How Small Irish Businesses Avoid the GDPR Sting

by GDPR (General Data Protection Regulation)GovernanceOperational ReviewQuality AssuranceRegulatory Compliance

Accountants providing chartered accounting services and tax advice are alerting smaller Irish companies to the consequences of the pending General Data Protection Regulation (GDPR). They believe these are going to feel the most pain come 25 May 2018, if they do not implement GDPR by then. We are trying our best to help avoid this situation by providing advice.

How to Kick the GDPR Ball into Play

The Irish Information Commissioner’s Office has produced a toolkit regarding where’s best to start. They suggest beginning with an information security assessment to determine the gaps companies need to close. Once quantified, this leads naturally to a plan of action, and resources needed to fulfil it. Here’s how to go about it:

1. Start by assessing your current ability to identify, assess, and manage threats to customer data security. Have you done anything at all to date? You must be holding some customer information surely, and it is highly likely the GDPR applies to you.

2. Next, review your company’s current customer data security policies. Are they documented and approved, or do new employees discover them sitting next to Nellie? Rate yourself on a scale where ten is successful implementation.

3. Now consider how well you have pinned responsibilities on individuals to implement policies and take the lead on GDPR. The latter should be the business owner, or a board member with clout to make things happen.

4. By now, you should have a grasp of the scale of work ahead of you, remembering the EU deadline is 25 May 2018. If this sounds overwhelming, consider outsourcing to your accountant or a specialist provider.

5. Under the General Data Protection Regulation you have only 72 hours to report a breach of customer data security to the Information Commissioner’s Office. Do you have a quality assurance mechanism to oversee this?

Tangible Things to Bring Your Own People on Board

With all the changes going on, there is a risk of your employees regarding GDPR as ‘another management idea going nowhere.’ Thus, it is important to incorporate the new EU regulations in staff training, particularly with regard to data security generally. They may fully come on board only once they see tangible signs of progress. You should in any case put the following measures in place unless you already have them:

1. A secure area for your servers and for any paperwork your customers provided. This implies access control on a need-to-know basis to protect the information against loss, damage, and theft.

2. A protocol for storage media and record disposal when you no longer require them or something supersedes them. You are the custodian of other people’s information and they deserve nothing less.

3. Procedures to secure customer data on employee mobile devices and computers: This must extend to work done at home, at consultant sites, and by remote workers.

4. Secure configuration of all existing and new hardware to minimise vulnerability and storage media crashes. These quality assurance measures should extend to removable media and remote backups.

So Is This the Worst of the Pain?

We are at the heart of the matter, although there is more to tell in future articles. You may be almost there, if you already protect your proprietary information. If not, you may have key company information already open to malware.We should welcome the EU General Data Protection Regulation as a notice that it is time to face up to the challenges of data protection and security generally. The age of hacking and malware is upon us. The offender could be a disgruntled employee, or your competition just down the street. It is time to take precautions.

Is the GDPR Good or Bad News for Business

by GDPR (General Data Protection Regulation)GovernanceOperational ReviewQuality AssuranceRegulatory Compliance

The European Union’s General Data Protection Act (GDPR) is a new data authority coming into force on 25 May 2018. It replaces the current Data Protection Directive 95/46/EC, while extending the remit to include the export of personal data outside the EU. It aims to give EU citizens and residents living there more control over their personal information. It also hopes to make regulatory compliance simpler for participating businesses.

The Broad Implications for Business
The GDPR puts another layer of accountability on businesses falling within its remit. It requires them to implement ‘comprehensive but proportionate governance measures’ including recording how they make decisions. The long-term goal is to reduce privacy infringements. In the short run, businesses without good governance may find themselves writing new policies and procedures.

