Managing Systemic Risks in Organizations

The gross turnover of top 100 multinationals is higher than the gross domestic product of a few countries. As it was obvious from the financial crises, organizations employing a few hundred thousand employees can rock the global financial stability. From then on, a lot of discussion is occurring around systemic risks. However, I wonder about the actual momentum in addressing systemic risks.

As per my understanding, an inaccurate perception has formed that governments have the major responsibility to address systemic risks and not the organizations. The picture below depicts the increasing level of risks for human civilization or society as a whole and the increasing level of risks within an organization. Though we do not see linear relationships, they are interconnected. While an organization is a subset of the civilization, their large sizes have also made it a significant component of creating systemic risks.

 

 

Another fallacy is that organization’s need to track systemic risks at the global level alone. From the financial crises, it was obvious that the Retail Housing Loan departments of US Banks shook the real estate industry. Various CDOs of banks investment divisions were the cause of collapse of major banks. Hence, something as small as the functioning of a department, process or product can destabilize the industry and economy when incorrect practices are followed in multiple organizations.

Moreover, senior management of organizations that have implemented Enterprise Risk Management (ERM) believe that systemic risks are automatically addressed. None of the ERMs is going beyond strategic risks. The focus is mostly on operational and tactical risk coverage. Unless the risk management department has taken concrete measures to identify systemic risks, in all probability they are unmitigated.

Lastly, for most of the systemic risks, the organization by itself can only partly mitigate the risks. Except for taking insurance, they cannot develop and implement full-fledged solutions to treat the risks. Though the impact of systemic risks is huge, the lack of understanding, information and solutions, make organizations negligent about identifying and addressing these risks. Hence, the question is – what should organizations do to manage systemic risks?

1. Global Systemic Risk Monitoring Group

Within the risk management department there should be dedicated resources tracking systemic risks from process to country level and reporting to the global group. In the interconnected world, the risks in one country impact other countries. For instance, consider the attack on Malaysian airplane by rebels in Ukraine. A geo-political risk of one country has brought an organization of another country down. Hence, now the risks have to be viewed from a global perspective. To do this organizations must incorporate the group within the organization structure, deploy funds and resources, use technology to connect and track risks at a global level.

2.  Connecting With National Risk Boards

The 2014 World Bank Risk Report suggests formation of National Risk Boards (Same name, could they have got inspired by this blog :)). This will be a huge plus, since risk identification and mitigation will be done at a national level. For instance, if a large country like India were connected at district, state, and national level through risk boards, the level of risk management would improve significantly.

Moreover, this will facilitate in addressing inter-state risks and cross border risks. For example, cyber security threats mitigation requires coordination within the country and significant amount of international collaboration. The national risk boards of countries become the focal point for international cooperation and collaboration for risk mitigation. Developing relationships with the board members and participating in the initiatives will help organizations in dealing with systemic risks.

3.  Connecting With Industry Risk Boards

The systemic risk group needs to connect with the industry risk boards and regulators to capture the industry level risks. For instance, Back of England conducts a half-yearly survey to determine systemic risks in UK financial sector and the confidence of the organizations in dealing with it.

If organizations facilitate in formation and management of industry risk boards, they can cooperate with the competitors to mitigate industry level risks. Relationships with international industry boards would be a huge plus in acquiring knowledge and formulating plans.

4.  Assessing Preparation at National Level

The World Bank report states that investment in risk mitigation and prevention is low, and most of the expenditure is done during and after a disaster to recover and continue operations. Therefore, the challenge is that risk identification may not result in developing and implementing risk mitigation plans. For example, various cities in India regularly suffer from floods during monsoons. ALthough the government knows the problem and solutions, it has not done much to resolve the issue. There are ongoing battles between city, state, and national level for risk prioritization.

That is, the same risk may have different impact and loss level due to national level preparation. Organizations need to assess the level of preparation of government and local communities to determine the impact and develop risk mitigation plans accordingly.

