigs | Reuters.

http://www.law.cornell.edu/cfr/text/30/250.1902

Dave Tate, Esq. (San Francisco)
Linkedin connection, http://www.linkedin.com/in/davetateesq

My tolerance for risk appetite is fading


It is amazing to me that one of my most popular blog posts every month is “Just what is risk appetite and how does it differ from risk tolerance?”, which I wrote over four years ago, in April 2011!…

David Tate’s insight:

Norman usually has good comments on the topics of risk management, internal controls and internal audit. If you are interested in these topics you should read his blog. If the following link works, here is the link to PWC’s publication: http://www.pwc.com/en_US/us/corporate-governance/publications/assets/pwc-risk-appetite-management.pdf

Not being critical of PWC, but I don’t find their publication to be very helpful. It’s too general. What does it really mean? Can a board member satisfy his or her risk oversight duties by asking the general questions that PWC provides? Perhaps. But of course the questions don’t go far enough. Not nearly enough inquiry, but it is a starting point.

Risk management is a continual, ongoing task. Identify the categories of risk; identify specific risks or areas of risk within those categories; evaluate for each risk the seriousness if the risk occurs and the likelihood of occurrence, which should help provide you with guidance on “risk appetite” (those of you who have read my posts know that I don’t like the current definitions and uses of the terms risk appetite and risk tolerance); evaluate the risk management processes currently in place for each risk; design and implement risk management processes, or improved risk management processes, for each risk as deemed necessary; appoint the person or people responsible for and owning the risk area(s) and processes; set time deadlines; monitor; follow up; improve; and on and on.

The board is responsible for oversight. If risk oversight is included in the audit committee’s charter, the audit committee had better know what it is supposed to do and what it is doing. Consider: should the board have a separate risk management committee? I prefer the term risk and uncertainty management, but whatever.

Dave Tate

http://tatetalk.com

See on normanmarks.wordpress.com