Wikis, Learning, Teaching and Compliance

I am a believer that the use of 2.0 tools can help compliance professionals. (Hopefully, this blog is a part of that proof.)

Moving to the inherently open communication of 2.0 tools from the inherently private channel communication of email can shine sunlight on behavior and expose information. Incorrect information and behavior can be corrected. Bad information and bad behavior can be seen and stopped before it snowballs into something larger.

I often hear people take the position that the digital youngsters coming out of college can use these Web 2.0 tools as easily as dialing a phone or that they are demanding them in the workplace. I don’t think that’s not true.

Law Schools and Wikis

Eric Goldman and Luis Villa shared their experiences in using wikis as part of their classrooms. It certainly sounds like their students struggled with using these tools, both behind the firewall and in the public Wikipedia.

In Mr. Goldman’s case he offered his law students the opportunity to publish an article in Wikipedia for 20% of their grade. About a quarter of the students in his cyberlaw class at Santa Clara University School of Law took him up on his offer.

In reaction to that article, Mr. Villa recounted his experience using a school-hosted wiki as part of his classes at Columbia Law School.

“Other wiki concepts, like extensive linking, or publishing drafts to the world in wiki-style, were apparently even more strange to most of my classmates. None of the four class wikis were deeply interlinked or cross-referenced, outside of what was necessary to create a table of contents and occasional outlinks to Wikipedia. Similarly, few students were willing to post works-in-progress to the wiki and refine them there; most students preferred to work privately and then put a final text into the wiki.”

Collaboration Between Generations

I found the same to be true at my old law firm. In particular, the younger attorneys did not want interim drafts to be seen and were reluctant to contribute content. The more seasoned attorneys were more willing to edit and add information. The vast majority of article creation was limited to a small group.

In my view, younger team members are reluctant to produce content because they do not want to expose their lack of knowledge, they do not want to expose themselves to criticism and they have little grasp of the technology.

The lack of knowledge is true regardless of how you teach collaboration. It would seem silly to put the youngest members of the team in charge of the team’s knowledge and content production. They have the least understanding of the subject matter.

Dealing with Criticism

The criticism issue has two parts. On one side, I don’t think students are taught to collaborate. They go through school being graded on their individual performance. The few classes that grade as a team are outliers.

The second issue is the internal culture of your company. Collaboration requires trust. You need to work as a team and avoid individual blame. It also requires sharing the credit for good work among the team. That is just how your company or group at the company operates. Technology does not change culture.

The Technology

As both Goldman and Villa point out, the technology is still a barrier. There are many inherent limitations in a wiki that you don’t have with Microsoft Word. I think the wiki markup language is a mistake. I think platforms should just use HTML-based code.

Regardless of the underlying code, web-based documents do not have the rich formatting of Word. Arguably, you don’t need the vast majority of that formatting. It’s still very frustrating when something easy to do in Word is hard to do in a wiki.

Printing is another issue. In the end you may want to print hard copies. I have experienced widely different quality in what happens when a wiki page goes to the printer.

Wiki for One

I have to admit that I have not been preaching the benefits of 2.0 tools within my company. I use them purely as a knowledge tool for me. I use this blog and an internal wiki to store information for me to find as part of the compliance program. Most of the company is numbers driven, something for which web 2.0 tools are poorly suited.

I did collaborate with a summer intern on a compliance project using the wiki. I had the same experience as Goldman and Villa. Using a wiki did not come naturally to her. It took time for me to develop the trust for her to use it effectively.

In the end we worked together to create a tremendous amount of content for the compliance program that is well-organized and easy to find.

Other Examples

Over the last year I have seen an increase in the public use of Web 2.0 tools by compliance professionals. There has been a dramatic increase in the use of blogs. You can look at my blogroll for other examples.

One to take a close look at is Kathleen Edmond’s Blog. She publishes disciplinary examples from Best Buy. As you might expect, the examples do not include specific people or products. She is able to get the ethics story from Best Buy out into the public. She can get comments on her reasoning and the results.

Madoff Losses Down from $65 Billion to $20 Billion

How do you value fraud?

When the Madoff Ponzi scheme collapsed the claim was that there was $65 billion in losses. That was the total dollar value on the account statements given to investors. Of course, that number was fictional because there were no real assets behind those numbers.

The trustee overseeing the liquidation of the assets looked at the cash that came into Madoff and the cash that came out. The bankruptcy judge agreed. In a decision filed on Monday, Federal Bankruptcy Judge Burton R. Lifland ruled that losses should be defined as the difference between the cash paid into a Madoff account and the amount withdrawn before the fraud collapsed in mid-December 2008.

The Madoff trustee, Irving H. Picard, took the position that “the only verifiable amounts” reflected in the Madoff records are the differences between how much investors put into their accounts and how much they took out.