5.  Assessing Impact at Social Level

Previously, organizations were insulated from the society to some extent. The social networks have changed the scenario, and any incident can become an explosive issue. Hence, impact has to be calculated at social level rather than at an incident level. For instance, recently a six-year-old girl in Bangalore was gang-raped in school by her teachers. Last weekend, parents in Bangalore organized marches to demonstrate their anger against the schools lackadaisical attitude towards children security. Police has lodged complaints against the school and politicians are talking about closing the school.

Presently, rape, women, and child security are sensitive topics in India. India is fourth unsafe country in the world for women. Hence, a single incident can close down an organization. Therefore, risk managers need to identify sensitive issues related to systemic risks and extrapolate the impact at city, state, country, and global level to determine impact of various risks.

Closing Thoughts

Systemic risks impact is sometimes more than losses of earthquakes, tsunamis and nuclear disasters, hence they cannot be ignored. Higher level of focus is required within organizations, industry, community, and nations to build processes, institutions, and infrastructure to identify and mitigate systemic risks. Timely investment in this area can save billions of dollars. Hence, risk managers need to put their thinking caps on, develop concept notes, and influence senior managers to deploy funds in managing systemic risks.

Risk Management Version 3.0

The business world is changing so rapidly that companies are either not willing to publish growth predictions or they are getting it wrong. In this new world trends can’t be analysed from historical data. The best business analytic teams fail because the new business models have totally different risks. Moreover, now the risks are interconnected and can’t be addressed separately. An operations risk may have a huge impact on financial risks.  The old compasses are useless and most are walking on uncharted territory.

This is the ideal time for risk managers to shed their old avatars and  become new super heroes of business. First they have to get out of their comfort zone of addressing internal risks that are preventable. The compliance and control based approach leaves over 60% of the risks un-addressed. If we consider that Risk Management version 1.0, we need to rapidly move to Risk Management version 3.0.

So what does version 3.0 look like?

1. Focus on Strategic Risk Management

I consider Enterprise Risk Management frameworks approach as Risk Management version 2.0. Though they covered strategic risks the focus was on finance, processes and technology. Hence, in reality it has become a bottom-up approach though the initial purpose was to make it top down. Risk managers are still not involved at strategic level and it is the Chief Strategy Officers who are analyzing strategic risks.

My guess estimate is that we depute less than 10% of resources to strategic risk management. We need to put in processes and resources where approximately 25% of efforts are focused on strategic risk management. Strategy failure probability has increased in present business environment.  For managing strategic risks reduce  probability of occurrence of assumed risks and effectively manage them if they occur.

2. Focus on Human Behavioral Risks

Industrial age focused on mechanization and streamlining of processes. Products were produced on the assumption that human behavior can be straight jacketed. In the age of technology and social media, this assumption has proved false.  Social media and data analysis allows behavioral analysis of each individual.

Secondly, the bigger challenge the world is facing is of changing demographics. In the last few decades, the average age has changed from 60 years to 75-80 years. The older generation lives longer and works longer. The Gen Y is entering the workforce with different expectations. Women have not only broken ground in the corporate world, but have become main decision makers for household purchases. Emerging market customers and employees have different behavior patterns.  The leadership skill sets have changed drastically. Participative and consultative cultures are more successful now.

Therefore, whether an organization wishes to fight  war of talent or entice customers, understanding human behavior has become crucial. Each segment of employee, customer and other stakeholders present different risks which an organization needs to manage successfully. Without addressing these risks at strategic and operational level, an organization is unlikely to succeed.  Risk managers traditionally haven’t focused on people, leadership or culture risks. In this century they need to.

3. Integrate Risk Management Knowledge & Resources

The traditional approach of having different experts of financial, operational and other risks in separate departments and addressing each risk in a linear manner is redundant. Moreover, now businesses are significantly exposed to external risks, which was not the case before. The Vodafone and Nokia tax cases are prime examples of risks occurring due to change in government stance.

Risk Management version 3.0 requires integrated risk management where risk managers with diverse skills can assess inter-related risks – internal and external. Secondly, risk managers have to be available within the business and as a separate department. The risk managers operating as part of the business unit need to identify the business risks and update the risk management department. The department needs to devise holistic solutions.

The risk management tools, technology, processes and resources all need to restructured to operate in an integrated manner at all levels.

