Even though Frost’s repeated lies over a series of years should be grounds alone for her dismissal as CalPERS CEO, we feel compelled to chronicle that she has done a poor job as CEO, in the hopes that the board will set its standards higher when it looks for her replacement.
It is important to stress that Frost’s experience was thin, despite having worked for a Washington retirement agency since 2000. Her job scope involved only a small subset of the activities that CalPERS is involved in, and on top of that, ones that were managerially less complex by virtue of being heavily routinized.
Her previous employer, Washington’s Department of Retirement Systems (DRS), as one prominent CalPERS retiree put it, is “a purely administrative and clerical agency – they process checks and answer inquiries from beneficiaries.” Or as we put it, she ran a back office plus a call center. The Washington pension system’s actuary is not a part of DRS and reports to the legislature. By contrast, at CalPERS it is in house, and such an important role that it was until recently a direct report to the board. In Washington, management of the funds sits with the State Investment Board, not DRS. While Frost did sit on that board as an ex officio member for a bit over three years, she has no more experience in making investment decisions or managing investment professionals than, say, Henry Jones, the Chairman of the Investment Committee, has. Jones may do a fine job of officiating at meetings and contributing to closed session discussions of investments, but that is not the same as overseeing the daily investment decisions and operations of a $350 billion fund.
We wrote about Frost’s personnel-related fiascoes at CalPERS last week. That matters because Frost ran Human Resources at DRS, so this is an area in which she supposedly has experience. If she can’t manage that properly, how can she possibly handle the considerable areas of activity at CalPERS that are new to her?
At DRS, Frost was head of Information Technology and then the Deputy Director before becoming Executive Director in 2013. However, the reality is that DRS is an IT minnow cobbled together from legacy systems and is a poor learning ground. A single project that CalPERS completed in recent years, its $7 million private equity reporting system, is vastly bigger than anything Frost would have seen at DRS.1
So it should come as no surprise that Frost has presided over a series of IT and operational messes at CalPERS, including, most disturbingly, security-related ones.
We’ve received an unprecedented number of e-mails from insiders praising our work on Frost and expressing concerns about her leadership. Note that only after Frost became CEO did we get intel from current employees, and the level has escalated dramatically since we exposed her resume misrepresentations. This employee e-mail is one of several examples that recited serious internal management failings:
Marcie is over her head. Nice lady but more focused on the politics and giving the appearance that the work is getting done. She relies on and trusts her executive leadership team and they tell her what she wants to hear. Her lack of focus on internal operations and reliance on execs, particularly Doug Hoffner is a mistake. Doug has been there a number of years and has yet to develop any sort of operational plan/priorities for improvement with his chiefs to try and improve their organizations and as you’ve pointed out. (I’ve yet to see or hear a vision from the guy but it’s probably because he doesn’t have an Ops background). Operations, Human Resources and IT are sub-par, lack internal controls, systems integration, workforce planning or future state operating model and all of these programs are under Doug’s watch.
You’ve picked up on the HR hiring issues and the Board elections (under operations) but contracts and IT are bad as well. Operations doesn’t have DGS authority to administer contracts. There’s an old board ordained resolution from the 1990s they rely on using prop 162 as the basis of their authority. They have broadened the contracting type beyond what Dept of General Services allows other agencies (spring fed pool contracts are outside state guidelines. I’m not aware of any other state agency that uses this approach). It seems like DGS, CalHR and CDT should periodically audit CalPERS systems and processes to make sure they are sufficient — don’t think that’s happening.
Marcie is trying to get legislation passed that would make Doug a permanent civil service classification and get a big ole raise. He’s really operating like a chief of staff/handler to Marcie and not as a COO/Chief Administrative Officer like you’d expect him to be operating. This is all in an effort to get the legislation passed. Kim Malm who runs operations is a big giant bully. The board elections and contracts are under her helm but she’s too busy politicking and gossiping and bullying, it’s a joke. Doug protects her because she is a source of gossip and does his dirty work. Anytime someone tries to complain about her, it gets swept under the rug. Many of the professional staff are mortified by the shenanigans of the execs. The place is being run like high school and not like a business.
