Program Change Management Risks

Organizations invest huge amounts in running numerous programs to improve operations, culture and profitability of the company. For instance, programs cover technology implementation, building social networks, improving employee engagement and corporate social responsibility initiatives. Some programs give good return on investment while others dwindle without much success.  The success and failure of a program appreciably depends on effective change management.

Even for information technology programs, various survey reports show success-failure ratio as 50-50 percentage. Failure results in cost overruns and delay in project schedule besides low employee morale. A few reports indicate just around 20% of the programs are successful in the first effort in all respects. The differentiating factor, with technology and implementation capability being the same, is change management skills. Lack of focus on change management risks results in program failure.

Before discussing some key aspects of program change management risks, let us understand the reason for the same. Change causes insecurities to surface, hence sows the seeds of conflict and discord. On start of a program, people do not understand the reason for change. They are unable to assess what is at stake and what success looks like. Moreover, people respond differently to change. Idea of change gets supporting, skeptical and scornful reactions. If not handled carefully, different groups within the organization prepare battle plans to sabotage the program.

Hence, change management strategy is an essential component of program implementation. Given below are some of the risks on the same.

1.   Senior Management Involvement

For approval of the program, the program manager shakes hands with all the senior managers to get their buy-in.  Managers assume that the senior management commitment will continue after approval. However, this is rarely the case. With time, commitment will wane if senior managers do not understand the direction of the program and/ or start giving priority to other programs. Hence, program managers need to monthly/ fortnightly update the senior managers through review meetings and reports on the status and plans of the program.

Additionally, users and employees need to see senior managers demonstrate commitment to the program i.e. walk the talk. Program managers need to leverage opportunities to show senior management support for the program. Develop a leadership plan to ensure senior managers become champions of the program.

2.   User/ Employee Adoption

The program managers gear most of the programs activities towards adoption by the users. For example, in building a risk culture, adoption of risk assessment template is a milestone. The point is change agents view program activities in isolation for pre-go-live stage without considering the overall impact on the organization. Programs influence strategy, process, technology, and people. Without synchronizing the four aspects, even with user acceptance, the program will be unsuccessful in the long run.

Second aspect to consider is the handholding and support after the go live stage. After implementation of a program, the users may still face some challenges or new problems and risks may arise. For continued success of the program a team is required to support it, else it will fizzle out.

3.    Multiple Communication Channels

A program requires a good communication plan and failure in communication jeopardizes the program. Communication messages must be clear, straightforward and from the heart. The corporate jargon and meaningless mantras does not get buy in from senior management or users. For example, do not have a mission statement for an ethics program that sounds like this:

The company’s mission is to be the most ethical organization in the world by adopting best practices, making it a great place to work and rewarding meritocracy

Employees will roll their eyes on the above statement and consider it as management hyperbole. There is nothing actionable or measurable in the statement. Neither are the steps linked to ethics.

Another risk is failure of communication from senior management. Program managers assume that employees understand senior management commitment from strategy and other generic documents. However, adopters need to hear from senior management, their views and aspirations regularly.

Moreover, when programs run into problems, the initial reaction is to hide the bad news from the adopters. Clear concise communication on challenges being faced by program managers and support required, gets the program back on track. Communicate more often when program is running into trouble.

More importantly, change agents sometimes fail to listen to the adopters. Adopters’ feedback is critical for the success of the program. Understand their angry reactions, criticism and challenges. Develop plans to address them and not ignore them.

 4.    Training Plans

 Standard training material is the bane of most programs. Change agents believe that once the training is imparted, their job is done. Some pieces are overlooked in training plans and I have mentioned these before in a post. These are:

  • People have different learning patterns.
  • People are at different stages of learning – beginner, learner, manager, and expert.
  • People do not remember the training for long unless they start using the information in practical work.
  • Old habits are hard to break; hence, people revert to old patterns of working if not monitored.

Last but the not least, is the content of the training. For example, fraud awareness training is a double-edged sword. The users, who didn’t know a word about fraud, now have some idea on how frauds are conducted. The information can be misused. Moreover, an overload of information may create panic reactions in users. Hence, when to deliver training and what information to give are critical decisions for successful program implementation.

 5.     Reward & Recognition System

For a program to be successful, set up a clear system about reward and accountability for the adopters. Failure to establish a system will result in rewarding mediocrity rather than meritocracy. Further, without implementing a penalty criterion, there is no downside for wrongdoing. Hence, maintain a balance between reward and punishment.

For instance, in an ethics program, build a system of bonus points at time of appraisal for meeting business objectives in an ethical way. If a manager had the option of choosing an unethical means to achieve an objective faster but selected an ethical way though had to work harder, award him/her bonus points. On the other hand, award penalty points to a manager who chose unethical means.

6.    Dealing with Failure

Sometimes, despite best efforts the program team stares at the face of failure. People adopt inflexible approach and refuse to acknowledge the logical benefits of the program. They foresee their personal and political agendas negatively impacted, hence refuse to contribute to the shared purpose of the organization. The situation reminds me of an old joke.