Closing Thoughts

I suspect, group think is prevailing among risk managers. No one wishes to be a bull in a china shop and say – “hey this isn’t working.” It is ironic that risk managers are not doing adequate risk management of their own role and function. Old habits die hard and getting out of the comfort zone is scary, but I think we need to do it. Else, business failures are going to increase at a high rate. In the current economic environment, we can’t afford those losses. Think about it and share your views.

Wishing all my readers a very Happy Holi.

5 Things CFOs Should Do In Planning Process

In December, senior management focuses on formulating strategies. Department heads prepare business plans and budgets. Risk management departments define the next year’s agenda and plans. Everyone works hard at planning and preparing for the coming year. However, most of the efforts are in vain and result in failure. The problem is that generally people do these activities independently and make no attempt to align them. The ideal integrated sequence is below.

However, this does not happen. For instance, department heads do capital expenditures while ignoring the strategy. Business teams define performance indicators and risk managers establish risk indicators, without syncing the two indicators. Situations occur where desired performance is achieved at very high-risk levels. Business teams ignore the risk levels until disaster occurs. With the multitude of unsynchronized management information, boards make incorrect decisions with information overload. Hence, at the end of the year only a few organizations can claim that they achieved the strategy and targets.

The Chief Financial Officers (CFOs) can play a pivotal role in bringing the different facets together. CFOs sit on the board and participate in the strategy formation process. Department heads submit their plans and budgets to CFOs for review and consolidation. Generally, Chief Audit Executives (CAE) administrative reporting is to the CFO. Quite frequently, CFOs act as defacto Chief Risk Officers (CRO). Hence, CFOs can put the jigsaw puzzle together. The key things they need to look into to revamp the process are as follows:

 1.     Strategy Formulation

 The common misperception is that organizations have a proper strategy formation process. In reality, the ideas supported by the CEO and politically strong CXOs are adopted without much constructive discussion since no one wishes to rock the boat. Secondly, a formal strategy process is not in place in most organizations. Moreover, at the time of strategy formation upside and downside risks remain unidentified, as CXOs do not invite CRO to the discussion. The CFOs can influence the other CXOs to implement a formal strategy development process and conduct a strategic risk assessment in each phase of strategy formation.

2.     Business Plans

While strategies are for 3-5 year period, business plans are drawn annually. However, the changing business landscape makes business plans redundant on formation. Reason being that business plans are prepared on a set of assumptions on customer behavior  engagement and market situation. Real interaction with customers and entry into the market prove most of the assumptions incorrect. Additionally, department heads make independent business plans to show one up man ship. Hence, performance objectives are missed and risks remain unidentified. The need of the hour is for businesses to react fast and give cohesive messages in response to market changes. Therefore, CFOs must make the business planning process dynamic and integrated.

3.     Budgets

More than 60% of the organizations are unsatisfied with their ability to link strategy to operating budgets. Additionally, organizations spend 4 to 6 months in preparing budgets with numerous iterations back and forth between departments. Meanwhile the business plans change due to the volatility in the market. Hence, organizations are feeling the need of speed in the budgeting and forecasting process. CFOs must adopt rolling forecasts rather than static budgets to improve planning and control. Rather than doing post facto variance analysis they can collaborate with business teams to give real-time analysis.

4.     Performance Indicators

Performance indicators measure the reward side of the strategy. Without the risk indicators, they give an incomplete picture of business status. Another aspect is that performance indicators and risk indicators for the same strategy or plan are not aligned together and are reported at different periods. Organizations sometimes continue to measure redundant parts and do not update the indicators with change in strategy and objectives. A prime example is the financial crises. A few banks achieved performance targets without understanding the risk levels. Hence, CFOs must use technology to create relevant dashboards to monitor indicators to keep a firm grasp on the business.

5.     Risk Indicators

 Risk managers fail to address the twin shortcomings in process of identifying key risk indicators. Firstly, risk managers do not ascertain strategic risk indicators. Secondly, a lot of meaningless indicators are created which do not really find out the overall business risks. Hence, CXOs fail to separate the noise from the inflection points. Moreover, Nassim Taleb’s point of view that most significant risks are unpredictable needs to be thought over. There might be too much data available and organizations might look at risk indicators they are comfortable with, until the bubble bursts. CFOs can identify key risk indicators for strategy and business plans, and synchronize them to performance indicators. That will close the loop and move the business in the right direction.

