Wonderful old technology

I just passed by this vintage Macintosh in the window of a small repair shop close to my office in the center of Brussels.

It appears to be sitting there, very important and proud, on top of the display case. Old tech is wonderful.

I wanted to share it ...

Sense and nonsense about meetings

We spend a lot of time in meetings

But it is not always very clear why these meetings are organized. And given that many people actually do not really talk during or contribute to meetings, it makes you wonder whether all attendees need to be present. Why are employers paying money for having perfectly good employees sit through meetings which they do not add value to?

Three good reasons for inviting me to your meeting

With a limited time budget available, how can you entice me to come to your meeting:

  • You want to share some information with a larger group and the information cannot be conveyed in any other form. Perhaps you need to explain a prototype, or haven’t had the chance to work on the slides … reasons other than your procrastination are valid if the group requires this information to continue its work;
  • You need to understand a specific issue and you have been able to bring together the people confronted with the issue, the people that may understand part of the issue and the people charged with dealing with the issue. This type of meeting, if properly run, will allow for a faster knowledge transfer and idea generation;
  • You need to work collaboratively on a solution … I know there are a lot of very good tools out there, in the cloud, which allow you to do this online. In my experience, doing it face 2 face still beats most alternatives, but I am ready to be surprised.

All the other possible reasons really do not seem to be valid enough for me.

43 Folders

Listen to (and watch) Merlin Mann over at 43 Folders talk about meetings in his excellent lecture to the Twitter team. You can find this talk here. Watching this talk got me thinking …

Measuring the burden of meetings

My three good reasons are not the only good reasons. But let’s step away from the intangible aspects for a minute. Is there a way we can start quantifying the burden of meetings?

Calculating the costs of a meeting

  1. Calculating the meeting preparation cost: A meeting is not just about bringing a number of people together in a room. Often documents, such as slide decks, need to be prepared. These decks need to be printed … and someone needs to take the time to do that and buy the paper to print everything on, if paper is your poison. The printing is often the work of executive assistants, but these people need to get paid as well. And perhaps some young collaborator was charged with gathering the information in the deck. Again a cost which is directly related to the decision of having the meeting. And what about the time spent calling people, inviting them over, sending emails, rescheduling meetings … All these things cost time and therefore money to the company.

  2. Calculating the meeting infrastructure cost: Once prepared a meeting can get underway. But wait, in some cases there is a real cost to a meeting room. A number of organizations charge a small sum to a company project as a representative cost for a meeting room. And what if you have no meeting room, and need to go outside for this meeting? The cost gets very real very fast.

  3. Calculating the meeting execution cost: Once all invitees are gathered in the room, the meeting gets underway, the clock starts ticking and the cost meter starts running. Every single person at that meeting has a cost to the company. This cost is real, as they are being paid wages. This may not be the only cost. If the alternative to presence at the meeting would be another, perhaps more relevant activity, there is a real opportunity cost here.

Calculating the benefits of a meeting

There are of course reasons to have a meeting. A good meeting has very clear objectives which align with a specific goal of the organization. If this is a meeting related to a significant project, and the contribution of the meeting to the success of the project is estimated at – say – 20%, it may well pay to have the meeting. Now, to be honest, I’ve seldom been party to meetings which had such a large impact on a project. Listing all potential benefits, quantifying them in monetary amounts and assigning contribution percentages to them will allow for some quantification of the benefit.

Bringing it all together

We add all the costs, and we add all the benefits. Then we divide the benefits by the costs. What are possible scenarios?

  • The percentage is higher than 100%: in this case, the benefits far outweigh the costs, and the meeting should take place;
  • The percentage is lower than 100% … and here lies the rub … because the meeting will end up costing you. The question is whether the benefits are worth it in the longer run.

For the second scenario, I can imagine a situation where it pays to bring in a senior member of the management team in case you are working on a project where his or her input based on experience is very relevant, even if the percentage will be lower than 100. After all, you will significantly increase your chances of successfully engaging with the project. On the other hand, it may be that you have underestimated the contribution of that meeting to the project.

Example sheet

I’ve quickly developed a very basic spreadsheet to illustrate. Please feel free to use and adapt. You can find the spreadsheet here.

Simplifying risk models

A brief history

The relevance of using risk models as the basis for risk management was disputed in the beginning of this century. It actually remains disputed as an approach by a number of authors. In the early ‘00’s, leading risk management advisory companies did not see the reason to use models. They felt it impeded organizations from assessing the entirety of their risks. In the late 1990’s, Arthur Andersen was the first company to start structuring risk models as a basis for the structural implementation of enterprise risk management. Some of their risk models remain as risk models you can for example find in Protiviti’s Knowledge Leader.

The wider adoption of risk models

Risk models really came to the fore towards the end of the ’00s, when experiments in implementing enterprise risk management or ERM systems showed a significant flaw in the prior reasoning: people did not share a mutual understanding of the term ‘risk’ and even failed to agree on a common definition for the most traditional of risks.

A solution was the development of risk models: industry specific structured overviews of potential risks which could occur in companies active in a certain industry, with a clear definition of what the risk means in agreed upon terms. Agreed upon terms would be adapted to company specific terms, in order to limit the risk of misunderstanding and thus mistreatment of a specific risk.

The challenge of today’s risk models

In our quest to increase the transparency and the unified interpretation of risk models, I fear we may have overcomplicated them. Overcomplicating a risk model – or any model for that matter – lowers the adoption rates by users. Therefore, while the move towards a more complex set of risk models was necessary to develop enough detail in the risk models, we now need to make the reverse move. This move should not be towards no risk models, but towards a list, an overview of possible risks.

The added value of risk management

Because what is the actual added value of risk management? It is the optimization of our response to priority, identifiable risks if and when they occur. Risk management should NOT be a central pillar of a management system. It adds to better risk response, and can be added to ways in which an organization is run, but should not be the central element.

In essence, even if no management exists, this would not preclude risk management systems to exist across an entity or a group of entities.

Let me explain: we see the demise of certain (types of) corporations, especially, but not only in the services sector. These are being replaced by decentral, distributed networks of independent contractors which come together on a project-by-project basis. Perhaps more than ever, these decentralized networks need risk management, but they inherently do not have a management structure to, well, structure their risk management.

The trigger list in Getting Things Done

So, how do you manage risk in a distributed, decentralized environment, or in any type of environment for that matter, in an as cost-effective way as possible? You develop a risk trigger list.

Actually, this idea is not new. I borrow the central idea from David Allen, who in his excellent book called Getting Things Done refers to an incompletion trigger list as an essential tool for the brain dump, in essence a way of clearing any issues in your head and getting them on paper, for further processing.

The trigger list is a very powerful tool: it is small enough (David Allen’s trigger list covers at most 2 modest pages) to be used on a regular basis and yet complete enough so all elements you may have forgotten can be dealt with.

The Risk trigger list

In order to enhance adoption of risk management as a tool, in order to make it usable on a regular basis and complete enough to deal with most risks one could forget, I would suggest to develop a risk trigger list per project, process, organization or even industry. This trigger list, which should not be more than 2 pages long, contains trigger words, words that will result in a comprehensive listing of most of the relevant risks which can occur in that process, project, organization or industry.

