A great email decision

One of my best decisions in a long time: I’ve ditched my email client at work in exchange for a regular, planned access through our email web client. Turns out that I actually spend a lot less time in my email browser window than I did in my email client.

To be more concrete, while I spent on average 1 hour per day in my Lotus Notes email client, I now spend about 20 minutes per day in my Domino browser account. The end result is that I spend about 3 times less time on opening and answering mail, with the same effectiveness.

End result: a lot less distraction and a great deal of work that actually gets done.

How to make your tools work for you

It's you and your workflow, not the tool

Let's be clear. There are a lot of really cool tools out there. Both in the Mac App Store and outside of it, there are plenty of interesting tools that may add quite a punch to your workflow. If you get to know them. Intimately. And if you can integrate them in your workflow. Efficiently. So the challenge really isn't finding that one brand new tool that will make all the difference ... it's integrating that one tool with your current workflow and optimizing that flow.

Getting it backwards

Most people get this backwards. I've been there, you've been there. We get so enthused by this new tool (let's call it toy, really) that we will find reasons to use it in our flow. This leads to situations where people have 5 or 10 different text editing tools on their laptops. And probably why toolboxes are oh so popular. Look at all the great tools you get for one low price. While really all you need is one hammer. The question is, will you fall for the flavor du jour, or will you act more reasonably and rationally?

Impulse buying

So how do you deal with that call of the tool? How do you avoid spending your money on items whose capacity may exceed your needs by 99%? For me there are a couple of steps to go through to avoid those impulse decisions. Because today you may be spending 99 cents in the App Store, tomorrow you may be spending a couple of million USD or EUR of unwarranted expenses on a new IT system. And if you believe there is a significant difference in that spending decision, let me assure you that as a consultant I've seen more impulse buying decisions than I ever thought possible ... some of those decisions cost quite a lot of money and never even got plugged in.

Steps to consider

Let me take you through a couple of steps which may not be complete, but at least will take you through a process that requires you to do some thinking before buying. This is not the traditional "Wait 30 days before spending an amount" because at the end of the day, if you are really adamant about buying something without a considered decision, you will have a difficult 30 days and then still buy it. At that moment, you've not only spent money on something you don't need, but you've given yourself an additional frustrated 30 days as well. Here's what I think is a considered approach:

  1. First, be very careful in the assessment of the specific need you want to acquire the tool for. Is there a need? What is that need, and is this a real need we have or just an argument we're using to acquire the tool? It is essential you clearly understand what you want to do with the tool. You need to identify all you want to do, and also what you don't want the tool to do for you. Then you need to clearly define how the tool will affect your workflow.
  2. Second, you need to identify multiple objective sources of information on the tool. Stay away from commercial presentations, they are likely to try to convince you of the added value of the tool. You will only find confirmation of what you want to believe, i.e. that you need that tool. Check the competition. What do they offer? Interesting to consider for example is that public services are required to have multiple suppliers bid on most contracts they put out in the market. If you assess, assess using multiple sources of non-commercial information. Do call reference users if the supplier provided you with that information, but consider they will likely not provide you with the coordinates of their worst clients ...
  3. Once you are clear and the total picture makes sense, also from a cost perspective, make the purchase. This really is about committing to your choice if it has been well considered.
  4. Once you have made the acquisition of the tool, invest time in getting to know the tool. Get to know the tool. No, really, get to know it inside out. Make this an acquisition which will be worth its money. If it's a large acquisition, make sure your users get the most training possible. Make sure the supplier stays responsible for the training and make training acceptance count. If it is a small tool, train yourself. Get to know all of the functionality of the tools. Use them. Learn all the shortcuts that exist. When you learn those shortcuts and those special ways of getting more out of your tool, be it a hammer or an ERP system, learn them as if you were to have to teach them. It provides you with a whole new perspective on skills or knowledge acquisition. It helps you focus and slow down, which enhances your learning. Once you are clear on your usage and you master the tool, you need to start optimizing full integration into your workflows.
  5. Once you know the tool and its use, start optimizing your workflows. The learning period for a tool should be long enough to achieve good knowledge of its use, not necessarily mastery. This will come with the integration in your workflows. Again, there is a process here. First, you will need to develop a workflow for the most optimal use of the tool in your process. The process really is key here. The process determines both the tool and the way the workflow is structured, not the other way around. Once you've done that, you need to work on integrating that workflow into the broader workflow of all of your tools. Again, your process and the desired end result should be the key factor here, not the tools or the workflows. Finally, if you get that right and you feel comfortable with it, you can look at possibilities of integrating the whole in an automation, where relevant and possible.

