Do the Risks of Cloud Computing Outweigh Benefits?


The idea of cloud computing, or internet-based computing, has become very popular over the past few years with its innovative cost benefits and efficiency. And as more organizations look to switch from company-owned hardware to per-use service-based models, the benefits of cloud computing have been touted over and over again. But what about the risks?

Well, according to The Information Systems Audit and Control Association (ISACA), many feel the risks of such computing outweigh the benefits. In fact, 45% of those surveyed in ISACA’s first annual IT Risk/Reward Barometer survey feel that way. In addition:

The IT Risk/Reward Barometer found that only 10% of respondents’ organizations plan to use cloud computing for mission-critical IT services and one in four (26%) do not plan to use it for any IT services.

Consistent with this attitude is the appetite for overall IT-related risk in 2010. In the face of continued economic uncertainty and despite the potential to drive greater rewards, more than three-quarters of those surveyed believe that projects should offer the same or lower level of risk in 2010. Similarly, 79% will invest the same amount or only slightly more in risk management and compliance in 2010.

“The cloud represents a major change in how computing resources will be utilized, so it’s not surprising that IT professionals have concerns about risk vs. reward trade-offs,” says Robert Stroud, international vice president of ISACA and vice president of IT service management and governance for the service management business unit at CA Inc. “But risk and value are two sides of the same coin. If cloud computing is treated as a major governance initiative involving a broad set of stakeholders, it has the potential to yield benefits that can equal or outweigh the risks.”

The survey also revealed organizations’ attitudes and behaviors related to IT risk management. According to the IT professionals questioned, only 22% of organizations are very effective at integrating IT risk management with their overall business risk management. And, as usual, every organization employs people who further contribute to the company’s IT risks. The Barometer found that the top three high-risk ways in which employees contribute to risky business are:

  • Not protecting confidential work data appropriately (50%)
  • Not fully understanding IT policies (33%)
  • Using non-approved software or online services for their work (32%)

“Many employees are working around controls and using non-approved devices and programs so they have the tools they need to do their jobs,” said John Pironti, member of ISACA’s Certification Committee and president of IP Architects LLC. “Instead of prohibiting certain technologies, organizations should try to learn why their employees feel they need these technologies and train employees to use them safely.”

As with anything, proper training is essential to reducing inherent risks. As the popularity of cloud computing grows, organizations will be forced to step up their employee training while more responsibility will be placed on IT professionals. Is it all worth it? Is cloud computing worth the risk?


When Unpaid Internships Become Illegal

I’m not sure if you’ve heard, but times is hard on the boulevard. Even after some decent news on job creation in March that led President Obama to say “we are beginning to turn the corner,” the unemployment rate remains at a troubling 9.7%. That’s a really, really bad number — particularly when you look at the level of growth still needed to make any significant dent in the jobless rate.

The economy needs to add more than 100,000 jobs a month just to absorb new entrants into the labor market, let alone provide a livelihood for the 15 million Americans already looking for work. Without constant, robust growth, the unemployment rate won’t budge. Indeed, the Congressional Budget Office has projected that the rate will hover around 10 percent for the rest of the year.

It is no surprise, then, that more and more out-of-work people are more and more willing to do anything they can if it might lead to a job. Even work for free.

Students and recent college grads have suffered through unpaid internships in hopes that the experience would lead to something better in the future. Heck, I did two in addition to working at my college newspaper for free. But the economic downturn has created an environment where many companies are seeing these opportunities more as a chance to get some free labor rather than provide educational opportunities for the future middle managers of America. And not only is this against the spirit of an internship — it is against the law.

Convinced that many unpaid internships violate minimum wage laws, officials in Oregon, California and other states have begun investigations and fined employers. Last year, M. Patricia Smith, then New York’s labor commissioner, ordered investigations into several firms’ internships. Now, as the federal Labor Department’s top law enforcement official, she and the wage and hour division are stepping up enforcement nationwide.

