French Caldwell

A member of the Gartner Blog Network

Research VP
11 years at Gartner
15 years IT industry

French Caldwell is a vice president in Gartner Research, where he leads governance, risk and compliance research. Mr. Caldwell also writes and presents on knowledge management. His research includes analysis of the impact…

Merry Christmas!

by French Caldwell  |  December 23, 2011

Imagine if we didn’t have Christmas at the end of the year?  What would it be like in the cold dark northern hemisphere?

The New Year would probably still be a time of starting anew with a fresh perspective – but towards the end of the old year …?   Perhaps at work instead of having office parties and passing presents around, we’d be totaling up all the things we did not get done.  It would be kind of a sourpuss period of self-loathing and regrets at work.  Instead thanks to Christmas, we pass around secret Santa gifts, take off early to get to our kids’ Christmas pageants, eat lots of sweet stuff, drink too much, and say and do things that hopefully in the joy of the season our friends and colleagues forgive us for by 2 January.

Well, I’m having my office party this afternoon – I’ll get together with a couple of neighbors who also work at home, and we’ll go chug some mocha frappuccinos at the local Starbucks, while looking forward to Sunday, Christmas Day.  Home with family, friends and relatives celebrating a birth 2000 years ago.  Peace, Hope and Love to all.

Category: Uncategorized

The Thanksgiving Holiday Risk-Adjusted Value Model

by French Caldwell  |  November 23, 2011

For Americans Thanksgiving is a wonderful holiday because it involves eating, playing with an oblong leather air bladder, and being thankful for the blessings of friends, family and prosperity.  Even with all the influx of family, it tends to be one of the least stressful holidays.

However, as risk management professionals we must be careful to not ignore the risks to a good holiday.  Please share this Gartner Thanksgiving Risk-Adjusted Value Model™ with family and friends to ensure that your strategic goals and objectives for the holiday are met.

For those not in the United States (or Canada – which has the jump on us for Thanksgiving by a month), the Holiday Management process is critical to all cultures, so please feel free to adjust this index as necessary for other holidays.  See the Gartner Business Risk Model for more examples.

Best wishes for a wonderful Thanksgiving!

Category: GRC, Risk Management

They Did Shut Wall Street Down

by French Caldwell  |  November 17, 2011

The events today are an inflection point in social e-governance.

In my presentations on the Six Critical Uncertainties, I’ve said for years that social e-governance is the most pressing IT-led issue of our time.  The political process is meant to resolve or at least manage public policy issues, but due to the rapid adoption of social technologies for organizing on public policy issues, the old political and governmental institutions for dealing with emerging public policy issues are eroding before our very eyes.  The legacy political process is not failing because it doesn’t work, but rather it’s failing because the traditional institutions for managing emerging social issues – political parties, oversight hearings, the traditional media, regulators, etc. – are being bypassed by networks that are much better at organizing through the use of social media and social technologies.  Here’s an interesting account of the OWS protests today: http://www.businessinsider.com/live-occupy-wall-streets-early-morning-march-on-the-ny-stock-exchange-2011-11  And here’s the OWS site, where they even streamed live video feeds of the protests today: http://occupywallst.org/

And it’s not just OWS – social technology enabled groups like the Tea Parties and MoveOn have taken over from the political parties the mobilization of voters and political fundraising – so much so that the political parties are really not much of a resource for a candidate these days.  One group, AmericansElect, is trying to bypass the presidential primary process, which if successful will suck out what wind remains in the political parties: http://www.americanselect.org/

By the way – for those who haven’t seen them before, here are all of the six critical uncertainties:

  • Trust in the Connected Economy
  • The Pace of Globalization
  • The Regulation of Cyberspace
  • The 5th Generation of Warfare
  • Social E-Governance
  • Sustainability

Everyone alive today has a stake in legacy political processes – the question is, how will they adapt?  Or will they?

Category: Uncategorized, public policy

What’s Your Fairness Index?

by French Caldwell  |  November 2, 2011

Many risk managers are still in a situation where they’d like to be able to contribute strategically, but they find themselves in the position of spending a lot of time still reacting to events.  The upcoming annual meeting season is an opportunity for risk managers to show that they can be more than just the loss managers.  Consider the issues that affect corporate strategies, including non-financial issues.  Perhaps consider supplementary reporting for stakeholders who have more than just financial interests.  And move to a year-round effort of tracking both financial and non-financial risks — don’t just get started in November.  For example, the Occupy movement is top of mind for many shareholders and corporate directors.  Fairness in how employees are treated and how customers are treated is one major theme that is emerging from the Occupy protests – so what is your fairness index, and which strategic key performance indicators will this fairness index most impact?  For those high-impact KPIs, the fairness index is a leading indicator of performance.  So how could your enterprise improve the fairness index with respect to the strategic KPIs that are affected most?

