
2 December 2014: From Risk Awareness to Full Control: SAP Governance, Risk and Compliance Workshop

Join our SAP GRC Workshop and develop the requisite skills to see how SAP GRC solutions can support your risk management and control initiatives.

Click here to download the SAP Governance, Risk and Compliance Workshop program and invitation

The topics include SAP Access Control, Process Control and Risk Management.

09.00 – 09.15 AM  –  Welcome Note

09.15 – 09.30 AM  –  Introduction of Participants

09.30 – 10.15 AM  –  Common Challenges regarding Governance, Risk and Compliance / What business cases have led to SAP GRC PC/RM Implementations

10.15 – 10.45 AM –  Introduction to GRC as a Methodology and SAP AC/PC/RM

10.45 – 11.00 AM –  Break

11.00 – 10.45 AM  –  Risk Management Drivers / Drivers for Implementing PC as well as RM Current State / RM Future State

10.45 – 12.15 PM  –  Why go for SAP GRC and not for other GRC products?

12.15 – 12.30 PM  –  Next Steps – Evaluation Form / Individual appointment

12.30 – 13.30 PM  –  Workshop Conclusion and Lunch / Snack / Networking Time

Facilitators:

Roelof Jan van Urk – IncQ Consulting Ltd. Director

Marcel Huijskens / Sriram Ruthala – XSControl Ltd. Directors


Date: 2nd of December 2014

Time: 09.00 AM -13.30 PM

Venue: Similan Meeting Room, SAP Thailand Co.,Ltd, 9th Floor Liberty Square Building, 287 Silom Road, Bangrak, Bangkok 10500 Thailand

IncQ Consulting is a young dynamic company founded in 2010 in Singapore. IncQ focuses on Management Consulting and IT services in the area of SAP. With offices in Singapore, Malaysia, Thailand, Hong Kong, Indonesia and the Philippines we cover most of South East Asia.

IncQ Consulting and XSControl have established themselves in the APJ market, having delivered every SAP Risk Management implementation in the region.

Contact:

IncQ:  Roelof.vanUrk@incqconsulting.com or +66-800 674 673

SAP:  Dulthida.tanprayon@sap.com or +668 1874 8784

There is only one way to manage your organization’s biggest risk

IncQ Consulting recently had our leadership conference on the beautiful Island of Phuket, Thailand.  Apart from wanting to make you jealous, I would like to share with you two slides from the presentation that was given to the IncQ Consulting Practice Leaders on Governance, Risk, and Compliance and then make some comments on it relating to the recent Walmart incident.

The first slide shows the historical drivers for significant market capitalization decline, categorized broadly into strategic, operational, legal and compliance, and financial risks.

[Slide 1: historical drivers of market capitalization decline]

The second slide represents some results of a survey conducted by KPMG.

[Slide 2: KPMG survey results]

A caveat on the market capitalization decline drivers: To keep the chart readable, a fundamental piece of data is missing – the interrelationship between the risk drivers and the risks. In the interest of trying to keep this blog short, I’ve drawn up some examples of how risk drivers and risks may be interrelated and therefore increase the likelihood of other drivers and risks. It can lead to what is called the Domino Effect and, if uncontrolled, will often lead to multiple catastrophic failures for the organization.

[Slide 3: examples of interrelated risk drivers and risks]

For simplicity, I’ve left out multiple impacts in different impact categories that are exacerbated by multiple risks, but let’s just say that I’m painting a very rosy picture of the domino-effect here.

Take the recent Walmart incident as an example of a simple domino effect.

http://www.nytimes.com/2012/04/25/business/wal-mart-says-it-is-tightening-internal-controls.html

A breakdown or absence of certain key internal controls led to bribery (and therefore a breach of compliance), which led to reputational fallout, which led to share price drops of around 12 percent on Monday and a further 4 percent on Tuesday.  It also resulted in fallout for the main Walmart parent company, which trades separately from Walmart Mexico, with drops of 5 percent on Monday and 3 percent on Tuesday.

Linking this back to the KPMG survey results, we see the not too surprising business complexity, reducing risk exposure and improving performance as top-3 drivers for GRC convergence.

[Slide 4: top drivers for GRC convergence]

The interesting figure that I will focus on for this blog is the 4th driver.  This driver is the first that the CEO has actually singled out as an explicit risk type, i.e., the most important risk to be managed by GRC convergence is reputational risk.  This is risk-intuitive thinking.  Reputational fallout tends to be at the end of the domino effect and often affects share price.  Therefore, if we converge our Governance, Risk and Compliance frameworks and processes, and have a holistic, integrated, and coordinated approach to managing risks and domino effects, then we will avoid reputational fallouts such as the recent Walmart incident.  That is because analysing reputational risk will show multiple other risks pointing to it, with multiple drivers, allowing us to focus our key controls more accurately.  Some of these controls won’t even directly relate to reputational risk.  We’re managing reputational risk by indirectly controlling related risks.

Conversely, you simply can’t manage reputational risk in a silo. There’s no “preventative control” for reputational risk, only the efforts required to recover from reputational fallout.

Managing interrelationships between drivers and risks seems a little more difficult than managing risks in isolation, but there are two strong reasons to manage interrelationships between drivers and risks:

  1. Companies don’t usually collapse or have significant market capital decline due to a single risk. Only when multiple risks hit all at once and the organization is not prepared for them do we see collapses of this nature.  Multiple risks hit all at once mostly because of the domino effect rather than just bad luck.  The domino effect therefore is the biggest risk (impact) a company can face.
  2. It is impossible to make a judgement call on the appropriate level of control on any risks if we don’t understand the interdependencies and interrelationships with other drivers and risks.

[Slide 5: silo risk rating versus converged GRC rating]

As an example, a risk manager identifies a risk with a moderate likelihood and moderate impact.  Moderate control prioritization is made accordingly, based on the management of this risk in a silo.  A converged GRC process however would have identified the fact that this risk may significantly increase the likelihood of multiple, related, catastrophic risks.  The prioritization on this control should actually be very high.  Moderate control and monitoring of this risk is unduly exposing your organization to multiple catastrophic risks.

Mapping out the inter-relationships between risks and drivers by GRC Convergence.

How not to do it.

You don’t do it by listing your risks on a spreadsheet.  That would be the most granular silo there can possibly be (silo by risk).  I’ve yet to see anyone compile an accurate or even meaningful picture of their risks using a spreadsheet, and I’ve seen some amazingly complex spreadsheets.  I’ve had the following discussion with many Risk Managers telling me that their spreadsheet is sufficient technology for their $100m+ organization:

“If this driver happens, what will the impact most likely be?” asks Justin, pointing to line 250 on the spreadsheet as an example.

The Risk Manager proceeds to read out the risk description of line 250.

“So, the other 500 risks on your spreadsheet are all completely unaffected by this?” asks Justin.

Of course, they know that the answer to my last question is “no” or “I don’t know”.  The reality is, there is a more complicated impact than what they told me and the impact magnitude may be significantly higher than what they rated based on the fact that we now have multiple risk impacts all happening at once.  It’s much too difficult to comprehend this using a list of risks on a spreadsheet, but we must understand this if we are to protect our organization from the biggest, most catastrophic domino-effects.

How to do it.

It’s actually very simple if you use decent Risk Management technology.  You need good people, good process, and good technology, in balance.  I’ve seen the best people, with the best risk management frameworks and processes, using Excel lists, and it’s significantly holding them and their organization back.  It’s like turning up to a Formula One race in a horse and cart.  Even with the best race driver in the world, it’s still not the best holistic solution to meet objectives!

Risk Management technology should be able to answer the following 5 questions within a few seconds:

  1. Can we easily see and analyse interrelated drivers and risks?
  2. Can we calculate the expected impact of all of the interrelated risks for any specified risk driver?
  3. Can we see where the real weaknesses are and appropriately prioritise controls on the risks that may not be damaging in isolation, but can trigger other catastrophic risks?
  4. What are our real top 10 risks and their drivers, and how are we monitoring them (including their interrelated risks)?
  5. Where should the CEO be placing focus to protect the organisation?
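The two scoring views contrasted above (a risk rated in a silo versus the same risk rated with the domino effect it can set off) and the first three questions in this list can be made concrete with a small dependency-graph model. The following is an added illustration, not IncQ's tooling or anything from the original post: the risk register, drivers, conditional probabilities and dollar impacts are constructed sample data, and the assumption that independent triggers combine as noisy-OR is mine. It scores each risk two ways and ranks them, so the moderate-looking control failure rises from fourth to first once its downstream risks are counted.

```python
"""Domino-aware risk scoring over a driver/risk dependency graph.

Added illustration; the register, probabilities and impacts below are
constructed sample data, not IncQ's or any client's figures.
"""

# Constructed risk register: standalone likelihood (per year) and impact ($m).
RISKS = {
    "R1": {"name": "Key internal control not operating", "likelihood": 0.30, "impact": 2.0},
    "R2": {"name": "Bribery / compliance breach",        "likelihood": 0.05, "impact": 20.0},
    "R3": {"name": "Reputational fallout",               "likelihood": 0.02, "impact": 150.0},
    "R4": {"name": "Share price decline",                "likelihood": 0.02, "impact": 400.0},
    "R5": {"name": "Minor IT outage",                    "likelihood": 0.40, "impact": 1.0},
}

# Constructed risk drivers: likelihood of the driver and the risks it triggers.
DRIVERS = {
    "D1": {"name": "Aggressive expansion target", "likelihood": 0.6, "triggers": {"R1": 0.5}},
}

# Risk -> {downstream risk: P(downstream occurs | this risk occurs)}.
EDGES = {
    "R1": {"R2": 0.4},
    "R2": {"R3": 0.7},
    "R3": {"R4": 0.8},
}


def _topological_order(graph, start):
    """Nodes reachable from start, in dependency order; rejects cycles."""
    order, state = [], {}          # state: 1 = on the stack, 2 = finished

    def visit(node):
        if state.get(node) == 1:
            raise ValueError(f"cycle in risk graph at {node}")
        if state.get(node) == 2:
            return
        state[node] = 1
        for target in graph.get(node, {}):
            visit(target)
        state[node] = 2
        order.append(node)

    visit(start)
    return list(reversed(order))


def propagate(graph, start, p_start):
    """Probability that each node reachable from start is triggered, given
    start occurs with probability p_start.  Several inbound paths are combined
    with noisy-OR (assumption: triggers are independent)."""
    prob = {start: p_start}
    for node in _topological_order(graph, start):
        p_node = prob.get(node, 0.0)
        for target, cond in graph.get(node, {}).items():
            p_via = p_node * cond
            prob[target] = 1.0 - (1.0 - prob.get(target, 0.0)) * (1.0 - p_via)
    return prob


def silo_expected_loss(risk_id):
    """The spreadsheet view: likelihood x impact of the risk on its own."""
    risk = RISKS[risk_id]
    return risk["likelihood"] * risk["impact"]


def domino_expected_loss(risk_id):
    """Likelihood of the risk times the impact of everything it can set off."""
    prob = propagate(EDGES, risk_id, 1.0)
    chained_impact = sum(p * RISKS[r]["impact"] for r, p in prob.items())
    return RISKS[risk_id]["likelihood"] * chained_impact


def driver_expected_impact(driver_id):
    """Expected impact, across all interrelated risks, of one risk driver."""
    driver = DRIVERS[driver_id]
    graph = dict(EDGES)                      # shallow copy; EDGES stays intact
    graph[driver_id] = driver["triggers"]
    prob = propagate(graph, driver_id, driver["likelihood"])
    return sum(p * RISKS[r]["impact"] for r, p in prob.items() if r in RISKS)


def ranking(score_fn):
    """Risk ids ordered from highest to lowest score."""
    return sorted(RISKS, key=score_fn, reverse=True)


if __name__ == "__main__":
    print(f"{'risk':5} {'silo':>8} {'domino':>8}  name")
    for rid in ranking(domino_expected_loss):
        print(f"{rid:5} {silo_expected_loss(rid):8.2f} "
              f"{domino_expected_loss(rid):8.2f}  {RISKS[rid]['name']}")
    print(f"D1 expected impact: {driver_expected_impact('D1'):.2f}")
```

With this data the silo ranking puts the share price decline (R4) first and the failed control (R1) fourth; the domino ranking puts R1 first, because its 30% likelihood carries a chain worth far more than its own $2m. The cycle check matters in practice: a register that lets two risks trigger each other has no well-defined propagation, and a tool should refuse it rather than loop or silently double count.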

The more relevant the question to the organization, the less accurate the answer will be when using a spreadsheet. Spreadsheets are only ok at answering questions that aren’t really all that helpful to the CEO. A CEO is not interested in a spreadsheet of 500 or 1000 risks, as the CEO is typically working in magnitudes far greater than each of these risks alone and it’s just too much for him or her to become familiar with, and to do something about.

The CEO is interested however, in ensuring the biggest risk to the organization is appropriately managed. The only way to do this, is to properly identify interrelationship and the domino effect.

But Risk Management technology is expensive!

Only if you ignore the cost of not having Risk Management technology. 

Action points

I would like you to do the following (assuming you’re not up to your eyeballs trying to continuously update spreadsheets with risks):

  • Look at your risk management technology and ask yourself those questions that I posted above.  Can you easily answer them?  Any decent risk management technology should have each of those questions answered by a simple report or dashboard.
  • If you’re using Excel spreadsheet lists, try to map the relationships between the risks and drivers and each other.
  • If you manage to do this, then contact me ASAP as you’ve just done something that I’ve never seen before and I would be thrilled to see it! 
  • If you can’t do this, then contact me to talk seriously about some technology that will support you.  If not me, contact some other trusted risk management advisor (I assume you don’t have one if you’re still using spreadsheets).

There is so much decent Risk Management technology available at the moment for different industries, different organizational sizes and different price-points, you would be doing yourself and your organization a huge disservice if you weren’t to seriously consider talking to someone about it.


Tipping the success scales in your favour

I live in a country where I see everyday people trying to influence their luck.  From burning incense and praying to numerous different gods, to burning paper representations of gifts to their ancestors, and hanging little trinkets from their rear-view mirrors in their car.  This is a foreign, albeit really interesting concept to me.  I wish them all the success they are praying for, but this approach isn’t for me.  My approach to influencing luck doesn’t look anything like this.  My approach is world recognised, is completely non-spiritual, is business-centric, and has been proven to work across all industries in many countries around the world.

This blog is to provide some practical measures to ensure your business has ‘luck on its side’.  

An old saying goes “Success takes 10% high-intelligence, 50% hard-work, and 40% good luck”.  Hard work is drilled into us from when we first attend school, or sometimes earlier.  The realities of high intelligence become apparent to everyone somewhere along the line.  But what about good luck?  I’ve heard three schools of thought on good luck:

  1. It is just something that happens or doesn’t happen and there is absolutely nothing we can do about it.  So, let’s forget it’s there.
  2. Always think positively, because positive thoughts attract good luck.
  3. You can proactively influence and leverage from good luck.

School of thought number 1 is basically saying that the 40% contribution of luck to success is completely out of our hands.  We brute-force our way to success with the shackles of whatever bad-luck comes our way.  This is not useful to us at all.

School of thought number 2 is somewhat useful.  You can read about this school of thought on numerous other blogs I’m sure, and in self-help books called ‘The Power of Positive Thinking’ or something similar.  I give it some merit in that someone who gives up after striking bad luck will more often than not be worse off than someone who maintains a positive attitude and tries to fix things.  In a way, this is part of managing luck, but it is only a fraction of school of thought 3.

School of thought 3 is what this blog is focussing on.  Real influence over luck.  Mitigate the fallout from bad-luck, and grow the positive of good-luck.

Proactively Manage Luck

It doesn’t matter if your organization is small with only 10 people or large with 100,000 people.  With luck contributing 40% towards your success, it is definitely something worth managing now.

This flow chart below gives you a preview of a pro-active, world recognised best practice process for managing luck.

[Flow chart: tipping the success scales]

This may seem familiar to some of you.  I have taken part of a process from best practice, ISO31000, and replaced the word ‘risk’ with ‘luck’.  Why?  Because risk is luck and luck is risk.  Risk is the possibility of something occurring that influences your ability to achieve your objectives.  It can be good.  It can be bad.  Somewhere along the way however, people started seeing risk management as only focussing on the negatives.  Somewhere along the way people started seeing risk management as a huge overhead and something not worth managing.  I’ve used the term ‘luck’ here as an opportunity to review Risk Management free from the preconceived ideas, and re-evaluate it from a fresh point of view.

The reality of risk management is that it is one of the largest contributors to business success.  Even if it were a large overhead, it is still something that all organizations should be doing.  I’ve heard counter arguments that ‘good executive decisions’ are the largest contributor to business success and I agree to a certain extent with the following clarification – decisions can only be good when the risks (both positive and negative) are well understood.

The second reality is that risk management is in fact NOT a large overhead.  It is something that we are all doing already.  Without a consistent organizational framework, without appropriate governance, supported by an optimized system of people, process, and technology however, your risk management system is not working as well as it should be.  You’re not as successful as you could be and your risk management systems have a larger overhead than need be.

The third reality is that effective risk management that truly contributes to business success is so seldom implemented in an organization that it is in fact a differentiator amongst competition.  It separates the organizations that seem to succeed or fail depending on the general ‘flavour’ of the world economy versus organizations that thrive no matter what is going on around them.

Principles of Risk Management

Looking at the principles of Risk Management according to ISO31000, we can see that in fact the concept of risk management has always been to contribute to business success.  There’s nothing in there that indicates that it covers only negative risks or that it will take a lot of time and/or cost a lot of money.

If you’re not familiar with the ISO31000 principles, or just haven’t read them for a while, please take your time reading the principles below and challenge your pre-conceived ideas of risk management.  I’ve read them many times, and every time I do, I still have an ‘ah ha’ moment!

a) Creates value
b) Integral part of the organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization

Next Steps

Not convinced yet?  Fair enough.  There are a lot of concepts out there claiming to be the number one contributor to success.  So, I leave you with an opportunity (being a popular term for positive-risk).  Contact me for a free Value Lifecycle Management service relating to Enterprise Risk Management.  We will have a Senior Advisor visit you for a week to understand your objectives, your people, structures, cultures, processes, and analyse your enterprise’s current state.  The deliverable of the service is a future state solution that meets your requirements and will help you achieve your objectives, a roadmap to get from your current state to future state, and business case including costings and benefits, all tailored to your organization.  We include all figures provided by you and used, all calculations and algorithms, and case-studies.  The future state will explicitly address any concerns you may have about resistance to change, complexity of implementing a future state, and other organizational priorities that you may have.  We will present our business case to you and to any other stakeholders in your organization that you feel appropriate.

Of course, this is an obligation-free and cost-free service to you.

Enterprise Risk Management versus Sarbanes Oxley

Back in 2002 the Sarbanes Oxley Act was enacted as a response to the shock collapse of Enron and, as a result, a sudden awareness that there weren’t really enough legal controls on accurate financial reporting for shareholders.  I say ‘shock’ collapse, as none of their shareholders had any idea that the company was in trouble, and in fact, not even their external auditors, Arthur Andersen, who collapsed shortly afterwards due to unrecoverable reputational fallout, had any idea that the company was in trouble.  There were other organizations also involved in corporate and accounting scandals around the same time as Enron, such as Adelphia, Peregrine Systems, Tyco International, and WorldCom.  Simply speaking, the Sarbanes Oxley Act of 2002 was enacted as a way to legally enforce minimum standards to ensure the financial statements are reasonably accurate for companies that publicly trade in the US stock markets.  Key sections of the Act include:

  • 302: Disclosure controls
  • 303: Improper influence on conduct of audits
  • 401: Disclosures in periodic reports
  • 404: Assessment of internal controls relating to the compilation of financial statements
  • 802: Criminal penalties for influencing US Agency investigation
  • 906: Criminal penalties for CEO/CFO financial statement certification
  • 1107: Criminal penalties for retaliation against whistleblowers

In concept, I think this Act is absolutely necessary.  Shareholders have a right to know what they’re buying.  There is some criticism about the cost of compliance with the Act.  I personally find these criticisms shocking.  All companies with shareholders should be complying with these basic principles anyway!  The Act simply asks you to prove it.  The cost should be relatively insignificant, and considered part of the cost of public trading, much like food manufacturers accept the fact that a nutritional breakdown of their food is supplied to their buyers – it is necessary information for the potential buyer.  Companies that say it’s very expensive clearly didn’t have any of these controls in place and if I were a shareholder of one of these companies, I would be very very unhappy.

I noticed an interesting side-effect to the introduction of the Act over the years.  A large number of companies that I have had discussions with, who probably had nothing in place before Sarbanes Oxley, thought that it might be a good idea to kill two birds with one stone and use the Act to guide a new Enterprise Risk Management capability in their organization.  Some of them had no Risk Management capability in their organization previously (again, shocking), or if they did, it wasn’t as mature as what the Act required of them, so they took a major direction change with their existing Risk Management capability, and based it all on Sarbanes Oxley principles.

The trouble with this decision is that Sarbanes Oxley has nothing to do with managing your enterprise risks.  It is about telling shareholders the state of the organization so that they can make educated decisions on what price to buy/sell the shares.  Risk Management is about understanding the probability and impact of events, in order to exploit or reduce/manage them to improve the performance of the organization and to reduce the damage caused by negative events.   Sarbanes Oxley doesn’t care if your organization thrives or collapses and does nothing to influence business success.  Sure, there is an overlap, but a small overlap.  There are some events that could cause a material misstatement to the financial statements AND damage the organization.  But there are many events that could cause material misstatement to the financial statements (Sarbanes Oxley), but not really a lot of damage to the organization (Enterprise Risk Management), and even more the converse – there are a lot of events that may cause significant and unrecoverable damage to the organization (Enterprise Risk Management), but not cause a material misstatement to the financial statements at all (Sarbanes Oxley).  Ironically, Arthur Andersen, the external auditors whose failures triggered the development of the Act, collapsed due to a risk event that had nothing to do with the accuracy of their financial statements.


So, does this mean that basing an Enterprise Risk Management function on Sarbanes Oxley is not ideal, but is better than nothing?  I.e., some risks will be detected, but not all?  My answer is NO.  Basing an Enterprise Risk Management function on Sarbanes Oxley is worse than nothing, in my opinion.  I’ve seen some organizations with Sarbanes Oxley-based Enterprise Risk Management functions be over-confident in their ability to manage their risks.  They made decisions based on this over-confidence, and now some of these organizations no longer exist.  Some of these organizations were not able to analyse and respond to the impacts of the Global Financial Crisis on time, because their risk assessments were always made in context of financial statement accuracy.

I am currently working with a large mining organization, and they have it right.  We are working on bringing together their Governance, Risk (Enterprise Risk Management), and Compliance (e.g., Sarbanes Oxley) functions with a holistic system of people, process, and technology.  We are identifying their risks that have a potential inherent material impact on their organization (Enterprise Risk Management), including financial, reputational, and health and safety risk impacts, and we’re identifying risks that have a potential material impact on the accuracy of their financial statements (Sarbanes Oxley), amongst other risks of course.  We’re integrating what is otherwise a very good, yet siloed, approach to their risk management and compliance.  We can test a control that relates to material risk and Sarbanes Oxley once, and it flows up to their Enterprise Risk Management reporting and their Sarbanes Oxley compliance.  The expected value to their organization is huge.  More value than almost anything else they can do right now.

If you think that your organization is using Sarbanes Oxley compliance to drive Enterprise Risk Management, please contact me or anyone else at IncQ Consulting or your trusted Risk Management advisor for help as soon as possible!  You really need to start focusing on the risks to your business, not just the risks to your financial reporting.  Time is unfortunately not on the side of organizations with Sarbanes Oxley-based Risk Management, and nothing is too big to fail.

Does your CFO, CRO and CEO speak the same language when making decisions?

3 Dimensions you need to look at integrating your SAP system

In our latest SAP Insider special report we talked about integrating SAP systems transforming your boardroom. We described how the interaction between the CFO, CRO and CEO can be supported to unlock predictive insights and come to better decisions. This is possible only by using common SAP tools that are integrated in a way they were designed to be used. We explicitly explained how your strategy management (SSM), business planning and consolidation (BPC) and risk management (RM / GRC) system can work together flawlessly so the decision makers can make use of the information without having to deal with a complex system landscape. Link to SAP Insider article.

Integration in this scenario is not just a technical word. In fact to overcome silo-ed, modular system usage and make information accessible intuitively to executives three things have to be taken into consideration – the strategy and process, the system landscape itself and the data.

3 Success Factors when integrating your strategy, planning and risk management system 

  1. Holistic and overall approach of decision relevant processes

    One of the biggest success factors is actually the company strategy itself and the processes related to it. What are our strategic targets? What processes need to be in place to get us there? Who is going to drive it? This sounds simple but is one of the major factors for non-success.

    Transferring this to the processes to be integrated, it is crucial to approach every process holistically on the one hand, and to get an overall view across the processes on the other.

    For example, to get a holistic view of the risk on an initiative you should not only concentrate on the risk appetite of the organization and put measures and controls in place to manage it, but at the same time use the risk management process to look at the upside of the initiative, to maximize the impact and likelihood of the opportunity.

    One example to achieve an overall view across Strategy Management and the Planning, Forecasting and Budgeting process is to manage the same initiative in both processes. Strategy Management enables you to develop an integrated set of choices. This strategy should then be translated in the Planning, Forecasting and Budgeting process into annual target-settings, revenue projection and budget development.

  2. Integration and Performance – the two drivers for the system architecture

    A typical BI system landscape would include source systems (SAP and non-SAP), SAP BPC, SAP GRC, SAP BOBJ and eventually Predictive Analysis (InfiniteInsight). A lot of organizations already have a selection or all of these in their BI system landscape but are using them in a siloed, modular way.

    To go the last mile and have a “real” integration of the single systems you already have in place you should consider two success factors – Integration and Performance.

    From the integration perspective, SAP manages the matter in general by using BI (BW) to interconnect information between different systems. For SSM, BPC and GRC a direct integration is possible, which allows you for example to create initiatives within SSM that directly align with line items in BPC and pull budget and actual spend.

    From the performance perspective, HANA is one solution that supports data processing for decisions instantly. Additionally, response time should always be a driver when modeling data or building reports.

    All this sounds simple, but when doing so you need to create interconnections that reflect the processes – e.g. projections integrated with and based on historical data, integration with different levels of risk, and eventually mapping all this information into a dashboard. All this needs a deep understanding of technology and business process at the same time. You need specific knowledge of the single systems and processes in the landscape, and at the same time it is crucial to understand the integration of the single systems and how it affects the response time.

  3. The foundation of any decision supporting system – Data Management Strategy and Master Data Approach

    Strategy, process and systems are very crucial for integration success, but even with the best system integration, design and performance, not having correct data in your results would make a project fail. So the third crucial dimension is data quality, the master data approach and the data management strategy.

    Especially when integrating multiple systems, “one version of the truth” is the foundation of the integration. This includes clearly defined KPIs, data mapping rules depending on the variety of source systems, and data consolidation with clearly defined consolidation rules.

    Again, this does not only refer to the technical master data definition, like using the same code length, but especially to the business meaning of the data, which can differ from source to source.


So in order to create “one version of the truth” and guarantee a flawlessly working environment where system complexity and solutions are invisible to the business, a lot of business and technology know-how needs to be in place when building the integration. Talk to us and profit from IncQ’s broad Performance Management and Risk Management experience.


Copyright © 2019 IncQ Consulting - Web development by EasyWebStarter