In conclusion

Tools are tools, but they also put bread on the plates for someone. Those developers will do their best to promote their tools, and so they should. However, you have a mission as well, which is usually not tool testing. Your mission is getting your work done. The best possible way to get your work done is very effectively and efficiently. Not just to do some more work, but also to find time to be able to focus on the essentials of life, such as spending time with loved ones. So don't go out and buy the next best thing. That's all the difference between right now and right, period.

The need for an integrity oversight committee

Integrity and the continuous battle against fraud and corruption are stepping out of the limelight where they've been pushed into for far too long. Recent integrity issues, such as the LIBOR scandal, highlight the need for ethical behaviour from the top down, with clear and hard boundaries which are consistently enforced. The case should also be made for the establishment of integrity oversight committees to complement existing committees in organizations' boards to ensure consistency and transparency.

Past initiatives have not solved the problems

If I look at the past 12 years, starting with the Worldcom and Enron affairs, it seems like every year has been marred by at least one large fraud or corruption scandal. And I'm still to be convinced that initiatives such as Sarbanes-Oxley and others matter all that much in combating fraud and corruption. With hindsight it appears that we're trying to fix a problem not at the root cause, but at the point where it starts showing up: in financial and administrative processes and procedures. That is not necessarily a cost-effective manner. These past initiatives have clearly not solved the problem.
The question then appears to become an easy one: are there alternatives? I actually believe this to be a complex question, but establishing integrity oversight committees at the level of the board, in addition to compensation and audit committees, can go towards a viable solution in the combat against fraud and corruption.

Where do we start?

As a point of departure for this approach we need to agree that there is to be a zero tolerance for fraud, corruption and breaches of integrity. "Zero tolerance" needs to be read here not as "we will not have any", but as "when we become aware of a breach, we will eradicate it." Now that's easy to say, but where do we start?

Values as a reference for behavior are best established by all stakeholders

Most control frameworks such as COSO-ERM and ISO-31000 state that the "tone at the top" is an important if not the most important element in establishing a pattern of ethical and non-corrupt behavior in collaborators. A number of studies, such as this one, this one and this one have also highlighted that ethical behavior or lack thereof is influenced by the behavior of the manager directly responsible for that collaborator.
Hence, management at all levels of the organization needs to walk the talk for the collaborators to comply with a certain required pattern of ethical behavior. You cannot expect your direct reports to behave in a certain manner if you yourself are not consistently showing this behavior as their manager. This is not new.
The question then becomes, what constitutes a recognized behavioural pattern? Going all the way up, what is the correct behavior to reflect? What are the values of the organization that you need to show and to comply with as a manager? What behavior are your managers showing you? Is this a set of values which are imposed on an organization from the outside, often as a result of an external consulting project? Or is something else needed?
I believe that values are established by and with all stakeholders, people we touch as an organization, collaborators of the organization and owners of the organization. I also believe the board, as representative of the owners, has a significant role to play in both determining the relevant values, monitoring compliance with them and dealing with identified transgressions of them. After all, owners own a business which operates in a business reality. The stakeholders influence that business reality. Owners therefore need to be very aware of that influence and make sure they adequately adapt to it. If they fail to do that, they will have no business left.

Developing the integrity framework is an integrated, concerted effort

An integrity framework is a set of values and corresponding behaviors which serve as guiding principles for an organization. It should be a formal translation of all of the above mentioned factors and influences. But of course such an integrity framework only makes sense if it has been developed in close collaboration with the people working for the organization and the people with a stake in the organization: clients (in the broadest possible sense), collaborators (those who develop and deliver to clients) and the board.
Thus, for an integrity framework to make sense to the collaborators and clients it needs to be developed in collaboration with the collaborators and the clients, in their language to ensure a proper understanding of the specifics of the framework which they will need to apply and comply with.
In my personal opinion, it also pays to have the board intimately involved in the development effort. After all, while the board members are not usually actively involved in day to day management, they need to see their positions and concerns reflected in that ethical framework. Again, as stated above, those concerns need to be, amongst other factors, a reflection of the way they see the influence of outside stakeholders on their activities.

