Shattering Perceptions About Audit Committees

Imagine driving a car with a speedometer in the rear. When you crash, a voice from the back of the car gives the depressing message – “You crashed because you broke the speed limit of 60 miles an hour”. Now this question will get most of the auditors and risk managers upset, but I shall stick my neck out on this one. Don’t you think this metaphor fits the role audit committees are fulfilling presently?  Should the audit committees function differently to help the CEO and board members perform better?

I am sharing below come controversial views on role and performance of audit committees. Let us say, I am auditing “auditing committees”. It might force you to rethink some issues. Do you share my views or hold different views?

1.  Formation of Audit Committee

Generally, audit committees are formed with 3-4 non-executive independent directors. The premise is independent directors are in a better position to give impartial and unbiased views. Hence, the committee is entrusted with responsibility of advising the board on effectiveness of systems of internal controls, compliance and governance in relation to financial reporting obligations.  The pertinent questions that arise are whether the independent directors are actually independent and capable of fulfilling their responsibilities. To shed light on this area, I am discussing some scenarios on appointment of independent directors.

Usually, independent directors are invited to join the board since they are either socially connected to the CEO or some other director. Delving into their backgrounds reveals commonalities between education, employment and/or social background. A board survey done in 2005-2006 in India showed that a “good 90% of the non-executive independent directors were appointed using CEO/chairperson’s personal network/referrals, and the remaining 10% through executive search firms.”

 Another challenge is getting independent directors with the right industry experience and expertise. To illustrate, in 2010 48% UK FTSE companies were unable to comply with the provision of 3 non-executive directors forming the audit committee, as there were  insufficient non-executive directors available in the board. Moreover, around 10-11% of the companies did not specify a director with relevant financial expertise.

Looking from another angle, appointment of independent directors to other company boards is dependent on favorable reviews and recommendations from existing board members. In light of this, wouldn’t the audit committee members be tempted to look the other way and avoid raising issues where CEO or board involvement is suspected in frauds. Can we really consider them independent?

Additionally, the value-add provided by the audit committee members is sometimes questionable.  I couldn’t find specific data relating to India, but Grant Thornton report on UK companies states that audit committee meetings on an average were held 4-5 times during the year and non-executive directors attended meetings on an average 17-18 times during the year. If I do back of the envelope calculations,  in rare cases only audit committee members would be spending more than 10 days per annum to fulfill their responsibilities for a particular company.

Considering this, I personally have doubts whether audit committee members are in a position to understand the complexities of business, the control environment and various risks impacting the organization. Keeping the size of organizations in mind and their global spread I sometimes feel that audit committees provide an illusion of confidence to shareholders rather than real confidence.

 2.  Selection & Appointment of External Auditors

 The appointment and selection of external auditors is one of the key recommendatory functions of the audit committee. The board in the annual general meeting generally proposes the name of the external auditor recommended by the audit committee.  .

Hence, the assumption is that audit committees take this responsibility seriously. I came across this Economic Times article “Can the big four survive a break-up attempt”. It highlighted some interesting facts:

• In top 100 (US) companies, the average tenure of audit firms was 28 years. 20 companies had the same audit firm for 50 years or more.
• 85% of the companies in EU are audited by big four.
• 99% of the audit fees paid by FTSE 100 (UK) in 2010 were earned by big four.
• Just 2.3% of FTSE firms changed their auditor between 2002 and 2010.

Separately, a Grant Thornton 2010 report states that average duration for UK FTSE companies of an external auditor is more than 31 years. Additionally, 55% companies provided minimum insight on selection process of external auditor and just 15% companies provided detailed information on the decision-making process.

I am going to let you decide whether with these facts you can presume the audit committees are ensuring proper selection and appointment of external auditors. The logical argument given would be that big four have the geographical reach and expertise to audit multinationals. I have a straightforward question – with the same audit firm continuing for numerous years, can one assume objectivity and independence in reporting.

I am personally in favor of the new Companies Bill 2011 (India) clauses relating to audit firm and audit partner rotations. It mandates rotation of audit firm every 5 years and audit partner every 3 years. In my view, that is a step in the right direction.

 3.  Relationship with Chief Audit Executive

Grant Thornton 2011 CAE Survey of US companies revealed some startling data. A quarter of the CAE’s had not met the audit committee chair outside of board and committee meetings. 29% had met 1-2 times and 31% had met 3-5 times during the year.

Another interesting fact from Grant Thornton 2010 report is that 13% of the UK FTSE 350 companies did not have an internal audit function. That is, 40 of UK largest companies did not have a third line of defense, so most probably didn’t have a CAE. Moreover, 25% of the companies did not disclose compliance to this provision in the reports. This fact is fascinating as in India internal audit is mandatory for listed companies and external auditors are required to comment on the function.

Seeing the above US data, that 85% CAEs had minimal interactions with audit committee chair, can one say that they have a good relationship with the chair and members of audit committee?  Without having a good one-to-one personal relationship, do you think audit committee members are in a position to assess the real performance of internal audit department or gather critical information about the company from the CAE. With such limited communication among audit committee members and CAE, would you have doubts on their effectiveness?

Now add to this, a CEO can terminate CAE services if s/he shares an opposing view than the board. Very few boards are mature enough to allow CAEs to constructively confront their ideas. Audit committee members may not be able to protect the CAE in all circumstances. Under these circumstances, would you say that audit committee and internal audit departments are effectively assessing the internal controls environment of the organization?

My view is that most audit committee members spend time on audit committee charter, internal audit charter and internal audit reports submitted by the CAE. They don’t delve deeply into  procedures used to conduct internal audits. Additionally, in some companies there might be just superficial support given to the internal audit function.

 4.  Challenging Board Decisions

Audit committees have immense power in the sense that it can challenge board decisions. As per Companies Bill (India) if the “board does not accept any recommendation of the audit committee, the same shall be disclosed in the report along with reasons thereof.” However, I have rarely seen a report that states audit committee’s recommendation was not followed. This would make us presume that audit committee members are exercising their power properly and keeping a control on board activities. However, the picture is somewhat different.

A KPMG Audit Committee survey conducted in 2010 mentions that – just 27% boards encourage contrarian views and discourage groupthink, 64% do it somewhat and 9% do not accept different viewpoints at all. As I had mentioned in a previous post, Satyam fraud case portrays board’s failure to exercise judgment. Although Satyam’s board consisted on renowned personalities, Central Bureau of Investigation report–

  “The members of the Board of Directors had acted as “rubber stamps”, unwilling to oppose the fraud. Not a single vote of dissent has been recorded in the minutes of the Board meetings.”

Moreover, the lack of personal accountability in independent directors’ mindset was apparent after Satyam fraud came into light. In a short period, subsequent to the disclosure of fraud 109 independent directors voluntarily resigned although their term had not ended, fearing being held liable for fraud or non-detection.

SKS Microfinance case is another example of the extent to which the board will not raise issues. CEO Suresh Gurmani was fired at the behest of the Chairman Vikram Aluka. Eight of the ten directors voted in favor of his termination, the other two were absent, although the CEO had no previous performance issue.

The situation is similar across the world. Enron, WorldCom or Swiss Air failure reflects board’s ineffectiveness. They are not exercising their powers judiciously for the benefit of the shareholders. In my opinion, audit committee members and other board members can do much more by challenging the viewpoints of the CEO and his/her team

5.  Evaluation of Finance Function

Ensuring the integrity of financial statements is one of the key responsibilities of audit committees. The members are required to review the financial statements with the external auditors before submission of the board.  Just to give you an example, Tata Motors 2010 corporate governance report defines the responsibilities of audit committee in respect to financial reporting as follows:

“Reviewing the quarterly financial statements before submission to the Board, focusing primarily on:

• Compliance with accounting standards and changes in accounting policies and practices;
• Major accounting entries involving estimates based on exercise of judgment by Management;
• Audit Qualifications and significant adjustments arising out of audit;
• Analysis of the effects of alternative GAAP methods on the financial statements;
• Compliance with listing and other legal requirements concerning financial statements;
• Review Reports on the Management Discussion and Analysis of financial condition, results of Operations and the Directors’ Responsibility Statement;
• Overseeing the Company’s financial reporting process and the disclosure of its financial information, including earnings press release, to ensure that the financial statements are correct, sufficient and credible;
• Disclosures made under the CEO and CFO certification and related party transactions to the Board and Shareholders.”

Hence, it is crucial to evaluate the performance of finance function.

As I had mentioned in an earlier post, CFOs after CEOs are the most likely people to do accounting manipulations. CFOs either do it on their own or at the instigation of CEO. Due to the nature of their role in preparation of financial reports, they are in the unique position to hide critical information, change accounting policies, pass dubious transactions and present false reports. A Satyam or Enron couldn’t have occurred without CFOs involvement.

Another aspect to look into is that the role of CFO has expanded and become more critical. CFOs are not only managing financial reporting, but also play a key role in strategy development, risk management and business monitoring. The question is what audit committees need to take into account to evaluate the performance of the finance function. Below are some pointers:

• Evaluate the role of the CFO in the organization to understand the functioning and power dynamics.
• Assess whether CFO is able to maintain independence and hold his/her own position with the CEO.
• Understand the logic given for changing accounting policies and methods, entering into transactions that may not be arms-length and inter-group company transactions.
• Review the history of accounting frauds and manipulations, notices from regulatory agencies and industry specific risk impact on the organization.
• Evaluate CFOs relationship with external auditors to determine whether he/she is unduly influencing them. Obtain CFOs viewpoint on qualifications and disclaimers given by external auditors.
• Review the systems and processes used for maintaining accounts and preparing financial statements. Understand the finance department organization structure and segregation of duties matrix.
• Determine CFOs focus on cost control, risk management, cash-flow management, and acquisition and mergers.

In my view considering the crucial role of CFOs, audit committees need to spend time understanding the various facets of finance function and gathering critical information to evaluate the integrity of financial reports.  From the past corporate scandals, one cannot assume that audit committees are doing a good job at raising red flags and/or identifying accounting manipulations.

 6.  Nature of External Reporting

The present day hot topic of discussion is about the aspects audit committees should include in external reporting. As such, law requires that audit committees review the financial reports and related media releases. The question is should audit committees ensure that a company sticks to minimal reporting requirements or should it go beyond them.

In my view, corporate governance is about building good and transparent relationships with investors, shareholders, creditors, public and regulators. Hence, information that contributes to a healthier relationship between management and other parties should be disclosed.

Let me explain my viewpoint. Taking the example of India, a number of listed companies are family owned-managed companies (example, Reliance group, Tata group, Birla group etc.). Shareholders, especially the minority shareholders do not have significant say in company. The perception exists that family owned groups sometimes do not invest funds for shareholder benefits and squander them for personal privileges. Moreover, Indian corporate laws are good on paper, the regulation is not so great, though improving. Hence, Indian shareholders are a vulnerable lot. Additional information builds trust and confidence as seen in the case of Infosys.

The business benefits for upholding transparency are huge.