You may be surprised. At least per industry, I believe at least 50% of the risks will be the same across organizations. The list will partly be generic, and partly specific to the organization, the process or the project. Developing a risk trigger list should be one of the first responsibilities in any new process or project.

The relevance

By simplifying the comprehensive risk models we’ve developed in the past 10 years and condensing them into risk trigger lists, we may reach the critical threshold to wider adoption of risk management principles, which will in turn lead to better managed processes, projects, organizations and industries.

Developing SMARTER processes

Procedures are an integral part of business

The management of an organization depends for a significant part on established procedures which govern the way in which the organization confronts its challenges. Developing and writing procedures often comes as an afterthought, with either the quality department or a junior collaborator being charged with writing these procedures.

However, these procedures will govern how processes are executed in the organization for a long time to come, often long after the initial process designers have left. So it pays to make these procedures as SMART as possible. More SMART than SMART = SMARTER.

S stands for ‘Specific’

Duncan Haughey highlights that the established goals of a certain procedure need to be specific. They need to be well defined and clear to anyone that has a basic knowledge of the process which is being described. Hence, a procedure should not be considered SMARTER unless it is shown to have a clearly defined purpose which is understood by anyone implicated by that specific procedure.

Think about it. This makes sense. After all, if there is no purpose to the procedure, why are you executing it?

M stands for ‘Measurable’

A goal, a purpose needs to be measured, in order to assess where we are in the executing of our activities with respect to the specific goal set. We start from the premise that a procedure serves a specific purpose, as per our first point. However, how will we ever know whether or not the procedure achieves its intended target if there are no measurement elements provided? In order to be SMARTER, a procedure needs to contain adequate provisions for data collection which allows measurement of both its degree of implementation and its effect.

A stands for ‘Agreed upon’

Process goals are highly dependent on the buy-in which exists regarding the objective of the process. Introducing a process which is not at least discussed with those impacted by it and ideally agreed upon by them, will not easily be complied with. Compliance is a function of acceptance of the relevance of the process. A SMARTER process is a process which is carried by its constituency.

R stands for ‘Realistic’

If a process goal is unattainable, it is not realistic. I’ve encountered many processes or procedures which had been written in an ivory tower, not taking into account the situation on the ground. An attainable, achievable and adapted set of goals or purposes, taking into account the actual reality, is a cornerstone of SMARTER processes.

T stands for ‘Time Bound’

If a goal is specific, measurable, agreed upon and realistic, it can be time bound. A process can be bound in time. We tend to introduce processes without any restrictions on how long they will stay in force. A SMARTER process is a process which is bound in time, allowing for the achievement of its related objective after which it should extinguish.

This covers my interpretation of the SMART process. But wait, aren’t we talking about SMARTER processes? Indeed, some management literature introduces the SMARTER goals.

E stands for ‘Ethical’

Any process that is SMARTER needs to make sure that it in itself is ethical. This however is not enough. It also needs to ensure that it avoids inducing unethical behavior. This aligns with the “agreed upon” aim for SMARTER processes. The fewer collaborators are supporting a process, the more they will aim to avoid following it … which can lead to borderline ethical or even unethical behavior.

R stands for ‘Relevant’

Any author of a process needs to ask the question whether that specific process is the most relevant way of reaching the intended objective. If not, the process cannot be considered SMARTER.

I am convinced that the application of the SMARTER evaluation criterion to a process will result in processes more adapted to the reality of human beings.

The external cost of internal optimization

Traditional cost reductions don’t take customers into account

Most organisations do not realize they are imposing significant burdens on their users. Any interaction involves a transaction cost. Organizations competed on cost reduction platforms, trying to drive down the transaction cost as low as possible … for their own operations. Quite often, an important part of the transaction cost is pushed onto the user, especially in situations of market dominance. What organizations often fail to see is that users will integrate the cost of the interaction in their choice. Organizations should therefore strive not to lower only their transaction costs, but to reduce the overall transaction burden, including the burden to their users.

The boundaries of cost reduction

Since the late ’80s we’ve gone from reengineering over right sizing to reengineering revisited. The aim, often rightly so, was to cut the fat out of organizations. This ‘fat’ does not add to the value delivery nor to the internal optimization of activities, and has to be removed. As with any exercise, in some cases we cut too deep. On occasion, this turned into an opportunity for certain companies which provided outsourcing services, hence the sudden bloom of the outsourcing business. After all, whether you cut costs or not, the job had to be done.

The focus on ‘core’ activities

Questions on which activities were ‘core’ to the business were asked more and more often, and non-core activities were pushed away, in order for organizations to focus on their core business. Again, not necessarily bad. However … When reengineering and restructuring, organizations often pushed out part of the requirements they had and put these responsibilities with users. It started out as a faddish project. I remember walking around in Southern California in the late 80’s, being charmed by the ‘build your own teddybear’ shops that sprouted like mushrooms. Teddybear fans built their own, and part of the production process was pushed out to the fans. This can go wrong, and we often find it has. We’ve seen situations where users were asked to provide information which the organization had in its systems, again and again.

User revolts

What a lot of companies do not understand is that users will walk away from difficult interactions. On the contrary, the easier the transaction, the more often users will stick with the organization.

Examples

Let’s look at a couple of internet enabled examples:

  • Look at purchasing habits of people owning Amazon Kindles. Their purchasing effort is minimal. The ‘one-click’ system allows for a purchase of a book with only one click. Amazon even offers advice based on their extensive purchasing profiles. People who purchased this book, also purchased …
  • Look at the recent introduction of the Genius function to the Apple App Store. Previously reserved only for music selection advice, Apple has extended its functionality to advise clients on relevant apps for their iPhone, iPod Touches or iPads.

Make it easier for users to engage with you than with any other organization

Organizations should strive to make the use decision and especially the administration related to the use decision and actual act of using their tools, services, products … as easy as possible. The information to do this is available, often in the organization’s systems. In addition, the technology exists to enable even physical purchases to be a lot less painful. What organisations need, and currently lack, is a good, quantified understanding of the cost of the transaction to their users.

Get rid of irrelevant process steps

For those of you who speak either Dutch or French, a nice journalist named Brigitte Doucet wrote a comprehensive article based on the keynote I gave at the Software AG Process Forum in February 2011. While I am formally no longer actively working in burden reduction, one of the key elements in our internal audit approach at the Belgian Development Agency will be to reduce both the administrative burden to beneficiaries and the internal cost of managing that to the optimum point. While written for for-profit environments, some of the ideas and lessons apply to non-profit as well. Enjoy the read!

You can find the Dutch article here, and the French article here.

Better capture, processing and next action organization

I’ve been using mind mapping in combination with OmniFocus for better capture, processing and next action execution. Let me tell you a bit on how I got there.

My brain is chaos

Sometimes, I have chaos for a brain. I’m not kidding. In the past, this has led to those well known and recognized moments of quiet, significant desperation and the feeling of impending doom and trepidation as deadlines approached. I hope at least some of you have on occasion felt the sudden realization hit that you completely forgot about one crucial aspect which will be discussed by your boss, peers or colleagues that very same day. That one element that you needed to contribute, and forgot about.

