French Caldwell

A member of the Gartner Blog Network

Research VP
11 years at Gartner
15 years IT industry

French Caldwell is a vice president in Gartner Research, where he leads governance, risk and compliance research. Mr. Caldwell also writes and presents on knowledge management. His research includes analysis of the impact…

Oracle Open World — Box Up Your Big Data and Whistle Your Problems Away

by French Caldwell  |  October 3, 2011  |  1 Comment

First of all — this post is just my personal observation on the opening of Open World and is not a Gartner position or statement. I’ve tracked Oracle, first as a KM analyst and now as a GRC analyst, for 12 years, and I’ve seen them grow from a data management focus to a business focus, but Open World has me asking, where did the business solution focus go?

Got big data problems? Got cloud angst? Just put all your worries in a big iron box. At least that’s what I took away after two hours of keynotes from Oracle and EMC executives this morning. Big data and the cloud are euphemisms for huge information management and business challenges, but listening to the keynotes, you’d think it’s just a technical problem. The proliferation of vast amounts of unstructured content, a revolution in IT provisioning models, and even digital-dependent revenue streams are not issues to be trifled with. But at the opening of Open World, the dumbing down of these challenges is exactly what happened. The vision communicated is that the solution is to put it all in a big data box, or a BI machine.

Argh!!! — what has happened here? Where is the vision for businesses that need better analytics, better understanding of rapidly changing business environments in an uncertain economy, and definitely better advice on the business challenges and opportunities of emerging technology?

Category: Uncategorized

Are Your Auditors Truly Independent?

by French Caldwell  |  September 27, 2011  |  Comments Off

Headlining today’s Financial Times is a proposed European Commission rule to prohibit the Big Four audit firms from doing consulting work.  The idea is that consulting and other advisory work that a Big Four firm would do for your company could compromise the independence of the statutory audits — leading to less transparency for investors.

This concern dates back at least to the Enron failure, in which senior Enron executives and auditors from Arthur Andersen colluded to misrepresent Enron’s earnings. In the aftermath of this and other corporate scandals ten years ago, Sarbanes-Oxley was enacted. Ernst & Young, KPMG, and PwC divested themselves of much, but not all, of their non-audit advisory and consulting services. Deloitte did not, and in many cases continued to do both audit and consulting work for the same clients. Over the last four years, E&Y, KPMG and PwC have rebuilt their consulting arms. Core audit work represents about 50% of Big Four revenue, with the rest made up mostly of consulting and tax advisory.

Regardless of the merits of firms providing non-audit consulting and advisory services, or the merits of prohibiting them from doing so, the public policy concern over the independence of audit firms is real. The financial crisis increased public distrust of audit firms, which, rightly or wrongly, are blamed for not raising red flags about the practices of their financial services clients.

So how truly independent are your auditors? Are they doing non-audit advisory or consulting at your firm? In customer reference checks of Big Four firms that provide enterprise GRC consulting, I found that in some cases Big Four firms were doing both consulting and auditing for the same client. It was also common for a Big Four firm to be engaged on the basis of a recommendation from one of the client’s executives or board members. Competitive selection was less common than an engagement originating from relationships, which certainly raises a question of independence, but not necessarily of collusion with the auditors.

However, if you are concerned about conflicts of interests for your audit firm, real or perceived, there is a simple check that you can do.  Ask the senior audit partners to disclose in writing whether any part of their compensation or bonus, or that of other partners and managers on the audit team, is based on the non-audit work that their firm does or could do for your enterprise.  If any of their compensation or bonus is based in part on non-audit work, no matter how much you, senior executives or board members like the firm, simply don’t engage that firm for non-audit work.  And put that practice into written corporate policy.  That way, your auditors will be focused objectively on your audit, and not on trying to help grow the consulting work.

Category: compliance, public policy, Uncategorized

UBS Chief Says ‘Mea Culpa’

by French Caldwell  |  September 24, 2011  |  Comments Off

Mr. Oswald Gruebel blames himself for the UBS fraud and walks with no severance …

http://www.reuters.com/article/2011/09/24/us-ubs-idUSTRE78L7IB20110924

This is a complete turnaround from his first statement where he said it was not his fault – but good on him. Mr. Gruebel is setting the right tone for his peers – that’s good leadership, even though it follows folly.