Many regulators say that violations are widespread, but that it is unusually hard to mount a major enforcement effort because interns are often afraid to file complaints. Many fear they will become known as troublemakers in their chosen field, endangering their chances with a potential future employer.

The Labor Department says it is cracking down on firms that fail to pay interns properly and expanding efforts to educate companies, colleges and students on the law regarding internships.

“If you’re a for-profit employer or you want to pursue an internship with a for-profit employer, there aren’t going to be many circumstances where you can have an internship and not be paid and still be in compliance with the law,” said Nancy J. Leppink, the acting director of the department’s wage and hour division.

As always (… OK … “as often”), we were out ahead of the curve on this story and ran a piece warning employers about unpaid internships waaaay back in July 2008. Joel W. Rice of the law firm Fisher & Phillips expected an increase in unpaid internships — for all the wrong reasons — as the economy faltered following the collapse of Bear Stearns and came up with the following guidance with regard to the Department of Labor’s six criteria for gauging whether or not an unpaid internship is legal.

In a nutshell, the spirit of the law is to ensure that the intern is getting more out of the experience than the employer, but Rice’s insights will help you recognize whether or not your internship program is kosher.

1. Is the training similar to that which would be given in a vocational school?

If the intern receives training in the types of skills or intellectual prerequisites for success in your field, it will increase the chances you satisfy this criterion. Certainly, if the internship is in conjunction with an academic program for which the intern is required to write a paper or provide periodic written reports, this will help satisfy DOL officials. If the intern is only performing basic clerical work, such as answering phones and handling mail, however, this would not be characteristic of vocational school training.

2. Is the training primarily for the benefit of the intern? Is there some indication that the intern is benefiting from the program, in terms of training, exposure to the industry and contacts for potential job opportunities?

If your interns are earning academic credit, this criterion is more than likely satisfied. The focus of the internship should not be upon the free labor that the intern is providing; it should be upon the educational benefit to the intern. Communications to the intern should stress the value of the program to them, not how valuable they are to you. Fairly or unfairly, your communications to the intern could convey the erroneous impression that the program is primarily for the company’s benefit.

3. Does the intern displace regular employees or work under their observation?

To the extent the intern is involved with tasks such as answering phones, delivering mail and other clerical activities, it could be perceived as lightening the workload of existing employees. If the intern is working under someone else’s close supervision, then displacement is less likely to be found. An individual should be assigned to observe, or at least periodically monitor, the intern’s activities.

4. Does the company derive immediate advantages from the intern’s activities?

To the extent the company is primarily utilizing the intern to get needed work accomplished, it looks like it is deriving an immediate economic advantage from the intern’s presence. Instead, to satisfy this component, there should be more of an emphasis on the learning opportunity for the intern, the training afforded by the company. It also helps if there is an indication that the company is committing some of its resources to such training, perhaps to the detriment of operations.

5. Is the intern entitled to a job at the conclusion of the training period?

Interns are often hopeful that the experience will lead to a position with the company. Understandably, many companies view the internship program as a low-risk opportunity to evaluate potential candidates for full-time employment. While it is permissible to give consideration to your interns when assessing your employment needs, there should be no guarantee of employment at the end of the internship.

6. Does the intern understand they are not entitled to wages for the training time?

This final part of the test is self-explanatory. The best practice would be to write this in an introductory letter to the intern on the nature of the program.

[Image: interns]

If you think this looks like “Free Labor,” the Department of Labor might want a word with you.

EPA Aims to Strengthen Drinking Water Regulations

Obviously, EPA chief Lisa Jackson has been reading the Risk Management Monitor.

Because yesterday, just on the heels of some extensive coverage by us on water quality concerns (this one last week from Emily and this post yesterday from me), the EPA announced a major shift in how it will regulate the nation’s drinking water, focusing specifically on protecting people from the potentially harmful chemicals that have become increasingly prevalent in recent decades.

EPA’s current approach to protecting drinking water involves assessing each individual contaminant, which can take many years, according to the agency. The new strategy seeks to achieve protections more quickly and cost-effectively with strategies like advanced treatment technologies that address several pollutants at once.

