SPAM pays it seems.

Oh dear. Over on the cyberlaw site at Harvard I came across a paper I’d seen before but not actually read. I read it last night: Spam Works: Evidence from Stock Touts and Corresponding Market Activity, by Frieder and Zittrain. Read it. It is scary stuff. Here is a quote…

We match price and volume data from Pink Sheets, LLC to ticker symbols that appear in email touts received by one of the authors and by the Internet Usenet newsgroup (“NANAS”) between January 2004 and July 2005, and compare the presence and volume of spam that touts particular stocks with the price and volume behavior of those stocks before, during, and after the touts.

We find a significantly positive return on a day of heavy spam touting of a stock, along with the day preceding our detection of such touting. Volume also responds positively and significantly to heavy touting. Returns in the days following touting are significantly negative. Though we have no way of directly knowing if the spammer actually has holdings in the spammed stock apart from the spammer’s own admission, when it appears, and the surmise that some pecuniary motive inspires sending the spam, the evidence accords with a hypothesis that spammers tout stocks in order to increase trading activity and price enough to unload their positions at a profit. Selling pressure on the part of the spammer then results in negative returns following heavy touting.

Does this worry anyone else? Bill Gates reckoned he would have the SPAM problem fixed by now, but we are absolutely miles from any kind of resolution. SPAM filters are not the cure, they are band-aids applied to a bullet wound. The Internet is not all huggy huggy web2.0 goodness and freedom. Surely the SEC and others should go after these folks?

Check out the Spamhaus site for more details on the extent of the spam problem. Neither existing laws nor the current Internet governance seem to be working. Spamhaus noted in 2003 that

As an international organization, but one which is based in the United Kingdom where the sending of Unsolicited Bulk Email is now illegal, Spamhaus sees the introduction of the CAN-SPAM Act of 2003 (S.877/HR 2214) as a serious failure of the United States government to understand the Spam problem.

3 years later it would seem that they were right. I do find it rather odd that the organisation leading the fight against spam is a 25-person not-for-profit organisation. The UK government won’t fund them, and they rely on donations to keep operating.

The spamming software is getting more sophisticated.

“Although we’ve seen automated spam networks set up by malware before…this is one of the more sophisticated efforts. The complexity and scope of the project rivals some commercial software. Clearly the spammers have made quite an investment in infrastructure in order to maintain their level of income,” the advisory concludes.

Geeklawyer led me to a case in the UK and the US relating to spamming. This has all the makings of a Rumpole episode. Details here and here I think. Zoli suggested an approach to deal with some of the spam you get. In addition to Zoli’s point, stick the FTC on cc. According to the FTC website:

If you get spam email that you think is deceptive, forward it to The FTC uses the spam stored in this database to pursue law enforcement actions against people who send deceptive email.

Enough said.


Governance Risk and Compliance announcement

Big announcement today with SAP and Cisco. Webcast is running at the moment (it was when I started the post anyway), you can read the press release here.  I’ll post more once I’ve digested it and talked to a few folks internally. I’d be interested to hear what James makes of this….

Three main points… 

1. Accelerated roadmap on the GRC repository (central system to record control, policies, risk; not just SAP content, but plans for other content too).

2. GRC process control application. Cross-application, dashboard, risk identification…

3. Risk management application. Built from the internal risk management tool from SAP. This thing rocks.

The combination of SAP and Cisco means that there is good coverage of the infrastructure risk issues as well. This will help in delivering more support for COBIT and other IT governance models.

As part of the Finance Best Practice Meeting in September I will be moderating a session on GRC. BMW and GM are presenting, as well as Amit, the lead dude for the GRC developments. Should be interesting. This stuff is so much more than just SOX.

More on Corporate Social Responsibility

Dennis asked me in a recent comment for examples of companies doing stuff with CSR. The FT kindly obliged on Friday by publishing an interview with Wayne Murdy, CEO of Newmont Mining and the chairman of the International Council on Mining and Metals. (Hat tip, James)

This point hits home.