Now, that’s the kind of situation I really wanted to avoid. So I did all the required reading. I started with the 7 Habits. Interesting, but I missed the bullet list telling me what to do. What can I say, I’m an operationally minded guy. I read Getting Things Done, even became a paying member of GTD Connect, and reaped some of the benefits, although I really didn’t use it enough. I filled Moleskine after Moleskine, and still things slipped through the cracks.

The breakthrough

Then I discovered mind mapping. And started to understand some of the power of a tool like OmniFocus.

The capture list - visual thinking applied

Now, I’m a very visual thinker. I think in images. Mind mapping has always helped me to formulate thoughts and ideas. I use it even to blog. Most of my blog posts, even this one, have been at least partly mind mapped before I start to write. Developing my capture list in a mind map was a revelation. Note I call this a capture list, not a next action list. My capture list is about exactly that: capturing.

What I do in this mind map is true brain dumping. The free format works for me. Free thinking about stuff I need to do or deal with, or even not but that is still on my mind. I feed it with notes I have taken when I was not in the opportunity to work on the mind map directly during the day. These notes are in my trusted Moleskines. Hey, I spent the money on them, better use them. So if it doesn’t go directly on the mind map, it goes in the Moleskine.

Oh, by the way, I use the GTD completion checklist as an important weekly backstop to make sure I haven’t forgotten anything. It’s an excellent tool, and this way it does not get in my way.

OPML as a transition to OmniFocus

After I have done the capture phase, and I try to do this at least every three days (equivalent of twice a week), I open the entire mind map, which I have saved in OPML format, on my Mac. This is still a bit labor intensive but it does the trick on making me focus on processing. I highlight the words/characters of the topic of the mind map, usually at the end of the branch since I find the basis for my capture activity there.

Using services, I can then easily export this to OmniFocus’ inbox or even in a specific context or a folder. Now, and this is an important bit, using the services, I need to rewrite the OmniFocus entry. This is processing as I decide at that moment what I aim to do with this entry. I have the freedom to decide at that point whether I want to file this away for later or even discard it. It is an approach that focuses me on my decisions to define next actions on stuff, as David Allen calls it.

Tools

In terms of tools, I already mentioned OmniFocus. A great tool, I just wish there was a way to work with it in Windows as my most important client uses that platform rather than OS X. The mindmapping I do, I do in Mindnode Pro on Mac and iThoughts HD on my iPad. I save the mind map in OPML on my Dropbox account so I can retrieve the latest version from whatever device I am working on.

There you go. I just wanted to share what works for me.

Four aspects of powerful stories

Why stories are important

I often wonder what makes stories so powerful. Most of the successful business presentations I see are based on powerful underlying stories. The best presenters, be it in the boardroom or in front of a large audience, are able to entice their listeners into entering a story with them. They then lead them through it and live the conclusion of the story together. The best storytellers can move their audiences to tears or have them at least nod in empathic identification. As especially board room meetings can have a significant influence on the direction large organizations take, of course I am very interested in this powerful tool.

Stories from a risk management perspective

From a risk management perspective, another angle is relevant as well … how complete and accurate a representation is the story of the actual situation of the organization it is being told to and tries to influence? We appear to have some built in defense mechanisms against stories which do not align with the operational reality of an organization; but if a story is close to but not quite the actual reality, it may pass. If a story is influenced by risks which are relevant, but perhaps not the most relevant, we may have an issue. And due to the “close and immediate” issue which often skews risk assessments, a well told story, if not completely accurate and complete, may well lead an organization astray. So stories are relevant from a risk management perspective as well.

Four powerful aspects of stories

Reviewing a number of great presentations and related stories, I’ve come up with the following four points I believe make a story powerful. They may not be all of the elements. They were however the elements I found back in all of my notes, over and over again.

  • Recognition: A story is easy to recognize. If a story is told well and relevant to the matter at hand, listeners will very quickly identify the story with the situation they find themselves in or the situation they are working on or discussing. Recognition plants the seed for further growth … lessons learned by the characters in the stories will faster become lessons for the listeners as well.
  • Access: A story is easy to understand. The concepts which are put forward in stories are often not very complex concepts. They tend to be rather black and white. The extreme positions are actually enhancing recognition. Decision pathways that in reality may be very difficult or convoluted become almost freeways of thought in a well told story. Again, they guide the listener, as long as he suspends his disbelief, through the decision process. A great story almost hacks the brainstem and plants a full grown idea in the mind of a person, as long as this person is receptive. If you have seen the movie ‘Inception’, you may remember that the main character stated the planting of an idea was very difficult. Actually, by means of a good story, it may be very easy for a receptive mind.
  • Retention: A story is easy to remember. It glues to the mind, it sticks and it repeats itself over and over again in the mind of the listener. The more he revisits the story, the better he will remember it. The better he will remember it, the more he will be influenced by it.
  • Adaptability: A story is easily adaptable to a personal situation. A well told story provides a lot of surrounding detail, but will allow for the listener to fill in the details himself. This in turn allows the listener to bring the story into his mind and anchor it there by filling in the blanks. Stephen King, in his groundbreaking “Danse Macabre”, a non-fiction work on the horror story and its history, states that the best horror stories are those which let the listener fill in the blanks with his own fears. The medium provides a significant influence in this. The book provided the most fertile ground. You needed to imagine even the voices yourself. Radio was great as well, as it brought the story to a fertile set of minds, glued to the radio, and let them fill in the blanks. Movies and TV nowadays take away a lot of the work to be done by the listener/viewer. As a result, the risk of a disconnect is higher.

Lessons from stories

What does this point to? If a story is good, it is in line with the reality of the organization. If the storyteller is good, he will allow for the minds of his listeners to fill in the blanks. He takes them to a land of his choosing, where the characters are defined by him, but the environment is entirely the choice of the listener. By taking his listeners through his ideas, he guides them through a thought process that eventually will lead them to an understanding or a decision. The best storytellers determine in advance, when building the story, what the outcome should be. It also tells us that the best storytellers don’t use too many visual materials such as Powerpoint because they realize this distracts the listeners rather than assists them in gaining access to the story.

Fairness is a factor in regulatory compliance

Difficulties in regulatory compliance

Some regulations are notoriously difficult to ensure compliance with. Take speed limits for example. Few people will, when confronted with an empty or almost empty road, stick to the speed limits as indicated and “enforced”. Unless you are unlucky or not aware of where fixed and mobile cameras may be positioned, the likelihood of getting caught is very small. However, in doing so, you are breaking the law. You are no longer compliant with the regulations as they apply to you as a road user.

Compliance versus fairness and relevance

Why do people speed when given the chance under the right conditions? Because they believe it to be fair to do so in case the opportunity presents itself and the risk is limited, and mainly a risk to themselves. Their concept of fairness and relevance is taken into account when they take the decision not to obey the rules. If 90 miles per hour is not relevant under specific conditions, the propensity to comply will reduce. What about taxes? The situation is comparable. As long as we pay an amount equal to or, depending on the variables, in line with our neighbors, we will pay what we are required to. This accounts for a higher degree of perceived compliance issues in certain geographical locations, especially in those with a consistent demographic character.