• The market value of shares increases. Velocity of share trading is also higher than other companies.
• Financial institutions show more propensities to invest.
• Foreign investors – institutional and individual – are open to trading in the shares.
• The companies have lower legal and regulatory costs as regulators are comfortable.
• Customers prefer buying products from companies that are ethical and socially responsible, hence transparency impacts sales directly.

The most important job of audit committees and board members is to ensure that management aligns company and personal objectives with shareholder interests. If the company is doing bare minimum reporting then audit committee is not really keeping shareholder interests in mind. For instance,  Grant Thornton report of UK companies’ corporate governance practices mentions that of the 303 largest companies in 2009-2010, just 11% of the chairpersons commented on the corporate governance practices.

In my view, audit committees should focus more on the extent and level of external reporting.  To enhance shareholder confidence more details can be provided on functioning of board, and internal audit, finance and risk management departments. A discussion on organization objectives, strategy and evaluation parameters would also be helpful. An explanation about the external auditor selection process and fees would be beneficial. Lastly, the company’s efforts in fulfilling corporate social responsibility would provide an added advantage.

7.  Information Available with Audit Committees

Besides the abovementioned activities, audit committee members are required to look into other aspects of the business also. For example, review – the utilization of funds through public issues, transactions that indicate conflict of interest,  cases of suspected fraud, financial statements of subsidiary companies, political spending and overall compliance with regulatory provisions.

Normally audit committee members rely on getting information from board meetings, minutes of the meeting, discussions with external auditors, reports and discussions with internal auditors, fraud investigation reports, whistle blowing hotline investigation reports etc. However, the question remains – do audit committees get the real information to make informed decisions? A KPMG 2010 US survey report states that 77% of the audit committees are activity engaged in obtaining information.

However, I do not see the same occurring in India. At the time of Satyam scandal and more recently on formation of new Companies Bill, there was a lot of discussion about responsibilities of independent directors in respect to fraud or inaccurate financial reporting. The independent directors had complained that they are not privy to the internal workings and thinking of the organization. Especially in case of family owned group. Hence holding them responsible is not the right step. If one considers this view, then audit committee members are actually abdicating their responsibility.

Another issue to deal with is that audit committee members may lack industry expertise, hence may not know the questions to ask. In my view, audit committee members should use their right to hire external consultant in case of doubt. Moreover, they should get additional information. A few pointers are:

• Obtain strategy and implementation plans.
• Review key performance indicators – financial and non-financial with status
• Interact with external and internal auditors of subsidiary companies directly
• Hold discussions with senior and middle managers were required of various business units
• Discuss with company secretary all legal and compliance challenges
• Discuss with ethics officer the key issues on maintaining code of conduct
• Discuss with fraud risk, information security and other risk officers the key issues they have faced during the year and their overall functioning.
• Review in detail all documentation relating to material transactions, acquisitions and mergers.
• Travel to other offices and locations to understand business operations.

This is not an exhaustive list, however will be beneficial in fulfilling audit committee members responsibilities better. Without gathering this information, the audit committee members would in my mind is doing superficial oversight.

8.  Effectiveness of Risk Management Programs

The financial crises got the focus back on risk management. In the annual reports boards are required to comment on the performance of risk oversight function is. Board has to the responsibility to ensure that the organizations risk management procedures are commensurate with the company’s risk profile. In most cases, board delegates responsibility for risk oversight to audit committees, especially when the organization does not have a separate risk oversight committee.

Risk reporting is generally done in the business review section, though integrated reporting of risks and internal controls is being encouraged. As per Grant Thornton UK report, 63% of 350 FTSE gave detailed descriptions of risks and focused on operations risks. The question that comes up is how audit committees assess the effectiveness of risk management function and programs.

Let me take some of the challenges of risk management in the financial industry:

• Risk management is increasingly complex for financial institutions as it involves managing interlinked strategic, financial, operational and systemic risks
• Risk managers do not have sufficient authority and are frequently overruled by business teams. In few cases, they play a role in strategic decision-making.
• Risk managers do not strong relationships with business teams
• Risk appetite is defined by the organization but data is so scattered that it is difficult to monitor when actual organization risk exceeds risk appetite.

During the financial crises some of the key examples were –

• Royal Bank of Scotland (RBS) acquired ABN Amro Bank without sufficient details. It faced quite a few unpleasant surprises later on.
• Lehman did not get timely funding as actual worth of CDOs was considered overestimated, hence had to file for bankruptcy.
• AIG faced challenges in finding an investment partner since it didn’t have financial systems for integrated reporting.

Still banks are increasing their risk profile in the coming year. Some may have improved the risk management function and reporting, while others may not have learnt their lessons.

In light of this, my question is simple. Are audit committees really in a position to comment and provide reliable assurance on effectiveness of risk management programs?

 9.  Assessing Risk Culture

Loud noises after major frauds and financial crises repeatedly proclaim the same thing – “The risk culture of the organization was wrong”. It all boils down to the culture of organization and the attitude of the management towards risk taking. When Wall Street bankers received bonuses after the crises, there was uproar in the government and public. The outcry was bankers should be penalized for excessive risk taking, and not rewarded for nearly collapsing the financial sector.

Hence, the question arises why doesn’t management do anything about the risk culture? The logic is simple if you view it from CEO/CXO perspective. Their performance is evaluated on the quarterly numbers they give in the financial reports. To give that incremental growth high risk taking is required. Building a risk culture requires a long-term commitment to reap rewards. While implementing a risk culture program, in the first year the performance might be lower as employees will not be as enthusiastic about taking risks. Moreover, most of the professional CEOs duration is of 4-5 years in a company.

Considering these aspects it is not surprising that only a few are committing to building a risk culture. Though the corporate scandals have reduced investor confidence and resulted in closure of many organizations, the belief persists that they will not land up in the same soup. However, there is enough evidence that a high risk taking culture can nullify all the efforts of risk departments.

To counteract the effects of high-risk taking, proactive chief risk officers focus on building the risk culture. Their challenge is that regulatory guidelines ensure lip service and real commitment is missing.  The question remains, can audit committees help them in doing so?

Audit committees in my view can assess the risk culture by focusing on:

•  Remuneration of key personnel, including the bonus component linked to performance.
• Code of business ethics adopted and implemented by the company
• Analyzing the extent of reputation and regulatory risks the organization is facing
• Reviewing reported ethical breaches
• The amount of risk appetite board has determined it is willing to take to meet strategic objectives.
• The processes implemented to monitor risk appetite and key risk indicators
• Transactions entered that reflect conflict of interest to some degree.

In my view, audit committees can do much more to improve the tone at the top about risks. A continued focus from board members is likely to influence management in incorporating a good risk culture. A detailed explanation on the risk culture in the annual returns would be beneficial.

 10.  Internal Controls

Last but not the least, audit committees responsibilities include ensuring that the organization has effective system of internal controls. In some countries including India, the board is required state in the annual report that proper systems are in place to ensure compliance to all the applicable laws of the country. If it is not so, then they need to provide an explanation.

As you recall history, the focus on internal controls had increased worldwide after the spate of frauds (Enron etc) in US and subsequent introduction of Sarbanes Oxley Act. On that premise, one would assume that most companies would have vibrant internal control systems now. Though all companies report on internal controls, the Grant Thornton report states that in UK just 25% companies provide a detailed description on procedures adopted to evaluate the effectiveness of internal controls.  Just 3 companies disclosed material weakness in internal controls. Hence, the quality of assessment of effectiveness of internal controls by audit committees comes in doubt.

Therefore, the question comes up – how do audit committees improve quality of assessment. Although regulations are more geared towards audit committees reporting internal controls on financial systems, a broader view covering operational and compliance controls is preferable. To do so, audit committees need to understand the business objectives, strategy, processes and information systems of the organization. This will facilitate them in understanding whether the organization is geared and equipped to deal with day-to-day operational problems. In the current environment, management requires real time information for decision-making  and managing business operations.

After gathering the abovementioned information, audit committees would be in a position to assess whether:

• The right financial and operational areas were selected for internal controls review
• Procedures and practices followed for assessing internal controls was sufficient.
• Any areas require further review.
• The reported control weaknesses are material

In short, though audit committees are focused on ensuring organizations have a proper internal control systems, additional work can be done to improve the confidence in the assessments.

Closing Thoughts

Audit committees are a critical tool for corporate governance. However, presently in my view they are not significantly effective. Hence, emphasis on working of audit committee can add value not only to the board but also to the investors and shareholders. It might appear a tall order, but ensuring that audit committee meetings are frequent, maybe monthly, would very much improve the performance. Worldwide, the corporate world needs to take this route to ensure better governance and build investor confidence.

I rest my argument here; share your opinion with me.

References:

1.  Economic Times article – “Can the big four survive a break-up attempt”
2. Evolution and effectiveness of independent directors in Indian corporate governance – by Umakanth Varottil, Faculty of Law, National University of Singapore
3. Grant Thornton 2011 Chief Audit Executive Survey – Looking to the future: Perspectives and trends from internal audit leaders
4. Grant Thornton 2010 Report on UK
5. Corporate Governance in India – Evolution and Challenges by Rajesh Chakrabarti College of Management, Georgia Tech
6. Tata Motors 2010 Corporate Governance Report
7. KPMG- Highlights of the 6 Annual Audit Committee Issues Conference 2010

Strategy to Execution – A Risky Path

Some companies fail and some succeed spectacularly in the same market conditions. The question for successful companies is – what did they do differently? On the other hand, failure is attributed to either poor strategy or pathetic operations.  A popular notion among managers is that if company is not achieving targets, then review the strategy, something must be wrong with it. If the strategy is found reliable, review the operations and focus on it to be successful.  Is the explanation for failure that simple?

In my view failures occur because complexities of the situation are either ignored or misunderstood. The third-fourth-fifth dimensions are normally missed and must be looked into. The overall strategy might be right, the execution flawless, and  the company may still be staring in the face of failure. According to me the path from strategy to execution is very risky. Below are my views on the same, do you agree with them?

1. The Human Dimension

Let me give you an example, that most employees are familiar with:

Objective of the company : Make the organization a “Great place to work”.

Strategy to achieve the objective : Focus on diversity, work-life balance and good leadership pipeline.

Execution plans :  Hire 25% women, promote 10% women to senior levels, issue policy of work life balance , introduce 360 degree feedback and balance score card system.

All the execution plans were implemented, however employees are still cribbing and consider the organization one of the worst places to work. So what went wrong?

Now let me give you a few situations that occurred in the organization :

a) A gorgeous looking woman was placed in a senior management position who was rumored to be having an affair with a CXO. Employees down the line didn’t like her personally as she did not have a reputation of high professional caliber or ethics.

b) A few employees in the 360 degree feedback, gave honest negative feedback about their bosses. In less than a quarter the bosses with help of human resource department terminated or demoted the employees.

c) Bosses allowed the employees to leave office premises by 6 pm. However, they asked employees to work at home and deliver reports the next morning at 9 am.