Article 5 of the European Union’s General Data Protection Act lays down the following guidelines for managing personal data. This shall be …
• Processed transparently, fairly, and lawfully
• Acquired for specific, legitimate purposes only
• Adequate, relevant and limited to essentials
• Not used for any other, incompatible purpose
• However it may be archived in the public interest
• Kept up to date with all inaccuracies corrected
• Ring-fenced when the information becomes irrelevant
• Adequately protected against unauthorised access
• Stored in a way that prevents accidental loss
Furthermore, affected businesses shall appoint a “controller responsible for, and able to demonstrate, compliance with the principles.”

Implementing Accountability and Governance
The UK Information Commissioner’s Office has issued guidelines regarding provisions to assure governance and accountability. These are along the lines of the ‘don’t tell me, show me’ management approach the office has generally been following. In summary form, a business, and its controller must:
• Implement measures that assist it to ensure demonstrated compliance
• Maintain suitable, relevant records of personal data processing activities
• Appoint a dedicated data protection officer if scale makes this appropriate
• Implement technologies that ensure data protection by design
• Conduct data protection assessments and respond to results timeously

Implementing the General Data Protection Act in Ireland
The Irish Data Protection Commissioner has decided it is unnecessary to incorporate the GDPR into Irish law, since EU regulations have direct effect. The office of the Commissioner is working in tandem with data practitioners, and industry and professional bodies to raise awareness in business through 2017. It has produced a document detailing what it considers the essentials for business compliance. Briefly, these pre-requisites are:
• Ensure awareness among key personnel, and make sure they incorporate the GDPR into their planning
• Conduct an early assessment of quality management gaps, and budget for additional resources needed
• Do an audit of personal data held, to determine the origin, the necessity to hold it, and with whom shared
• Inform internal and external stakeholders of the current status, and your future plans to implement the GDPR
• Examine current procedures in the light of the new directive. Could you ‘survive’ a challenge from a data subject?
• Determine how you will process requests for access to the data in the future from within and outside your organization
• Assess how you currently obtain customer consent to store their data. Is this “freely given, specific, informed and unambiguous”?
• Find how you handle information from underage people. Do you have systems to verify ages and obtain guardian consent?
• Implement procedures to detect, investigate, and report data breaches to the Data Protection Commissioner within 72 hours
• Implement a culture of always assessing the effect on individual privacy before starting new initiatives

So Is the GDPR Good or Bad for Business
The GDPR should be good news for business customers. Their personal data will be more secure, and they should see their rate of spam marketing come down. The GDPR is also good news for businesses currently investing resources to protect their clients’ interests. It could however, be bad news for businesses that have not been focussing on these matters. They may have a high mountain to climb to come in line with the GDPR.
Disclaimer: This article is for information only and not intended as a comprehensive guide.

investment banking

How the Dodd-Frank Act affects Investment Banking

by Governance

investment bankingThe regulatory reform known as the Dodd-Frank Act has been hailed as the most revolutionary, comprehensive financial policy implemented in the United States since the years of the Great Depression. Created to protect consumers and investors, the Dodd-Frank Act is made up of a set of regulations and restrictions overseen by a number of specific government departments. As a result of this continuous scrutiny, banks and financial institutions are now subject to more-stringent accountability and full-disclosure transparency in all transactions.

The Dodd-Frank Act was also created to keep checks and balances on mega-giant financial firms that were considered too big to crash or default. This was especially deemed crucial after the collapse of the powerhouse financial institution Lehman Brothers in 2008. The intended result is to bring an end to the recent rash of bailouts that have plagued the U.S. financial system.

Additionally, the Dodd-Frank Act was created to protect consumers from unethical, abusive practices in the financial services industry. In recent years, reports of many of these abuses have centered around unethical lending practices and astronomically-high interest rates from mortgage lenders and banks.

Originally created by Representative Barney Frank, Senator Chris Dodd and Senator Dick Durbin, the Dodd-Frank Wall Street Reform and Consumer Protection Act, as it is officially called, originated as a response to the problems and financial abuses that had been exposed during the nation’s economic recession, which began to worsen in 2008. The bill was signed into law and enacted by President Obama on July 21, 2010.

