Annual Performance Reviews – love or hate ’em?


The time between Thanksgiving and the Holiday Season break is most typically when companies review their employees’ performance. Most everyone has their views on Annual Performance Reviews since we are all involved either as a reviewer or reviewee. I created the following poll on LinkedIn to gauge what people thought about the annual review process – take a look here. I was very surprised by the results.

The post today is not a lesson in Human Resource Management, but I do often think about how people in Compliance, Legal and Information Security are really reviewed in terms of their job performance. In sales it’s easy – how much did you sell?

The conversation for a Compliance Officer or a Chief Security Officer is more complicated – how many FCPA infractions did you investigate or how many security breaches did you uncover? These roles are about protection and prevention and for the most part the teams operate in stealth mode and are seen to be doing their best work when nothing bad is happening. So a good performance review is about “nothing bad happened or nothing bad was uncovered”. Right? Wrong!

The best Compliance or Security Officers are actually “looking for bad stuff”, they are not sitting back complacently believing that their fort is secure. The very fact that “bad stuff has not happened” is the very reason to look harder. They are pre-emptive or pro-active and their mantra is to “find bad stuff before it happens”. Lofty aspirations, perhaps?

So shouldn’t performance be [at least partly] measured on vigilance and awareness rather than simply policies, processes and how well a team reacts to bad stuff as and when it happens?

Believe it or not we come across the “don’t tell me what I don’t want to know” attitude every day. Catelas has an ability to look inside the business and monitor, yes monitor, how business gets done. Or more accurately we visualize the communications patterns of a company to understand “who knows who” and “how well”. For compliance and security groups we are used as a monitoring solution to better understand company relationships – who in my company has relationships with X, where you can fill in the blank X to be competitor, press, government official, etc.

But my point is that for many companies we often have to water down the “monitoring” term because our audience (the Compliance or Security Officer) does not want to look deeper than the job dictates. They are not interested in pro-actively seeking out potentially bad stuff for fear of finding something. Sure I understand that these teams are maxed out or are operating within the Risk Profile of their company, etc., but in this age of Whistle-blowers and Self-Reporting, I honestly believe that the CCO in particular needs to step out of his or her comfort zone and start being more proactive. Blind ignorance is no longer an excuse.

What do you think?

Internal Investigations continue to rise


The latest Fulbright & Jaworski Litigation Trends Survey is out – slightly less litigation in 2011 compared to 2010, yet the cost of litigation per company rose. However, regulatory actions and internal investigations are climbing.

The report also reveals that whistle-blowers remain a concern in the coming year, stating that one-quarter of respondents anticipate an increase in the number of claims or lawsuits brought by whistle-blowers next year. This year, 22% of respondents said their organizations were subjected to whistle-blower allegations. I suspect that this percentage has been increasing steadily over the last few years, but 25%!!! That certainly registers on the “take-notice” meter.

I also listened to a TechLaw10 podcast #42 this week, where Jonathan Armstrong was talking about the many challenges of internal investigations… more regulations, businesses being more global, more value on corporate data, more employee turnover. This last one certainly resonated – the work force of today statistically averages 2.2 years per company, a far cry from our Dads’ generation when jobs were for life. Whether people today are stealing corporate secrets more than they were before is not the issue; but the chance of this happening is significantly higher simply because people move around more and it is much easier to ‘take’ secret data with you.

All put together, I sense the perfect storm brewing to corroborate this trend of increasing investigations.

So to the people who actually have to do the work and respond to this trend, my question is how are you coping? In this economy it is not simply a case of asking General Counsel for a bigger budget – more people and more technology. It’s more complicated than that. It requires putting together a well thought out “mini-business plan” – what are the key areas of focus, how do you prioritize investigations, when and how do you deploy resources (locally and internationally), what policies and processes do you have to train and educate employees, etc. And of course if additional resources are required they need to be justified via an ROI calculation. This last piece is absolutely key – coming from the sales side, believe me, sales commissions are directly proportional to a customer’s ROI.

Faced with an increase in internal investigations, the key is to use technology to your advantage – at Catelas, we are all about upfront intelligence – arming you with the facts about a case as early as possible, so that you can prioritize your investigations, spending time on the important, not the trivial, ones, collecting only the relevant data specific to that investigation and thereby saving time and cost per investigation.

If you are interested in learning more, look here.

A new age of Whistle-Blowers


I read an interesting article last week by Joelle Scott about the “secret” whistle-blower at BNY Mellon. It turns out that Grant Wilson was the undercover whistle-blower who detailed how the bank had allegedly overcharged investors in their currency trades and defrauded investors for years.

This from the article… “So what is shocking about the BNY whistleblower is not that he exists but rather that he worked in conjunction with attorneys, regulators and fraud heroes to provide evidence for a massive lawsuit against his employer (the Justice Department and the NY Attorney General are seeking over $2 billion from the bank). This is almost as shocking as when the government used wiretaps to confirm and reveal the enormous insider-trading ring orchestrated by Raj Rajaratnam and his cohorts.”

In a shady world of fraud and corruption, law enforcement is to be applauded for making inroads by planting undercover agents into corporations or getting increased help from insiders.

But coming from the Information Security business, it does make me think about the people we work with that we take for granted on a day-to-day basis. Not if they are potential whistle-blowers, but the opposite. Are any of these colleagues working on the dark side: do they have relationships with corrupt organizations, are they providing sensitive information to competitors? Do they have relationships that might be harmful to the company? Bar a cursory background check when an employee enters a company, the truth is, we really don’t know.

Worse, we only potentially find out once a crime has been committed, long after the horse has bolted from the stable.

And that is why Catelas is all about Relationships – it all comes down to ‘who you know’.