The challenge to government

Thus, the challenge to government: if people are willing to comply with regulation if they perceive this regulation as fair, how can government increase this perception of fairness?

I would like to propose three elements, which I believe to be a necessary part of the solution:

  • The regulation should be easy to understand, not only in terms of the content itself, but also in terms of the concrete consequences of the regulation for the citizens and organizations subjected to it. Government needs to tell us what will be the very specific consequences of compliance to us;
  • The regulation should be communicated on, in an understandable language with very concrete examples. Government needs to tell me what this is all about, why I should do this and who else is subjected to the same regulation. The regulation should be put in a wider context … Government should not treat us as children, but needs to explain why it is doing what it is doing;
  • Without ignoring the need for continuity in regulation, I believe regulation needs to be bound in time. A sunset clause with a required consultation and sign-off by implicated parties prior to renewal of a regulation, where the implicated parties can make suggestions on improving the efficiency of a law, should be considered.

This way we may have a shot at increasing compliance without significantly increasing the monitoring and follow-up costs, as target groups are informed on impact and wider context and are able to provide their feedback during a regulatory renewal process.

On informal networks and established businesses

Informal networks are competing with established business structures

The cost of informal networks getting together, creating something and then splitting apart again has gone down considerably because of the internet and the collaborative and co-creation tools it now offers to these organizations. The economies of scale which once heralded the birth of corporations no longer hold for most services.

Customer requirements, the appropriate solutions to these requirements and the dynamics of their creation are changing

As coined by Seth Godin, the consumer tribes ask for more and more individualized services. Their needs in terms of solutions are different, as the needs of more and more fragmented markets become dramatically different from the one size fits all of prior periods. Malcolm Gladwell has a well-known talk on TED, on spaghetti sauce. He states there is no market, there are multiple markets. Tribes are the new markets, in which tribe members communicate with each other, with other tribes, with non-affiliated consumers, and ideally, with the corporations catering to the markets. These tribes are vocal, they are driven, and they are aware. The most essential mistake to make here is to underestimate the tribes and their inherent market powers.

Business as usual?

Therefore, in order to provide for these markets, business will need to adapt and change. They will need to become more agile, probably smaller or at least adopt a structure that allows for quick reaction to opportunities and to tribal needs. Whereas the shareholder stays very important, the needs of the myriad of stakeholders will become more and more important.

The end of the IPO and market money making?

This does not necessarily spell the end of the IPO and of market money making. However, make no mistake about it, large funding for development will still be needed, but growth for growth’s sake is unlikely to remain acceptable. High performance will be required, and the structures will be determined by the performance requirements, whereas currently performance is mainly determined by the existing structures. An anti-reaction appears to be building, in which the corporatization trap is to be avoided at all costs, because this trap results in a corporation looking inward and losing touch with reality, instead of looking outward and being in tune with the world of their customers, their tribes. Let’s make sure we don’t lose all good elements and lessons the corporation has brought us.

Customers are redefining value

Quality was for a long time the only thing an organization appeared to care about. Not necessarily high quality, but good enough quality. Now, quality is no longer a distinguishing factor. I can buy a high quality car pretty much anywhere in the world, my laptop and my mobile come from the other side of the world … therefore, the average corporation’s peak performance is becoming the bare minimum condition to play in the new markets. Note that this peak performance has been influenced by reengineering, by cost reductions, by right sizing, by process optimizations, by producing for an acceptable average quality. The customer experience has been anonymized. The new reality is a reality in which customers are understanding their power of purchase, and are exercising this power on a daily basis. Ask Dell, ask RIM, ask Toyota …

A case in point, the professional services industry

Large professional services organizations are the first to promote innovation but I believe they will only survive if:

  • They become enablers of linchpins in their organizations: Read Seth Godin’s excellent book on Linchpins if you have not already;

  • They value experience: Instead of trying to leverage on every project, large service corporations will need to put more experience and especially more client centric experience in the line, and less young people learning the trade. There is no issue with young people learning the trade, but not at the fees easily asked in the past;

  • They become cost effective in the new reality: They will need to compete with lower cost, high value providers, with less overhead. Large service organizations will need to restructure and reinvent themselves.

Independence, objectivity and proximity

Context

There is discussion ongoing at the Belgian federal government level about the (minimal) independence requirements for internal auditors active in the Belgian federal administrations. I want to weigh in with some thoughts on that. This article is partly based on a recent position paper by the IIA on independence and objectivity, which I found very clarifying.

A short history of internal audit in the Belgian federal government

Internal audits are not new to these administrations. They existed, some had active audit committees, but the Copernicus reform of the late ’90s and early ’00s embedded them. Sadly, the control and monitoring pillar of this reform was never implemented.

The initial royal decrees were rewritten from their original 2002 texts to correct for some inherent contradictions and dysfunctions and republished in 2007. Over the course of these years, internal auditors were either embedded into program management offices or maintained their assurance functions by adding a significant amount of consulting activities. The audit committees which had been disbanded because of pending re-establishment in the context of the Copernicus reform were not there to shield the auditors from the management teams of the federal government services … so the auditors protected themselves and created a modus vivendi. Quite often they reported to the president of the federal government service, in absence of the availability of any other structure. This survival strategy is now considered to be a main factor in questioning independence.

An off-topic remark: whatever the criticism thrown at these people and their functioning, I admire the way in which the auditors survived in this often initially quite hostile environment. It’s a sign of their persistence and commitment.

Why independence is important for an auditor

Now, independence is at the core of the internal audit profession. The internal auditor performs what in essence amounts to an oversight activity for the board or its equivalent, and provides that board with a reasonable assurance that the internal controls and the systems of risk management of an organization are under control. In order to be able to provide that assurance in the most objective manner possible, factors which may impede this objectivity need to be reduced as much as possible. The more independent internal audit is from management and operations, the less likely impairments of objectivity become.

The objectivity and thus the need for independence is most relevant in the assessment of the required aspects to cover (establishing the audit universe, performing the risk analysis and the resulting audit planning) as well as in the way in which the internal audit activities will be executed.

For certain operational aspects, internal audit often needs to consult with the management team. An example would be the funding of internal audit activities, as these represent a cost to the organization. The wages and expenses of internal audit are real expenditure and represent an opportunity cost for other projects. For this reason and because it may be used as a weapon against objectivity, the audit committee acts as an advisory committee to the board for two broad roles:

  • to act as an oversight committee on overall audit activities;

  • to act as recourse for internal audit in case of disagreement with management.

This may seem to be an adequate basis for independence that is as complete as possible. However, there are limitations to that independence.

Limitations of independence

The need for independence is not the only relevant need that exists. Given internal audit in itself is a cost to the company, it needs to be relevant. Now, what may impede relevance?