The missing component – the human dimension – was overlooked. The culture of the organization didn’t change with the strategies and plans. The messages that employees received were –  ”One gets promoted if one sucks up to the boss, merit doesn’t count, honesty has a huge downside and bosses will harass.  Nothing has changed.” The tone at the top remained the same and no one was seen walking the talk. Hence, though everything looked good on paper, and all execution deliverables were achieved, the execution team met the key performance indicators, the objective wasn’t accomplished. People make the difference, hence analyzing culture, messages and in some situations even the grapevine is helpful.

2. The Organization History

The often ignored impediment in failure of strategy is the organization history. History – good and bad - makes a difference in success and failure of strategy as it directly impacts commitment levels. If the organization has had bad incidents or history, a host of issues become undiscussable. These undiscussable issues make communication superficial, hide negatives in the wood work and portray a picture that management wants to hear. In a globally connected world, even a small incident can become a historical landmark. To bring clarity to my point, I am narrating an incident that I experienced.

I was working in an organization in which one of the core values was “respect for everyone’s time”. The offices were open plan, with no difference between a CEO desk and an admin desk. All meetings were conducted in various conference rooms and room bookings were done through an intranet application. The cultural guideline was – do not overstay in a room as it may be booked by another group/individual. There were no reserved conference rooms for senior managers.

One day a new employee with his group saw that the people in the conference room he had booked for a meeting continued in the room after their meeting time elapsed. He knocked on the room, and asked the team inside to leave. The other employees outside were horrified. After 5 minutes, when he saw no action, he again knocked. The team inside walked out and all employees were red-faced. The poor chap had just evicted the Global CEO and his executive team out from the conference room.

News traveled globally within a few hours of the incident. The mathematical geniuses developed statistical models on probability of the new employee being asked to leave. Others like me, indulged in simple betting. Within a week the CEO sent a global message appreciating the employee for adhering to the organization values. He said that he felt good that induction training was effective, HR was doing a good job in recruitment & selection, and employees were fearless in confronting seniors on core organization values. All employees were absolutely jubilant on losing their bets. The incident became part of organization history and employees were inspired by the leadership. Commitment to a strategy comes from the heart and not by the numbers given in a Powerpoint presentation. In some situations analyzing the past history of the organization and failure rate of strategies might be helpful.

3. Reliance on Performance Management Systems

Norman Marks in his post – “The inter-relationships of risk, objectives, strategy and performance“ rightly said that “performance management without considering risk is flying blind.” I agree with this statement. However, my question is – are organizations really measuring the right stuff ? If not, are organizations deluding themselves into believing that they are monitoring and as all performance indicators show green status, everything is great.

Let me narrate here my pet peeve on risk management performance indicators. Tell me, how many of us have filled a balance score card or prepared an annual plan stating the number of risk management reports issued during the year. Additionally, recall numerous times assurance has been given to senior management based on the reports issued and their findings.

According to me, these performance indicators for a risk management department make limited sense. Better indicators would be :

a) To calculate the amount of loss averted from timely risk mitigation. Or,

b) Counting the number of days organization risk was higher than the established risk appetite of the company.

However, only a few companies keep these performance parameters because these are difficult to calculate and require robust management systems. So we rely on parameters that are actually not telling us anything more than the fact that some work is being done. Therefore, my contention is that even if a the risk of not issuing 12 risk management reports (a performance measure) during the year would be available, it may be irrelevant risk identification. A good idea when doing management by objectives, is to check what the company is measuring.

4. The Organization Structure & Systems

The focus is not developing the strategy and operation plans, however the point that is missed is – whether the organization structure and systems are conducive towards accomplishing the envisaged operations efficiency.

The prime example of this is establishing backoffice operations in emerging markets or outsourcing processes. Most organizations initially off shored to save on costs. The cost-benefit analysis was done considering the explicit cost of labor and other costs in mind. However, the implicit cost of managing the operations remotely, variance in customer service quality, breakdown of services and increased risk of fraud were not considered. Quite frequently, the same process was outsourced without much re-engineering for outsourcing the process. This resulted in cumbersome and long processes, higher management time and more risks. In rare cases only the organization structure was aligned to outsourcing activities and managing the complex relationships.

In this case, the strategy was fine, effort was put in setting up back office operations properly. However, the interlinked impact on various functions and activities was ignored. Basically the problems arose due to structure and systems, as these were not considered at the strategy formation stage.

5. Strategic Risk Management

Finally, the concept of strategic risk management is gaining popularity, though it still has a long way to go. Problems sometimes arise in implementing a strategy, because at the time of formulation the strategic risks were not identified and assessed. Hence, the organization has a rosy picture of the strategy.

The additional challenge is when strategic risks are identified though not properly. Some hold the opinion that strategic risks are best identified by the top management or chief risk manager. The frontline operations teams do not have a role to play. My view is that while strategy may be developed at the top, the risks need to be captured at all levels and rolled up to the strategy development team.

To illustrate, let me share with you the venture of international fast food joints in India. KFC, McDonalds etc. made losses in the Indian market initially. The reason for entering the Indian market was clear – a huge educated middle class provided a good customer base. They replicated their operations model in India. However, they really didn’t understand Indian tastes. Indians preferred spicy food and didn’t appreciate the American bland taste. Secondly, Indians initially took these meals as snacks and not for lunch or dinner. Hence, were willing to spend much less than they would in an Indian restaurant.  It took the companies 3-4 years to understand the difference in customer tastes and expenditure patterns, and change the menu accordingly. Customer risk was local whereas the strategy was formed globally. Strategy failed due to lack of understanding of local market.

Hence, in my view strategic risk management is not a simple exercise undertaken at the top of the company pyramid. A robust enterprise risk management system aligning objectives, strategies and risks is definitely beneficial. If an organization is not meeting its key performance indicators, even when their are no obvious problems with operations, a through analysis of risks at all levels sheds light on quite a few issues.

6. Impact of Systemic Risks

Another aspect that is least understood in organizations is systemic risks. Organizations adopting enterprise risk management assume that since the key risk indicators are showing low risk, everything is running smoothly. However, as seen in the financial crises, the impact of systemic risks is huge. Underestimating it or ignoring it can nearly wipe out the organization.

Turner report highlighted the impact of systemic risks in the banking sector with the following lines:

“Five key features of this new model played a crucial role in increasing systemic risks, contributing to the credit boom in the upswing and exacerbating the self-reinforcing nature of the subsequent downswing:
(i) The growing size of the financial sector.
(ii) Increasing leverage – in many forms.
(iii) Changing forms of maturity transformation.
(iv) A misplaced reliance on sophisticated maths.
(v) Hard-wired procyclicality.”

Although, in the blame game the investment bankers are being labeled as culprits for playing in the CDO market, the interconnections between retail and investment banking  resulted in the crises. The retail bankers gave home loans to individuals with doubtful repayment capacity to leverage the boom in real estate market. Simple explanation is that the collapse of real estate market negatively impacted recovery of loans which resulted in making the CDOs worthless. The key lesson to learn here is that strategies can fail majorly if they are not protected against the impact of systemic risks.

7. Leadership Quality

The quality of leaders makes the largest difference to an organization’s success. Can one imagine GE’s tremendous success without Jack Welch? He accomplished a lot as a leader, though he portrays himself modestly in his book “Straight From The Gut” . He narrates -

“I came to the job without any external CEO skills. I had rarely dealt with anyone in Washington, even though the government was more into business than ever. I had little experience dealing with the media. My only press conference was scripted session with Reg on the day GE announced I would the the next chairman. I had only one or two brief outings before the Wall Street analysts who followed GE. And out 500,000-plus shareholders had no idea who Jack Welch was and whether he would be able to fill the shoes of the most admired businessman in America.”

Jim Collins in his book “Good to Great” analysed the impact on companies that had level 5 leaders. Organizations with level 5 leaders showed consistent performance and a far better share holder return than their industry counterparts. Hence, if either strategy or operations are failing, the quality of leadership should be looked into.

8. Assessment of  Strategy Formation Process

Last but not the least is a discussion on strategy itself. Two thoughts come into mind – how should a strategy be assessed for effectiveness and when should the strategy be modified or changed? The quality of strategy itself is in doubt sometimes.

The key reasons for adopting a wrong or misguided strategy relate to some of the points I had mentioned in my earlier posts on strategic risk management :

a) Very few organizations have a proper process for strategy formation. For most it is an end of the year data accumulation practice from different business units. An organization level strategy considering all interconnected aspects of business may not have been devised.

b) Board and CXOs generally do not negate a strategy given by the CEO or fellow colleague. The political repercussions of challenging a CEO/CXOs strategy can be huge, hence most keep their opposing opinions to themselves.

c) If the organization culture is not focused on creativity, ideas and learning, new strategies will not be presented for fear of being mocked or run over. Hence, contrary to popular perceptions the strategy pipeline is quite dry.

d) Moreover, the choices of strategy selection with CEO/CXO are limited. They receive ideas which people down the line have collectively agreed to. These might not be the best ideas as the popular ones generally do not shake people out of their comfort zones.

Understanding these circumstances for assessing the quality of strategy can be difficult. Senior management in such situations has to start from scratch to develop a strategy formation process. If the formation process is full of loopholes or ineffective, the probability of having a good strategy is low.

Closing Thoughts

In nutshell, getting the strategy and operations right is critical for organization success. However, these two components itself do not guarantee success, they are just the building blocks. Other management and organization parts need to be aligned properly to the objectives and strategy of the organization. A holistic picture is required to accomplish objectives. In case of failure in achieving objectives, a review of strategy and operations is definitely beneficial. However, aspects underlining these should be delved into deeply to do a proper root cause analysis. Looking beyond the obvious helps.

References:

1. Turner report – A regulatory response to global financial crises – Financial Serivices Authority, UK
2. Straight from the gut- Jack Welch with Johm A. Byrne
3. Good to Great – Jim Collins
4. Norman Marks Blog

Achieving Excellence by Becoming a Learning Organization

When we wake up in the morning to read a business newspaper, the headline that grabs our attention is that a high-profile company has gone bankrupt. Companies with reputation of infallibility, just sink like titanic. Flawless legacies tarnish overnight. Being in fortune 500 list does not guarantee continuity in the next decade. Against this backdrop, the burning question is how do organizations mitigate the risk of failure, avert crippling blows and become impregnable fortresses of resilience and growth?

To complicate matters further, classic business models are losing relevance. The business environment and global dynamics are changing fast. It is obvious that resilient companies will sustain and grow, while others will die a sudden or slow death. Learning from the changing environment is the key for success. As Charles Darwin said – “It is not the biggest, the brightest or the best that will survive, but those that adapt the quickest.” 

Companies that learn to adapt quickly to the changing environment will succeed. Organizations with thousands of employees can’t wait for the CEO to lead, direct and react. The empowered frontline leaders make the difference in an organization’s success and failure. In learning companies, they become catalysts for change. Hence, the question is how an organization can achieve excellence by becoming a learning company.  Below are some of the advantages of becoming a learning organization. Read on and discuss with me your viewpoints.

