Category Archives: Risk

Accountability and the Link to Senior Management Salaries – Can it be measured or assessed?

The recent Stimulus Bill passed in February 2009 called bank presidents up to Capital Hill to report how much they made and whether they took bonuses or not.  Most reported they made one million dollars a year and took no bonuses.   Of course, we might suspect that this was slight underreporting.

Is there a link we can assess between performance and compensation?  In a factory, where people are paid by piece work, that is, ten cents for each piece sewn, there is a direct correlation and you could probably provide other examples of direct pay for direct work.

Another place to look is sales compensation.  Again, salespeople are incentivized by commissions so there is the correlation — work harder, get paid more.  

But the farther you go up management food chain, the harder it is to see the relationship between production and/or success of the enterprise and the salary of senior management. 

A recent study by the Health Services Research found that doctors who were paid more for higher quality care did improve their performance. It examined whether patients seeing physicians participating in a “pay-for-performance” incentive program receive better care than those who saw non-participating physicians. The health plan that was examined reimburses physicians based on the quality of care they provide. 

What about in other industries?  In another study, they analyzed the 100 largest technology companies finds that those with the highest-paid CEOs in 2005 had the worst returns.    DolmatConnell & Partners, an executive compensation consulting firm based in Waltham, Mass., found there was an inverse correlation between tech CEO pay and shareholder returns over a one-year period.    Companies analyzed in the study included Cisco Systems, Dell, EMC, Google, Hewlett-Packard, IBM,  and Oracle, as well as telecommunications providers, technology services companies and products distributors.

Perhaps the answer lies in the amount of PERSONAL ACCOUNTABILITY the senior managers have in the success of the organization.  If high paid managers are isolated and insulated from the operations of the company, they may not be in a position to directly affect its success, whether you define success as higher stock price, profitability, improved EBITA or some less quantitative standard, such as, are the employees happier?

Organizations where management stays involved with the day to day operations and can use their influence and wisdom to influence the progress, might be able to make a bigger impact on success of the organization.

Credit Unions and NCUA regulators

According to several companies that track such things — the number one thing that NCUA regulators are asking credit unions for this year is a copy of their risk assessment.

With fifty-five new regulators planned for 2009, the NCUA also announced it’s plan to move to a twelve-month examination cycle.  This is in contrast to the previous 18-24 month examination cycle, and has prompted a written complaint by the Credit Union National Association (CUNA) which objects to adding new regulators, as well as objecting to the new examination cycle.

In fact, CUNA wrote, “We find this draconian and believe there is a more cooperative way in which NCUA and the state regulators can discuss this issue …”.   It may turn out to be more prudent than draconian, because these risk areas, which should be detailed in the risk assessment, are areas that many credit unions have ignored, or have managed to ‘get by’ with a homemade spreadsheet, which does little to identify or quantify risk.

In a risk adverse environment with regulator issues on television every day, CUNA did state that  “given the economic crisis and the need for NCUA to be able to continue reporting to Congress that it is handling problems well, CUNA is not opposing this change [the 12-month cycle]”, and continued, “Even so, we strongly support a reasonable phase-in period that focuses on problems and risk first.”

Looking at this, it seems that part of the problem is a disconnect between the financial regulators and the credit union senior management.  Management and the Board looks at these requirements as annoyances that have to be completed and keep them from more important work — like getting new members or new loans, instead of looking at the risk assessment as a support to their business process.

When viewed as an integral part of a business process, it is clear that the risk assessment supports management by providing a quantitative view of the entire IT program, or the entire operational processes of the credit union.   It supports management decisions directly by providing real justification for the controls that management and the Board need to implement; and by giving the NCUA regulators visibility into those decision processes.

It shows the logic of the decision process, i.e., why management decided to use biometrics on their laptops; or why they need to shift some of the security controls to their outsourced vendors and making the vendors more directly responsible for security.   This allows the regulators to give better advice, and support to the credit union, because there is a rational process that can be discussed and examined, to the overall benefit of improved operations for the credit union.

The intent of increased regulation is not always to aggrevate or criticize the credit union management, but can be positive force which allows the credit union to advance, gain new members and be more profitable.

TARP Risk

What is the risk associated with taking TARP money from the federal government?   If the government is going to create difficult milestones and lots of requirements — like limiting of CEO salaries and banning bonuses — it might not be the bonanza everyone seems to think.

We recently were contacted by a company that is turning into a bank just to get their share of the TARP and Stimulus dollars.  Of course, they may not understand the downside of being a bank which would include heavy regulatory compliance AND the ‘mark to market’ problems.

Thinking about a risk assessment for the TARP took another direction — what kind of formal risk process could be used by feds to judge whether a particular bank or company was TARP-worthy.   After you throw out all the joke lines — e.g., do they own corporate Gulfsteam jets?, then what would you look for?   Here’s a list of possible factors:

Value of company to overall economy
Ratio of bonuses to overall revenue
Ratio of CEO pay compared to overall revenue
Number of ‘retreats’ taken annually
Growth potential
Analysis of potentially impacting threats

These would be all mapped against the perceived value of the company in terms of dependencies, i.e., is the company the sole industry in its community or region?  

