Managing Systemic Risks in Organizations

The gross turnover of top 100 multinationals is higher than the gross domestic product of a few countries. As it was obvious from the financial crises, organizations employing a few hundred thousand employees can rock the global financial stability. From then on, a lot of discussion is occurring around systemic risks. However, I wonder about the actual momentum in addressing systemic risks.

As per my understanding, an inaccurate perception has formed that governments have the major responsibility to address systemic risks and not the organizations. The picture below depicts the increasing level of risks for human civilization or society as a whole and the increasing level of risks within an organization. Though we do not see linear relationships, they are interconnected. While an organization is a subset of the civilization, their large sizes have also made it a significant component of creating systemic risks.

 

Systemic risks

 

Another fallacy is that organization’s need to track systemic risks at the global level alone. From the financial crises, it was obvious that the Retail Housing Loan departments of US Banks shook the real estate industry. Various CDOs of banks investment divisions were the cause of collapse of major banks. Hence, something as small as the functioning of a department, process or product can destabilize the industry and economy when incorrect practices are followed in multiple organizations.

Moreover, senior management of organizations that have implemented Enterprise Risk Management (ERM) believe that systemic risks are automatically addressed. None of the ERMs is going beyond strategic risks. The focus is mostly on operational and tactical risk coverage. Unless the risk management department has taken concrete measures to identify systemic risks, in all probability they are unmitigated.

Lastly, for most of the systemic risks, the organization by itself can only partly mitigate the risks. Except for taking insurance, they cannot develop and implement full-fledged solutions to treat the risks. Though the impact of systemic risks is huge, the lack of understanding, information and solutions, make organizations negligent about identifying and addressing these risks. Hence, the question is – what should organizations do to manage systemic risks?

1. Global Systemic Risk Monitoring Group

Within the risk management department there should be dedicated resources tracking systemic risks from process to country level and reporting to the global group. In the interconnected world, the risks in one country impact other countries. For instance, consider the attack on Malaysian airplane by rebels in Ukraine. A geo-political risk of one country has brought an organization of another country down. Hence, now the risks have to be viewed from a global perspective. To do this organizations must incorporate the group within the organization structure, deploy funds and resources, use technology to connect and track risks at a global level.

2.  Connecting With National Risk Boards

The 2014 World Bank Risk Report suggests formation of National Risk Boards (Same name, could they have got inspired by this blog :)). This will be a huge plus, since risk identification and mitigation will be done at a national level. For instance, if a large country like India were connected at district, state, and national level through risk boards, the level of risk management would improve significantly.

Moreover, this will facilitate in addressing inter-state risks and cross border risks. For example, cyber security threats mitigation requires coordination within the country and significant amount of international collaboration. The national risk boards of countries become the focal point for international cooperation and collaboration for risk mitigation. Developing relationships with the board members and participating in the initiatives will help organizations in dealing with systemic risks.

3.  Connecting With Industry Risk Boards

The systemic risk group needs to connect with the industry risk boards and regulators to capture the industry level risks. For instance, Back of England conducts a half-yearly survey to determine systemic risks in UK financial sector and the confidence of the organizations in dealing with it.

If organizations facilitate in formation and management of industry risk boards, they can cooperate with the competitors to mitigate industry level risks. Relationships with international industry boards would be a huge plus in acquiring knowledge and formulating plans.

4.  Assessing Preparation at National Level

The World Bank report states that investment in risk mitigation and prevention is low, and most of the expenditure is done during and after a disaster to recover and continue operations. Therefore, the challenge is that risk identification may not result in developing and implementing risk mitigation plans. For example, various cities in India regularly suffer from floods during monsoons. ALthough the government knows the problem and solutions, it has not done much to resolve the issue. There are ongoing battles between city, state, and national level for risk prioritization.

That is, the same risk may have different impact and loss level due to national level preparation. Organizations need to assess the level of preparation of government and local communities to determine the impact and develop risk mitigation plans accordingly.

5.  Assessing Impact at Social Level

Previously, organizations were insulated from the society to some extent. The social networks have changed the scenario, and any incident can become an explosive issue. Hence, impact has to be calculated at social level rather than at an incident level. For instance, recently a six-year-old girl in Bangalore was gang-raped in school by her teachers. Last weekend, parents in Bangalore organized marches to demonstrate their anger against the schools lackadaisical attitude towards children security. Police has lodged complaints against the school and politicians are talking about closing the school.

Presently, rape, women, and child security are sensitive topics in India. India is fourth unsafe country in the world for women. Hence, a single incident can close down an organization. Therefore, risk managers need to identify sensitive issues related to systemic risks and extrapolate the impact at city, state, country, and global level to determine impact of various risks.

Closing Thoughts

Systemic risks impact is sometimes more than losses of earthquakes, tsunamis and nuclear disasters, hence they cannot be ignored. Higher level of focus is required within organizations, industry, community, and nations to build processes, institutions, and infrastructure to identify and mitigate systemic risks. Timely investment in this area can save billions of dollars. Hence, risk managers need to put their thinking caps on, develop concept notes, and influence senior managers to deploy funds in managing systemic risks.

The Misconstrued Likelihood

Source: Lancashire Resiliency Forum

Source: Lancashire Resiliency Forum

 

Have you ever thought of stopping the use of “likelihood” in preparing a risk matrix? The shocked reaction is – “how can we calculate risk without likelihood?” But seriously, how competent are we in calculating the probability of each risk. As risk managers, don’t we just check the box based on our judgment? The thought process is – earthquake – rare, hurricane – rare, data theft – occasional, and we don’t need data to make these judgments.

