Human Rights Risk Management Process

Bangladesh Building Collapse

The fire in a nine-story factory building in Bangladesh killed 400 people. More than 600 people remain unaccounted for. It housed five garment factories that supplied international brands such as J.C. Penney, The Children’s Place, Dress Barn, Primark and Wal-Mart. The workers were asked to come to work even though cracks had appeared in the building the previous day.

Bangladesh is the second largest exporter of clothes, and its workers get the lowest compensation: just around USD 37-40 per month. The question arises why the multinational organizations are not following the UN Guiding Principles for Human Rights protection. The reason is simple: they want to show higher and higher profits to the investors.

In Munirka, Delhi, one will find numerous small factories full of workers making export garments. A friend of mine also ran one. I had bought a few shirts from her at cost price, ranging from Rs 300-500 (USD 6-10). On one international visit, I found the same shirts selling in the range of USD 15-30. The fivefold increase in price was because of the brand tag attached to the shirt.

The multinational buyers push the prices down and some supplier gives a rock-bottom price. The others are forced to match that price to get the business. The end result is that basic facilities are not provided to the workers and they work at really low wages. Unknown workers are paying with their lives in developing countries to satisfy the growth targets set by CEOs to earn their bonuses and keep investors happy. It is the dark side of capitalism which organizations want to hide.

In most companies, human rights risk management is not a focus area. The 2013 Global Risk Management Survey conducted by RIMS identified seven risks related to human resources among the top fifty risks. Though worker injury and harassment were included, there was no specific emphasis on human rights risk management.

The risk management team can conduct a human rights risk management assessment annually or bi-annually. It requires attention not only from a human resources perspective but also from operational, financial, legal and reputational risk perspectives. Any breach can result in huge losses.

Here are some of the steps mentioned in the UN Guiding Principles on Human Rights and the guide “Investing the Right Way” issued by the Institute of Human Rights and Business.

1. Review the Human Rights Policy Statement

Human rights risk management is emerging as an important issue, especially with multinationals entering emerging markets and developing countries. They are expected to protect and respect rights of workers, communities and society. Investors can play a crucial role by influencing companies to promote human rights relating to gender equality, child labor, rights of indigenous people, land acquisition, mineral processing etc.

Hence, companies need to publish a Human Rights Policy Statement on their websites. The UN Guiding Principle 16 states –

 “As the basis for embedding their responsibility to respect human rights, business enterprises should express their commitment to meet this responsibility through a statement of policy that:

(a) Is approved at the most senior level of the business enterprise;

(b) Is informed by relevant internal and/or external expertise;

(c) Stipulates the enterprise’s human rights expectations of personnel, business partners and other parties directly linked to its operations, products or services;

(d) Is publicly available and communicated internally and externally to all personnel, business partners and other relevant parties;

(e) Is reflected in operational policies and procedures necessary to embed it throughout the business enterprise.”

As a first step, risk managers need to check whether the organization has a human rights policy statement and whether the above-mentioned steps have been adhered to.

2. Human Rights Impact Assessment

The second aspect of UN Guiding Principles is for companies to establish human rights due diligence processes. Guiding Principle 17 states:

 “In order to identify, prevent, mitigate and account for how they address their adverse human rights impacts, business enterprises should carry out human rights due diligence. The process should include assessing actual and potential human rights impacts, integrating and acting upon the findings, tracking responses, and communicating how impacts are addressed. Human rights due diligence:

(a) Should cover adverse human rights impacts that the business enterprise may cause or contribute to through its own activities, or which may be directly linked to its operations, products or services by its business relationships;

(b) Will vary in complexity with the size of the business enterprise, the risk of severe human rights impacts, and the nature and context of its operations;

(c) Should be ongoing, recognizing that the human rights risks may change over time as the business enterprise’s operations and operating context evolve.”

Human rights risk management is complex and challenging. If human rights risks are ignored, they can increase political risks and damage the organization's relationship with the government. For example, Tata Motors wished to establish a Nano manufacturing plant in Singur, West Bengal. The government used the 1894 land acquisition rule, meant for public improvement projects, to take over 997 acres of farmland and allocate it to the company. The farmers protested with the help of activists and the then opposition leader Mamata Banerjee. Tata Motors moved out of West Bengal and established the factory in Gujarat. Multinationals looking for large tracts of land to establish factories are facing similar challenges in India.

Another aspect to look into is that scrap, waste disposal, sewage, environment pollution etc. from factories can impact food, water and health of local communities.

A decision needs to be taken whether investments should be made in countries or states with a poor human rights record. In India, the Naxalite area is extremely conflict prone and business operations can have a severe human rights impact.

Risk managers should evaluate the strategy and operations of the company against human rights, environmental, social and governance factors. The companies can face operational risks (project delays or cancellation), legal and regulatory risks (lawsuits and fines) and reputational risks (negative press coverage and brand damage). The impact assessment should be done from the perspectives of investors, customers, employees, society and suppliers. Identify business owners for the risks and devise appropriate risk mitigation plans to address adverse impact.

3. Grievance Mechanisms

UN Guiding Principles state that victims of corporate-related human rights abuse should have access to judicial or non-judicial remedies. Companies should provide some remedies themselves and cooperate in the remediation process.

UN Guiding Principle 29 states –

“To make it possible for grievances to be addressed early and remediated directly, business enterprises should establish or participate in effective operational-level grievance mechanisms for individuals and communities who may be adversely impacted.”

However, this isn’t followed by the companies in true spirit. “A Vigeo analysis of human rights records of 1500 companies listed in North America, Europe and Asia revealed that, in the previous three years, almost one in five had faced at least one allegation that it had abused or failed to respect human rights.”

Ideally the investors in the company should ensure that grievance mechanisms exist and address human rights issues. The transparency and disclosure of the same in annual reports would highlight the financial, legal and reputational risks. However, the investors don’t seem to be bothered by it.

See the case of Apple. It reported Gross Profit Margin – 42.5%, Net Profit Margin – 26.7%, Revenue Per Employee – $ 2,149,835 and Net Revenue Per Employee – $ 573,255. It has 43,000 employees in US and 20,000 outside US. However, Apple contractors hire an additional 700,000 people to engineer, build and assemble iPads, iPhones and Apple’s other products.

An Apple supplier in Taiwan, Foxconn, was recently in the news for its workers attempting suicide. As per reports, “Workers are required to stand at fast-moving assembly lines for eight hours without a break and without talking. Workers, sharing sleeping accommodations with nine other workmates, often do not know each other’s names. They do not have much time to get to know each other. The basic starting pay of 900 RMB ($130) a month – barely enough to live on – can be augmented to a more respectable 2,000 RMB ($295) only by working 30 hours overtime a week.”

See the difference between what the company earns per employee and the payment made to the supplier’s employees. Apple shows profits at the expense of lives of Taiwanese workers. The workers don’t have much of a grievance mechanism in China as the government stated that the suicides are within the normal suicide rate. Can Apple investors sacrifice some profit margin for safety and security of the contractual workers?

Another old example is the class action suit since 2001 on Wal-Mart Stores that involved 1.5 million current and former Wal-Mart female employees. It is the largest workplace bias case in US history.

4. Human Rights Reporting

The biggest challenge is that most of the human rights abuses are not reported. The victims of human rights exploitation hold little power in comparison to the exploiters. They can hardly take on the might of powerful businesses when they are struggling to get basic food and shelter. Secondly, in the developing and emerging countries, corruption levels are generally high. Hence, media, law enforcement agencies etc. are bribed by the power players to silence the victims. However, with internet and social media, things are gradually changing. People have a voice and collectively they can fight.

UN Guiding Principle 21 lays out the requirement for companies to communicate human rights impact externally. It states -

 “In order to account for how they address their human rights impacts, business enterprises should be prepared to communicate this externally, particularly when concerns are raised by or on behalf of affected stakeholders. Business enterprises whose operations or operating contexts pose risks of severe human rights impacts should report formally on how they address them. In all instances, communications should:

(a) Be of a form and frequency that reflect an enterprise’s human rights impacts and that are accessible to its intended audiences;

(b) Provide information that is sufficient to evaluate the adequacy of an enterprise’s response to the particular human rights impact involved;

(c) In turn not pose risks to affected stakeholders, personnel or to legitimate requirements of commercial confidentiality.”

As per the UN principles, the reports must cover appropriate qualitative and quantitative indicators, and feedback from internal and external sources including affected stakeholders.

Risk managers can evaluate the reports and the reporting process to ensure that all risks are properly addressed. They should evaluate whether cautionary steps are taken and nothing is being done to exacerbate the situation. They should highlight severe or irreversible risks to the management to ensure appropriate decisions are taken.

Closing Thoughts

 Inequalities in income are the main cause of human rights abuse. The rich want to get richer at the expense of blood and sweat of the poor, and sometimes life. The diamond manufacturers and sellers took the right step to publish that they do not source blood diamonds. Since 2003, the Kimberley Process Certification Scheme (KPCS), supported by national and international legislation, has sought to certify the legitimate origin of uncut diamonds. Trade organizations – International Diamond Manufacturers Association (IDMA) and the World Federation of Diamond Bourses (WFDB) – representing virtually all significant processors and traders – have established a regimen of self-regulation.

Other industries, be it technology, electronics or textile manufacturers, need to come out with similar steps to stop human rights abuse. The risk managers have a vital role to play in it. If we do not do anything, we are cheating this and the next generation of their right to live happily.

References:

  1. Investing the Right Way – A Guide for Investors on Business and Human Rights – By Institute of Human Rights and Business
  2. Singur farmland – Tata Motors conflict
  3. Apple financial ratios
  4. Foxconn Case Study
  5. Diamond industry sales clauses
  6. 2013 RIMS Global Risk Management Survey

 

Fraud Risk Management in Ancient India

Presently, the Serious Fraud Investigation Office of India lacks sufficient powers to initiate investigations and prosecute. The Central Bureau of Intelligence isn’t independent, due to which politicians escape prosecution for corruption and money laundering. The Indian police force's Economic Crime wing doesn’t have expertise in dealing with electronic and financial frauds. The legal system is pathetic and takes a long time to prosecute white-collar criminals. India has a shortfall of trained fraud investigators as it hardly has any courses for students in this line.

All these aspects may make you think that Indians are new to the concept of fraud risk management. This is far from the truth. Kautilya addressed financial fraud risks in the 4th century BC and most of the concepts are still used presently. Let me narrate some of the concepts he formulated in earlier times.

1. Formation of a Central Investigation Agency

Kautilya proposed a central investigation agency for a kingdom to do espionage work. A network of spies located in different parts of the kingdom reported information to their handlers. The handlers in turn checked the authenticity of the information from three sources and, if correct, reported to the agency. The spies did not have direct contact with the agency, to conceal their true identities.

Spy selection depended on character and social position. Spies were recruited from all sections of society. Spies were positioned in all the departments and commercial ventures of the king to ensure that the heads of the departments did not abuse their power or cheat the king. Women were considered particularly useful to penetrate wealthy households to get the inside story. In current India, there is a scarcity of female fraud investigators as it is now considered a masculine job. However, in ancient India, women investigators and spies were quite common.

2. Types of Financial Frauds

Kautilya identified 40 ways of embezzlement. Some of them are mentioned below:

  • Overpricing and under-pricing of goods
  • Incorrect recording of quantity of raw material and other stocks
  • Misappropriation of funds
  • Teeming and lading
  • Misrepresentation of sources of income
  • Incorrect recording of debtors and creditors
  • Incorrect valuing and distribution of gifts
  • Inconsistency in donations and distributions for charity
  • Misappropriating goods during barter exchange
  • Manipulating weights and tools for measurement
  • Misrepresentation of test marks or the standard of fineness (of gold and silver)

It is interesting to note that Kautilya mentioned most of the frauds that occur in accounting and preparation of financial statements. It shows human psychology has remained the same. However, in India the value system has deteriorated, which has resulted in increased fraud and corruption. In olden times, the value of honour was held high. For example, the prime thought in Hindi was - “prann jiye pur vachan na jiye.” (meaning – it is better to lose one’s life rather than go back on a verbal promise given)

3. Mechanism for Investigation and Punishment

The investigation process was quite similar to the current process followed. Information was initially gathered regarding the fraud from informants, spies, whistle blowers and audits. Background information of the suspects was gathered by sending spies to their residence and business premises.

Subsequently, the people involved, the suspects and witnesses were interrogated. Kautilya suggested separately examining “the treasurer (nidháyaka), the prescriber (nibandhaka), the receiver (pratigráhaka), the payer (dáyaka), the person who caused the payment (dápaka), the ministerial servants of the officer (mantri-vaiyávrityakara)” for financial frauds. If any person lied, s/he received the same punishment as the main culprit.

Another fascinating aspect is that India does not have any law similar to the whistle blower provisions of the Dodd-Frank Act. However, Kautilya proposed - “Any informant (súchaka) who supplies information about embezzlement just under perpetration shall, if he succeeds in proving it, get as reward one-sixth of the amount in question; if he happens to be a government servant (bhritaka), he shall get for the same act one-twelfth of the amount.”

The punishment for fraud depended on the nature and value of fraud. It ranged from nominal fines to death penalty. The victim was compensated for the losses suffered.

Closing Thoughts

The processes proposed by Kautilya for fraud detection were followed even until the Moghul rule. However, these were dismantled during the time of British Rule as the Indian Penal Code was formulated. The difference from Moghul rule was that the Moghuls settled in India, marriages took place between Indian royalty and Moghul rulers, and the culture got integrated over time.

The British came to rule for economic purposes. They wished to take advantage of India’s natural resources and vibrant economy. They levied their own rules and did not integrate them with the Indian culture. Hence, over time the Indian value system was lost or kept for namesake only. Over time, as the British education system was used even after independence, a split ethical value system developed between personal values and business ethics. Therefore, corruption increased in the business environment till it became all-pervasive in the society. It is going to take a lot of effort to change the system now. No short-term solutions will work.

Employee Selection and Background Screening in Ancient India

Would it be fair to assume most of us believe that employee selection and background screening processes were formed in the 20th century? Do you think soft skill evaluation of employees is the latest management mantra? Will it come as a surprise that in India these were formed in 4th Century BC?

Kautilya’s Arthshastra, written in the 4th century BC, lays down a rigorous process for selection and background screening for ministers, priests and government employees. It is more extensive than that employed in the present-day corporate world. I am doing a comparison of the two below. After reading, tell me whether we have progressed or deteriorated in 25 centuries.

1. Selection Process

Let us first see the qualities senior level people require according to Kautilya:

“Native, born of high family, influential, well trained in arts, possessed of foresight, wise, of strong memory, bold, eloquent, skilful, intelligent, possessed of enthusiasm, dignity, and endurance, pure in character, affable, firm in loyal devotion, endowed with excellent conduct, strength, health and bravery, free from procrastination and fickle mindedness, affectionate, and free from such qualities as excite hatred and enmity–these are the qualifications of a ministerial officer (amátyasampat).”

If you look at them, he covers intelligence, professional capability, personal character, strategic thinking, emotional intelligence, social and business connections, soft skills and physical fitness. In the 21st century, words and terminologies are different, but attributes are the same. Hence, not much change.

2. Background Verification Process

Now I am giving a table below comparing the two periods' processes of background verification. For detailed methodology of the current period refer to my article – Pre-employment Background Verification.

[Table: Background screening]

Doesn’t it make you think? Over 25 centuries, the basic concept and process of selection and background verification has remained more or less the same. However, Kautilya’s selection process doesn’t stop here. He mentions a few additional processes and I am amazed at the insight.

3. Detailed Character Verification

In the Arthshastra, Kautilya asks to ascertain the character of employees by offering temptations and instigating them against the king. Senior level ministers and priests should attempt to lure the employee to test him for four allurements: religious, monetary, love and fear. He suggests creating situations to test whether the employee will defy the king for the sake of religion, money, sex or under threat. He then states that whosoever is lured by a certain aspect should not be in charge of it. For example, if someone fails the test of monetary allurement, he should not be responsible for managing finance. The tests were conducted to ensure that people in critical positions were incorruptible.

In present times, we select senior managers on various aspects but their loyalty and character aren’t as thoroughly checked as in the ancient times. In my view, quite a significant number will fail Kautilya’s tests for “purity of character”. How many CEOs check whether their direct reports will betray them for bribes and rewards?

Closing thoughts

In India, around 25% of candidates submit false or inaccurate resumes. The background screening processes aren’t fully established in most of the organizations. With high risks of hiring terrorists, hackers and fraudsters, the organizations are susceptible to financial, legal and reputation risks. Isn’t it surprising that even after 25 centuries the process and procedures aren’t fully implemented?

We now say we are living in a fast changing world. So, do you think background-screening processes will become efficient in this century, if they haven’t changed in 25 centuries?

Ernst & Young Insight For Internal Audit Transformation

The last post – ‘Coal Gate Scam – Should Auditors Comment on Policy Decisions’ ignited a thought-provoking discussion on LinkedIn. The major debate was on the role of internal auditors in evaluating strategic decisions and strategy per se. The message is – transform the internal audit department and leave behind the old thinking of verifying compliance to existing processes. Hence, I thought of sharing some great insights from the Ernst & Young report – The Future of Internal Audit is Now.

Before we discuss the details, check out the transformation process depiction below.

The key aspects of the transformation process are:

1. Align with organization strategy

According to the study, 61% of the internal audit departments did not have a documented mandate aligned to business. One can then question what exactly they are working on. The way forward is to understand the business strategy – sales, operations, human resources, products, etc. and identify the strategic and business risks of the same.

2. Formulate the internal audit strategy

Based on the understanding of business strategy and strategic risks, devise an internal audit strategy. Developing an internal audit annual plan isn’t sufficient. Take the time period of the business strategy, and formulate the internal audit strategy for the same period or a three to five year period.

3. Acquire the right talent

Execution of a strategy is as good as the people deployed to the task. Upgrading skills is a must. Besides technical and functional knowledge, auditors now need business acumen. Rotate resources from operations to get in-depth business knowledge. To highlight the importance of business skills, according to the report just 47% of the IA departments have a training plan for leadership and business management.

4. Operate as a business function

Internal audit should stop viewing itself as a support function and take a leaf out of line functions. It should measure itself against the same standards as business functions. Have the right strategy, execute it effectively, provide value add and measure against key performance indicators. Being mostly a cost centre doesn’t mean it should let itself go.

Closing thoughts

Survival of business in this global economic crisis is hugely dependent on effective risk management. Internal audit plays a vital role in improving the financial performance of the organization. Hence, transforming the department's functioning from the old mind-set to fit 21st century requirements is a must.

Before closing, here is something to start your week on a good note. An old man for the first time saw moving walls. While he was standing in front of them, he saw an old woman enter the walls, and in a second a young woman came out. He said to his grandson – Son, hurry home and get your grandmother.

References:

The Future of Internal Audit is Now – Ernst & Young report

Coal Gate Scam – Should Auditors Comment on Policy Decisions?

The Coal Gate Scam report has squarely put the loss of Rs. 1.86 lakh crores (USD 35.097 billion) at the Prime Minister's door. The Comptroller and Auditor General (CAG) report states that Prime Minister Manmohan Singh agreed to introduce competitive bidding for allocation of coal blocks way back in October 2004. However, his office indulged in delaying tactics in approving the revised policy. This resulted in allocation of coal blocks according to the old policy introduced in 1993. Failure to use competitive bidding resulted in a loss of Rs. 1.86 lakh crores (USD 35.097 billion).

This raises interesting questions from the corporate sector perspective. Should auditors see the validity and applicability of policies? Alternatively, should they restrict their role to the compliance of existing policies? What happens when a policy or standard operating procedure of an organization is redundant but is still being followed? If competitors are using better processes, technology and policies than the organization, what role should auditors play in it?

1. Delaying Policies Becomes a Political Game

According to the CAG report, the Screening Committee allocated blocks and the process lacked transparency. Allegations are that private companies with political links benefited at the expense of others. However, competitive bidding policy could have been introduced with an amendment from the administrative desk. The Prime Minister’s role becomes critical as he was also fulfilling the responsibilities of Minister of Coal. CAG says he made it into a bigger issue that the policy should be changed for all minerals and not just coal; hence the process for making such large-scale policy change was different. This allowed the coal ministry to follow the 1993 process.

This happens in the corporate sector too. For instance, an employee or a small group suggests a change to an existing control process that will take just one man-month of effort. Some others with vested interests do not wish for the change to occur. However, they can’t reject the suggestion for strengthening controls without looking bad. Hence, to stall the project, they add a few more suggestions which enlarge the project to 24 man-months of effort. Now the change can only happen once the huge budget is approved. Since the project is not a priority, it stays at the bottom of the budget approval list. Hence, status quo remains and subsequently someone exploits the control weakness to conduct a fraud.

In such a situation, as an internal auditor would you highlight the initial attempt to strengthen controls and put responsibility on the other group for delaying the change? Do we as internal auditors go back in such depth to find out what projects or policies were kept pending approval and they had such a huge negative impact?

2. Auditor’s Role in Policy Review

The Supreme Court has upheld CAG's power to comment on policies. The bench of Justices R M Lodha and A R Dave said, “Do not confuse the constitutional office of CAG with that of an auditor of a company or corporation.” This response was in respect to a petitioner’s contention that CAG should restrict itself to auditing expenditure and not comment on the government’s rationale for policy decisions. The bench had further added – “CAG is not the traditional Munimji to prepare only balance sheets. It is constitutionally mandated to examine the efficiency, effectiveness and economy of the decisions of the government in using resources. If the CAG will not do this, then who will?”

This viewpoint raises some interesting points for internal auditors in the corporate world. Should auditors be commenting on strategic or policy decisions of the company?

For instance, the company decides to use print media for advertising open job positions. However, it is much cheaper to use job portals and social media. These significantly reduce the cost of recruitment. Should an auditor restrict himself to checking that all expenditure is authentic or question the hiring policy?

Another aspect is the strategy decisions. Let us say, Company A decided not to enter into the emerging markets, whereas Company B operating in the same industry entered the emerging markets and increased the profitability tremendously. Should an auditor audit strategic decisions, and not just say that it is management responsibility? Where is the line of demarcation drawn in respect of corporate internal audit?

The Institute of Internal Auditors' new standard applicable from 2013, ‘Achievement of the organization’s strategic objectives’, states that – “The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the achievement of the organization’s strategic objectives”. Hence, should we conclude that evaluating strategic decisions comes under internal audit purview?

3. Auditor’s Role in Calculating Presumptive Loss

The CAG audit reports on 2G licenses and Coal Block allocations have raised a storm due to the calculation of presumptive loss figures. The government’s contention is that CAG should not be calculating the opportunity loss, as policy decisions are taken to benefit the public.

CAG, however, contended that – “We had never commented on government policies, neither did we ever say that auction was the only route or that all natural resources should be auctioned. In both 2G spectrum licences and coal block allocations, we had only commented on the ‘effectiveness or non-implementation’ of policies. The presumptive loss or windfall gain figures are only to highlight the serious issues of an act of commission during implementation of government policies.”

In the corporate world, internal auditors make an observation and restrict their recommendations to suggest improvements. In rare cases, a cost-benefit analysis is done on the impact of the control weakness. We generally fail to draw management attention to the seriousness of the issue, as there are no numbers given. Should corporate internal auditors change their approach to audit work to give a cost-benefit analysis for their observations? Will that garner more attention from the management and initiate action?

Closing Thoughts

These are questions worth debating and there are no easy answers. Internal auditors in the business world can learn quite a few lessons from the government auditors. They are doing a good job of raising contentious issues. Below is a poll to assess your views.

References:

  1. CAG not a ‘munimji’ of govt’s balance sheet: SC
  2. CoalGate: CAG does not let Manmohan, PMO off the hook
  3.  Performance Audit of Allocation of Coal Blocks and Augmentation of Coal Production (Ministry of Coal)

Reflections on Reputation Risks

Indians think more highly of themselves than they are. I am not making this up; it is a factually correct statement according to the Country report of Reputation Institute. Respondents ranked India 25th with a RepTrak score of 51.93. According to its own evaluation, India deserved a score of 75.67 with 11th ranking. It is ranked 5th for having perception differences between internal and external reputation. A 25th rank among 50 countries ranked isn’t anything to talk about.

In the Companies Reputation report, there was no Indian company in the top 100. Yes, my ex-company Intel was ranked 16th, though its ranking has fallen from previous years. BMW, Sony and Walt Disney are the top three. Though reputation has a huge impact, most companies do not focus on it. Below is a chart from the Reputation Institute report on the impact of good and negative reputation on various factors.

Reputation Institute Company Report 2012

Customers, society, employees and investors – all are influenced by the reputation of the company. While companies may enjoy a good local reputation, as is the case for many Indian companies, maintaining a global reputation is a different ball game altogether. From the above chart it is clear that investing in a good reputation pays off and adds to the profit margin. The question is what is required to build a good reputation. Another chart from the report highlights the main aspects:

Seven factors - leadership, performance, products/services, innovation, workplace, governance and citizenship are required to build a global reputation. For instance, Intel was among the top ten for – governance, workplace, performance, and products and services.

On the other hand, in respect of reputation damage, risk managers mostly focus on reputation damage due to misstatement of financial statements and governance. That accounts for just 28% of reputation. The impact of other aspects on reputation is generally ignored. The question is how these can be built into a risk assessment framework. Besides reducing downside risks, this gives a good option to leverage upside risks. Here are a few things that risk managers can look into:

1. Reputation map – Does the company have a reputation map covering these parameters and defining its progress through the years?

2. Integration level – Are reputation aspects integrated into all the functions of the organization, or are they left to the advertising and communications department?

3. External perceptions – Is the organization depending on advertisements to build its reputation or is it undertaking CSR and other activities also?

4. Participation in industry competitions – Does the organization participate in and win industry competitions, for instance “great place to work”, “most innovative company” etc.?

5. Social Media – How is the company using social media to build its reputation and manage the negative feedback?

6. Risk assessment - Is a risk assessment for reputation conducted to highlight the risks in all the seven areas and mitigation plans prepared?

Closing thoughts

Reputation damage is difficult to quantify and often the risks are not categorically listed. In a social media environment, it is far easier to lose a reputation and more difficult to build a good one. In the present environment, the old-age thinking - no news is good news - has become redundant. Just because the organization’s name hasn’t made headlines for the wrong reasons, it doesn’t mean all is well. The negative undercurrents slowly erode the good name of the organization. Hence, risk managers need to actively address reputation risks on all seven parameters.

References:

Reputation Institute reports


Risk Assessment of Marketing Function

The global economy is facing turbulent times with the US in recession, Europe in economic crisis and emerging markets’ growth slowing down. Frequently organizations panic on hearing forecasts of looming recession. They cut down marketing budgets, innovation of products and capital investments. The reaction further adds to the woes, and accelerates the downward trend in sales. Risk managers normally do not focus on marketing department activities and generally are not called upon to share their views on marketing strategies. A look at these areas may prevent the company from going into the red and help it thrive in chaotic times. Here are a few suggestions for risk managers.

1. Bench-mark Marketing Function

The complexities of the business world are escalating marketing risks. For survival and growth, organizations need resilient marketing and sales functions. They have to identify strategic inflection points in the market and adapt accordingly. In a recession, customers’ interests, values and budgets change. With new competition and changing regulations, organizations need to reinvent business models. Hence, as a first step, risk managers need to bench-mark the organization’s marketing function.

Philip Kotler and Johan A. Caslione in their book “Chaotics - The business of managing and marketing in the age of turbulence” have presented a table on marketing function attributes. Out of the 14 attributes, below are 5 critical ones distinguishing between poor, good  and great marketing functions.

Srl  Poor                       Good                       Great
1.   Product driven             Market driven              Market driving
2.   Product offer              Augmented product offer    Customer solutions offer
3.   Price driven               Quality driven             Value driven
4.   Reacting to competitors    Bench-marking competitors  Leapfrogging competitors
5.   Function oriented          Process oriented           Outcome oriented

McDonald’s marketing strategies reflect these attributes. In India, McDonald’s is opening a purely vegetarian restaurant near Vaishno Devi (a renowned Hindu temple) and Golden Temple (Sikh’s foremost gurdwara). It is catering to the Indian sentiments; in most religions Indians do not eat non-vegetarian food in a place of worship. Near the temples, generally local vegetarian eating joints thrive and there are no global food chains. The huge number of devotees provides a large market.

A few years back, McDonald’s customized its menu according to Indian tastes and introduced vegetarian burgers. The McAloo Tikki (a potato burger) contributes 25% of the total sales. It may shock the Americans, but no beef burgers are served in India.

2. Evaluate Cost-cutting Measures

The attitude frequently is to cut costs across the board. For instance, if the marketing budget is XXX dollars, the total budget will be reduced by 25% without assessing the details and profitable products. Here risk managers need to assess the soundness of decisions taken to reduce costs. Below are a few examples to look for:

a) Advertising: Is the total advertising budget reduced? This would be a wrong move. During a recession, the core products that contribute to revenue need aggressive advertisement. The advertising budget spent on non-core products and loss-making products can be dropped. Moreover, explore cheaper advertising models – social media, internet etc. – and reduce budgets on paper and television media.

b) Discounts: Another option adopted to increase sales is to discount all products by a certain percentage. This is a self-destructive strategy as discounts on core premium products would damage the revenue stream in the long run. If customers require cheaper products, cut the frills in the premium products and introduce a bare minimum model. This will maintain the brand and revenue.

3. Assess Strategy and Systems

Risk managers must assess the marketing strategy and systems to ensure that the risks are systematically identified in a timely manner. Here are a few examples of the same:

a) Core products: Does the strategy focus on core products? Are there systems in place to show the winners and losers? If the systems are inadequate, profitability, market spend and customer behavior cannot be captured accurately. Hence, the organization will be unable to adapt strategy to the changing marketing trends and customer behavior. Moreover, companies cannot reduce costs without identifying inefficient spending.

b) New products: Has the organization delayed the launch of new products during recession? The customers require cheaper products during hard times. Hence, the strategy should be to delay expensive products but focus on products that cater to the new customer requirements and changes in behavior.

Closing thoughts

With economies slowing down, the marketing functions are facing many challenges. Customers are better informed through social media and internet, competitors copy products faster, and price of the product is a driving factor. Risk managers can contribute by conducting risk assessments of the marketing function and helping the teams in identifying the upside and downside risks to their strategies. This is a good place to add to profitability.

References:

  1. Chaotics - The business of managing and marketing in the age of turbulence - Philip Kotler and Johan A. Caslione
  2. Beefy McDonald’s to Open Veg-Only Outlet in Katra – Economic Times

Program Change Management Risks

Organizations invest huge amounts in running numerous programs to improve operations, culture and profitability of the company. For instance, programs cover technology implementation, building social networks, improving employee engagement and corporate social responsibility initiatives. Some programs give good return on investment while others dwindle without much success.  The success and failure of a program appreciably depends on effective change management.

Even for information technology programs, various survey reports show a success-failure ratio of 50-50. Failure results in cost overruns and delays in the project schedule, besides low employee morale. A few reports indicate just around 20% of the programs are successful in the first effort in all respects. The differentiating factor, with technology and implementation capability being the same, is change management skills. Lack of focus on change management risks results in program failure.

Before discussing some key aspects of program change management risks, let us understand the reason for the same. Change causes insecurities to surface, hence sows the seeds of conflict and discord. At the start of a program, people do not understand the reason for change. They are unable to assess what is at stake and what success looks like. Moreover, people respond differently to change. The idea of change gets supportive, skeptical and scornful reactions. If not handled carefully, different groups within the organization prepare battle plans to sabotage the program.

Hence, change management strategy is an essential component of program implementation. Given below are some of the risks on the same.

1.   Senior Management Involvement

For approval of the program, the program manager shakes hands with all the senior managers to get their buy-in. Managers assume that the senior management commitment will continue after approval. However, this is rarely the case. With time, commitment will wane if senior managers do not understand the direction of the program and/or start giving priority to other programs. Hence, program managers need to update the senior managers monthly or fortnightly through review meetings and reports on the status and plans of the program.

Additionally, users and employees need to see senior managers demonstrate commitment to the program i.e. walk the talk. Program managers need to leverage opportunities to show senior management support for the program. Develop a leadership plan to ensure senior managers become champions of the program.

2.   User/ Employee Adoption

The program managers gear most of the program’s activities towards adoption by the users. For example, in building a risk culture, adoption of a risk assessment template is a milestone. The point is that change agents view program activities in isolation for the pre-go-live stage without considering the overall impact on the organization. Programs influence strategy, process, technology, and people. Without synchronizing the four aspects, even with user acceptance, the program will be unsuccessful in the long run.

The second aspect to consider is the handholding and support after the go-live stage. After implementation of a program, the users may still face some challenges, or new problems and risks may arise. For continued success of the program a team is required to support it, else it will fizzle out.

3.    Multiple Communication Channels

A program requires a good communication plan and failure in communication jeopardizes the program. Communication messages must be clear, straightforward and from the heart. Corporate jargon and meaningless mantras do not get buy-in from senior management or users. For example, do not have a mission statement for an ethics program that sounds like this:

The company’s mission is to be the most ethical organization in the world by adopting best practices, making it a great place to work and rewarding meritocracy

Employees will roll their eyes at the above statement and consider it as management hyperbole. There is nothing actionable or measurable in the statement. Neither are the steps linked to ethics.

Another risk is failure of communication from senior management. Program managers assume that employees understand senior management commitment from strategy and other generic documents. However, adopters need to hear from senior management, their views and aspirations regularly.

Moreover, when programs run into problems, the initial reaction is to hide the bad news from the adopters. Clear, concise communication on the challenges being faced by program managers and the support required gets the program back on track. Communicate more often when the program is running into trouble.

More importantly, change agents sometimes fail to listen to the adopters. Adopters’ feedback is critical for the success of the program. Understand their angry reactions, criticism and challenges. Develop plans to address them and not ignore them.

 4.    Training Plans

 Standard training material is the bane of most programs. Change agents believe that once the training is imparted, their job is done. Some pieces are overlooked in training plans and I have mentioned these before in a post. These are:

  • People have different learning patterns.
  • People are at different stages of learning – beginner, learner, manager, and expert.
  • People do not remember the training for long unless they start using the information in practical work.
  • Old habits are hard to break; hence, people revert to old patterns of working if not monitored.

Last but not least is the content of the training. For example, fraud awareness training is a double-edged sword. The users, who didn’t know a word about fraud, now have some idea on how frauds are conducted. The information can be misused. Moreover, an overload of information may create panic reactions in users. Hence, when to deliver training and what information to give are critical decisions for successful program implementation.

 5.     Reward & Recognition System

For a program to be successful, set up a clear system about reward and accountability for the adopters. Failure to establish a system will result in rewarding mediocrity rather than meritocracy. Further, without implementing a penalty criterion, there is no downside for wrongdoing. Hence, maintain a balance between reward and punishment.

For instance, in an ethics program, build a system of bonus points at the time of appraisal for meeting business objectives in an ethical way. If a manager had the option of choosing an unethical means to achieve an objective faster but selected an ethical way, even though it meant working harder, award him/her bonus points. On the other hand, award penalty points to a manager who chose unethical means.

6.    Dealing with Failure

Sometimes, despite best efforts, the program team stares failure in the face. People adopt an inflexible approach and refuse to acknowledge the logical benefits of the program. They foresee their personal and political agendas negatively impacted, hence refuse to contribute to the shared purpose of the organization. The situation reminds me of an old joke.

A man bought a parrot as a pet. To his dismay, the parrot had a bad attitude and spoke foul language. The man tried to teach the parrot to behave but the parrot refused to change. One day in a fit of anger the man put the parrot in the freezer. He heard the parrot screaming and abusing for a couple of minutes, then there was silence. The man opened the door of the freezer, the parrot trotted out and said – “I beg your forgiveness for speaking rudely. I promise to behave properly.” The man was amazed at the transformation. Then the parrot said – “May I ask, what did the chicken do?”

To avert sudden failure, periodically conduct organization surveys to understand the acceptability of the program and the organization’s readiness for the next stage. Measure the behavior and sentiment change due to the program. Do not rush to the next stage without ensuring that adopters connect with the program in the existing stage.

 7.    Awareness of Retaliation

Situations can get out of hand when people start retaliating against the program manager and his/her team. Some programs are launched for appearances’ sake. For example, senior management may approve a program for business ethics, diversity or employee participation. However, when the change agents sincerely attempt to run the program to bring about a cultural change in the organization, they get mobbed by the employees. In this case, the junior employees start complaining that the change agents are pressurizing, bullying and forcing them to change. This impacts the heart of the program and the change agents spend most of the time defending their actions. The senior management doesn’t really want change, hence looks the other way or gives tacit approval to derail the program and mob the change agents.

In such cases, the change agents have to pay a high price, but the seeds of change are sown. People recognize that there is a better way of doing things, and gradually move towards light.

Closing Thoughts

Change is difficult. We ourselves find it difficult to change, so getting others to change is an obstacle race. As Mahatma Gandhi said on leading the non-violent Indian independence movement – “First they ignore you, then they laugh at you, then they fight you and then you win.” Being a change agent is a test of stamina, perseverance, discipline and sacrifice. There are no low hanging fruits to pluck, no short-term rewards, no personal glory; however, in the end the organization benefits.

 

Innovative Assurance and Advisory Services

The business team’s mental picture of an auditor is of a guy focused on nitpicking financial accounts. The excessive focus from regulators on internal controls in finance processes has stereotyped auditors. However, in these dynamic economic conditions senior management expects internal auditors to break out of this image and become business partners. The question is – how can they do so? Let me share with you my story first.

My journey as an internal auditor changed in the mid-nineties when I was an audit manager in an auditing firm. One day, I had a meeting with the client’s CAE to discuss the scope of work for the year. The client had an in-house internal audit team and outsourced some areas of work. The CAE had mostly worked in UK and US, so was highly exposed to the international environment in comparison to the regular Indian CAEs at that time.

On starting the meeting, the CAE said – “Sonia, I think for the first quarter I would like you to cover marketing and customer service department.” I swallowed and nodded agreement.

He then continued – “Next quarter you can cover production”. I squeaked – “Production?” He replied – “Yes, shop floor audit would be interesting.” I tried to keep my expression under control and not show my shock, and again nodded in agreement.

He further added – “Last two quarters of the year, you can cover purchase department and inventory function”. I knew something about these two areas, so I tried to breathe. As the meeting closed, I started thinking how I was going to execute this scope of work. You see, there was a small hitch. I generally did service industry audit and this client manufactured cranes and forklifts. What does one audit in marketing of cranes? How are cranes produced? I was absolutely clueless.

As I drove back I wondered whether my boss had intentionally skipped the meeting. He knew if he had accepted this scope of work, I would have had reasons to crib. Now as I had accepted the scope of work, I couldn’t crib. If I did, he would say – “Sonia, you should have negotiated better.” So I made a small diversion and a stop before reaching my office. My boss was eagerly waiting and from his expression I knew he had already spoken to the CAE. It was a setup! I presented him the scope of work letter, my bookstore bill and the five books I had purchased on marketing function on the way back. He smiled gleefully.

I knew I was in trouble. In those days there was no internet and Google in India. I tried to figure out how I could convince my team that I knew more about marketing cranes than how to spell it.

Later on I realized that these assignments were the turning points in my career. They shook me out of my comfort zone and taught me a lot. While I could earlier rattle off the financial numbers of my clients, I really didn’t understand their business. What did they do? How did they make money? What challenges do they face in the market place? Without understanding the business, one could hardly do any value add.

So the relevant question is how can auditors become business consultants? Primarily internal auditors are driven in scoping their work according to materiality in financial statements. If we change the focus from financial to business, the scope of work automatically changes. I am sharing with you some of my ideas.

Of course as you read some of the suggestions the question will come up, does it fit into the third line of defense (internal audit), second line of defense (risk management) or the first line of defense (business teams). My view is that first an organization should decide, is this what they require? If yes, then they need to find an appropriate fit in their structure. Though some of these services do not fit the traditional sense of audit, they add a lot of business value. Moreover, the skill set required to perform these services is the same as an auditor or risk manager. The mindset has to be different.

The argument against it is that these are management responsibilities as some of these either appear to be focused on preventive or detective controls, and moreover do not focus on financial processes. The question to ask is – is management fulfilling these responsibilities in other functions? Additionally, if business risks and controls are not addressed, doesn’t it impact financial processes and income? Maybe, senior management needs to come out of the SOX mindset and think differently. Read on and share your views with me.

1.  Job Work Review

I am sure you must be wondering here – what is she referring to? As a corporate citizen you must have heard of management saying that with so many resources the work is still not done. On the other hand employees lament that they are over worked due to insufficient bandwidth. One wonders, are they talking about the same organization? Let me explain in detail as to what we can focus on here.

I had a banking client where the management and employees were in this tussle. Since it was an Indian nationalized bank, the tussle was fast becoming a labor union issue. Management appointed our company to identify the real work issues at a sample branch to resolve the problems. The branch had 50 odd employees and as a first step we asked them to fill a detailed form listing out their activities on a daily, weekly and monthly basis along with the time. We also gave time sheets for the bank employees to fill for a fortnight to record actual work done with time spent.

Meanwhile we analysed job descriptions, processes, MIS and business applications to assess the real activities performed by various departments within the branch. Finally, we conducted interviews with the employees to discuss our observations relating to their job roles and work done. We were able to identify duplicate work done, opportunities for minimizing manual work by using technology, improving processes, reducing time spent on non-value add work, restructuring department functioning and changing job roles. This improved the efficiency of the branch operations besides resolving the management problems.

In another similar assignment for a law office, we analysed billable and non-billable time spent by attorneys. By transferring the non-billable activities to other job roles, the attorneys were able to increase their billable time, hence directly improve revenues.

The point is, all managers are told to prioritize work. Ever wondered what percentage of managers do it successfully? Additionally, what is the impact on revenues because of failure to do so? Isn’t it worth checking out? Shouldn’t organizations focus on employee risks? Employee risks are turning big and are mostly un-addressed.

2. Build Risk Assessment Tools

The business teams are primarily responsible for managing risks; however, they are not trained on risk management. The internal auditors and risk managers have vast knowledge of business risks. Then isn’t it worthwhile to bridge this gap? Here I will give you an example of what we did for a software development company.

The program managers were running million dollar software projects. As you know, the project risks impact cost, quality and time of the project. The software development teams focus more on running the project than doing project risk management. Hence, we developed an Excel tool for them. The spreadsheet contained over 600 risks on various stages of a software development project. The project manager just had to assess whether a risk was applicable to the project and select a listed risk mitigation plan. S/he had to input the name of the person responsible for managing the risk and the time schedule. Only in rare cases did project teams identify a new risk, which we incorporated in the next version of the tool. An activity which took the project teams days of discussion could be completed within a day, and the project manager could review the risk status within an hour on a weekly basis. An overall organization count was available on risk occurrence, success/failure of mitigation plans and risk losses.

Empowering the business teams with appropriate tools to conduct risk management is far more beneficial than a post facto audit. A reduction in risk loss directly improves profitability.

3.  Process Design Review

Internal audit and risk management functions generally are not involved in the process review at the designing and re-engineering stage. They audit the process after it is functioning and then identify control gaps and give recommendations for improvement. Doesn’t this sound like attempting to catch an elephant by its tail? I will share with you my ideas on this area.

When an organization is establishing its back offices, usually the processes are migrated with the same controls as were existing before. However, the risks and control requirements change considerably on process migration. If an auditor reviews the process and standard operating procedures at the process migration stage, not only will business risks be addressed, it will also save a lot of time in doing a subsequent audit. Additionally, management will be able to identify whether the process is high, medium or low risk and budget risk loss accordingly in the cost-benefit model.

The same applies when management is re-engineering processes according to six-sigma or lean or any other model. Sometimes on re-engineering processes, the existing control steps are removed to reduce work time and improve efficiency. However, no other compensating controls are put in place. This increases the risk of the process without management’s knowledge.

Reviewing processes proactively for controls and risks reduces probability of subsequent damage due to control failure. It significantly mitigates fraud risk also. Moreover, it reduces the audit time significantly.

4. Software Implementation Review

Again I see here that auditors review application controls at the time of SOX or financial audit. An assurance needs to be given on the technology controls. However, the cost of changing an application program after implementation is 3-4 times the cost at the time of development. Hence, doesn’t it make sense to review the software program at the time of implementation, whether it is an ERP or customized application?

To demonstrate the value of the work, I am narrating my experience of doing an assignment for a government tax department in India. The department was implementing technology for the first time to improve tax collection. According to its estimates because of the manual systems and delay in collecting information, it was losing revenue in millions due to tax evasion. They had appointed a hardware vendor and software vendor, and then my organization for auditing. We worked with the department to review the technology implementation strategy, user and functional specifications for controls, network diagram for information security and conducted application controls testing. This saved the department from various problems that would have occurred after implementation.

Proactively addressing technology controls saves the organization subsequent cost of changing them and mitigates the risks occurring from control lapses. Conducting an ongoing review of implementation of critical business applications is beneficial.

 5. Policy Decisions Review

Now this is something that most auditors and risk managers do not go near as policy making is management responsibility. However, I am going to narrate an incident here, and let you decide whether it makes sense to re-look the policies.

I was conducting a financial statements audit of a consumer goods trading company. While checking the discounts given on a product, I realized that the total discount given was eroding the profit margin. The company had various discount categories, for instance – special discounts, festival discounts, dealer discounts etc. However, it was not calculating the total of these discounts for each product. Hence, it didn’t realize that though the sales were increasing, the discount policies were faulty and eating away the profit margin. I did a marginal costing analysis, and assessed that if they continued with this policy the company would lose its “going concern” status in three years. Management was horrified on seeing my report and realizing that various discount policies cumulatively could have such an impact.

Look at it from another angle. If you see the banking sub-prime crisis, maybe a review of the policies to give loans to financially weak or unstable income borrowers would have reduced the risk. If the banks had just disbursed loans to this category to a small percentage of the total retail lending, this situation may not have occurred. Conducting an audit after loan disbursement and commenting on the quality of loans hardly helps.

My suggestion here is that when policies are issued, they need to be reviewed for financial and risk impact. Issuing single policies doesn’t sound like a big deal, however when sum total impact of a group of policies in a specific area is analysed, the picture is quite different.

6. Fraud Risk Assessment

In a speech given by the Governor of the Reserve Bank of India to the Institute of Chartered Accountants of India in December 2011, he said – “The profession has shied away from the responsibility for prevention and early detection of fraud.” This is a valid allegation. Although fraud risk is increasing at a tremendous rate, most organizations lack focus. Banks have fraud risk functions; however, they are more focused on investigations. The thrust on fraud prevention can be improved.

Let me give you an example here. In India, banks are either shifting back office operations or outsourcing them to vendors. Now these back offices have multiple processes, mostly run by people who are service delivery experts. The teams sometimes lack banking industry knowledge and are clueless about the fraud risks of the process. At the time of process migration, training is provided to detect transaction level fraud. However, if you ask the process owners whether the processes they are running are high, medium or low fraud risk, they will be unable to answer that.

I had once, with my team, developed a fraud risk assessment tool for banking back office operations. A weight was given to each data item that could result in fraud. For example, an employee having access to customer information can conduct account takeover fraud in a call center. The information normally required is name of the customer, account number, address, date of birth and debit/credit card number. If this data is available, the probability of fraud increases. Hence, the tool captured the data availability for each process and calculated the level of fraud risk for the process. Management and process owners knew the high fraud risk processes and could allocate more resources to fraud prevention in these processes. Incorporating controls in these processes reduced the overall fraud risk of the organization.
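A minimal sketch of the weighting approach described above, added here as an illustration and not the tool the author's team built. The weights, tier thresholds, process names and the field-masking control are all assumptions; the five data items are the ones listed in the paragraph.

```python
# Added illustration: data-exposure-based fraud risk tiering for back office processes.
# Weights, thresholds and process names are assumptions, not values from the original tool.

# Weight per data item visible to staff; a higher weight means more useful for account takeover.
FIELD_WEIGHTS = {
    "customer_name": 1,
    "address": 1,
    "date_of_birth": 2,
    "account_number": 3,
    "card_number": 3,
}

# Assumed cut-offs on the share of total weight exposed.
HIGH_THRESHOLD = 0.7
MEDIUM_THRESHOLD = 0.4


def exposure_score(visible_fields, masked=()):
    """Return the share (0.0-1.0) of total weight readable by process staff.

    Fields listed in `masked` are treated as not readable, which models a
    control such as masking the value on screen (an assumed control).
    """
    unknown = (set(visible_fields) | set(masked)) - FIELD_WEIGHTS.keys()
    if unknown:
        # An unweighted field means the data inventory is stale; fail loudly.
        raise ValueError(f"no weight defined for: {sorted(unknown)}")
    readable = set(visible_fields) - set(masked)
    return sum(FIELD_WEIGHTS[f] for f in readable) / sum(FIELD_WEIGHTS.values())


def risk_level(visible_fields, masked=()):
    """Map the exposure score to a high / medium / low fraud risk tier."""
    score = exposure_score(visible_fields, masked)
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def rank_processes(inventory):
    """Return (process, score, level) tuples, highest exposure first."""
    rows = [(name, exposure_score(f), risk_level(f)) for name, f in inventory.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample inventory: data items each process displays to its staff.
SAMPLE_INVENTORY = {
    "call_center_servicing": ["customer_name", "account_number", "address",
                              "date_of_birth", "card_number"],
    "statement_dispatch": ["customer_name", "address", "account_number"],
    "cheque_image_indexing": ["account_number"],
}

if __name__ == "__main__":
    for name, score, level in rank_processes(SAMPLE_INVENTORY):
        print(f"{name:24} {score:.2f} {level}")
```

Passing `masked` shows how a control changes the tier: masking the account and card numbers in the sample call center process moves it from high to medium.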

As mentioned in an earlier post, the Kroll Fraud Report of 2011 states that globally organizations reported on average 2.1% of earnings loss due to fraud and nearly 1/5 of the organizations had 4% earnings loss. In case of senior management involvement, for instance – Satyam, Enron, WorldCom – organizations are nearly wiped out. Fraud risk additionally impacts financial, reputation and legal risks. Hence, organizations definitely need to focus on it.

7. Review of Management Programs

Management initiates various programs, namely for innovation, research, quality improvement, leadership development, etc. A lot of time and money is spent on these programs as they enable organizations to gain a competitive advantage. Risk managers talk about competitive advantage risks; however, these programs do not come under the review radar of either internal auditors or risk managers. They check that the cost of programs is booked correctly, and are unconcerned about the success of the program and/or reasons for failure. The reason is that no obvious risk is seen.

My view is that if a program is developed to gain competitive advantage, then obviously its failure results in increasing competitive disadvantage. That increases business risks. These risks might not be immediately quantifiable, but have long-term impact. However, the reasons for program failure are not obvious, and the failure results in sunk costs for the program.

For instance, in a company I had run an organization survey to get feedback on implementation of a quality framework. Normally, negative feedback identifies the following problems – lack of senior management support, insufficient training, lack of implementation support, no hand-holding done in first project etc. In the feedback given, the respondents stated that these issues were addressed well and they had no complaints on these fronts. However, they were not motivated to use the framework because there was no reward or recognition system in place for doing well in this area. After implementing an employee bonus scheme for adopting the framework and using it well, participants’ commitment levels for the program improved.

As I had mentioned in an earlier post “Creativity@Risk”, organizations’ innovation programs may not be effective because creativity is not valued. I had given steps to audit creativity levels in the organization. Think of it, if innovation and research is failing, don’t the competitive advantage risks increase? How are organizations calculating and addressing these risks?

8. Brand Building Programs Review

Organizations are investing heavily in building brand names to gain competitive advantage and customer loyalty. They run advertising, social media and corporate social responsibility programs geared towards it. However, some are succeeding in their efforts, while others are reaching nowhere, especially Indian companies. For example, the global Brand Keys Customer Loyalty Leader report of 2011 doesn’t mention even one Indian company in the top 100 brand names. Hence, the question is where are all the advertising and brand building budgets going?

A review of the effectiveness of these programs helps to build better customer relationships. For example, to get Gen Y customers, some banks have launched games on their websites. If a customer logs in and does some transaction or activity on the website, s/he gathers points. After accumulating a certain number of points, the customer is given a small gift. It is targeted towards building customer retention and loyalty. The cost of the program is low, and the impact is high.

Another aspect now facing organizations is social media risks. Any negative information that goes viral can damage the company’s reputation. Hence, the probability of reputation risks has increased. To ensure that these risks are properly mitigated and the programs are effective, the programs can be periodically reviewed.

9. Strategy Review

In an earlier post I had mentioned a point from a McKinsey report. It states that just 8% of the respondents said that their organizations review strategies on an ongoing basis. In 42% of cases, the organizations were not conducting annual reviews of strategy. Now without reviewing the strategy, how do organizations really know where they are heading?

In another recent report of the Economist Intelligence Unit titled “The Long View” the key observation was that – “The time horizons for strategy and risk are often misaligned. Some companies are making long-term strategic plans without a proper consideration of the associated risks.” The main reason is that risk management is considered an operational activity rather than a strategic function. This is highlighted by the fact that just 24% of organizations think that risk analysis is vital for strategy development.

To illustrate the need for strategy review, I am narrating an incident. I was pitching for work to a CEO. He handed me his strategy documents for building 100 collection centers. I analysed the numbers, and realized that though the revenue numbers and assumptions were correct, the costing was not so. I visited a few collection centers, developed an operational plan and costing analysis and submitted the revised numbers. When the CEO saw the numbers, he asked me for my recommendation. I said in a straightforward manner – “If I was in your position I wouldn’t implement this project. Though revenue numbers are good, the break even point is at 75%. There are no quick earnings and failure probability is high.” The CEO agreed to my observation and the project was not undertaken.

As I persistently continue to make this point, strategy review is essential for success. A lot of funds are wasted on wrong strategies. Start with focusing on the strategy formation process and reviewing business strategies to move up the value chain.

10. Business Continuity Plan Review

Most organizations dependent on information technology have disaster recovery plans and/or IT recovery strategies. Few have developed and implemented full-fledged business continuity plans envisaging various natural and man-made disasters, although with the increasing frequency of floods, earthquakes, hurricanes and terrorist attacks this would be an obvious move. Last year the earthquake in Japan and floods in Thailand caused problems for companies worldwide whose vendors were located in these countries. The supply chain broke down.

Conducting a business impact analysis requires classifying each activity in the business process as critical, necessary or optional in case of a disaster. Some activities might be required in normal business functioning but not in a disaster scenario. For example, for a bank, having credit card operations running 24/7 is critical; however, a loan application approval process can be delayed for a couple of days without a big problem. A solution is required for all critical activities. For instance, in the 9/11 attacks in the US, the Amex center in Delhi acted as the backup center for US offices. It was one of the few companies whose customers didn’t feel any impact on customer service due to the incident. Hence, ensuring that all critical activities have a backup facility with trained resources operable in a short time span is critical for business continuity.

A review of the plan and testing documents ensures that there are no gaps and all possible disaster scenarios are covered. A periodic review is required, as sometimes processes and business change while the business continuity plan is not updated.

Closing Thoughts

To provide value add to business, auditors and risk managers need to focus on these services. The Big 4 earn most of their revenues providing these services to clients, as few companies have developed in-house capability. Some organizations, though, have shown progressive thinking and renamed internal audit departments as the business assurance and advisory function. One arm of the department focuses on regulatory requirements of internal audit and the other arm focuses on providing assurance and advisory services to various stakeholders within the enterprise. The cost of setting up the function is low, the rewards are high. Senior managers just have to re-imagine audit and risk management functions. It will be worthwhile.

References:

  1. The long view - Getting new perspective on strategic risk by Economist Intelligence Unit
  2. Brand Keys Customer Loyalty Leaders 2011
  3. Challenges to the Accounting Profession Some Reflections – Speech of Dr. Duvvuri Subbarao, Governor of Reserve Bank of India on 16 December

Risks in Budgeting and Forecasting Process

When I go shopping more often than not I blow my budget. You see, in the shopping mall my requirements far exceed the forecast. My three finance qualifications come to naught in this simple expenditure planning. So I understand why budgets of organizations go wrong. But the risks associated with an organization’s inaccurate budgeting and forecasting process are far higher.

For instance, the CAG report on Air India states that airplanes were purchased based on an estimated huge market growth and share. The government airline is now nearly bankrupt. More recent is the case of Kingfisher Airlines. The company is facing a huge liquidity crunch and may go bust if banks do not bail it out. Though I haven’t analyzed the financial statements, the question does come up – didn’t they see this coming? What kind of cash flow forecasting was the finance team doing? The airline grew quite fast; were there any checks kept on expenditure and how was it linked back to revenues?

These are basic questions, and show the impact on the organization when proper techniques are not used for budgeting and forecasting. In the next quarter, Indian organizations will commence their budgeting process for the financial year 2011-2012. I thought it is a good time to study the best practices of budgeting and forecasting, and share with you my understanding of the risks associated with it. I delved into the SAP CFO forum research papers and here are some interesting points.

1. Business Drivers for Budgeting and Forecasting

According to the Aberdeen and SAP report, the top three drivers for budgeting and forecasting in 2011 were helping organizations deal with market volatility, aligning strategy and controlling costs. As these three have been major drivers for the past three years, one can safely assume, considering the global economy, that these three will prevail in 2012 also.

Moreover, the Indian economy’s year-end scenario is turning bleak. As per recent reports GDP is expected to show just around 7.25-7.75% growth in 2011, instead of the initial 9% growth forecast. Sensex has fallen one fifth in the year and presently India is among the worst performing stock markets in the world. Organizations have cut down on capital expenditure to maintain profitability. Hence, in the coming financial year, Indian organizations will face all the five pressures mentioned in the graph above. Therefore, it has become more critical to do accurate budgeting and forecasting.

2. Risk Adjusted Forecasting

In another SAP white paper titled “Increasing Competitiveness through Closed Loop Performance Management” I came across an interesting point. It emphasized implementing integrated financial performance management processes that “comprise strategy planning, budgeting and operational planning, forecasting, management reporting, profitability and cost management, and risk management.” It further added that in most organizations the “various performance management systems remain disconnected specially risk management.”

Now the question that begs an answer is – are risk managers having a look at the budgeting process to ensure all management systems are linked together? Secondly, are they reviewing the budgets, facilitating the business teams in identifying risks and adjusting the budgets accordingly?

In my view, if risk managers are taking a hands-off approach during the budgeting process, then they are doing the organization a major disservice. They should proactively participate in the process, identify the problem areas and discrepancies, highlight the risks and inaccuracies, and facilitate management in preparing flexible budgets.

The benefits of this approach can be seen in the Infosys case. The company was recently in the news for asking its employees to sacrifice two Saturdays in this quarter to meet the budgets. Though I have different views on the action taken by Infosys to call employees on weekends, it does show that they are proactive in managing their forecasts. The management assessed the risk of failure of forecast and took action. Hence, there is a lesson to be learned here for all organizations. Organizations should build in triggers for internal and external events so that forecasts are adjusted in a timely manner.

3. Flexible Forecasting

A new report by SAP with CFO Research Services highlights the risks of having fixed budgets based on historical data. It states that due to the changing business environment forecast numbers are “continually measured against real-world results and recalibrated to meet new threats and take hold of new opportunities as they arise.” Further on it adds that “The time-honored tradition of beating the budget by surpassing revenue targets is no longer a reason for celebration; it’s one sign that the budgeting process took so long that the assumptions underlying it grew stale.”

The CFOs interviewed in the report state that building flexibility into planning assumptions and processes is of paramount importance. With mobiles and tablets, real-time information on sales, expenses etc. is available. Hence, forecasts now require regular examination of the underlying assumptions. The market dynamics ensure that one has to go back to the drawing board periodically to study the movement and re-strategize. Annual fixed budgets are becoming a thing of the past and CFOs are in favor of rolling budgets.

In light of this aspect, the points I mentioned in my earlier post that risk managers need to actively participate in strategic risk management hold true. In this scenario, risk managers must review the budget assumptions and risks on a monthly/quarterly basis to ensure smooth sailing. A once in a year periodic review doesn’t hold much water. They must make sure that the organization’s strategy, operations plans, and budgets are continuously aligned.

Closing Thoughts

Budgets are no longer just the domain of the finance department. In the present environment budgets must be developed with a combination of top-down and bottom-up approaches. While the strategy is developed at senior management level, the execution plans are developed down the line. The teams down the line have the real information on market dynamics, numbers and risks. The views of various departments – sales, human resources, purchases etc. – need to be incorporated to form realistic assumptions and understand associated risks. Hence, risk managers have a significant role to play in this process.

Share your opinion here. Do you think Indian organizations have robust budgeting and forecasting processes?

References:

  1. Economy in Distress as Factory Output Slumps : Economic Times 13 Dec 2011
  2. Financial Planning, Budgeting & Forecasting in the New Economy : Aberdeen Group with SAP
  3. Increasing Competitiveness through Closed Loop Performance Management – SAP
  4. Accelerating the Speed of Intelligence for Fast and Flexible Forecasting – SAP with CFO Research Services

You can find the reports at http://www.sapcfo.com/

This article was published in The Business Enterprise Magazine January 2012 issue.