Now to some specific examples:
Gutting of Audit Services. We discussed and documented this extremely troubling development in a recent post, how CalPERS’ Office of Audit Services has been crippled by high levels of turnover and vacancies, poor morale, and most important, the loss of independence. Law professor and white collar criminologist Bill Black’s reaction:
Yes, very bad. CalPERS’ top management is determined to do the wrong things – and wants to improve the odds they can get away with it. That is the only reason, given the nature of its business, that the leaders would gut internal audit. Internal audit, like underwriting at a bank, is a great test of managers. If they are incompetent or sleazy (or both) they see audit and underwriting as cost centers. It they are competent and people of integrity, they see that great controls and underwriting are the core of investor (and bank) profitability and survival.
Failure to report criminal hack of CalPERS records to the authorities as required; persecution of victim instead. Due to other events interfering, I am not able to write up Michaels v. CalPERS as I had intended; I hope to get to that in the next few days. I’ve embedded the filing at the end of this post for those of you who want to have a go at it now. CalPERS has declined a request for comment.
What should concern CalPERS beneficiaries is that among other things, this filing describes a prima facie case of criminal hacking. CalPERS employee, who was on extended leave during a disciplinary investigation (she faced multiple complaints of workplace bullying and harassment) came into CalPERS after hours, obtained access to the personnel records of Nancy Michaels, who had been required as part of the investigation of the complaints against Lorenz to give testimony. Lorenz had no legitimate access to these records. She either broke in electronically or had a fellow employee impermissibly give her access. The reason this is a prima facie case of hacking is that Lorenz then distributed these confidential records within and outside CalPERS. Michaels’ records were also altered (not clear by whom) to alter her start date in her current position to make it appear she had not passed the probationary period when CalPERS maliciously charged her with having secured her promotion improperly.
The reason this is not a mere workplace abuse of authority, but raises big red flags, is that:
CalPERS failed to report criminal hacking by Lorenz. This looks like a clear-cut violation of the Computer Fraud and Abuse Act (18 U.S.C. § 1030). That Act defines hacking broadly, penalizing intentionally accessing a computer without authorization or in excess of authorization. CalPERS and the State Personnel Board also violated California Penal Code section 502(c)(2), which requires that a data breach must be reported to the person whose data was exposed. Michaels was not informed; she found out by happenstance, and she still does not know the extent of the breach because CaLPERS and other agencies have refused to give her full unredacted copies of the documents Lorenz distributed.
CalPERS appears to lack tools to detect unusual IT activity. To have someone rooting around in personnel records at night and out of synch with any reason to access Michaels’ files should have triggered an alert and didn’t.
CalPERS appears to have poor control of its facilities and computers. Why was an employee on disciplinary leave allowed into the building at all and able to get access to any computer?
This fact set suggests that CAlPERS has lax security controls system-wide. It’s not very plausible to think that CalPERS would have wildly different standards across the different databases it operates.
Sequential, hack-friendly board member passwords that were also pasted to the bottom of their keyboards. You cannot make this up. Board member passwords followed a very simple formula, which not only made it trivial to hack into supposedly super confidential closed session records, and also meant that any former employee or board member could access these records. Even worse, if a board member insisted on changing the password to something secure, that was vitiated too. Instead of being allowed to choose their own (difficult) password, all they could do was add more numbers to the sequence! So if they had been assigned “admin1” they could make it “admin5644”. And then the new password was e-mailed, which in Board Member Margaret Brown’s case, meant not only that her secretary at her day job would see it, but all the people with admin access there could as well.
Recall that one reason fetishizes the secrecy of closed session information is that the claim that outsiders could somehow get rich trading against CalPERS by having access to it. Their amateur hour procedures here belie their posture of concern.
And 1.9 million beneficiaries depend on CalPERS to keep their personal data secure?
The only good news is that after agitating since February to fix this mess, board member Margaret Brown broke protocol to complain directly to the new head of IT, Christian Farland, who was suitably alarmed and is on the case. But even he didn’t believe how bad things were. From Brown:
In case you didn’t know our desktop computers are also updated periodically with sequential passwords.