 1. Inaccurate Calculation

My claim is that all this is hyperbole and we draw inferences from inaccurate information. To substantiate my argument, here are two statements of the EY 13 Global Fraud Survey 2014 and Kroll Global Fraud Survey 2013/2014.

EY 13 Global Fraud Survey 2014 quote:–

“More than 1 in 10 executives surveyed reported their company as having experienced a significant fraud in the past two years. In fact, the level of fraud reported by respondents has remained largely unchanged over the past six years: from 13% in 2008 to 12% in 2014.”

 Kroll Global Fraud Survey 2013/2014 quote:

 “The incidence of fraud has increased. Overall, 70% of companies reported suffering from at least one type of fraud in the last year, up from 61% in the previous poll”

The EY report does not define “significant fraud” .Kroll report does state that “the economic cost of these crimes mounted, increasing from an average of 0.9% of revenue to 1.4%, with one in 10 businesses reporting a cost of more than 4% of revenue.”

 Now assume you do not have historical data on incidence of fraud in your organization and have to infer the likelihood of fraud from the above-mentioned statements.

 

Please share the logic you used to determine the likelihood in the comments section.

 2. Unidentified Representative Bias

Implicit in our judgment is representative bias, which only a discerning eye can decipher. For instance, read the following lines from the EY 13 Global Fraud Survey 2014.

“The survey results show a correlation between executive roles and willingness to justify certain activity when under pressure to meet financial targets:

CFOs are more likely than other executives to justify changes to assumptions relating to valuations and reserves in order to meet financial targets.

General counsel are more likely than other executives to justify backdating contracts in order to meet financial targets.

► Sales and marketing executives are more likely than other executives to justify introducing flexible return policies in order to meet financial targets.”

How is this news worth reporting? Aren’t risk managers aware that employees are more likely to conduct frauds within their area of job responsibility and authority?

It would be interesting to know the probability of other departments (excluding sales and marketing personal) introducing fraudulent flexible return policies. Without that information, while conducting a fraud investigation we are likely to assume the fraud in sales department was conducted by sales personnel, whereas it is possible that another department personnel had done it.

Now if you want further proof of representative heuristic, here is a classic example of a study conducted on women’s propensity to conduct fraud by Steffensmeler. He concluded:

“There is reason to believe that over time increasing the number of female CEOs would reduce corporate corruption because women tend to promote a more ethical business climate rather than one that promotes personal and corporate profits at all costs, no matter what the potential societal costs or harms might be.”

Then he further states that lower rate of fraud might be because men do not conspire with women to conduct frauds and women may not have access to higher echelons of management to do big frauds.

However, it still does not explain how he has made the above statements. According to child psychology reports, both girls and boys in childhood have nearly equal tendency towards anti-social behavior though it reflects in different ways. For example, boys bully directly, girls bully indirectly.

So, are we saying nature and nurture have less impact on girls than boys because they are somehow hardwired to be more ethical? Alternatively, do you think that social conceptions are at play here because women are the weaker sex and therefore nicer. Wouldn’t it be interesting to study the tendency to commit fraud by giving equal opportunity to both genders to steal without fear of punishment and then find who is more likely to do so? It might show that women commit less fraud not because they are more ethical, but more fearful.

Closing Thoughts

Risk managers must ask themselves – “What is the worst that can happen if they do not check any box of likelihood? It is possible to create a bucket list of known risks, with undetermined likelihood and impact?” Adopt an alternative method or procedure, since inaccurate calculations lead to misguiding the management and implementation of wrong risk mitigation plans.

If we do not know something, why pretend to have a magic wand and claim knowledge. What is the harm in admitting that we do not have all the answers?

 

References:

  1.  EY 13 Global Fraud Survey 2014
  2. Kroll Global Fraud Survey 2013/2014
  3. Women still less likely to commit corporate fraud 

 

 

 

 

Junk The Risk Assessments

Sorry folks for taking such a long break from blogging.  I was busy talking to a few angels who had entered my life all of a sudden. Now you are thinking that maybe I injured my head during the last five months. An adult talking about angels, absolutely insane! As kids we are happy to believe in Santa Claus. As we grow the social norms expect us to be more cynical, and we have to say – “We don’t believe in angels”. The question is –“have you seen any with your naked eye?” Off course not, but how does that prove that they don’t exist. In life, we have not seen many things, but we believe they exist.

So now, you are wondering what I am getting at.

As a risk manager has a business head ever told you – “You don’t have any idea of the business, this risk assessment is trash.” You wished to tell him that you did a proper job but he is absolutely is absolutely refusing to listen.

When business managers  submitted self-risk assessments, were you rubbing your eyes in disbelief? You could not figure out how they have rated the risks so high or so low, completely contrary to your expectations.

Is it possible that the risk assessments are frequently wrong and serve very little purpose except for completing the paper work? The idea of discarding risk assessments is scary as operational risk managers rely heavily on risk assessments matrix to assess the probability of occurrence of risk and the impact of the same. We advise business managers to complete self-risk assessments for their units. Organizations consider top twenty risks critical and depute resources to address the same.

Despite the risk assessments, unknown risks keep popping up. Risks rated low flare up into big issues. High impact low probability risks cause a whole lot of more damage than estimated.

