• Home
  • About Us
  • Contact Us
  • Privacy Policy
  • Special Offers
Business Intelligence Info
  • Business Intelligence
    • BI News and Info
    • Big Data
    • Mobile and Cloud
    • Self-Service BI
  • CRM
    • CRM News and Info
    • InfusionSoft
    • Microsoft Dynamics CRM
    • NetSuite
    • OnContact
    • Salesforce
    • Workbooks
  • Data Mining
    • Pentaho
    • Sisense
    • Tableau
    • TIBCO Spotfire
  • Data Warehousing
    • DWH News and Info
    • IBM DB2
    • Microsoft SQL Server
    • Oracle
    • Teradata
  • Predictive Analytics
    • FICO
    • KNIME
    • Mathematica
    • Matlab
    • Minitab
    • RapidMiner
    • Revolution
    • SAP
    • SAS/SPSS
  • Humor

Advice For The CFO: Get Out Of Control (Part 1)

August 7, 2018   SAP
 Advice For The CFO: Get Out Of Control (Part 1)

After years as a practitioner in governance, risk, and compliance (GRC), I have come to believe that the biggest obstacle to safe and reliable performance of business processes is the internal-control paradigm. In my experience, most internal controls in business systems fail to address the root cause of failure. They have a life and purpose of their own. And if the role of the CFO is to drive reliable financial processes, it is clear that CFOs need to lead the transformation of the control paradigm.

The internal-control paradigm in the age of digitalization

The embodiment of the internal-control paradigm is Sarbanes-Oxley and the accompanying audit standards. Highly simplified, the thinking goes like this: Put fire extinguishers everywhere a fire could break out. More and bigger extinguishers are always better. Count them frequently and test them often. Report missing or faulty extinguishers. Require auditors to conclude and opine on whether there are sufficient working fire extinguishers. Don’t be deterred by the resources siphoned off by this effort.

This effort is not really risk management. The only risk being managed is the risk of faulty or absent fire extinguishers. (Tautology abounds in the control paradigm.)

But the next time you are in a large gathering in a public building, look around for fire extinguishers. You may notice automatic sprinklers, but you probably won’t see many fire extinguishers. You will not see many trash cans where fires can start, but you will see “No Smoking” signs. That’s because fires are prevented only by removing sources of ignition and flammable materials. Extinguishers do not prevent fires. Nor do most controls prevent process failure. In short, highly visible and pervasive controls should make you worry. They are signs of unresolved root causes of failure. Imagine boarding a plane and being handed a parachute.

Disconnect between controls and business objectives

In my career in governance, risk, and compliance, I have spent years as a chief audit executive, as a chief risk and compliance officer, in a consulting role, helping develop and sell software, and serving on boards.

During that time, I’ve witnessed too many practitioners who are unable to articulate either a risk or a business objective related to a control. In implementing software that documents and assesses controls in a business system, no attempt is made to assess process performance either before or after controls are in place. I’ve seen internal auditors in developing their “audit universe” consider a number of factors, but totally ignore business performance as a variable driving the allocation of audit resources. We have seen audit reports concluding that controls are effective, and yet the business is going broke.

Control effectiveness       ←    →    Process reliability

But the unintended consequences are serious. It is not uncommon in many companies to spend days getting a procurement authorized and the vendor paid. Order-to-cash processes are hindered by unnecessary controls, thus impeding progress. Critical business information arrives too late for decision-makers. Yet by contrast, fraud prevention technology in use today detects and blocks fraudulent credit card transactions even before the purchase is authorized.

We are accustomed to boarding airplanes and safely flying long distances. Whatever discomforts exist in air travel these days, flying is undeniably safe. Aviation safety is achieved not with the “fire extinguisher” approach. Instead, the focus is on identifying and monitoring everything that could cause failure. Safety performance and process reliability are the goals, not control effectiveness.

People: the essential element of process reliability

A major flaw of the internal control paradigm is the implicit belief that employees are inherently risky. (Think multiple approvals, segregation of duties, etc.) It is true that in every field of human endeavor I have seen for which statistics are kept, human error accounts for 50% to 60% of risk events. The aviation industry has dramatically reduced aviation accidents over the last decades, despite larger aircraft, more passengers, and more air traffic to more destinations. Yet the incidence of human error as the root cause of failure remains at about 50%.

The lesson to me is that it’s not possible to reduce errors in any system without properly engaging people. Pilots I have spoken with attribute the dramatic continuous reduction in aviation incidents to training. Clarity of purpose, high skill levels, clear accountability, and monitoring are the key.

It’s essential that compliance and control be embedded in people, not in systems. Digitalization should enable employees to achieve objectives and process reliability. Treat people like humans and cultivate intelligent, capable, motivated employees.

Lessons for the CFO

  1. Invest in digitalization combined with artificial intelligence: that is key, as well as machine learning, the Internet of Things, and predictive tools. Analyze patterns and behaviors, not transactions, to detect anomalies and thereby speed up processing and achieve reliability.
  1. Set quantifiable performance targets for all key financial processes. Develop metrics to track errors, loss events, and on-time performance, and track them with a real-time contextual display.
  1. Balance your investment in technology with an investment in developing your people.
  1. Insist that your control practitioners provide detailed root cause analysis of any control deemed ineffective. Solve the problem, not the symptom.

I am very interested in your response to this blog. I plan to follow up with three or four more to expand on my observations and conclusions. I do have ideas and suggestions to share. I’d welcome yours.

I will be at the IIA/ISACA Governance Risk and Control Conference August 13-15 in Nashville. Please join me and my colleagues Stephanie Gruner, Anne Marie Colombo, and James Chiu at booth 317.

Follow SAP Finance online: @SAPFinance (Twitter)  | LinkedIn | Facebook | YouTube

Let’s block ads! (Why?)

Digitalist Magazine

Advice, Control, Part
  • Recent Posts

    • Bad Excuses
    • Understanding CRM Features-Better Customer Engagement
    • AI Weekly: Continual learning offers a path toward more humanlike AI
    • The Easier Way For Banks To Handle Data Security While Working Remotely
    • 3 Ways Data Virtualization is Evolving to Meet Market Demands
  • Categories

  • Archives

    • April 2021
    • March 2021
    • February 2021
    • January 2021
    • December 2020
    • November 2020
    • October 2020
    • September 2020
    • August 2020
    • July 2020
    • June 2020
    • May 2020
    • April 2020
    • March 2020
    • February 2020
    • January 2020
    • December 2019
    • November 2019
    • October 2019
    • September 2019
    • August 2019
    • July 2019
    • June 2019
    • May 2019
    • April 2019
    • March 2019
    • February 2019
    • January 2019
    • December 2018
    • November 2018
    • October 2018
    • September 2018
    • August 2018
    • July 2018
    • June 2018
    • May 2018
    • April 2018
    • March 2018
    • February 2018
    • January 2018
    • December 2017
    • November 2017
    • October 2017
    • September 2017
    • August 2017
    • July 2017
    • June 2017
    • May 2017
    • April 2017
    • March 2017
    • February 2017
    • January 2017
    • December 2016
    • November 2016
    • October 2016
    • September 2016
    • August 2016
    • July 2016
    • June 2016
    • May 2016
    • April 2016
    • March 2016
    • February 2016
    • January 2016
    • December 2015
    • November 2015
    • October 2015
    • September 2015
    • August 2015
    • July 2015
    • June 2015
    • May 2015
    • April 2015
    • March 2015
    • February 2015
    • January 2015
    • December 2014
    • November 2014
© 2021 Business Intelligence Info
Power BI Training | G Com Solutions Limited