The result is that those investors who didn’t pull out their initial capital will get a greater percentage of their money out than those who took withdrawals from their accounts.

To put it another way, the people getting the greatest percentage of money back are:

  1. Those who least need the money. Since they took less money out they presumably have other income or capital to support their needs.
  2. Those most trusting of Madoff. Since they trusted Madoff, they did not pull money out of their investment accounts. They rode those returns and let their fictional returns keep accumulating.

Those who took out more cash from Madoff than they put in were labeled the “net winners” and get nothing. Even worse, it looks like the “net winners” may have to give back some of their “winnings” to the bankruptcy estate to pay off the net losers.

Of course, the opposite ruling is just as bad since the early investors would be paid by later investors, effectively extending the Ponzi scheme.

The judge is taking the position that people should be put back to their position as if they had not invested with Madoff. In the end it’s going to be bad for all the investors. It’s just a question of who feels the most pain.

Data Breach Sharing Framework

With the Massachusetts Data Privacy Law now in place (and presumably you are in compliance with it), you need to think about what to do if you have an incident.

Verizon has published the Verizon Incident Sharing Framework to help.

“Our goal for our customers, friends, and anyone responsible for incident response, is to be able to create data sets that can be used and compared because of their commonality. Together, we can work to eliminate both equivocality and uncertainty, and help defend the organizations we serve.”

The framework is set up to help classify incidents, their discovery, mitigation and impact.

Data Breaches and Knowledge Management

One of the features of the new Massachusetts Data Privacy Law is that it forces some knowledge management on companies in the context of data breaches.

Since the law required compliance on or before March 1, 2010, I assume you already have the policy and safeguards in place. That is, if you have social security numbers or financial account information for any Massachusetts resident in your computer systems or files. Yes, the law reaches beyond the borders of Massachusetts and is not limited to Massachusetts companies.

201 CMR 17.03(h) and (i) require regular monitoring of your program and a periodic review of its scope.

201 CMR 17.03(j) goes on to require that you document any responsive actions, have a post-incident review and document any changes to your program after the review. That sounds a lot like knowledge management to me.

The Office of Consumer Affairs and Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf). You should also review and be familiar with the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Image is by Darwinek in Wikimedia Commons: Flag Map of Massachusetts

Today is the Deadline for the Massachusetts Data Privacy Law

March 1 is the compliance deadline for the Massachusetts Data Privacy Law. 201 CMR 17.00 requires you to be in full compliance on or before March 1, 2010 (previously January 1, 2009, then January 1, 2010).

If your company receives, stores, maintains, processes or otherwise has access to “personal information” acquired in connection with employment or with the provision of goods or services to a Massachusetts resident you are subject to the requirements of .

If you have employees or customers in the Commonwealth of Massachusetts, then you are subject to this law. The law is not restricted to companies located in Massachusetts. But if you are located in Massachusetts then you have Massachusetts employees and their personal information, making you subject to the requirements of the law.

The law is a bit watered down since its initial form, but you still need to pay attention to it. There are some reasonableness standards in the requirements that make it easier to comply. You still need a policy, need to inventory your stores of “personal information” and educate your employees about the importance of safeguarding personal information.

The Office of Consumer Affairs and Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf).

You should also review and be familiar with the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Since today is March 1, you still have a few hours to get things in place to be compliant with the law. If you haven’t taken the proper steps, stop reading and go do it.

Compliance Bits and Pieces for February 26

Here are some interesting compliance related stories from the past week:

List of Troubled Banks at 16-Year Peak, F.D.I.C. Says by Eric Dash in the New York Times

After weathering the nation’s worst run of bank failures in nearly two decades, the Federal Deposit Insurance Corporation announced Tuesday that it had added 450 institutions to its list of challenged lenders in 2009 and warned that the industry was likely to remain under stress.

Rakoff Backs BofA Accord, Unhappily by Dan Fitzpatrick, Kara Scannell and Chad Bray in the Wall Street Journal

A federal judge harshly criticized but approved a $150 million settlement Monday between Bank of America Corp. and the Securities & Exchange Commission, resolving claims the bank should have disclosed billions in losses at Merrill Lynch & Co. before it was acquired by the bank. U.S. District Judge Jed S. Rakoff said the fine was “paltry” when considering the Merrill merger “could have been a bank-destroying disaster if the U.S. taxpayer had not saved the day.”

SEC Announces Efforts to Educate Investors About Participating in Corporate Elections – SEC Press Release

The series of measures include amending the SEC’s e-proxy rules, issuing an Investor Alert, and creating new Internet resources that explain the proxy voting process in plain language.