Research on cognitive biases shows that subjective risk assessment done without data are prone to errors. Human beings have numerous biases in their thinking, due to which they tend to make incorrect decisions. Below is the list of biases I shall discuss in the next few posts:

1)      Representative Heuristic

2)      Availability

3)      Hindsight Bias

4)      Black Swans

5)      Conjunction Fallacy

6)      Confirmation Bias

7)      Anchoring, adjustment and contamination

8)      Affect Heuristic

9)      Scope Neglect

10)   Calibration and Overconfidence

11)   Bystander Apathy

You might be wondering whether the biases and heuristics really have any impact or is it just another aspect of psychology we can ignore. Let me ask you a question here:

 

Malcolm Gladwell did an analysis in his book David versus Goliath and stated that in 63% of the cases the smaller country defending its territories won the war. The powerful invader had to backtrack and generally lost the war despite its military strength. The small defending countries win because they use unconventional strategies for warfare, garner public support, and have higher commitment as they have more at stake if they lose. Then what percentage of the risk assessments of a war are incorrect? The loss of life and property are in vain.

Wait for the next few posts, as they might make you rethink on the conventional wisdom of risk assessment done by organizations.  

References: 1. Cognitive Biases Potentially Affecting Judgment of Global Risks – Eliezer Yudkowsky, Machine Intelligence Research Institute

2.  Probabilistic Reasoning by Amos Tversky and Daniel Kahneman

Human Rights Risk Management Process

Bangladesh Building Collapse

The fire in a nine-story factory building in Bangladesh killed 400 people. More than 600 people remain unaccounted for. It housed five garment factories that supplied to international brands – J.C. Penny, The Children’s Place, Dress Barn, Primark, Wal-Mart etc. The workers were asked to come to work even when cracks appeared in the building the previous day.

Bangladesh is the second largest exporter of clothes and the workers get the lowest compensations. Just around USD 37-40 per month. The question arises why are the multinational organizations not following the UN Guiding Principles for Human Rights protection. The reason is simple; they want to show higher and higher profits to the investors.

In Delhi, in Munirka one will find numerous small factories full of workers making export garments. A friend of mine also ran one. I had bought a few shirts from her at cost price ranging from Rs 300-500 (USD 6-10). In one international visit, I found the same shirts selling in range of USD 15-30. The fivefold increase in price was because of the brand tag attached to the shirt.

The multinational buyers push the prices down and some supplier gives a rock bottom price. The others are forced to match that price to get the business. End result is that basic facilities are not provided to the workers and they work at really low wages. Unknown workers are paying with their lives in developing countries to satisfy the growth targets set by CEOs to earn their bonuses and keep investors happy.  It is the dark side of capitalism which organizations want to hide.

In most companies, human rights risk management is not a focus area. The 2013 Global Risk Management Survey conducted by RIMS identified seven risks related to human resources among the top fifty risks. Though worker injury and harassment were included there was no specific emphasis on human rights risk management.

The risk management team can conduct annually or bi-annually a human rights risk management assessment. It requires attention not only from human resources perspective but from operational, financial, legal and reputational risks perspective. Any breach can result in huge losses.

Here are some of the steps mentioned in the UN Guiding Principles on Human Rights and guide “Investing the Right Way” issued by Institute of Human Rights and Business.

1.     Review the Human Rights Policy Statement

Human rights risk management is emerging as an important issue, especially with multinationals entering emerging markets and developing countries. They are expected to protect and respect rights of workers, communities and society. Investors can play a crucial role by influencing companies to promote human rights relating to gender equality, child labor, rights of indigenous people, land acquisition, mineral processing etc.

Hence, companies need to publish Human Rights Policy Statement on their websites. The UN Guiding Principle 16 states –

 “As the basis for embedding their responsibility to respect human rights, business enterprises should express their commitment to meet this responsibility through a statement of policy that:

(a) Is approved at the most senior level of the business enterprise;

(b) Is informed by relevant internal and/or external expertise;

(c) Stipulates the enterprise’s human rights expectations of personnel, business partners and other parties directly linked to its operations, products or services;

(d) Is publicly available and communicated internally and externally to all personnel, business partners and other relevant parties;

(e) Is reflected in operational policies and procedures necessary to embed it throughout the business enterprise.”

As a first step risk managers need to check whether the organization has a human rights policy statement and the above mentioned steps have been adhered to.

2.     Human Rights Impact Assessment

The second aspect of UN Guiding Principles is for companies to establish human rights due diligence processes. Guiding Principle 17 states:

 “In order to identify, prevent, mitigate and account for how they address their adverse human rights impacts, business enterprises should carry out human rights due diligence. The process should include assessing actual and potential human rights impacts, integrating and acting upon the findings, tracking responses, and communicating how impacts are addressed. Human rights due diligence:

(a) Should cover adverse human rights impacts that the business enterprise may cause or contribute to through its own activities, or which may be directly linked to its operations, products or services by its business relationships;

(b) Will vary in complexity with the size of the business enterprise, the risk of severe human rights impacts, and the nature and context of its operations;

(c) Should be on going, recognizing that the human rights risks may change over time as the business enterprise’s operations and operating context evolves.”

Human rights risk management is complex and challenging. If ignored, they can increase political risks and deteriorate relationships of the organization with the government. For example, Tata Motors wished to establish Nano manufacturing plant in Singur, West Bengal. The government allocated agriculture land using 1894 land acquisition rule, meant for public improvement projects, to take over 997 acres farmland. The farmers protested with help of activists and the then opposition leader Mamta Banerjee. Tata Motors moved out of West Bengal and established the factory in Gujarat. Multinationals looking for large tracts of land to establish factories are facing similar challenges in India.