To illustrate, consider an organization which has its ethical framework developed by outside consultants, without active board involvement. A significant risk exists it will reflect only the vision of the few people consulted in the development, it will likely use the consultants' language rather than that of the collaborators, and it will not necessarily reflect the values held high by the investors, owners or stakeholders, represented by the board members. The likelihood of acceptance by the board and adoption and application by the collaborators will therefore be significantly lower than a framework which was developed in close collaboration by the members of an organization themselves.

Compliance monitoring is ultimately a board responsibility which requires a strengthening of internal audit

Once the framework is in place, its application needs to be monitored. It's clear that if a framework is only considered to be an exercise in writing, with no monitoring taking place, its adoption will not be very high. Monitoring the compliance of an organization and its members with the specificities of the adopted ethical framework should occur under the ultimate control of the board, just like internal audit is ultimately under control of the board. Because of its independence and yet its proximity to the organization, the "analysis and assessment" capacity directly linked to the board, the internal audit, can both monitor and investigate allegations made of transgressions of the ethical framework. Of course, assigning this as an additional responsibility to internal audit will require a strengthening of internal audit both in numbers and in capabilities. For example, we've significantly invested in enhancing our capabilities in data analysis for fraud investigations.
Compliance monitoring is important not only for enforcement through identification and appropriate action, but also to ensure that the message of the framework has gotten across. It's entirely possible that for all intents and purposes the development of the framework was done in the best possible manner, but the message fails to be clear on a number of aspects. These need to be clarified. Monitoring of compliance can give us an indication of where things have gone wrong or were not appropriately formulated to be well understood.

Enforcement needs to be transparent with respect for the individuals involved

There will be transgressions. Every organization needs to get rid of the naïve assumption that this will not happen to them. It's likely to happen. Quite probably, it has happened already. Fraud, corruption and breaches of ethical behavior do occur. However, once identified and appropriately confirmed they need to be dealt with as soon as possible.
And while the management team has a role to play here, I would strongly suggest to actively involve the board as well.
Why? First, it's about transparency. The board has a right to know where and how the integrity framework they helped establish as a reflection of their values is being circumvented.
Second, management is not always the best placed to take the appropriate measures. The board remains a structure which is removed from day-to-day operations. Management, on the other hand, needs to deal with these people every single day. Correct enforcement may influence or damage working relations. Some managers may not feel comfortable enforcing a policy towards direct reports. Even if they want to, management is not necessarily, in substance nor in form, totally independent in deciding on the most appropriate measures.
We can have a long discussion on whether or not this is a task of the manager (I think it is, for the record) but with direct reports it may turn into some sort of hidden self-regulation. It is not necessarily transparent, hence my suggestion to involve the board in this. Its role is not complex: based on the analysis of the breach, assess the severity of the breach, recommend appropriate measures to deal with the breach, and monitor correct application of the recommendations. All of this needs to occur in a manner which is both transparent to the organization and which maintains the anonymity of the people involved in the specific case.

The need for a structure: the integrity oversight committee

Given the width of the activities the board will actively be involved in, establishing a separate committee in addition to committees such as compensation committees and audit committees makes sense. These are advisory committees to the board and help in the preparation of the decisions for the board.
The integrity oversight committee is a way of ensuring a more consistent ethical conduct in organizations.

Embedding risk management in the strategy cycle

As of its inception, there have been a lot of comments on COSO-ERM and how it can be applied in practice in an organizational setting. Those of you, dear reader, who have followed this blog know I am not an avid fan of the framework. However, contrary to some experts I don't agree the authors made an error when introducing risk appetite as a concept as early in the ERM cycle as they have.

Understanding risk appetite

Dr. Larry Rittenberg (Ernst & Young) and Frank Martens (PwC) authored a short(ish) document on understanding and communicating risk appetite, which was published by COSO in January of 2012. It aimed to present a set of answers to the lack of clarity surrounding the concept of risk appetite as it was introduced in COSO-ERM:2004. In its executive summary, they clearly state that:

"Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so."

In defining risk appetite in this way, they aim to get ERM out of the compliance corner it has been painted in for a long time. It elevates risk management above the level of a mere tool or requirement and positions it where it should be and informally often already is: an integral part of the strategy process.