Internal auditors that are too far removed from the operational reality of an organization will operate and audit outside of the true or relevant scope of operations. Quite a few outsourcing projects have borne witness to that in the past. This has little to do with ill will or incompetence. In order to assess the true risk exposures, there is a need for understanding the operational reality in which the organization works.

This is one of the key limitations of independence: the lower the proximity to the day-to-day operations, the lower the true operational relevance of the internal auditor, even if he or she understands the context in which the activities are executed. Understanding is not enough. There needs to be a true proximity to the daily reality. There’s another reason for this as well …

The incremental nature of recommendations

Being the first to audit a process or a function is usually a great experience, especially if you understand how the process is organized and can be improved: process and control deficiencies are easy to identify and recommendations are quite easy to formulate.

However, assuming recommendations are implemented, even if not completely as recommended by the auditors, the more often you audit a process, the more incremental the recommendations tend to become. Small corrections in process and controls which may have significant impacts, but which require a thorough understanding of what can be done in a process to be relevant. After a couple of audits, there is no low hanging fruit left. It’s about understanding not only the process, but also the environment in which it is being executed.

The proximity requirement

In order to be able to provide an organization with relevant recommendations, even after a couple of audits, you need mature, well-trained, objective internal auditors that understand the operations they are confronted with. I am not convinced a centralized internal audit service is the solution. I believe that the audit committee should be one of the major safeguards to ensure that the internal auditors present in the federal government services have adequate independence, not by creating an entity physically separate from the federal government services but by making sure that the active internal auditors can be as objective as necessary while still maintaining a proximity to the daily operations of a federal government service.

Only then will the combination of assurance activities and consulting activities, as described in the definition of internal audit, yield the most optimal results.

An interesting article on risk management by Matthew Leitch

Matthew Leitch has posted an interesting article on what integrated risk management actually means on his site, here. This analysis is based on a survey he executed and I participated in. As usual, his methodology as well as the scope of his analysis is well defined and well executed.

I believe his conclusions are well founded based on his results. You really need to read the entire analysis, including the analysis of responses to each of the 10 scenarios he offered. I have a couple of remarks on his analysis.

Good risk management appears to be integrated

Where an aspect of the scenario, most respondents have chosen those scenarios which allowed for as broad a data set as possible to be available for risk management. They also chose to involve as large a group of collaborators as possible in such an exercise. Clearly, good risk management should not be separate from the organization in which it is being executed.

This is completely in line with the experience we’ve built in the Belgian federal public sector. The more, the merrier, it seems, but the more people are involved in a well-executed process, the better the information which is used in the risk management process.

Risk related policies are indicative of risk appetite

Matthew refers to BS 31100:2011, the British risk management standard, and its definition of risk appetite. This definition shies away from the limits or thresholds for risks and focuses on policy decisions with respect to risk. I feel this to be a very important distinction. Establishing risk thresholds has always felt like a rather retroactive approach. Once the bells and whistles go off, we’ll decide what to do or how to react. By establishing a clear policy framework on risk, most of the thinking on risk has been done. This is not cast in stone, but at least a lot of the required assessments, which do take time, have been executed. In addition, I believe that the nature of the risk related policies a company adopts is indicative of the risk appetite or risk tolerance of that organization.

Integrated risk management involves a significant initial effort

Reading through the scenarios Matthew offered in his survey, I could not fail to notice that the effort in setting up an integrated risk management system always appears significantly heavier than the effort in going for the less integrated approach. In selling risk management to management, this may be an issue. In order to allow for a full implementation, you will need a strong champion in the organization.

Perception point

One of the main conclusions Matthew draws from his survey is that listing risks is not critical to integrated risk management. I do agree as I am rather allergic to the traditional risk register. However … in the context of risk management, every stakeholder has his or her own way of looking at risks related to their day-to-day activities and environment. This unique way is very much determined by factors which are in turn different for each of the participants. No one position will allow for a complete view on all relevant risks. It’s my experience that developing a Risk Identification Model, a sort of reference or vocabulary of potential risks which, as an instrument, is alive and can be added to or amended, is a good tool for two purposes:

  1. It allows all participants, when browsing the Risk Identification Model prior to a risk assessment exercise, to gain an understanding of the possible risks that may come up during the exercise. It broadens their scope and will ensure they will at least consider the different elements;
  2. It allows for identification of transversal issues which can or should be managed across the entire organization or a part of it.

Conclusion

The survey is a very interesting view on integrated risk management. Matthew Leitch has again done a wonderful job. A good read.

Reengineering and customer satisfaction

The focus of reengineering and process optimization

Many organizations have invested significant time and means in internal process optimization. Often for all the right reasons, such as performance improvements which were essential and reduced organisational bloat. Occasionally for the wrong reasons, such as the reaction the stock market will have to the intent to reengineer: management by announcement. These optimizations are almost always internal: for most companies, direct cost control over a process ended at their door. But does it? Should there not be an external focus?

The relevance of the external focus

Internal processes impact the customer base, either directly or indirectly. So if an organization starts restructuring these processes, it will impact its customer experience. You really can’t have one without the other. So during a reengineering project, the focus needs to be external as well. This is often neglected. If an organization fails to address the impacts of its process adaptations on its customer base, it is likely to alienate customers. This way, internal cost reduction leads to an external revenue reduction. Usually not the purpose.

First step towards understanding – walk a mile in your customer’s shoes

There are a couple of concrete actions an organization can commit itself to in order to gain a better understanding of the external impact its reengineered procedures can have.

A first thing to do, to paraphrase Stephen Covey, is to first seek to understand. You can only truly appreciate the issues your customers have if you understand them. Not only on the intellectual level, but on the emotional level as well. And the best way to do that is to become your own customer.

Approach your organization as if it were a third party, and engage in a transaction. What happens? What do you need to do? Do you understand why the process requires you to perform certain actions? Is it apparent to your customers? Is it really necessary?

Based on this initial insight, this understanding, you will be in a much better position to understand the genuine concerns your customers may have.

A quick comment on slideware

Listening to a recent Back to Work episode here and Merlin Mann’s comments on slides, I started thinking:

“If we don’t use slideware to tell stories to children, why do we insist on beating to death adults with PowerPoint presentations when in essence we are doing the same thing: telling stories?”

Clearing and cleaning organizational processes

Process waste management

Recently I came across an article on David Allen’s GTD Connect site. In essence, what David was talking about was the need to perform regular waste management tasks on personal processes. Quite often a process that served a specific purpose in a specific context no longer serves that purpose or no longer represents the best possible way to execute a certain task. Many reasons can contribute, such as a context having changed or disappeared. In other cases, the grounds for the task have disappeared. We have a tendency, as people, to remain hooked on these “traditions” long after their useful life has passed. And what is relevant in personal processes is in this case as relevant or even more so for organizational processes.

How processes are born

Most processes start as the result of projects which were initiated to address one or more specific issues. As a result of the project, a set of recommendations was issued, among which the suggestion to develop a certain work method to address part or the whole of the issue set. In order to execute the work method, you need resources, i.e. people and money, engaged for a longer term.