Although it may seem complicated, the Dodd-Frank Act can be more easily comprehended if broken down to its most essential points, especially the points that most affect investment banking. Here are some of the component acts within the Dodd-Frank Act that directly involve regulation for investment banks and lending institutions:

* Financial Stability Oversight Council (FSOC): The FSOC is a committee of nine member departments, including the Securities and Exchange Commission, the Federal Reserve and the Consumer Financial Protection Bureau. With the Treasury Secretary as chairman, the FSOC determines whether or not a bank is getting too big. If it is, the Federal Reserve can request that a bank increase its reserve requirement, which is made up of funds in reserve that aren’t being used for business or lending costs. The FSOC also has contingencies for banks in case they become insolvent in any way.

• The Volcker Rule: The Volcker Rule bans banks from investing, owning or trading any funds for their own profit. This includes sponsoring hedge funds, maintaining private equity funds, and any other sort of similar trading or investing. As an exception, banks will still be allowed to do trading under certain conditions, such as currency trading to circulate and offset their own foreign currency holdings. The primary purpose of the Volcker Rule is to prohibit banks from trading for their own financial gain, rather than trading for the benefit of their clients. The Volcker Rule also serves to prohibit banks from putting their own capital in high-risk investments, particularly since the government is guaranteeing all of their deposits. For the next two years, the government has given banks a grace period to restructure their own funding system so as to comply with this rule.

• Commodity Futures Trading Commission (CFTC): The CFTC regulates derivative trades and requires them to be made in public. Derivative trades, such as credit default swaps, are regularly transacted among financial institutions, but the new regulation insures that all such trades must now be done under full disclosure.

• Consumer Financial Protection Bureau (CFPB): The CFPB was created to protect customers and consumers from unscrupulous, unethical business practices by banks and other financial institutions. One way the CFPB works is by providing a toll-free hotline for consumers with questions about mortgage loans and other credit and lending issues. The 24- hour hotline also allows consumers to report any problems they have with specific financial services and institutions.

• Whistle-Blowing Provision: As part of its plan to eradicate corrupt insider trading practices, the Dodd-Frank Act has a proviso allowing anyone with information about these types of violations to come forward. Consumers can report these irregularities directly to the government, and may be eligible to receive a financial reward for doing so.

Critics of the Dodd-Frank Act feel that these regulations are too harsh, and speculate that the enactment of these restrictions will only serve to send more business to European investment banks. Nevertheless, there is general agreement that the Dodd-Frank Act became necessary because of the unscrupulous behavior of the financial institutions themselves. Although these irregular and ultimately unethical practices resulted in the downfall of some institutions, others survived or were bailed out at the government’s expense.

Because of these factors, there was more than the usual bi-partisan support for the Dodd-Frank Act. As a means of checks and balances, the hope is that the new regulations will make the world of investment banking a safer place for the consumer.

References:

CNBC: CNBC Explains: Dodd-Frank Act

New York Times: J.P. Morgan Says Dodd-Frank Favors Europe’s Banks

Sunlight Foundation: Dodd-Frank: How Investment Banks Contributed to the Financial Crisis

 

User-Friendly RASCI Accountability Matrices

by GovernanceOperational Efficiency InitiativesOperational ReviewProject ManagementStrategy and Portfolio Management

Right now, you’re probably thinking that’s a statement of opposites. Something dreamed up by a consultant to impress, or just to fill a blog page. But wait. What if I taught you to create order in procedural chaos in five minutes flat?  Would you be interested then?

The first step is to create a story line …

Let’s imagine five friends decide to row a boat across a river to an island. Mary is in charge and responsible for steering in the right direction. John on the other hand is going to do the rowing, while Sue who once watched a rowing competition will be on hand to give advice. James will sit up front so he can tell Mary when they have arrived. Finally Kevin is going to have a snooze but wants James to wake him up just before they reach the island.