Closing Thoughts

Synchronizing multiple factors between strategy and indicators influences a company’s capacity to achieve goals. With predictions of recession and volatile business environment, dropping the ball is highly probable. Understanding which economic predictions to rely on, which market trends will impact long-term and what are the strategic inflection points, spells the difference between success and failure. Hence, CFOs must play the vital role of coordinating and aligning various steps between strategy formation and identifying indicators.

IBM CEO Survey Insights On Customer Focus

The 2012 CEO survey conducted by IBM gives some interesting insights. Seventy-three per cent CEOs are gearing their organizations to gain meaningful insights from customer data. This is the area of highest investment.  The traditional approach to segment customer data to calculate statistical averages has been replaced with understanding the attitudes and tastes of individual customers.

The main aim of gathering holistic customer information is to devise services and products targeted at the customers and improve the response time. As stated in the report – “The challenge for organizations is two-fold: can they pick up on these cues, especially if the information comes from outside? And can the appropriate parts of the organization act on the insights discovered?” The graph depicts the main reasons for capturing customer information.

Further, the report mentions, that though most of the CEOs focus on capturing information, out-performers excel at acting on insights. The difference is innovation and execution. A quarter of the CEOs reported that their organizations are unable to derive value from the data. Speed of action is required to capture data, analyse, prepare strategies and respond to customers. As one CEO stated the most crucial characteristic is to “organize a major wake-up call.” The customer obsessed CEOs are driving the organizations to more contextual customer insights.  The graph below highlights the marked difference in under-performers and out-performers.

Risk managers can play a pivotal role in helping CEO’s achieve these objectives. They can focus on the following.

1.     Organization Culture and Process Change

A customer oriented organization culture is required to leverage the opportunities. Secondly, the organization needs to align the processes towards customer relationship management. Risk managers can conduct organization culture survey to assess customer orientation. Moreover, they can review processes to determine risks and controls to mitigate risks.

2.     Security of Data

The activity requires accumulation of extensive customer personal information. Generally, companies use separate data centres to collect and analyse the data. However, the risks of loss and theft of data is huge. As in the recent case of Facebook 1.1 million users’ data was sold for US $5. Therefore, it is a good idea to review security polices and test data centre security.

3.     Return on Investment

Data collection requires huge investments in technology and resources. As the CEOs are saying the failure rate is quite high. A review of projects, plans and strategy would identify the pain points and misdirected activity. Calculating return on investment on various programs might steer the investments in the right direction. Timely identifying failing projects and reasons for failure is critical to maintain cost effectiveness.

Closing thoughts

Technology and social media has brought customers closure to companies. The face-to-face customer interaction is gradually shifting towards social media. The companies that are able to navigate this transition successfully will outperform their peers in the industry. Hence, risk managers should support this CEO initiative to enable the organization to leverage upside risks.

What is your organization doing in this respect? How do you think risk managers should facilitate CEOs in this initiative?

References:

Leading Through Connections – IBM CEO Survey

Is Doing Nothing A Reputation Risk?

Tim Cook, CEO of Apple, recently issued an open letter on Apple website, publicly apologizing for the shortcomings in the Apple maps. The first paragraph reads:

“To our customers,

At Apple, we strive to make world-class products that deliver the best experience possible to our customers. With the launch of our new Maps last week, we fell short on this commitment. We are extremely sorry for the frustration this has caused our customers and we are doing everything we can to make Maps better.”

The purpose was to pacify the angry customers who found inaccuracies in the Apple maps. The words of the CEO mattered.

Now let us assume that none of the customers knew who the CEO of Apple is. They have not heard of the CEO before. The CEO visibility was zilch in media, social networks, business conferences etc. Would the words have mattered then? Wouldn’t the customers say – “Who is this guy? We never heard from him before and now he is giving excuses for horrid products?”

Managing an organization’s reputation is part of CEO/CXO job. When reputation risks occur, their communication is part of the risk mitigation plan. Hence, the effectiveness of risk mitigation plan is dependent on the CEO/CXO profile. Until here, I think you will agree with me.