A man bought a parrot as a pet. To his dismay, the parrot had a bad attitude and spoke foul language. The man tried to teach the parrot to behave but the parrot refused to change. One day in a fit of anger the man put the parrot in the freezer. He heard the parrot screaming and abusing for a couple of minutes, then there was silence. The man opened the door of the freezer, the parrot trotted out and said – “I beg your forgiveness for speaking rudely. I promise to behave properly.” The man was amazed at the transformation. Then the parrot said – “May I ask, what did the chicken do?”

To avert sudden failure periodically conduct organization surveys to understand the acceptability of the program and organization readiness for the next stage. Measure the behavior and sentiment change due to the program. Do not rush to the next stage without ensuring that adopters connect with the program in the existing stage.

 7.    Awareness of Retaliation

Situations can get out of hand when people start retaliating against the program manager and his/her team. Some programs are launched for appearances sake. For example, senior management may approve a program for business ethics, diversity or employee participation. However, when the change agents sincerely attempt to run the program to bring about a cultural change in the organization, they get mobbed by the employees. In this case, the junior employees start complaining that the change agents are pressurizing, bullying and forcing them to change. This impacts the heart of the program and the change agents spend most of the time defending their actions. The senior management doesn’t really want change, hence looks the other way or gives tacit approval to derail the program and mob the change agents.

In such cases, the change agents have to pay a high price, but the seeds of change are sown. People recognize that there is a better way of doing things, and gradually move towards light.

Closing Thoughts

 Change is difficult. We ourselves find it difficult to change, so getting others to change is an obstacle race. As Mahatma Gandhi said on leading the non-violent Indian independence movement – “First they ignore you, then they laugh at you, then they fight you and then you win.” Being a change agent is a test of stamina, perseverance, discipline and sacrifice. There are no low hanging fruits to pluck, no short-term rewards, no personal glory, however, in the end organization benefits.

 

Fraud Symptom 10 – Lapses in Information Assurance

The 2011 report of Panda Security titled “The Cyber Crime Black Market: Uncovered” discusses the way the crime organizations work to steal data and conduct frauds. The report mentions the ongoing rates for bank customer data – credit card information is sold between US$ 2 to US$ 90, depending on the nature of the card and information. European card details attract a higher price than US and Asia. The report mentions the roles of programmers, distributors, tech experts, hackers, fraudsters, cashiers, mules, tellers, and social engineering experts. They all have a role to play in the crime scene and collaborate to conduct high-level frauds.

In light of the increasing threat of cyber crime, information assurance plays a critical role in organizations, especially financial institutions. Media regularly provides cases of cyber attacks, which provide an external perspective. However, the foundation for sound information security is laid within the organization. Any lapses in this area, signifies a high risk of fraud. I am here giving some examples on how to identify the issues excluding the regular network breaches.

1.  Commitment to Information Assurance Policies and Procedures

The first indicator of lapses in information assurance appears on evaluating the information assurance policies and procedures. The questions to ask are – does it cover all sources of data leakage, does it monitor exceptions, how is the implementation and are regular audits conducted to ensure adherence.

To illustrate, I had once prepared an information assurance polices document for an organization. According to my estimate, on approval of the document, the implementation time was three months. However, to my surprise the management did not approve the document for over a year, despite repeated reminders on high exposure to information risks. I subsequently discovered that some senior executives were conducting frauds and laying the blame on the juniors. Their problem was that if the policies were implemented, they would not have easy escape goats.

2.    Level of Application Controls

Most organizations still lack focus on application controls – the basic input, processing and output controls and access controls. Access to critical information is available easily and hence can be stolen.

For example, in one case I had found that a VISA card application could be accessed by the employees working on the process from their homes or any internet café. Interestingly enough, all the customer information of the cards was visible outside of office premises and machines.

In another case, a Master card processing application of a bank had no input controls and verification controls on the amount. The employee could pass the transaction for US$ 5 million, when the real amount might be just US$ 5. The whole transaction was processed without verification checks and the only control available was at Master card office.

3.    Back-end Logs

From a fraud detection perspective, back-end logs are crucial. They provide the information of access of various accounts by employees, transactions conducted and the whole trail of activities. Analyzing the logs helps in identifying suspects.

However, some companies give the weird logic that maintaining back-end logs is expensive; hence, we do not keep them. With the cheap data storage facilities available, the organizations are losing the best tool available to them for fraud detection.

The second risk of back-end logs is that the information security personnel can play havoc with it. For example, if they have participated in a fraud, they can remain undetected. The simple process employed by deviant information security personnel is to download the back-end log, tamper with it to remove their own access trail and in its place put some other employee’s information. This way when the fraud is investigated, the other employee becomes the suspect.

These are just a few examples on how lapses in information assurance increase the risk of frauds.

