Risk Management – Is Anyone Doing It, Yes Some Are – Is There An Agreement On How It Should Be Done, No Definitely Not

Here is a link to a discussion by Matt Kelly of Compliance Week about risk management, suggesting or perhaps stating that risk management is being done by financial institutions and some other public corporations, but it is a mixed bag, and, in my words, risk management and how to do it really have not caught on. And then below the link to Matt’s discussion, I have pasted in this post my response to Matt. Here is the link to Matt’s very interesting discussion – please read it, CLICK HERE.

And here’s my response to Matt’s post. Good discussion Matt. I’m not sure everything in the discussion correlates, but I believe the underlying points are true. Your discussion caused me to think about all of the many, many emails that I receive about new risk management discussions and posts, and some of them are by me. But have they done much good? I question whether they have. I’m not being critical, just truthful. Hordes of risk management, internal control, and governance discussions and posts are created monthly, and have been for many, many years. But I have come to believe that people most often take action only if they are presented with a specific situation that they know demands that they take action, or they are required to by law, statute, or regulation, or they are required to by rule, sometimes (such as stock exchange rules), or it becomes an expected practice, sometimes (such as an expected practice in the community or perhaps by a professional organization such as the NACD, etc.). Otherwise, the requirement that the organization, or the board, or the audit committee, or the risk committee is responsible for risk management is simply too vague and indefinite. And that’s the way it is.

Dave Tate, Esq., San Francisco and throughout California, http://directorofficernews.com



Everyone Needs An On-Call Crisis Quick Response Attorney

California Nonprofit Board and Director Standards of Care

This blog post includes a video about California nonprofit board and director standards of care including discussions about the business judgment rule, the Nonprofit Integrity Act, risk management, audit committees, and board and committee self-evaluation. Below the video you will also find a link to my paper discussing those topics in detail. Please pass this blog post to everyone who would be interested in these materials. Thank you. Dave Tate, Esq. (San Francisco and California).

Click on the following link for the paper discussing California nonprofit board and director standards of care, Nonprofit Board and Director Standard of Care David Tate Esq 05252015

Social Security Risk Management – Congress and President Get a “D” and a NIST Tier 1 or 2 Rating

I’m going to rant a little in this “fun” post. Another week, another article about social security going broke, about tweaks to “fix” it by payroll tax increases, cutting benefits, taxing benefits, and/or raising the age to receive benefits. The following is another disheartening article about the doom of social security, about beginning in 2017 and thereafter new increases in the age to receive benefits, that even those reductions in benefits won’t “fix” social security, and that those increases originated way back in 1983. For the article Click Here. The point is, 1983 was over 30 years ago, and even before that it was known that social security was failing. The options are not good for anyone who has paid for social security for all of their working life, or even just for a significant number of years, for younger people (in their 20s and 30s) who are new or relatively new to the mandatory social security payment program, or for people who are somewhere in the middle (in their 40s). I suspect that few people would voluntarily pay into such a system if they were allowed to vote on it today.

I don’t fault elected representatives who speak up and propose new fixes, because social security has to be fixed. It’s just that none of the options are good. I have already lost when you consider the amounts that my employers and I have paid into social security over my working life. And that was money year after year that could have been better used for many other things.

The President is the CEO of social security. Congress, the Senate and the House, are the Board of Directors. That means whoever is in office at the time, and in the case of the social security system, that means year after year, decade after decade. Let me just say that if social security were a company the CEO and the Board would all be fired, or the program would have been terminated or really fixed or altered decades ago.

