Even though Frost’s repeated lies over a series of years should be grounds alone for her dismissal as CalPERS CEO, we feel compelled to chronicle that she has done a poor job as CEO, in the hopes that the board will set its standards higher when it looks for her replacement.
It is important to stress that Frost’s experience was thin, despite having worked for a Washington retirement agency since 2000. Her job scope involved only a small subset of the activities that CalPERS is involved in, and on top of that, ones that were managerially less complex by virtue of being heavily routinized.
Her previous employer, Washington’s Department of Retirement Systems (DRS), as one prominent CalPERS retiree put it, is “a purely administrative and clerical agency – they process checks and answer inquiries from beneficiaries.” Or as we put it, she ran a back office plus a call center. The Washington pension system’s actuary is not a part of DRS and reports to the legislature. By contrast, at CalPERS it is in house, and such an important role that it was until recently a direct report to the board. In Washington, management of the funds sits with the State Investment Board, not DRS. While Frost did sit on that board as an ex officio member for a bit over three years, she has no more experience in making investment decisions or managing investment professionals than, say, Henry Jones, the Chairman of the Investment Committee, has. Jones may do a fine job of officiating at meetings and contributing to closed session discussions of investments, but that is not the same as overseeing the daily investment decisions and operations of a $350 billion fund.
We wrote about Frost’s personnel-related fiascoes at CalPERS last week. That matters because Frost ran Human Resources at DRS, so this is an area in which she supposedly has experience. If she can’t manage that properly, how can she possibly handle the considerable areas of activity at CalPERS that are new to her?
At DRS, Frost was head of Information Technology and then the Deputy Director before becoming Executive Director in 2013. However, the reality is that DRS is an IT minnow cobbled together from legacy systems and is a poor learning ground. A single project that CalPERS completed in recent years, its $7 million private equity reporting system, is vastly bigger than anything Frost would have seen at DRS.1
So it should come as no surprise that Frost has presided over a series of IT and operational messes at CalPERS, including, most disturbingly, security-related ones.
We’ve received an unprecedented number of e-mails from insiders praising our work on Frost and expressing concerns about her leadership. Note that only after Frost became CEO did we get intel from current employees, and the level has escalated dramatically since we exposed her resume misrepresentations. This employee e-mail is one of several examples that recited serious internal management failings:
Marcie is over her head. Nice lady but more focused on the politics and giving the appearance that the work is getting done. She relies on and trusts her executive leadership team and they tell her what she wants to hear. Her lack of focus on internal operations and reliance on execs, particularly Doug Hoffner is a mistake. Doug has been there a number of years and has yet to develop any sort of operational plan/priorities for improvement with his chiefs to try and improve their organizations and as you’ve pointed out. (I’ve yet to see or hear a vision from the guy but it’s probably because he doesn’t have an Ops background). Operations, Human Resources and IT are sub-par, lack internal controls, systems integration, workforce planning or future state operating model and all of these programs are under Doug’s watch.
You’ve picked up on the HR hiring issues and the Board elections (under operations) but contracts and IT are bad as well. Operations doesn’t have DGS authority to administer contracts. There’s an old board ordained resolution from the 1990s they rely on using prop 162 as the basis of their authority. They have broadened the contracting type beyond what Dept of General Services allows other agencies (spring fed pool contracts are outside state guidelines. I’m not aware of any other state agency that uses this approach). It seems like DGS, CalHR and CDT should periodically audit CalPERS systems and processes to make sure they are sufficient — don’t think that’s happening.
Marcie is trying to get legislation passed that would make Doug a permanent civil service classification and get a big ole raise. He’s really operating like a chief of staff/handler to Marcie and not as a COO/Chief Administrative Officer like you’d expect him to be operating. This is all in an effort to get the legislation passed. Kim Malm who runs operations is a big giant bully. The board elections and contracts are under her helm but she’s too busy politicking and gossiping and bullying, it’s a joke. Doug protects her because she is a source of gossip and does his dirty work. Anytime someone tries to complain about her, it gets swept under the rug. Many of the professional staff are mortified by the shenanigans of the execs. The place is being run like high school and not like a business.
Now to some specific examples:
Gutting of Audit Services. We discussed and documented this extremely troubling development in a recent post, how CalPERS’ Office of Audit Services has been crippled by high levels of turnover and vacancies, poor morale, and most important, the loss of independence. Law professor and white collar criminologist Bill Black’s reaction:
Yes, very bad. CalPERS’ top management is determined to do the wrong things – and wants to improve the odds they can get away with it. That is the only reason, given the nature of its business, that the leaders would gut internal audit. Internal audit, like underwriting at a bank, is a great test of managers. If they are incompetent or sleazy (or both) they see audit and underwriting as cost centers. It they are competent and people of integrity, they see that great controls and underwriting are the core of investor (and bank) profitability and survival.
