Our Chief Financial Officer died. It’s a trauma on so many levels. There has been a lot to process. One thing it has highlighted is that there is a lot of our law library’s operation that doesn’t require a library degree. Also, that not a lot of that operation is transparent. Law library directors and those aspiring to lead law libraries need operational literacy beyond anything our library or legal education provides. Organizations need to plan for business continuity, not just of their systems, but also for their staff and processes.
I’ve seen it termed as succession planning but that makes assumptions that I think aren’t necessarily healthy for an organization. Succession planning focuses on people growing into roles on a more permanent basis. That may be a very small pool from which to draw long-term leadership in your typical law library. It also ignores the operational challenge: you need a skill set, but also an understanding of process, and access to tools (accounts, etc.). Someone who already has one role may not be able to gain expertise in another role until they’re actually in it.
Another term I’ve read about is transition planning, which is more of a business continuity approach. It is often in the context of leadership, a change in the executive management, but it transcends that. This makes more sense to me and can be designed both to ensure continuity between leadership and to document other roles within the organization that may be highly specialized or need more hands to complete.
We often do a good job of transition management in other parts of our law libraries. We refer to it as cross-training. This shared experience and training blurs the edges of staff knowledge, so that people who may normally only do reference or only acquire materials can also participate in other parts of the library’s operations. Reference librarians can step up to run a reference team, a cataloger may have insight into the entire selection and deselection process, even if they don’t always do all the roles.
Finance? HR? Facilities management? Marketing? Policy and lobbying? Fundraising? These are more lightly staffed roles in a law library, if they exist at all outside of the director. They’re particularly susceptible to continuity challenges. You can’t adequately cross-train a reference librarian and a bookkeeper. At some point, you need a division of labor that acknowledges subject matter expertise, capability within a knowledge domain.
If you’re a solo law librarian, then I don’t even need to explain this to you. You are already doing everything. As you reach the edges of your own knowledge domains, you may use outsourcing to fulfill those aspects of law library operations that stretch beyond. Increasingly, that’s something I’m thinking about as I think about how to make our library more resilient during future transitions: departures, retirements, deaths.
Firm Up Your Basics
One of the very first things I needed to figure out was how to access all of the CFO’s accounts. I needed usernames and passwords. And, in many cases, I needed their phone number. Bank accounts, accounting software and other cloud-based apps, insurance provider and payroll portals. Each one had a different approach to how they secured their accounts, some of which required an exchange of paperwork before I could even speak to anyone.
You would think some of this would be easy. Our Board passed a resolution in April that authorized me to be added as a signer on the library’s bank accounts. It took almost 4 months to get that access. During that time, a lot of our financial operations ground to a halt. I was only lucky that my green card had arrived, or I wouldn’t have been able to get into the accounts at all regardless of the Board’s action.
It wasn’t because I didn’t have a username and password. But I didn’t have my own username and password. And when you do anything related to a financial capacity, you want to ensure there’s an audit trail. You don’t have to look far for financial fraud in law libraries that shows the risk of weak financial controls.
A wise CFO who I once worked with commented on this challenge. Fraud and theft aren’t necessarily an indicator of a bad person with a plan. The issue arises when you have someone with motive and access. Financial controls inhibit the access – you can’t do anything about motive – to reduce the likelihood of people acting on bad motives.
I learned a lot. I immediately learned that the CFO had saved all of their passwords in Google Chrome. This meant it was a matter of a couple of clicks for me to export them all in plain text. I did this with my twin brother’s passwords too after he was taken hostage by the Russian government. You should not be saving your banking passwords or any other secure password in Google Chrome. If you sync those passwords, they can be exported by anyone who has access to your device.
I also learned that a lot of our financial passwords and account access were shared under a single username. The single username – just as I’d experienced with the banking accounts – and password were known to multiple staff users. This creates a multitude of issues. First, you can’t know who accessed an account and performed an action. Second, you have exponentially increased the possibility of loss of account control, since each person could potentially also be storing their passwords in insecure configurations, like web browsers or unencrypted Microsoft Excel files.
Some thoughts on password and account resiliency: shared password managers like Bitwarden, to ensure that work passwords are centrally managed or accessible, just like email accounts are; policy on not using a browser to save passwords; policy on not saving personal email passwords with work passwords, perhaps using browser profiles for separation and privacy.
The first thing I’ve done is to work through all of the accounts, changing passwords as I go. Then I’m attempting to take control of the accounts by creating my own username / account so that it’s distinguished from other staff. And, lastly, I’m creating new accounts for each staff person that needs to have access to an account and ensuring that they only have the amount of access they need to perform their role.
In some cases, this means providing more access than we had in the past. For example, none of our management team could see bank statements or our PayPal account or our accounting (budget) in real-time. They had to make requests through the financial staff. As I create new accounts, I’m adding them in so they can see more of our operational details.
Clean Up Time
I did not have a lot of time with our CFO to understand their part of the law library operation. I’m learning some things in real-time, with phone calls to providers who walk me through running this report or making that payment. Some things I’m learning from our finance manual, which had been updated periodically. Others I’m learning about with a “you’re getting audited!” email.
Unfortunately, the manual is out of date and also misses some financial activities. These are emerging as time passes and we hit weekly, monthly, and annual milestones in our fiscal year cycle. I’ve recently started to rewrite the manual, updating it as I go but also fleshing it out so that literally anyone could understand not only what to do but why. As I go, I’m flagging areas that have money aspects that are not documented, and will then go back through those.
My goal is to use the finance manual as a first block in a transition plan. Any senior manager or Board member should be able to pick up the manual and understand not only how to do a process, but why, how it works.
At the same time, one of our senior staff has started process mapping and this has been an opportunity to look at some of the finance processes. The maps will give our senior staff group an excellent road map. They’ll give us some chances to find more efficient ways to get from point A to point B without sacrificing audit and financial control considerations.
Another area I’m working on is updating our financial accounts so that they are attached to people who are currently on staff and accountable to the law library. For example, our PayPal account is in the name of someone who retired in 2019. We have a retirement benefits administrator listed who retired in 2001. We have credit cards that are in the names of individual employees, not the law library, and so we cannot unlink the law library from those accounts if the staff person is no longer with the law library.
I have been fortunate that I have some of the financial literacy I need, even if California creates some new challenges for me. I also realize I can’t know everything. So I’m following the threads I have or can see. The things I don’t know will arise in the future and I’ll just have to deal with them then if I haven’t stumbled upon them in advance.
In a lot of cases, this just means getting added to an account, converting myself to a primary account holder, and then deleting the old staff. In some, it’s not so straightforward. For example, all of our bill payments were made under one account and there’s no way to export the bill payees, even though it’s at the same bank and covers the same accounts. In this case, I’ll have to re-enter each payee manually as we pay a bill. There’s always a silver lining, though: as an account signer, I can delegate access to my list of payees. Going forward, other staff will be able to leverage this work.
In the case of PayPal – and with a lot of financial accounts – you have to prove who you are. So I have uploaded my personal documentation, photos of IDs, and so on, to get that process going. The next step, now that I have the account owner name changed, is to change the email address (which is currently blocked).
Clean up takes time. I was added to our bank accounts and needed to give them a phone number to get SMS texts with verification codes. But they can’t send codes to my phone number for 15 days. Until I can use my own phone number, I have to call a Chase banker who knows me, who then calls their tech support, gets the code, and sends it to me. All within a 10-minute window or the code won’t work. This means I can’t work on these issues outside normal business hours, because the banker isn’t available then.
Time for Transition Planning
I understand some of the slowness. We’re dealing with money access and lots of risk associated with money loss or misappropriation. Everyone has “i”s to dot and “t”s to cross. In fact, going slow is a good idea. We are using all of the current financial processes as best we understand them to ensure we continue creating paper and audit trails. A transition plan needs to take into account these delays and consider ways to reduce them without breaking the reasons for the caution.
One way is to ensure that senior or key staff have some of the same access the accountable people do. Unless it’s private data about individual employees, there’s no reason for staff not to have access to bank statements. So long as it’s part of a process that has financial controls built-in and staff have individual accounts, there’s no reason for only one person to be able to do critical tasks. This is a time to plan for backups and to improve operational literacy.
This has meant ensuring all senior staff can look at bank statements. It will mean using corporate-centric credit cards, so that they can be administered centrally and are not tied to personal financial accounts. It means using granular controls within PayPal and banking and other systems to broaden access so people can view reports directly, instead of using email forwarding rules to distribute information.
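The three account risks this post keeps running into (one login known to several people, accounts owned by someone no longer on staff, and critical accounts only one person can reach) can be checked against a simple access inventory. The following is an added example, not the author's own tooling; the CSV columns, account rows, names and addresses are constructed assumptions.

```python
import csv
import io

# Constructed sample inventory; column names are assumptions, not a real export format.
INVENTORY_CSV = """account,login,holder,role,critical
Bank,finance@library.example,Alex,owner,yes
Bank,finance@library.example,Sam,editor,yes
PayPal,retired.staff@library.example,Jordan,owner,yes
Payroll,alex@library.example,Alex,owner,yes
Accounting,alex@library.example,Alex,owner,no
Accounting,sam@library.example,Sam,viewer,no
"""
CURRENT_STAFF = {"Alex", "Sam"}  # constructed roster


def audit(inventory_csv, current_staff):
    """Return sorted (account, finding) pairs for the three continuity risks."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    findings = set()
    by_login, by_account = {}, {}
    for r in rows:
        by_login.setdefault((r["account"], r["login"]), set()).add(r["holder"])
        by_account.setdefault(r["account"], []).append(r)
    # 1. One login known to several people: no per-person audit trail.
    for (account, _login), holders in by_login.items():
        if len(holders) > 1:
            findings.add((account, "shared login"))
    for account, rs in by_account.items():
        # 2. Account owner is no longer on staff (retired, departed, deceased).
        if any(r["role"] == "owner" and r["holder"] not in current_staff for r in rs):
            findings.add((account, "owner not on staff"))
        # 3. Critical account that fewer than two current staff can reach.
        #    The critical flag is per account, so the first row is representative.
        active = {r["holder"] for r in rs if r["holder"] in current_staff}
        if rs[0]["critical"] == "yes" and len(active) < 2:
            findings.add((account, "single point of failure"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit(INVENTORY_CSV, CURRENT_STAFF):
        print(f"{account}: {finding}")
```

The inventory holds only who can reach what, never the passwords themselves, so it can be kept alongside the finance manual and re-run whenever staff change.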
Transition planning is challenging. Someone has to be responsible for it, probably the director. And when things are working, you may not realize they may in fact be on the point of breaking. This means that transition planning can’t be set and forget.
This has been like hiking up a mountain. At first, you can’t imagine how you’ll reach the summit. Then you get into the foothills and you start to see your path. And you realize that it’s probably not as steep as you imagined. Some of the lack of situational awareness becomes clearer as you hit turns in the track. You gain experience, your knowledge domain widens, you see patterns that weren’t clear before.
I recently had two questions that I thought were unrelated. How to access an account called X and how to withdraw cash. So I went over to the bank to make a deposit and withdrawal. I could do the first but not the latter, and it dawned on me that the account X is really account Y, which I knew I can’t withdraw from (no, I had no account numbers for account X, just a name). Now, I could identify the correct account from which to make a withdrawal and I had greater understanding of our money flow.
One of our Board members commented on how this was an unprecedented turmoil and tragedy. And I’m hopeful that’s the case. At the same time, it’s totally within the realm of possibility that it could happen again and so there’s no reason for us not to be better prepared the next time.
It is ideal for a law library director to understand the operations with some degree of detail. Normally, I would not delve this far into operational work that was someone else’s responsibility. But I’m learning enough to be able to backstop the work as well as to document it. In the end, the investment of learning and understanding should create better continuity for our law library’s future transitions.