Another aspect to look into is that scrap, waste disposal, sewage, environment pollution etc. from factories can impact food, water and health of local communities.

Decision needs to be taken whether investments should be made in countries or states with poor human rights record. In India, the Naxalite area is extremely conflict prone and business operations can have severe human rights impact.

Risk managers should evaluate the strategy and operations of the company from human rights, environmental, social and governance factors. The companies can face operational risks (project delays or cancellation), legal and regulatory risks (lawsuits and fines) and reputational risks (negative press coverage and brand damage). The impact assessment should be done from investors, customers, employees, society and supplier perspective. Identify business owners for the risks and devise appropriate risk mitigation plans to address adverse impact.

3.   Grievance Mechanisms

UN Guiding Principles state that victims of corporate related human rights abuse should have access to judicial or non-judicial remedies. Companies should provide some remedies themselves and cooperate in the remediation process.

UN Guiding Principle 29 states –

“To make it possible for grievances to be addressed early and remediated directly, business enterprises should establish or participate in effective operational-level grievance mechanisms for individuals and communities who may be adversely impacted.”

However, this isn’t followed by the companies in true spirit. “A Vigieo analysis of human rights records of 1500 companies listed in North America, Europe and Asia revealed that, in the previous three years, almost one in five had faced at least one allegation that it had abused or failed to respect human rights.”

Ideally the investors in the company should ensure that grievance mechanisms exist and address human rights issues. The transparency and disclosure of the same in annual reports would highlight the financial, legal and reputational risks. However, the investors don’t seem to be bothered by it.

See the case of Apple. It reported  Gross Profit Margin – 42.5%, Net Profit Margin – 26.7%, Revenue Per Employee – $ 2,149,835 and Net Revenue Per Employee – $ 573,255. It has 43000 employees in US and 20,000 outside US. However, Apple contractors hire an additional 700,000 people to engineer, build and assemble iPads, iPhones and Apple’s other products.

An Apple supplier in Taiwan, Foxconn was recently in the news for its workers attempting suicide. As per reportsWorkers are required to stand at fast-moving assembly lines for eight hours without a break and without talking. Workers, sharing sleeping accommodations with nine other workmates, often do not know each other’s names. They do not have much time to get to know each other. The basic starting pay of 900 RMB($130) a month – barely enough to live on – can be augmented to a more respectable 2,000RMB ($295) only by working 30 hours overtime a week.”

See the difference the company earns per employee and the payment made to the supplier’s employees. Apple shows profits at the expense of lives of Taiwanese workers.  The workers don’t have much of a grievance mechanism in China as the government stated that the suicides are within the normal suicide rate. Can Apple investors sacrifice some profit margin for safety and security of the contractual workers?

Another old example is the class action suit since 2001 on Wal-Mart Stores that involved 1.5 million current and former Wal-Mart female employees. It is the largest workplace bias case in US history.

 4.    Human Rights Reporting

 The biggest challenge is that most of the human rights abuses are not reported. The victims of human rights exploitation hold little power in comparison to the exploiters. They can hardly take up the might of powerful businesses when they are struggling to get basic food and shelter. Secondly, in the developing and emerging countries, corruption levels are generally high. Hence, media, law enforcement agencies etc. are bribed by the power players to silence the victims. However, with internet and social media, things are gradually changing. People have a voice and collectively they can fight.

UN Guiding Principle 21 lays out the requirement for companies to communicate human rights impact externally. It states -

 “In order to account for how they address their human rights impacts, business enterprises should be prepared to communicate this externally, particularly when concerns are raised by or on behalf of affected stakeholders. Business enterprises whose operations or operating contexts pose risks of severe human rights impacts should report formally on how they address them. In all instances, communications should:

(a) Be of a form and frequency that reflect an enterprise’s human rights impacts and that are accessible to its intended audiences;

(b) Provide information that is sufficient to evaluate the adequacy of an enterprise’s response to the particular human rights impact involved;

(c) In turn not pose risks to affected stakeholders, personnel or to legitimate requirements of commercial confidentiality.”

 As per the UN principles, the reports must cover appropriate qualitative and quantitative indicators, feedback from internal and external sources including affected stakeholders.

Risk managers can evaluate the reports and the reporting process to ensure that all risks are properly addressed. They should evaluate whether cautionary steps are taken and nothing is being done to exacerbate the situation. They should highlight severe or irreversible risks to the management to ensure appropriate decisions are taken.

Closing Thoughts

 Inequalities in income are the main cause of human rights abuse. The rich want to get richer at the expense of blood and sweat of the poor, and sometimes life. The diamond manufacturers and sellers took the right step to publish that they do not source blood diamonds. Since 2003, the Kimberley Process Certification Scheme (KPCS), supported by national and international legislation, has sought to certify the legitimate origin of uncut diamonds. Trade organizations – International Diamond Manufacturers Association (IDMA) and the World Federation of Diamond Bourses (WFDB) – representing virtually all significant processors and traders – have established a regimen of self-regulation.

Other industries, be it technology, electronics or textile manufacturers,  need to come out with similar steps to stop human rights abuse. The risk managers have a vital role to play in it. If we do not do anything, we are cheating this and the next generation of their right to live happily.