Failure to report criminal hack of CalPERS records to the authorities as required; persecution of victim instead. Due to other events interfering, I am not able to write up Michaels v. CalPERS as I had intended; I hope to get to that in the next few days. I’ve embedded the filing at the end of this post for those of you who want to have a go at it now. CalPERS has declined a request for comment.
What should concern CalPERS beneficiaries is that among other things, this filing describes a prima facie case of criminal hacking. CalPERS employee, who was on extended leave during a disciplinary investigation (she faced multiple complaints of workplace bullying and harassment) came into CalPERS after hours, obtained access to the personnel records of Nancy Michaels, who had been required as part of the investigation of the complaints against Lorenz to give testimony. Lorenz had no legitimate access to these records. She either broke in electronically or had a fellow employee impermissibly give her access. The reason this is a prima facie case of hacking is that Lorenz then distributed these confidential records within and outside CalPERS. Michaels’ records were also altered (not clear by whom) to alter her start date in her current position to make it appear she had not passed the probationary period when CalPERS maliciously charged her with having secured her promotion improperly.
The reason this is not a mere workplace abuse of authority, but raises big red flags, is that:
CalPERS failed to report criminal hacking by Lorenz. This looks like a clear-cut violation of the Computer Fraud and Abuse Act (18 U.S.C. § 1030). That Act defines hacking broadly, penalizing intentionally accessing a computer without authorization or in excess of authorization. CalPERS and the State Personnel Board also violated California Penal Code section 502(c)(2), which requires that a data breach must be reported to the person whose data was exposed. Michaels was not informed; she found out by happenstance, and she still does not know the extent of the breach because CaLPERS and other agencies have refused to give her full unredacted copies of the documents Lorenz distributed.
CalPERS appears to lack tools to detect unusual IT activity. To have someone rooting around in personnel records at night and out of synch with any reason to access Michaels’ files should have triggered an alert and didn’t.
CalPERS appears to have poor control of its facilities and computers. Why was an employee on disciplinary leave allowed into the building at all and able to get access to any computer?
This fact set suggests that CAlPERS has lax security controls system-wide. It’s not very plausible to think that CalPERS would have wildly different standards across the different databases it operates.
Sequential, hack-friendly board member passwords that were also pasted to the bottom of their keyboards. You cannot make this up. Board member passwords followed a very simple formula, which not only made it trivial to hack into supposedly super confidential closed session records, and also meant that any former employee or board member could access these records. Even worse, if a board member insisted on changing the password to something secure, that was vitiated too. Instead of being allowed to choose their own (difficult) password, all they could do was add more numbers to the sequence! So if they had been assigned “admin1” they could make it “admin5644”. And then the new password was e-mailed, which in Board Member Margaret Brown’s case, meant not only that her secretary at her day job would see it, but all the people with admin access there could as well.
Recall that one reason fetishizes the secrecy of closed session information is that the claim that outsiders could somehow get rich trading against CalPERS by having access to it. Their amateur hour procedures here belie their posture of concern.
And 1.9 million beneficiaries depend on CalPERS to keep their personal data secure?
The only good news is that after agitating since February to fix this mess, board member Margaret Brown broke protocol to complain directly to the new head of IT, Christian Farland, who was suitably alarmed and is on the case. But even he didn’t believe how bad things were. From Brown:
In case you didn’t know our desktop computers are also updated periodically with sequential passwords.
I don’t know why we have passwords at all since the password is taped to our work area just underneath the keyboard.
Anybody with access to the offices, staff, janitors and maintenance personnel could easily get board information.
Farland said [he thought] the board area was secure. Brown disabused him of that idea:
I will take exception to access being extremely limited to the board area.
Are you aware employees come into the board area just to use the men’s restroom?
It’s happened a number of times when I’ve been in in my office working. There really is nothing exceptional about our restrooms but this happens when I’m working in the back. No other staff or board members are there. That board area is not secure or restricted if staff can come in any time they want.
Do you routinely run badge in and badge out reports for all doors with access to the board area? I would like to see those reports (last 6 months). Who reviews those reports looking for unauthorized, unusual or suspicious activity?
It happens more frequently than you know.
Also, please run the report for Saturday and let me know who was in there.
So this exchange points to another huge operation and security lapse: the failure to have systems in place that monitor unusual access patterns.
