by French Caldwell | October 4, 2013 | 3 Comments
If you follow the shutdown news, you’ll no doubt hear some talking heads saying the shutdown will last a few more days, and some cleverer pundits starting to link the timing of the shutdown to the debt limit deadline of 17 October. Business, government and IT executives need a scenario on which to base longer-term decision making related to the shutdown, so I’ve put on my inside-the-Beltway strategist hat and come up with one. I hope it helps.
First, the background. Without going into the political issues at stake, it’s clear that Congress is hopelessly deadlocked. Neither political party is in control of Congress, and both parties are split further by factions. There’s no clear path forward for a bipartisan coalition to pass a continuing resolution to fund government operations and to raise the debt limit. We are in a constitutional crisis.
With this deadlock, consider the following probabilities:
1 — There will be no agreement on a continuing resolution before 15 October, the next payday for government employees (0.8 probability).
2 — The debt limit will not be raised by 15 October, two days before the ceiling is reached (0.5 probability).
3 — If the debt limit is not raised, the Department of the Treasury will identify further extraordinary means to extend the debt limit for at most two more weeks through the end of October (0.4 probability).
4 — Come 1 November, the U.S. government will not pay some of its bills, perhaps things like Medicare reimbursements and utilities for some federal facilities (0.2 probability).
As the above probabilities play out, the following scenario becomes more likely:
- Government agencies will be told to identify the absolute minimum skeleton crew required to maintain public safety and security. Courts will shut down.
- Plans for the use of National Guard and other military units to protect abandoned federal facilities will be established.
- The government will announce a prioritization plan that will focus on paying many items not affected by the continuing resolution, such as Social Security, veterans’ benefits, and interest payments on government debt.
- It is highly unlikely, a virtually nil probability, that the U.S. Government will default on its debt. Rather than allow even a temporary default, it is likely that as the ultimate debt limit is approached, Congress will pass incremental increases in the debt ceiling to assure world markets of a commitment not to default.
Federal agencies should assume a prolonged governmental shutdown which may require mothballing some facilities that current continuity of operations (COOP) plans assume will stay operational. State and local governments, and businesses that depend on federal data and federal IT systems should assume that data will not be available for up to two months.
This scenario is not the absolute worst case. Rather, it is a worst probable case. In 2010 and 2011, the Belgian government was deadlocked for over a year, but a caretaker government was able to pass a budget and continue running governmental services until a new government could be formed. The U.S. Government constitutionally does not have that flexibility, and it is enormously consequential to the global economy; both of these militate against a prolonged constitutional deadlock, but they also magnify the shock of one.
Category: public policy, Strategic Planning, Uncategorized
by French Caldwell | July 17, 2013 | 2 Comments
Colleagues today were again discussing the Snowden revelations about service providers giving governments access to digital business and social media data. One colleague suggested that we should not use the term “back door” in this context, since by the traditional IT security definition this would imply that government agencies had direct access to the operational systems of the service providers.
That’s a good point. Another way to think about the access for governments is that it’s the back screen door that is left unlocked. The door to the house remains locked. Facebook, Yahoo and others are putting out things on the back porch that the government milkman can pick up.
When I talk to relatives and friends, they seem okay with that. But when I point out that if Facebook is doing that for the NSA, it is probably doing it for other governments too, they get a bit nervous.
But they still insist that they don’t put anything on Facebook that would get them in trouble. And then I ask: are all your friends doing the same? And what about their friends? What if you get scooped up in an investigation because you have a relationship, even at the second or third degree, with someone else? What if you were denied a clearance on that basis, or a job?
I guess we just don’t remember history.
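The second- and third-degree point above is what analysts call contact chaining: start from a person of interest and walk the friendship graph outward a fixed number of hops. The example below is added here to illustrate that, and is not code from the original post or from any service provider; the friendship graph and all names in it are constructed for the demonstration. It uses a breadth-first search to list everyone within N hops of a target and to recover the chain that links two people, so you can see how quickly a small hop limit pulls in people who have no direct tie to the target.

```python
from collections import deque

# Constructed toy friendship graph (undirected); every name here is invented.
# "you" never talks to "frank", but is three friendships away from him.
FRIENDS = {
    "you":   ["alice", "bob"],
    "alice": ["you", "carol", "dave"],
    "bob":   ["you", "erin"],
    "carol": ["alice", "frank"],
    "dave":  ["alice"],
    "erin":  ["bob", "grace"],
    "frank": ["carol", "heidi"],
    "grace": ["erin"],
    "heidi": ["frank"],
    "ivan":  ["judy"],      # disconnected pair, never reachable from "you"
    "judy":  ["ivan"],
}


def hops_from(graph, start):
    """Breadth-first search: map every reachable person to its hop distance from start."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in graph.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def within_hops(graph, target, max_hops):
    """Everyone (excluding the target) who is at most max_hops degrees from target.

    This is the set that a contact-chaining query on `target` would sweep up.
    """
    return {p for p, d in hops_from(graph, target).items() if 0 < d <= max_hops}


def chain_to(graph, start, target):
    """Shortest friend-of-friend chain from start to target, or None if unconnected."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        if u == target:
            path = []
            while u is not None:
                path.append(u)
                u = parent[u]
            return path[::-1]
        for v in graph.get(u, ()):
            if v not in parent:
                parent[v] = u
                queue.append(v)
    return None


def sweep_report(graph, target, max_hops=3):
    """Group everyone swept up by an investigation of `target`, keyed by degree."""
    by_degree = {}
    for person, d in hops_from(graph, target).items():
        if 0 < d <= max_hops:
            by_degree.setdefault(d, []).append(person)
    return {d: sorted(names) for d, names in sorted(by_degree.items())}


if __name__ == "__main__":
    # An investigation of "frank" with a three-hop limit reaches "you".
    for degree, names in sweep_report(FRIENDS, "frank").items():
        print(f"{degree} hop(s) from frank: {', '.join(names)}")
    print("chain:", " -> ".join(chain_to(FRIENDS, "frank", "you")))
```

Run it and note that an investigation of "frank" with a three-hop limit lists "you" at the third degree, while a target of "heidi" (one hop further out) does not; shifting the target or the hop limit by one changes who is in the net, which is exactly why "I don’t post anything incriminating" is not much protection.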
Category: Cybersecurity, public policy, Social Technology, Uncategorized
by French Caldwell | May 23, 2013 | 1 Comment
As John Wheeler and I work on the updated Enterprise GRC Platform Magic Quadrant, I wonder what has happened to many of the vendors that used to brief us. Actually, I know where they are, and now and then I’ll see them at a trade show or shoot them an e-mail asking for an update. I always tell these vendors to make sure they stay in touch with, at a minimum, an annual briefing. Some do, some don’t.
Not keeping the analysts up to date is a mistake. Every day I recommend vendors to clients that are looking for solutions, and often those recommendations include vendors who have a special capability, industry domain knowledge, or geographic focus, but who do not meet all the Magic Quadrant inclusion criteria.
Another thing I do is make sure I include vendors in other research, such as hype cycles. For instance, in the enterprise GRC platforms profile on the GRC hype cycle, I include vendors who have updated me in the last year, and I remove any who have not. The same goes for the continuous controls monitoring profile. So the surest way to get yourself removed from the “example vendors” on the hype cycle is to not brief the analysts.
Vendors are also often mentioned in technology overview notes. Sure, I’ll reach out to try to get them to brief me for the third-party risk management and social GRC notes I’m working on, but could I miss a particular vendor because they have not kept in touch? Yes, I could.
Category: Uncategorized
by French Caldwell | May 1, 2013 | 1 Comment
I just returned from the MetricStream GRC Summit in Las Vegas where I presented a keynote on risk management and performance. The summit was very well planned, organized, and executed. The speakers and panel participants talked not just theory but provided practical examples of the benefits and challenges of using GRC technologies to improve their risk management and compliance programs.
Last week I made a similar keynote to the Institute of Internal Auditors Quebec chapter. In both keynotes, I focused on the ERM/GRC blueprint concept that John Wheeler and I published in March. This blueprint provides a practical approach for identifying the goals of ERM programs in terms of strategic business objectives, and linking that to an underlying GRC architecture that can drive business performance benefits. After each session, attendees asked if I could meet with their boards of directors and share this concept and the strategic drivers of GRC. It’s exciting to see this very positive reaction to the idea that GRC can positively impact business value creation.
In a sidebar conversation at the MetricStream summit, an investor told me that he’s excited that GRC is becoming a true risk management platform that can integrate with processes throughout a company; he sees it as the next ERP. I agree the GRC marketplace is a good investment, but GRC platforms are not going to become deeply embedded in the enterprise by orchestrating risk management; they will do so by orchestrating business performance. Some vendors are starting to recognize this, and more will follow. In less than three years, all leading GRC vendors will support integrated performance and risk management.
PS — At the MetricStream GRC summit, putting my colleague Paul Proctor on a panel with Network Frontier’s Dorian Cougias was a stroke of genius — no one in that non-IT audience could understand the security geek-speak those two got into, but they were so entertaining that no one cared.
Category: GRC, Risk Management, Uncategorized
by French Caldwell | February 6, 2013 | Comments Off
Even as the economic recovery gains momentum, risk management and compliance are still growing in importance. This trend should continue until there is a political and cultural shift toward deregulation. In the Gartner CEO survey, regulatory risk was ranked as the number one business risk, and in the Gartner/Forbes board survey, risk management, legal and compliance were the areas least likely to be cut. The hiring trends reported in this CFO article bear out that demand for risk management and compliance professionals is very strong.
Six Finance Jobs Ripe for Hiring in 2013
Hiring | February 05, 2013 | CFO.com | US What finance positions in the financial services industry will be hot in 2013? While economic and political uncertainty held back job growth in 2012, this year hiring activity is expected to be strong in six areas in particular, according to a new report from…
Category: compliance, Legal IT, Risk Management
by French Caldwell | January 30, 2013 | Comments Off
I’m on the road this week: first Boston for client visits and then PwC’s industry analyst summit, and now New York for a day at the LegalTech conference. What struck me most at PwC is how they were talking SMAC, the convergence of social, mobile, analytic and cloud technologies, which Gartner calls the Nexus of Forces. All the consulting firms are looking at how they can take advantage of this convergence, and most are focusing on marketing as the buyer. What was different about PwC’s SMAC is that they see major dislocation of business models, and hence the opportunity for digital transformation engagements across the enterprise, not just with marketing. At the same time, the Nexus is affecting PwC’s business model as well, and to grow they are focusing on how to take advantage of the consolidation of the consulting market.
Now at LegalTech, it’s easy to see that the legal profession is being hit hard by the Nexus. Technology vendors are responding to new social compliance demands and the challenges of discovery of social media. Law firms are seeing emerging legal services and a move toward do-it-yourself technologies for corporate counsel. But the bigger long-term issue for corporate counsel and law firms is that SMAC technologies are changing the very way that people engage with corporations and governments, and hence corporate business models and systems of government must rapidly change or they will fail. This is a major challenge for corporate counsels, whose basic role is to ensure that their companies and agencies are in compliance with regulations and laws.
Complicating the matter is that corporate counsels are not well supported by the IT organization. A survey by Gartner and ALM showed that 80% of Chief Legal Officers say that the legal department has no formal support from the IT organization. This will only further complicate digital transformation for those companies, and it inhibits the CLO’s ability to protect the company legally through a period of tremendous business disruption.
At Gartner, we’ve formed a collaborative working group of analysts who are looking at the challenges and solutions for legal IT support. This group is already producing research on legal IT support — storage and archiving, e-discovery, social media compliance, social risk management, enterprise legal management, GRC and more. And we look forward to working with CIOs and other IT leaders who are building the architectures to better support the CLO.
Category: Cloud, compliance, Legal IT, Social Technology
by French Caldwell | January 25, 2013 | 1 Comment
I’ve read through the new draft guidance from U.S. financial services regulators on the use of social media. What struck me most is that instead of taking a compliance-and-control point of view, it talks instead of risks, and of the need to ensure that social media risks are included in your risk management program. That’s not to say that FSIs should take the guidance as merely advisory; as I learned in the Navy, a suggestion from a senior officer is an order.
So here are a few of the orders from the draft guidance:
- Although this guidance does not impose additional obligations on financial institutions, as with any new process or product channel, financial institutions must manage potential risks associated with social media usage and access
- The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing
- Financial institutions’ incident response protocol regarding a security event, such as a data breach or account takeover, should include social media, as appropriate
- Components of a risk management program should include the following:
- A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution
- Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance
- A due diligence process for selecting and managing third-party service provider relationships
- An employee training program
- An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party
- Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance
- Appropriate reporting to the financial institution’s board of directors or senior management
And the last sentence of the draft is a comprehensive mandate: “As with any product channel, financial institutions must manage potential risks to the financial institution and consumers by ensuring that their risk management programs provide appropriate oversight and control to address the risk areas discussed within this guidance.”
What this all means for FSIs is that in the next couple of years, you will have regulators examining your social media risk management programs. Sure, right now they’ve got plenty to keep them busy; Dodd-Frank rulemaking is only about a third done. But let’s not forget, there’s a new kid in town, the Consumer Financial Protection Bureau (CFPB); in the social media risk area it doesn’t face a lot of competition from other regulators, which makes it a great place to quickly carve out some new turf.
CIOs, start working now with your legal counsel and government affairs to draft your comments. And for Gartner clients, I’d recommend that before you submit the comments, you run them by us. My colleagues, Stessa Cohen, Carol Rozwell, Andrew Walls, and I who are tracking social compliance and risk management are pleased to talk with you and provide our feedback.
Some Recommended Reading:
Gartner Fellows Interview With Patricia Flynn, Vice President at Fidelity Investments: Managing Social Media Compliance
Social Media Best Practices That Deliver Bank CEO Priorities
Use Gartner’s Social Business Program Maturity Model to Plan Your Next Move
Security Tools for Control of Social Media Usage
Category: compliance, public policy, Risk Management, Social Technology
by French Caldwell | January 23, 2013 | Comments Off
“I have seen war…. I hate war.” Whenever I see this FDR quote at his memorial in DC, I involuntarily substitute the word “e-mail” for “war.”
I have seen e-mail. It’s blunt force and unwieldy; it turns brilliant discourse into foggy stew.
It’s the default when your processes don’t work.
It’s a panacea for our shy natures – we don’t have to talk to anyone.
It enables procrastination.
It helps us pass the buck – by sending an e-mail we claim we did something, when in fact we did nothing.
I could go on about all the negative sides of our nature enabled by e-mail, but I’ll spare you.
I hate e-mail.
What made me think of this today was a long e-mail string that started with a comment on a McKinsey Quarterly interview with KM guru Don Tapscott. Dr. Tapscott wants us to use social and collaboration tools instead of e-mail, which is fine, and for team project-oriented work is well proven and perfectly acceptable.
But like it or not, and I don’t like it, e-mail is the default social collaboration tool for most workers these days, and that’s not likely to change even with the advent of social media. In fact, don’t most of us look at social media only after we get an e-mail telling us that someone commented or poked us? Well, there ya go, folks.
Category: Social Technology
by French Caldwell | January 9, 2013 | Comments Off
It could be awfully confusing to try to make sense of today’s FT. A front-page article highlights that the US is headed toward energy independence, which is a boon to energy-intensive industries: heavy manufacturing, high-tech manufacturing, petrochemicals, and even IT services. On the other hand, a lead opinion piece touts Big Data, not Big Oil, as the salvation of American manufacturing.
So, which is it? It really depends on what you see as the fundamental economic problem facing the US. Stratfor’s CEO George Friedman published a heartfelt piece yesterday on the crisis of the American middle class. In it he clearly differentiates between economic gains, which the FT piece on Big Data highlights, and the prosperity, or lack of it, of the middle class. Friedman convincingly illustrates that what’s good for the economy is not necessarily good for middle-class workers and families.
The application of Big Data to manufacturing and supply chains can help to make American manufacturing more competitive, mostly through ongoing gains in productivity. For workers who keep their jobs in the next Big Data-led productivity push, that’s great, but productivity gains often cost many others their jobs. Big Data may even help to bring some manufacturing back on shore, which is good for the economy, but as highly automated as repatriated manufacturing can be, it is not necessarily a big job booster.
On the other hand, lower and more stable energy costs have a direct impact on the bottom line irrespective of productivity. Bringing supply chains closer to home, and low-emission, low-cost natural gas energy sources, will enable gains in well-paid manufacturing employment as well as in sustainability performance. My colleague Stephen Stokes predicts: “By 2016, 60% of global manufacturers will focus on the upstream supply chain for sustainability reporting, analysis and performance improvement.”
And new jobs start with the exploration and production of natural gas and oil in regions like the Great Plains and the Midwest that were hit hard by economic shifts over the last several decades. With lower energy costs, and sources of energy close to traditional centers of manufacturing, the US middle class will indubitably benefit, starting at the pump and continuing with gains in employment.
Big Oil trumps Big Data, right? Not quite. With lower energy costs, US CIOs will see the economics of offshoring shift as well. Offshoring has already been hit by higher wages in developing economies, and now, with the US having a competitive differentiator on energy costs, data processing and storage could shift back to the US as well. While there is not a lot of correlation between the location of data centers and the analysis and application of big data, offshore centers enable developing economies to build higher-value IT services like Big Data analytics. Lower energy costs in the US could slow that trend, enabling the US to maintain a significant lead in the analysis and application of Big Data.
Within manufacturing sectors, we could see the development of a synergistic relationship between Big Oil and Big Data: the former lowering the cost of doing business in the US and re-invigorating the middle class, and the latter driving ongoing gains in productivity and innovation that enable ongoing economic gains. A virtuous circle of Big Oil and Big Data.
Category: Applications, public policy, Strategic Planning
by French Caldwell | January 4, 2013 | 1 Comment
Wow, less than two years to settle the Google antitrust case. Remember the Microsoft antitrust case? It seemed to drag on forever.
One difference here is that the Google case was handled by the FTC, which has become the de facto regulator of the consumer information technology industry. At the time of the Microsoft case, there was no regulatory regime for the IT industry, and in fact Microsoft was just establishing its Washington-based government affairs office. Today both Microsoft and Google have large government affairs organizations, and they are heavily involved with several IT trade associations and other Washington (and Brussels) based lobbying and industry groups.
In 1999, when I joined Gartner, the idea that the IT industry would be heavily involved in and impacted by public policy was radical. Yet I got the support of many of my colleagues to form the Technology and Public Policy research community. That community produced a lot of early Gartner research on public policy, the last of which was a special report when President Obama first took office. The community was also the foundation for the Risk Management and Compliance research community, which took off like a rocket after Sarbanes-Oxley and continues to this day as a vibrant thought leadership community in Gartner.
Today, the idea that CIOs and enterprise architects should consider public policy and the regulatory environment in the development of their strategies and the execution of major IT initiatives is commonplace. Planning and budgeting professionals often incorporate the idea without even having to think about it explicitly anymore. The same is true of Gartner research: in 1999, the terms compliance, regulatory and risk management were rarely found in Gartner research; now they are commonplace even among analysts who are not regular participants in the Risk Management and Compliance research community, which, by the way, has expanded to the point that it is now many RCs: Risk Management, Compliance and Legal, IT Audit, Privacy and BCM. None of those existed in 1999.
But what triggered this post is how quickly the Google case was settled. Partly it was due to the FTC handling the case instead of the DoJ, so there is acknowledgement in Washington that the FTC has purview over the consumer-facing IT industry. This acknowledgement goes a long way toward establishing the long-term regulatory regime for IT, but it is far from conclusive. Two major issues for IT regulation in the U.S. remain outstanding: cybersecurity, particularly as related to critical infrastructure protection, and consumer privacy. These two issues butt up against another area of IT regulation that has been conclusively established: national security, the government’s right to snoop.
Category: Uncategorized