Category: Risk Management, Strategic Planning, compliance, public policy

My 13th Sym — and I’m Still Not a Security Analyst

by French Caldwell  |  October 17, 2011

This is my 13th Orlando Symposium as a Gartner analyst.  I’m finding now that some clients are scheduling 1-1s because they know me and want to talk to me — regardless of what I cover as an analyst.  That’s nice, but a bit of a challenge — I hate to tell you this, but I don’t cover endpoint security, server configuration management, vulnerability scanning or any of those other security operations types of things.  I’ve been assigned to the security group long enough now that I know the terms, and I can nod knowingly and make an intelligent sounding “oh, certainly” when one of my fellow analysts makes an emphatic point — but I don’t know IT security, beyond its business importance, and I don’t think there is much chance that I ever will.

You see — I’m too busy with enterprise business risks to get too far down in the weeds on specific IT security risks and controls.  Enterprise Risk Management and integrated Governance, Risk and Compliance are my forte — and they keep me very busy.  Of course, if you want to talk about IT risks, I certainly can — but in the context of business objectives and ERM.

It’s a curious place where I find myself.  In covering GRC, I’m straddling a fence between business intelligence, analytics and business process performance, and the risks to business performance, including regulatory risks, business risks, third-party risks, and, yes, IT risks including IT security risks.  It’s a tough balance with many different constituencies, including CIOs, CFOs, CROs, CCOs, CAOs and CISOs.

I know a lot of other CIOs, risk management and compliance professionals, and many other IT professionals at Gartner client organizations are trying to straddle that fence and deal with multiple constituencies too.  Here at Gartner symposium, if you find yourself in that seat, I’d recommend you focus on presentations and workshops by Richard Hunter, Paul Proctor, and myself, French Caldwell. And if you want to stretch a bit and get into the relationship of risk management and business performance management, how about talking to some of my colleagues in 1-1 — particularly, Michael Smith and Michelle Cantara.

And of course, if you don’t catch us here at Sym, my colleagues and I are always available for any GRC topic after symposium through Gartner inquiry.

Category: GRC, Risk Management, compliance

Systemic Risk in America — No More Bright Ideas

by French Caldwell  |  October 11, 2011

One characteristic of American recessions is an increase in innovation. People who are laid off start new businesses that challenge the market positions of their former employers with innovative offerings. Some of these new entrepreneurs will grow their businesses and go on to create new jobs for others.

No Bright Ideas

We all know people who’ve been in this situation, and most of us know some who’ve grown their businesses and hired others. I’ve regretted at times not joining with a friend who had a great idea and has grown a successful firm.

But what happens when this engine of growth stops?  We would be in uncharted territory, wouldn’t we?  According to a report by Challenger, Gray and Christmas, an outplacement firm, that’s exactly where we are.  Entrepreneurship in America has stalled.  This situation is a systemic risk that, if ignored by policy makers, could chart a new and less prosperous course for American innovation.  Perhaps now is the time to start removing barriers to would-be entrepreneurs.  Also, investors in start-ups might want to consider that right now there are fewer opportunities for investment — ideally, competition for putting money in the right places could increase, and that may encourage more entrepreneurs.

Category: Risk Management, Strategic Planning, public policy

Oracle Open World — Box Up Your Big Data and Whistle Your Problems Away

by French Caldwell  |  October 3, 2011

First of all — this post is just my personal observation on the opening of Open World and is not a Gartner position or statement.  I’ve tracked Oracle first as a KM analyst and now as a GRC analyst for 12 years now, and I’ve seen them grow from a data management focus to business focus, but Open World has me asking, where did the business solution focus go?

Got big data problems?  Got cloud angst?  Just put all your worries in a big iron box.  At least that’s what I took away after two hours of keynotes from Oracle and EMC executives this morning.  Big data and the cloud are euphemisms for huge information management and business challenges, but listening to the keynotes, you’d think it’s just a technical problem.  The proliferation of vast amounts of unstructured content, a revolution in IT provisioning models, and even digital-dependent revenue streams are not issues to be trifled with.  But at the opening of Open World, the dumbing down of these challenges is exactly what happened.  The vision communicated is that you can put it all in a big data box, or a BI machine.

