Looking to Engage, Empower, Achieve, or Improve, and Processes or Structure – Risk Management and COSO 2017 Enterprise Risk Management (ERM) Should Interest You

This post might also be called: why risk management should interest you as an employee, employer, student, educator, product or service provider, executive officer, director, or anyone who is trying to achieve or improve something.

I read a fair number of articles discussing the benefits of engaging and empowering employees and other people. But I see far fewer articles discussing a structure or processes for when employees or people are empowered or engaged. Let me suggest that you use risk management and the COSO 2017 enterprise risk management (ERM) framework to add structure or processes to your engagement, empowerment, etc.

Risk management and the COSO ERM framework are premised on identifying objectives, and then designing and implementing steps, or actions, or processes, or tasks to succeed in satisfying those objectives. So, just as examples, the framework can be used if you are dealing with a product or a service and if you are an employer, or an employee, or a supplier or vendor, or if you are an educator or a student, or if you are putting on an event or you are going to be a presenter at an event, or whatever, etc. And the framework can be used, as examples, to design or make a better or successful design, product, service, event, presentation, innovation, or learning experience, or to increase safety, or to increase efficiency or effectiveness, or to better get your message or point across, or to increase engagement and empowerment, or whatever, etc.

Most likely you already do some form or manner of risk management or enterprise risk management for some objectives, or perhaps for many objectives. Sometimes risk management is required, such as the requirement that boards and audit committees engage in oversight of risk management for at least some business entities, which also of course means that the entity must have some manner of risk management to oversee. And sometimes risk management processes are required for certain specific products, services, industries, or other situations, and may also involve compliance with laws, statutes, regulations, rules, etc.

Risk management and enterprise risk management should be integrated into the organization’s regular, ongoing and constant day-to-day activities and decision making processes to achieve strategies, objectives and tasks successfully – risk management and enterprise risk management should not be viewed as separate or standalone processes that occur only on an occasional or periodic basis.

Here is a link to the COSO enterprise risk management page, https://www.coso.org/Pages/erm.aspx

Below see also my Overview Of A Risk Management Process That You Can Use, a listing of the COSO Enterprise Risk Management (ERM) framework components and principles, and a summary of the framework implementation tiers (i.e., the extent to which an entity has implemented risk management) for the National Institute of Standards and Technology (NIST) Framework For Improving Critical Infrastructure Cybersecurity.

David Tate, Esq.

 

 

 

HR and Internal Audit – Both Trying to Earn More Respect and a Place at the Table – Suggestions . . . .

I have provided below two links, one to an article by the Society for Human Resource Management (SHRM), and the other by Internal Audit 360.

The SHRM article discusses HR’s desire for a place at the C-Suite table, the difficulties that HR is having getting there, and suggestions that might help.

The Internal Audit 360 article discusses the possibility of Internal Audit becoming involved in auditing (internally) the status of sexual harassment and culture at the entity. For years I have read articles about Internal Audit wanting to become more useful, valued and respected, and to become more than a function that audits after the fact.

HR is instrumental for day-to-day operations, and is looking for a seat at the C-Suite table. HR is or has the opportunity to be involved with the culture of the entity.

Internal Audit generally isn’t thought of as being instrumental for day-to-day operations, but Internal Audit should already have an invitation to help the Audit Committee with its oversight responsibilities; should already meet with, report to and in some manner help the C-Suite; and might meet with the Board. Nevertheless, Internal Audit is primarily thought of as a function that audits financial operations, internal controls, fraud and sometimes aspects of risk management. The new 2017 COSO ERM (enterprise risk management) framework lists culture and governance as the first and most important components of enterprise risk management. Thus, the door might be open for Internal Audit to become involved in (internally) auditing culture and the various aspects of culture. You will find more of my prior posts about 2017 COSO ERM and risk management processes at http://lawriskgov.com

I have suggestions for HR. Read the SHRM article linked below – it is a good article, with at least broad suggestions to better help HR position itself as a valued function and get to the C-Suite table. Additionally, I suggest that HR also at the same time aim for meeting with the Audit Committee or Risk Management Committee, and the Board, on issues relating to “culture” and the Company’s reputation with employees and as an employer – and also promote, promote, promote yourself. Directors are interested in the entity’s culture and reputation as an employer, at least currently, and hopefully on into the future.