Have you seen the NIST – National Institute of Standards and Technology – Framework for Improving Critical Infrastructure Cybersecurity? The Framework was released in February 2014 as a U.S. Government recognized outline for risk management steps in cybersecurity. The following is an August 31, 2014, blog post discussing the Framework, Click Here. You will note that the Framework includes four Implementation Tiers describing the degree to which an entity’s cybersecurity risk management practices exhibit the characteristics defined in the Framework, Tier 1 (Partial) being the lowest and Tier 4 (Adaptive) being the highest. One caveat: NIST states that the Tiers are not maturity levels, and that an organization should choose its target Tier based on its risk and on what is cost effective, so not every organization needs to be at Tier 4. Below I have copied and pasted the four Tier descriptions (abridged). Based on the NIST Tier descriptions, I rate social security system design and risk management at Tier 1, or perhaps a Tier 2 rating. You give it your rating. Social security is not even close to the Tier 4 rating that it should have given that payments into social security are forced on people, the astronomical amount of money that is withheld and paid into the system each pay period, and how people really are entirely dependent on the honesty and integrity of the system’s operation, management and risk management, including the honesty and integrity of the President as CEO and Congress as the Board. Below are the NIST Tiers. Enjoy.

Dave Tate, Esq. (San Francisco/California).

NIST Tiers:

Tier 1: Partial (first and lowest level of risk management practices) – Risk management practices are not formalized. Risk is managed in an ad hoc and sometimes reactive manner. There is limited awareness of cybersecurity risk at the organizational level. An organization may not have the processes in place to participate in coordination or collaboration with other entities.

Tier 2: Risk Informed (second level of risk management practices) – Risk management practices are approved by management but may not be established as organization-wide policy. The organization knows its role in the larger ecosystem but has not formalized its capabilities to interact and share information externally.

Tier 3: Repeatable (third level of risk management practices) – The organization’s risk management practices are formally approved and expressed as policy. There is an organization-wide approach to manage cybersecurity risk. The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.

Tier 4: Adaptive (fourth and highest level of risk management practices) – The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks. The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.

* * * * *

Audit Committee Self-Evaluation Form For Your Use

Audit committee self-evaluation form for your use, click on the following: Audit Committee Self-Evaluation Form David Tate Esq 10302014

Dave Tate, Esq. (San Francisco/California)

More On Brady Evidence And Discipline – Careful What You Wish For, And If You Are A Player, Don’t Email, Text Or Leave Messages

The following is a link to the NFL statement on the Patriots’ violations (from NFL.com) Click Here. In relevant part for the purpose of this blog post, the statement states:

“‘Here, there are several factors that merit strong consideration in assessing discipline. The first is the club’s prior record. In 2007 the club and several individuals were sanctioned for videotaping signals of opposing defensive coaches in violation of the Constitution and Bylaws. Under the Integrity of the Game Policy, this prior violation of competitive rules was properly considered in determining the discipline in this case. (Tate comment: why is a 2007 violation, especially on an entirely different issue, so important to this alleged 2015 violation 8 years later – that is like punishing the team twice for the 2007 violation, which also is a violation that is totally unrelated. The NFL would have been better advised to not include the 2007 violation in its current evaluation).

“Another important consideration identified in the Policy is ‘the extent to which the club and relevant individuals cooperated with the investigation.’ The Wells report identifies two significant failures in this respect. The first involves the refusal by the club’s attorneys to make Mr. McNally available for an additional interview, despite numerous requests by Mr. Wells and a cautionary note in writing of the club’s obligation to cooperate in the investigation. The second was the failure of Tom Brady to produce any electronic evidence (emails, texts, etc.), despite being offered extraordinary safeguards by the investigators to protect unrelated personal information. Although we do not hold the club directly responsible for Mr. Brady’s refusal to cooperate, it remains significant that the quarterback of the team failed to cooperate fully with the investigation.

“Finally, it is significant that key witnesses — Mr. Brady, Mr. Jastremski, and Mr. McNally — were not fully candid during the investigation.

“In accepting the findings of the report, we note that the report identified no evidence of wrongdoing or knowledge of wrongdoing on the part of any member of the coaching staff, including Head Coach Bill Belichick, or by any Patriots’ staff member other than Mr. Jastremski and Mr. McNally, including head equipment manager Dave Schoenfeld. Similarly, the Wells report is clear that Patriots ownership and executives did not participate in any way in the misconduct, or have knowledge of the misconduct.

“Nonetheless, it remains a fundamental principle that the club is responsible for the actions of club employees. This principle has been applied to many prior cases. Thus, while no discipline should or will be imposed personally on any owner or executive at the Patriots, discipline is appropriately imposed on the club.”