Now let me ask you the difficult question. If the senior management of the organization does nothing to add to the brand or reputation of the organization, is it a risk?

Here is my argument. Normally, we take the following criteria for reputation risks.

Source- ICAI ERM Training Material

This measures only the negative impact. We talk about negative coverage in the media, but what about no coverage in media. In India, most of the CEO/CXOs have no media visibility and unlike the west, 90% do not give interviews etc. in the media. They even don’t have a social media presence and one can hardly find them directly interacting with customers. That is, except for traditional advertising of products in newspapers, magazines and television, there is no coverage of the organization and the senior management in the media.

Now let us see from risk management perspective. One of the strategic objectives of the organization is to build brand and reputation of the organization. The purpose of enterprise risk management is to give an assurance to the board that the entity is moving in the right direction to achieve its objectives. As risk managers, we focus if something goes wrong, but what if, the company is not moving at all in any direction – positive or negative – in meeting its objectives. Should we capture that as a risk?

Closing thoughts

Negative viral messages in social media tarnish a reputation in a span of few hours. It takes just one tweet to go viral. It will be very difficult for a company to defend itself if a company does not have a twitter account and reputation management plan. The same applies to executives. Now the thought process is either develop a brand or get branded. Silence gives an opportunity to others to put labels and develop negative perceptions. Continuous positive messages at a personal level need to go out about the brand for customers to have a favorable opinion. Doing nothing may become a huge risk.

Industry Disruption Risks

The biggest risk of all is industry disruption risks. One fine day the competitive landscape of the industry transformed and it caught us by surprise. Ouch, the world changed while we were sleeping. It is a CEO’s recurring nightmare, and the risk managers do not focus on it much. Reason as I mentioned in my recent posts is that risk managers assume they do not have the right or duty to question the strategy or strategic objectives. Let us discuss this in detail.

Andrew Grove in his book “Only the Paranoid Survive” described the strategic inflection point. He said – “An inflection point occurs where the old strategic picture dissolves and gives way to the new, allowing the business to ascend to new heights. However, if you don’t navigate your way through an inflection point, you go through a peak and after the peak the business declines.” The strategic inflection point disrupts the industry completely and can wipe out old companies in a few years.

1.      The Intel Story

Fascinatingly, Intel itself missed the strategic inflection point of mobile computing. Intel controls 80% of the world’s PCs chip market. It failed to make a timely dent in the handheld devices. Nvidia, Texas Instruments, Qualcomm and Samsung rule the ARM chips market for smartphones and tablets. Intel is now positioning itself in this market with its x86 chips. With the shrinking in the PC, laptop and server market, let us see whether Intel can re-position itself as the smartphone and tablet chipmaker. IPhones and IPads disrupted the technology industry; and surprisingly the giants of the industry – Intel and Microsoft – both missed the boat.

2.      The India FDI Retail Story

Closer home, the opening up of foreign direct investment in retail industry has shaken the complacent industry from its roots. Expected entry of Wal-Mart is causing havoc in the minds of established players. Most of the food retail sector in India comprises of Mom-Pop local stores that supply at low costs. Some organized chains as Reliance, Bharti, Nilgiri’s etc. have started catering to the upper middle class requirements; however have not wiped out the smaller stores. The opening of the retail sector to foreign investment is indicative of industry disruption. The industry is gearing itself to deal with the new risks to retain the competitive advantage.

3.      The ERM Perspective

COSO ERM –Integrated Framework, 2004 defines ERM as:

Enterprise Risk Management is a process, effected by an entity’s Board of Directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide a reasonable assurance regarding the achievement of entity objectives.

 Going by the definition, identifying industry disruption risks comes under risk managers’ purview. However, we tend to take strategy as given and don’t challenge the strategy and strategic objectives. We need to change our perspective. Building and retaining competitive advantage is a strategic objective. The industry disruption events can wipe that out. Hence, include identifying disruption risks as part of risk assessment.