Refusing to intervene and assure delivery of mail to board members. New Board member Margaret Brown objected strenuously to the fact that the Board Services Unit was not only opening and screening board members’ mail, but even replying on their behalf without informing board members. When Brown, whose father had worked for the Post Office, complained about this practice to Frost, Frost’s response was that she couldn’t do anything about it because the Board Services Unit reported to Board President Priya Mathur. That is nonsensical because the Board Services Unit members are all CalPeRS employees and the only direct report to the board is Frost herself. But she refused to intervene until the press took notice. This abuse stuck in the craw of CalPERS beneficiaries. Even now, Brown reports that members of the public regularly ask her if she is finally getting her CalPERS mail.
Failure to address abuses by Board member and the Board Services Unit of having board members pre-sign blank forms. General Counsel Matt Jacobs stated this practice was “wrong” in January, yet it went uncorrected until we publicized it in May. Will CalPERS shape up only when the media exposes bad conduct?
As we showed in a later post, Doug Hoffner approved some of these law-breaking travel claim forms, so Frost and CalPERS cannot claim this is a “whocoulddanode” abuse within the board ranks.2
Implementing corrupt election methods, most of all, insecure, audit-trail free, tamper friendly Internet voting. As we wrote, experts disapproved of Internet voting even before worries about Russian election hacking became a daily news staple. The latest group to say Internet voting should not be used, and any current efforts should be reversed ASAP, is the National Institutes of Sciences, Engineering and Medicine, based on a two year study.
To make this sorry picture even worse, CalPERS’ vendor for Internet and phone voting is Everyone Counts, which has regularly been criticized for its poor performance. Everyone Counts also does not provide a paper trail. CalPERS refuses to publish election results by voting channel, which would serve as a check against gross abuses of these not-auditable voting methods.
And if you think our charges of election-rigging are exaggerated, please read:
Election-Rigging, CalPERS-Style: How Voting by Phone Was Designed to Favor Incumbent, Suppress Support for Challenger
CalPERS Election-Rigging: Delays Release of Proof of Incumbent Priya Mathur Approving Illegal Pre-Signed Expense Forms to Thwart Challenger Jason Perez
California Secretary of State Gives Unprecedented Qualified Certification for CalPERS Board Election; Vendor Everyone Counts Bars Public Viewing and Fails to Tabulate Paper Ballots as Required
Copyright fiasco. CalPERS paid nearly $4 million to settle copyright infringement claims with the Wall Street Journal, the Los Angeles Times, and the New York Times. The Daily News Summary was e-mailed every weekday. CalPERS had the full text of copyrighted articles in the Daily New Summary hosted on its own servers without having obtained the right to publish them. Anyone with an operating brain cell could see this was copyright theft, yet no one, from Frost on down, stopped it.
Unprecedented site wide crash and protracted outage. On the weekend of August 26-27, CalPERS entire site went down. This was a crash, not scheduled maintenance, despite the slap-dash effort to claim otherwise:
I got quite a few e-mails from people who have been CalPERS beneficiaries for decades, from before the days when the system had a substantial web presence. One compared the site falling over to the George Washington Bridge (one of the main routes from New Jersey into Manhattan) being shut with no notice. The site failure occurred almost immediately after a weekend beneficiary workshop demonstrating new site features, so the outage also substantially undercut the purpose of the workshop, since the intention was to have the people who participated go home and use the site while their memories were fresh.
The site was back up after roughly 10 hours. Even if you generously look at the downtime on an annual basis, this puts CalPERS at mere two sigma performance. Recall that Frost on her resume touted that she was an expert in “lean” as in “lean management techniques. “Lean” is a six sigma discipline. Servers that fall over are proof of a massive failure.
Mailer screw up. We are hardly all that plugged into inside CalPERS messes, but in the very same month that CalPERS had its massive site crash, CalPERS sent a mailer to some 20,000 members who are facing massive health care premium increases (nearly 20%) on their current plan (PERSCare) to show them other choices. CalPERS had initially planned to do this all online until one member pointed out that 14% of the target audience didn’t use computers. CalPERS sent a letter out that did not include the critical information, the brochure with the plan choices. One retiree alerted CalPERS to the screw-up; it would have gone unnoticed otherwise. CalPERS had to re-do the entire mailing, and sent the board a bafflegab letter in response to a compliant by a Long Beach State professor that served to obfuscate what his issues were.
Attempt to reduce transparency and accountability by getting rid of preparing transcripts of public board meetings. Because influential beneficiaries made a stink and we threatened to prepare, publish, and maintain archives of transcripts, CalPERS went into retreat and now posts these transcripts, when before, interested parties would have to use the Public Records Act to obtain them.