That’s kind of hard to follow, isn’t it …

Let’s see if we can make some sense of it with a basic RASCI diagram …

Responsibility Matrix: Rowing to the Island
ActivityResponsibleAccountableSupportiveConsultedInformed
PersonJohnMarySueJamesKevin
RoleOarsmanCaptainConsultantNavigatorSleeper

 

Now let’s add a simple timeline …

Responsibility Matrix: Rowing to the Island
SueJohnMaryJamesKevin
Gives DirectionA
Rows the BoatR
Provides AdviceS
Announces ArrivalAC
Surfaces From SleepCI
Ties Boat to TreeA

 

Things are more complicated in reality …

Quite correct. Although if I had jumped in at the detail end I might have lost you. Here’s a more serious example.

rasci

 

There’s absolutely no necessity for you so examine the diagram in any detail, other to note the method is even more valuable in large, corporate environments. This one is actually a RACI diagram because there are no supportive roles (which is the way the system was originally configured).

Other varieties you may come across include PACSI (perform, accountable, control, suggest, inform), and RACI-VS that adds verifier and signatory to the original mix. There are several more you can look at Wikipedia if you like. My main goal was to highlight a handy way of simplifying things, which I hope I succeeded in doing in this blog.

Any Questions: contact us.

Implementing Matrix Management

by GovernanceOperational Efficiency InitiativesProject ManagementStrategy and Portfolio Management

Matrix management is a culture change. More than the hierarchical structures, lines of responsibilities, modes of communication and channels of decision-making, it is a concept that needs to be planned ahead and managed appropriately over time.

Implementing matrix management to any organization can be confusing. It is essential to ensure that it fits right to your business strategies, skills and competencies. With this, realizing matrix management should not be taken lightly. Careful stages should be considered, instead.

Here are the steps to proper implementation of matrix management:

Consider Your Business Context

You need to evaluate your organization to analyze what are your development needs with regards to skills, products, services and market environment. This will help you decide on what type of matrix structure you will apply in your organization. Consider the following questions in building up your context:

  • What is our strategy?
  • Where are the demands in our business?
  • What are the structures that our competitors currently employ?
  • What are the talents that my people possess?
  • What are other business organizations doing?

Set Your Implementation Scope

Next, you need to define the parameter and set the scope of your implementation. What area in your business do you think matrix management will successfully work? There are several things that you need to consider in setting your scope. You have to make sure that it works well with your overall business strategies, that it can be excellently communicated and easily understood. Also, you must ensure that you acquire the necessary talents and skills in the business to deliver the new system of responsibilities.

Implement the New Structure

When you have already decided what structure type you will implement, you are ready to give it a go. You will need to establish new communication channels so you can monitor the progress and receive feedback effectively.

Here’s how to apply the matrix structure:

  • Highlight your development needs
  • Define roles based on outputs and not inputs
  • Line up procedures and systems to support the structure and the behavior that comes with it.
  • Invest in training and development
  • Support the key people in the structure by coaching them to better adapt in changes
  • Communicate regularly
  • Monitor progress and make necessary adjustments

Review the Matrix Structure, Roles and Responsibilities

Organizations that successfully implement matrix management adapt to the changes in their environment. With this, they do regular evaluations to highlight the need for changes and revisions. The review can either focus on the structure only or to the entire process as a whole. The results can alter the structure, the roles involved and the responsibilities taken.

The process of implementing matrix management follows a step-by step method. Each stage is equally important with the rest. Hence, if you plan to exploit it in your organization, you have to recognize the purpose of each step and follow it appropriately. Balance is the key. And when you achieve stability in matrix management, amidst the complex changes in the world of business, then your organizational success is just around the corner.

Implementing Matrix Management? contact us.

IT Risk and Control Solutions Specialists – Why you need them more than ever

by Governance

IT risk and controlOver the years, the capabilities of IT systems have certainly grown by leaps and bounds. But so have the risks that accompany them. Countless threats to IT systems now exist that are capable of seriously disrupting business operations. That’s why companies have to conduct assessments aimed at making sure their systems are still capable of functioning effectively, efficiently, and securely all the time.