1.       Build the corporate DNA

The Egyptian revolution taught one major business lesson – anyone can lead and be a change agent. For leading one doesn’t require a hierarchical structure supporting a leader, any formal authority or support of an organization. A person needs a good idea and strong influencing skills. That’s it.

Moreover, in the present organization structures the organizational boundaries are collapsing. There is no way to focus on an aspect in isolation, as everything is interlinked. For example, risk appetite calculation is not just a mathematical analysis, as it is highly dependent on the organization values and culture. Organization behavioral psychology influences risk culture.

It is apparent that organizations with hierarchical autocratic culture will lose the game to the socially networked organization. Social networks have made it easier for organizations to communicate vision, values and focus on culture. It allows multifunctional teams to work together and each employee can actively participate in the discussion.

Establishing the processes, systems and thinking pattern of learning organizations will facilitate organizations into building cultures that are more transparent. It helps companies break silo mentality, challenge groupthink and create an environment for employees to cope with change. The time has come for collective leadership.

 2.       Prepare plans in detail with failure scenarios

As Anon said – “Destiny is not a matter of chance; it is a matter of choice.” The age-old practice of senior management rolling out the strategic plan will soon become passé. Though presently, as I had earlier mentioned from the McKinsey report, just 6.5% of the organizations have a proper strategic planning process. Around 20% are just consolidating different business units’ numbers for the strategic plan. This doesn’t work in the long run.

To succeed one has to plan in detail with all possible failure scenarios. For instance, Bill Gates wrote “nightmare memos” describing various failure scenarios even when Microsoft was doing well. Paranoia is good.  When a company prepares for each of the assumptions of strategic planning going wrong, it devises alternative strategies in advance to quickly change track in emergency situations.

Learning organizations gather information on business opportunities and failure scenarios from all possible sources at local and central level. They have a better understanding of the local and global issues and this puts them in an advantageous position. Second aspect is with double loop reporting, the senior management promptly gets information about assumptions going wrong, failures and successes. This allows them to leverage opportunities, mitigate risks timely and change tracks where required.

3.       Change at strategic inflection points

With the rapidly changing environment, one of the bigger challenges is to differentiate between the noise and strategic inflection point. Nonconforming for the sake of being different doesn’t amount to leveraging strategic inflection points. As Andy Grove said in the book ‘Only the Paranoid Survive’ –

“A strategic inflection point is when the balance of forces shifts from the old structure, from the old ways of doing business and from the old ways of competing, to the new. Before the strategic inflection point, the industry simply was more like the old. After it, it is more like the new. It is a point where the curve has subtly but profoundly changed, never to change back again.”

The computer industry faced a strategic inflection point in 1980’s when from vertical industry it became a horizontal industry. However, quite a few big names failed to understand the changing face of the industry.

Thousands of individual events contribute to the transformation of an industry. The organizations that capture information of these individual events and get the bigger picture from putting the various pieces of jigsaw puzzle together have the upper hand. In learning organizations, employees are used to challenging the status quo and are wired to learn new stuff. They identify trends, changes and transforming events faster than the hierarchical organizations. Hence, organizations benefit by not reacting to the noise, but changing at strategic inflection points.

 4.       Innovate to implement & gain competitive advantage

Intellectual capital consists of organization, human and social capital. It gives organizations a competitive edge by encouraging a culture of innovation.  Organizations hit a home run, as innovation gives companies the first mover advantage and puts them ahead of the pack. As shown by Apple, intellectual capital and innovations add to the market value of the organization. Failure to innovate slowly erases the company from customers’ minds. An organization not only needs ideas, it needs a culture that transforms those ideas into products.

This underscores the importance of being a learning company. The rate at which an organization learns may become the only differentiating factor for giving an organization competitive advantage. Hence, knowledge management has become critical for success. Organizations need to capture explicit and tacit knowledge. Companies that have effective knowledge management systems and an environment for innovation are more flexible, adaptable and creative.

Learning companies have processes, systems and structures in place that allows them to leverage collective intelligence.  As individual employees’ knowledge on customers, suppliers and other relevant stakeholders is systematically captured, therefore value creation improves. As human and social capital is hard to imitate it becomes a valuable source of competitive advantage. Innovation in products and services adds to the bottom line.

 5.       Avoid psychic traps, rely on data

Success often results in C-suite wearing rose-tinted glasses and from their comfort zone tell happy stories for the future. These organizations might be operating real-time but may not be living in the real world. Psychic traps make it difficult for organizations to confront brutal facts, be straightforward and decipher the data.

Additionally, hierarchical structures with command and control environment reinforce the thinking – the boss is always right. If someone challenges the status quo, they get hushed up and told – this is the way things are done out here.  Moreover, when C-suite does mandate change, it results in failure since no one wishes to discuss the real problems and most nod their head in obedience. These change programs don’t get commitment, they get compliance, hence are mostly unsuccessful.

In learning organizations, business intelligence plays a vital role in decision-making. Management and employees rely on data, not individual hunches and intuitions. Secondly, companies adopt a two-pronged approach for information exchange and decision-making. Employees don’t expect C-suite to have all the answers. They take ownership for leading at local levels, gather requisite business intelligence and commit to change, as they are personally involved in organization success. Hence, the advantage is that no one can have distorted reality for a long enough duration to cause extensive damage.

 6.       Deliver consistent performance

Some organizations market value graph depicts a sea wave – goes high and low for some time then flatten out.  These organizations work on the mental model of quarterly earnings and making quick bucks. They try to capture the short-term gains at the expense of long-term benefits. As Sun Pin in ‘Art of War’ stated -

 “If you abandon your armor and heavy equipment to race forward day and night without encamping, covering  two days the normal distance at a time, marching forward a hundred kilometers to contend for the gain, the Three Army generals will be captured. The strong will be the first to arrive, while the exhausted will follow. With such tactics only one in ten will reach the battle site.”

Apple exemplifies the case of a long distance runner. After Steve Jobs return as CEO in 1997, Apple didn’t grow rapidly immediately. The company invested in research and development of new products. The market value started showing an upward trend after five years, and reached its pinnacle before Jobs death. The company worked on long-term plans and improved step-by-step.

Learning organizations as part of systems thinking focus on long-term goals versus short-term goals. They aim is on the whole not individual parts. These companies survive in turbulent conditions as they show different behaviors though the circumstances maybe the same. Consistency is the name of the game. They neither blindly rush to adapt to each change in business environment nor fail to make changes where required. They focus on showing consistent performance in earnings report and not spectacular successes and unimagined failures.

 7. Make learning fun

In the present business environment, John F. Kennedy’s statement holds true –“Learning and leadership are indispensable to each other”. Leaders must become master learners and create an environment of continuous learning within the organization.

In autocratic and bureaucratic organizations the two statements that predict death knell of an employee’s career is saying – “I don’t know” and “I made a mistake”.  The blame game is so intense on failure that employees are petrified to try out new things and follow procedures even if they don’t make any logical sense. Organizations cannot survive in culture of fear and defensiveness. More disasters occur when no one spoke up in time to question the plans and/or delivers the bad news.

On the other hand, learning organizations give people a platform to learn, unleash their passion and creativity. The shared values and visions allow them to discuss a number of bad ideas to arrive at a few good ones. Individuals feel responsible for fixing their own areas and don’t wait for top management to address problems. Learning becomes fun and inspiring. As Peter Senge said – “People talk about being part of something larger than themselves, of being connected, of being generative.”

Closing Thoughts

Becoming a learning organization is not an option any more; it is a mandatory requirement for success. At this business juncture, seeing the exponential change due to globalization, advanced technology and economic downturn, acting out from an old script isn’t going to help organizations. The organizations that are aiming for the biggest honey pot need to incorporate the core concepts of learning organizations within their culture.  Else, they might tank anytime.

References:

1. Leading Learning Organizations: Leading Learning Organizations : The Bold, The Powerful and The Invisible by Peter M Senge
2. Communities of Commitment :  The Heart of Learning Organizations by Peter M Senge and Fred Kofman 

Comments on Basel Committee’s consultative paper – The Internal Audit Function in Banks

The Basel Committee on Banking Supervision issued a consultative paper on the internal audit functions in banks comprising of 20 principles. This is a revision of the 2001 document and aims to promote a strong internal audit function and supervisory guidance of the function in banks. This is definitely a step in the right direction, however it still fails to address some of the critical issues apparent during the financial crises. Below are some of my observations that may help the function to become stronger and more effective. I am being a devils advocate out here and invite you to debate with me on these aspects.

1.  Independence and objectivity of internal auditors 

Principle 2 of the paper covers independence and objectivity of internal auditors. Point 15 mentioned below discusses the remuneration of internal auditors.

“The independence and objectivity of the internal audit function may be undermined if the staff’s remuneration is linked to the financial performance of the business line for which they exercise internal audit responsibilities or to the financial performance of the bank as a whole.“

My contention is that internal auditors within the organization can never be fully independent as their job, salary and bonuses are decided by the CEO/CXO. However, internal auditors/ risk managers face the dilemma of getting appraised at year-end for being good critics of the decisions taken and work done by CXOs/CEO. Hence, there is high possibility of being unfairly appraised on issuing strong reports. Senior managers may turn vindictive. This impacts independence as job, salary and bonus is dependent on senior management feedback.

The second aspect is about how internal auditors/ risk managers should be given bonus. Should they be given stock options like other employees? The committee paper “Principles of enhancing Corporate Governance” states -

“Banks should take other steps to better align compensation with prudent risk taking. One characteristic of effective compensation outcomes is that they are symmetric with risk outcomes, particularly at the bank or business line level. That is, the size of the bank’s variable compensation pool should vary in response to both positive and negative performance. Variable compensation should be diminished or eliminated when a bank or business line incurs substantial losses.

Compensation should be sensitive to risk outcomes over a multi-year horizon. This is typically achieved through arrangements that defer compensation until risk outcomes have been realised, and may include so-called “malus” or “clawback” provisions whereby compensation is reduced or reversed if employees generate exposures that cause the bank to perform poorly in subsequent years or if the employee has failed to comply with internal policies or legal requirements.”

Now my question is, if it is later discovered that internal audit function failed to identify some control lapses and risks that resulted in huge financial losses to the bank, should their bonus/stock options be reduced subsequently? My view is yes, if they are receiving stock options and failed, then they should be withdrawn. However, if possible their compensation should not have a high variable component.

Lastly, rotation of internal auditors, a point that I consider relevant for maintaining independence is not covered in the paper. Depending on the size of the bank, internal audit function key staff  should be rotated to other subsidiary organizations or different functions every 3 to 5 years. Here the logic is same as applied to external auditors, with deepening business relationships objectivity may be compromised.

2. Regulatory Compliance for Capital Adequacy and Liquidity

Principle 7 mandates that  ”internal audit function should ensure adequate coverage of regulatory matters within the audit plan.” One of the critical points covered relates to capital adequacy and liquidity assessment. The scope of audit should check compliance to regulatory framework and assess the adequacy of capital resources in relation to bank risk exposures and minimum ratios.