We’ll stop here so as not to overtax reader patience, but the picture should be clear: CalPERS is poorly governed, with a complacent board overseeing a management team where most operations have weak controls and poor procedures. This is a train wreck waiting to happen. And a CEO deficient in integrity, as proven by Frost’s multiple misrepresentations made during and after her hiring, compounded by her lack of interest in running a tight ship, means it will happen sooner rather than later.
1 Clive describes why Frost’s IT chops are a joke:
From reading between the lines, the great endeavour that was the creation of the Department of Retirement Systems seems to have faltered in the usual problem you have with this approach — you pool the (claimed) 15 retirement plans into a consolidated management apparatus, but that’s the easy bit. You’ve still got 15 legacy systems which were designed in isolation with no thought for interoperability. So trying to port these onto a single host platform is in the “nailing jello to a wall” category of projects.
Then you’ve got the balkanisation of the technologists — each of Whole will usually sit there through interminable meetings waffling on about “our system is best because…”, “no, I think you’ll find our system is best because…”
No serious corporate talent would ever work in such an outfit. It’s a bureaucratic make-work scheme and exists only because of unchallenged notions / perceived wisdom about economies of scale that never deliver on their promises — but once established, no one can admit defeat and pay the then required costs of breaking the thing up again.
If you’re able to swim in the inherently political waters (the “politics” being of both state and also the office (workplace) varieties) then you can get into a reasonably senior position, draw $100-200k-ish plus a sweetheart package of benefits and live nicely even in an expensive place like Washington. Not a bad life, of the 9.9% kind.
But no-one of top-flight CEO-caliber would work there for more than a few years as a stepping stone. If CalPERS were to look at the Department of Retirement Systems Director and think that is a read-across for an appointment as CEO for an organisation of CalPERS’ scale, they’d be completely clueless. CalPERS is four times the size in funds under management terms alone.
Now, turning to the specifics of the sort of work our friend Marcie would have been working on as “Head of IT” — luckily DRS has to go cap in hand and beg the state legislature for funding for projects, so we can take a look at their business cases to see the kinds of work they do. There’s only half-a-dozen or so key projects in their entire portfolio as far as I can tell. Here’s an typical example to local servers (which I’m assuming are legacy hardware from all those schemes they inherited) to the state’s strategic data centre:
It’s trivial. $500k in total project costs. That is barely above the radar for an organisation of any scale. Put it this way, I’ve got 12 projects in my work list at the moment, three of these are £500k+ and the rest are in the £100-250k range. And I’m barely mid-level.
None of DRS’ projects seem to have budgets above $1m. http://www.drs.wa.gov/administration/budget/budget-requests
In a sentence no position that I can find at DRS qualifies anyone as CEO of CalPERS.
2 It’s also hard to pretend no one at CalPERS knew about this abuse when it was codified in the Board manual.Second Amended Complaint for_ Damages and Equitable Relief; Request for Jury Trial 091718 (1)
I’m sorry to be in the role of dissent however to get to the heart of the issue the problem at CALPERS is not Ms. Frost.
While she maybe in over here head or even poorly suited for the position it is common management practice to hire executives who have serious flaws. I’ve seen larcenous executives, drug addled executives, executives with a fondness for young flesh.
These sorts of folks survive and prosper solely because they are easily manipulated – often times by threat..
There is much more than Ms. Frost here
I beg to differ and I am sure other readers will as well.
First, you seem to be a latecomer to this saga and may not realize that Frost has engaged in misrepresentations and omissions about her educational and work history that lead to executives suddenly deciding they need to spend more time with their families. Frost has dug her hole deeper by getting an employee to tell implausible lies for her lies (her defenses were brutally shredded by the Financial Times).
Second, CalPERS had good CEOs before Fred Buenrostro, who took bribes and is now in Federal prison. CalPERS’ Sacramento sister, CalSTRS, has a vastly better CEO and board and also earns consistently better returns. So your claim that all CEOs are bad is false.
Third, even though CalPERS at 2900 employees, is vastly larger than the Department of Retirement Services (250 employees), it is small enough that the CEO can have a good or bad impact quickly. This is a big reason why Frost modeling casual lying, already a disease at CalPERS, is particularly disturbing. A fiduciary that handles hundreds of billions of beneficiary funds should hew, or at least appear to hew, to high ethical standards. Frost’s behavior makes a mockery of that.
The organization gets its culture from its visible leaders.
If the visible leaders (CEO might not be visible, but in this case I’m pretty sure she is) support cronyism, lying, misdirection etc. it will impact the organization – good people will leave (if they can), bad ones will take it as ticket to behave so. Worse yet, a number of in-the-middle folk will follow the examples they can see all around.
