FLAWLESS
COMPLIANCE

John Weathington, Compliance Consultant

Flawless Compliance (tm): A free monthly newsletter on today's compliance issues, ideas, and solutions, based on the consulting work done by John Weathington for Excellent Management Systems, Inc.

This and back issues of this newsletter are archived for free viewing at http://www.excellentmanagementsystems.com.

Copyright 2009 John Weathington. All Rights Reserved.

Issue No. 14, February 2009

Inside This Issue:

  • What in the World?: "Where's my Newspaper?" (The Fading Relevance of Print Media)
  • Center Stage: "Recovery.gov" (Transparency in the New Administration)
  • Hello Rubber, Meet the Road: "Compliance by Example" (Using PCI to Build a Great Compliance Program)
  • In The Soup: "Good Night, Good Knight" (Inflated Returns Bring Down Texas Billionaire)
  • The Gag Reel of Life: "This Might Take a While" (How to Make an Auditor Nervous)

 

Where’s my Newspaper?

The Fading Relevance of Print Media

After 150 years of providing the good citizens of Denver, Colorado with timely and important news, the Rocky Mountain News published its final edition on February 27th, 2009. In spite of winning four Pulitzer Prizes in the last decade, executives at parent company E.W. Scripps Co. announced that they just cannot stomach the losses anymore, and they're calling it quits.

The move did not come as a huge surprise, as Scripps CEO Rich Boehne attempted to unload the failing news business late last year. According to the Rocky Mountain News itself,

“On Dec. 4, Boehne announced that Scripps was looking for a buyer for the Rocky and its 50 percent interest in the Denver Newspaper Agency, the company that handles business matters for the papers. The move came because of financial losses in Denver, including $16 million in 2008.”

We've been hearing for years now about the demise of the print newspaper, from the same zealots who keep telling us the paperless office is right around the corner. I've generally resisted this school of thought; however, the current economic atomic bomb might be just enough to tip the scales of doom for even the most prominent newspapers.

Just in the last few months, we’ve learned of bankruptcies that might seal the fate for the Chicago Tribune, the Los Angeles Times, the Star Tribune in Minneapolis, the Philadelphia Inquirer, the Philadelphia Daily News, and the New Haven Register. Closer to my home, Hearst Corp. announced this month that they might be shutting down our iconic San Francisco Chronicle, unless they can come up with a way to reduce expenses.

The thing to understand is this. Even if newspapers go the way of the dinosaurs, the demand for information is not going away. In fact it is only going to increase. Classically, newspapers have been a key medium for receiving our news. As a nation, and as a globe, we may make the determination that newspapers are not necessary anymore, by simply choosing to receive the same information from somewhere else.

Focusing on the ends instead of the means should be a philosophy integral to your compliance program. If the big newspapers fail, it will be because of their business model, not a lack of demand for information. In the same way, your compliance program will fail if you focus too much on the process and not enough on the objective. The objective of your compliance processes is to control risk, not to blindly follow a bunch of procedures, even when those procedures are handed to you by a mandating agency. This is a key mistake people make, and it is part of the reason for the economic mess we're in right now.

Take, for instance, the compliance policies around subprime lending. I'm sure a lot of loans were issued to high-risk, subprime borrowers, and I'm sure that in most cases all the documented compliance policies and procedures were properly followed. And still, we've seen an unprecedented number of subprime borrowers who simply cannot make their payments and consequently default on their loans, causing a record number of foreclosures across the country. Why?

It's because all the lending institutions were concerned about was following the process, and nobody was looking at the key objective: making sure these borrowers could repay their loans. Now, if somebody decided to do a retrospective audit to confirm that the subprime lenders adhered to compliance policy, would it really matter?

Guard the objectives of your compliance program carefully. This is the real demand, not the medium realized by your compliance processes. And just like the newspaper industry, if your medium is not fulfilling the objective of adequately controlling your risks, maybe it’s time to retire the old processes and find another way.


Recovery.gov

Transparency in the New Administration

Regardless of whether or not you’re an Obama supporter, you cannot deny that he brings a refreshing Generation X attitude to the way he wants his administration to execute. Another thing that cannot be denied is his dedication to fulfilling his promise of increased oversight and transparency in his administration, specifically with the way our tax money is being spent with the American Recovery and Reinvestment Act. Mix these two paths together, and the result is Recovery.gov, President Obama’s high-tech way of keeping us informed of where our money is going.

Being curious, I visited the site the other day, and I have to tell you as a professional in the accountability and transparency business, I’m quite impressed with the direction it’s going. Whether or not the site will live up to its claims remains to be seen, however the idea is terrific and so far it looks very good. I invite you to visit this site if you haven’t been there already.

The front page currently features a nice bar graph that quickly tells me that the bulk of the $790 billion fund is going toward tax relief, state and local fiscal relief, and infrastructure. There’s also a nice milestone chart that tells me when things are slated to happen, like the March 3rd milestone when Federal Agencies will begin reporting the use of funds. Finally, there’s a video of President Obama himself, briefly explaining how the site is going to develop in the coming months.

A quick jump to the “Accountability and Transparency” page explains that President Obama:

“has identified five crucial objectives for Federal agencies, to ensure that:

  • Recovery funds are awarded and distributed in a prompt, fair, and reasonable manner;
  • The recipients and uses of all recovery funds are transparent to the public, and that the public benefits of these funds are reported clearly, accurately, and in a timely manner;
  • Recovery funds are used for authorized purposes and every step is taken to prevent instances of fraud, waste, error, and abuse;
  • Projects funded under the recovery legislation avoid unnecessary delays and cost overruns; and,
  • Programs meet specific goals and targets, and contribute to improved performance on broad economic indicators.”

This is a great example of how to communicate high-level policy. It's brief, clean, and simple, and it's not buried in some obscure location, rendered in 5-point type. In a few seconds, you know exactly where he stands and what the objectives are for this transparency initiative.

If you listen to Obama's intro, he explains that as tax dollars are actually spent, we will be able to track exactly where all the money is going. I'm not sure how he intends to report this information, but if it's in alignment with what has already been started, it should be pretty informative and comprehensive.

In the spirit of accountability and transparency, you should model what’s been done here. As you organize your compliance program, think about transparency and the direction President Obama is taking with this new website. As you know, I’ve done a lot of thought leading around the concept of a compliance data system, and ideas like this are a great extension of what I’m talking about. This site is a perfect example of how you can leverage business intelligence and web reporting to communicate important information about your compliance program.

To be honest, I’m a little skeptical at this point if the government can actually pull this off properly, but that doesn’t mean you cannot. Regardless of what stage your compliance program is in, organize a team of IT professionals to aid in a communication effort along the lines of Obama’s Recovery.gov. It’s a great starting point for your own transparency efforts.


Attention Tweeters!

John Weathington

Make sure to follow me on Twitter: http://twitter.com/johnweathington

If you're on Twitter, or thinking about starting, make sure to follow me. I'm also on Facebook, Skype, and of course LinkedIn. Feel free to invite me in, I'd love to network with you.

Compliance by Example

Using PCI to Build a Great Compliance Program

The PCI Data Security Standard Requirements and Security Assessment Procedures. Download the specification here, and visit the PCI Security Standards Council's website here.

If you are responsible for building a compliance program, and you haven't yet looked at the way the PCI DSS (Payment Card Industry Data Security Standard) is organized, you may want to drop what you're doing right now and navigate over to the PCI Security Standards Council's website.

The PCI DSS is a set of requirements designed to ensure effective data security for merchants and service providers that store, process, or transmit cardholder data. However, even if your company or department has nothing to do with accepting credit cards, there's a lot to be learned from the way the PCI Security Standards Council has organized its compliance guidance. They've provided a stellar example of how to do it right.

Here are some key points about the way the PCI Security Standards Council has organized compliance around PCI DSS that I'd like to see you leverage in your compliance program:

Key Point # 1: Build an Effective Website for Communication

It seems obvious in this day and age, but I’ve seen too many websites that are hard to navigate and confusing to use. This usually happens when the compliance website is of little importance to the overall effort, and the responsibility falls on whoever happens to volunteer for the task. This is a mistake. Communication is key in any compliance program, and your website is a primary tool to accomplish this.

What I like about the PCI Security Standards Council's website is that it's very easy to find any and all the information you need. The home page is organized in blocks, which makes it easy to quickly find what I need to know. Also, in a few clicks I can download the actual standard (currently in version 1.2), which is very well done.

Key Point # 2: Communicate your High Level Policy Briefly and in a Prominent Location

As soon as I navigate to the PCI DSS section of the website (the council handles more standards than the PCI DSS), I get a brief overview of what PCI DSS is all about, and I get a 30-second look at all 12 requirements, grouped into 6 sections. Within minutes, you can effectively digest exactly what PCI DSS is trying to accomplish, and the high level requirements that will support these goals.

This is very similar to what we've seen at Recovery.gov. Within one click from the home page, you have a one-page, quickly consumable outline of everything involved. This is exactly what you want to do for your program, both for your own internal efforts and for easy communication externally.

Key Point # 3: Build a Detailed Specification Document with Assessment Instructions

The PCI DSS specification that you can download from the website is one of the best I've seen, and it is a great example of how yours should be constructed. To illustrate how thorough it is, it takes 73 pages to flesh out only 12 requirements. Although it's detailed, it's not superfluous or boring. The pages are spent carefully explaining each requirement in detail, with supporting information for full comprehension.

But it provides more than information; it provides specific instructions for how to properly execute compliance. Each of the 12 requirements is broken down into a hierarchy of lower-level requirements, and each lower-level requirement is paired with a testing procedure. The testing procedure tells assessors exactly what to examine, observe, or interview for in order to confirm the requirement is met.

In addition, the specification includes:

  • Instructions for how to report on compliance
  • A very good discussion on compensating controls, and how they may be used
  • A worksheet for companies that want to use compensating controls, including example entries
  • Templates for attestation

It's obvious that a lot of thought was put into organizing the PCI compliance effort, and in my professional opinion it's a job well done. When you get a chance, take a look at their website and specification, even if your business has nothing to do with accepting credit cards. If your program is put together in the same spirit, you'll be in good shape.


Good Night, Good Knight

Inflated Returns Bring Down Texas Billionaire

Photo: Sir R. Allen Stanford

Sir R. Allen Stanford is in the callaloo this month, as this insane series of scandals sweeps across the globe. The 58-year-old Caribbean businessman from Texas was apparently pushing CDs with an 8 percent return. That's 8 percent, on a CD.

Well, unlike Madoff, the SEC figured this one out and promptly filed a complaint alleging that Stanford cooked up an investment scheme centered around an $8 billion CD program that promised improbable returns. 8 percent on a CD—yeah I guess that’s improbable.

It took a while to catch up with Stanford, but the FBI finally tracked him down in Virginia a few days after the complaint was filed. All assets processed through Stanford's firm have been frozen until things get sorted out. This has more than a few of the 30,000 investors in his firm a little irritated.

I don't blame them a bit; however, let's use some common sense here. The old saying, "if it's too good to be true, it probably is," has been drummed into our heads since birth. Yet for some reason we always seem to test this theory, and we always end up with the same disappointing results.

I'm not suggesting that you stay away from taking risks; however, safe bets with big rewards just don't exist. The next time somebody offers you an 8 percent CD, it's probably best to just pass.


This Might Take a While

How to Make an Auditor Nervous

Picture: a file transfer progress dialog estimating 46368 days remaining

Unless this download is intended for Zack's grandkids to enjoy, this transfer is probably not going to work out. Whoever built this estimate obviously did not think it through.

Make sure auditors don't see abnormal status reports like this. Although it may be an honest mistake, it's a big red flag that you might not have things under control. Put programmatic boundary guards around anything that might be reported in an audit. Catch unusual values like negative times and trillion-dollar revenues before they're displayed on the screen, and log the exception so somebody investigates the root cause instead of shipping a nonsensical number to the auditor.

And if it really is going to take 46368 days to retrieve an auditor’s query, you might want to rethink the design of your data system.
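Here is what such a boundary guard can look like in practice. This is an added example for this newsletter, not code from any real audit system; the field names, the plausibility ranges in AUDIT_BOUNDS, and the three sample report records are all constructed for illustration and would be tuned to your own business. The guard checks each reported value against a declared range, replaces anything implausible with a marker before display, and keeps an exception log so the underlying defect (the broken ETA estimator, the sign error in the timer) gets fixed rather than shown to an auditor.

```python
"""Boundary guards for values that may appear in an audit report.

Added example, not from the newsletter. Field names, bounds and the sample
records below are constructed for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Bound:
    """Plausibility range for one reported field, with the reason it exists."""
    field: str
    low: float
    high: float
    reason: str


# Assumed bounds for this example; a real program derives them from the
# business (largest plausible revenue, longest job you would ever let run).
AUDIT_BOUNDS = (
    Bound("elapsed_seconds", 0, 7 * 24 * 3600,
          "elapsed time must be non-negative and under one week"),
    Bound("eta_days", 0, 30,
          "an ETA beyond 30 days means the estimator, not the job, is wrong"),
    Bound("revenue_usd", 0, 50e9,
          "revenue above $50 billion is outside this company's scale"),
    Bound("record_count", 0, 10_000_000,
          "no audited table holds more than ten million rows"),
)

# What the report shows in place of a value that failed its guard.
FLAGGED = "n/a (flagged for review)"


def check_record(record: dict, bounds=AUDIT_BOUNDS) -> list:
    """Return (field, value, reason) for every value that fails its guard.

    Only fields present in the record are checked; a missing field is a
    completeness problem, not a plausibility problem, and is out of scope here.
    """
    findings = []
    for b in bounds:
        if b.field not in record:
            continue
        value = record[b.field]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            findings.append((b.field, value, "not a number"))
        elif not math.isfinite(value):
            findings.append((b.field, value, "NaN or infinite"))
        elif not (b.low <= value <= b.high):
            findings.append((b.field, value, b.reason))
    return findings


def sanitize_record(record: dict, bounds=AUDIT_BOUNDS) -> dict:
    """Copy of the record with every failing value replaced by FLAGGED."""
    bad = {field for field, _, _ in check_record(record, bounds)}
    return {k: (FLAGGED if k in bad else v) for k, v in record.items()}


def review_report(records, bounds=AUDIT_BOUNDS):
    """Guard a whole report: returns (rows safe to display, exception log)."""
    rows, log = [], []
    for rec in records:
        for field, value, reason in check_record(rec, bounds):
            log.append(f"{rec.get('job', '?')}: {field}={value!r}: {reason}")
        rows.append(sanitize_record(rec, bounds))
    return rows, log


# Constructed sample records: one with a runaway ETA, one with a negative
# timer and a trillion-dollar revenue figure, and one that is clean.
SAMPLE_RECORDS = [
    {"job": "auditor_query_17", "elapsed_seconds": 42.0, "eta_days": 46368,
     "record_count": 12_000},
    {"job": "nightly_recon", "elapsed_seconds": -3, "revenue_usd": 1.2e12},
    {"job": "quarterly_close", "elapsed_seconds": 900, "revenue_usd": 8.4e8,
     "record_count": 500_000},
]


if __name__ == "__main__":
    display_rows, exceptions = review_report(SAMPLE_RECORDS)
    for row in display_rows:
        print(row)
    for line in exceptions:
        print("EXCEPTION:", line)
```

The design point is that the guard sits between the data system and the screen, not inside the query that produced the number: the auditor sees a clearly marked gap, and your team sees an exception log entry naming the job, the field and the reason, which is the trail you want when someone asks why the number was withheld.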

 
Always Please Remember
Always please remember to buckle up. It could save your life.

If you are having problems viewing this, please visit the Flawless Compliance archive at http://www.excellentmanagementsystems.com/flawless.jsp.

Flawless Compliance is a free monthly newsletter on today's compliance issues, ideas, and solutions, based on the consulting work done by John Weathington and Excellent Management Systems, Inc.

To forward this newsletter to a friend, you must be viewing this newsletter in your email. If you received this newsletter via email, please click here to forward this newsletter to your friends.

To Subscribe, please visit the Flawless Compliance section of my website, http://www.excellentmanagementsystems.com .

To Unsubscribe, if you received this newsletter via email, please click on the link below:

unsubscribe

You may also Unsubscribe, by sending an email to newsletter@excellentmanagementsystems.com, with the Subject of "Unsubscribe to Flawless Compliance".

© 2009 John Weathington. All Rights Reserved. This publication is so copyrighted, it's not even funny. However I encourage you to share it, whole or in part, with proper attribution.