From a banking perspective I believe this is the crux of ensuring applicability of going concern concept for banks. As seen from the financial crises, the banks that failed basically had insufficient liquidity.

My argument here is about what happens when internal audit function does mention the problems in the report. Let me take the case of RBS failure. RBS faced liquidity crunch as the CEO had taken a strategic decision towards “capital efficiency” due to which it heavily relied on wholesale funding. As per the report   “the main weakness was the firm’s use of a 96% confidence interval in its assessment of how much capital it should hold, rather than the ‘standard’ 99.9%.” Secondly, the Supervision team was “concerned that the firm was underestimating the amount of capital that should be held.” The internal audit report also highlighted a few weaknesses relating to capital adequacy. A long term plan was developed to improve capital adequacy, however no change in capital efficiency strategy was envisaged.

Now my question is, in this scenario where internal audit function highlights key gaps and the same are ignored, what should be done? The FSA report on RBS failure states that no legal action can be taken as -

“There is neither in the relevant law nor FSA rules a concept of ‘strict liability’: the fact that a bank failed does not make its management or Board automatically liable to sanctions. A successful case needs clear evidence of actions by particular people that were incompetent, dishonest or demonstrated a lack of integrity.

Errors of commercial judgement are not in themselves sanctionable unless either the processes and controls which governed how these judgments were reached were clearly deficient, or the judgements were clearly outside the bounds of what might be considered reasonable. The reasonableness of judgments, moreover, has to be assessed within the context of the information available at the time, and not with the benefit of hindsight.“

According to the report, if senior executives ignore the internal audit reports and thus the firm suffers huge losses and goes bankrupt, they are not really legally liable. In my view, this is a flawed approach and encourages high risk taking since there is no downside to bad decisions.

My suggestion might raise a few eyebrows, nonetheless I think it is required to avert further financial crises. A few penal clauses should be incorporated in the guideline that ensures high risks/ control gaps are addressed by senior management. If senior management/board chose to ignore high risks they can be penalized by removal and/or not getting a similar position in any other bank.

3. Review of Internal Audit Function by Board

Principle 9 mentions responsibilities of board of directors and senior management in respect to internal audit function. Para 43 states that -

“At least once a year, the board of directors should review the effectiveness and efficiency of the internal control framework based, in part, on information provided by the internal audit function.“

My contention is that an annual review is too little. Keeping in view the dynamic banking environment and global impact review of internal control framework for banks should be done quarterly. If not, at least it should be done half yearly.

Additionally, para 72 states that -

” Supervisory authorities should receive periodically (e.g., on an annual basis), or upon request, the main internal audit findings and recommendations as well as the corrective measures taken or to be taken in response to the weaknesses identified, in the same way the audit committee is informed.”

My view is the same here, it would be best to review the observations and weaknesses quarterly. An annual review would be historic and no corrective action would be possible.

4. Impact on bank’s Risk Profile

Principle 19 states that “supervisory authority should consider the impact of its assessment of the internal audit function on its assessment of the bank’s risk profile and on its own supervisory work.” In para 92 it further adds -

“Where remedial actions cannot be agreed upon or where the bank faces ongoing delays in remediating the identified weaknesses, the supervisory authority should consider the impact of this on the bank’s risk profile.“

A good example of this case is the CitiBank Rs 400 crore fraud (USD 76 million) conducted by employee (now ex) Shivraj Puri. The fraud case was filed with Gurgaon police in 2010. An internal report of Citi Security and Investigative Serivces (CSIS) was submitted five months earlier before the date of police case filing. Moreover, unusual activity in Shivraj Puri and his wife’s account was detected in its initial stages in 2008 by fraud risk management team. The media report states that senior officials were aware of it, were involved in discussions, however did not take any action.

My argument here is the same as given in point 2. If there is failure to act on high-level risks, specially fraud risks, senior management/board can be treated as accomplice to the fraud. Hence, the guideline should include a few penal clauses on failure to respond timely  on identified risks and control gaps.

Closing thoughts

The framework fortunately does not subscribe to the COSO definition of internal controls and covers strategic risks. It also provides detailed guidelines on a number of aspects, including outsourcing of the function and managing the function in subsidiaries.

However, my view is that the guideline should be more stringent and include a few penal clauses. This might raise questions, as the guideline cannot replace the laws of the country. I understand that, so even a recommendatory guideline would be helpful. The logic behind this suggestion is that financial crises occurred due to bad decisions and high risk taking. It is unlikely that internal auditors/ risk managers of the banks were entirely clueless about the high risks. In all probability management chose to ignore those warnings hence the crash. Therefore, to avoid a similar disaster some measures need to be incorporated to ensure that management/board cannot override high impact risks that exceed the risk appetite/tolerance of the bank without being personally laible and accountable.

References:

1. Citibank failed to act on Puri scam warning signals, says probe report - Economic Times
2. The internal audit function in banks – consultative document – Basel Committee
3. FSA RBS Failure Report
4. Principles of enhancing corporate governance – Basel Committee

Comments on COSO revised Internal Control – Integrated Framework

COSO released the draft exposure of “Internal Controls – Integrated Framework” in December 2011 for public comments. The new framework still focuses on the five components of control described in the previous 1992 framework. The major change in the new framework is the explicit description of 17 principles. These describe the fundamental concepts related to the five controls.

The good aspect of the revised framework is that it has incorporated changes in business environment due to globalization, technology and governance regulations. It is more detailed than the original, hence gives a better understanding on a broad level. However, I still felt that some of my pet peeves with the previous framework remain unaddressed. Secondly, there are a couple of concerns regarding the practical application of the principles. I am covering some of my concerns below. Share your opinion with me, whether you agree or disagree and what changes would you suggest?

1. Definition of Internal Control

This is an old grouse, I am not in complete agreement with Internal Control definition given by COSO. In the current version I was hoping some changes would be made, but the definition remains the same. COSO defines internal control as

“Internal control is a process, effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following areas:

• effectiveness and efficiency of operations
• reliability of reporting
• compliance with various laws and regulations“

My concern is about the first bullet “effectiveness and efficiency of operations”. Before I give my view, let me further share the COSO definition of operations objectives.

“Operations Objectives – These pertain to effectiveness and efficiency  of the entity’s operations, including operational and financial performance goals and safeguarding assets against loss.“

This according to me excludes the major portion of management issues. In an organization, the flow in linear form is as follows:

Top Management > Strategy > Culture (People) > Finance > Process > Technology.

Most business failures and large-scale frauds occurred – Enron, Swiss Air, Olympus, Satyam – due to failure of top management, incorrect strategies or deviant/ aggressive cultures. In rare cases only, a major fraud occurred solely due to process or technology failure.

Additionally the framework states in Risk Assessment section “However, identifying and assessing potential opportunities is not part of internal control.” Hence, the upside risks are excluded from the assessment. In present day organizations, processes established for strategy, innovation, research and creativity give them competitive advantage. Without these organizations cannot be said to be operating effectively as they are leaving a lot of cash on the table. Hence, isn’t it misleading to give an assurance of effectiveness and efficiency of operations based just on assessing coverage of downside risks in finance, business and technology processes. Would it be more appropriate to replace “effectiveness and efficiency of operations”  with “adherence to established operation processes”?

2. Impact of Organization Culture

The COSO framework mentions the focus on internal control culture under “control environment.” It states:

“Control environment is sometimes seen as synonymous to internal control culture, in that  elements that make one strong, such as integrity and ethical values, oversight, accountability,  and performance evaluation, make the other strong as well.”

My concern is that internal control culture cannot be considered in isolation of organization culture. Aggressive, passive-aggressive, consultative, etc. organization cultures have an impact on internal control environment. For example, in a deviant organization culture management override is significant. Hence, an internal auditor or a risk manager cannot assess the risks without understanding the overall organization behavior and attitudes.

Therefore, in my view, the framework should cover on a broad level the types of organization culture, the risks associated with it and the methods to assess it. Though, this may come under organization behavioral psychology, a high-level understanding is required to conduct a proper assessment of internal control environment.

3. Strategic Risks

The COSO framework is focused on risks that threaten operations and regulatory requirements. It does not cover strategic risks unlike the ERM framework. Moreover, it does not even cover the process of strategy formation. As I had mentioned in earlier posts on strategic risks, strategies frequently fail due to the organization having inadequate strategy formation processes.

The issue becomes debatable more so, considering the following statements given in the framework

“Objectives - how management will create, preserve and realize value for its stakeholders”

“Setting objectives is a key part of management and a perquisite to strategic planning“

“Operations objectives relate to achievement of entity’s basic mission – the fundamental reason for its existence”

A good strategy basically protects the capital and generates earnings. Hence, evaluating internal controls on strategic planning process is critical to ensure management is maximizing value for its stakeholders. The fundamental question to ask is – without a strategy, can management do so?

The framework further mentions -

“Internal control cannot prevent bad decisions or judgments being made. It can only ensure management is aware of the direction entity is following.”

Hence, to me this sounds more like an assurance being given that “nothing is majorly wrong” instead of “everything is working properly”. To highlight my concern, let me give an example of Infosys. The company has recently entered into an agreement with an Australian company Portland Group Pty to acquire it for Rs 180 crore (USD 34 million ). However, investors have complained previously that Infosys management is extremely conservative on acquisition and mergers as it has cash reserves of Rs 18,601 crore (USD 3509 million ) as on 30 Sep 2011. In this scenario, can one say that Infosys is efficiently using its cash resources and maximizing shareholder value? May be a broader outlook is required for business management.

4. Miscellaneous

Some other aspects that I felt the framework needs to focus on are:

1. Linkages and relationship with Internal Control and Enterprise Risk Management Framework

2. Linkages and relationship with the technology controls mentioned in COSO framework with COBIT framework.

3.  Though now there is some coverage on calculating benefits of internal control and conducting a cost-benefit analysis, more details on benefits would be useful.

4. A chapter on the process to be followed for designing and implementing internal controls would be helpful. Presently, the major focus is on evaluating and assessing internal controls.

5. Principle 4 of control environment – Demonstrates commitment to competence, may be difficult to evaluate for an internal auditor. Can an internal auditor really evaluate competence of senior managers and be taken seriously when CAE’s don’t even get a seat on the board? Hence, though it sounds good on paper, it may not be practical.

Closing thoughts

The framework is a step in the right direction and definitely an improvement over the previous one as it addresses the existing business environment risks. However, as the revision has come in after twenty years one would expect to be more progressive by projecting the trends in the business environment, and guiding on internal controls issues envisaged in future. My question is – do you think with the changing business environment this framework will be relevant five years down the line?

References: 

1. Internal Controls - Integrated Framework
2. Infosys News

1 Jan 2012 – A New Begining

I am feeling on top of the world. This blog in its first full year got 51,556 page views. More than doubled from last year (11,299 page views in six months). I have nearly twisted my arm from patting myself on the back for being such an incredibly brilliant writer. With great difficulty I have managed to reign in my egoistic enthusiasm and have decided to be a humble Level 5 leader.