Not to mention that CalPERS seems to be also trying to put in a culture of fear and don’t-rock-the-boat-or-we-will-rock-you (out). That alone, for a financial institution, is lethal.
Yes, CalPERS is bedevilled with problems and these are symptomatic of an organisation which, at an entire agency level, needs root and branch reform.
But large (and I’m talking about more than a few hundred employees here, above what is generally referred to as SME sized) organisations are utterly incapable of simply arriving, collectively, at the office one day and deciding to start sorting things out and then somehow magically agreeing a strategy to do this then following through on it.
Even shockingly indulged Too Big to Fail banks, when found to have systemic management issues start with the CEO, such as Wells Fargo post the fake accounts scandal. And companies which are mired in wrongdoing face external pressure for management clear-outs which start at the top such as Volkswagen is under as regulators and jurisdictions keep turning their screws over dieselgate.
The reason is that a new, hopefully untainted incomer can objectively assess what is wrong — without being tempted to sweep some things, maybe a lot of things, under the rug because they knew or could have been expected to know about them in the past. They can also, assuming they are genuinely CEO-calibre, flick through their Rolodex and bring in experienced management from outside into senior positions.
Never, ever, are the underlings replaced in the hope that they’ll somehow upskill an out-of-their-depth CEO and induce competence where none exists.
The cult of the miracle-working CEO (replete with outsized salary to match) does get overplayed. There is a limit to what a single individual can do if they don’t get board and regulatory buy-in plus strong stakeholder leadership from, as here, the California legislature. But replacement of a weak, nice-but-dim CEO is an essential first step.
See also vlade above for the cultural implications and impacts. These are just as crucial, if not more so, than the leadership qualities I’ve gone into here.
The passwords??? WTF???? That’s only one step removed from posting on their web “come and hack us please”. Given the untold damage this could do – say if someone messed the beneficiaries records, the investment records (especially OTC) – this alone should cost CIO/COO their heads.
On the DRS project size – where does one apply for CalPERS CEO? I have few doubts that a number of people amongst NC commentariat had a degree (or a few) of magnitude larger financial responsibilities than that, and as it looks CalPERS will be looking..
This is the type of thing that private equity will wink wink about having access to. I’m sure it takes discipline and some money to keep things at least semi secure. Leaving passwords out in the open makes it look almost intentional, as if whoever’s grifting doesn’t give a shit because they’re getting theirs no matter what.
Yes, that was really bad. Imagine that little detail coming out in the context of a major security incident. I think it might make it as far as the late night talk show hosts.
And I agree with Pespi that it’s sufficiently egregious that you have to wonder if it’s by design – a question that would certainly be asked many times in the above scenario.
I’m not suggesting that Ms. Frost has not misrepresented herself.
Nor am I suggesting that all executives are or do misrepresent facts.
What I am suggesting is folks who have serious flaws can be easily manipulated.
And a good question is to what end.
Ms. Frost is not operating in a vacuum.
Frost is an exceptionally pliable and appearance-oriented CEO who as we pointed out is unusually weak on “hard” skills (which means she undervalues them in others, as demonstrated by her failed effort to hire an unqualified Chief Actuary). CalPERS has much less cred than it used to due to the severity of its underfunding. The board and the unions, who have way more sway than they should (they are unquestionably key stakeholders, but they act like they should be driving the train, when having crap governance as a result is only going to hurt them in the long and even the short run), seem to think having a weak CEO is just dandy. The cost will be the further decline of CalPERS.
>[MFROST] is unusually weak on “hard” skills (which means she undervalues them in others
this is a great observation.
kind of the negation of “game recognizes game”.
Yes, and this is where ALL the taxpayers in California get monetarily dinged by the incompetence at CalPERS. The state of California is a sovereign entity (unlike municipal governments) and cannot claim bankruptcy. The taxpayers of Californian are legally ‘on the hook’ for the pension liabilities of CalPERS.
if only john podesta had been familiar with calpers’ innovative security techniques!
I read the Michael’s complaint and having gone through something similar I can empathize.
Even when your attorney is working on a contingency basis you have to cover their actual costs, and it’s not cheap.
The defensive strategy in a case like this is to stall and bleed the plaintiff with costs until just before the court date and then settle for as little as possible.
I read through the usual litany of cronyism, dishonesty, incompetence and lawbreaking and got to the part about the passwords.
“Gross Negligence” is the term that comes to mind, and it’s institutionalized at CalPers.
Top to bottom.
However I and my fellow Californians can take comfort in knowing that Attorney General Becerra will be all over this.
Trust me, I’m a Realtor.