Risk appetite as a key element in strategy setting

A strategy can be defined as it is in venerable Wikipedia as follows:

"A plan of action designed to achieve a vision. Strategy is all about gaining (or being prepared to gain) a position of advantage over adversaries or best exploiting emerging possibilities. As there is always an element of uncertainty about future, strategy is more about a set of options ("strategic choices") than a fixed plan."

Hence, reading this again, the key risk element, the uncertainty element, is an inherent part of the definition of a strategy. An awareness of what, in broad terms, this risk may be and to what extent it would be acceptable for the organization to be confronted with it, is required to develop the action plan. Hence, risk and especially risk appetite drives strategy.
In my personal opinion, the authors did not adequately emphasize this.

An illustrative example

Imagine that your organization, for the sake of argument a non-profit organization, is offered the opportunity to start activities in an area which in content is adjacent to what the core purpose of the organization is. Imagine the organization is about assisting the development of civil society in fragile states, and the area you are invited into would like you to work in post-conflict issue resolution between two tribes. There are some elements of uncertainty here.
However, the geographic area and its culture is completely unknown to your organization. There is no prior experience here. Hence, there are quite a few elements of uncertainty here.
Without a clear view on the risk appetite of the organization as compared to the potential risk exposure the organization may encounter, it is virtually impossible to develop a relevant strategy.

Conclusion

COSO-ERM is far from perfect. However, in light of some of the, already old, comments on the risk appetite, I believe it to be essential to consider risk and risk appetite, even in the broadest of terms, during strategy setting.

The rotational audit staffing model - a small audit department's perspective

Richard Chambers recently published an excellent article on the rotational audit staffing model. I wanted to add my perspective as the CAE of a small audit department, active in an inherently complex sector, development aid.

The reality of a small audit department

The size of the audit department is most often a function of the size of the organization it operates in. Yes, I am making abstractions here, there are other significant factors of influence, but look at any GAIN analysis and you will find a significant correlation between size of the organization and size of its audit department. The complexity of the sector and its activities is not usually a factor, although it should be.
As the most important influence is organizational size, organizational complexity is often just something the audit needs to come to terms with. In reality it's unlikely that a small audit department has all the competencies within its confines to adequately audit each aspect of the organizational complexity.
Of course, not auditing this subject area is not an option, quite often because these more complex areas of operations are the more if not the most risk prone. This is an important aspect in our operations. The more complex the project structures, the more exposed they are to risks. So, how do we go about this?

The rotational guest auditor

We actually turned the rotational audit staffing model which Richard talks about around about 180°. Rather than having people rotating in and out of internal audit as part of their management (fast)track, we actually have a small permanent audit team, which is there for the long(er) term, with operational collaborators rotating in and out on an ad hoc basis as a function of individual audit projects. For example, we will use a person with a deep understanding of our different reporting structures and requirements if we need to look at reporting as an aspect of an operational assessment of one of our regional sectoral support structures.
Of course, this approach is not without its challenges. Confidentiality of the audit findings and independence of the guest auditor are aspects which we approach with due and necessary care. Failure to appropriately address these concerns will lead to the loss of confidence in the adequacy of the internal audit process and hence of the validity of the internal audit department's approach. Of course we want to avoid that.

What the guest auditor brings to the table

The guest auditor operates as a subject matter expert. He or she has experience in a field adjacent or related to the field being audited. This eliminates the need for a significant investment in audit techniques training, as the guest auditor is surrounded by an audit team well versed in these aspects of the audit process. He assists in developing the audit approach, explaining to us what we need to look at and what we can expect to find, he assesses and interprets what we see coming out of the audit tests (as compared to what we expected to find there) and he adds an additional dimension of interpretation to the results which the small audit department would not necessarily be able to offer as quickly or at all.
Even when working in a field adjacent to his or her own, the guest auditor's independence is very closely monitored by critical auditors, in turn supervised by the CAE.

Additional value for internal audit

Our currently limited experience of this new way of operating has already shown that not only does the guest auditor add value to the internal audit work, but the appreciation for the daily internal audit activities increases significantly after a spell as a guest auditor. The guest auditor is often surprised at the level of intensity and the work rhythm of internal audit professionals, which increases the appreciation for our work.
We are actually looking forward to auditing some of our guest auditors. We expect them to both be more aware of our challenges and to be better prepared for the audit itself.

In conclusion

All in all, this approach which was conceptually developed by my predecessor and which we have now implemented seems to work well for our small internal audit department. It actively adds value both to our audits and audit reports and to the guest auditor.