The Failure of Risk: lessons from the GFC

We live in uncertain times. The failures in risk management which led to the global financial crisis have created an unprecedented set of circumstances. Not only are regulators imposing heavier compliance burdens but shareholders and investors are demanding greater reporting and higher levels of information transparency. On top of all this, operational costs are too tight to carry the overhead of separate risk and assurance functions.

When the analysis is done there are 6 key lessons to learn from the global financial crisis:

  1. Integrate G, R & C.  In medium and large corporations isolated risk management practices actively work against the business.  Technical and operational experts will identify risk from experience and create risk slush-funds to mitigate them.  These increase the cost of business and in many cases price the company out of the market.  In an integrated GRC system the firm is able to manage risks across business units so that the risk funds are held centrally and do not add a premium to initial project costs.  Risk identification and analysis percolates from the bottom up but governance is driven from the top down.  In an integrated system they both work within the business lifecycle to add the right mix of checks and balances so that no additional drag is added to investment/project approvals.
  2. Make Passive GRC Active.  Systems need to be active.  They need to hunt out risk, define it, quantify it and measure the dependencies of the risk.  Then, those same systems need to bring it to the attention of the executives so that they may make informed investment decisions.  In the end, humans follow the law of least effort:  employees will follow the path of least resistance in designing and gaining approval for their projects.  GRC must not follow a system of honour & audit but rather one of active assurance.  When GRC systems are passive the business lifecycle becomes clogged with nugatory and useless program reviews that turn into technical sales pitches by design teams.  Such events and practices only serve to affirm the belief that GRC is a legal burden and one which only serves to satisfy the needs of regulatory compliance.  Raytheon, for instance, have an excellent system of governance-by-exception.  Their Integrated Product Design System (IPDS) has active governance measures and allows Raytheon to manage a pipeline of thousands of critical projects dynamically and by exception.
  3. Get Granular.  When projects fail it is not usually because the risks have not been adequately managed.  The primary problems in risk practices are the failures of risk identification and analysis.  Managers are simply unable to deal with risks at a granular level and then weigh them up on a per project basis.  This is largely because the technical skills needed to do so are not within the standard sets of most executives (but they are within the more mathematical ones of the FS&I industry).  Where this disparity exists, businesses need to develop separate Red Teams or Assurance Teams, either from the existing PMO or from hand-picked executives.
  4. Bottom Up & Top Down.  Risk management is bottom-up but governance is top-down.  The technical skills and software reliance involved in effective risk management mean that the entire practice usually percolates from the bottom of a business, upwards.  Consequently, unless it fits within a comprehensive governance framework it will be open to being gamed by senior executives.  This is why major projects which are seen as must-win are often approved with little or no governance or assurance.
  5. Risk Ownership.  Risks need to be owned at the lowest responsible level.  This is to say that when things go wrong the person at the lowest level who has the greatest amount of operational responsibility must be able to take charge to mitigate all aspects of the risk.  It is vital that the person owning the risk be able to recognise the variables which may see the risk realised.  It is also critical that the risk owner understand the corporate decision points, i.e. the points at which the contingency plans should be triggered.
  6. Invest in the Right Type of Risk Culture.  Risk should not be a dirty word.  Risks are inherent in every project and balancing them quantitatively and qualitatively is an essential skill for all senior executives.  Risk should be as much about seizing opportunity as it is about guarding profitability.  Businesses need to invest in top talent in order to drive good risk practices from the top.  Effective, Active-GRC involves a complex array of tools, practices, structures and processes which need an experienced senior executive to drive them constantly and consistently in the business.  The softer side of risk management cannot be neglected.  The nature of risk forces people onto the defensive as they attempt to justify all aspects of their project designs.  CROs need to help executives understand that all projects must balance risk if they are to attempt to push profitability.  Otherwise, risk cultures will mire companies in conservative, risk averse cultures which only act to add friction and reduce profitability.

Risk practices need to work together inside a single, comprehensive risk framework that goes beyond simple probabilistic modelling and disjointed regulatory compliance.  Businesses need to implement processes which not only integrate the business lifecycle but actively increase both liquidity and opportunity for risk to be seen to add real value to the company.  Only once this is achieved can risk management cease to be an operational drag for the business and become a value-adding proposition which works actively to increase the profit and performance of a company.

Top 5 Benefits of Effective Risk Management

BENEFITS OF AN INTEGRATED “ACTIVE GRC” FRAMEWORK

After the failure of risk management during the recent (and ongoing) financial crisis one could be forgiven for thinking that risk management – as we know it – is dead.  However, effective risk management is the only means which businesses have to:  (i) assess and compare investment decisions, (ii) seize subtle opportunities, and (iii) ensure regulatory compliance.  Risk management has greater utility beyond these obvious benefits.  Listed below are 5 of the top financial benefits of effective risk management:

1.  IMPROVED LIQUIDITY

When managers cannot identify or mitigate complex risks they create risk contingency slush funds and pad their accounts with excessive risk premiums. This is not an efficient allocation of capital and it can even price a business out of the market. Precise identification of risk premiums removes these slush funds and creates greater firm liquidity and the ability to allocate capital where it is needed.

2.  BETTER PROJECT PERFORMANCE

The best methods for risk identification and analysis of risk in projects are through the quantitative analysis of cost models and project schedules. However, these methods are only useful where such models are in enough detail. Good risk management leads to greater collaboration by cross-functional teams to optimise cost and schedule performance.

3.  BETTER OPPORTUNITY MANAGEMENT

With greater liquidity comes the ability to seize emerging opportunities. Not only can the company use this capital across portfolios to manage risks but it can also seize opportunities for M&A, talent acquisition, share buybacks, increased dividends, employee bonuses or increased project funding/investment.

4.  CONSENSUAL MANAGEMENT CULTURE

As managers work across the business to calibrate cost models with the project schedules, and the contract and commercials with the technical architecture, the business is forced to adopt a more consensual, multi-disciplinary approach. Where GRC is implemented as part of a high-performance business initiative the culture is more likely to stick than one imposed from the top down.

5.  IMPROVED REPORTING & DECISION MAKING

An active GRC process which is fully integrated with the business relies on the quantitative analysis of core artifacts (cost models, project schedules and technical architectures and contracts). A quantitative culture coupled with regular, detailed analytical outputs also greatly improves the standard of financial and operational reporting and therefore the possibility for improved investment decision making.

Managing data risk: APRA issues draft practice guide – Lexology

Managing data risk: APRA issues draft practice guide – Lexology.

In their article on data security protection Helen Clarke and Melissa Burrill (Corrs Chambers Westgarth) set out an admirable approach to legal protections for data security.  However, their advice breaks the first rule of data security – if you don’t control it, you can’t secure it.  Fundamentally, businesses need to hold their secure information close, or have active measures to secure it, if they are to avoid data security breaches.  In the end, the threat of legal sanction will not stop criminal action by third parties.

The chart below shows the most high-profile data security breaches for 2012.  Clearly, the breaches do not reflect the strength of potential legal action or the drafting of data protection clauses.  No amount of due diligence would have assisted these companies’ clients as the breaches were not due to lax security procedures.

Contracts and legal sanction are only useful to deliver damages and enforce restitution to cover immediate financial losses.  They will not cover loss to brand equity or market share.

The only way to truly secure information is to manage it in-house.  If businesses wish to manage secret or confidential data in a cloud then they should store it encrypted and hold the keys themselves.  Alternatively, they can link databases and hold unencrypted information in the cloud but the actual names of clients can be held locally.
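The second option in the paragraph above (unencrypted records in the cloud, client names held locally) can be sketched as follows. This is an added example, not code from the original post; the class and function names, the field names and the sample records are all constructed, and it assumes `client_name` is the only directly identifying field.

```python
import hashlib
import hmac
import secrets

# Assumption: the only directly identifying field in a record.
IDENTIFYING_FIELDS = ("client_name",)


class LocalIdentityVault:
    """Kept in-house: holds the linking key and the token -> client name map."""

    def __init__(self, key=None):
        # The key never leaves the business; without it tokens cannot be recomputed.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._names = {}

    def token_for(self, client_name):
        # Normalise spacing and case so one client always maps to one token,
        # which keeps the local and cloud databases linkable.
        normalised = " ".join(client_name.split()).casefold()
        token = hmac.new(self._key, normalised.encode("utf-8"),
                         hashlib.sha256).hexdigest()
        self._names.setdefault(token, client_name)  # first spelling seen is kept
        return token

    def resolve(self, token):
        return self._names.get(token)


def to_cloud_record(vault, record):
    """Strip identifying fields and replace them with a keyed token."""
    cloud = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    cloud["client_token"] = vault.token_for(record["client_name"])
    return cloud


def rejoin(vault, cloud_record):
    """Re-attach the client name in-house, using the local vault only."""
    name = vault.resolve(cloud_record["client_token"])
    if name is None:
        raise KeyError("token not known to this vault")
    full = {k: v for k, v in cloud_record.items() if k != "client_token"}
    full["client_name"] = name
    return full


# Constructed sample data (not real clients).
SAMPLE_RECORDS = [
    {"client_name": "Example Holdings Pty Ltd", "account": "A-1001", "balance": 125000},
    {"client_name": "example holdings  pty ltd", "account": "A-1002", "balance": 9800},
    {"client_name": "Sample Trading Co", "account": "A-2001", "balance": 44100},
]


def demo():
    """Return the local vault and the rows that would be sent to the cloud."""
    vault = LocalIdentityVault()
    cloud_rows = [to_cloud_record(vault, r) for r in SAMPLE_RECORDS]
    return vault, cloud_rows


if __name__ == "__main__":
    vault, rows = demo()
    for row in rows:
        print("cloud :", row)
    print("local :", rejoin(vault, rows[0]))
```

The remaining fields still need review before upload: an account number or an unusual balance can identify a client even when the name is gone.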

If businesses wish to remain wilfully blind (or take calculated risks) and outsource the storage of secret information then they should think about building in operational sanctions such as the moving, encrypting or the realignment of data against accounts to ensure there is no monetary loss for clients.

[Chart: security breaches, 2012]

Information Outsourcing

Although the Gartner article deals with the monetisation of information assets, the sentiments may lead many businesses to outsource their entire information management responsibility.

The volume of data that most businesses can – or think they should be able to – manage is reaching an inflection point.  Businesses which grasp how analytics supports their revenue model will be able to grapple with the continuing demands of information management (IM).  Businesses which cannot cope with the perceived threat of information overload may seek to outsource this responsibility.  The former will survive, the latter will fail. The research is clear:

  • IM is critical business:  derogating from one’s IM responsibility leads to an overall loss of revenue as businesses are unable to respond to market trends, develop appropriate differentiators, design suitable new products and services as well as leverage their information and knowledge for wider benefit.  Information is a firm’s core business, whether they like it or not.  Outsourcing the responsibility to understand the intricacies of a company’s business model and dependencies into the extended value net is a recipe for disaster.  Businesses should use all available software and technical expertise to do this but must do so with internal resources.
  • Outsourcing accounts for cost differentiators not key value drivers:  Firms which seek to cut costs by outsourcing their IT function do not recoup their losses.  The lessons of Ford, GM and Levi Strauss still remain.  Businesses which outsource their entire IT function continue to lose economic-value-added (EVA).  Although it is a good idea to outsource platforms and infrastructure it is rarely beneficial to outsource applications and services which are deeply intertwined with the more social aspects of a company’s business processes, i.e. if your process isn’t rigidly vanilla and perfectly understood then don’t outsource it.  Banks have well documented electronic processes which allow customers to manage their money and transactions remotely.  Even so, they manage these processes internally because it’s core business.

Businesses which purport to leverage economies of scale in order to be able to make sense of a firm’s information are not telling the whole story. It is virtually impossible to crunch structured and unstructured data to squeeze out additional value unless the vendor has also programmed the client’s value chain and key differentiators into their big-data algorithm.

“IM is not a software problem it is a business problem.  Regardless of the promises by vendors they will never be able to support management in their daily needs to navigate the subtleties and complexities of corporate information.”

It is highly likely that by 2016 the next fad, after Big Data, will be the monetisation of a firm’s information assets.  No doubt that in the low-end of the market there will be some level of commoditisation of information which will support more targeted marketing and the procurement of specialist advertising services.  However, businesses which outsource critical IM functions (largely through cost pressures)  in their business will turn unprofitable (if not already) as they become unable to respond to the market.

The Business End of Social

Integrating Emerging Social Software Platforms (ESSPs) into a business is fraught with danger but the payoff can be substantial.  Not only does the company have the potential for positive brand messages to flood a series of trusted networks but it can also leverage the renewed engagement of staff for better knowledge management.  In the end, though, social is fun and sexy but it is utterly irrelevant to most employees until there is some link to an employee’s remuneration.  To rephrase the HBR article I don’t think social needs to get more businesslike, rather, I think business needs to get more social.

Wall Street Beat? The Fiction of 2013 IT Spending Forecasts

Wall Street Beat: 2013 IT Spending Forecasts Look Upbeat.

If this is the case then an organisation with a $USD 100m IT spend is set to increase their capex by $3.3m this year and $6.1m next year.  This represents almost $10m increase in capex in the next 2 years.

I am not sure where they get these figures from?

[Chart: McKinsey & Co, technology spending and the tech rebound]

If we assume the standard wisdom that economies traditionally take 2 years to recover from recession and a further 2 years to return to trend growth then it will be 2017 before IT budgets hit 3.4% growth.  Given the savage cuts in IT budgets after the recent recession(s) I think these figures are conservative.  A further factor to consider is that the ICT industry is so highly segmented that generalised growth is meaningless.

Looking at the finances of the tech rebound of 2003/3 (shown above in the McKinsey & Co chart) we can see that – at the high end – IT capex of $73m accounts for 12% of the overall budget.  At this rate, 6% growth equals a $36.5% growth in capex by 2015.

This is, of course,  nonsense.  The moral of the story is:  don’t look at reports of astonishing growth in the tech sector.  Research has shown that the ICT sector is made up of so many tiny segments that even McKinsey’s figures are to be viewed with caution.

In sum, the burst of the 2001 tech bubble saw IT budgets plummet roughly 70%.  There are no reliable current figures as to the general sum of cost cuts per sector in ICT budgets.  However, if we count on 10-25% overall budget reductions then it will be well beyond 2017 before we see budgets returning to pre-2008 in real terms. If anything is certain, however, tech always surprises.

The Cost of Capability: a better way to calculate IT chargebacks

THE VALUE OF SHARED SERVICES

Almost every C-Suite executive will agree that shared services, done well, are a critical factor in moving the business forward.  The problem is that implemented poorly they can potentially overload good processes and profitable service lines with villainous overhead allocations.

IT chargebacks are important because, used well,  they can assist the business with the following:

  • help IT prioritise service delivery to the most profitable business units,
  • help the business understand which IT services are value-adding to the market verticals, and
  • reduce the overall vulnerability of IT-enabled business capability.

OVERHEAD ALLOCATIONS CAN RUIN GOOD PROCESSES

However, many shared service implementations are poorly received by the business units because they add little or no value and are charged at higher than the market rate.  As Kaplan pointed out in his seminal work “Relevance Lost: the rise and fall of management accounting”, the result of poor overhead cost allocation is that perfectly profitable processes and services, burdened by excessive and misallocated overhead costs, seem to be unprofitable.  Kaplan goes further and points out that all overhead which cannot be directly incorporated into the cost-of-goods-sold should be absorbed by the business and not charged back to the market verticals and service lines.  This is the fairest method but most businesses avoid it because high SG&A costs have a negative impact on financial ratios and therefore investor attractiveness.

HIGGLEDY-PIGGLEDY 

In a recent article (shown below) McKinsey & Co pointed out a variety of methods which their client firms use to calculate IT chargebacks.   Even though they differentiated between new and mature models it is worth noting that very few companies charged their business units for what they used (Activity-Based Costing).   Rather, they used some form of bespoke methodology.  This is usually (i) a flat rate, (ii) a budget rate with penalties (for behaviour change), or (iii) a market rate (usually with additional penalties for IT R&D costs).

[Chart: McKinsey, IT chargebacks and IT metrics]

ALIGNMENT & ACCOUNTABILITY

Chargebacks are essential.  They are a critical means for companies to take charge of their IT costs.  Otherwise, a ballooning IT overhead can destroy perfectly good processes and service lines.  However, chargebacks can obscure accountability.  If they are not calculated transparently, clearly and on the basis of value then there will be no accountability of IT to the business whose capabilities it enables.  Without accountability there can also never be alignment between IT and the business.

CHARGEBACK AS AN INDICATOR OF MANAGEMENT-VALUE-ADDED

Traditional methods of IT cost modelling, on which standard chargebacks are calculated, only account for the hard costs of ICT, namely infrastructure and applications.  It should be noted that chargebacks should only be applied for Management Information Systems (eg, knowledge bases, team collaboration sites such as MS Sharepoint, CRM systems, and company portals etc).  All other systems are either embedded (eg, robotics etc) or operational (ie mission critical to a business unit’s operations).  MIS are largely used by overhead personnel whereas operational systems and the finance for embedded systems should be accounted for in the cost-of-goods-sold.  The real question therefore, is: what is the value of the management support to my business?  The question underlies the myth that Use = Value, which it does not.  Good capability applied well = Value.

THE COST OF CAPABILITY

The cost model, therefore, needs to determine the cost of capability.  Metrics based on per unit costs are inappropriate because the equipment amortises so rapidly that the cost largely represents a penalty rate.  Metrics based on per user costs are unfair because each user is at a different level of ability.  In previous blogs we have outlined how low team capabilities such as distributed locations, poor requirements, unaligned processes etc all have a negative and direct financial correlation on project values.  We have also written about how projects should realise benefits along a value ladder, delivering demonstrable financial and capability benefits – rung by rung – to business units.

It is reasonable to say, therefore, that managers should not have to pay the full chargeback rate for software which is misaligned to the business unit and implemented badly.

It is unfair for under-performing business units to be charged market rates for inappropriate software which the IT department mis-sold them.  If that business unit were a company in its own right it would be offered customisation and consulting support.  In large firms the business often scrimps on these costs to save money.  Given the usual overruns in software implementations business units are traditionally left with uncustomised, vanilla software which does not meet their needs.  The training budget is misallocated to pay for cost overruns and little money is ever left for proper process change.

In order to create a fair and accurate chargeback model which accounts for the Cost of Capability, use the following criteria:

  • Incorporate the COSYSMO cost coefficients into software and service costings so that low capability business units pay less.
  • Only charge for professional services which the business doesn’t own.  Charging for professional/consulting services which are really just work substitution merely encourages greater vertical integration.  This is duplication and duplication in information work creates friction and exponential cost overruns.
  • Watch out for category proliferation, especially where the cost of labour for some unique sub-categories is high.  Don’t let the overall cost model get skewed by running a few highly specialised services.  Remove all IT delivery personnel from the verticals.  Where there are ‘remoteness’ considerations then have people embedded but allocate their costs as overhead.
  • Do not allow project cost misallocation.  Ensure that cost codes are limited.

In order that businesses do not fall into the “Build and they will Come” trap a clear and precise chargeback model should be created for all IT costings.   Businesses should start by charging simple unit costs such as per user.  Everything else will initially be an overhead but firms may then move to a more complex chargeback model later.

It is important that low capability business units do not pay full price for their software and services.  As Kaplan is at pains to point out, where businesses do this they are at risk of making perfectly good processes and service lines seem unprofitable.  The only way to properly broker for external services is to account for the cost of capability.

The Complexity of Cost: the core elements of an ICT cost model

There are 2 reasons why IT cost reduction strategies are so difficult:  Firstly, many of the benefits of ICT are intangible and it is difficult to trace their origin.  It is hard to determine the value of increased customer service or the increase in productivity from better search and retrieval of information.  Secondly, many of the inputs which actually make IT systems work are left unaccounted for and unaccountable.  The management glue which implements the systems (often poorly and contrary to the architecture) and the project tools, systems and methods which build/customise the system (because IT, unlike standard capital goods, is often maintained as a going concern under constant development, e.g. upgrades, customisation, workflows etc) are very difficult to cost.

Standard IT cost models only account for the hard costs of the goods and services necessary to implement and maintain the infrastructure, applications and ancillary services.  Anything more is believed to be a project cost needed to be funded by the overhead.

This is unsatisfactory.

The value of technology systems – embedded systems excluded – is in the ability of information workers to apply their knowledge by communicating with the relevant experts (customers, suppliers etc) within a structured workflow (process) in order to achieve a corporate goal.

Capturing the dependencies of knowledge and process within the cost model, therefore, is critical.   Showing how the IT system enables the relevant capability is the critical factor.  A system is more valuable when used by employees who are trained than less trained.  A system is more valuable when workers can operate, with flexibility, from different locations.  A system is more valuable where workers can collaborate to solve problems and bring their knowledge to bear on relevant problems.  So how much is knowledge management worth?

The full cost of a system – the way they are traditionally modelled – assumes 100% (at least!) effectiveness.  Cost models such as COSYSMO and COSYSMOR account for internal capability with statistical coefficients.  Modelling soft costs such as information effectiveness and technology performance helps the business define the root causes of poor performance rather than subjective self-analysis.  If a firm makes the wrong assessment of capability scores in COSYSMO the projected cost of an IT system could be out by tens of millions.

Financial models for IT should therefore focus less on the cost of technology and more on the cost of capability.  The answer to this is in modelling soft costs (management costs), indirect costs and project costs as well as the hard costs of the system’s infrastructure, apps and services.

Never Calculate Without First Knowing the Answer!

The core problem in modeling of anything, especially of project performance, is not understanding what the answer should look like. This leads to naive and uninformed decisions. Know what you’re looking for before you start looking for it, then you’ll have a higher probability of recognizing it when you see it.

via herdingcats.typepad.com

One senior executive of a financial institution was recently reminiscing about the implementation of probabilistic modelling in his organisation.  He said that Monte Carlo analysis was implemented, enthusiastically at first, but then the joy died down.  

He explained how they had a number of investments and projects within a range of portfolios.  Each one showed a 100% chance of success when the financial models were simulated.  Limited attention was paid to these projects as they ran their course and each one suffered catastrophic losses.  How could probabilistic modelling fail them so badly?

For any mildly experienced manager at a financial institution there would have been a gut feeling for standard risks.  Senior managers would have known, roughly, the risks and opportunities on each project – within range.

The key to decent probabilistic modelling is to infuse some element of Bayesian analysis, i.e. build in what you do know to what you don’t know.  This will not only help improve the granularity of the model itself (and therefore the usefulness of the simulation) but it will also limit the uncertainty of the critical ranges themselves.
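The failure described above, and the effect of building prior knowledge into the simulation, can be reproduced in a few lines. This is an added example, not a model from the original post: it uses a Beta-Binomial update as one way of doing the Bayesian step, and the budget, cost ranges, prior and project history are all constructed figures.

```python
import random


def beta_update(prior, events, trials):
    """Beta-Binomial update: prior (a, b) plus observed events in trials."""
    a, b = prior
    return (a + events, b + trials - events)


def simulate_success(budget, cost_range, n_runs, rng,
                     overrun_belief=None, overrun_impact=(0.0, 0.0)):
    """Fraction of simulated runs in which total cost stays within budget.

    cost_range     -- (low, most likely, high) estimate from the project team
    overrun_belief -- Beta (a, b) describing how often a major overrun occurs;
                      None reproduces the naive model that ignores the risk
    overrun_impact -- (min, max) extra cost if the overrun occurs
    """
    low, mode, high = cost_range
    successes = 0
    for _ in range(n_runs):
        cost = rng.triangular(low, high, mode)
        if overrun_belief is not None:
            # Draw the event probability from the belief, so uncertainty
            # about the probability itself is carried into the result.
            p_event = rng.betavariate(*overrun_belief)
            if rng.random() < p_event:
                cost += rng.uniform(*overrun_impact)
        if cost <= budget:
            successes += 1
    return successes / n_runs


# Constructed inputs (illustrative only).
BUDGET = 120.0
COST_RANGE = (80.0, 95.0, 115.0)   # every value in the range is under budget
GUT_FEEL_PRIOR = (2, 6)            # managers: "roughly one project in four"
PAST_OVERRUNS, PAST_PROJECTS = 3, 10
OVERRUN_IMPACT = (20.0, 60.0)


def compare(seed=2013, n_runs=20000):
    """Return (naive success rate, success rate with the Bayesian overrun term)."""
    rng = random.Random(seed)
    naive = simulate_success(BUDGET, COST_RANGE, n_runs, rng)
    posterior = beta_update(GUT_FEEL_PRIOR, PAST_OVERRUNS, PAST_PROJECTS)
    informed = simulate_success(BUDGET, COST_RANGE, n_runs, rng,
                                overrun_belief=posterior,
                                overrun_impact=OVERRUN_IMPACT)
    return naive, informed


if __name__ == "__main__":
    naive, informed = compare()
    print(f"naive model:    {naive:.1%} chance of success")
    print(f"informed model: {informed:.1%} chance of success")
```

The naive model reports certainty only because its input ranges never leave the budget; the informed model adds what managers already know about overruns and the certainty disappears.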

The Complexity of Cost (Pt.2): a 3-tiered strategy for an effective ICT cost reduction program

In our last blog we recounted that most ICT cost reduction programs fail.  More to the point, we noted how they fail in larger businesses through a vicious cycle following increased overhead from poor process analysis.  All this stems from a limited view of direct and indirect ICT spend.

In sum, the answer is detailed cost modelling of ICT which analyses the firm’s technology in its place as a business capability enabler. This is vital in the current economic climate otherwise businesses will simply benchmark their costs against similar firms rather than try to pare ICT costs to the bone.

The results of traditional IT programs?

  1. ICT cost reduction programs usually only attack the easy and obvious.  For sustained cost management in ICT the cost reduction program needs to attack:  (i) soft costs (indirect spend), (ii) managerial costs and (iii) program costs as well as all the standard hard costs.
  2. Cost cutting reduces capability.  The traditional approach is to cut applications and services as well as heads but capability will eventually suffer.  Senior people are often made redundant as work is pushed from higher to lower paybands.  With them also goes much of the firm’s knowledge capital and goodwill.  If we want to quantify this cost of lost knowledge it is the difference between the market value and the book value of a business.

The problem is that IT is usually seen as a black box.  Few senior executives understand the subtle dependencies which stretch from technology throughout the business.  More importantly, few understand that actual capex and opex of ICT  just represents the hard costs of ICT.  In addition to the hard costs are the soft costs, the management costs and the program costs of ICT.  In more detail:

  • Soft Costs relate to all the indirect spend which flows from ICT procurement.  This may include travel for non-IT personnel involved in change, training and customisation or process change etc.
  • Managerial Costs are the accumulated cost of decision making from management.  This is pure overhead and is not accounted for in the Cost of Goods Sold but rather shows up in bloated Sales, General & Administrative (SGA) accounts.
  • Program Costs are the costs of running ICT programs beyond the costs accounted for in the various cost allocation systems.  These can be the cost of running distributed teams, the cost of low development capability etc.  Such cost coefficients are statistically generated.

On top of all these are the hard costs of ICT.

Borrowing diagrams from Accenture  the solution is to run a 3-tiered cost reduction strategy:

[Diagram: Accenture, strategic cost management]

After the easy stuff is done, the business must ultimately streamline its processes (and align cost structures accordingly) and then lower its non-discretionary spend.  The key is to (i) see the whole process, (ii) understand the dependencies, and (iii) engage locally.

  • Minimise (Hard Costs) – Tactical Cost Reduction.  Grab the low hanging fruit and take out the obvious costs; the costs in plain sight.  Engage locally with account managers and business unit leaders to reduce headcount but understand and model the dependencies by seeing the whole capability.  The Boston Consulting Group advise that managers proceed on a “third of a third” rule, ie 1/3 of all FTEs are non customer facing and 1/3 of those can be removed without adverse impact on the business.
  • Optimise (Soft & Program Costs) – Proactive Cost Governance.  This involves detailed spend analysis and process optimisation.  Indirect process costs grow like barnacles on a ship.  The longer they are there the more they are accepted but ultimately they increase the financial drag on a business.  Remove all the invented tasks by modelling the firm’s value chain and seeing where the processes fit into larger business capabilities.  Once this is done executives can optimise the key cost drivers and their inputs.  This improves the delivery model for ICT and enables better demand management.  Accompanying these operational actions the business should improve cost governance.  It can achieve this by removing the management structures around excessive process governance.  This requires a more active and dynamic GRC system but ultimately the business feels a lighter GRC touch.  Most importantly, simplify processes and remove the ‘cost of complexity’, ie vertical integration and convoluted workflows which increase process time and transactional costs.

[Diagram: Accenture, cost reduction levels]

  • Re-design (Program & Managerial Costs) – Strategic Cost Management.  In order to achieve significant and lasting cost reduction benefits the business must lower its discretionary spend.  However, managerial cost structures (which are significant) can only be made redundant when the overall complexity is reduced.  Once this happens shared services may be implemented and rationalised.  The ICT offering can be standardised and the business can create re-usable technology components.  Then the business can change its transfer pricing models and look towards offering the customer-facing SBUs a more sophisticated multi-channel mix of capabilities, ie give them the agility to increase their high-end customer offerings.  Only once this is achieved can the business look towards modernising and streamlining technical architectures.

The key is to look at ICT as a capability enabler and not as a business unit in its own right.  ICT should have to justify its very existence.  However, once it does and develops full cost transparency then and only then can it move forward in real partnership with the business.