I’m really puzzled. Never mind CalPERS, how does a High School graduate get such high placed jobs in the first place? The job at Washington’s Department of Retirement Systems (DRS), [running] a back office plus a call center, was no doubt far less demanding than that of CEO at CalPERS, but still, how does a high school graduate get even that position and (maybe not the next question, but one that soon follows:) why in the world would anyone go for an undergraduate degree at college, never mind a Masters, if early on they can get such management positions with eighth grade training?
Whose daughter is she?? (I don’t see “Frost” in the PBS usual lineup of prominent oligarchs)
My apologies to those who view higher education as something beyond, or other than, a jobs training facility.
I am not sure that colleges actually provide any real jobs training skills except for possibly MD and actuarial degrees. millions of millennials and boomers have single or multiple degrees and no commensurate rise in salary or job prospects without nepotistic connections.
That may be. I’ve understood, perhaps incorrectly, that except in the ivy league schools, colleges are catering less and less to the arts and humanities and more and more to disciplines where the prospect of gainful employ is at lest an implicit if not explicit part of the goal. Success or failure in such is another matter.
It’s especially odd, given what Yves has reported about civil service jobs and their strict education requirements, that the boss, the leader, gets to skip the line. There are “pay 30k to us and get an expedited masters” programs everywhere. The coursework is easy.
I don’t view college as a special accomplishment, but what’s good for the geese is good for the gander.
Opps, (12th grade), perhaps I should have rephrased that to say, “why high school? Why does one need anything beyond grade school?”
As I’ve pointed out before, there were surely other people who applied for the CEO position. It would be rather informative to see those resumes.
isn’t running a back office and a call center the type of job one used to be able to be promoted up to even without the formal credentials? Maybe not in government but then at least in private industry.
You may well be right, and I would applaud it especially if achieved by working one’s way up through the ranks, but my own experience (in the east) has been anything white collar and managerial, especially if it has to do with money, requires, at least officially, a college degree (BA or BS) at a minimum.
The same is true in California. You would not be hired for any government management position in Finance, HR or Management without a college degree.
Oh, and misrepresenting your education or experience is grounds for termination.
Well, having worked for the state of Nevada, non-degreed personnel, secretaries and the like, are allowed to test for higher grade levels (accounting). But often they are distracted by the test questions: Convert decimal ’12’ into Octal format, (14).
It seems CalPERS has no such testing program.
Title is an affront to high schools
But “kindergartens” would’ve been insulting to kindergartens.
I have to admit that it is disappointing to find that CaLPERS’ problems are not pockets of incompetents spread here and there but appear to be systematic right across the board. In fact, CaLPERS seems to be like one of those Russian Matryoshka dolls – the ones that are nested one within the other. Each doll that pops out has their own layer of problems and the laxness with security, as an example, is just one time bomb waiting to go off. And now this problem is right out in the open so cannot be denied.
What actually gives me a bit of hope is the fact that there are only about 2,875 employees. In spite of sitting atop of $350 billion dollars, the number of employees involved is about the size of a very small community. I agree with Clive’s comment that a miracle-working CEO on a white horse is much overrated idea but I think that a team of professionals put in the right positions should give an oversize effect here. Doesn’t take much research to work out which people need the chop and which departments need a total overhaul.
This part was interesting to me:
“CalPERS appears to lack tools to detect unusual IT activity.”
At one point they certainly did. I was part of the team that sold a security monitoring tool (a Security Information and Event Management or SIEM system) to CalPERS years ago, and it was deployed to a reasonably good standard. It wouldn’t surprise me to discover that the project had neglected or abandoned given the apparently atrocious state of CalPERS governance.
If I had a £1 for every time I’d come across a situation where someone was tasked with “doing something” about a problem, IT got involved, and the solution was that someone should go out and buy a bit of shrink-wrapped software but then stopped at that point not realising that you have to think about use cases, configuration, maintenance, requirement-traceability and a few more — well, I’d have a lot of pounds.
I’d be willing to bet that CalPERS maybe considered intrusion detection or asset management, but didn’t think at all about data loss prevention, auditing user user roles and user permissions, a data segmentation strategy to facilitate allocation of minimum essential access and a whole load of other things which large organisations, politically exposed, with diverse and complex needs for data protection and sharing. They seem stuck in about 1998 in terms of how they manage their IT estate.
We certainly had our share of “shelfware” – software that was purchased to meet some mandate or other and never deployed. But as I recall CalPERS wasn’t one of those – they got it up and running and had data collection working, policies and alerts defined, etc. This would have been in the Anne Stausboll era.
IT systems deteriorate rapidly if neglected, as I expect happened here.
Course they dont help if they are ignored or if updates arent applied like that credit bureau didt do
Thanks for all of the work that you’ve done on this series. It’s a service to us, even if we don’t live in California or are pensioners.