Self-sustaining structures

These structures (an organizational structure with people, processes and systems) are developed to solve an issue. However, structures with people in a hierarchical structure tend to try to maintain their existence. It gets worse; these structures will try to extend their roles and responsibilities. Eventually, they become too heavy and start clogging the system. What’s so bad about this is that rather than eliminating the structures at the end of their useful life, the issue is avoided and structures are repurposed. This results in structures being used for purposes they were not designed for. Thus, efficiency, effectiveness and economy are not assured.

Introducing sun-set structures

A possible way to avoid this is to establish structures with a built-in sunset clause. Once a certain period is over or a specific condition is no longer met, the structure is to be dissolved in order to make place for new structures which are designed for the task. Of course, the people involved in those structures, either directly (employees) or indirectly (providers of services to the structure) will be resistant to change. They feel secure where they are, and they will want to remain where they are. Few people go out actively looking for an exposed position. However, this shows the issue. Currently, people identify with their position, not with their role or contribution. In order to allow people to move away from their association with structures as they relate to their position, we need to focus on the value their contribution brings, rather than their position.

Using the extended Gruber-Mann theorem

As stated in a prior blog post, we can use the extended Gruber-Mann theorem to assess contribution. By measuring topical relevance (“obsession”), availability of proper communication channels, both formally and informally (“voice”) and the intrinsic motivation (“purpose”) of employees, and by feeding that with well focused training and freedom to exercise their brains in the context of their work but outside of the daily grind, I am sure we can build functional organizations where position is less relevant than topic, voice and purpose. Where contribution becomes very relevant.

This is a curation of a prior post on Risk & Reengineering

The 80-year bubble - the end of management consulting as you know it

The origins of management consulting

After a slow start in the 19th century, management consulting came into its own during the Great Recession, in the early 1930’s. If you want to read more about the dynamics behind the growth of the profession, there are worse papers to read than Christopher D. McKenna’s paper on The Origins of Modern Management Consulting. The paper provides a non-traditional view on the reasons for the growth of the profession which ring true to most veterans of the profession reading it. In addition, it shows that what is currently often marketed as new or groundbreaking is anything but. Deep collaborations between management consultants, bankers, accountants and engineers form the basis for the profession, not a new opportunity.

Whatever the drivers, management consulting has provided organizations with access to independent, external expertise in areas which were not core to these organizations. Just as it doesn’t pay to have a plumber in your house at all times, a management consultant was often called when the need arose. Given the asymmetry of access to information, the one stop shop for management consulting was a good deal for many companies at that time.

Recent evolutions in the traditional hunting grounds

Recent years have seen a steady increase in the level of professionalism of support functions in a lot of organizations. Quality management, for example, long a function outsourced to experts, has been internalized by most organizations and is seen as core to its functioning and reputation. By building these competencies internally, often driven by former consultants who joined the organization, enterprises have steadily been cannibalizing the most profitable areas for management consulting: those areas in which management consultants can use low level resources to provide the brunt of the work. That model, often called the 1to3 model, is the basis of leverage. And well leveraged jobs are the key to management consulting profitability.

A second evolution is the advent of the internet as a true business tool. Where before there was a real information asymmetry and as a client you had limited to no information on other competencies outside of your traditional providers, unless you actively went and spent a lot of time looking for it, nowadays information on similar or comparable service offerings is at most a couple of clicks away. The only real barrier to switching is the experience with and knowledge of the organization the incumbent consultant has gathered over the years working for you. However, if you can transfer the responsibility and especially the cost of onboarding and learning to a new management consultant, you can start shopping around as a client.

The tipping point

The pressure on the traditional management consultants has been mounting for a number of years, as witnessed by fee pressure, which was apparent even before the 2008 crisis. On the other hand, the market has never been more accessible. And lots of smaller management consulting teams, often composed of a handful of consultants, put their stake in the ground and declare their intent to serve. Often at very interesting fee levels, as they are not burdened by the significant overhead and higher level personal revenue expectations traditional management consultants have.

I have a strong feeling a key tipping point has been reached that will redefine this service area forever. I’m leaving aside the IT implementor and integrator arena, which requires significant numbers of technically proficient consultants but which has been under pressure since the late 1990’s, as witnessed by the steady decrease in fee levels and the emergence of new players in that market. No, on the contrary, I’m talking about the core management consulting as provided by the Big 4, by Bain, McKinsey and the Boston Consulting Group.

What the future holds

The future holds, in my opinion, a significant redefinition of the market. Consulting firms, which have been growing since the early 1930’s, will start to become smaller again. Their intake of new recruits will slow down and they will start to invest in building a deeper understanding of the issues. Partners and directors, which are currently mainly sales people, will need to invest in deep knowledge development and will need to commit to invest multiple years in really learning and understanding a market. I predict this will be a bridge too far for an entire generation of older partners, who will not be willing to make the investment, will cash out and retreat from the business.

The possibility to leverage will decline to a fraction of what it currently is. People who enter into the profession will need to take into account that while it will still be possible to make very good money in this market, the traditional structures of past consulting practices are over. For good. The projects which allow for the past level of leverage just won’t be there, and clients will refuse to pay for the education of people not on their own payroll. After all, at the market you don’t pay for both the grain and the bread. You only pay once, and that once contains the cost of the expertise of one who knows how to make bread.

People entering the market will do so with a true passion for the issues or for the profession of assisting organizations in their development and growth. With the need for continuous and continued investment in content development to a high required level of expertise, you will need to be very passionate to succeed.

A new opportunity for modern consulting practices

However, and that is a very positive evolution, gaining access to the market will become easier and easier. As mentioned above, I note many smaller firms being established with a very limited number of partners, with a very specific and targeted focus area and with a clear vision of what they can and especially cannot do. These niche consulting boutiques find each other through the internet, through networks such as LinkedIn and the like, and are able to come together around a specific project for a limited period of time. After the project, each organization goes its separate way. Project management of both the project itself and the relationship between the multiple providers is slowly becoming a separate consulting market, or even a meta-market. After all, the participating consulting organizations attract a third party to manage the project and the interdependencies between them without getting bogged down in the specifics themselves.

Experience by practicing what you preach

Their partners are partners in the consulting organization but retain the independence to do stints of a couple of years in organizations, further developing their knowledge and trade. They may return or they may not. If they don’t, they exemplify the McKinsey concept of keeping the vast McKinsey alumni network alive. If they do return, they bring both a network and newly gained knowledge and understanding which can only enhance the quality of service delivery.

In conclusion

The internet, combined with the internalization of core non-traditional skills in enterprises is leading to the bursting of the 80-year bubble of management consulting. In my opinion it will in time lead to a significant enhancement of the added value consulting can bring to the table and show that McKinsey had it right all along. Combining the network with deep skills and access to information developed in depth can only enhance market positioning.

A word of warning

However, a last word of warning: as with many markets, a significant change results in a period of Wild West behavior in the market. Exercise due diligence and avoid the snake oil salesmen you find in every market.

Full disclosure: the organization I am employed by will until November 11th 2011 be providing services to one of the Big 4 advisory companies. Since 1995, I have worked for Big 4 advisory companies and with a number of consulting companies active in the same space. I have also been active in strategic consulting. This text represents my personal opinion and is not representative of any opinion held in the past, present and future by my past or current employers or clients.