References:

  1.  Investing the Right Way – A Guide for Investors on Business and Human Rights – By Institute of Human Rights and Business
  2. Singur farmland-  Tata Motors conflict
  3. Apple financial ratios
  4. Foxconn Case Study
  5. Diamond industry sales clauses
  6. 2013 RIMS Global Risk Management Survey

 

Fraud Risk Management in Ancient India

Presently, the Serious Fraud Investigation Office of India lacks sufficient powers to initiate investigations and prosecute. The Central Bureau of Intelligence isn’t independent due to which politicians escape prosecution for corruption and money laundering. Indian police force Economic Crime wing doesn’t have expertise in dealing with electronic and financial frauds. The legal system is pathetic and takes a long time to prosecute white-collar criminals. India has a shortfall of trained fraud investigators as it hardly has any courses for students in this line.

All these aspects may make you think that Indians are new to the concept of fraud risk management. This is far from the truth. Kautilya addressed financial fraud risks in 4th century BC and most of the concepts are still used presently. Let me narrate you some of the concepts he formulated in earlier times.

1.      Formation of a Central Investigation Agency

Kautilya proposed a central investigation agency for a kingdom to do espionage work. A network of spies located in different parts of the kingdom reported information to their handlers. The handlers in turn checked the authenticity of the information from three sources and if correct reported to the agency. The spies did not have direct contact with the agency to conceal true identities..

Spy selection depended on character and social position. Spies were recruited from all sections of society. Spies were positioned in all the departments and commercial ventures of the king to ensure that the head of the departments do not abuse their power or cheat the king. Women were considered particularly useful to penetrate wealthy households to get the inside story. In current India, there is a scarcity of female fraud investigators as it now considered a masculine job. However, in ancient India, women investigators and spies were quite common.

2.      Types of Financial Frauds

Kautilya identified 40 ways of embezzlement. Some of them are mentioned below:

  • Overpricing and under-pricing of goods
  • Incorrect recording of quantity of raw material and other stocks
  • Misappropriation of funds
  • Teaming and lading
  • Misrepresentation of sources of income
  • Incorrect recording of debtors and creditors
  • Incorrect valuing and distribution of gifts
  • Inconsistency in donations and distributions for charity
  • Misappropriating goods during barter exchange
  • Manipulating weights and tools for measurement
  • Misrepresentation of test marks or the standard of fineness (of gold and silver)

It is interesting to note that Kautilya mentioned most of the frauds that occur in accounting and preparation of financial statements. It shows human psychology has remained the same. However, in India the value system has deteriorated that has resulted in increased fraud and corruption. In olden times, the value of honour was held high. For example, the prime thought in Hindi was – “prann jiye pur vachan na jiye.” (meaning – it is better to lose one’s life rather than go back on a verbal promise given)

3.      Mechanism for Investigation and Punishment

The investigation process was quite similar to the current process followed. Information was initially gathered regarding the fraud from informants, spies, whistle blowers and audits. Background information of the suspects was gathered by sending spies to their residence and business premises.

Subsequently, the people involved, the suspects and witnesses were interrogated. Kautilya suggested separately examining ” the treasurer (nidháyaka), the prescriber (nibandhaka), the receiver (pratigráhaka), the payer (dáyaka), the person who caused the payment (dápaka), the ministerial servants of the officer (mantri-vaiyávrityakara)” for financial frauds. If any person lied, s/he received the same punishment as the main culprit.

Another fascinating aspect is that India doesn’t not have any law similar to the whistle blower provisions of Dodd Frank Act. However, Kautilya proposed –  “Any informant (súchaka) who supplies information about embezzlement just under perpetration shall, if he succeeds in proving it, get as reward one-sixth of the amount in question; if he happens to be a government servant (bhritaka), he shall get for the same act one-twelfth of the amount.”

The punishment for fraud depended on the nature and value of fraud. It ranged from nominal fines to death penalty. The victim was compensated for the losses suffered.

Closing Thoughts

The processes proposed by Kautilya for fraud detection were followed even until the Moghul rule. However, these were dismantled during the time of British Rule as the Indian Penal Code was formulated.  The difference between Mogul rule was that Moguls settled in India, marriages took place between Indian royalty and Mogul rulers and the culture got integrated over time.

The British came to rule for economic purposes. They wished to take advantage of India’s natural resources and vibrant economy. They levied their own rules and did not integrate them with the Indian culture. Hence, over time the Indian value system was lost or kept for namesake only. Overtime, as even after independence the British education system was used, a split ethical value system developed between personal values and business ethics. Therefore, corruption increased in the business environment till it became all-pervasive in the society. It is going to take a lot of effort to change the system now. No short-term solutions  will work.

Employee Selection and Background Screening in Ancient India

Would it be fair to assume most of us believe that employee selection and background screening processes were formed in the 20th century? Do you think soft skill evaluation of employees is the latest management mantra? Will it come as a surprise that in India these were formed in 4th Century BC?

Kautilya’s Arthshastra, written in 4th  century BC, lays down rigorous process for selection and background screening for ministers, priests and government employees. It is more extensive than that employed in the present-day corporate world. I am doing a comparison of the two below. After reading, tell me whether we have progressed or deteriorated in 25 centuries.

1.      Selection Process

Let us first see the qualities senior level people require according to Kautilya:

“Native, born of high family, influential, well trained in arts, possessed of foresight, wise, of strong memory, bold, eloquent, skilful, intelligent, possessed of enthusiasm, dignity, and endurance, pure in character, affable, firm in loyal devotion, endowed with excellent conduct, strength, health and bravery, free from procrastination and fickle mindedness, affectionate, and free from such qualities as excite hatred and enmity–these are the qualifications of a ministerial officer (amátyasampat).”