I think this is the most important article thus far because it shows that Frost isn’t very good at her job. I might have been willing to forgive the some of problems detailed in the previous posts, if Frost is an exceptionally good CEO, but she isn’t (as I suspected all along).
Thanks for the ongoing investigative reporting on the travesty that is CalPers.
I happened to know someone (not that well) who worked at CalPers in an IT capacity. This person was not a CalPers employee/staff. Rather they were “consultants” apparently brought in to do project work. Rumor had it, then, (years ago) that CalPers was a mess and their IT overall was less than stellar.
I’ve seen dumb IT stuff going on many places, including the private sector. It’s amazing how a lot of public and private organizations continue to try to cut IT costs and don’t really have a well run shop that provides the infrastructure and security needed. Of course, we also see it every day with these big security breaches at various govt agencies and companies and hospitals and….
Marcie Frost needs to go.
What can be done? This is such an alarming situation. Is there action, petitions, pressure on politicians by activists, etc. that might help?
Yes! Please write ASAP to the list below. Same letter will do. Most important is to cc Priya Mathur (firstname.lastname@example.org) on behalf of the CalPERS Board and Marcie Frost (Marcie.Frost@calpers.ca.gov) so they see that CA citizens and CalPERS beneficiaries are so upset that they are writing public officials.
The two chairs of the pension committees, since CalPERS is afraid of the legislature, Dr Richard Pan (Senator.Pan@senate.ca.gov.; fax 916- 651-4906 or 916-914-2179 ) and Freddie Rodriguez in the Assembly (Freddie@FreddieRodriguez.com; fax 909-902-9761).
The two ex officio members of the board, the State Controller, Betty Yee (email@example.com) and the State Treasurer, John Chiang (firstname.lastname@example.org). Chiang is termed out, so he might do the right thing.
You can also e-mail Governor Jerry Brown, who has appointees on the board (e-mail form https://govapps.gov.ca.gov/gov39mail/; fax 916-558-3160)
It’s very clear that Calpers traded down when they replaced Anne Stausboll, J.D. with Marcie Frost, H.S.D.
A review of Marcie’s replacement at Washington DRS shows they did much better than Calpers.
Tracy Green, the new DRS head, COMPLETED her bachelor’s degree at The Evergreen State College. She has completed the Strategic Leadership for State Executives program at Duke University as well as executive education programs through the John F. Kennedy School of Government at Harvard University. She received the Governor’s Management and Leadership Award in 2012.
Tracy most recently served as Deputy Director of the Office of Financial Management. She has also served as Chief of Staff for the Department of Social and Health Services, Deputy Director at the Department of Corrections and the Department of Information Services, and as Deputy Secretary for the Office of the Secretary of State.
Calpers should invoke California’s Lemon law and ask for a full refund.
Is it possible that CalPers and the legislature want the system to be broken? Sure would save a ton of money that they could bezzle. Perhaps knowledge exists that shows collapse is inevitable and they want goats to make it happen so they won’t be blamed? When corrupt management is given a free pass to act without a watchdog (or cat) is there a reason why their benefactor needs it to happen? How many board members and employees know the true state of affairs of the fund? How many are in charge of systems they can manipulate to the benefit of their friends in Vulture Cap?
When institutionalized, fraud becomes a tool. There seem to be quite a few tools at CalPers. Some appear to be in the mechanism itself to guarantee a breakdown. I am the relative of a CalPers beneficiary that can’t participate, but relies on the pension.
Doubt the politicians or management can avoid blame for the mess even if they want to.
Showing my ignorance here, but can I get an explanation for what “# sigma” means? Thanks.
Good question. I was curious about that too. :-)
I think in her case it meant what it said: lean – not very much, thin.
Sigma is a standard deviation in statistics – basically, how “spread” some dataset is. In six-sigma it means the number of defects/reworks/downtime etc. – i.e you’re aiming at less than X% problems. I can’t remember the numbers, but IIRC even 3 sigma (assuming normal distribution of the problems – but you can play with this, using central limit theorem to force the variable you want into a normal distribution, but then you have to be careful with interpretations) is less than 1% of defects. 6 sigma would be way fewer.
Sigma is one standard deviation (a measure of dispersion about the mean in a normal distribution). In such a distribution the range from (mean minus two sigma) to (mean plus two sigma) will include 95% of the observations. Six sigma is a popular
quality management technique which applies stringent statistical control to minimise faulty output.