From Troy Vincent’s letter to Tom Brady:

“With respect to your particular involvement, the report established that there is substantial and credible evidence to conclude you were at least generally aware of the actions of the Patriots’ employees involved in the deflation of the footballs and that it was unlikely that their actions were done without your knowledge. Moreover, the report documents your failure to cooperate fully and candidly with the investigation, including by refusing to produce any relevant electronic evidence (emails, texts, etc.), despite being offered extraordinary safeguards by the investigators to protect unrelated personal information, and by providing testimony that the report concludes was not plausible and contradicted by other evidence.

“Your actions as set forth in the report clearly constitute conduct detrimental to the integrity of and public confidence in the game of professional football. The integrity of the game is of paramount importance to everyone in our league, and requires unshakable commitment to fairness and compliance with the playing rules. Each player, no matter how accomplished and otherwise respected, has an obligation to comply with the rules and must be held accountable for his actions when those rules are violated and the public’s confidence in the game is called into question.'”


Tate comments.

However, as I have previously blogged on May 7, with respect to Tom Brady the Wells Report concluded: “We nevertheless believe, based on the totality of the evidence, that it is more probable than not that Brady was at least generally aware of the inappropriate activities of McNally and Jastremski,” and doesn’t that set a precedent for discipline of other players and teams in the future. The statement against Brady is considerably less certain, and it contains two standards: “more probable than not” and “that Brady was at least generally aware of inappropriate activities.” I understand the first standard. I don’t see that the second standard has a definition, at least not at law, and I doubt under the Collective Bargaining Agreement. It appears that the standard stated is something like “it is more probable than not that it is more probable than not.” You can be certain that the Wells investigation was very detailed and that Wells thought long and hard about the wording that was used in the Wells Report – if he could have said straightforwardly that more probable than not Brady was involved in a directive that the footballs be deflated, the Report would have so stated. While some of the other teams or players might want Brady disciplined, I would suggest that considering the precedent for allegations of wrongdoing by other players and teams in the future, they might want to reconsider their wishes in this situation and based on the standards being used.

I also note that the NFL statement on the Patriots’ violations does not appear to mirror the Wells Report wording on findings against Mr. Brady. Further, I would suggest that the vague and broad statement about Brady being “generally aware of the inappropriate activities of McNally and Jastremski” says nothing about when Mr. Brady had that knowledge, i.e., before, during or after the game, or what his alleged “general awareness” was.

Finally, I have previously noted that if Mr. Brady did not totally cooperate in the investigation, i.e., if he did not produce requested phone, text or email messages, under the Collective Bargaining Agreement there might be evidence to discipline on that particular violation. However, the NFL statement on the Patriots’ violations does not contain sufficient detail or information about which phone, text or email messages were requested, or the protections that the NFL offered to Mr. Brady. Didn’t the NFL also demand that other people produce phone, text or email messages that they received from Mr. Brady about the football inflation issue, and didn’t the NFL receive those communications? Further, as it might be possible to claim lack of cooperation in most incidents, this could be viewed as a catch-all violation unless it is supported with substantial specific detail, evidence and prejudice to the NFL.

I would also suggest that in future incidents players will be more mindful not to leave phone messages, or to text or email, as those communications could be used against them. At least in this circumstance there is no evidence that phone messages, texts or emails were deleted after the issue or possible dispute arose – there is or can be a requirement to preserve evidence once a dispute is reasonably anticipated.

That’s all for now.

Dave Tate (San Francisco/California)

My other blog, http://californiaestatetrust.com, trust, estate, conservatorship and elder abuse litigation.



Important new IFAC paper on risk management

With help from Grant Purdy, IFAC has published an excellent Thought Paper on risk management. From Bolt-on to Built-in: Managing Risk as an Integral Part of Managing an Organization. This is one of…

Click on the following link for the discussion: normanmarks.wordpress.com

Tate comment: currently I’m just passing this along. Evaluation and comments will follow. Norman certainly indicates that this is an important paper by IFAC. How, if at all, might it impact, add to, or create a standard of care or process for risk management including auditor evaluation and/or audit committee or risk committee oversight? More to follow. Dave Tate, Esq. (San Francisco / California)