If you look at them, he covers intelligence, professional capability, personal character, strategic thinking, emotional intelligence, social and business connections, soft skills and physical fitness. In the 21st century words and terminologies are different, but attributes are the same. Hence, not much change.

2. Background Verification Process

Now I am giving a table below comparing the two period’s process of background verification. For detailed methodology of the current period refer to my article – Pre-employment Background Verification.

Background screening

Doesn’t it make you think? Over 25 centuries, the basic concept and process of selection and background verification has remained more or less the same. However, Kautilya’s selection process doesn’t stop here. He mentions a few additional processes and I am amazed at the insight.

3. Detailed Character Verification

In the Arthshastra, Kautilya asks to ascertain the character of employees by offering temptations and instigating them against the king. Senior level ministers and priests should attempt to lure the employee to test him for four allurements- religious, monetary, love and fear. He suggests creating situations to test whether the employee will defy the king for the sake of religion, money, sex or under threat. Then he states, that whosoever is lured by a certain aspect, should not be in-charge of it. For example, if someone fails the test of monetary allurement, he should not be responsible for managing finance. The tests were conducted to ensure that people in critical positions were incorruptible.

In present times, we select senior managers on various aspects but their loyalty and character aren’t as thoroughly checked as in the ancient times. In my view, quite a significant number will fail Kautilya’s tests for “purity of character”. How many CEOs check whether their direct reports will betray them for bribes and rewards?

Closing thoughts

In India, around 25% candidates submit false or inaccurate resumes. The background screening processes aren’t fully established in most of the organizations. With high risks of hiring terrorists, hackers and fraudsters the organizations are susceptible to financial, legal and reputation risks. Isn’t it surprising that even after 25 centuries the process and procedures aren’t fully implemented.

We now say we are living in a fast changing world. So, do you think background-screening processes will become efficient in this century, if they haven’t changed in 25 centuries?

Ernst & Young Insight For Internal Audit Transformation

The last post – ‘Coal Gate Scam – Should Auditors Comment on Policy Decisions’ ignited a thought-provoking discussion on LinkedIn. The major debate was on role of internal auditors on evaluating strategic decisions and strategy per se. The message is – transform the internal audit department and leave behind the old thinking of verifying compliance to existing processes. Hence, I thought of sharing some great insights from the Ernst & Young report – The Future of Internal Audit is Now.

Before we discuss the details, check out transformation process depiction below.

The key aspects of the transformation process are:

1.      Align with organization strategy

According to the study, 61% of the internal audit departments did not have a documented mandate aligned to business. One can question then, exactly what are they working on. The way forward is to understand the business strategy – sales, operations, human resources, products, etc. and identify the strategic and business risks of the same.

2.      Formulate the internal audit strategy

Based on the understanding of business strategy and strategic risks, devise an internal audit strategy. Developing an internal audit annual plan isn’t sufficient. Take the time period of the business strategy, and formulate the internal audit strategy for the same period or a three to five year period.

3.      Acquire the right talent

Execution of a strategy is as good as the people deployed to the task. Upgrading skills is a must. Besides technical and functional knowledge, auditors now need business acumen. Rotate resources from operations to get in-depth business knowledge. To highlight the importance of business skills, according to the report just 47% of the IA departments have a training plan for leadership and business management.

4.      Operate as a business function

Internal audit should stop viewing itself as a support function and take a leaf out of line functions. It should measure itself against the same standards as business functions. Have the right strategy, execute it effectively, provide value add and measure against key performance indicators. As it is mostly a cost centre, it doesn’t mean it should let itself go.

Closing thoughts

Survival of business in this global economic crisis is hugely dependent on effective risk management. Internal audit plays a vital role in improving the financial performance of the organization. Hence, transforming the department functioning from old mind-set to fit the 21st century requirements is must.

Before closing, here is something to start your week on a good note. An old man for the first time saw moving walls. While he was standing in front of them, he saw an old woman enter the walls, and in a second a young woman came out. He said to his grandson – Son, hurry home and get your grandmother.

References:

The Future of Internal Audit is Now – Ernst & Young report

Coal Gate Scam – Should Auditors Comment on Policy Decisions?

The Coal Gate Scam report has squarely put the loss of Rs. 1.86 lakh crores (USD 35. 097 billion) at the Prime Ministers door. Comptroller and Auditor General (CAG) report states that Prime Minister Manmohan Singh agreed to introduce competitive bidding for allocation of coal blocks way back in October 2004. However, his office indulged in delay tactics of approving the revised policy. This resulted in allocation of coal blocks according to the old policy introduced in 1993. Failure to use competitive bidding resulted in a loss of Rs. 1.86 lakh crores (USD 35.097 billion).

This raises interesting questions from the corporate sector perspective. Should auditors see the validity and applicability of policies? Alternatively, should they restrict their role to the compliance of existing policies?  What happens when a policy or standard operating procedure of an organization is redundant however is still being followed? If competitors are using better processes, technology and policies than the organization, what role should auditors play in it?

1.     Delaying Policies Becomes a Political Game

According to the CAG report, the Screening Committee allocated blocks and the process lacked transparency. Allegations are that private companies with political links benefited at the expense of others. However, competitive bidding policy could have been introduced with an amendment from the administrative desk. Prime Minister’s role becomes critical as he was also fulfilling the responsibilities of Minister of Coal. CAG says he made it into a bigger issue that the policy should be changed for all minerals and not just coal; hence the process for making such large-scale policy change was different. This allowed the coal ministry to follow the 1993 process.