After Tony Hayward saying he wanted his life back and Rupert Murdoch blaming everything on his minions, Mr. Gruebel’s decision to step down deserves some admiration.  He’s raised the bar for other execs — there are dire consequences to your career if you captain a ship that runs hard aground.

Category: Uncategorized

Make a Statement on the Proposed Google Privacy Consent Order

by French Caldwell  |  March 31, 2011  |  Comments Off

The Federal Trade Commission will shortly publish in the Federal Register a proposed consent order as part of a settlement with Google with respect to privacy audits. The consent order comes about because Google violated its own Gmail privacy policies when it launched Google Buzz. According to the FTC press release:

The proposed settlement bars Google from misrepresenting the privacy or confidentiality of individuals’ information or misrepresenting compliance with the U.S.-E.U. Safe Harbor or other privacy, security, or compliance programs. The settlement requires the company to obtain users’ consent before sharing their information with third parties if Google changes its products or services in a way that results in information sharing that is contrary to any privacy promises made when the user’s information was collected. The settlement further requires Google to establish and maintain a comprehensive privacy program, and it requires that for the next 20 years, the company have audits conducted by independent third parties every two years to assess its privacy and data protection practices.

The proposed order will be open for public comment until 2 May, and comments can be made here: https://ftcpublic.commentworks.com/ftc/googlebuzz/

Whatever you think of Google and its policies, this is your opportunity to shape future federal privacy regulation. There have been various bills floating around on Capitol Hill for years, but none has made it into law. Capitol Hill lawmakers are watching this settlement with interest.

Category: compliance, public policy

WikiLeaks, Twitter and the Risks to Political Order

by French Caldwell  |  February 8, 2011  |  1 Comment

Arguably, if you are an authoritarian leader at risk of being deposed, you view the social media your opponents use to organize protests as a threat. On the other hand, if your supporters can use it to organize counter-protests, then you might see it as an opportunity. Perhaps this explains why Egyptians saw their Internet and cell phone services cut off and then turned back on; or maybe it was outside political pressure that got things turned back on, but I doubt it.

Politics and social media have become so intertwined that separation is impossible, for either side, and the political process will never be the same. But old political orders are most threatened.  WikiLeaks has bypassed traditional diplomacy and may have been the trigger for the changes we are witnessing in the Middle East.  And protesters are organizing spontaneously with Twitter and SMS.  In the U.S., traditional political parties have suffered while political movements like moveon.org and the tea parties are ascendant, and money is walking away from the parties and toward these new movements.  In authoritarian regimes, the political party and the government are a single entity, and if the political party suffers, then so does the government, even more so.  Still, authoritarian regimes are becoming as dependent on social media as their opponents (13,110 people “like” Vladimir Putin on Facebook — though he has inspired many spoof accounts), but they have more to fear from the change that the incorporation of social media into the culture brings.

All this raises critical questions — can governments really engage citizens effectively with social media, or are social media a way for citizens to bypass the traditional political process and thereby government?  If traditional governmental institutions for societal discourse are bypassed, what results — e-democracy or e-anarchy?

Category: Risk Management

Learning from Aunt Elsie

by French Caldwell  |  January 25, 2011  |  Comments Off

Aunt Elsie never went to the grocery store.  She’d call in her grocery list over the phone, and the grocer would deliver.  One day in the 1950s, Aunt Elsie called my grandmother and said, “Emily, do you ever shop at a supermarket?”  My grandmother said of course she did, and Aunt Elsie asked to accompany Granny on her next trip to the supermarket.

So a week later Aunt Elsie and Granny go to the supermarket, and Aunt Elsie is amazed at the variety of products available.  Walking down one aisle, Aunt Elsie hands a jar to Granny and exclaims, “Look at this Emily, they’re making butter out of peanuts!”

I’m sure many risk managers see the Aunt Elsie syndrome every day, and it can be a bit irritating. What you have known for years, that how well risks are managed profoundly affects every process and every business objective, is only now being learned by others.

When she went to the supermarket, Aunt Elsie saw all the possibilities that she had never before considered.  And now I see some retailers like Amazon and Walmart are rediscovering the business model of home delivery of groceries, and making it economically feasible. And unlike in Aunt Elsie’s time, you don’t have to go to a physical supermarket to be exposed to new products, or new recipes for old products.  This is a great example of how to turn the Aunt Elsie syndrome into a new revenue stream.