Recommendations

To ensure that the organization is adequately covering information assurance risks, do the following:

a)  Implement information assurance policies and procedures.

b)  Put a system in place to regularly monitor adherence and address exceptions

c)  Conduct ethical network hacking to assess security vulnerabilities

d)  Review all critical applications for controls and mitigate the major weaknesses.

e)  Segregate duties of information technology and information security personnel to ensure that they do not tamper with the application. Build in some checks to monitor their activities.

f)  Investigate all breaches and incidents to determine the root cause analysis and make the environment more secure

References:

The Cyber-Crime Black Market: Uncovered by Panda Security

To read more on Fraud Symptom series, click here

Reducing Recruitment Costs

I checked out Seth’s Blog global Alexa traffic analysis and it states – “Visitors to the site spend approximately two minutes per visit to the site and 84 seconds per page view.” I checked out my blog’s analysis and it states- Visitors to the site spend roughly two minutes per visit to the site and two minutes per page view.” My readers spend more time per site visit (2 minutes) than Seth Godin’s (84 seconds) do. Yippee!Obviously I am ignoring the traffic ranking, as there is a few hundred thousand difference.  Now you must be wondering how this data relates to reducing recruitment costs. Read on.

I further analyzed the ranking of Tata Consultancy Services, Infosys and Wipro Technologies; the three technology and business process outsourcing  giants of India. Now look at the table below:

Company Website Global Rank Audience Age Total time on site Time per page view
Tcs.com 12,405 Mostly under 25 6 minutes 44 seconds
Infosys.com 17,672 Mostly under 25 5 minutes 41 seconds
Wipro.com 12,706 Mostly under 25 6 minutes 46 seconds

What am I getting at? Most of the site visitors are young males looking for a job. Each site has a career section that allows candidates to register and submit their resume. Look at the table from a recruitment cost lens. If the organization focuses on career webpage, it can reduce recruitment costs.

The Business Case

Overall, recruitment costs include job advertising costs, recruitment company fees, employee referral, interview travel expenses, relocation expenses and human resource recruitment department operating costs.

Let me take the example of IT and BPO sector recruitment costs. According to the NASSCOM Strategic Review 20011 report, the IT and BPO sector will employ 2.5 million employees in 2011. In comparison to 2010, the total employee strength will increase by 240,000 employees. Secondly, the attrition rate is ranging from 20-40% in the sector. This means that approximately one-third of the employees will change jobs. Back of the envelope calculations show that BPO and IT sector organizations will hire roughly one million employees in 2011.

Most of the demand is for employees with 1-3 years of experience. Their monthly salary ranges between Rs. 20,000 – Rs. 50,000 and the recruitment companies’ fees range between 1-2 months of employee monthly salary costs.

Hence, if I take 10% of annual salary cost to company as recruitment fee and Rs 300,000 as annual salary, nearly Rs. 30 billion will be spent on recruitment fee alone by the sector. Definitely, a line item worth looking at for reducing organization recruitment costs. Especially in case of BPO and IT sector as the profit margins are decreasing with the recession in US and Europe economy.

The Solution

Simply put the organizations need to drive traffic to their websites to ensure prospective candidates submit their resumes on the website. Any percentage increase of hire through website will decrease agency recruitment fee costs.

As in the case of BPO and IT sector the audience age is less than 25. The Gen Y is technologically savvy and looks for the same in websites. Hence, some of things that organizations can look into are:

> Post a video message from CEO or other CXOs explaining the vision and mission of the organization.  Gen Y prefers flat structures, access to senior management and enjoys watching videos. This will increase their enthusiasm to submit their resumes.

> Aptitude tests – IT and BPO sector generally request recruitment agencies to do preliminary screening by giving candidates written aptitude tests. The tests can be web-enabled on the career page to enable candidates to complete it while submitting their resumes.

> Voice and language tests – BPO sector in call center business conducts voice and language tests. The organizations can provide a facility for prospective candidates to upload audio and video recordings for voice tests. Secondly, administer written language tests through web.

> Pre-employment background verification – Provide a facility to candidates for uploading relevant certificates required for background screening. In India, roughly 25% of the resumes are fake or inaccurate. The background screening costs are high if done after appointment. Hence, organizations can conduct a preliminary verification before interview by reviewing the scanned certificates.

> Application processing system – Organizations can provide an application  tracking mechanism to the candidates, either to update them through automated emails or showing the application status on the website.

I was amazed that technologically advanced companies that provide technology and business consulting services have not focused aggressively on developing the career page and attracting candidates through them. Maybe the technology costs are higher, though to me it does not seem so. Maybe the thinking is that putting boots on the ground will reduce the recruitment pressure on the human resource teams. In my opinion, since in BPO and IT sector the recruitment numbers and costs are high, the human resource teams should have all technological advantages to do their jobs better. What is your opinion?

References:

NASSCOM: The IT+ BPO Sector in India – A Strategic Review 2011