Is the company a critical element in the military industrial complex — does it have Defense implications?

Does it represent an underrepresented or endangered industry?

Past record for regulatory compliance.  It might be interesting to see how compliant the company was with previous regulations, as an indicator as to whether they would comply with all TARP/Stimulus bill requirements.

Obviously there might be a subjective edge to these ratings and the Government Accountability Office (GAO) would have to be the agency to administer these risk assessments.

Probably the hardest part would be ensuring that the recommendations made by GAO would be honored by the legislators.   But I like the risk model applied to the TARP.

Risks that Derail

I have been neglecting my blog, but I have a very good excuse.  I have just survived one of the worst experiences someone can have — watching a dear sister die unexpectedly from a brain tumor. 

It brings up lots of issues — one is, “Gee, maybe all that about cell phones and brain tumors is really true!”.   Another relation has two small children and they BOTH have had a brain tumor, and they under five years old.   If I lived in their neighborhood, I would check the water supply first.

My sister Linda was my baby sister, two years younger than me.  We were as close as twins and even had our own language.  I spent two weeks up at Lake Tahoe with her this summer.   Ten days after that she attended a wedding in Minneapolis and collapsed at the wedding.  Of course, she was perfectly healthy, married to a doctor, swam two miles a day in the lake, only ate healthy food, flossed constantly — you get the idea.  

After her collapse, it was four months until she died in a coma.  The decline was fierce and frightening.  And it took my nuclear family which was five people only a few years ago, down to two left — just me and my younger brother.  Nothing like getting shoved in front of the generational train.

So I did my risk assessment four months ago and decided that I should spend as much time with my sister as possible, so I have been flying back and forth from Annapolis to Davis, California (in the vast Central Valley), since the 8th of September.     And now I’m back.

It did give me a new appreciation of the problems of carrying medical records around and having them available for the next healthcare provider.  Just one rotate-able brain scan takes up almost two CDs — files too big to email, almost too big to fit in my oversized purse.

Having done everything I could, but left with the inevitable result, I am back to thinking about risk and consequences.  And thinking about loss, and how to avoid it in the future.

And how to encourage others to avoid it, too.   Loss Prevention through Risk Assessment — that’s going to be my mantra in 2009.  That and remembering my wonderful sister, Linda Lee .

I hope you will take the journey with me.

 

                                                   — Caroline Hamilton

Assessing PCI Compliance — World’s Biggest Standard

Everyone has a credit card these days.  Ever take it out and take a good look at that little magnetic strip on the back of a credit card?  It’s only about 2 1/2 inches long and quite thin.  That little strip contains all the personal information about you — your name, address, password, mother’s maiden name, perhaps your social security number and your financial account number and even more information about your account.

Who wrote the program that ended up on that magnetic strip? Are there copies of that magnetic strip information stored somewhere?  And this is only ONE card; you probably have a wallet full of them.

These payment cards (PC= Payment Card Industry) are the biggest deal in information security these days because of a new standard call the PCI-DSS standard (Payment Card Industry- Data Security Standard).  The PCI Security Standards Council, which created the standard, was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

Credit card companies want you to charge it and they know that concerns about identity theft might possibly slow down your card use — so it is in their best interests to make sure that a solid security standard is in place to protect you.  The standard has turned into a requirement for everyone who takes a credit card and that turns out to be literally millions of grocers, retailers, online retail outlets, government agencies, convenience stores, utilities — almost everyone.  So the PCI-DSS standard may be the most widely applied information (data) security standard in the world.

With such a widespread and critical standard, there is confusion about how to meet the standard because just doing a self-assessment isn’t enough — you are also required to do penetration tests on your systems that handle and transmit this electronic customer information and ATTEST that you use the standard in your information systems.  

This includes having strong firewalls that protect cardholder data and making sure to remove
the generic vendor-supplied passwords; using good storage devices for sensitive customer information and encrypting data that flows over your network.  In addition, the card manager has to use anti-virus software, and also build secure systems.  Once proper controls are in place, these controls need to be monitored and tested. 

Doing a full compliance and vulnerability assessment annually is the best way to make sure that you can prove you have done all the specific activities required in the PCI-DSS standard.  The assessment actually breaks the entire standard down into smaller, manageable chunks and then each one is monitored, or validated, with an audit trail, so that is easy to prove that you have evaluated your organization’s compliance with the PCI-DSS standard.

The PCI-DSS standard is actually mild, as information security standards go, and not as far-reaching or intrusive as, for example, the HIPAA standard (Healthcare Insurance Portability and Accountability Act) which has completely revised the way healthcare organizations do business.  Nor is it as complicated as the BSA (Bank Secrecy Act) or the International Standards Organization’s 27001 standard (ISO 27001 and 27002).  

After the infamous TJMAXX identify theft incident — consumers should welcome the PCI standard and retailers and others affected by it should be grateful that is just another way of encouraging good information security practices.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security