For companies, maximising local benefits and reducing poverty is simply a matter of enlightened self-interest.

In the article he notes that mining companies have a responsibility to the countries in which they operate, and he highlights the EITI (Extractive Industries Transparency Initiative). The EITI looks very interesting, as it is a combined effort by “developed countries”, resource rich countries, NGOs and large corporates to address the tragedy that is “poor but resource rich countries”.

The mining companies have realised that a sustainable social fabric is vital. Without that stability, it makes mining investment a tricky business.

As the Shell website puts it.

Oil revenues can transform developing countries by invigorating economic growth and funding social services such as schools and hospitals. But managed badly they can have the opposite effect: stimulating corruption and conflict.

The Shell CEO, Jeroen van der Veer, commented:

“If we get it right, transparency will create a virtuous circle where improved governance encourages more investment – which in turn leads to improved and sustained economic and social development.”

Also, the UN’s Principles for Responsible Investment looks promising. There is, of course, a long way to go. NGOs such as Global Witness are key in making us aware of the issues, and bringing the unsavory examples to the table.

Shell’s reporting page is more than just window dressing. The modern CEO needs to manage and report on more than just Q1 sales. Those designing software to aid reporting should take note.

It isn’t just the mines and the oil companies that take this seriously. I have just been over on HP’s site. Check out HP’s position on global warming. This is more than just some attempt to sell PCs to green types. HP also publish a GRI report. This diagram is from the report.

So Dennis, there are lots of companies investing serious executive time and shareholders’ money into CSR efforts. It makes good business sense to invest in broader societal issues, because without a functioning broader society, you have no business.

My little browse this evening (there is zip on German TV tonight!) led me to the opendemocracy website. I’ll be reading more about the sustainable development and capitalism debate, and I may have to add this to my reading list.


Corporate Social Responsibility isn’t just blah blah..

The McKinsey Quarterly and its on-line siblings are simply brilliant. They reflect and polish the image of the firm, are well researched, thorough, very useful, and a pleasant read. (Would be even better if the site was RSS enabled)

It is easy to be cynical about CSR, see it as nice padding in the annual report. There is more to it than that though.

Being a Political Science graduate who somehow ended up in the software industry, I have always had an interest in the relationship between corporations and society. Much of my university time was spent discussing the complex relationship between capitalism and apartheid. (It isn’t as simple as it first seems.) At least in the South African economy, a firm grasp of socio-political issues and their implications, together with action, is key to business success. The Milton Friedman “business of business is business” argument just doesn’t wash back home.

It is also being challenged elsewhere too. Read what the management guru Henry Mintzberg has to say, and the discussion at Harvard here.

Back to McKinsey: they recently published a series of articles on CSR (when social issues become strategic), and they are well worth reading. I found the MD, Ian Davis, especially enlightening. He says…

  • The case for incorporating an awareness of social and political trends into corporate strategy has become overwhelming.
  • Issues such as privacy, obesity, offshoring, and the safety of pharmaceutical products can alter an industry’s ground rules, and the financial and reputational impact of mishandling these issues can be huge. But they also create new market opportunities that nimble companies can exploit.
  • Companies should look for signs of emerging hot topics, be ready to respond to them early, and place a series of small strategic bets that will create value if the social and political landscape shifts.
  • CEOs must be willing to ensure that different parts of their own organizations are united behind a coherent approach, to engage in external debate, and to consider collaboration with others.

The survey also makes compelling reading; see exhibit 4 for the key issues. (It is a fancy flash graphic which has so far defied my attempts to link to it.) The report notes:

Executives around the world overwhelmingly embrace the idea that the role of corporations in society goes far beyond simply meeting obligations to shareholders, according to the latest McKinsey Quarterly global survey. But executives also say that, for most companies, sociopolitical issues—such as environmental concerns and the effects of offshoring—present real risks. Indeed, finding ways to control them is so important, the executives say, that the effective management of sociopolitical concerns must start with the CEO.