Sincerely, my heartfelt gratitude to all my readers, who came again and again, to read, comment and share my blog posts. For keeping silent when I floundered, and giving me constructive feedback and encouragement to continue learning and growing. I owe it to you all  to share the lessons I learnt in blogging this year. Before I declare the top 10 posts of the year, there are two stories I wanted to share with you.

1. The Audience

Writers give one solid piece of advise – “write for your audience”. For new bloggers, this amounts to asking them to be James Bond when they haven’t read a spy novel.  Nevertheless, since I decided in blogging world the faint hearted can’t succeed, I devised a strategy. My blogging aim was to share my knowledge and experience with the younger risk managers to make a positive difference in their work. So I wrote on topics that I felt passionate about and felt risk managers approach should change.

Six months down the line in June 2011 I got a shock on reviewing audience statistics. To my utter amazement most of my subscribers are in the age group of 44-64 years.

I had missed my target group entirely. I realized most of my readers are more experienced than me. Phew, that discovery was very nerve wrecking. Gen Y seems to be reading entirely different topics. Since I already have over 300 Gen X and Boomers subscribers, I have changed my strategy and will continue to write topics for them. Lesson learnt was do better market research to match products with your own skill set. By the way, are any of my subscribers single men over 44 years of age?

Resolution for the year: Understand audience tastes better. Reading Only.

2. The Blogging Etiquette

Another advise given is be careful what you write on the blog, in the internet world all is visible. Ha, have you every heard of a risk management blog going viral. With my first few subscribers, I was hardly worried.

Till it suddenly dawned on me, my ex colleagues, bosses and clients were following my blog. None of them informed me, as they quietly used Risky Secretive Subscribers (RSS) feed. Have you ever imagined what you will feel when all your bosses, boy-friends and the not so friendly guys all are in one room. Here, they are not only in one room, they are invisible to each other and me.

Sob, sob, sob. I identified a couple of my posts where I had nicely put my foot in my delicate mouth. Wondered seriously, should I continue to chew the nails of my toes, or take my foot out and put my fingers inside my mouth.  Political correctness was never my strong point, but this. Me, the poor little baby.

Resolution for the year : Be politically correct. Seriously.

3. The Good Posts

As is the blogging tradition, I shall list down the top posts for the past year. Surprisingly, some of my 2010 are still going great guns. So, here are the top five from each year. Hope you enjoyed them.

2011

1. Key Performance Indicators for GRC Departments

2. Rs 300 crore CitiBank Fraud

3. Fraud Symptom 5 – Insufficient focus on Organization Culture and Processes

4. Enterprise Risk Management V/s Strategic Risk Management

5. Reflections on Definition of Corporate Governance in India

2010

1.  Impact of Organization Culture on Internal Controls

2.  Deviant Organization Culture

3.  Pre-employment Background Screening Verification Program

4.  Risk Management Strategy of Virgin Group

5.  Mother Teresa – An Inspiration for Social Responsibility

Resolution for the year: Write only good quality posts.

Wishing You A Very Happy New Year

Finally, once again a big thank you to all my readers. This song is my tribute to all of you. May our relationship grow and prosper in this year. And you enjoy the journey as much as I do.

Hope you are successful in achieving all your ethical dreams in 2012.

Best wishes,

Sonia

Corporate Social Responsibility The Dalai Lama Way

The new Companies Bill 2011, section 135 on Corporate Social Responsibility (CSR), has raised a lot of debate about the merits of holding companies responsible for social responsibility. Some have stoically  refuted that companies are any way liable for social responsibility as their objective is to earn profits. According to this view, earning profits and social responsibility are not complimentary goals. Another view presented, to which I subscribe, is that companies owe it to the society and must meet social responsibilities. Profitability and social responsibility are not divergent goals and are mutually beneficial.

Hence, I thought of sharing His Holiness The Dalai Lama’s ideas on social responsibility expressed in his book “My Spiritual Autobiography”. He epitomizes a socially responsible life. While the act is the dry subject, below are some deeper philosophical musings on social responsibility. Read on, and tell me, do you agree with it?

Section 135, Companies Bill 2011

The section stipulates that select Indian companies form a Corporate Social Responsibility (CSR) Committee with three or more directors of which one must be independent. The Committee will report to the board, formulate a CSR policy and recommend expenditure. The board is expected to approve the policy, make it available on the company website and ensure that at least 2% of average net profits of preceding three years is spent on CSR activities. If the CSR budget is not spent in a particular year, the same shall be disclosed with reasons for not doing so in the annual report. The section is applicable to companies that meet either of the following three criteria. That is, have a:

• net worth of Rs 500 crore or more or
• turnover of Rs 1000 crore or more or
• net profit of Rs 5 crore or more.

The big question is – should companies be asked to spend 2% of average net profits on CSR? Let me share the financial logic and the spiritual reasoning for doing so.

The Spiritual Reason

In the modern world we believe spirituality has no place in business. This is more of a western concept rather than an Indian one. In India, even a small shopkeeper will have a photograph of their god and start work after offering prayers. In my view, spirituality promotes ethical thinking and behavior. Organizations are in dire need of building an ethical culture. In the present world organization behavior and culture impacts society, hence one cannot dissociate the two. I am impressed with Dalai Lama’s story in his book. He said :-

 ”I remember an Indian politician who invited me to discuss this point with him. He said to me, with sincere humility, “Oh, but we’re politicians, not monks!” To which I replied: “Politicians need religion even more than a hermit in retreat. If a hermit acts inspired by bad motivation, he’ll harm only himself. But if a politician, who can directly influence an entire society, acts with bad motivation, a large number of people will experience the negative consequences.”

He has then further described spirituality as :

“Spirituality, in my view, consists of transforming the mind. The best way to transform it is to get used to thinking in a more altruistic way. So ethics is the basis for a secular spirituality for everyone, one that is not limited to a group of believers in one religion or another.“

The same logic applies to business also. A CEO’s decisions impacts thousands of employees, customers, suppliers, shareholders and the public. Can we afford a CEO not to be spiritually aware? Wouldn’t promoting secular ethics help organizations build an ethical culture? Studies indicate that major frauds in organizations – Enron, Satyam, Olympus – occurred when senior management stopped differentiating between right and wrong business practices and was governed by greed.

The Social Reason

Backbiting, backstabbing and bitching are thought of as normal in corporate world. Employees show surprise when a fellow colleague shows compassion, consideration and empathy. Fear, insecurity, ruthlessness and competitiveness have led to deterioration in human values and humanity . The paradox is that with these value systems and emotions prevailing in organizations, we want to create winning teams. A near impossibility, and then we wonder on reasons of failure.

The problem arises because of the thinking that emotions have no place in business. How is it possible to segregate emotions during business hours when we base 70-80% of decisions on emotions? Should one view it that good emotions have no place in business, only negative emotions are allowed? Dalai Lama   hit the nail on the head and identified the core problem in the following words:

“Unfortunately, love and compassion have been excluded from too many areas of social interaction, for too long a time.”

He further identified the impact of positive emotions on a human being. He aptly points out:

“A mind dedicated to compassion is like an overflowing reservoir: it is a constant source of energy, determination, and goodness. You could compare compassion to a seed. If you cultivate it, it makes an abundance of other excellent qualities blossom, such as forgiveness, tolerance, inner strength, and confidence, allowing us to conquer fear and anxiety. The compassionate mind is like an elixir: it has the strength to turn adverse situations into beneficial circumstances.”

Studies show that corporate philanthropy programs not only attract talent but retain employees. Employees at all level appreciate organizations that have a humane culture and are dedicated to the welfare of society. Although managements believe that numbers and targets drive achievement of profits, CSR activities contribute to the bottom line by improving ethics, culture, commitment and engagement levels within the organization.

Secondly, companies are linking CSR activities with their brands. Results show that customers view organizations better and are more loyal to products when they consider the company socially responsible.

Lastly, India really lags behind in charity. As per the Worlds Giving Index 2011, India ranks 91st among 153 countries assessed. India was ranked as the most uncharitable nation in South Asia, Pakistan, Bangladesh, Sri Lanka etc. all rank better than India. With India’s poverty levels and discrepancy in incomes, this status is really sad. 

The Financial Reason

Presently in Indian media there is a debate going on The National Food Security Bill ( NFSB). The objective of the bill is to eradicate hunger and malnutrition in the country. For 2011-12 financial year the food subsidy budget is  Rs 60,572 crore. The NFSB plans to provide subsidized food grains to 64% of the population with a budget of approximately Rs 95,000 crore. The debate is that should government be providing such a large subsidy to the poor?

Professor Bardhan rightly pointed out in Economic Times interview saying “About 9 % of GDP is being given to the relatively rich in the form of subsidies, why should the government then mind giving 1-2% of GDP to the poor.” Indian organizations receive benefit in the form of direct tax, excise duty and sales tax subsidies for building the industrial sector and exports. Should these be withdrawn to give the whole amount to the poor? Asking organizations to invest 2% of their average net profits in society seems a small price, when public money is being used to subsidize business. Of course some naysayers are saying that government is being financially irresponsible by giving this huge subsidy. Question remains, do they hold the same view on subsidies given to business sector?

This gets me back to Dalai Lama’s thinking - ”Everyone must assume his own share of universal responsibility.” Unless the corporate sector gets committed to fulfilling social responsibilities, the country will deteriorate. Besides economic power, the society needs a lot more to flourish and be healthy.

Closing Thoughts

I found Dali Lama’s description of his morning rituals enchanting. He narrates – “As a practicing Buddhist monk, as soon as I wake up I pay homage to the Buddha, and I try to prepare my mind to be more altruistic, more compassionate, during the day to come so that I can be of benefit of beings. Then I do physical exercise – I walk on a treadmill.” World’s most influential and renowned monk happily adopts modern day gadgets into his daily life. He talks of ethics of genetic engineering, global warming, environment risks etc. with complete ease and knowledge. However, we the management experts, the technical geniuses, the advocates of change hesitate to incorporate spirituality, compassion and social responsibility in business. Ironical isn’t it. Can we leave our hearts at home when we come to work?

I want to share the prayer Dalai Lama read on receiving the Nobel Peace Prize. He wishes that this prayer is on his lips when he dies. Very few people in the world can have this level of generosity of spirit, but maybe in 2012 we can think of new beginnings.

May I Remain In Order to Relieve the Suffering of the World

May I be the protector of the abandoned,
The guide for those who wander the path,
And for those who yearn for the other shore,
May I be the vessel, the ferry, the bridge;
May I be an island for those who need an island,
The lamp for those who need a lamp,
The bed for those who need a bed;
May I be the wish-fulling gem, the vase
With great treasure, a powerful mantra, the healing plant,
The wish granting tree, the cow of abundance.
As long as space remains,
As long as beings remain,
May I too remain
To relieve the sufferings of the world.

Indian saint Shantideva’s prayer read by Dalai Lama on accepting Nobel Peace Prize in 1989.