I also have suggestions for Internal Audit. Read the SHRM article. And, if you want to be involved in the internal audit of culture, governance, risk management processes, sexual harassment, or similar issues, actions and activities, get busy establishing your qualifications and knowledge in those areas, develop criteria and an audit plan in at least one (or more) of those areas that will provide worthwhile value to executive management and Directors – and promote, promote, promote yourself.

HR and Internal Audit might also consider discussing together areas of similar interest with a view toward combining or collaborating their different but compatible strengths and areas of experience.

Here is the SHRM article. SHRM – for HR – How to Earn the Trust of Your CEO – HR is Losing the Confidence of the C-Suite, click on the following link for the discussion, https://www.shrm.org/resourcesandtools/hr-topics/employee-relations/pages/hr-is-losing-the-confidence-of-the-c-suite-.aspx

Here is the Internal Audit 360 article. Internal Audit 360 – sexual harassment issues rooted more in culture than policy, click on the following link for the discussion, https://internalaudit360.com/sexual-harassment-issues-rooted-more-in-culture-than-policy/

Best to you, David Tate, Esq. Royse Law Firm, with offices in northern and southern California

The following is a summary of the 2017 COSO ERM framework components:

COSO Enterprise Risk Management Framework ERM Components and Principles

Additional materials of interest:

Audit Committee 5 Lines of Defense 10222017 David W. Tate, Esq. jpg

 

NIST Cybersecurity Framework Tiers Summary

The Business Judgment Rule

In summary, as a general principle the business judgment rule provides that a director should undertake his or her duties:

-In good faith, with honesty and without self-dealing, conflict or improper personal benefit;

-In a manner that the director reasonably believes to be in the best interests of the corporation and its shareholders; and

-With the care, including reasonable inquiry, that an ordinarily prudent person in a like position with like expertise would use under similar circumstances. The rule itself doesn’t require a particular level of expertise, knowledge or understanding; however, as you might be aware, public company audit committee members do have such a requirement, and you can at least argue that, depending on the facts and circumstances, a board or committee member should have or should obtain a certain unspecified level of knowledge or understanding to be sufficiently prepared to ask questions, evaluate information provided, and make decisions.

Reliance Upon Other People Under the Business Judgment Rule

In the course and scope of performing his or her duties, a director must necessarily obtain information from and rely upon other people. An independent director is not involved in the day-to-day operations of the business. The director provides an oversight function. Pursuant to the business judgment rule, a director is entitled to rely on information, opinions, reports or statements, including financial statements and other financial data, prepared or presented by any of the following:

-Officers or employees of the corporation whom the director reasonably believes to be reliable and competent in the relevant matters;

-Legal counsel, independent accountants or other persons as to matters that the director reasonably believes are within the person’s professional or expert competence; or

-A committee of the board on which the director does not serve, as to matters within that committee’s designated authority, so long as the director acts in good faith, after reasonable inquiry as warranted by the circumstances, and without knowledge that would cause reliance to be unwarranted.

 

We need a new push for civility in how we communicate with, and in how we physically and mentally treat each other – audio and text

Note: I originally posted this to http://lawriskgov.com on November 21, 2017 – it certainly is still relevant today!

See audio and text of this post below.  David Tate, Esq.


Text:

Hello, I’m David Tate. I’m a California litigation attorney, and I also handle governance and risk management.

We need a new push for civility in how we communicate with, and in how we physically and mentally treat each other.

Do these ring a bell:

Name calling;

Gross hyperbole, unsupported assertions, or mischaracterizations; or

Destructive talk for no other purpose except to denigrate, disparage, vilify, belittle, bully or demonize the other person or argument?