While looking through Technorati I found an interesting post about what Timberland do. This is what the CEO of Timberland, Jeff Swartz, has to say:

And so, where it was once a great risk for business to step up and engage in matters of social justice, environmental stewardship and global human rights, it’s time to take a greater risk – to step outside our comfort zones and work to make our impact in these areas in ways that are stronger, deeper, more powerful and more thoughtful. It’s incumbent upon us to do this for two reasons:

We have the ability. If we, as businesses, applied the same level of innovation, passion and determination to corporate social responsibility as we do to product development, sales and marketing, the results would be phenomenal. And why shouldn’t we? In the business world, “good enough” rarely is; we’re always working to make it better. There’s no reason why the standards should be any less for our CSR efforts.

The world desperately needs it. Never before has the notion of sustainability been so prevalent – the idea that we must consider the consequences of our actions not on tomorrow, but on the world we leave behind for generations to come. And while making a conscious effort to reduce our negative impact on the environment and our communities is a good first step, doing “less bad” isn’t enough. We’ve got to start doing more good – to try to repair some of the damage that has already been done and invest in positive, sustainable change.

Some of my questions (more to follow some other time):

What are the issues software companies should be focussing on? Sun has recently started marketing eco-servers. Is this just a cynical, irrelevant ploy, or will they become the Toyota Prius success story? Should the industry be concerned about the impact that computer processing has on energy demands? Should software designers care about this too? Can programs, like light bulbs, be more energy efficient?

Privacy and security were ranked #5 on the list. Should software companies be doing more in these areas? If so what? Loss of privacy is an externality that is currently not adequately regulated for – will this change? What about Google and other search players? I’ve mentioned this before.

What are business schools doing to educate future leaders? Is the focus too much on quantitative stuff, and the shareholder primacy dogma?  This is a criticism that Henry Mintzberg has leveled here. (more on this another day) How should ethics and CSR be taught and researched?

What tools and measures are needed to report on CSR? How can we be transparent without undermining competitive advantage? How can CSR activities be communicated to broader society and the market in clear, hype-free, believable language? What standards should be used to measure CSR?

Is the Global Reporting Initiative, GRI, the answer? (GRI’s vision is that reporting on economic, environmental, and social performance by all organizations is as routine and comparable as financial reporting.)

I have recently read Sumantra Ghoshal on Management, A force for good. He was a brilliant management thinker, and he provides a thought-provoking challenge to management theory. He challenges the greed is good mentality and suggests that a lot of management theory is based on incorrect assumptions about humanity.

Part of the reason why this is on my mind is that I’m organising our 1st Chief HR Officer roundtable at the moment, and the theme is “Employee Engagement and Sustainability in Europe.” If you would like to find out more, drop me a note. Thomas[dot]Otter[at]SAP[com]


Business case for lobbying and the SOX-Enron of 1720..

Businesses lobbying government has always seemed a bit odd to me. Is there a link between all that talking to politicians and company success? Well, one of my research feeds from SSRN picked up two fascinating papers that are well worth a read, but here are the abstracts and a couple of quotes if you are too busy for academic papers.

One, by Goldman, Rocholl and So, from the University of North Carolina.  

In countries with a weak legal system and a high level of corruption it may not be surprising to find that political connectedness is valuable to a corporation. This paper explores whether political connectedness is also important in the U.S., which has the most developed financial markets in the world as well as a very strong legal system. The paper uses an original data set on the political connections of board members of S&P500 companies to sort companies into those connected to the Republican Party and those connected to the Democratic Party. An analysis of the stock price response of these companies to the Republican win in the 2000 Presidential Election finds that companies connected to the Republican Party increase in value while companies connected to the Democratic Party decrease in value. In addition, the paper finds that the announcement of the nomination to the board of politically connected directors results in a positive abnormal stock return. The analysis further suggests that the above effects are more pronounced for the larger corporations. Finally, using an additional (indirect) measure of political connectedness based on political contributions by corporations prior to the 2000 election lends further support to these results. 