Closing thoughts

Industry disruptions occur due to external forces – regulators, competitors, suppliers, customers and society. To identify strategic inflections points risk managers must meticulously track the external environment. Understanding external environment is difficult and requires extensive industry knowledge. Therefore, I know, some of you would be wondering whether it is part of our job. Let us check with the readers.

Should Risk Managers Re-use Last Year’s Strategy?

Let me ask you a question. For 2013 planning, are you thinking of updating the 2012 annual audit plan or risk management plan? Alternatively, do you think major changes are required, and you need to start from scratch? While preparing 2013 strategy of plan, you cannot afford to just tweak your previous plan and get by. You need to do the whole works and start with a plain sheet of paper.

Exactly why am I making such a bold statement? Let me explain. You must have read various surveys in which business teams state that risk managers and auditors are not addressing the business concerns. The thing is risk management practice is changing at a much slower rate than the external and internal business environment.

Below is a simple graph. The lines in real world would not be straight; I have just used it for the sake of convenience to illustrate my point.

1.   External environment

The external environment is going through a rapid change. This includes the social, cultural, political, legal, economic, technological, financial and competitive environment. The speed of change is so high, that most organizations are failing to keep up to speed. Hence, there are a numerous upside and downside risks in the external environment that organizations are clueless about.

2.    Internal environment

Organizations attempt to make sense and adapt to the changes, however at a slower rate than the external environment. During a year, many organization changes take place. Changes occur in business strategy, objectives, policies, procedures, organization structure, roles and responsibilities, governance models, products, knowledge, processes, systems and technology. Due to these changes, the risks within the organization change. Numerous risks remain un-addressed when we do not consider the changes for preparing a risk management strategy.

3.    Risk management function

The risk management disciple as such is changing at a slow pace. If you recall, COSO issued “Internal Controls – Integrated Framework” in December 2011 for public comments. The internal control definition had not changed and only some areas were improved though this was the first revision issued after 1992. COSO received so many comments, that now it plans to issue the final version in 2013.

Within the organizations, the situation is the same. Risk management and audit functions are the last to change. While CEOs are demanding that they advise on strategic risks, very few are rising to the occasion. Even with five-year of financial crises and slow down of economy, the surveys show limited improvement in performance of risk management and audit functions. They haven’t leveraged the opportunity, leaped forward or made great strides. They are cribbing about the same old issues of lack of top management support instead of focusing on the changing business landscape.

Hence, the gap in knowledge of risk managers and auditors of business risks is huge. If they are not tuned into the internal business environment, they leave some risks unaddressed. If they haven’t focused on the external environment, they are a number of unknown risks that can affect the organization any time. Therefore, the annual risk management strategy and/or plan is ineffective if these aspects haven’t been considered.

Closing thoughts

The business environment risks can be best described in the words of Donald Rumsfield, the former US Defence Secretary. He had stated at a press briefing relating to the increasingly unstable situation in post-invasion Afghanistan: “There are known knowns. There are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don’t know.  But there are also unknown unknowns. There are things we do not know we don’t know.” Risk managers and auditors are in the same situation. Hence, strategy and plans have to be devised keeping this in mind. Start from scratch for 2013 strategy.

Watch this video and share with me, will your old strategy work?

Ernst & Young Insight For Internal Audit Transformation

The last post – ‘Coal Gate Scam – Should Auditors Comment on Policy Decisions’ ignited a thought-provoking discussion on LinkedIn. The major debate was on role of internal auditors on evaluating strategic decisions and strategy per se. The message is – transform the internal audit department and leave behind the old thinking of verifying compliance to existing processes. Hence, I thought of sharing some great insights from the Ernst & Young report – The Future of Internal Audit is Now.

Before we discuss the details, check out transformation process depiction below.

The key aspects of the transformation process are:

1.      Align with organization strategy

According to the study, 61% of the internal audit departments did not have a documented mandate aligned to business. One can question then, exactly what are they working on. The way forward is to understand the business strategy – sales, operations, human resources, products, etc. and identify the strategic and business risks of the same.

2.      Formulate the internal audit strategy

Based on the understanding of business strategy and strategic risks, devise an internal audit strategy. Developing an internal audit annual plan isn’t sufficient. Take the time period of the business strategy, and formulate the internal audit strategy for the same period or a three to five year period.