This text is a curation of an article I wrote a couple of weeks ago for my blog “Risk & Reengineering”

Extending the "Gruber-Mann" theorem

What is the Gruber-Mann Theorem?

I’m again returning to the excellent talk Merlin Mann and John Gruber gave in 2009 at the famous South by Southwest conference (SxSW). In their talk, they defined by means of a simple formula the key requirements for consistent delivery of quality work. It requires obsession feeding voice and voice working with obsession. Their formula, which reads “voice x obsession”, is powerful in all its simplicity. As great ideas often are.

Extending the formula

If the formula is that brilliant, why try to add to it? Two reasons:

  • first, I see a link with quite a few other ideas that I’ve come in contact with in the past years, which may enhance our understanding of the Gruber-Mann theorem;

  • second, because I want to see where it leads if we link the theorem to the idea of contribution, or, as Stephen Covey puts it, the idea of leaving a legacy.

Now, what I propose is to merely add a context to the performance, the quality work which results from voice and obsession. And that context is formed by something which I refer to as purpose. Hence, I would like to expand the Gruber-Mann theorem by adding purpose to the equation. Thus, the amended theorem becomes:

Obsession x Voice (the Gruber-Mann theorem) x Purpose = Contribution

The relevance

It’s a proof of concept. While we need to assess our fellow human beings as the complex creatures they are, just as we want to be assessed in all our complexity, this day and age is looking for a more meaningful contribution. Look at Occupy Wall Street. Look at the adoration for iconic figures, such as Steve Jobs. You feel a whole society scream out for deeper relevance. Perhaps this is a way to assist in assessing this. I was looking for the equal sign in the theorem when I thought about the extension.

The factors in the theorem

But before we get into the implications of the extended Gruber-Mann theorem, let’s make sure we are on the same page regarding definitions: These are the internet dictionary definitions of the words used in the formula:

  • Obsession: The domination of one’s thoughts or feelings by a persistent idea, image, desire, etc.

  • Voice: The expression in spoken or written words, also, the person or other agency through which something is expressed or revealed.

  • Purpose: the reason for which something exists or is done, made, used, etc or the intended or desired result, end, aim or goal.

  • Contribution: the act of contributing, to give (money, time, knowledge, assistance etc) to a common supply, fund, etc as for charitable purposes.

Deeper into the factors

Let’s talk about voice first. We learn voice. From our first breath we are surrounded by voices, which exert influence over us and teach us to become what we are. They teach us how to speak, how to write, how to draw, to dance, to present, to interact. They assist us in finding our own voice. The internet has increased the number of voices we are exposed to a million-fold. Voice can be misleading, and a key accomplishment for anyone is to learn how to recognize authentic voice.

Then there is obsession. Such a negative word. More and more people are being diagnosed with disorders related to some form of obsession. Yet at the same time, true constructive obsession in the positive sense of the word becomes more and more difficult to find. I really enjoy Sir Ken Robinson’s talk about education, its narrow definition (my interpretation of his words) and its impact on our ability to find our obsession. Most people take a long time to find out what they are really good at. I might even say that schools are breeding the obsession out of our kids. But if there is no obsession, if there is no striving to understand just for the purpose of understanding, what then is next? Where do we go from here? Do we only go where it glitters, or do we find our way back to what matters? I’m quoting Umair Haque, of Harvard’s Media Lab, in his excellent article in the Harvard Business Review.

The point with obsession is that a good obsession develops, matures over time, through regular exposure. However, at the current speed of consumption, where consumables are offered faster and faster still, we are creating touch-and-go people. Perhaps we are going through a transition where the minds of the next generations (I’m generation X, by the way) are learning to deal with this. On the other side, it’s entirely possible we are breeding a generation of generalists, with no one capable any longer of doing a really profound deep dive in a subject. Let me be an Apple fanboy for a moment: the longevity and the focus of Apple products is completely counter to most other brands, and I believe part of the appeal for a lot of people.

A last point about obsession, before we move to purpose: when you are obsessed by something, you tend to be able to focus longer on that specific subject, whatever the stimuli. Your need to switch tools will therefore be less frequent, and you will be more productive as a result. Hence, if you stick to your obsession, you are likely to perform better. This makes a lot of sense: it’s all about care.

Let’s look at purpose. I see quite a few good signs as far as the increasing presence of and striving for purpose is concerned. Is it because we realize the noise is drowning out our voices? Is it because we realize we no longer have the luxury of time to become obsessed with something? There appears to be more striving for purpose now than I have seen in the past decades. It may be that the internet is again a conduit for something bigger. That community, a concept we lost in the 1970’s and 1980’s, is slowly returning as a value. We’re certainly more aware than we were before about what is going on on the other side of the world. We also start to realize what is going on next door. Of course, this is a double-edged sword. On the one hand, our awareness increases our need to do something, to intervene. On the other hand, most things we learn about are really big (again, if not they get drowned out by the noise of voices yelling at a slightly different frequency than our own), and the scope often renders us helpless. This may lead to a lethargic response, to a deadening of the senses.

And finally, what about contribution? Please make sure you retain perspective. Contribution is what we have added to the mix. There is no absolute measure of value here. I’ve developed a few examples of what valuable contribution could be. It really depends on all factors as well as whom they matter to. Contribution can be enormous in the monetary sense. Or it may not involve money at all, but be about a child that was cared for. Looking at the reporting out of Ethiopia during the drought, I was heartbroken by the stories and images of parents having to abandon their deceased children. As a parent myself, it grabs my heart with a cold hard fist and squeezes. There’s quite a lot of contribution to be done there, in many forms.

Applying the formula

I’ve identified one well known person, a group of reasonably known people and an unknown theoretic person, just to elaborate on the application of the extended theorem. Let’s see if the slipper fits:

  • Steve Jobs: An obvious test. He had an obsession, which was consumer electronics and usability, coupled with a very strong voice. Just look at the 2007 WWDC Keynote, where he announced the iPhone. His obsession x voice served a purpose, which was to disrupt traditionally asymmetric markets and set the baseline for consumer electronics usability. He also put a darn big dent in the world. Considering all that, he made a very high contribution.

  • Dan Benjamin and his team of co-hosts on the 5by5 network: Yes, I am an avid 5by5 fan. Dan and his co-hosts have an obsession, which is making high quality podcasts on a wide range of subjects. Dan has a voice. He has a very good radio voice but he also has a way of bringing subject matter to the fore which he is able to adapt to his co-host and his audience. For example, if you hear him talking to Marco Arment on Build & Analyze, he is very different from the way he interacts with Merlin Mann on Back to Work. He has a purpose, which is providing all this information to a group of listening nerds and enhancing their lives with the ideas he and his co-hosts put forward. All things considered, his contribution is significant.