Additionally, Jackson said, the agency plans to use programs in tandem to address water pollution, rather than view them in so-called silos. Jackson said EPA can use the Federal Insecticide, Fungicide and Rodenticide Act, which regulates pesticides, as well as the Toxic Substances Control Act to assess the risk of chemicals and stop contaminants before they get into drinking water.

Jackson broke down the new strategy at the Association of Metropolitan Water Agencies’ annual conference.

The strategy, Jackson said, contains four key components: addressing contaminants in groups rather than individually, fostering the development of new treatment technologies, using multiple statutes to safeguard water supplies, and enhancing state and local partnerships.

In its official release, the EPA went into even more depth, identifying several substances that would now be put under more scrutiny through regulations.

In the newly finalized review of existing drinking water standards, EPA determined that scientific advances allow for stricter regulations for the carcinogenic compounds tetrachloroethylene, trichloroethylene, acrylamide and epichlorohydrin. Tetrachloroethylene and trichloroethylene are used in industrial and/or textile processing and can be introduced into drinking water from contaminated ground or surface water sources. Acrylamide and epichlorohydrin are impurities that can be introduced into drinking water during the water treatment process. Within the next year, EPA will initiate rulemaking efforts to revise the tetrachloroethylene and trichloroethylene standards using the strategy’s framework.

Of course, nothing has changed yet legally and until the environmental watchdog actually does “initiate rulemaking efforts,” the status quo will remain the status quo.

Notes the New York Times:

Until new policies and rules are unveiled, it is difficult to say precisely how these shifts will affect Americans. Some within the E.P.A. and Congress remain skeptical.

“There is a history of this agency making big announcements, and then changing very little,” said an agency regulator who was not authorized to speak to the media. “The real test will be to see how many new chemicals have been regulated six months from now.”

Currently, only 91 contaminants are regulated by the Safe Drinking Water Act, though more than 60,000 chemicals are used within the United States. No chemicals have been added to that list since 2000.

Rhetorically, it’s a good start. We will see how long it takes to actually make any difference.

And, as evidenced by the graphic below (found at I Love Charts), there isn’t a lot of time — or water — left to waste.

[Graphic: global water supply]

Bailed Out Execs Now Have a Salary Cap

Now that we all have universal health care (wait? It doesn’t really kick in for four more years? Oh), the White House has given us another piece of progress from the “probably should have happened a long time ago” file.

Yes, now that only a handful of companies are still benefitting greatly from public assistance, the administration has agreed to cap the pay for the top 25 executives of the five companies “still receiving extraordinary aid” via bailout. And really, it’s more like three companies since it comes down to only AIG, GM and its financing company GMAC, and Chrysler and its financing company Chrysler Financial.

Feinberg’s announcement was the administration’s latest effort to deal with public outrage over bonus payments provided to executives at companies receiving billions of dollars in taxpayer support.

Detailing the 2010 pay rules, Feinberg said cash salaries would be capped at $500,000 for 82 percent of the top 25 executives at the five firms. These executives would have to receive any further compensation in stock. Feinberg is seeking to link the executives’ decisions more closely to the success of their companies.

In addition, “pay czar” Kenneth Feinberg is also mandating that 419 companies that benefitted from bailout money before February 17, 2009, give detailed information on any salaries in excess of $500,000 paid to executives in late 2008 and early 2009. What exactly Feinberg plans to do with this information eludes me, but companies have 30 days to comply.

Under the law, Feinberg cannot require executives to return any compensation such as 2008 bonuses that he deems excessive. But Feinberg said he would review the compensation paid during that period to see if any of it could be deemed “inconsistent with the public interest.”

I think many interested members of the public could tell Kenneth their thoughts on that topic immediately, but it’s nice to know that he will have some more detailed info into the matter next month.

[Image: greedy executive businessman]

Before the cap, he would have been carrying three bags.