This happens in the corporate sector too. For instance, an employee or a small group suggest a change to an existing control process that will take just one man-month effort. Some others with vested interests do not wish for the change to occur. However, they can’t reject the suggestion for strengthening controls without looking bad. Hence, to stall the project, they add a few more suggestions which make the project larger into 24 man-months effort. Now the change can only happen once the huge budget is approved. Since, the project is not priority; it stays on the bottom of the budget approval list. Hence, status quo remains and subsequently someone exploits the control weakness to conduct a fraud.

In such a situation, as an internal auditor would you highlight the initial attempt to strengthen controls and put responsibility on the other group for delaying the change? Do we as internal auditors go back in such depth to find out what projects or policies were kept pending approval and they had such a huge negative impact?

2.     Auditor’s Role in Policy Review

The Supreme Court has upheld CAGs power to comment on policies. Justices R M Lodha and A R Dave bench said “Do not confuse the constitutional office of CAG with that of an auditor of a company or corporation.” This response was in respect to a petitioner’s contention that CAG should restrict itself to auditing expenditure and not comment on the government’s rational of policy decisions. The bench had further added – “CAG is not the traditional Munimji to prepare only balance sheets. It is constitutionally mandated to examine the efficiency, effectiveness and economy of the decisions of the government in using resources. If the CAG will not do this, then who will?

This viewpoint raises some interesting points for internal auditors in the corporate world. Should auditors be commenting on strategic or policy decisions of the company?

For instance, the company decides to use print media for advertising open job positions. However, it is much cheaper to use job portals and social media. These significantly reduce the cost of recruitment. Should an auditor restrict himself to checking that all expenditure is authentic or question the hiring policy?

Another aspect is the strategy decisions. Let us say, Company A decided not to enter into the emerging markets, whereas Company B operating in the same industry entered the emerging markets and increased the profitability tremendously. Should an auditor audit strategic decisions, and not just say that it is management responsibility. Where is the line of demarcation drawn in respect of corporate internal audit?

Institute of Internal Auditors new standard applicable from 2013 ‘Achievement of the organization’s strategic objectives’ states that – “The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the achievement of the organization’s strategic objectives”.  Hence, should we conclude that evaluating strategic decisions comes under internal audit purview?

3.     Auditor’s Role in Calculating Presumptive Loss

The CAG audit reports on 2G licenses and Coal Block allocations have raised a storm due to the calculation of presumptive loss figures. The government’s contention is that CAG should not be calculating the opportunity loss, as policy decisions are taken to benefit the public.

CAG however, contended that – “We had never commented on government policies, neither did we ever say that auction was the only route or that all natural resources should be auctioned. In both 2G spectrum licences and coal block allocations, we had only commented on the ‘effectiveness or non-implementation’ of policies. The presumptive loss or windfall gain figures are only to highlight the serious issues of an act of commission during implementation of government policies.”

In the corporate world, internal auditors make an observation and restrict their recommendations to suggest improvements. In rare cases, a cost-benefit analysis is done on the impact of the control weakness. We generally fail to draw management attention to the seriousness of the issue, as they are no numbers given. Should corporate internal auditors change their approach to audit work to give a cost-benefit analysis for their observations? Will that garner more attention from the management and initiate action?

Closing Thoughts

These are questions worth debating about and there are no easy answers. The business world internal auditors can learn quite a few lessons from the government auditors. They are doing a good job of raising contentious issues. Below is a poll to assess your views.

References:

  1. CAG not a ‘munimji’ of govt’s balance sheet: SC
  2. CoalGate: CAG does not let Manmohan, PMO off the hook
  3.  Performance Audit of Allocation of Coal Blocks and Augmentation of Coal Production (Ministry of Coal)

Reflections on Reputation Risks

Indians think more highly of themselves than they are. I am not making this up, it is a factually correct statement according to the Country report of Reputation Institute. Respondents ranked India 25th with 51.93 RepTrak score. According to its own evaluation, India deserved a score of 75.67 with 11th ranking. It is ranked 5th for having perception differences between internal and external reputation. A 25th rank among 50 countries ranked isn’t anything to talk about.

In the Companies Reputation report, there was no Indian company in the top 100. Yes, my ex-company Intel was ranked 16th, though its ranking has fallen from previous years.  BMW, Sony and Walt Disney are the top three. Though reputation has a huge impact, most companies do not focus on it. Below is a chart from the Reputation Institute report on the impact of good and negative reputation of various factors.

Reputation Institute Company Report 2012

Customers, society, employees and investors – all are influenced by the reputation of the company. While companies may enjoy a good local reputation, as is the case for many Indian companies, maintaining a global reputation is a different ball game altogether. From the above chart it is clear, investing in a good reputation pays off and adds to the profit margin. Question is what all is required to build a good reputation. Another chart from the report highlights the main aspects:

Seven factors - leadership, performance, products/services, innovation, workplace, governance and citizenship are required to build a global reputation. For instance, Intel was among the top ten for – governance, workplace, performance, and products and services.

On the other hand, in respect of reputation damage, risk managers mostly focus on reputation damage due to misstatement of financial statements and governance. That accounts to just 28% of reputation.  The impact on reputation of other aspects are generally ignored. The question is how can these be built into a risk assessment framework? Besides reducing downside risks, this gives a good option to leverage upside risks. Here are a few things that risk managers can look into:

1. Reputation map – Does the company have a reputation map covering these parameters and defining its progress through the years?