This is a tough topic because generally, and constitutionally, people are entitled to their right of opinion, expression and communication or speech, and the manner in which they do it – people legitimately do express themselves and act in different manners, as long as it isn’t unlawful.

And people are entitled and encouraged to advocate for their positions. Indeed, if you don’t advocate, your voice will not be heard.

Censorship, and regulating speech in general, are not the answer as they can tend to lead to oppression or at least suppression of speech, ideas, information and communication.

Often there is no clear bright line over which people should not cross in their communications. Sometimes those issues end up in court before a jury.

I’m just saying that with all-the-time, instantaneous 24-hour news and social media, and with what I am hearing and seeing daily, it seems clear that we need a new push for civility in how we communicate with, and in how we physically and mentally treat each other.

And I would like to see all of us, including people who are in positions of leadership or power, and who should have integrity, make that push and encourage others to also do so.

Who knows, maybe there will be a new interest in teaching and learning oral and written communication and persuasion methods and techniques, and in spotting false, misleading or unsupported techniques and arguments.

That’s all for now. You need to consult with an attorney or appropriate professional about your situation. This blog post or video or audio is not an advertisement or solicitation for services inside or outside of California. Thanks for listening, reading or viewing.

David Tate, Esq., Royse Law Firm, Menlo Park, California office, with offices in northern and southern California. http://rroyselaw.com

New York City Adds Law Requiring Reasonable Accommodation “Cooperative Dialogue” And Documentation

I have copied and pasted below the recently enacted New York City Local Law requiring the parties (in situations of employment, housing and public accommodations) to engage in “cooperative dialogue” about reasonable accommodations for the various situations listed, including, for example, for disability, pregnancy and childbirth, religious, and domestic violence needs and situations.

In particular, even if your situation is not covered by New York City law, I believe you will find interesting the definition of “cooperative dialogue” and how the cooperative dialogue should be conducted and documented. On those two points, the law provides as follows:

Cooperative dialogue. The term “cooperative dialogue” means the process by which a covered entity and a person entitled to an accommodation, or who may be entitled to an accommodation under the law, engage in good faith in a written or oral dialogue concerning the person’s accommodation needs; potential accommodations that may address the person’s accommodation needs, including alternatives to a requested accommodation; and the difficulties that such potential accommodations may pose for the covered entity.

* * * * * *

(d) Upon reaching a final determination at the conclusion of a cooperative dialogue pursuant to paragraphs (a) and (c) of this subdivision, the covered entity shall provide any person requesting an accommodation who participated in the cooperative dialogue with a written final determination identifying any accommodation granted or denied.

(e) The determination that no reasonable accommodation would enable the person requesting an accommodation to satisfy the essential requisites of a job or enjoy the right or rights in question may only be made after the parties have engaged, or the covered entity has attempted to engage, in a cooperative dialogue.

The law enacts reasonable accommodation “cooperative dialogue” and documentation requirements that are more specific than the currently existing law. We will see if such specific requirements are similarly enacted by California statewide, or by local cities in California.

Best to you,

David Tate, Esq.

————————————————————————————————–

Below is the recently enacted New York City Local Law:

To amend the administrative code of the city of New York, to require covered entities to engage in a cooperative dialogue with persons who are or may be entitled to reasonable accommodations

Be it enacted by the Council as follows:

Section 1.  Section 8-102 of the administrative code of the city of New York is amended by adding a new subdivision in alphabetical order to read as follows:

Cooperative dialogue. The term “cooperative dialogue” means the process by which a covered entity and a person entitled to an accommodation, or who may be entitled to an accommodation under the law, engage in good faith in a written or oral dialogue concerning the person’s accommodation needs; potential accommodations that may address the person’s accommodation needs, including alternatives to a requested accommodation; and the difficulties that such potential accommodations may pose for the covered entity.