References:

1. My Spiritual Autobiography by His Holiness The Dalai Lama
2. New Companies Bill – Ministry of Corporate Affairs
3. India should cut wasteful expenditure on subsidies: US prof Pranab Bardhan

India Country Risks in 2012

Indian organizations are in for a rocky ride in 2012 as darkening clouds hang over India growth story. In some ways it is a make or break year for India’s continuing successful journey for economic growth and power. The world is watching and India cannot afford to flounder. However, the risks in the economic environment are acting as tsunamis and volcanoes, wiping out past efforts swiftly. This year Indian organizations need to watch out for external risks and triggers carefully, as they can have huge impact on the bottom line of the company.

The prophets of gloom and doom predict that India’s GDP in 2012-2013 financial year will be between 6-7%. In light of prevailing political and economic environment this statement is a conservative realistic assessment. Hence, organizations to sustain and grow in 2012 need to conduct strategic risk assessment of India country risks. I am giving below my top four.

1. Political Paralysis

In 2011, Prime Minster Manmohan Singh’s reputation has nose-dived as the country was engulfed in corruption scandals. His continuance as Prime Minster till the end of term is widely debated in political circles. The Congress party is facing another crises due to Sonia Gandhi’s ill-health. Public is speculating that she has undergone surgery to treat cancer in USA. Hence, rumors are rife about Rahul Gandhi  taking over the reigns of the party. Moreover, senior Congress party leaders are having spats in public.

On the hand, Bhartiya Janta Party (BJP), the main party in opposition, is suffering from lack of strong leadership at national level. The ex-chief minister of Karnataka, Mr. B. S. Yeddyruppa, openly contravened orders of BJP leadership team when named in Illegal Mining Report.  At state level, local parties are gaining prominence and strength.

Last but not the least, Anna Hazare’s fight against corruption has awakened the middle class. Finally, they have lost their apathy and are demanding better governance.

Considering all aspects, there is little likelihood of a strong national party leading India in 2012. Moreover, political commentators are hinting about mid-term polls due to fishers in Congress party and it’s deteriorating credibility. Therefore, large organizations must manage political risks at national and local state level. Keep in mind sensitivities of various political parties otherwise their is a probability of getting caught in a tug of war. Also, adjust the growth plans for government ineffectiveness.

2. Financial Market Turmoil

Indian markets in 2011 have done badly on financial indicators. There is slowdown in growth and in October 2011 industrial output contracted by 5.1%. Fiscal and current deficit are expected to cross 3% and 5% of the GDP respectively in 2011-2012. The GDP growth forecast for the year was reduced to 7.5% on 10 Dec 2011.

Sensex on 16 December 2011 closed at 15,491, a 25 month low. Stock brokers predict that the market is not going to rise in a hurry.

Business Standard reported in its weekly report on 16 December that “The WPI inflation for the month of November came in at 9.11 per cent compared to 9.73 per cent in October. The market was looking at an inflation of below 9 per cent for November. Inflation for November 2010 stood at 8.2%. India’s food inflation eased to 4.35% in the year to December 3 — its lowest reading since late February 2008 — from an annual 6.60% rise in the previous week, government data showed today.

Further, On Thursday, the Indian rupee touched a record low of 54.30 to the US dollar on the back of sustained foreign fund capital outflows in view of the fall in the equity markets, coupled with a stronger dollar in global markets.”

The Finance Minister Pranab Mukherjee recently commented in a meeting – “The present indicators show that both private consumption and investment sentiments have weakened and it is this weakening of sentiments that makes it necessary to shift our focus back to near term issues.“

Moreover, Moody’s in November 2011, “downgraded the entire Indian banking system’s rating outlook from “stable” to “negative,” citing the likely deterioration in asset quality in the months ahead.” Additionally, aviation, telecom, commercial real estate and power utilities industries collectively owe banks Rs 5 lakh crore. These industries are most affected by the slow down.

The financial market situation is unlikely to improve in the short run. India will most probably not see a double-digit growth in GDP in 2012-2013. Companies need to risk adjust the financial growth numbers keeping in mind the prevailing situation. . Conservative estimates and cost control will steer the organizations in safe waters. Maintain good liquidity throughout the year as banks are not going to save organizations in a crunch.

3. Future Regulatory Reforms

The regulatory reforms came to a standstill in 2011. The political deadlock between UPA government and BJP opposition party pushed all reforms on the back burner. The business leaders came out strongly criticizing the political parties for hampering economic growth. The unhappiness of corporate world is evident that investments – domestic and foreign – are at an all time low.

The government in December 2011 parliament session had a list of 50 Bills for approval. Some of the Bills presented were Companies Bill 2011, Banking Laws Amendment Bill 2011,Prevention of Money Laundering (Amendment) Bill,  Direct Taxes Code Bill, 2010, Forward Contracts (Regulation) Amendment Bill, 2010; Pension Fund Regulatory and Development Authority Bill, 2011, Securities and Exchange Board of India (Amendment) Bill 2009; Insurance Laws (Amendment) Bill, 2008 and Regulation of Factor (Assignment of Receivables) Bill, 2011, among others.

This shows the pending backlog of bills requiring approval in the parliament. Business leaders are likely to lobby for approval of these bills in 2012. Hence, risk managers need to be geared to manage numerous regulatory changes in 2012.

4. Skyrocketing Corruption & Bribery

In light of various scams - telecom, mining, land, etc, – the corruption perception index in 2011 has fallen to 3.1 from 2010′s 3.3. India’s world ranking in corruption has gone lower to 95 from a total of 183 countries assessed. This is not surprising as Indian’s in 2011 saw well known politicians and business owners implicated in scam cases.

The recently released report of Global Financial Integrity - Illicit Financial Flows from Developing Countries Over the Decade Ending 2009 – states that trade mis-pricing accounts over 80% of the illicit financial flows in Asia. India in the last decade lost US $104 billions in illicit flows and is ranked 15th highest among developing countries with China topping at US $ 2467 billion. Though in comparison to China, India doesn’t appear to be doing badly, but that is distorted reality. A couple of activists and whistle blowers lost their lives during the year for uncovering corruption cases.

In 2011, Anna Hazare initiated public rallies to force government to pass Lok Pal Bill. Although, parliament is expected to pass it in December 2011 winter session, the implementation will take some time. The government’s sincerity in eradicating corruption is questionable as the various anti-graft bills are being used to play political football. The UPA government to counteract Hazare’s war cry has presented three additional anti-graft namely –  Judicial Accountability Bill,  Public Interest Disclosure Bill (Protection to Whistleblowers Bill) and the Citizens’ Charter – in the parliament in December 2011. A step in the right direction but the road ahead is tough. Passing bills and implementing them are different ball games.

In light of the fraud cases, high-level prosecutions and political games, the Indian corporate world has become vary. In 2012, organizations must focus on implementing a code of conduct for employees and provide training to them on business ethics. The legal and reputation risks will be extremely high if these aspects are ignored.  The situation becomes more tricky for US and UK multinationals as they are governed by FCPA of their respective countries.

Closing Thoughts

Political deadlock, inflation and corruption have taken the air out of India’s growth story. 2012 will be the decisive year in assessing whether India can surmount these obstacles and accelerate economic growth or  go on a downward spiral. Organizations must maintain a balance between growth and risks. The downside risks can cost heavily and there may be no quick ways to turn around numbers. Hence, doing proper planning, implementation and cost effective operational execution are key for success.

References:

1. Illicit Financial Flows from Developing Countries Over the Decade Ending 2009 – By Global Financial Integrity
2. Corruption Perception Index
3. Weekly Report: Sensex, Nifty hit 2-yr lows on growth woes - Business Standard

Risks in Budgeting and Forecasting Process

When I go shopping more often than not I blow my budget. You see, in the shopping mall my requirements far exceed the forecast. My three finance qualifications come to naught in this simple expenditure planning. So I understand why budgets of organizations go wrong. But the risks associated with an organization’s inaccurate budgeting and forecasting process are far higher.

For instance, the CAG report on Air India states that airplanes were purchased based on an estimated huge market growth and share. The government airlines is now nearly bankrupt. More recent is the case of Kingfisher Airlines. The company is facing a huge liquidity crunch and may go bust if banks do not bail it out. Though I haven’t analyzed the financial statements, the question does come up – didn’t they see this coming? What kind of cash flow forecasting was the finance team doing? The airlines grew quite fast, where there any checks kept on expenditure and how was it linked back to revenues?

These are basic questions, and show the impact on the organization when proper techniques are not used for budgeting and forecasting. In the next quarter, Indian organizations will commence their budgeting process for the financial year 2011-2012. I thought it is a good time to study the best practices of budgeting and forecasting, and share with you my understanding of the risks associated with it. I delved into the SAP CFO forum research papers and here are some interesting points.

1. Business Drivers for Budgeting and Forecasting

According to Aberdeen and SAP report the top three drivers for budgeting and forecasting in 2011 were to help organizations deal with market volatility, aligning strategy and doing cost control. As these three have been major drivers for the past three years, one can safely assume considering the global economy that in 2012 also, these three will prevail.

 Moreover, Indian economy year-end scenario is turning bleak. As per recent reports GDP is expected to show just around 7.25-7.75% growth in 2011, instead of the initial 9% growth forecast. Sensex has fallen one fifth in the year and presently India is among the worst performing stock markets in the world. Organizations have cut down on capital expenditure to maintain profitability. Hence, in the coming financial year, Indian organizations will face all the five pressures mentioned in the graph above. Therefore, it has become more critical to do accurate budgeting and forecasting.

2.   Risk Adjusted Forecasting

In another SAP white paper titled “Increasing Competitiveness through Closed Loop Performance Management” I came across an interesting point. It emphasized on implementing integrated financial performance management processes that “comprise strategy planning, budgeting and operational planning, forecasting, management reporting, profitability and cost management, and risk management.” It further added that in most organizations the “various performance management systems remain disconnected specially risk management.”

Now the question that begs an answer is – are risk managers having a look at the budgeting process to ensure all management systems are linked together? Secondly, are they reviewing the budgets, facilitating the business teams in identifying risks and adjusting the budgets accordingly?

In my view if risk managers are taking a hands off approach during the budgeting process, then they are doing the organization a major disfavor. They should proactively participate in the process, identify the problem areas and discrepancies, highlight the risks and inaccuracies, and facilitate management in preparing flexible budgets.

The benefits of this approach can be seen in the Infosys case. The company was recently in the news for asking its employees to sacrifice two Saturdays in this quarter to meet the budgets. Though I have different views on the action taken by Infosys to call employees on weekends, it does show that they are proactive in managing their forecasts. The management assessed the risk of failure of forecast and took action. Hence, there is a lesson to be learned here for all organizations. Organizations should build in internal and external events triggers for internal and external  events to adjust forecasts timely.

3. Flexible Forecasting

A new report of SAP with CFO Research Services highlights the risks of having fixed budgets based on historical data. It states that due to the changing business environment forecast numbers are “continually measured against real-world results and recalibrated to meet new threats and take hold of new opportunities as they arise. “ Further on it adds that “The time-honored tradition of beating the budget by surpassing revenue targets is no longer a reason for celebration; it’s one sign that the budgeting process took so long that the assumptions underlying it grew stale.”