3.      Acquire the right talent

Execution of a strategy is as good as the people deployed to the task. Upgrading skills is a must. Besides technical and functional knowledge, auditors now need business acumen. Rotate resources from operations to get in-depth business knowledge. To highlight the importance of business skills, according to the report just 47% of the IA departments have a training plan for leadership and business management.

4.      Operate as a business function

Internal audit should stop viewing itself as a support function and take a leaf out of line functions. It should measure itself against the same standards as business functions. Have the right strategy, execute it effectively, provide value add and measure against key performance indicators. As it is mostly a cost centre, it doesn’t mean it should let itself go.

Closing thoughts

Survival of business in this global economic crisis is hugely dependent on effective risk management. Internal audit plays a vital role in improving the financial performance of the organization. Hence, transforming the department functioning from old mind-set to fit the 21^st century requirements is must.

Before closing, here is something to start your week on a good note. An old man for the first time saw moving walls. While he was standing in front of them, he saw an old woman enter the walls, and in a second a young woman came out. He said to his grandson – Son, hurry home and get your grandmother.

References:

The Future of Internal Audit is Now – Ernst & Young report

Reflections on Reputation Risks

Indians think more highly of themselves than they are. I am not making this up, it is a factually correct statement according to the Country report of Reputation Institute. Respondents ranked India 25th with 51.93 RepTrak score. According to its own evaluation, India deserved a score of 75.67 with 11th ranking. It is ranked 5th for having perception differences between internal and external reputation. A 25th rank among 50 countries ranked isn’t anything to talk about.

In the Companies Reputation report, there was no Indian company in the top 100. Yes, my ex-company Intel was ranked 16th, though its ranking has fallen from previous years.  BMW, Sony and Walt Disney are the top three. Though reputation has a huge impact, most companies do not focus on it. Below is a chart from the Reputation Institute report on the impact of good and negative reputation of various factors.

Reputation Institute Company Report 2012

Customers, society, employees and investors – all are influenced by the reputation of the company. While companies may enjoy a good local reputation, as is the case for many Indian companies, maintaining a global reputation is a different ball game altogether. From the above chart it is clear, investing in a good reputation pays off and adds to the profit margin. Question is what all is required to build a good reputation. Another chart from the report highlights the main aspects:

Seven factors – leadership, performance, products/services, innovation, workplace, governance and citizenship are required to build a global reputation. For instance, Intel was among the top ten for – governance, workplace, performance, and products and services.

On the other hand, in respect of reputation damage, risk managers mostly focus on reputation damage due to misstatement of financial statements and governance. That accounts to just 28% of reputation.  The impact on reputation of other aspects are generally ignored. The question is how can these be built into a risk assessment framework? Besides reducing downside risks, this gives a good option to leverage upside risks. Here are a few things that risk managers can look into:

1. Reputation map – Does the company have a reputation map covering these parameters and defining its progress through the years?

2. Integration level – Is reputation aspects integrated into all the functions of the organization, or is it left to the advertising and communications department?

3. External perceptions – Is the organization depending on advertisements to build its reputation or is it undertaking CSR and other activities also?

4. Participation in industry competitions – Does the organization participate and win industry competitions, for instance “great place to work”, “most innovative company” etc. ?

5. Social Media – How is the company using social media to build its reputation and manage the negative feedback?

6. Risk assessment – Is a risk assessment for reputation conducted to highlight the risks in all the seven areas and mitigation plans prepared?

Closing thoughts

Reputation damage is difficult to quantify and often the risks are not categorically listed. In social media environment, it is far easier to lose the reputation and more difficult to build a good one. In the present environment, they old age thinking  – no news is good news – has become redundant. Just because the organization name hasn’t made headlines for the wrong reasons, it doesn’t mean all is well. The negative under currents slowly erode the good name of the organization. Hence, risk managers need to actively address reputation risks on all seven parameters.

References:

Reputation Institute reports

PS: I changed the background and added a little color to the blog. How is it looking? Please give feedback.