Argh!!! — what has happened here?  Where’s some vision for businesses who need better analytics, better understanding of rapidly changing business environments in an uncertain economy, and definitely better advice on the business challenges and opportunities of emerging technology?

Category: Uncategorized

Are Your Auditors Truly Independent?

by French Caldwell  |  September 27, 2011

Headlining today’s Financial Times is a proposed European Commission rule to prohibit the Big Four audit firms from doing consulting work.  The idea is that consulting and other advisory work that a Big Four firm would do for your company could compromise the independence of the statutory audits — leading to less transparency for investors.

This concern dates back at least to the Enron failure, in which senior Enron executives and auditors from Arthur Andersen colluded to misrepresent Enron’s earnings.  In the aftermath of this and other corporate scandals ten years ago, Sarbanes-Oxley was enacted.  Ernst & Young, KPMG, and PWC divested themselves of much, but not all, of their non-audit advisory and consulting services.  Deloitte did not, and in many cases continued to do both audit and consulting work for the same clients.  Over the last four years, E&Y, KPMG and PWC have re-built their consulting arms.  Core audit work represents about 50% of Big Four revenue with the rest made up mostly of consulting and tax advisory.

Regardless of the merits of firms providing non-audit consulting and advisory services, or the merits of prohibiting them from doing so, the public policy concern over the independence of audit firms is real.  The financial crisis increased the public distrust of audit firms, who rightly or wrongly are blamed for not raising red flags about the practices of their financial services clients.

So how truly independent are your auditors?  Are they doing non-audit advisory or consulting at your firm?  In customer reference checks of Big Four firms who provide enterprise GRC consulting, I found that in some cases Big Four firms were doing both consulting and auditing.  Also, it was common for a Big Four firm to be engaged on the basis of a recommendation from one of the client’s executives or board members.  Competitive selection was not as common as an engagement originating from relationships — which certainly raises a question of independence, but not necessarily collusion with the auditors.

However, if you are concerned about conflicts of interests for your audit firm, real or perceived, there is a simple check that you can do.  Ask the senior audit partners to disclose in writing whether any part of their compensation or bonus, or that of other partners and managers on the audit team, is based on the non-audit work that their firm does or could do for your enterprise.  If any of their compensation or bonus is based in part on non-audit work, no matter how much you, senior executives or board members like the firm, simply don’t engage that firm for non-audit work.  And put that practice into written corporate policy.  That way, your auditors will be focused objectively on your audit, and not on trying to help grow the consulting work.

Category: Uncategorized, compliance, public policy

UBS Chief Says ‘Mea Culpa’

by French Caldwell  |  September 24, 2011

Mr. Oswald Gruebel blames himself for the UBS fraud and walks with no severance …

http://www.reuters.com/article/2011/09/24/us-ubs-idUSTRE78L7IB20110924

This is a complete turnaround from his first statement where he said it was not his fault – but good on him. Mr. Gruebel is setting the right tone for his peers – that’s good leadership, even though it follows folly.

After Tony Hayward saying he wanted his life back and Rupert Murdoch blaming everything on his minions, Mr. Gruebel’s decision to step down deserves some admiration.  He’s raised the bar for other execs — there are dire consequences to your career if you captain a ship that runs hard aground.

Category: Uncategorized

Make a Statement on the Proposed Google Privacy Consent Order

by French Caldwell  |  March 31, 2011

Shortly the Federal Trade Commission will publish in the Federal Register a proposed consent order as part of a settlement with Google with respect to privacy audits. The consent order comes about because of Google violating its own Gmail privacy policies when it launched Google Buzz. According to the FTC press release:

The proposed settlement bars Google from misrepresenting the privacy or confidentiality of individuals’ information or misrepresenting compliance with the U.S.-E.U. Safe Harbor or other privacy, security, or compliance programs. The settlement requires the company to obtain users’ consent before sharing their information with third parties if Google changes its products or services in a way that results in information sharing that is contrary to any privacy promises made when the user’s information was collected. The settlement further requires Google to establish and maintain a comprehensive privacy program, and it requires that for the next 20 years, the company have audits conducted by independent third parties every two years to assess its privacy and data protection practices.

The proposed order will be open for public comment until 2 May, and comments can be made here: https://ftcpublic.commentworks.com/ftc/googlebuzz/

Whatever you think of Google and its policies, this is your opportunity to shape future federal privacy regulations.  There’ve been various bills floating around on Capitol Hill for years, but none have made it into law.  Capitol Hill lawmakers are watching this settlement with interest.

Category: compliance, public policy