§ 2. Section 8-107 of the administrative code of the city of New York is hereby amended by adding a new subdivision 28 to read as follows:

28. Reasonable accommodation; cooperative dialogue.

(a) Employment. It shall be an unlawful discriminatory practice for an employer, labor organization or employment agency or an employee or agent thereof to refuse or otherwise fail to engage in a cooperative dialogue within a reasonable time with a person who has requested an accommodation or who the covered entity has notice may require such an accommodation:

(1) For religious needs as provided in subdivision 3 of this section;

(2) Related to a disability as provided in subdivision 15 of this section;

(3) Related to pregnancy, childbirth or a related medical condition as provided in subdivision 22 of this section; or

(4) For such person’s needs as a victim of domestic violence, sex offenses or stalking as provided in subdivision 27 of this section.

(b) Public accommodations. It shall be an unlawful discriminatory practice for any person who is the owner, franchisor, franchisee, lessor, lessee, proprietor, manager, superintendent, agent or employee of any place or provider of public accommodation to refuse or otherwise fail to engage in a cooperative dialogue within a reasonable time with a person who has requested an accommodation or who the covered entity has notice may require an accommodation related to disability as provided in subdivision 15 of this section.

(c) Housing accommodation. It shall be an unlawful discriminatory practice for an owner, lessor, lessee, sublessee, assignee, or managing agent of, or other person having the right to sell, rent or lease or approve the sale, rental or lease of a housing accommodation, constructed or to be constructed, or an interest therein, or any agency or employee thereof to refuse or otherwise fail to engage in a cooperative dialogue within a reasonable time with a person who has requested an accommodation or who the covered entity has notice may require an accommodation related to disability as provided in subdivision 15 of this section.

(d) Upon reaching a final determination at the conclusion of a cooperative dialogue pursuant to paragraphs (a) and (c) of this subdivision, the covered entity shall provide any person requesting an accommodation who participated in the cooperative dialogue with a written final determination identifying any accommodation granted or denied.

(e) The determination that no reasonable accommodation would enable the person requesting an accommodation to satisfy the essential requisites of a job or enjoy the right or rights in question may only be made after the parties have engaged, or the covered entity has attempted to engage, in a cooperative dialogue.

(f) Rights and obligations set forth in this subdivision are supplemental to and independent of the rights and obligations provided by subdivisions 3, 15, 22 and 27. A covered entity’s compliance with this subdivision is not a defense to a claim of not providing a reasonable accommodation under provisions of title 8 other than this subdivision.

Factors Influencing Corporate Culture – Chart From The IIA – Plus, Let’s Agree Upon Sample Culture And Governance Audit Programs

Passing this along, a chart from the Institute of Internal Auditors, identifying factors that influence corporate culture. I’m not sure about some of the ranking – particularly training and enforcement through disciplinary measures – it seems to me that those two categories would be ranked higher, and at about the same level as the establishment of a code of conduct (i.e., immediately below the first two ranked factors). Just comments for thought.

This chart came from a discussion about how to audit culture, and that it can be audited. As noted, for years auditors have tended to stay away from auditing culture, and I’ll also add governance as an audit area that auditors, internal and external, tend to stay away from, which is really perplexing since for years it has been known that culture is an important indicator of the possibility of fraud and unlawful acts. But, if I’m not mistaken, from my years of audit, when designing or planning the audit, doesn’t the external auditor already to some extent do an evaluation of and take into consideration the estimated reliability of the financial recordkeeping processes and internal controls – and wouldn’t that, or doesn’t that, or shouldn’t that, already to some extent take into consideration aspects of culture and governance?

Now both the COSO 2013 internal control framework and the new 2017 COSO enterprise risk management (ERM) framework list culture and governance as important framework criteria. Culture and governance are the first, underlying criteria in the new COSO ERM framework. And many other organizations are now promoting culture, including the National Association of Corporate Directors. Risk management and enterprise risk management should not be viewed as separate or standalone processes occurring on an occasional or periodic basis – instead, they should be integrated into the ongoing and constant decision making processes for achieving identified objectives.