Risk management is poised to revolutionize business in the same way that e-commerce and customer relationship management have.  And perhaps even more profoundly, as it is so closely tied to governance and has the potential to affect how decisions are made and how businesses are run.  As analytics, monitoring, and other business intelligence and business process management technologies are applied to risk management, it is going to profoundly change what is possible.

Are you ready for your profession to become as important to the rest of the business as financial management is?  If not, you could well be replaced by energetic new people with fresh ideas on how to apply risk management to generate new opportunities and new revenue.  Look for risk as opportunity to be a key theme of the Risk Management Program at Gartner’s Security and Risk Management Summit this June.

Category: Risk Management

Crisis Management Is What You Do When Risk Management Fails

by French Caldwell  |  January 21, 2011  |  Comments Off

In the drugstore the other day, my wife was searching for Tylenol Cold and Flu.  She insists that’s the only thing that works when she has a cold and with the onset of winter she wanted to make sure the medicine cabinet was stocked.  We searched and searched, but where almost any Tylenol product was supposed to be the shelves were empty.  She was just about to buy the store brand, but finally in the back behind some other products she found the Tylenol.

Many consumers are finding the same problem: the shelf spaces for many Johnson & Johnson brands are empty. Due to quality assurance problems, the company has temporarily halted production lines for many of its products. Not all consumers have as much brand loyalty as my wife, and they are quickly turning to store brands. The question is: once it resolves the QA issues, will J&J get them back?

Brands are meant to help consumers make a decision without having to think very hard about what goes into creating the goods or services that are covered by the brand. A drug brand means that the consumer doesn’t have to think about whether the manufacturing process is controlled well enough to provide the right dosage and to keep out contaminants. If the brand is damaged and the consumer does have to think about those types of things, then why not just buy the cheaper store brand?

J&J wrote the playbook on crisis management, and they are held up as the model in risk management circles for what to do in a crisis. In this latest crisis, they’ve pulled products and halted production lines until they get the problem solved. There was an embarrassing incident of stealth recalls, but overall McNeil-PPC, the J&J subsidiary involved, is following the playbook J&J wrote during the Tylenol scare three decades ago.

Toyota too followed that playbook last year, halting sales of its vehicles. And so did BP with the Gulf oil spill. Competitors in each case are taking advantage of the situation, and none of these incidents has been without embarrassing gaffes and delays. Class action lawsuits are adding to the costs.

There are certainly a lot of lessons to be learned from each of these incidents and the case studies will fill issues management texts for years.  One key lesson that must not be overlooked is that if you add quality to your brand, or green to your brand, or fair trade to your brand, your intention may be to add value to the brand, but you are also adding new risks to the brand.  Ensure you understand and can manage the risks of whatever you tie to your brand.  Crisis management is what you do when risk management fails.

Category: Risk Management, Strategic Planning

Does Your Board Know Its ABCs?

by French Caldwell  |  October 27, 2010  |  Comments Off

Anti-fraud, -Bribery, -Corruption. New ABC laws and accelerating enforcement of old ones were the messages from attorney Mark Mendelsohn at the Washington, DC, meeting of the Directors Roundtable Wednesday morning. Mark is with law firm Paul Weiss and is a former Department of Justice prosecutor who until six months ago headed up the team responsible for enforcement of the Foreign Corrupt Practices Act. Mark cited new whistleblower incentives in Dodd-Frank, the broad-reaching U.K. Anti-Bribery Act that goes into effect April 2011, and international cooperation of ABC regulators as just some of the trends that corporate boards must pay attention to.

And as soon as I got back in the office, I saw a news article about GlaxoSmithKline’s $750,000,000 settlement with the Department of Justice — and the whistleblower got $96,000,000! Such a large payout to a whistleblower is unprecedented, but under the new Dodd-Frank rules, it will become the norm.

So boards now have massive incentives to pay attention to ABC compliance.  I expect much more emphasis from legal departments on getting the IT organization involved with technologies that can monitor automatically for potential violations of ethics policies, and Legal GRC solutions which can help corporate compliance officers and general counsels better manage their ABC compliance.

There will be more on this new ABC role for the IT organization in future Gartner research, including an update to the 2009 Hype Cycle for Legal and Regulatory Information Governance which should publish in the next couple of weeks.  In the meantime, check out the 2010 Hype Cycle on Regulations and Related Standards for the impact of regulatory risks, and the 2010 Hype Cycle on GRC Technologies for the broad view of technologies being applied for risk management and compliance.  I’m also seeing more interest from legal departments in Enterprise GRC Platforms which can help corporate compliance officers and general counsels to track the impact of regulatory changes and ensure that employees and business partners have attested to ABC and ethics policies.