I don’t know why we have passwords at all since the password is taped to our work area just underneath the keyboard.
Anybody with access to the offices, staff, janitors and maintenance personnel could easily get board information.
Farland said [he thought] the board area was secure. Brown disabused him of that idea:
I will take exception to access being extremely limited to the board area.
Are you aware employees come into the board area just to use the men’s restroom?
It’s happened a number of times when I’ve been in in my office working. There really is nothing exceptional about our restrooms but this happens when I’m working in the back. No other staff or board members are there. That board area is not secure or restricted if staff can come in any time they want.
Do you routinely run badge in and badge out reports for all doors with access to the board area? I would like to see those reports (last 6 months). Who reviews those reports looking for unauthorized, unusual or suspicious activity?
It happens more frequently than you know.
Also, please run the report for Saturday and let me know who was in there.
So this exchange points to another huge operation and security lapse: the failure to have systems in place that monitor unusual access patterns.
Refusing to intervene and assure delivery of mail to board members. New Board member Margaret Brown objected strenuously to the fact that the Board Services Unit was not only opening and screening board members’ mail, but even replying on their behalf without informing board members. When Brown, whose father had worked for the Post Office, complained about this practice to Frost, Frost’s response was that she couldn’t do anything about it because the Board Services Unit reported to Board President Priya Mathur. That is nonsensical because the Board Services Unit members are all CalPeRS employees and the only direct report to the board is Frost herself. But she refused to intervene until the press took notice. This abuse stuck in the craw of CalPERS beneficiaries. Even now, Brown reports that members of the public regularly ask her if she is finally getting her CalPERS mail.
Failure to address abuses by Board member and the Board Services Unit of having board members pre-sign blank forms. General Counsel Matt Jacobs stated this practice was “wrong” in January, yet it went uncorrected until we publicized it in May. Will CalPERS shape up only when the media exposes bad conduct?
As we showed in a later post, Doug Hoffner approved some of these law-breaking travel claim forms, so Frost and CalPERS cannot claim this is a “whocoulddanode” abuse within the board ranks.2
Implementing corrupt election methods, most of all, insecure, audit-trail free, tamper friendly Internet voting. As we wrote, experts disapproved of Internet voting even before worries about Russian election hacking became a daily news staple. The latest group to say Internet voting should not be used, and any current efforts should be reversed ASAP, is the National Institutes of Sciences, Engineering and Medicine, based on a two year study.
To make this sorry picture even worse, CalPERS’ vendor for Internet and phone voting is Everyone Counts, which has regularly been criticized for its poor performance. Everyone Counts also does not provide a paper trail. CalPERS refuses to publish election results by voting channel, which would serve as a check against gross abuses of these not-auditable voting methods.
And if you think our charges of election-rigging are exaggerated, please read:
Copyright fiasco. CalPERS paid nearly $4 million to settle copyright infringement claims with the Wall Street Journal, the Los Angeles Times, and the New York Times. The Daily News Summary was e-mailed every weekday. CalPERS had the full text of copyrighted articles in the Daily New Summary hosted on its own servers without having obtained the right to publish them. Anyone with an operating brain cell could see this was copyright theft, yet no one, from Frost on down, stopped it.
Unprecedented site wide crash and protracted outage. On the weekend of August 26-27, CalPERS entire site went down. This was a crash, not scheduled maintenance, despite the slap-dash effort to claim otherwise:
I got quite a few e-mails from people who have been CalPERS beneficiaries for decades, from before the days when the system had a substantial web presence. One compared the site falling over to the George Washington Bridge (one of the main routes from New Jersey into Manhattan) being shut with no notice. The site failure occurred almost immediately after a weekend beneficiary workshop demonstrating new site features, so the outage also substantially undercut the purpose of the workshop, since the intention was to have the people who participated go home and use the site while their memories were fresh.