If you need a business case for lobbying and having an old politician on your board, I guess this is it. Silly me, thinking that share prices were a reflection of future discounted cash flows. As the paper notes,

First, following the announcement of the Republican win, the return difference between companies classified as having a Republican board and those classified as having a Democratic board is positive. Furthermore, the announcement returns are positive for the Republican portfolio and negative for the Democratic portfolio. These results are reconfirmed when using an alternative definition of connectedness based on political contributions and in addition they remain robust after controlling for several firm characteristics as well as for industry effects.

Secondly, following the announcement of the nomination to the board of a politically connected individual, there is on average a positive and significant stock price response.

The second paper (a lecture) by Painter from the University of Minnesota goes back a bit further and looks at two major bits of financial history, the South Sea Bubble and the US National Bank saga.

This lecture addresses a phenomenon that arises repeatedly in history: concurrent and interrelated corruption in the political system and in business that puts political and business establishments on the defensive. When corruption from business spills over into government, the story is likely to end with politicians seeking to cover for their own actions or to elevate themselves on an ethical pedestal above their peers. Resulting legislative action – hostile to business and driven by self serving political considerations in the wake of scandal – is often not well thought out, and may hinder economic growth and stability.

The lecture discusses two examples of this phenomenon in England and the United States respectively. First, the South Sea Bubble of 1720 – during which many Members of Parliament took bribes in South Sea Company stock and traded in the stock on inside information – was followed by Parliament’s draconian restriction in the Bubble Act on transferability of shares for over 100 years thereafter. Second, there were two attempts at the end of the Eighteenth and the first half of the Nineteenth Century to establish a permanent Bank of the United States modeled on the Bank of England. This undertaking was championed by Federalist and Whig politicians who, while they may have sought economic stability, also encouraged speculation in government securities on inside information, and bribery by the Bank of Members of Congress. The debate over the Bank was in part a debate over corruption that came with it. The First Bank of the United States was opposed and eventually allowed to expire by Jeffersonian Democrats and the Second Bank was attacked, and then pushed out of business, by President Jackson. Congress failed to establish a national bank until the Wilson Administration in 1913, two and a quarter centuries after establishment of the Bank of England.

The lecture concludes that corruption of government by business is not only bad for government, but in the long run bad for business. Business sometimes overreaches in  influencing government officials, but at the risk of a backlash in which politicians – in self righteous indignation or in order to cover up for their own actions – embrace harsh anti-business policies, regardless of whether those policies are in the national economic interest.

Painter goes on to note in the lecture (excuse the long quote):

Modern parallels do come to mind. Some might think of Enron, Worldcom and the Sarbanes-Oxley Act. As a current White House employee, I will not say more about these scandals beyond what I said before I entered government service. I reviewed former SEC Chairman Arthur Levitt’s book in 2003. While I disagreed with some of Levitt’s substantive views on securities law, I shared his concern that accounting firms – including Arthur Andersen while it audited Enron’s books — undermined the SEC’s independence by making an end run to Congress to complain about proposed SEC rules. Levitt pointed out that campaign contributions were a significant part of the strategy.

Enron and Worldcom embarrassed government and business. There is considerable speculation about whether Congress overreacted. If so, the Enron/Worldcom fiasco would fit into the broader phenomenon I discuss today. Harsh legislative action follows political backlash when business exerts excessive influence on government. Legislative action taken in an atmosphere of moral indignation does not necessarily rid the political system or the economy of corruption, but may leave a body of corporate law, or a banking system, or a capital market that is weaker than what existed before.

I could quote the whole paper but go and download it from SSRN instead. It is probably the most interesting thing about SOX you will read.

I’ll almost finish with a poem from Alexander Pope

At length corruption, like a general flood,
Did deluge all, and avarice creeping on,
Spread, like a low-born mist, and hid the sun.
Statesmen and patriots plied alike the stocks,
Peeress and butler shared alike the box;
And judges jobbed, and bishops bit the town,
And mighty dukes packed cards for half-a-crown:
Britain was sunk in lucre’s sordid charms. 