Category: Uncategorized

New BITS Guidance on Evaluating Risks in the Cloud

by French Caldwell  |  October 20, 2010  |  1 Comment

One of the biggest barriers to growth in the cloud services marketplace is uncertainty about the risks. In its latest white paper, Evaluating Cloud Computing Risk for the Enterprise, BITS, which manages the Shared Assessments Program (a vendor risk management standard), provides a framework for assessing cloud risks and determining the appropriate controls. To start with, BITS differentiates the controls for traditional IT services models from those required to address cloud risks:

1. Common Cloud Controls: These are mature control areas associated with traditional IT services environments that are also applicable to cloud-based services, and whose audit mechanisms are considered mature.
2. Delta Cloud Controls: These are higher-risk control areas that have particular relevance to cloud environments, and whose cloud audit mechanisms are less mature.

In the new guidance, BITS also provides assessment considerations for Delta Cloud Controls in 12 categories:

1. Multi-Tenant Platforms
2. Multi-Client Prioritization
3. Agile Delivery
4. Virtualization
5. Data Location, Cloud Layers and Cloud Providers
6. Cloud Management: Roles and Division of Responsibilities
7. Contracts, Data Privacy and Jurisdictional Issues
8. Identity and Log Management
9. Web Application Security
10. Cloud Vendor Interdependence and Governance
11. Data Retention, Management, Recovery and Destruction Cycles
12. E-Discovery and Forensics

This work by BITS complements the Shared Assessments Program, which provides overall guidance for evaluating the risks of traditional and cloud service providers. It should go a long way toward enabling effective risk assessments of cloud services, thus beginning to lower the biggest market barrier for cloud providers. BITS makes no claim that this new cloud risk evaluation guidance is exhaustive, but it’s a good start, and enterprises should use it as an element of their cloud strategies and vendor risk management efforts.

Category: Uncategorized

Enterprise GRC Platforms Market Getting More Demanding

by French Caldwell  |  October 13, 2010  |  Comments Off

The 2010 Enterprise GRC Platforms Magic Quadrant is quite surprising in the number of vendor moves from one quadrant to another.  The main reason for this shift is the increasing number and complexity of functions demanded by buyers.  GRC has always been a tough slog for vendors — the goal is to have a platform that satisfies a number of internal buyers, each engaged in different compliance and risk management activities, but all having the common goals of improving business performance and corporate governance.  Certainly many of the users have goals short of the overall corporate objective, such as improving IT governance, getting the SOX group off of spreadsheets, or improving the productivity of internal auditors — but in the end, improving corporate governance is the ultimate goal, with the idea that better governance should improve the ability of the enterprise to achieve its business objectives.

But something is happening along the way. Since so many activities have a direct tie-in to corporate governance (and what doesn’t?), there are more and more functions that the enterprise GRC platform needs to support. Some of the vendors are moving into the IT GRC management area, and you can see several of them in the Gartner IT GRCM MarketScope. Others are adding more quantitative analytics to engage more directly with the financial services market and to meet the increasingly sophisticated needs of risk management professionals in all industries. Being able to report risk-adjusted business performance is encouraging the ERP vendors and even best-of-breed vendors to add performance management capabilities, and the related emphasis on business process is reflected in GRC offerings from BPM vendors. Demand for advanced reporting is driving GRC vendors to integrate their offerings with leading BI vendors, and leading BI vendors to advance their own positions in the GRC market. Vendors are also adding boatloads of specialized capabilities such as vendor risk management, business continuity planning, and industry-specific compliance. Content is also becoming a significant differentiator, and the three major content services vendors have GRC software strategies.

A big question for the future of this market is whether the vendors can satisfy multiple buyers (internal audit, enterprise risk management, corporate compliance, finance, IT, legal, and the board) on a single platform. The vendors in the 2010 Enterprise GRC Platforms Magic Quadrant each have strengths in how they are approaching this challenge. Still, no single vendor meets all the market challenges, and since the market continues to get more demanding, none is likely to do so for some time yet. So there remains the prospect that the market could split along key differentiators such as quantitative capabilities, content services, and buying-center-specific characteristics.

Category: Uncategorized