Supreme Court Sets Oral Argument in Quon v. Arch Wireless for April 19, 2010 in the Hunton & Williams Privacy & Information Security Law Blog

The U.S. Supreme Court has set oral argument for April 19, 2010, to review the Ninth Circuit’s 2008 decision on employee privacy in Quon v. Arch Wireless Operating Co. Although Quon concerns the scope of privacy rights afforded to public employees under the Fourth Amendment, the case also has forced private employers to renew their focus on ensuring robust and consistent enforcement of employee monitoring policies. Unlike government employers, private employers are not subject to the Fourth Amendment’s prohibition against unreasonable searches and seizures; instead, they must comply with federal wiretap statutes and state law.

The All-In-One FCPA Enforcement List from the FCPA Blog

This is really it. A snapshot of (we think) all FCPA-related ongoing prosecutions, pending sentencings, extraditions, at-large fugitives, and appeals.

How To Write a Code of Ethics by Josh Spiro in Inc.

A code of ethics can help a business determine its priorities and values. It can also help you down the line if one of your employees or vendors drags you into legal trouble.

Another Charge in Madoff Fraud

The SEC has charged Daniel Bonventre, Madoff’s Director of Operations, with securities fraud.

“According to the SEC’s complaint, Bonventre was responsible for the firm’s general ledger and financial statements that were materially misstated because they did not reflect the manner in which investor funds were maintained and used. Bonventre ensured that BMIS financial reports did not reflect the firm’s massive liabilities to investors or the corresponding assets received from investors. To hide the fact that BMIS normally operated at a significant loss, the firm used more than $750 million in investor funds to artificially improve reported revenue and income.

The SEC alleges that Bonventre also helped Madoff, his lieutenant Frank DiPascali, Jr., and others orchestrate lies to investors and regulators when investment advisory operations at BMIS came under review. With Bonventre’s assistance, they made serial misrepresentations to external reviewers by manufacturing reams of false reports and data.”

This is the SEC’s seventh enforcement action in the Madoff fraud since the scheme collapsed in December 2008. The Commission previously charged Madoff and BMIS, DiPascali, and auditors David G. Friehling and Friehling & Horowitz CPAs, P.C., who have all pleaded guilty to criminal charges related to their conduct. The SEC also charged certain feeder funds with committing securities fraud, and charged two computer programmers at Madoff’s firm for their roles in covering up the scheme.

Sources:

SEC Press Release – SEC Charges Madoff’s Director of Operations with Falsifying Accounting Records and Siphoning Investor Funds

SEC Decides to Think Further About IFRS

The Securities and Exchange Commission voted to issue a statement that lays out its position regarding global accounting standards. They want to make it clear that “the Commission continues to believe that a single set of high-quality globally accepted accounting standards would benefit U.S. investors.”

By 2011, the SEC will decide whether to incorporate IFRS into the U.S. financial reporting system, and if so, when and how. In trying to reach a decision, the SEC has published a Work Plan. It has six key areas:

  • Sufficient Development and Application of IFRS for the U.S. Domestic Reporting System
    • Comprehensiveness
    • Auditability and Enforceability
    • Consistent and High-Quality Application
  • The Independence of Standard Setting for the Benefit of Investors
  • Investor Understanding and Education Regarding IFRS
  • Examination of the U.S. Regulatory Environment that Would Be Affected by a Change in Accounting Standards
  • The Impact on Issuers, Both Large and Small, Including Changes to Accounting Systems, Changes to Contractual Arrangements, Corporate Governance Considerations, and Litigation Contingencies
  • Human Capital Readiness

Certainly it would be better to have a single universal accounting standard. But is IFRS better than GAAP, worse than GAAP, or just different?

Keeping Your Colleagues Honest

Mary C. Gentile put together a great piece on how to challenge unethical behavior at work in the March issue of the Harvard Business Review: Keeping Your Colleagues Honest.

She starts with four rationalizations for staying silent when encountering an ethical problem:

  • It’s standard practice.
  • It’s not a big deal.
  • It’s not my responsibility.
  • I want to be loyal.

The meat of the article is about helping a manager to speak up when confronted with an ethical problem.

  • Treat the conflict as a business matter.
  • Recognize that this is part of your job.
  • Be yourself.
  • Challenge the rationalizations.
  • Turn newbie status into an asset.
  • Expose faulty either/or thinking.
  • Make long-term risks more concrete.
  • Present an alternative.

I particularly liked her use of the rationalization argument.

“If people make the point that an issue is not your responsibility, you are in a strong position to press ahead—in using this rationalization, they have already conceded that the behavior is wrong, or at least questionable. They are not arguing with your assessment; they’re looking for a way to avoid the conversation.”

She also pulls out the New York Times technique on rationalization: “If it is expected, are we comfortable being public about it?” I usually amplify this to ask “Would you be comfortable with this being told in a story on the front page of the New York Times?”

The full article is behind the paywall at HBR.org.

Mary C. Gentile is a senior research scholar at Babson College in Wellesley, Massachusetts. Her book Giving Voice to Values is forthcoming from Yale University Press in September 2010.