  • A single mother working two or three jobs to feed her children: I am in awe of these people. Their purpose is to help build a future for their children, a future most of them never would have had were it not for the effort of these mothers. Their voice is often their silence. Or the motivation they give their children, after having worked for many hours, to get good grades, to study, to do well. Their voice is the manners with which they raise their children in dire circumstances. In the end, their children become their voice. Their obsession is their relentless commitment to what they can do, working, and working, and if they are tired, working some more … and still be there for their children.

The link with process reengineering

If you wonder what this has to do with process reengineering … replace obsession by topic, as Gruber and Mann did in the SXSW talk, and use it as a measure for continued process relevance, or call it process contribution. It leads nicely into another blog topic on cleaning and clearing processes.

Risks associated with measuring impact and likelihood

Subjectivity is all around us

Any evaluation, however objective you want it to be, is necessarily subjective. Just read some of Nassim Nicholas Taleb’s books, which provide ample illustration of how easily we start to act based on subjective assessments. Now, contrast this with new risk management methodologies and applications, which frequently tout new and improved ways and means of measuring the impact of a risk on objectives and the likelihood of occurrence of that risk as part of their process.

Impact and likelihood are subjective

We need to raise the question: can subjectively assessed impact and likelihood be considered that relevant? Can we ensure that the evaluation of these two criteria is done in as objective a manner as possible?

  • The negative: performing this assessment in an entirely objective and therefore relevant manner will be very difficult.
  • The positive: these criteria do not necessarily need to be evaluated to perform good risk management.

We frequently over-evaluate the likelihood of recent occurrences

When assessing likelihood of occurrence of a risk, participants tend to over-evaluate risks which occurred recently or at all. If there is a reference point, people charged with evaluating will often attribute a higher likelihood to these recent events, even if the probability of occurrence has in effect been reduced by the (over)reaction to the event. An example: Remember 9/11? People were more scared of terrorist events after the attacks on New York and Washington than before, whereas the actual likelihood of occurrence had diminished because of reactive measures taken. The conclusion: if it has happened before, we think it more likely to happen again. Turning this around, we also tend to under-evaluate those risks we know little or nothing about. Often these risks won’t even show up in an assessment until they occur … after which they are over-evaluated in terms of likelihood of occurrence.

Abstract risk description leads to under-evaluating the impact of a risk

If we cannot imagine a risk occurring, we cannot assess the potential impact of it and we tend to underestimate its impact. Conversely, the better informed we are, and the more concretely a risk is formulated, the better we are at assessing its impact. Now, this not only makes the case for a significant investment in a risk (identification) model which aims at translating a risk into terms as concrete as possible, but it also warns of the risk of skewing assessments if risks are not appropriately described.

What this means for assessed versus “real” inherent risk

Assessed inherent risk, as a function of impact and likelihood of occurrence, will likely not be a correct representation of the actual inherent risk. Assessments are skewed because the evaluations are done by people and are always subjective, and they are very difficult to correct for as we have no insight into the motivation to vote one way or another.

Trusted collaborators skew our perception of current control level

The problems, however, do not end there. Often, a third dimension is measured: the current control level or the current risk management level. In this assessment, the presence of known and trusted collaborators charged with working on internal controls will skew management’s assessment of the current level of internal control or current level of risk management, which they will tend to overrate. The better the measures functioned in the past, the more concrete the measures are to the manager evaluating them, the more likely he or she will actually overestimate their effectiveness.

First conclusions: is risk management doomed?

Not necessarily. There are, however, a couple of elements to keep in mind. The traditional risk matrix, representing impact and likelihood on two separate axes, will more than likely misrepresent the objective truth. When using a standard risk matrix, do so with caution. The risk control matrix can be used as a good tool subject to certain preconditions:

  • Do not merely and blindly use impact and likelihood as this will create a false sense of security. Evaluate level of (inherent) risk as one evaluation instead. Inform participants in the assessment that level of (inherent) risk is a function of their perception of impact and likelihood, but ask them to perform their own ‘integration’ of the two factors. Level of (inherent) risk remains an intuitive assessment.

  • Instead of assessing level of current control, reverse the question and ask participants to assess ‘exposure’ or ‘vulnerability’. Again, this is an intuitive assessment. I refer to this post for some more ideas on that.

  • Develop the risk control matrix by combining level of (inherent) risk with exposure or vulnerability in a two dimensional representation.

  • Remain very aware the assessment is a subjective assessment at all times. The map is NOT the territory.

  • Correct quadrant III of the risk control matrix (which I will detail in a further post) for under-evaluation of level of (inherent) risk due to the factors discussed above. Internal audit, in executing its assurance function, needs to focus on both quadrant II and III of the risk control matrix.

The three categories in a Risk Identification Model

Why use categories?

A way of structuring a risk identification model is by using categories. A category is a risk cluster which clusters risks according to area of (possible) occurrence. I use the following three categories, and do further clustering within a category according to types (a post on this to follow later):

  1. Environment (risks related to): in this category I put all identified risks to the objectives of the area in scope which occur outside of the scope (i.e. the external environment). You may find risks such as availability of budgetary means, legal changes, demographic evolutions etc here, as long as these risks occur outside of the scope of risk review, and can impact the objectives of the area within scope;

  2. Operational activities (risks related to): in this category you can find all risks related to actual operational activities within scope of the risk management exercise. Risks related to process structure (bottlenecks) but also risks related to personnel motivation, ICT or integrity, to name a few, find their place here;

  3. Interfaces and decision making (risks related to): this last category contains all risks related to reporting about the operational activities. For example, the risk that the balanced scorecard system is not adequately structured and thus provides erroneous information on the process can be found in this category.

5 reasons for using a risk (identification) model

A frequently asked question

“Why do you insist on using a risk (identification) model as the basis for risk management? We can easily do this without a model.” It’s a question that comes up on occasion when I am teaching risk management or executing a risk assessment. It’s a relevant question. I’ve put together 5 good reasons to use a risk model, but there are many more, I am sure.

My five main reasons for using a risk identification model

  • Clear and consistent understanding of the risks – People’s perception of reality will lead their interpretation of it. While a banana will surely be a banana for most of us, what do we mean by client satisfaction, or workforce motivation? A risk (identification) model will reduce the burden of having to explain every risk related idea and concept as they are already defined in the model;
  • Neutrality of the risk description and questions – Although not a direct result of developing a model, the fact it will be used by more than one person leads to a more neutral description of the risks, especially if the participants can propose amendments to the risk descriptions;
  • Higher degree of completeness of the risks in the analysis – A key challenge in risk analysis and management is to ensure as high a level of completeness (a reasonable assurance on completeness of the risks) as you can. The use of a model will help participants identify the risks that are not represented by providing a comparative baseline for the risk universe;
  • Structuring the risks – a well developed risk (identification) model will provide a structural baseline, which will allow the participants to link risks to areas of occurrence (e.g. does this risk occur in my environment, in my operations or in my decision taking) and to their nature (e.g. is this about the way my process is structured or about the level of job satisfaction of my personnel?)
  • Reuse – perhaps the most relevant of reasons: we’ve noted that once an organization has gone through the effort of developing an elaborate risk (identification) model, the model is most of the time reusable in other departments or processes as up to 80% of the risks can be similar in nature.