The CFOs interviewed in the report state that building flexibility into planning assumptions and processes is of paramount importance. With Mobiles and Tablets, realtime information on sales, expenses etc. is available. Hence, now forecasts require regular examination of the underlying assumptions. The market dynamics ensure that one has to go back to the drawing board periodically to study the movement and re-strategize. Annual fixed budgets are becoming a thing of the past and CFOs are in favor of rolling budgets.

In light of this aspect, the points I mentioned in my earlier post that risk managers need to actively participate in strategic risk management holds true. In this scenario, risk managers must review the budgets assumptions and risks on a monthly/ quarterly basis to ensure smooth sailing. A once in a year periodic review doesn’t hold much water. They must make sure that organization’s strategy, operations plans, and budgets are continuously aligned.

Closing Thoughts

Budgets are no longer just the domain of finance department. In the present environment budgets must be developed with a combination of top down and bottoms up approach. While the strategy is developed at senior management level, the execution plans are developed down the lines. They have the real information on market dynamics, numbers and risks. The views of various departments -sales, human resources, purchases etc. need to be incorporated to form realistic assumptions and understand associated risks. Hence, risk managers have a significant role to play in this process.

Share your opinion here. Do you think Indian organizations have robust budgeting and forecasting processes?

References:

1. Economy in Distress as Factory Output Slumps : Economic Times 13 Dec 2011
2. Financial Planning, Budgeting & Forecasting in the New Economy : Aberdeen Group with SAP
3. Increasing Competitiveness through Closed Loop Performance Management – SAP
4. Accelerating the Speed of Intelligence for Fast and Flexible Forecasting – SAP with CFO Research Services

You can find the reports at http://www.sapcfo.com/

This article was published in The Business Enterprise Magazine January 2012 issue.

Derailment of Leaders- Profiling Steve Jobs

The corporate world citizens operate on two myths – “We all are great leaders” and “We all have bad bosses”. We cling to these two fallacies with our dear life, most probably because if we let it go, corporate life may become unbearable. These two paradoxical statements make us feel better about ourselves as the delusional views cushion us from harsh realities.

The problem arises due to corporate world’s obsession with leadership. Interviewers question a 21-year-old fresher in the first interview about his/her leadership skills. After six months, s/he will give an opinion how the CEO doesn’t have adequate leadership skills. An employee will risk his/her career if s/he admits that they are good managers and do not have adequate leadership skills. This is despite the fact that most leadership surveys show that 50% of the managers are ineffective leaders.

On the humorous side it reminds me of Scott Adams definition of leadership – “Leadership is an intangible quality with no clear definition. That’s probably a good thing, because if people being led knew the definition, they would hunt down their leaders and kill them.”

On a serious note, I couldn’t help contemplating about Steve Jobs, considered the most successful CEO in our times. He is one of the few CEOs who was thrown out of the company he formed and came back to succeed beyond anyone’s expectations. On the positive side, people viewed him as a visionary, innovator and a driving force. Moreover, his negative traits were equally prominent. His teams said he suffered from “distorted reality”, bullied them no end and was extremely insulting. His professional career shows that in some ways he was an insufferable bad boss and an incredibly good leader. The complexities of his character make an interesting case study to assess leadership derailment.

I read his biography by Walter Isaacson and mapped his leadership skills to the traits mentioned in Michael James Benson’s research paper titled “A Walk on the Dark Side of Personality & Implications for Leadership (In)Effectiveness.” Briefly, it states that derailed leaders have same traits as successful leaders. However, they have additional traits and personality flaws that cause derailment. In Isaacson’s book, initially Jobs showed most of the traits that result in leadership derailment. In his second coming at Apple, he showed more maturity and balanced it out. A mellow version of his intense personality made him more successful.

It is important for risk managers to understand the derailment traits for leadership. Enron, WorldCom, Satyam are prime examples of leadership gone wrong. Prevalence of derailment traits and major personality flaws cause leaders to take unnecessary business risks, create dysfunctional work cultures and have low focus on corporate governance. As top management drives the risk culture in an organization, it is worthwhile for risk managers to assess their derailment characteristics.

In the following paragraphs, I am discussing five derailment traits and am exemplifying it with Steve Jobs life. Before you start reading it, remember all leaders have these traits. Leaders possessing these traits in low to moderate qualities continue to be successful. However, excessiveness of these traits causes derailment.

1.       Ego-centered

People close to Steve Jobs thought that he felt a strong sense of abandonment due to his adoption. This propelled him to consider himself special,  i.e. not required to follow norms of regular people. His ex-girlfriend Redse even thought that he had narcissistic personality disorder.

An amusing story about his employee badge showed his false sense of entitlement. On Apple’s formation, Scott assigned employee badge number #1 to Woznaik and #2 to Jobs. Steve demanded badge #1 and when he didn’t get it, he asked for  badge #0. He kept the badge, though Bank of America still processed his salary as employee number #2.

 His personality flaws showed in other small things. For example, he didn’t want a “reserved for CEO” parking slot, however parked his car in slots reserved for handicapped people.

 His ego-centrism drove Apple in murky waters. He wished to project the image that he didn’t work for money and took a salary of $1 per year as CEO. In 2000 when the board offered him $14 million stock options, he refused and asked for a plane. Subsequently, he demanded $20 million stock options. He received backdated stock options and although he didn’t make any monetary gains from it, Apple got some negative publicity as SEC investigated the case. Walter commented that – “On compensation issues in particular, the difficulty of defying his whims drove some good people to make some bad mistakes.”

 2.    Manipulation

 Everyone thought Steve Jobs was a master manipulator.  Sometimes, for him there was no difference between truth and lies. Bud Tribble one of his teammates said Steve doesn’t accept facts, which do not fit, into his picture. He said, “Steve has a reality distortion field. In his presence, reality is malleable.”  

 Another colleague Andy Hertzfeld said that even if one knew that Steve was manipulating, a person still was influenced. He stated- “The reality distortion field was a confounding mélange of a charismatic rhetorical style, indomitable will, and eagerness to bend any fact to fit the purpose at hand.”  

 Adding to the trouble, his teams complained that if their idea were a good one – “he would soon be telling people about it as though it was his own.”

 Apple employees though knew they had a difficult boss, still considered themselves lucky to be working for him. He inspired people to do what they thought was unachievable. Most probably because manipulators are great at cajoling, persuading and flattering people into complying with their wishes.

However, this did create a dysfunctional culture in Apple. Due to his oscillating behavior, his staff handled him like fragile glass. Most probably, Apple lost quite a few top performers because of this treatment given to them.

He definitely lost his job as a CEO because his manipulations caused turmoil in Apple in 1985. Apple board ousted him out and Sculley remained.

3.    Micromanaging

In some ways, Jobs can be categorized as a control freak. He chose to integrate hardware and software of his products to control customer experience. At one point of time, he banned download of applications to iPad and iPhone that defame people, were politically explosive or pornographic. He morally policed his customers.  According to him, he was providing his customers – “Freedom from programs that steal your private data. Freedom from programs that trash your battery. Freedom from porn.”

Throughout his career, he was at war with Bill Gates on open versus closed platforms. Gates promoted open systems while Jobs ardently opposed it. Though he professed to belong to hacker counterculture, he didn’t want people to be able to use Apple’s platforms without permission.

Even in designing and developing products, Jobs controlled every aspect of the decision-making. His teams while appreciating his capacity to go into the details, did resent lack of authority to some extent. He had the final say even on the look of the cord and sockets of the products. He ran the organization at 10,000 feet and zero feet.

The awesome bit is that with his ideas and approach he managed to change six industries and developed path-breaking products. In this, his customers were not complaining, his competitors were. His control philosophy made the technological world sit up and take notice. One has to marvel at it, and contemplate whether micro managing has benefits in some situations.

4.     Intimidating

Steve Jobs learnt his most effective intimidation trick from Robert Friedland in college. He unblinkingly stared intensely at others and them kept silent for a long time to unnerve opponents.

Moreover, if some project or product didn’t meet his “insanely great” standard, the product was shit and the guy was a bozo. His colleagues referred it to as “hero/shithead dichotomy”. He voiced his unedited opinions without the normal social graces that caused many of his teammates to breakdown emotionally. . His frequent unfiltered scathing comments were hurtful and created a fear factor. Although, known to be emotionally intelligent, he was unrepentant of mistreating others.

Though his behavior looked like my way of highway, he succeeded as he appreciated the people who confronted him. His teams could push back and if Steve found the person capable, he would respect the person. His Mac team gave an annual award to the employee who did the best job of standing up to him. “Jobs knew about it and liked it.”

However, in the second stint as CEO, his intimidating nature negatively affected independence of the board. For instance, he invited former SEC chairperson Arthur Levitt to join the board. But, when he read Levitt’s speech on independence of board, he withdrew the invitation on phone.

5.    Passive Aggressive

 Jobs was blatantly aggressive; hence, this trait didn’t fit his personality. However, his partner Steve Woznaik did show this trait to an excessive level. For instance, Woznaik was hesitant of participating in Apple in a leadership position. He said he was happy that – “I could stay at the bottom of the organization chart as an engineer.” He never attempted to be a manager or leader. He played the good guy image to the hilt. While he appeared satisfied for Jobs to take up the mantle of bad guy and fight the corporate battles.

Woznaik claimed in his biography that he did a job for Atari to remove chips and Steve cheated him of the bonus. He claimed  - “Ethics always mattered to me, and I still don’t understand why he would’ve gotten paid one thing and told me he’d gotten paid another. But, you know, people are different.” He further added – “I would rather let it pass. It’s not something I want to judge Steve by.”

 Steve Jobs on the other hand denied the allegation and said that he has always been fair to Woz. He said in his defense – “In mean, Woz stopped working in 1978. He never did an ounce of work after 1978. And yet he got exactly the same shares of Apple stock that I did.” It showed Woz avoided confronting Steve though didn’t mind maligning his reputation. Woz projected an image of childlike innocence. I suspect, without Steve Jobs driving force and personality Apple would have collapsed if Woz had become the torch-bearer.

Closing thoughts

Leadership is a complex phenomenon and the more I read about it, the more I think Scott Adams definition is accurate. There is a lot of truth in it. However, as risk managers we cannot take leadership derailment traits lightly. Excessive derailment traits create a dysfunctional organization culture. They are a harbinger of unprecedented risk taking activities. Uncontrolled behavior can put organizations in peril. Hence, risk managers need to devise ways to monitor it. They must ensure proper checks are incorporated in succession planning for early detection of derailment traits.

“One more thing”, what do you think it takes to become a Steve Jobs of risk management?

References:

1. New Explorations in the Field of Leadership Research: A Walk on the Dark Side of Personality & Implications for Leadership (In)Effectiveness - By Michael James Benson

2. Steve Jobs – Biography by Walter Isaacson