Innovative Approaches to Fraud Risk Management

The Javelin Strategy & Research Identity Theft Report 2013 states that 5.16% of US customers suffered from identity theft amounting to US$20.9 billion. Moreover, tablet users had the highest probability of fraud at 9.6%. Victims of a data breach had a 22.5% likelihood of becoming fraud victims. Hence, it is clear that while organizations are deploying more processes, technology and resources to prevent fraud, the fraudsters are having a ball. One thing fraudsters do is think outside the box. So we have to take a leaf out of their book and be innovative in our approach to preventing and detecting fraud. Below are some ideas on the same. Share with me your thoughts on what you think about them.

1. Voice Print Analysis

Presently, in most banks, a call center agent asks a set of questions to verify the identity of the customer for telephone banking. Internal employees, external fraudsters and organized crime groups can easily steal information about date of birth, place of birth, address, secret questions, and card number.

Now voice-printing software is available for voice authentication. The system automatically verifies the caller's voice against the customer’s sample voice to identify fraudulent callers and protect the account.

Secondly, maintain voice records of earlier fraudsters. When the system detects a fraudulent caller, it automatically checks against the previous fraudulent call records. Hence, the system will flag if a fraudster has previously conducted a telephone banking fraud. With this, it will be easy to nab the fraudster, if the police had caught him/her in a previous case.

A new voice identity technology is available that captures the tone of the voice and the type of communication. The software can monitor quality of calls and customer satisfaction from call center agents’ conversations with customers. This will cut manual quality control checks significantly and result in savings in quality control department costs.

2. Track through Photographs and Location Mapping

Besides having voice-printing software, use a system similar to WhatsApp to identify customers. WhatsApp sends text messages, images, video recordings, audio recordings, and the location. If banks invest in a similar application and allow customers to download the application on their mobile phones and tablets, the number of telephone and internet frauds will reduce.

If a fraudulent caller is flagged, then the call center agent can request the customer to send a selfie or video. If it is the wrong person, usually the caller will cut the conversation and drop the attempt to commit a fraud.

If the caller is able to circumvent this control, the application will also track the location. Applications track the frequent places a customer visits or calls from. If the caller is from an unusual place, then s/he can be tracked immediately. For example, if a British customer is tracked to a place in India, the call centre agent can ask the caller to verify their location.

3. Track Spending Behavior

Sometimes high-value fraudulent payments are processed, resulting in huge losses. A study done by Vivek K. Singh, Laura Freeman, Bruno Lepri and Alex (Sandy) Pentland, “Classifying Spending Behaviour using Socio-Mobile Data”, determined the spending behavior of customers from the social interaction patterns on mobile phones. For example, it showed that more social couples and couples with diverse business interests tend to spend more.

Using big data, insights on spending behavior of customers can be analysed based on personality traits. Tracking social patterns and payment patterns can flag anomalies when the payment is not in line with the spending pattern. Moreover, a location map can identify the location of beneficiaries of previous payments. Hence, fraudulent payments can be identified at the time of processing itself.

Another advantage from this technology can be for processing retail loan applications. If prospective customers are willing to give the data of mobile phone transactions, then at the time of processing the application itself, the bank can identify which customers are likely to overspend and default in future. The bank can ask for additional securities and guarantees.

Moreover, if the application is installed in the loan customer’s mobile after loan disbursement, the moment s/he is about to overspend which might result in default of EMI, the bank can send the customer an alert to pay the EMI first.

 4. Fraud Risk Conversations

According to psychological studies on emotional intelligence, Negative Emotional Attractors (NEA) activate defense systems and build resistance to change. On the other hand, Positive Emotional Attractors (PEA) activate the parasympathetic nervous system and make a person more receptive to listening and changing behavior. An effective team has a 3:1 ratio of PEA:NEA. Another study shows that improving peer-to-peer conversation increases productivity of the team by 30 to 40%.

However, risk management reports are mainly critical and hence activate NEA. Moreover, the communication, training material, and code of conduct are all geared towards creating fear and guilt. Hence, it is not surprising that attempts to educate business teams on fraud risks fail.

Fraud risk managers can build a positive interaction model using a technology platform. A study conducted by Erez Shmueli, Vivek Kumar Singh, Bruno Lepri and Alex “Sandy” Pentland on “Sensing, Understanding, and Shaping Social Behavior” enables tracking of human behavior through big data analytics. The analytics help in understanding the behavior, the tone of the conversation and the trust relationships between people.

Using this technology, an organization can use a social networking platform to communicate fraud risks through blogs, videos, and stories. The write-ups and stories should be from the business teams. From the comments section, the application can identify the key influencers and trust holders to bring about change. Thus, change the conversation to change the behavior.

 Closing Thoughts

The days of holding a gun to rob a bank are nearly over. Fraudsters use social engineering to obtain sensitive information to conduct account takeover frauds remotely. Hence, organizations need to use socio-physics, social networks, and technology to beat the fraudsters at their own game. Being a leader in adopting the latest technology to prevent and detect frauds has an additional advantage: the fraudsters have not discovered the antidote to it. Hence, fraud risk managers have the right weapons to fight. The right tools can make a hell of a difference.


  1. Javelin Strategy & Research Identity Theft Report 2013
  2. Classifying Spending Behavior using Socio-Mobile Data – Vivek K. Singh, Laura Freeman, Bruno Lepri, Alex (Sandy) Pentland
  3. Sensing, Understanding, and Shaping Social Behaviour – Erez Shmueli, Vivek Kumar Singh, Bruno Lepri and Alex “Sandy” Pentland



IBM CEO Survey Insights On Customer Focus

The 2012 CEO survey conducted by IBM gives some interesting insights. Seventy-three per cent of CEOs are gearing their organizations to gain meaningful insights from customer data. This is the area of highest investment. The traditional approach of segmenting customer data to calculate statistical averages has been replaced with understanding the attitudes and tastes of individual customers.

The main aim of gathering holistic customer information is to devise services and products targeted at the customers and improve the response time. As stated in the report – “The challenge for organizations is two-fold: can they pick up on these cues, especially if the information comes from outside? And can the appropriate parts of the organization act on the insights discovered?” The graph depicts the main reasons for capturing customer information.

Further, the report mentions that though most of the CEOs focus on capturing information, out-performers excel at acting on insights. The difference is innovation and execution. A quarter of the CEOs reported that their organizations are unable to derive value from the data. Speed of action is required to capture data, analyse, prepare strategies and respond to customers. As one CEO stated, the most crucial characteristic is to “organize a major wake-up call.” The customer-obsessed CEOs are driving the organizations to more contextual customer insights. The graph below highlights the marked difference in under-performers and out-performers.

Risk managers can play a pivotal role in helping CEOs achieve these objectives. They can focus on the following.

1.     Organization Culture and Process Change

A customer-oriented organization culture is required to leverage the opportunities. Secondly, the organization needs to align the processes towards customer relationship management. Risk managers can conduct an organization culture survey to assess customer orientation. Moreover, they can review processes to determine risks and controls to mitigate risks.

2.     Security of Data

The activity requires accumulation of extensive customer personal information. Generally, companies use separate data centres to collect and analyse the data. However, the risk of loss and theft of data is huge, as in the recent case of Facebook, where 1.1 million users’ data was sold for US $5. Therefore, it is a good idea to review security policies and test data centre security.

3.     Return on Investment

Data collection requires huge investments in technology and resources. As the CEOs are saying, the failure rate is quite high. A review of projects, plans and strategy would identify the pain points and misdirected activity. Calculating return on investment on various programs might steer the investments in the right direction. Timely identification of failing projects and reasons for failure is critical to maintain cost effectiveness.

Closing thoughts

Technology and social media have brought customers closer to companies. The face-to-face customer interaction is gradually shifting towards social media. The companies that are able to navigate this transition successfully will outperform their peers in the industry. Hence, risk managers should support this CEO initiative to enable the organization to leverage upside risks.

What is your organization doing in this respect? How do you think risk managers should facilitate CEOs in this initiative?


Leading Through Connections – IBM CEO Survey

Misunderstanding of Risks Between Business Teams and Auditors

The PWC Internal Audit survey highlighted one critical shortcoming of Chief Audit Executives and Internal Audit Departments. The risks that business teams consider critical are being ignored. I have been covering some of the risks on the blog, namely – people risks, competitive advantage, innovation and creativity, marketing, country risks, etc. According to the survey, more than 20% of the stakeholders reported that internal audit paid too little attention to these risks. Hence, the question is why internal auditors and risk managers are not looking at them. Take a look at this chart first.

PWC Internal Audit Survey 2012

From the survey results, two assumptions can be made. First, the internal audit function is still focused on auditing the processes that link to the financial numbers. Second, they do not understand the business aspects of the organization. As given below, three things need to be done.

1. Understand business requirements

The situation reminds me of an Archie-Veronica joke. Veronica is trying out a new pair of jeans in a store. She looks in the mirror and says – “The jeans are tight, I wonder what could be the problem.” Archie promptly replies – “You might have gained a few pounds”. Veronica gives one whack on Archie’s head and again makes the same statement. This time Archie replies – “The store may have marked a wrong size on the jeans”. If the internal audit reports were hard hitting, business teams may give the internal auditors a rosy picture. They may not be sharing the true concerns in respect to various business risks. Hence, internal auditors would focus their energies on some unsubstantial risks.  Improve the communication with business teams to understand the risk environment. Create an environment where truthful interactions occur.

2. Add in next year's business plan

Last quarter of the year has started today, and most of the organizations will prepare 2013 plans in this quarter. This is a good time to understand the business risks and prepare the 2013 annual audit plan and budgets accordingly. Coordinate with the business teams to understand their annual plans. Identify the risks relating to the plans. Discuss with the teams on how internal audit function can help them. Attempt using collective intelligence and crowd sourcing techniques to develop your plan. Where required, take a call to provide advisory services rather than assurance services. Business managers expect much more from the internal audit function. Hence, gear yourself to meet if not exceed those expectations.

3. Develop talent and skills

In the 20th century internal auditors audited the same financial numbers as external auditors. In the 21st century, the function requires revamping. In my previous article – “New Risks and Uncertainties in 21st Century” – I had conducted a poll. I had asked respondents whether they thought present day risk managers were equipped to deal with 21st century risks. Out of 17 total votes, 15 had responded that less than 50% of the risk managers can manage the new business risks. The verdict was by the risk managers about risk managers. Don’t be a dinosaur and learn new skills to survive in the market. In another 5 years when Gen Y become middle managers, Gen X may become redundant.

Closing Thoughts

With the turmoil in various economies, the 2013 risk landscape will be drastically different. Organizations that are well geared in risk management have a higher probability of sailing through. Internal auditors and risk managers need to incorporate the impact of globalization, technology and social media in their annual plans. There is no purpose in serving stale bread and expecting business teams to swallow it. Rejuvenate in the new business age.

Wishing all my readers a Happy Gandhi Jayanti. Let us pray that each person believes a little more in non-violence and work towards a peaceful world.


PWC Internal Audit Survey 2012

An Update of Adidas India Euro 125 Million Fraud Story

In the last couple of weeks, some startling information was revealed by the media about the fraud. To recap, Adidas global management disclosed euro 125 million (Rs 870 crore, USD 157.68 million) fraud in India operations in the first quarter end report of 2012. Subsequently, Adidas India management filed a police complaint against the ex-CEO Subhinder Prem Singh and ex-COO Vishnu Bhagat. Now the battle lines are drawn and allegations are flying. Here are some surprising revelations of the case so far.

Adidas management is alleging “commercial irregularities” and mismanagement of Reebok operations for the last five years. Reebok and Adidas India operations were merged under Mr. Singh last year. Mr. Singh portrayed it that the allegations are more about a power struggle between the two groups and that Adidas India operations have a similar number of unreported frauds, as mentioned in the earlier post.

Some financial numbers and other details that were reported by the media are:

1) Profitability of Adidas & Reebok India

An Economic Times article stated that Reebok India March 2010 reported Rs 786.1 crore (USD 142 million) total income with a loss of Rs 40 lakhs (USD 72,000). On the other hand, Adidas India operations showed a profit of Rs 455.6 crore (USD 82.75 million) for the year ending March 2010, with a profit after tax of Rs 9.01 crore (Rs 1.63 million). Mr. Singh attributed the difference to two aspects. First, Reebok India had a share capital of Rs 23 crore (USD 4.16 million) in comparison to Adidas India’s share capital of Rs 99 crore (USD 17.94 million), hence has to pay interest on borrowed funds. Second, Reebok India paid a royalty of 5% on sales, that amounted to Rs 110 crore (USD 19.93 million), whereas Adidas India isn’t required to pay royalty. Hence, Mr. Singh’s contention is that Reebok India performed better than Adidas India.

This practice of charging royalty to one arm of the company and not the other in the same country, is somewhat controversial. It raises questions on the transfer pricing practices followed by the company.  The Income Tax department may view it as an intentional strategy to deflate profits to avoid taxation.

Subsequent to the story breaking, the Income Tax department has commenced an inquiry and issued notices to executives for probing financial wrong-doing in last four years to determine tax evasion.

2) Police Complaint

The FIR, which has been seen by Bloomberg UTV, says that:

– “Irregularities include over-invoicing to the tune of Rs 147 crore (USD 26.64 million)
– Running a false franchisee referral programme, receipts from which were about Rs 114 crore (USD 20.66 million)
– Maintaining four secret warehouses where company goods were diverted, all of which have been sealed and goods confiscated
– Raising fake invoices of about Rs 98 crore (USD 17.76 million) to show higher sales and claim promotions, bonus and incentives
– And collusion with some customers to aid the two officers in the scam”

Behind the allegations, the details when pieced together give the following story.

According to the Economic Times story, Mr. Singh started gunning for the top job of the merged entity from 2008, knowing that merger was inevitable. He pursued expansion plans to show numbers and beat internal competition, at the expense of profitability.

The source of the problems appears to be the minimum guarantee strategy adopted for store franchises. Reebok had 100 stores in 2003, and grew to 800 stores. As per the minimum guarantee program, the franchisee was given a specific sum, irrespective of whether the company earned any money from the store. Small-time business persons were invited by Reebok to open stores and these stores didn’t make any money. Hence, the costs ran high, with no revenues. Rumors are that some money was earned by Mr. Singh privately for opening these stores.

Another piece of information shared by the police is that the Adidas management claim that Mr. Singh and Mr. Bhagat diverted stock to four secret warehouses near Delhi doesn’t hold much water, as no stocks were found in the warehouses. Adidas India claims to have confiscated goods worth Rs 63 crores (USD 11.41 million) from these warehouses. According to the police, three of the four warehouses were empty, and from the fourth the new management has taken the goods.

However, from the information available so far, it appears that sales figures may have been inflated, and closing stock deflated to show higher profitability and meet the growth targets. It is possible that false sales invoices were created and the goods transferred to the warehouses. There are allegations from store owners also that there are discrepancies between statements of accounts. The debit and credit balances significantly differ. Hence, the sale invoices may have been made in the franchises’ name without an actual sale. If this is true, most of the internal controls were overridden by management.

Another aspect reported was that German management at headquarters was aware of the complaints and various issues cropping up, but chose to ignore them due to the great performance being shown. They apparently didn’t take proper action on the auditors’ report either. Of course, there are likely to be questions raised as to the quality of work done by external and internal auditors.

With all the information available till date, the fraud figures don’t add up to Rs 870 crore (USD 157.68 million). The police investigators are stating that beside the complaint, no evidence has been provided by Adidas management till date. Reading the corporate boxing match, Registrar of Companies under Ministry of Corporate Affairs has commenced an investigation.

Closing Thoughts

With all the dirty linen being washed in public domain by Adidas group, it has attracted regulators’ attention. If the plan was to browbeat Mr. Singh, without adequate evidence the prosecution will fail. If in reality all the allegations can be proved, then Mr. Singh along with a number of senior executives is in hot soup. Till date it is the largest fraud case reported by a multinational company in India. Let us wait and watch to get some more juicy information.


  1. How Adidas Slipped in India – Economic Times
  2. Reebok under tax lens, Adidas seizes goods from warehouses
  3. The Reebok Adidas scam – another corporate saga in courts

Risk Management Failures in Kingfisher Airlines


The king of good times is facing hard times. Launched in 2006, with much fanfare by its Chairman, Mr. Vijay Mallya, Kingfisher Airlines (KFA) is presently in dire financial straits. After the euphoria abated, KFA’s strategy, performance and financial health have been questioned since mid-2008. Now the company is facing major financial and operational problems. The press statement from KFA, on 12 March 2012, highlights the challenges:

“The flight loads have reduced because of our limited distribution ability caused by IATA suspension. We are therefore combining some of our flights. Also, some of the flights are being cancelled as a result of employee agitation on account of delayed salaries. This situation has arisen as a consequence of our bank accounts having been frozen by the tax authorities. We are making all possible efforts to remedy this temporary situation.” 

KFA is a good case to understand the impact of failure in risk management. The management ignored the warning signs of stormy weather and failed to navigate the company into safety. With hindsight, some of the important decisions made by the airline appear incorrect. Let us analyse the top 5 risks.

1. Strategic Risk – Market Analysis

KFA was launched as a premium business class airline. That was the first mistake: a lack of understanding of customer requirements and basing the decision on the assumption that luxury sells in airlines. Organizations focus on reducing costs and usually just CXOs are allowed business class travel. The rest of the staff mostly travels by economy class. Moreover, buying the most expensive business class tickets doesn’t go down well when seniors aim to project the image of walking the talk.

Even consultants, whose travel tickets are paid for by clients, hesitate to book KFA tickets. It appears that they are abusing privileges. Hence, the market size for business class tickets is small in India.

Secondly, internationally the Southwest Airlines operating model has proven successful. It is a low-cost airline that provides minimum frills to customers at reasonable rates. Mr. Mallya, highly successful in the liquor business, didn’t comprehend the differences in customer preferences within the two industries. Customers may buy expensive alcohol, but not airline tickets, since the total cash outflow is higher. It is a price-sensitive market. Therefore, KFA adopted an incorrect strategy from the start as it failed to understand the market dynamics.

2. Strategic Risk – Merger with Air Deccan

KFA acquired Air Deccan, a low-cost airline, in 2007. Five years of operations is a key criterion for an airline to fly internationally. Hence, KFA acquired Air Deccan’s international flying rights and simultaneously entered the cheaper market segment. It made the following announcement in the September 2008 financial results commentary:

The merger of the two operating airlines into one corporate entity has also enabled savings on operating costs such as Engineering and Ground Handling, Insurance and Catering. Employee costs have also been addressed through an integrated organization which enabled the Company to terminate the contracts of most expatriate staff and impose a hiring freeze on new appointments.

After the merger, the first signs of trouble cropped up. As per a Business Today article, it became the largest Indian airline with 27.5% market share, and domestic travel increased by 30%; however, it didn’t make profits, despite the fact that its main rival – Jet Airways – continuously showed profitable quarters.

KFA showed growth in numbers while having lost the strategy. With the merger, it lost its brand image of a premium business class airline. It expanded with the speed of a jet without building a base and resolving the post merger challenges. This set the course for a bumpy ride.

3. Strategic Risk – Investment in Planes 

According to 31 March 2011 ending annual report, KFA flew 366 domestic flights and 28 international flights. It owned 67 aircraft.

“Aircraft Engine/Lease Rentals: Aircraft/engine lease rentals stood at Rs. 984 crore (USD 197 million) during the twelve month period from April 2010 to March 2011. Your Company operated 67 aircraft (scheduled and non scheduled) in the year under review, 13 of which are owned through finance leases and 54 are held under operating leases.”

The Business Today article mentions that presently the airline owns 63 planes and a few have been returned to the lessors. However, the plane financing problem isn’t new. In September 2008, after the merger with Air Deccan, KFA stated the following in its financial results commentary:

“Two aircraft have already been returned to Lessors with no additional cost, and the Company is in discussion for the return of a further eight aircraft. The impact of this capacity contraction will be visible during the second half of the Financial Year.”

After the merger, according to the Business Today article, the airline refused to take delivery of 5 Airbus A340-500. It had over 90 aircraft in Airbus books and no delivery was taken after 2008. This is a case of investment plans made under a cloud of unknowing.

4. Financial Risk – Excessive Debt  

In the December 2011 quarter unaudited financial results, signed by the Chairman Mr. Mallya, the following note is given:

The Company has incurred substantial losses and its net worth has been eroded. However, having regard to capital raising plans, group support, the request made by the Company to its bankers for further credit facilities, planned reconfiguration of aircrafts and other factors, these interim financial statements have been prepared on the basis that the Company is a going concern and that no adjustments are required to the carrying value of assets and liabilities.

KFA posted a loss of Rs 1027.39 crore (USD 205.95 million) in December 2011 quarter. As of 31 March 2011, its net worth was negative at Rs 3633.08 crore (USD 728.29 million). It was last positive in March 2008, and now the picture is dismal. Presently, KFA has a total debt of Rs 7057.08 crore (USD 1414 million) and total accumulated losses of Rs 6000 crore (USD 1202 million). The banks refuse to extend further  credit as the non-performing assets (NPA) will jeopardize the profitability and liquidity of the banks.

Here it is a clear case of excessive debt and poor cash flow management systems. The situation has gradually worsened from March 2008 and in three years the capital is completely eroded. A better financial risk management may have helped mitigate the problem. It appears no one in the company was monitoring the risk dashboard. Maybe they were flying high on optimism.

5. Operational Risk – Fuel Costs

It’s a well-known fact in the aviation industry that most airlines nosedive due to high fuel costs. The rise in fuel costs is an uncontrollable risk as the price of petrol is set internationally. Additionally, in India, states charge heavy sales tax on petrol. Hence, the fuel costs are much higher in India. KFA annual report of 31 March 2011 acknowledges this issue:

Aircraft fuel expenses: Expenditure on fuel stood at Rs. 2274 crore (USD 456 million) during the twelve month period from April 2010 to March 2011 accounting to 28% of the total costs. While the average fuel prices have come down from a high of Rs. 74 per litre in August 2008, prices have steadily risen through the year and ended 34% higher than prices at beginning of the year. 

As given in the commentary on the results for the half-year ended 30th September 2008, KFA was aware of the problem:

The Aviation Industry is going through a challenging phase globally, driven primarily by spiraling fuel costs, which hit an unprecedented USD 147 per barrel in July 2008. The Indian industry was hit more adversely due to the cumulative impact of Customs Duty and Sales Tax on account of this sharp increase in international fuel prices. The average price of ATF in the six month period from April to September 2008 increased by about 60%. The impact on Kingfisher Airlines alone was to the tune of Rs.640 Crores (USD 128 million).

To recover fuel costs, most airlines increase the number of seats in the aircraft by better use of space. KFA couldn’t do it, as it projected itself as luxury class. Despite enjoying an occupancy rate of 75-85%, the company failed to break even. Although the management was aware of the truculent factors in the aviation industry, it failed to take preemptive measures in time.

Closing Thoughts

A look at the 31 March 2011 year-end annual report reveals that KFA had 7-8 directors, with just one executive director. The audit committee had 3-4 directors and didn’t seem active, since there were just 4 meetings during the year. Since inception of the company, three CEOs have come and gone. Mr. Vijay Mallya, the Chairman, controls the company. The board of directors has not actively participated in charting the route of the company. Hence, the pilot of the company is responsible for the downward spiral of KFA. As the banks and government refuse to give a life jacket to KFA, the probability of a safe landing is low.


  1. Kingfisher Airlines – Media statement 12 March 2012
  2. Kingfisher Airlines – 31 March 2011 Annual Report
  3. Kingfisher Airlines – 31 December 2011 Unaudited results
  4. Kingfisher Airlines – Commentary on results for half year ending 30 September 2008
  5. Losing Color – Business Today article.

Program Change Management Risks

Organizations invest huge amounts in running numerous programs to improve operations, culture and profitability of the company. For instance, programs cover technology implementation, building social networks, improving employee engagement and corporate social responsibility initiatives. Some programs give good return on investment while others dwindle without much success.  The success and failure of a program appreciably depends on effective change management.

Even for information technology programs, various survey reports show a success-failure ratio of 50-50. Failure results in cost overruns and delay in project schedule besides low employee morale. A few reports indicate just around 20% of the programs are successful in the first effort in all respects. The differentiating factor, with technology and implementation capability being the same, is change management skills. Lack of focus on change management risks results in program failure.

Before discussing some key aspects of program change management risks, let us understand the reason for the same. Change causes insecurities to surface, hence sows the seeds of conflict and discord. On start of a program, people do not understand the reason for change. They are unable to assess what is at stake and what success looks like. Moreover, people respond differently to change. Idea of change gets supporting, skeptical and scornful reactions. If not handled carefully, different groups within the organization prepare battle plans to sabotage the program.

Hence, change management strategy is an essential component of program implementation. Given below are some of the risks on the same.

1.   Senior Management Involvement

For approval of the program, the program manager shakes hands with all the senior managers to get their buy-in. Managers assume that the senior management commitment will continue after approval. However, this is rarely the case. With time, commitment will wane if senior managers do not understand the direction of the program and/or start giving priority to other programs. Hence, program managers need to update the senior managers monthly or fortnightly, through review meetings and reports, on the status and plans of the program.

Additionally, users and employees need to see senior managers demonstrate commitment to the program i.e. walk the talk. Program managers need to leverage opportunities to show senior management support for the program. Develop a leadership plan to ensure senior managers become champions of the program.

2.   User/ Employee Adoption

The program managers gear most of the program’s activities towards adoption by the users. For example, in building a risk culture, adoption of a risk assessment template is a milestone. The point is that change agents view program activities in isolation for the pre-go-live stage without considering the overall impact on the organization. Programs influence strategy, process, technology, and people. Without synchronizing the four aspects, even with user acceptance, the program will be unsuccessful in the long run.

The second aspect to consider is the handholding and support after the go-live stage. After implementation of a program, the users may still face some challenges, or new problems and risks may arise. For continued success of the program a team is required to support it, else it will fizzle out.

3.    Multiple Communication Channels

A program requires a good communication plan, and failure in communication jeopardizes the program. Communication messages must be clear, straightforward and from the heart. Corporate jargon and meaningless mantras do not get buy-in from senior management or users. For example, do not have a mission statement for an ethics program that sounds like this:

The company’s mission is to be the most ethical organization in the world by adopting best practices, making it a great place to work and rewarding meritocracy

Employees will roll their eyes at the above statement and consider it management hyperbole. There is nothing actionable or measurable in the statement. Neither are the steps linked to ethics.

Another risk is failure of communication from senior management. Program managers assume that employees understand senior management commitment from strategy and other generic documents. However, adopters need to hear from senior management regularly about their views and aspirations.

Moreover, when programs run into problems, the initial reaction is to hide the bad news from the adopters. Clear, concise communication on the challenges being faced by program managers and the support required gets the program back on track. Communicate more often when the program is running into trouble.

More importantly, change agents sometimes fail to listen to the adopters. Adopters’ feedback is critical for the success of the program. Understand their angry reactions, criticism and challenges. Develop plans to address them and not ignore them.

 4.    Training Plans

 Standard training material is the bane of most programs. Change agents believe that once the training is imparted, their job is done. Some pieces are overlooked in training plans and I have mentioned these before in a post. These are:

  • People have different learning patterns.
  • People are at different stages of learning – beginner, learner, manager, and expert.
  • People do not remember the training for long unless they start using the information in practical work.
  • Old habits are hard to break; hence, people revert to old patterns of working if not monitored.

Last but not least is the content of the training. For example, fraud awareness training is a double-edged sword. The users, who didn’t know a word about fraud, now have some idea of how frauds are conducted. The information can be misused. Moreover, an overload of information may create panic reactions in users. Hence, when to deliver training and what information to give are critical decisions for successful program implementation.

 5.     Reward & Recognition System

For a program to be successful, set up a clear system about reward and accountability for the adopters. Failure to establish a system will result in rewarding mediocrity rather than meritocracy. Further, without implementing a penalty criterion, there is no downside for wrongdoing. Hence, maintain a balance between reward and punishment.

For instance, in an ethics program, build a system of bonus points at time of appraisal for meeting business objectives in an ethical way. If a manager had the option of choosing an unethical means to achieve an objective faster but selected an ethical way though had to work harder, award him/her bonus points. On the other hand, award penalty points to a manager who chose unethical means.

6.    Dealing with Failure

Sometimes, despite best efforts, the program team stares failure in the face. People adopt an inflexible approach and refuse to acknowledge the logical benefits of the program. They foresee their personal and political agendas being negatively impacted, and hence refuse to contribute to the shared purpose of the organization. The situation reminds me of an old joke.

A man bought a parrot as a pet. To his dismay, the parrot had a bad attitude and spoke foul language. The man tried to teach the parrot to behave but the parrot refused to change. One day in a fit of anger the man put the parrot in the freezer. He heard the parrot screaming and abusing for a couple of minutes, then there was silence. The man opened the door of the freezer, the parrot trotted out and said – “I beg your forgiveness for speaking rudely. I promise to behave properly.” The man was amazed at the transformation. Then the parrot said – “May I ask, what did the chicken do?”

To avert sudden failure, periodically conduct organization surveys to understand the acceptability of the program and organization readiness for the next stage. Measure the behavior and sentiment change due to the program. Do not rush to the next stage without ensuring that adopters connect with the program in the existing stage.

 7.    Awareness of Retaliation

Situations can get out of hand when people start retaliating against the program manager and his/her team. Some programs are launched for appearances’ sake. For example, senior management may approve a program for business ethics, diversity or employee participation. However, when the change agents sincerely attempt to run the program to bring about a cultural change in the organization, they get mobbed by the employees. In this case, the junior employees start complaining that the change agents are pressurizing, bullying and forcing them to change. This impacts the heart of the program, and the change agents spend most of their time defending their actions. The senior management doesn’t really want change, and hence looks the other way or gives tacit approval to derail the program and mob the change agents.

In such cases, the change agents have to pay a high price, but the seeds of change are sown. People recognize that there is a better way of doing things, and gradually move towards light.

Closing Thoughts

Change is difficult. We ourselves find it difficult to change, so getting others to change is an obstacle race. As Mahatma Gandhi said on leading the non-violent Indian independence movement – “First they ignore you, then they laugh at you, then they fight you and then you win.” Being a change agent is a test of stamina, perseverance, discipline and sacrifice. There are no low-hanging fruits to pluck, no short-term rewards, no personal glory; however, in the end the organization benefits.


Innovative Assurance and Advisory Services

The business team’s mental picture of an auditor is of a guy focused on nitpicking financial accounts. The excessive focus from regulators on internal controls in finance processes has stereotyped auditors. However, in these dynamic economic conditions senior management expects internal auditors to break out of this image and become business partners. The question is – how can they do so? Let me share with you my story first.

My journey as an internal auditor changed in mid-nineties when I was an audit manager in an auditing firm. One day, I had a meeting with the client’s CAE to discuss the scope of work for the year. The client had in-house internal audit team and outsourced some areas of work. The CAE had mostly worked in UK and US, so was highly exposed to the international environment in comparison to the regular Indian CAEs at that time.

On starting the meeting, the CAE said – “Sonia, I think for the first quarter I would like you to cover marketing and customer service department.” I swallowed and nodded agreement.

He then continued – “Next quarter you can cover production”. I squeaked – “Production?” He replied – “Yes, shop floor audit would be interesting.” I tried to keep my expression under control and not show my shock, and again nodded in agreement.

He further added – “Last two quarters of the year, you can cover purchase department and inventory function”. I knew something about these two areas, so I tried to breathe. As the meeting closed, I started thinking about how I was going to execute this scope of work. You see, there was a small hitch. I generally did service industry audit and this client manufactured cranes and forklifts. What does one audit in marketing of cranes? How are cranes produced? I was absolutely clueless.

As I drove back I wondered whether my boss had intentionally skipped the meeting. He knew if he had accepted this scope of work, I would have had reasons to crib. Now as I had accepted the scope of work, I couldn’t crib. If I did, he would say – “Sonia, you should have negotiated better.” So I took a small diversion and made a stop before reaching my office. My boss was eagerly waiting and from his expression I knew he had already spoken to the CAE. It was a setup! I presented him the scope of work letter, my bookstore bill and the five books I had purchased on marketing function on the way back. He smiled gleefully.

I knew I was in trouble. In those days there was no internet and Google in India. I tried to figure out how I could convince my team that I knew more about marketing cranes than spell it.

Later on I realized that these assignments were the turning points in my career. They shook me out of my comfort zone and taught me a lot. While I could earlier rattle off the financial numbers of my clients, I really didn’t understand their business. What did they do? How did they make money? What challenges do they face in the market place? Without understanding the business, one could hardly do any value add.

So the relevant question is how can auditors become business consultants? Primarily internal auditors are driven in scoping their work according to materiality in financial statements. If we change the focus from financial to business, the scope of work automatically changes. I am sharing with you some of my ideas.

Of course as you read some of the suggestions the question will come up, does it fit into the third line of defense (internal audit), second line of defense (risk management) or the first line of defense (business teams). My view is that first an organization should decide, is this what they require? If yes, then they need to find an appropriate fit in their structure. Though some of these services do not fit the traditional sense of audit, they add a lot of business value. Moreover, the skill set required to perform these services is the same as an auditor or risk manager. The mindset has to be different.

The argument against it is that these are management responsibilities as some of these either appear to be focused on preventive or detective controls, and moreover do not focus on financial processes. The question to ask is – is management fulfilling these responsibilities in other functions? Additionally, if business risks and controls are not addressed, doesn’t it impact financial processes and income? Maybe, senior management needs to come out of the SOX mindset and think differently. Read on and share your views with me.

1.  Job Work Review

I am sure you must be wondering here – what is she referring to? As a corporate citizen you must have heard of management saying that with so many resources the work is still not done. On the other hand employees lament that they are over worked due to insufficient bandwidth. One wonders, are they talking about the same organization? Let me explain in detail as to what we can focus on here.

I had a banking client where the management and employees were in this tussle. Since it was an Indian nationalized bank, the tussle was fast becoming a labor union issue. Management appointed our company to identify the real work issues at a sample branch to resolve the problems. The branch had 50 odd employees and as a first step we asked them to fill a detailed form listing out their activities on a daily, weekly and monthly basis along with the time. We also gave time sheets for the bank employees to fill for a fortnight to record actual work done with time spent.

Meanwhile we analysed job descriptions, processes, MIS and business applications to assess the real activities performed by various departments within the branch. Finally, we conducted interviews with the employees to discuss our observations relating to their job roles and work done. We were able to identify duplicate work done, opportunities for minimizing manual work by using technology, improving processes, reducing time spent on non-value add work, restructuring department functioning and changing job roles. This improved the efficiency of the branch operations besides resolving the management problems.

In another similar assignment for a law office, we analysed billable and non-billable time spent by attorneys. By transferring the non-billable activities to other job roles, the attorneys were able to increase their billable time, hence directly improve revenues.

The point is, all managers are told to prioritize work. Ever wondered what percentage of managers do it successfully? Additionally, what is the impact on revenues because of failure to do so? Isn’t it worth checking out? Shouldn’t organizations focus on employee risks? Employee risks are turning big and are mostly unaddressed.

2. Build Risk Assessment Tools

The business teams are primarily responsible for managing risks; however, they are not trained in risk management. The internal auditors and risk managers have vast knowledge of business risks. Then isn’t it worthwhile to bridge this gap? Here I will give you an example of what we did for a software development company.

The program managers were running million-dollar software projects. As you know, project risks impact the cost, quality and time of the project. The software development teams focus more on running the project than on doing project risk management. Hence, we developed an Excel tool for them. The spreadsheet contained over 600 risks on various stages of a software development project. The project manager just had to assess whether a risk was applicable to the project and select a listed risk mitigation plan. S/he had to input the name of the person responsible for managing the risk and the time schedule. Only in rare cases did project teams identify a new risk, which we incorporated in the next version of the tool. An activity which took the project teams days of discussion could be completed within a day, and the project manager could review the risk status within an hour on a weekly basis. An overall organization count was available on risk occurrence, success/failure of mitigation plans and risk losses.

Empowering the business teams with appropriate tools to conduct risk management is far more beneficial than a post facto audit. A reduction in risk loss directly improves profitability.

3.  Process Design Review

Internal audit and risk management functions generally are not involved in the process review at the designing and re-engineering stage. They audit the process after it is functioning and then identify control gaps and give recommendations for improvement. Doesn’t this sound like attempting to catch an elephant by its tail? I will share with you my ideas on this area.

When an organization is establishing its back offices, usually the processes are migrated with the same controls as existed before. However, the risks and control requirements change considerably on process migration. If an auditor reviews the process and standard operating procedures at the process migration stage, not only will business risks be addressed, it will also save a lot of time in doing a subsequent audit. Additionally, management will be able to identify whether the process is high, medium or low risk and budget risk loss accordingly in the cost-benefit model.

The same applies when management is re-engineering processes according to six-sigma or lean or any other model. Sometimes on re-engineering processes, the existing control steps are removed to reduce work time and improve efficiency. However, no other compensating controls are put. This increases the risk of the process without management’s knowledge.

Reviewing processes proactively for controls and risks reduces probability of subsequent damage due to control failure. It significantly mitigates fraud risk also. Moreover, it reduces the audit time significantly.

4. Software Implementation Review

Again I see here that auditors review application controls at the time of SOX or financial audit. An assurance needs to be given on the technology controls. However, the cost of changing an application program after implementation is 3-4 times the cost at the time of development. Hence, doesn’t it make sense to review the software program at the time of implementation, whether it is an ERP or customized application?

To demonstrate the value of the work, I am narrating my experience of doing an assignment for a government tax department in India. The department was implementing technology for the first time to improve tax collection. According to its estimates because of the manual systems and delay in collecting information, it was losing revenue in millions due to tax evasion. They had appointed a hardware vendor and software vendor, and then my organization for auditing. We worked with the department to review the technology implementation strategy, user and functional specifications for controls, network diagram for information security and conducted application controls testing. This saved the department from various problems that would have occurred after implementation.

Proactively addressing technology controls saves the organization subsequent cost of changing them and mitigates the risks occurring from control lapses. Conducting an ongoing review of implementation of critical business applications is beneficial.

 5. Policy Decisions Review

Now this is something that most auditors and risk managers do not go near as policy making is management responsibility. However, I am going to narrate an incident here, and let you decide whether it makes sense to re-look the policies.

I was conducting a financial statements audit of a consumer goods trading company. While checking the discounts given on a product, I realized that the total discount given was eroding the profit margin. The company had various discount categories, for instance – special discounts, festival discounts, dealer discounts etc. However, it was not calculating the total of these discounts for each product. Hence, it didn’t realize that though the sales were increasing, the discount policies were faulty and eating away the profit margin. I did a marginal costing analysis, and assessed that if they continued with this policy the company would lose its “going concern” status in three years. Management was horrified on seeing my report and realizing that various discount policies cumulatively could have such an impact.

Look at it from another angle. If you see the banking sub-prime crisis, maybe a review of the policies to give loans to financially weak or unstable income borrowers would have reduced the risk. If the banks had limited loans disbursed to this category to a small percentage of the total retail lending, this situation may not have occurred. Conducting an audit after loan disbursement and commenting on the quality of loans hardly helps.

My suggestion here is that when policies are issued, they need to be reviewed for financial and risk impact. Issuing single policies doesn’t sound like a big deal, however when sum total impact of a group of policies in a specific area is analysed, the picture is quite different.

6. Fraud Risk Assessment

In a speech given by the Governor, Reserve Bank of India to the Institute of Chartered Accountants of India in December 2011, he said – “The profession has shied away from the responsibility for prevention and early detection of fraud.” This is a valid allegation. Although fraud risk is increasing at a tremendous rate, most organizations lack focus. Banks have fraud risk functions; however, they are more focused on investigations. The thrust on fraud prevention can be improved.

Let me give you an example here. In India either banks are shifting back office operations or outsourcing it to vendors. Now these back offices have multiple processes, mostly run by people who are service delivery experts. The teams sometimes lack banking industry knowledge and are clueless on fraud risks of the process. At the time of process migration, training is provided to detect transaction level fraud. However, if you ask the process owners whether the processes they are running are – high, medium or low fraud risk, they will be unable to answer that.

I had once with my team developed a fraud risk assessment tool for banking back office operations. A weight was given to each data item that could result in fraud. For example, an employee having access to customer information can conduct account takeover fraud in a call center. The information normally required is name of the customer, account number, address, date of birth and debit/credit card number. If this data is available, the probability of fraud increases. Hence, the tool captured the data availability for each process and calculated the level of fraud risk for the process. Management and process owners knew the high fraud risk processes and could allocate more resources to fraud prevention to these processes. Incorporating controls in these processes reduced the overall fraud risk of the organization.
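A minimal sketch of this kind of data-availability scoring follows; it is an added example, not the tool described in the post. The five data items are the ones listed above, while the numeric weights, the tier cut-offs, the process names and the masking helper are assumptions made for illustration.

```python
from dataclasses import dataclass

# Weight per data item. The items are those the post lists for call-centre
# account takeover; the numeric weights are assumed, not taken from the post.
WEIGHTS = {
    "customer_name": 1,
    "address": 1,
    "date_of_birth": 2,
    "account_number": 3,
    "card_number": 3,
}
MAX_POINTS = sum(WEIGHTS.values())

# Assumed tier cut-offs, in points out of MAX_POINTS.
HIGH_POINTS = 7
MEDIUM_POINTS = 4


@dataclass(frozen=True)
class Process:
    name: str
    data_items: frozenset  # data items that staff running the process can view


def exposure_points(process):
    """Sum the weights of the data items the process exposes."""
    unknown = process.data_items - set(WEIGHTS)
    if unknown:
        # Refuse to score rather than silently under-rate an unweighted item.
        raise ValueError(f"{process.name}: unweighted items {sorted(unknown)}")
    return sum(WEIGHTS[item] for item in process.data_items)


def risk_tier(process):
    """Classify a process as high, medium or low fraud risk."""
    points = exposure_points(process)
    # Holding every listed item is enough for account takeover: always high.
    if process.data_items >= set(WEIGHTS) or points >= HIGH_POINTS:
        return "high"
    return "medium" if points >= MEDIUM_POINTS else "low"


def best_item_to_mask(process):
    """Item whose masking removes the most points (ties broken by name)."""
    exposure_points(process)  # validates the item names
    if not process.data_items:
        return None
    return min(process.data_items, key=lambda item: (-WEIGHTS[item], item))


def rank(processes):
    """Order processes from highest to lowest exposure."""
    return sorted(processes, key=lambda p: (-exposure_points(p), p.name))


# Constructed sample processes (hypothetical, for illustration only).
SAMPLE = [
    Process("cheque_image_indexing", frozenset({"account_number"})),
    Process("statement_printing",
            frozenset({"customer_name", "address", "account_number"})),
    Process("kyc_document_scanning",
            frozenset({"customer_name", "address", "date_of_birth"})),
    Process("call_centre_servicing", frozenset(WEIGHTS)),
]

if __name__ == "__main__":
    for p in rank(SAMPLE):
        print(f"{p.name:24} {exposure_points(p):2}/{MAX_POINTS} "
              f"{risk_tier(p):6} mask first: {best_item_to_mask(p)}")
```

The ranking tells process owners where to spend fraud prevention effort first, and the masking helper points at the single field whose removal from a screen lowers a process's exposure the most.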

As mentioned in an earlier post, the Kroll Fraud Report of 2011 states that globally organizations reported on average a 2.1% earnings loss due to fraud and nearly 1/5 of the organizations had a 4% earnings loss. In cases of senior management involvement, for instance Satyam, Enron and WorldCom, organizations are nearly wiped out. Fraud risk additionally impacts financial, reputation and legal risks. Hence, organizations definitely need to focus on it.

 7. Review of Management Programs

Management initiates various programs, namely for – innovation, research, quality improvement, leadership development, etc. There is a lot of time and money spent on these programs as these enable the organizations to gain a competitive advantage. Risk managers talk about competitive advantage risks, however these programs do not come under the review radar of either internal auditors or risk managers. They check that the cost of programs is booked correctly, and are unconcerned about the success of the program and/or reasons for failure. Reason being, no obvious risk is seen.

My view is that if a program is developed to gain competitive advantage, then obviously its failure results in increasing competitive disadvantage. That increases business risks. These risks might not be immediately quantifiable, but have long-term impact. However, the reasons for program failure are not obvious, and the failure results in sunk costs for the program.

For instance, in a company I had run an organization survey to get feedback on implementation of a quality framework. Normally, negative feedback identifies the following problems – lack of senior management support, insufficient training, lack of implementation support, no hand-holding done in first project etc. In the feedback given, the respondents stated that these issues were addressed well and they had no complaints on these fronts. However, they were not motivated to use the framework because there was no reward or recognition system in place for doing well in this area. After implementing an employee bonus scheme for adopting the framework and using it well, participants’ commitment levels for the program improved.

As I had mentioned in an earlier post “Creativity@Risk”, organizations’ innovation programs may not be effective because creativity is not valued. I had given steps to audit creativity levels in the organization. Think of it, if innovation and research is failing, don’t the competitive advantage risks increase? How are organizations calculating and addressing these risks?

8. Brand Building Programs Review

Organizations are investing heavily in building brand names to gain competitive advantage and customer loyalty. They run advertising, social media and corporate social responsibility programs geared towards it. However, some are succeeding in their efforts, while others are reaching nowhere, especially Indian companies. For example, the global Brand Keys Customer Loyalty Leader report of 2011 doesn’t mention even one Indian company in the top 100 brand names. Hence, the question is where are all the advertising and brand building budgets going?

A review of the effectiveness of these programs helps to build better customer relationships. For example, some banks have launched games on their websites to get Gen Y customers. If a customer logs in and does some transaction or activity on the website, s/he gathers points. After accumulating a certain number of points, the customer is given a small gift. It is targeted towards building customer retention and loyalty. The cost of the program is low, impact is high.

Another aspect now facing organizations is social media risks. Any negative information that goes viral can damage the company reputation. Hence, the probability of reputation risks has increased. To ensure that these are properly mitigated and the programs are effective, these programs can be periodically reviewed.

9. Strategy Review

In an earlier post I had mentioned a point from a McKinsey report. It states that just 8% of the respondents said that their organizations review strategies on an ongoing basis. In 42% cases, the organizations were not conducting annual reviews of strategy. Now without reviewing the strategy, how do organizations really know where they are heading?

In another recent report of the Economist Intelligence Unit titled “The Long View” the key observation was that – “The time horizons for strategy and risk are often misaligned. Some companies are making longterm strategic plans without a proper consideration of the associated risks.” The main reason is that risk management is considered an operational activity rather than a strategic function. This is highlighted by the fact that just 24% of organizations think that risk analysis is vital for strategy development.

To illustrate the need for strategy review, I am narrating an incident. I was pitching for work to a CEO. He handed me his strategy documents for building 100 collection centers. I analysed the numbers, and realized that though the revenue numbers and assumptions were correct, the costing was not so. I visited a few collection centers, developed an operational plan and costing analysis and submitted the revised numbers. When the CEO saw the numbers, he asked me for my recommendation. I said in a straightforward manner – “If I was in your position I wouldn’t implement this project. Though revenue numbers are good, the break even point is at 75%. There are no quick earnings and failure probability is high.” The CEO agreed with my observation and the project was not undertaken.

As I persistently continue to make this point, strategy review is essential for success. A lot of funds are wasted on wrong strategies. Start with focusing on the strategy formation process and reviewing business strategies to move up the value chain.

10. Business Continuity Plan Review

Most organizations dependent on information technology have disaster recovery plans and/or IT recovery strategies. Few have developed and implemented full-fledged business continuity plans envisaging various natural and man-made disasters, although with the increasing frequency of floods, earthquakes, hurricanes and terrorist attacks this would be an obvious move. Last year the earthquake in Japan and floods in Thailand caused problems for companies worldwide whose vendors were located in these countries. The supply chain broke down.

Conducting a business impact analysis requires classifying each activity in the business process as critical, necessary or optional in case of a disaster. Some activities might be required in normal business functioning but not in a disaster scenario. For example, for a bank, having credit card operations running 24/7 is critical; however, a loan application approval process can be delayed for a couple of days without a big problem. A solution is required for all critical activities. For instance, in the 9/11 attacks in the US, the Amex center in Delhi acted as the backup center for US offices. Amex was one of the few companies whose customers didn’t feel any impact on customer service due to the incident. Hence, ensuring that all critical activities have a backup facility with trained resources operable in a short time span is critical for business continuity.

A review of the plan and testing documents ensures that there are no gaps and all possible disaster scenarios are covered. A periodical review is required as sometimes processes and business change, while the business continuity plan is not updated.

Closing Thoughts

To provide value add to business, auditors and risk managers need to focus on these services. The Big 4 earn most of their revenues providing these services to clients as few companies have developed in-house capability. Some organizations, though, have shown progressive thinking and renamed internal audit departments as business assurance and advisory functions. One arm of the department focuses on regulatory requirements of internal audit and the other arm focuses on providing assurance and advisory services to various stakeholders within the enterprise. The cost of setting up the function is low, the rewards are high. Senior managers just have to re-imagine audit and risk management functions. It will be worthwhile.


  1. The long view – Getting new perspective on strategic risk by Economist Intelligence Unit
  2. Brand Keys Customer Loyalty Leaders 2011
  3. Challenges to the Accounting Profession: Some Reflections – Speech of Dr. Duvvuri Subbarao, Governor of Reserve Bank of India on 16 December

Strategy to Execution – A Risky Path

Some companies fail and some succeed spectacularly in the same market conditions. The question for successful companies is – what did they do differently? On the other hand, failure is attributed to either poor strategy or pathetic operations. A popular notion among managers is that if the company is not achieving targets, then review the strategy, something must be wrong with it. If the strategy is found reliable, review the operations and focus on them to be successful. Is the explanation for failure that simple?

In my view failures occur because complexities of the situation are either ignored or misunderstood. The third-fourth-fifth dimensions are normally missed and must be looked into. The overall strategy might be right, the execution flawless, and the company may still be staring failure in the face. According to me the path from strategy to execution is very risky. Below are my views on the same, do you agree with them?

1. The Human Dimension

Let me give you an example that most employees are familiar with:

Objective of the company: Make the organization a “Great place to work”.

Strategy to achieve the objective: Focus on diversity, work-life balance and a good leadership pipeline.

Execution plans: Hire 25% women, promote 10% women to senior levels, issue a policy on work-life balance, introduce 360 degree feedback and a balanced scorecard system.

All the execution plans were implemented; however, employees are still cribbing and consider the organization one of the worst places to work. So what went wrong?

Now let me give you a few situations that occurred in the organization:

a) A gorgeous looking woman was placed in a senior management position who was rumored to be having an affair with a CXO. Employees down the line didn’t like her personally as she did not have a reputation of high professional caliber or ethics.

b) A few employees gave honest negative feedback about their bosses in the 360 degree feedback. In less than a quarter, the bosses, with the help of the human resources department, terminated or demoted the employees.

c) Bosses allowed the employees to leave office premises by 6 pm. However, they asked employees to work at home and deliver reports the next morning at 9 am.

The missing component – the human dimension – was overlooked. The culture of the organization didn’t change with the strategies and plans. The message that employees received was – “One gets promoted if one sucks up to the boss, merit doesn’t count, honesty has a huge downside and bosses will harass. Nothing has changed.” The tone at the top remained the same and no one was seen walking the talk. Hence, though everything looked good on paper, all execution deliverables were achieved and the execution team met the key performance indicators, the objective wasn’t accomplished. People make the difference, hence analyzing culture, messages and in some situations even the grapevine is helpful.

2. The Organization History

An often-ignored factor in the failure of a strategy is the organization’s history. History – good and bad – makes a difference to the success and failure of a strategy, as it directly impacts commitment levels. If the organization has had bad incidents or history, a host of issues become undiscussable. These undiscussable issues make communication superficial, hide negatives in the woodwork and portray the picture that management wants to see. In a globally connected world, even a small incident can become a historical landmark. To bring clarity to my point, I am narrating an incident that I experienced.

I was working in an organization in which one of the core values was “respect for everyone’s time”. The offices were open plan, with no difference between a CEO desk and an admin desk. All meetings were conducted in various conference rooms and room bookings were done through an intranet application. The cultural guideline was – do not overstay in a room as it may be booked by another group/individual. There were no reserved conference rooms for senior managers.

One day a new employee with his group saw that the people in the conference room he had booked for a meeting continued in the room after their meeting time had elapsed. He knocked on the door and asked the team inside to leave. The other employees outside were horrified. After 5 minutes, when he saw no action, he knocked again. The team inside walked out and all employees were red-faced. The poor chap had just evicted the Global CEO and his executive team from the conference room.

News traveled globally within a few hours of the incident. The mathematical geniuses developed statistical models on the probability of the new employee being asked to leave. Others, like me, indulged in simple betting. Within a week the CEO sent a global message appreciating the employee for adhering to the organization values. He said that he felt good that induction training was effective, HR was doing a good job in recruitment & selection, and employees were fearless in confronting seniors on core organization values. All employees were absolutely jubilant on losing their bets. The incident became part of organization history and employees were inspired by the leadership. Commitment to a strategy comes from the heart and not from the numbers given in a PowerPoint presentation. In some situations, analyzing the past history of the organization and the failure rate of strategies might be helpful.

3. Reliance on Performance Management Systems

Norman Marks, in his post “The inter-relationships of risk, objectives, strategy and performance”, rightly said that “performance management without considering risk is flying blind.” I agree with this statement. However, my question is – are organizations really measuring the right stuff? If not, are organizations deluding themselves into believing that they are monitoring and, as all performance indicators show green status, everything is great?

Let me narrate here my pet peeve on risk management performance indicators. Tell me, how many of us have filled in a balanced scorecard or prepared an annual plan stating the number of risk management reports issued during the year? Additionally, recall the numerous times assurance has been given to senior management based on the reports issued and their findings.

According to me, these performance indicators for a risk management department make limited sense. Better indicators would be:

a) To calculate the amount of loss averted from timely risk mitigation. Or,

b) Counting the number of days organization risk was higher than the established risk appetite of the company.

However, only a few companies keep these performance parameters because they are difficult to calculate and require robust management systems. So we rely on parameters that actually tell us nothing more than the fact that some work is being done. Therefore, my contention is that even if the risk of not issuing 12 risk management reports (a performance measure) during the year were identified, it might be an irrelevant risk identification. A good idea, when doing management by objectives, is to check what the company is measuring.

4. The Organization Structure & Systems

The focus is on developing the strategy and operation plans; however, the point that is missed is whether the organization structure and systems are conducive to accomplishing the envisaged operational efficiency.

The prime example of this is establishing back-office operations in emerging markets or outsourcing processes. Most organizations initially offshored to save on costs. The cost-benefit analysis was done with the explicit cost of labor and other costs in mind. However, the implicit cost of managing the operations remotely, variance in customer service quality, breakdown of services and increased risk of fraud were not considered. Quite frequently, the same process was outsourced without much re-engineering for outsourcing. This resulted in cumbersome and long processes, higher management time and more risks. Only in rare cases was the organization structure aligned to outsourcing activities and managing the complex relationships.

In this case, the strategy was fine and effort was put into setting up back-office operations properly. However, the interlinked impact on various functions and activities was ignored. Basically, the problems arose due to structure and systems, as these were not considered at the strategy formation stage.

5. Strategic Risk Management

Finally, the concept of strategic risk management is gaining popularity, though it still has a long way to go. Problems sometimes arise in implementing a strategy, because at the time of formulation the strategic risks were not identified and assessed. Hence, the organization has a rosy picture of the strategy.

The additional challenge is when strategic risks are identified, but not properly. Some hold the opinion that strategic risks are best identified by the top management or the chief risk manager, and that the frontline operations teams do not have a role to play. My view is that while strategy may be developed at the top, the risks need to be captured at all levels and rolled up to the strategy development team.

To illustrate, let me share with you the venture of international fast food joints in India. KFC, McDonalds etc. made losses in the Indian market initially. The reason for entering the Indian market was clear – a huge educated middle class provided a good customer base. They replicated their operations model in India. However, they really didn’t understand Indian tastes. Indians preferred spicy food and didn’t appreciate the bland American taste. Secondly, Indians initially took these meals as snacks and not for lunch or dinner. Hence, they were willing to spend much less than they would in an Indian restaurant. It took the companies 3-4 years to understand the difference in customer tastes and expenditure patterns, and change the menu accordingly. Customer risk was local whereas the strategy was formed globally. The strategy failed due to a lack of understanding of the local market.

Hence, in my view strategic risk management is not a simple exercise undertaken at the top of the company pyramid. A robust enterprise risk management system aligning objectives, strategies and risks is definitely beneficial. If an organization is not meeting its key performance indicators, even when there are no obvious problems with operations, a thorough analysis of risks at all levels sheds light on quite a few issues.

6. Impact of Systemic Risks

Another aspect that is least understood in organizations is systemic risks. Organizations adopting enterprise risk management assume that since the key risk indicators are showing low risk, everything is running smoothly. However, as seen in the financial crises, the impact of systemic risks is huge. Underestimating it or ignoring it can nearly wipe out the organization.

The Turner report highlighted the impact of systemic risks in the banking sector with the following lines:

“Five key features of this new model played a crucial role in increasing systemic risks, contributing to the credit boom in the upswing and exacerbating the self-reinforcing nature of the subsequent downswing:
(i) The growing size of the financial sector.
(ii) Increasing leverage – in many forms.
(iii) Changing forms of maturity transformation.
(iv) A misplaced reliance on sophisticated maths.
(v) Hard-wired procyclicality.”

Although in the blame game the investment bankers are being labeled as the culprits for playing in the CDO market, it was the interconnections between retail and investment banking that resulted in the crisis. The retail bankers gave home loans to individuals with doubtful repayment capacity to leverage the boom in the real estate market. The simple explanation is that the collapse of the real estate market negatively impacted the recovery of loans, which made the CDOs worthless. The key lesson to learn here is that strategies can fail majorly if they are not protected against the impact of systemic risks.

7. Leadership Quality

The quality of leaders makes the largest difference to an organization’s success. Can one imagine GE’s tremendous success without Jack Welch? He accomplished a lot as a leader, though he portrays himself modestly in his book “Straight From The Gut”. He narrates –

“I came to the job without any external CEO skills. I had rarely dealt with anyone in Washington, even though the government was more into business than ever. I had little experience dealing with the media. My only press conference was a scripted session with Reg on the day GE announced I would be the next chairman. I had only one or two brief outings before the Wall Street analysts who followed GE. And our 500,000-plus shareholders had no idea who Jack Welch was and whether he would be able to fill the shoes of the most admired businessman in America.”

Jim Collins in his book “Good to Great” analysed the impact on companies that had level 5 leaders. Organizations with level 5 leaders showed consistent performance and a far better shareholder return than their industry counterparts. Hence, if either strategy or operations are failing, the quality of leadership should be looked into.

8. Assessment of Strategy Formation Process

Last but not the least is a discussion on strategy itself. Two thoughts come to mind – how should a strategy be assessed for effectiveness and when should the strategy be modified or changed? The quality of strategy itself is in doubt sometimes.

The key reasons for adopting a wrong or misguided strategy relate to some of the points I had mentioned in my earlier posts on strategic risk management:

a) Very few organizations have a proper process for strategy formation. For most it is an end of the year data accumulation practice from different business units. An organization level strategy considering all interconnected aspects of business may not have been devised.

b) The Board and CXOs generally do not negate a strategy given by the CEO or a fellow colleague. The political repercussions of challenging a CEO’s or CXO’s strategy can be huge, hence most keep their opposing opinions to themselves.

c) If the organization culture is not focused on creativity, ideas and learning, new strategies will not be presented for fear of being mocked or run over. Hence, contrary to popular perceptions the strategy pipeline is quite dry.

d) Moreover, the choices of strategy selection with CEO/CXO are limited. They receive ideas which people down the line have collectively agreed to. These might not be the best ideas as the popular ones generally do not shake people out of their comfort zones.

Understanding these circumstances for assessing the quality of strategy can be difficult. Senior management in such situations has to start from scratch to develop a strategy formation process. If the formation process is full of loopholes or ineffective, the probability of having a good strategy is low.

Closing Thoughts

In a nutshell, getting the strategy and operations right is critical for organization success. However, these two components by themselves do not guarantee success; they are just the building blocks. Other management and organization parts need to be aligned properly to the objectives and strategy of the organization. A holistic picture is required to accomplish objectives. In case of failure in achieving objectives, a review of strategy and operations is definitely beneficial. However, the aspects underlying these should be delved into deeply to do a proper root cause analysis. Looking beyond the obvious helps.


  1. Turner report – A regulatory response to global financial crises – Financial Services Authority, UK
  2. Straight from the gut – Jack Welch with John A. Byrne
  3. Good to Great – Jim Collins
  4. Norman Marks Blog

The Business Enterprise Magazine published this post in its February 2012 issue.

Fraud Symptom 8- Breaches of Internal Controls

The Enron case highlighted that inadequate internal controls cause huge damage to the organization. Subsequently, the Sarbanes Oxley Act section 404 focused on making it mandatory for organizations to implement good internal controls. However, don’t view internal controls in isolation from the organization culture. As I had mentioned before, the internal controls of an organization are only as good as its culture. The probability of breach of internal controls is higher in negative cultures. (Read Impact of Organization Culture on Internal Controls). In this post, though, I am focusing entirely on internal controls without linking them to the organization culture.

While the organizations expanded and grew, the focus on internal controls reduced. When we consider the bigger fraud cases, Enron, WorldCom, Barings etc., the organizations’ management committed one or a combination of the following mistakes.

a) Management stopped old control systems without introducing new control systems.

b) In some cases, continued to use old systems without conducting a review to assess their reliability and usability.

c) On the other hand, in some companies management relied on new systems without assessing their accuracy and timeliness.

d) Lastly, assigned roles and responsibilities without segregating duties and defining clear reporting lines.

In a nutshell, one can say that management lacked focus on implementing internal controls. Due to these weaknesses in the internal control systems, management and auditors failed to detect frauds done by employees. The KPMG 2010 India Fraud Survey stated that 75% of Indian organizations experienced fraud. It further mentioned:

“Supply chain fraud (procurement, distribution and revenue leakage) is the single most exposed area. Weak internal control systems, eroding ethical values and a reluctance on the part of the line managers to take decisive action against the perpetrators are cited as the most vital underlying reasons for frauds being on the rise.”

So let me start with the ways lapses in internal controls in the purchasing process can result in huge fraud. The Commonwealth Games fraud depicts the methods that are used to tamper with the purchasing process. Here are some examples, which apply to organizations:

1.    Contracts awarded without ensuring reasonableness of requirements – The basic premise of issuing a purchase contract is that there is a business requirement for a specific good or service. Breaches of internal controls occur when employees create unnecessary requirements to favor a certain vendor. To illustrate, in India the terrorist threat is high; however, there hasn’t been any major incident of an office premises being targeted. Now let us say the physical security team plays on the nerves of senior management, since security is essential, and creates many unnecessary requests for equipment. For example, a request for automobile blocking ramps at gates, which may not be used in any other offices. Now each installation runs into lakhs and the physical security team gets kickbacks from the vendor for the contract.

Another way of circumventing the controls is to order in excess of requirement. For example, the organization needs 100 units of X product and the order is given for 200 units. Now since the business requirement is met, the excess stock will be ignored. The concerned employee can either get the excess stock delivered outside the office for personal use or, if it is delivered to the office, steal the stock later on.

2.    Contracts awarded without ensuring reasonableness of rates – Normally the bidder with the lowest rates and best quality gets the contract. Multiple vendors are invited to submit quotes. However, the purchasing team can easily breach the internal controls by doing false paperwork. Let us say that X vendor quoted the most reasonable price for a product. However, the purchasing team has tied up with Y vendor. Hence, it just discards the documents submitted by X vendor and produces two additional sets of bidding documents in which Y vendor is reflected in the best light.

3.    Payments made without receiving goods and services – The purchase contract states the payment terms. Advance payments amount to 10-20% of the total purchase price. The payments team in the finance section can contravene this control by making advance payments for 70-80% of the contract without receiving any goods or services. This affects cash flows and the company loses interest income. The other risk is that if the vendor subsequently gives sub-standard goods or services, the company does not have many tactics for negotiating fair terms with the vendor.

4.    Contracts terminated on flimsy grounds – Most organizations invest significantly in vendor relationships since good relationships result in lower costs and better quality. However, to meet personal agendas employees can get the contracts terminated on flimsy grounds. To illustrate, let us say the physical security team evaluates the security contract for the premises, inclusive of guarding services. Now, if the same security vendor provides services in all office locations of the organization, the cost will be lower since the vendor has economies of scale. However, the physical security team approves contracts of different vendors for different locations and terminates the contract on a yearly basis without renewing the same. The reason behind it is that the physical security team gets a kickback for every fresh contract.

5.    Fake purchase contracts issued – In the worst-case scenario, employees can issue fake purchase contracts to vendors for meeting personal expenses. For example, let us say a physical security team has an XXX amount of budget for securing the organization. On the face of it, the team issues the contract to a guarding agency to protect an office premises. However, in reality the contract is given to spy on other employees for harassing them. In such cases, the organization suffers huge costs, as it is difficult to identify the true purpose of the contracts.


There are some key lessons to learn for senior management from these corporate disasters.

a)    Firstly, review process controls on acquisition of a new company, business or process. Conduct an independent review of controls to assess the vulnerability.

b)    Secondly, create new job descriptions with clear lines of responsibility and accountability. Remember that segregation of duties is essential for effective control. If employees are in the same positions for a long time, rotate them to ensure they don’t get too comfortable in their positions.

c)    Monitor results through key performance indicators, exception reports and budget variances.

d)    Appoint independent external auditors (big four or other reputed concern) to evaluate the controls.

e)    In case of purchase contracts, audit the suppliers to determine the authenticity of the contracts.

f)     Conduct interviews with employees, consultants, contractors and subcontractors to assess whether kickbacks are being paid or received while entering into contracts.
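The exception reports recommended in lesson (c) can be derived directly from purchase data. The sketch below is an added example, not part of the original post: it tests constructed records against three of the breaches described above (ordering in excess of requirement, advances above the 10-20% norm before goods are received, and a new vendor on every yearly contract). The record fields, the 20% cap and the three-contract minimum are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumption: the post puts normal advances at 10-20% of the price, so any
# payment above 20% made before goods receipt is reported as an exception.
MAX_ADVANCE_RATIO = 0.20


@dataclass
class PurchaseOrder:
    po_id: str
    vendor: str
    location: str
    item: str
    required_qty: int           # quantity on the approved requisition
    ordered_qty: int            # quantity on the purchase order
    contract_value: float
    paid_before_receipt: float  # amount paid before any goods/services arrived
    start: date


def excess_quantity(orders):
    """Orders placed for more units than the approved requirement."""
    return [(o.po_id, o.ordered_qty - o.required_qty)
            for o in orders if o.ordered_qty > o.required_qty]


def excess_advance(orders, cap=MAX_ADVANCE_RATIO):
    """Orders where the advance paid before receipt exceeds the cap."""
    flagged = []
    for o in orders:
        if o.contract_value <= 0:
            # No ratio can be computed; any payment here is itself an exception.
            if o.paid_before_receipt > 0:
                flagged.append((o.po_id, None))
            continue
        ratio = o.paid_before_receipt / o.contract_value
        if ratio > cap:
            flagged.append((o.po_id, round(ratio, 2)))
    return flagged


def vendor_churn(orders, min_contracts=3):
    """Location/item pairs where every successive contract went to a new vendor."""
    groups = defaultdict(list)
    for o in orders:
        groups[(o.location, o.item)].append(o)
    flagged = []
    for key in sorted(groups):
        vendors = [o.vendor for o in sorted(groups[key], key=lambda o: o.start)]
        changes = sum(1 for a, b in zip(vendors, vendors[1:]) if a != b)
        if len(vendors) >= min_contracts and changes == len(vendors) - 1:
            flagged.append((key[0], key[1], vendors))
    return flagged


def exception_report(orders):
    return {
        "excess_quantity": excess_quantity(orders),
        "excess_advance": excess_advance(orders),
        "vendor_churn": vendor_churn(orders),
    }


# Constructed sample data, for illustration only.
SAMPLE_ORDERS = [
    PurchaseOrder("PO-001", "Vendor A", "Delhi", "product X", 100, 200,
                  50000.0, 5000.0, date(2011, 1, 10)),
    PurchaseOrder("PO-002", "Vendor B", "Delhi", "blocking ramps", 2, 2,
                  400000.0, 300000.0, date(2011, 2, 1)),
    PurchaseOrder("PO-003", "Vendor C", "Mumbai", "guarding", 1, 1,
                  120000.0, 18000.0, date(2009, 4, 1)),
    PurchaseOrder("PO-004", "Vendor D", "Mumbai", "guarding", 1, 1,
                  120000.0, 18000.0, date(2010, 4, 1)),
    PurchaseOrder("PO-005", "Vendor E", "Mumbai", "guarding", 1, 1,
                  120000.0, 18000.0, date(2011, 4, 1)),
    PurchaseOrder("PO-006", "Vendor F", "Delhi", "guarding", 1, 1,
                  120000.0, 18000.0, date(2009, 4, 1)),
    PurchaseOrder("PO-007", "Vendor F", "Delhi", "guarding", 1, 1,
                  120000.0, 18000.0, date(2010, 4, 1)),
    PurchaseOrder("PO-008", "Vendor F", "Delhi", "guarding", 1, 1,
                  120000.0, 18000.0, date(2011, 4, 1)),
]

if __name__ == "__main__":
    for check, hits in exception_report(SAMPLE_ORDERS).items():
        print(check, hits)
```

A flagged record is a prompt for review against the requisition, goods receipt note and bid file, not proof of fraud.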



KPMG India Fraud Survey Report 2010


Fraud Symptom 5- Insufficient focus on organization culture and processes

Organization culture is defined as the sum total of the psychology and attitudes which are communicated by the leadership team to the employees and the ethics, values and beliefs which are incorporated for execution of work and obtaining business objectives. However, organization culture is an often-ignored risk for assessing propensity towards corporate fraud.

As I had mentioned previously, the impact of organization culture on internal controls is significant. In a healthy organization culture there is open and honest communication between all parties without any fear of retribution or retaliation. In organizations with constructive cultures, the senior management is transparent in its dealings and there is serious focus on business ethics, with senior management walking the walk. Intel is one organization which has a strong focus on building a corporate culture. In any Intel office, one will find the same psychology and attitudes reflected. One of its core values is constructive confrontation and the CEO’s office conducts a global survey to determine adherence to the value.

In Intel, the focus on business ethics is excellent. Besides the regular signing of the code of conduct, there is extensive ethics training regularly. To illustrate how serious they are in implementing ethics, in Intel India 250 staff were fired a few years back for submitting fraudulent bills for salary claims like conveyance, driver’s salary, leave travel allowance (LTA) etc. This included some very senior level staff too. In India, it is a common practice for staff to submit fake bills to claim reimbursements and some organizations do nothing about it. Intel has a business practices excellence (BPX) program that ensures adherence to the code of conduct covering diversity, harassment, gifts, bribes, corruption, suppliers etc.

However, in a deviant organization culture the leadership communicates to the employees that participating in criminal and unethical practices is normal. The management and employees rationalize that participating in white-collar crime and illegal behavior to achieve goals and targets is perfectly justified. Organizations having aggressive/deviant work cultures, which are number driven and lack humanity, impact the control environment negatively. In such cases, for the sake of efficiency, legal requirements are compromised and the environment may become unsafe to work in. The control environment in such cases may be seriously impacted, as there may be strong alignment towards unhealthy and corrupt business practices. In such cases, the risk management teams are superficial and have little say. As mentioned in the book Greed and Corporate Failure - The Lessons from Recent Disasters authored by Stewart Hamilton and Alicia Micklethwait –

“Enron’s risk managers were supposed to challenge and validate the assumptions upon which the calculations were based to ensure that they were reasonable, but often failed to do so. As one recounted, ‘at times we were so overwhelmed with work that we could do little more than check the arithmetic, and in any event, it was difficult to turn down deals that would directly affect a colleague’s remuneration’. On at least one occasion, a business unit bypassed internal risk management and cleared a major deal directly with Andersen.”

As seen from the Enron case, a dominant minority controls the majority. Most of the staff is “going along for getting along.” Fear of job loss and retaliation keeps the staff quiet. A recent survey conducted by CEB indicated that employees are unwilling to share honest negative feedback if they think it impacts their careers. Results from the survey show:

• Fifty-nine percent estimated that more than $1 million worth of harm to the company would have to be at stake for employees to share honest (negative) feedback.

• Twenty-nine percent estimated that more than $10 million would have to be at stake.

In India, there is not much focus on building a uniform organization culture within the organization. In most cases, mission, vision and values are mentioned in the induction training and later the employee forgets the same. A new employee signs a code of conduct with the appointment letter, however in most cases there is no specific training given on adherence to the same. In quite a few cases, the detailed policies and framework for monitoring the adherence of business ethics will not be available. Without implementing policies in form of processes and control mechanisms, the code of conduct is just on paper.

One India-specific problem, especially for multinationals, is that business operations are established without improving risk management capabilities. For example, in back-office operations established in India, processes are migrated without understanding the history of frauds in the original country. With no data available on fraud risks, the back office has limited prevention and detection measures implemented. These may be insufficient for actually dealing with the fraud risks.

The second problem that is significant in India is corruption and bribery. The bribery and corruption problem is on both the supply and the demand side. As previous media reports regarding real estate, telecom frauds etc. have shown, government officials are accepting bribes for approving investments and expenditures. On the other hand, vendors and suppliers give 2-5% commission on the value of company contracts assigned to them.

In view of the above, if the organization is not adopting a clean culture, senior management may be hired without appropriate due diligence or for their unethical behavior. It is not unheard of in India to hire a senior manager in the facilities or finance section who is experienced in liaising with various officials. The term liaison is generally used for paying bribes in India.

Last but not the least, in most organizations the whistleblower program is on paper only. Either the allegations are not investigated or the employee is said to be a “problem employee”. In addition, the employees do not have any legal ways to fight an organization. Hence, they do not have many options except to quit or follow orders.

In a nutshell, an ethical organization culture is required to minimize corporate fraud and white-collar crime. Destructive management practices should be curtailed at the earliest by terminating the managers showing deviant behavior.


1.    Building a strong constructive organization culture is necessary to curtail corporate fraud and white-collar crime.

2.    Implement the organization code of conduct properly. Establish a sound framework of training, implementing processes and monitoring procedures.

3.    Deviations from code of ethics should be dealt with on a uniform basis, which is transparent to all employees.


  1. Intel (India) fires 250 employees
  2. Organizational Culture: An Overlooked Internal Risk by Michael Griffin and Tracy Davis Bradley
  3. Greed and Corporate Failure - The Lessons from Recent Disasters authored by Stewart Hamilton and Alicia Micklethwait
  4. Mitigating Corporate Fraud in Asia