Before seeing it in the article I was going to say it referred to standard deviation but that doesn’t seem to be the case here. Looks like it’s an industry measure of how often your systems screw up: https://www.isixsigma.com/new-to-six-sigma/sigma-level/sigma-performance-levels-one-six-sigma/
Thanks NC – I learned something today :)
Six Sigma is a manufacturing focus on:
Lean manufacturing is:
And there is Lean Six Sigma too, all of these you can go get certified in.
I’ve spent a lot of time reading about “lean,” including on sites by practitioners. They DO emphasize statistical analysis, which make sense, since “lean” is derived from the thinking and practices of Edward Deming, the intellectual godfather of Japanese manufacturing prowess.
This, for instance, is a discussion of applying “lean” (not “six sigma lean”) in a call center. The standard deviation analysis is similar to the type you would also see in a six sigma process:
The other reason it is fair to expect Frost to be familiar with six sigma concepts and standard is that she’s referred regularly to “black belts’ and “green belts” among her staffers at DRS. Google results (try “lean ‘black belt’ data”) strongly suggest these are Six Sigma Lean certifications.
Two sigma = Two standard deviations from the mean. Six sigma means six standard deviations from the mean, or about .00002%
In statistics its the probability of an event. Six sigma is so improbable that any claim of being that good requires a belief in magic, or that humans can actually work with a probability of 1 error in 500,000 actions. For example one keyboard typo in 500,000 keystrokes (aka Bullshit).
In manufacturing it requires automated manufacturing, and very carefully proscribed measuring bookmarks, by eliminating specification or design errors from the manufacturing process. Aka: Not my watch mentality.
A six sigma process is one in which 99.99966% of all opportunities to produce some feature of a part are statistically expected to be free of defects.
PS I also believe in the toothy fairy.
The other thing it means is that if your vendor subscribes to this, their product will be so widely specified that the specs are almost useless for design.
for example, in a motor drive IC, the 6 sigma spec for current limit might be between 1 and 9 amps.
Needless to say, that is a pretty useless spec. When we used this vendor, we just used their characterization data over 3 lot corner variances instead. Which worked fine.
6 sigma is overrated.
Sigma is the symbol used to represent standard deviation in statistics. Two sigma means two standard deviations above the mean. Think top 10 per cent or so. Six sigma implies being six standard deviations above the mean, one in a million or so. It was the name of a management fad a few years ago.
As this is clearly unattainable, Frost’s invocation of it is another example of her dubious competence.
She did not invoke it directly, but “lean management techniques” in manufacturing six sigma type process controls. This paper, admittedly dated, discusses how it can be used in “customer facing” operations…like call centers:
And I have to quibble re the validity of using six sigma (which is specified in terms of percentage uptime measures) in IT services. For instance, my current web hosting contract has a specific uptime minimum % and penalties if the host falls short.
I guess it just irks me (as the son of two maths teachers) that a statistical term with a defined meaning became a term bandied about by management gurus. We sorely need a rectification of names…
To see just how rare six-sigma events are consider Don Bradman’s batting average.
A “sigma” is a measure of standard deviation from the “normal”.
Six sigma events are really rare.
(i.e. Normal events would happen 99.99966% of the time.)
Last week, I lodged a complaint with CalPERS about Ms. Frost’s material misrepresentations in the hiring process for CEO. Today, I received the following, presumably canned, CalPERS response which utterly fails to comment on the meat of the issue:
Thank you for contacting the California Public Employees’ Retirement System (CalPERS).
Our CEO Marcie Frost earned the top job at CalPERS through hard work, talent, expertise, and an unquestioned ability to work with people. She has a 30-year government career, from a temporary typist position to her appointment by the governor of Washington to his cabinet. Since Ms. Frost has been at CalPERS, she has been instrumental in helping CalPERS build a solid path forward for the long-term future of the fund.
Charles Asubonten resigned from CalPERS; he was not terminated. We have worked to improve our process and recently announced that Michael Cohen, former head of the Department of Finance, will take over as Chief Financial Officer on October 1. He has more than 20 years of experience in government, with expertise in executive and financial leadership.
If you have additional questions or concerns, please submit another inquiry or call us toll-free at 888 CalPERS (888 225-7377) within the United States or from outside the United States (+1-916-795-3000) to speak with a customer service representative Monday through Friday, 8:00 a.m. to 5:00 p.m. PT (All CalPERS offices are closed on state holidays).
Well maybe someone should have asked a few questions then?
recent news re CalPERS…
Lead in: Ben Meng had worked seven years for giant public pension fund
Meng has not taken the job yet. If you read the piece carefully, it is clearly a leak by Frost herself. Looks like an effort to divert attention from her misrepresentations scandal and present herself as having landed a good hire, even though she hans’t landed him yet.