LET’S NOW HAVE A PUBLIC DISCUSSION TO DEVELOP CRITERIA AND STEPS FOR SAMPLE AUDIT PROGRAMS FOR (1) CULTURE AND (2) GOVERNANCE!

And, I say a “public discussion” because public and private businesses, nonprofits and governmental entities, and their auditors, will then have criteria to try to meet or exceed. Note, however, that I am not advocating that the criteria and steps create a legal standard. Internal controls and risk management design are highly discretionary – any effort to create a broad legal standard, other than, for example, the business judgment rule, will be met with extreme resistance, and most likely failure and an inability to move these topics forward.

So . . . if you are an internal auditor, or an external auditor, how would you, or how do you, describe to management and the audit committee, and perhaps the board, the steps that you would take to audit the entity’s culture and the entity’s governance?

 

See also my blogs at http://californiaestatetrust.com and at http://lawriskgov.com/

 


Claim for violation of nondisclosure agreement must establish that the information disclosed was true

Nondisclosure agreements are in the news. Here’s an interesting aspect of making a claim that a nondisclosure agreement was violated – plaintiff’s claim for violation of a nondisclosure agreement must establish that the alleged wrongful disclosure was of confidential but true information, which was covered by the nondisclosure agreement. Of course, there are also other important issues relating to whether or not a nondisclosure agreement was breached – such as, for example, whether the holder of the privilege (e.g., the plaintiff employer) can actually prevent the disclosure, or reporting of the information to all sources or just some sources (such as, for example, to the police or to a regulatory entity or to the board of directors, compared to the press or the public), or whether, regardless of the existence of the nondisclosure agreement, the person disclosing the information has standing and a right to bring a legal action relative to the event or occurrence from which the information arose (such as, for example, in a situation of alleged unlawful discrimination or harassment).

See, e.g., Glassdoor, Inc. v. Superior Court (2017) 9 Cal. App. 5th 623, which held:

“An employer cannot establish a claim for breach of a nondisclosure agreement unless it is prepared to prove, and does prove, that the defendant disclosed actual confidential information, i.e., that his or her statements were, in some relevant degree, true. Nothing in this record would sustain a finding that the CEO’s statements—reported by Doe inaccurately, according to MZ—had this effect.

MZ’s hesitation on this point may be understandable, because Doe’s supposed disclosures do not cast MZ in a favorable light. But MZ cannot be excused from the requisite showing merely because proving a prima facie case might be embarrassing to it. If Doe accurately disclosed company policy, or the CEO’s statements regarding that policy, it was incumbent upon MZ to present evidence to that effect. Instead it denied the accuracy of Doe’s report without identifying any real confidential information it might be understood to have disclosed. MZ therefore failed to establish a prima facie case predicated on Doe’s account of the CEO’s statements.”

As an additional requirement, in trade secret cases the holder of the secret (e.g., the plaintiff employer) is required to describe the trade secret so that the court and the defendant are sufficiently apprised of the confidential information that is alleged to have been wrongfully disclosed. Since the disclosure of that confidential information by the holder of the secret would mean that the trade secret information is no longer secret, and would therefore invalidate the holder’s entire case of trade secret secrecy, keeping that information confidential while also sufficiently disclosing it to the court and to the defendant is a requirement that must be carefully accomplished. Thus, for example, for California state court nondisclosure and trade secret cases, see also Cal. Civ. Code §3426.5, which states in part that the Uniform Trade Secrets Act requires the trial court to “preserve the secrecy of an alleged trade secret by reasonable means, which may include granting protective orders in connection with discovery proceedings, holding in-camera hearings, sealing the records of the action, and ordering any person involved in the litigation not to disclose an alleged trade secret without prior court approval.”

That’s all for now. Of course, each situation is different.

David Tate, Esq., Royse Law Firm, Menlo Park, California office, with offices in northern and southern California. http://rroyselaw.com