2. Integration level – Is reputation aspects integrated into all the functions of the organization, or is it left to the advertising and communications department?

3. External perceptions – Is the organization depending on advertisements to build its reputation or is it undertaking CSR and other activities also?

4. Participation in industry competitions – Does the organization participate and win industry competitions, for instance “great place to work”, “most innovative company” etc. ?

5. Social Media – How is the company using social media to build its reputation and manage the negative feedback?

6. Risk assessment – Is a risk assessment for reputation conducted to highlight the risks in all the seven areas and mitigation plans prepared?

Closing thoughts

Reputation damage is difficult to quantify and often the risks are not categorically listed. In social media environment, it is far easier to lose the reputation and more difficult to build a good one. In the present environment, they old age thinking  – no news is good news – has become redundant. Just because the organization name hasn’t made headlines for the wrong reasons, it doesn’t mean all is well. The negative under currents slowly erode the good name of the organization. Hence, risk managers need to actively address reputation risks on all seven parameters.

References:

Reputation Institute reports

PS: I changed the background and added a little color to the blog. How is it looking? Please give feedback.

Risk Assessment of Marketing Function

The global economy is facing turbulent times with US in recession, Europe in economic crises and emerging markets growth slowing down. Frequently organizations panic on hearing forecasts of looming recession. They cut down marketing budgets, innovation of products and capital investments. The reaction further adds to the woes, and accelerates the downward trend in sales. Risk managers normally do not focus on marketing department activities and generally are not called upon to share their views on marketing strategies. A look on these areas may prevent the company from going in red and thrive in chaotic times. Here are a few suggestions for risk managers.

1. Bench-mark Marketing Function

The complexities of business world are escalating marketing risks. For survival and growth organizations need resilient marketing and sales functions. They have to identify strategic inflection points in the market and adapt accordingly. In recession customers interest, values and budgets change. With new competition and changing regulations, organizations need to reinvent business models. Hence, as a first step risk managers  need to bench-mark the organization’s marketing function.

Philip Kotler and Johan A. Caslione in their book “Chaotics – The business of managing and marketing in the age of turbulence” have presented a table on marketing function attributes. Out of the 14 attributes, below are 5 critical ones distinguishing between poor, good  and great marketing functions.

Srl    Poor                                        Good                                              Great

1. Product driven                    Market driven                                    Market driving

2. Product offer                       Augmented product offer                 Customer solutions offer

3. Price driven                        Quality driven                                     Value driven

4. Reacting to competitors    Bench-marking competitors             Leapfrogging competitors

5. Function oriented               Process oriented                                Outcome oriented

McDonalds marketing strategies reflect these attributes. In India, McDonalds is opening a purely vegetarian restaurant near Vaishu Devi ( a renowned Hindu temple) and Golden Temple (Sikh’s foremost gurdwara). It is catering to the Indian sentiments; in most religions Indians do not eat non-vegetarian food in a place of worship. Near the temples, generally local vegetarian eating joints thrive and there are no global food chains. The huge number of devotees provide a large market.

A few years back, McDonalds customized its menu according to Indian tastes and introduced vegetarian burgers. The McAloo Tikki (a potato burger) contributes to 25% of the total sales.  It may shock the Americans, but no beef burgers are served in India.

2. Evaluate Cost-cutting Measures

The attitude frequently is to cut costs across board. For instance, if marketing budget is XXX dollars, the total budget will be reduced by 25% without assessing the details and profitable products. Here risk managers need to assess the soundness of decisions taken to reduce costs. Below are a few examples to look for:

a) Advertising : Is the total advertising budget reduced? This would be a wrong move. During recession, the core products that contribute to revenue need aggressive advertisement. The advertising budget spent non-core products and loss making products can be dropped. Moreover, explore cheaper advertising models – social media, internet etc. and reduce budgets on paper and television media.

b) Discounts : Another option adopted to increase sales is to discount all products by a certain percentage. This is a self-destructive strategy as discounts on core premium products would damage the revenue stream in the long-run. If customers require cheaper products, cut the frills in the premium products and introduce a bare minimum model. This will maintain the brand and revenue.

3. Assess Strategy and Systems

Risk managers must assess the marketing strategy and systems to ensure that the risks are systematically identified in a timely manner. Here are a few examples of the same:

a) Core products: Does the strategy focus on core products? Are there systems in place to show the winners and losers? If the systems are inadequate profitability, market spend and customer behavior cannot be captured accurately. Hence, the organization will be unable to adapt strategy to the changing marketing trends and customer behavior. Moreover, companies cannot  reduce costs without identifying inefficient spending.

b) New products : Has the organization delayed the launch of new products during recession? The customers require cheaper products during hard times. Hence, the strategy should be to delay expensive products but focus on products that cater to the new customer requirements and changes in behavior.

Closing thoughts

With economies slowing down, the marketing functions are facing many challenges. Customers are better informed through social media and internet, competitors copy products faster, and price of the product is a driving factor. Risk managers can contribute by conducting risk assessments of the marketing function and helping the teams in identifying the upside and downside risks to their strategies. This is a good place to add to  profitability.

References:

  1. Chaotics – The business of managing and marketing in the age of turbulence – Philip Kotler and Johan A. Caslione
  2. Beefy McDonald’s to Open Veg-Only Outlet in Katra – Economic Times