The site was back up after roughly 10 hours. Even if you generously look at the downtime on an annual basis, this puts CalPERS at mere two sigma performance. Recall that Frost on her resume touted that she was an expert in “lean” as in “lean management techniques. “Lean” is a six sigma discipline. Servers that fall over are proof of a massive failure.
Mailer screw up. We are hardly all that plugged into inside CalPERS messes, but in the very same month that CalPERS had its massive site crash, CalPERS sent a mailer to some 20,000 members who are facing massive health care premium increases (nearly 20%) on their current plan (PERSCare) to show them other choices. CalPERS had initially planned to do this all online until one member pointed out that 14% of the target audience didn’t use computers. CalPERS sent a letter out that did not include the critical information, the brochure with the plan choices. One retiree alerted CalPERS to the screw-up; it would have gone unnoticed otherwise. CalPERS had to re-do the entire mailing, and sent the board a bafflegab letter in response to a compliant by a Long Beach State professor that served to obfuscate what his issues were.
Attempt to reduce transparency and accountability by getting rid of preparing transcripts of public board meetings. Because influential beneficiaries made a stink and we threatened to prepare, publish, and maintain archives of transcripts, CalPERS went into retreat and now posts these transcripts, when before, interested parties would have to use the Public Records Act to obtain them.
We’ll stop here so as not to overtax reader patience, but the picture should be clear: CalPERS is poorly governed, with a complacent board overseeing a management team where most operations have weak controls and poor procedures. This is a train wreck waiting to happen. And a CEO deficient in integrity, as proven by Frost’s multiple misrepresentations made during and after her hiring, compounded by her lack of interest in running a tight ship, means it will happen sooner rather than later.
1 Clive describes why Frost’s IT chops are a joke:
From reading between the lines, the great endeavour that was the creation of the Department of Retirement Systems seems to have faltered in the usual problem you have with this approach — you pool the (claimed) 15 retirement plans into a consolidated management apparatus, but that’s the easy bit. You’ve still got 15 legacy systems which were designed in isolation with no thought for interoperability. So trying to port these onto a single host platform is in the “nailing jello to a wall” category of projects.
Then you’ve got the balkanisation of the technologists — each of Whole will usually sit there through interminable meetings waffling on about “our system is best because…”, “no, I think you’ll find our system is best because…”
No serious corporate talent would ever work in such an outfit. It’s a bureaucratic make-work scheme and exists only because of unchallenged notions / perceived wisdom about economies of scale that never deliver on their promises — but once established, no one can admit defeat and pay the then required costs of breaking the thing up again.
If you’re able to swim in the inherently political waters (the “politics” being of both state and also the office (workplace) varieties) then you can get into a reasonably senior position, draw $100-200k-ish plus a sweetheart package of benefits and live nicely even in an expensive place like Washington. Not a bad life, of the 9.9% kind.
But no-one of top-flight CEO-caliber would work there for more than a few years as a stepping stone. If CalPERS were to look at the Department of Retirement Systems Director and think that is a read-across for an appointment as CEO for an organisation of CalPERS’ scale, they’d be completely clueless. CalPERS is four times the size in funds under management terms alone.
Now, turning to the specifics of the sort of work our friend Marcie would have been working on as “Head of IT” — luckily DRS has to go cap in hand and beg the state legislature for funding for projects, so we can take a look at their business cases to see the kinds of work they do. There’s only half-a-dozen or so key projects in their entire portfolio as far as I can tell. Here’s an typical example to local servers (which I’m assuming are legacy hardware from all those schemes they inherited) to the state’s strategic data centre:
It’s trivial. $500k in total project costs. That is barely above the radar for an organisation of any scale. Put it this way, I’ve got 12 projects in my work list at the moment, three of these are £500k+ and the rest are in the £100-250k range. And I’m barely mid-level.
None of DRS’ projects seem to have budgets above $1m. http://www.drs.wa.gov/administration/budget/budget-requests
In a sentence no position that I can find at DRS qualifies anyone as CEO of CalPERS.
2 It’s also hard to pretend no one at CalPERS knew about this abuse when it was codified in the Board manual.Second Amended Complaint for_ Damages and Equitable Relief; Request for Jury Trial 091718 (1)