And I’ll finish with a quote from Marx.

Hegel remarks somewhere that all great world-historic facts and personages appear, so to speak, twice. He forgot to add: the first time as tragedy, the second time as farce.


Why SAP GRC…Virsa and so on.

Interview here with Amit Chatterjee from SAP about why we bought Virsa and some of our ideas on compliance etc. It puts a lot of what I have been on about on my blog into a clear context.

I especially like this quote:

The small example here is Basel II. … Simply put, it’s not about compliance. … [Really] it’s allowed banks to lower their capital reserves. … If they follow certain processes, they can decrease the amount they need to keep in their capital reserves, and that saves money.

So [regulations] aren’t just annoyances that you have to keep up with. These are massive strategic weapons you want to deploy because they make your business run more efficiently. … You’ll see more of that: the “let’s try to turn the business around and make all these regulations about revenue-generation and margin” improvements

Our strategy for Governance Risk and Compliance is so much bigger than SOX.   

At the next financials best practice meeting we will have a focus track on Risk and Compliance. It will be interesting to hear more about what European customers are doing in the real world.


breakfast and compliance…anything James can do I can do …..

James wrote a useful post about CA compliance positioning. CA is an interesting case, they have had compliance challenges themselves, but as a business they really seem to be getting their house in order. I found this presentation via good old Google this morning (hope CA is okay with me linking to it). Check out slide 9, about the reduction in costs that they have achieved. At the event James attended CA obviously pushed its part of the continuous compliance story, but that is only part of the picture.

If you look to the presentation above, you’ll see that a core ERP platform and control tools are a key part of the story. In this case, SAP ERP and Virsa (now SAP GRC). Slide 19 gives a good view of how the CA and SAP compliance messages fit together.

I like it when software companies walk the talk. CA is one of them. So is SAP.

Coincidentally I had compliance for breakfast this morning too. I met up in Heidelberg with Jan Nordhagen. We had breakfast on a terrace in the early morning sunshine looking out over the Neckar. (lousy job this)

Jan was the MD of Virsa in Europe, and now heads up the GRC sales efforts in Europe at SAP. Bright guy, really driven and has a passion for compliance. We talked about compliance, kids, mergers and why he should sponsor our charity bike ride. There is some real momentum behind the SAP compliance story here in Europe, it isn’t at all like Vinnie makes it out to be, vendors chasing the SOX gravy.

Compliance is less of a “new trendy thing” here in old Europe, and opening a sales pitch with SOX is often the quickest way to the door. There is a strong belief in many customers here that compliance is just good business practice, and we are seeing great traction for the SAP compliance suite from companies that don’t have anything to do with SOX, for instance in the public sector. We also see great interest from private companies. Companies are looking to reduce the cost of audit, but the main goal is to embed compliance in core business processes, and not to see compliance as a reporting afterthought, or as an evil government burden. There is a real belief in many companies here that transparency and real time controls are just good business practice. Q2 for compliance was very strong here, despite a generally slow market. It wasn’t all about SOX….

There is also a lot of interest in the Risk and Governance bit of the GRC story. There is a lot of cool stuff in development at the moment on risk management, based partly on the risk desktop that we developed internally for the CFO and the CEO here at SAP. There is lots of great stuff going on in this space. If SOX was the spark that made SAP…

1) Dust off stuff embedded in the depths of boring boring ERP and actively tell people about it (like the Audit Information System, for instance).

2) Acquire Virsa, and expand the solutions..

3) Build partnerships with auditors and SIs to drive down the cost of compliance.

Then maybe things aren’t so bad as Vinnie makes out.

Virsa surveyed 93 customers and found that customers report significant reductions in compliance cost and labour.

Reduction in time spent on internal audit                  35%
Reduction in internal/external audit costs                 28%
Reduction in time spent managing authorisation risk        44%
Reduction in costs for managing authorisation risk         36%
Reduction in audit report findings for security            41%
Reduction in time required to clean up audit findings      39%