Risk Assessment of Marketing Function

The global economy is facing turbulent times with US in recession, Europe in economic crises and emerging markets growth slowing down. Frequently organizations panic on hearing forecasts of looming recession. They cut down marketing budgets, innovation of products and capital investments. The reaction further adds to the woes, and accelerates the downward trend in sales. Risk managers normally do not focus on marketing department activities and generally are not called upon to share their views on marketing strategies. A look on these areas may prevent the company from going in red and thrive in chaotic times. Here are a few suggestions for risk managers.

1. Bench-mark Marketing Function

The complexities of business world are escalating marketing risks. For survival and growth organizations need resilient marketing and sales functions. They have to identify strategic inflection points in the market and adapt accordingly. In recession customers interest, values and budgets change. With new competition and changing regulations, organizations need to reinvent business models. Hence, as a first step risk managers  need to bench-mark the organization’s marketing function.

Philip Kotler and Johan A. Caslione in their book “Chaotics – The business of managing and marketing in the age of turbulence” have presented a table on marketing function attributes. Out of the 14 attributes, below are 5 critical ones distinguishing between poor, good  and great marketing functions.

Srl    Poor                                        Good                                              Great

1. Product driven                    Market driven                                    Market driving

2. Product offer                       Augmented product offer                 Customer solutions offer

3. Price driven                        Quality driven                                     Value driven

4. Reacting to competitors    Bench-marking competitors             Leapfrogging competitors

5. Function oriented               Process oriented                                Outcome oriented

McDonalds marketing strategies reflect these attributes. In India, McDonalds is opening a purely vegetarian restaurant near Vaishu Devi ( a renowned Hindu temple) and Golden Temple (Sikh’s foremost gurdwara). It is catering to the Indian sentiments; in most religions Indians do not eat non-vegetarian food in a place of worship. Near the temples, generally local vegetarian eating joints thrive and there are no global food chains. The huge number of devotees provide a large market.

A few years back, McDonalds customized its menu according to Indian tastes and introduced vegetarian burgers. The McAloo Tikki (a potato burger) contributes to 25% of the total sales.  It may shock the Americans, but no beef burgers are served in India.

2. Evaluate Cost-cutting Measures

The attitude frequently is to cut costs across board. For instance, if marketing budget is XXX dollars, the total budget will be reduced by 25% without assessing the details and profitable products. Here risk managers need to assess the soundness of decisions taken to reduce costs. Below are a few examples to look for:

a) Advertising : Is the total advertising budget reduced? This would be a wrong move. During recession, the core products that contribute to revenue need aggressive advertisement. The advertising budget spent non-core products and loss making products can be dropped. Moreover, explore cheaper advertising models – social media, internet etc. and reduce budgets on paper and television media.

b) Discounts : Another option adopted to increase sales is to discount all products by a certain percentage. This is a self-destructive strategy as discounts on core premium products would damage the revenue stream in the long-run. If customers require cheaper products, cut the frills in the premium products and introduce a bare minimum model. This will maintain the brand and revenue.

3. Assess Strategy and Systems

Risk managers must assess the marketing strategy and systems to ensure that the risks are systematically identified in a timely manner. Here are a few examples of the same:

a) Core products: Does the strategy focus on core products? Are there systems in place to show the winners and losers? If the systems are inadequate profitability, market spend and customer behavior cannot be captured accurately. Hence, the organization will be unable to adapt strategy to the changing marketing trends and customer behavior. Moreover, companies cannot  reduce costs without identifying inefficient spending.

b) New products : Has the organization delayed the launch of new products during recession? The customers require cheaper products during hard times. Hence, the strategy should be to delay expensive products but focus on products that cater to the new customer requirements and changes in behavior.

Closing thoughts

With economies slowing down, the marketing functions are facing many challenges. Customers are better informed through social media and internet, competitors copy products faster, and price of the product is a driving factor. Risk managers can contribute by conducting risk assessments of the marketing function and helping the teams in identifying the upside and downside risks to their strategies. This is a good place to add to  profitability.

References:

1. Chaotics – The business of managing and marketing in the age of turbulence – Philip Kotler and Johan A. Caslione
2. Beefy McDonald’s to Open Veg-Only Outlet in Katra – Economic Times