Visual Search: don’t get too excited

https://www.linkedin.com/today/post/article/20130116062041-50510-a-great-day-for-human-computer-information-retrieval

Visual search is not new and it’s so obvious that it hardly seems something to get too excited about.  In well understood, discrete systems visual search is an excellent means to share and develop multi-disciplinary, cross-functional information without the need for complex ontological integration or the tedious and often futile process of trying to agree on corporate taxonomies.  If there is no visual boundary to the relevant information then creating contextual diagrams will hinder the retrieval of information.

The military have used visual information storage and visual representations of information in counter-terrorism generally and within intelligence systems in particular.  “Starlight” by PNNL and I2 (Analyst Notebook) both use various methods to visualise terrorist networks and their contexts.  Nimbus Control has used this technique for a number of years.  Building a simple graphical representation of a company’s process (e.g. Carphone Warehouse etc.) which then links to SharePoint file stores in corporate repositories allows various functions to collaborate around a common visual understanding.

In a recent blog I wrote about the utility of visual search (and its limitations) in managing corporate information.  It doesn’t matter if information overlaps but those intersections need to be linked back to the relevant file systems.  The beauty of visual search is that visual representations are more easily understood so long as the user communities are not too disparate.  Moreover, they are more cost effective because they require less UI consultation and design as well as lower Change Management budgets.  In sum, there needs to be a purpose and the ability to draw a boundary around a discrete area of information, and companies should limit visual systems in order to corral common understanding.

The Failure of Risk: lessons from the GFC

We live in uncertain times. The failures in risk management which led to the global financial crisis have created an unprecedented set of circumstances. Not only are regulators imposing heavier compliance burdens but shareholders and investors are demanding greater reporting and higher levels of information transparency. On top of all this operational costs are too tight to carry the overhead of separate risk and assurance functions.

When the analysis is done there are 6 key lessons to learn from the global financial crisis:

  1. Integrate G, R & C.  In medium and large corporations isolated risk management practices actively work against the business.  Technical and operational experts will identify risk from experience and create risk slush-funds to mitigate them.  These increase the cost of business and in many cases price the company out of the market.  In an integrated GRC system the firm is able to manage risks across business units so that the risk funds are held centrally and do not add a premium to initial project costs.  Risk identification and analysis percolates from the bottom up but governance is driven from the top down.  In an integrated system they both work within the business lifecycle to add the right mix of checks and balances so that no additional drag is added to investment/project approvals.
  2. Make Passive GRC Active.  Systems need to be active.  They need to hunt out risk, define it, quantify it and measure the dependencies of the risk.  Then, those same systems need to bring it to the attention of the executives so that they may make informed investment decisions.  In the end, humans follow the law of least effort:  employees will follow the path of least resistance in designing and gaining approval for their projects.  GRC must not follow a system of honour & audit but rather one of active assurance.  When GRC systems are passive the business lifecycle becomes clogged with nugatory and useless program reviews that turn into technical sales pitches by design teams.  Such events and practices only serve to affirm the belief that GRC is a legal burden and one which only serves to satisfy the needs of regulatory compliance.  Raytheon, for instance, have an excellent system of governance-by-exception.  Their Integrated Product Design System (IPDS) has active governance measures and allows Raytheon to manage a pipeline of thousands of critical projects dynamically and by exception.
  3. Get Granular.  When projects fail it is not usually because the risks have not been adequately managed.  The primary problems in risk practices are the failures of risk identification and analysis.  Managers are simply unable to deal with risks at a granular level and then weigh them up on a per project basis.  This is largely because the technical skills needed to do so are not within the standard sets of most executives (but they are within the more mathematical ones of the FS&I industry).  Where this disparity exists then businesses need to develop separate Red Teams or Assurance Teams, either from the existing PMO or from hand-picked executives.
  4. Bottom Up & Top Down.  Risk management is bottom-up but governance is top-down.  The technical skills and software reliance involved in effective risk management mean that the entire practice usually percolates from the bottom of a business, upwards.  Consequently, unless it fits within a comprehensive governance framework it will be open to being gamed by senior executives.  This is why major projects which are seen as must-win are often approved with little or no governance or assurance.
  5. Risk Ownership.  Risks need to be owned at the lowest responsible level.  This is to say that when things go wrong the person at the lowest level who has the greatest amount of operational responsibility must be able to take charge to mitigate all aspects of the risk.  It is vital that the person owning the risk be able to recognise the variables which may see the risk realised.  It is also critical that the risk owner understand the corporate decision points, i.e. the points at which the contingency plans should be triggered.
  6. Invest in the Right Type of Risk Culture.  Risk should not be a dirty word.  Risks are inherent in every project and balancing them quantitatively and qualitatively is an essential skill for all senior executives.  Risk should be as much about seizing opportunity as it is about guarding profitability.  Businesses need to invest in top talent in order to drive good risk practices from the top.  Effective, Active-GRC involves a complex array of tools, practices, structures and processes which need an experienced senior executive to drive them constantly and consistently in the business.  The softer side of risk management cannot be neglected.  The nature of risk forces people onto the defensive as they attempt to justify all aspects of their project designs.  CROs need to help executives understand that all projects must balance risk if they are to attempt to push profitability.  Otherwise, risk cultures will mire companies in conservative, risk averse cultures which only act to add friction and reduce profitability.

Risk practices need to work together inside a single, comprehensive risk framework that goes beyond simple probabilistic modelling and disjointed regulatory compliance.   Businesses need to implement processes which not only integrate the business lifecycle but actively increase both liquidity and opportunity for risk to be seen to add real value to the company.   Only once this is achieved can risk management cease to be an operational drag for the business and become a value-adding proposition which works actively to increase the profit and performance of a company.

 

Is it really OK to bash HR?

In a recent article in Forbes magazine online, Ron Ashkenas wrote a heartfelt piece on how essential the Human Resources function is in response to recent HR bashing.  He wove a lovely story of  how critical the function is, how deeply misunderstood its people are and how we should all band together to help this function succeed.

The idea that we should all club together to support a non-operational function outside both our remit and remunerative motivation is farcical.  The truth is twofold:  (i) Firstly, bad hires come from bad specifications.  HR cannot be blamed for finding the wrong person that a business unit specified.  (ii) Secondly, HR needs to force the various business units to communicate their needs proactively and pre-emptively.

There is often a lot of subtext, contextual knowledge and peripheral information which comes along with requests for a new hire.  Internal HR managers need to get analytical if they are going to remain relevant and not cede their function.  If they fail to grasp the cost and revenue interdependencies of various roles then external boutique consultancies will thrive.  These companies will analyse, assess and source the best talent.  There will be a premium on this cost and it will ultimately be funded by removing more internal HRs.

The research tells a story.  In a recent survey by McKinsey, CEOs identified the top 8 barriers to talent acquisition and management.  At the top of the list was the failure of senior management to spend enough time on HR.  This is not HR’s fault, yet laying the blame on HR is topical.  Another factor was perceived to be the failure of managers to understand that good people are good for good business.  Good people execute strategy well.  The secret to this is understanding (a) the structural roles which people satisfy that are vital to the effective functioning of the business, and (b) the functional knowledge which is inherent in executing those roles.

In a recent post I wrote about the likely demise of internal HR and the rise of boutique consultancies which had the skills to analyse, assess and source talent.  Internal HR is better placed to deliver this role, and to do so more cost effectively.  They should know and understand the people, they should understand the dependencies, they should have a clear understanding of contextual knowledge and they should also be able to bolster the role specs with additional peripheral information. Critically, managers need to know which positions their staff play.  Without this understanding a business looks like an under-12 soccer team where everyone is chasing the ball.

 

Top 5 Benefits of Effective Risk Management

BENEFITS OF AN INTEGRATED “ACTIVE GRC” FRAMEWORK

After the failure of risk management during the recent (and ongoing) financial crisis one could be forgiven for thinking that risk management – as we know it – is dead.  However, effective risk management is the only means which businesses have to:  (i) assess and compare investment decisions, (ii) seize subtle opportunities, and (iii) ensure regulatory compliance.  Risk management has greater utility beyond these obvious benefits.  Listed below are 5 of the top financial benefits of effective risk management:

1.  IMPROVED LIQUIDITY

When managers cannot identify or mitigate complex risks they create risk contingency slush funds and pad their accounts with excessive risk premiums. This is not an efficient allocation of capital and it can even price a business out of the market. Precise identification of risk premiums removes these slush funds and creates greater firm liquidity and the ability to allocate capital where it is needed.

2.  BETTER PROJECT PERFORMANCE

The best methods for risk identification and analysis of risk in projects are through the quantitative analysis of cost models and project schedules. However, these methods are only useful where such models are in enough detail. Good risk management leads to greater collaboration by cross-functional teams to optimise cost and schedule performance.

3.  BETTER OPPORTUNITY MANAGEMENT

With greater liquidity comes the ability to seize emerging opportunities. Not only can the company use this capital across portfolios to manage risks but it can also seize opportunities for M&A, talent acquisition, share buybacks, increased dividends, employee bonuses or increased project funding/investment.

4.  CONSENSUAL MANAGEMENT CULTURE

As managers work across the business to calibrate cost models with the project schedules, and the contract and commercials with the technical architecture, the business is forced to adopt a more consensual, multi-disciplinary approach. Where GRC is implemented as part of a high-performance business initiative the culture is more likely to stick than one imposed from the top down.

5.  IMPROVED REPORTING & DECISION MAKING

An active GRC process which is fully integrated with the business relies on the quantitative analysis of core artifacts (cost models, project schedules and technical architectures and contracts). A quantitative culture coupled with regular, detailed analytical outputs also greatly improves the standard of financial and operational reporting and therefore the possibility for improved investment decision making.

Managing data risk: APRA issues draft practice guide – Lexology

Managing data risk: APRA issues draft practice guide – Lexology.

In their article on data security protection Helen Clarke and Melissa Burrill (Corrs Chambers Westgarth) set out an admirable approach to legal protections for data security.  However, their advice breaks the first rule of data security – if you don’t control it, you can’t secure it.  Fundamentally, businesses need to hold their secure information close, or have active measures to secure it, if they are to avoid data security breaches.  In the end, the threat of legal sanction will not stop criminal action by third parties.

The chart below shows the most high-profile data security breaches for 2012.  Clearly, the breaches do not reflect the strength of potential legal action or the drafting of data protection clauses.  No amount of due diligence would have assisted these companies’ clients as the breaches were not due to lax security procedures.

Contracts and legal sanction are only useful to deliver damages and enforce restitution to cover immediate financial losses.  They will not cover loss to brand equity or market share.

The only way to truly secure information is to manage it in-house.  If businesses wish to manage secret or confidential data in a cloud then they should store it encrypted and hold the keys themselves.  Alternatively, they can link databases and hold unencrypted information in the cloud but the actual names of clients can be held locally.
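An added sketch (not from the article or the APRA guide) of the second option above: the cloud copy carries only a random reference, while the table linking references to client names stays on premises. The field names, class and sample records are constructed for illustration.

```python
import secrets

# Fields treated as identifying in this example (assumption: choose per data set).
IDENTIFYING_FIELDS = ("client_name", "email")

# Constructed sample records; not real client data.
SAMPLE_RECORDS = [
    {"client_name": "Dana Example", "email": "dana@example.test",
     "balance": 1250, "notes": "Called re: overdraft"},
    {"client_name": "Dana Example", "email": "dana@example.test",
     "balance": 900, "notes": "Dana Example asked for a limit increase"},
]


class LocalIdentityStore:
    """Held locally: maps random references to the identifying fields."""

    def __init__(self):
        self._by_token = {}
        self._by_identity = {}

    def tokenise(self, identity):
        """Return a stable reference for this identity, creating one if needed."""
        key = tuple(identity[f] for f in IDENTIFYING_FIELDS)
        token = self._by_identity.get(key)
        if token is None:
            # Random rather than derived from the name, so the reference
            # alone reveals nothing and cannot be guessed from a name list.
            token = secrets.token_hex(16)
            self._by_identity[key] = token
            self._by_token[token] = dict(identity)
        return token

    def resolve(self, token):
        """Look up the identifying fields for a reference (local use only)."""
        return dict(self._by_token[token])


def split_record(record, store):
    """Return the part of a record that may be stored in the cloud."""
    missing = [f for f in IDENTIFYING_FIELDS if f not in record]
    if missing:
        raise ValueError(f"record lacks identifying fields: {missing}")
    identity = {f: record[f] for f in IDENTIFYING_FIELDS}
    cloud = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    cloud["client_ref"] = store.tokenise(identity)
    return cloud


def leaks_identity(cloud_record, identity):
    """Pre-upload check: does an identifying value survive in any other field?

    Free-text fields are the usual culprit: dropping the name column does
    not help if the name is repeated inside a notes field.
    """
    haystack = " ".join(str(v) for v in cloud_record.values()).lower()
    return any(str(v).lower() in haystack for v in identity.values())


def rejoin(cloud_record, store):
    """Rebuild the full record locally from the cloud copy and the local table."""
    full = dict(cloud_record)
    full.update(store.resolve(full.pop("client_ref")))
    return full


if __name__ == "__main__":
    store = LocalIdentityStore()
    for rec in SAMPLE_RECORDS:
        cloud = split_record(rec, store)
        identity = {f: rec[f] for f in IDENTIFYING_FIELDS}
        status = "BLOCK upload" if leaks_identity(cloud, identity) else "ok to upload"
        print(status, cloud)
```

The second sample record is held back because the client's name reappears in the free-text notes, which is where this kind of split most often fails in practice.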

If businesses wish to remain wilfully blind (or take calculated risks) and outsource the storage of secret information then they should think about building in operational sanctions such as the moving, encrypting or the realignment of data against accounts to ensure there is no monetary loss for clients.

[Chart: security breaches, 2012]

Information Outsourcing

Although the Gartner article deals with the monetisation of information assets, the sentiments may lead many businesses to outsource their entire information management responsibility.

The volume of data that most businesses can – or think they should be able to – manage is reaching an inflection point.  Businesses which grasp how analytics supports their revenue model will be able to grapple with the continuing demands of information management (IM).  Businesses which cannot cope with the perceived threat of information overload may seek to outsource this responsibility.  The former will survive, the latter will fail. The research is clear:

  • IM is critical business:  derogating from one’s IM responsibility leads to an overall loss of revenue as businesses are unable to respond to market trends, develop appropriate differentiators, design suitable new products and services as well as leverage their information and knowledge for wider benefit.  Information is a firm’s core business, whether they like it or not.  Outsourcing the responsibility to understand the intricacies of a company’s business model and dependencies into the extended value net is a recipe for disaster.  Businesses should use all available software and technical expertise to do this but must do so with internal resources.
  • Outsourcing accounts for cost differentiators not key value drivers:  Firms which seek to cut costs by outsourcing their IT function do not recoup their losses.  The lessons of Ford, GM and Levi Strauss still remain.  Businesses which outsource their entire IT function continue to lose economic-value-added (EVA).  Although it is a good idea to outsource platforms and infrastructure it is rarely beneficial to outsource applications and services which are deeply intertwined with the more social aspects of a company’s business processes, i.e. if your process isn’t rigidly vanilla and perfectly understood then don’t outsource it.  Banks have well documented electronic processes which allow customers to manage their money and transactions remotely.  Even so, they manage these processes internally because it’s core business.

Businesses which purport to leverage economies of scale in order to be able to make sense of a firm’s information are not telling the whole story. It is virtually impossible to crunch structured and unstructured data to squeeze out additional value unless the vendor has also programmed the client’s value chain and key differentiators into their big-data algorithm.

“IM is not a software problem it is a business problem.  Regardless of the promises by vendors they will never be able to support management in their daily needs to navigate the subtleties and complexities of corporate information.”

It is highly likely that by 2016 the next fad, after Big Data, will be the monetisation of a firm’s information assets.  No doubt that in the low-end of the market there will be some level of commoditisation of information which will support more targeted marketing and the procurement of specialist advertising services.  However, businesses which outsource critical IM functions (largely through cost pressures)  in their business will turn unprofitable (if not already) as they become unable to respond to the market.

Improving Contract Management: manage the deal not the database

The guys at Selectica have some great points but to make expensive enterprise software work it’s important to work a system and not to work the software:

  1. Don’t try and put all your contractual information in one single database at once.  Not only do individuals have different ways and systems (what I call the e-Hub of someone’s daily life) from which they manage their data they may also run into legal issues around probity and confidentiality (by cross-contaminating case management with archival material).  Businesses do not need to invest in costly customisation but do need to strike a financial balance between customisation and counter-intuitive vendor processes.  One neat tool is to create  a visual model of the deal (its structures, functions and concepts) and provide hyperlinks to the various file systems.  This removes the need to develop a common taxonomy as workers now have a visual reference point (rather than a word) for their own understanding.
  2. With process automation it is critical to ensure that the business doesn’t codify its culture.  This will only calcify bottlenecks.  A firm needs to make sure that it re-engineers its CLM process before it creates a workflow from it.  Remove non-tasks and automate simple clerical work and approvals.
  3. The business also needs to make sure that experts are not only notified but they are also edified  and contextualised.  When pushing workflows out to experts, such as in-house counsel, outside counsel etc then these people must have a clear view of the dependent components of the deal’s architecture.  Businesses can speed this process and reduce its costs by linking their own systems to online legal databases such as Thomson Reuters (Westlaw AU, FirstPoint), Lexis Nexis or CCH.

In sum, good contract management needs a highly cross-functional and multi-disciplinary approach if it is not only to be successful but also if it isn’t going to add additional cost and friction to business operations.  Enterprise products such as Selectica’s are a great start but customers must be careful to make sure that the software supports their own system otherwise they will spend all their money and time working the software.

The Business End of Social

Integrating Emerging Social Software Platforms (ESSPs) into a business is fraught with danger but the payoff can be substantial.  Not only does the company have the potential for positive brand messages to flood a series of trusted networks but it can also leverage the renewed engagement of staff for better knowledge management.  In the end, though, social is fun and sexy but it is utterly irrelevant to most employees until there is some link to an employee’s remuneration.  To rephrase the HBR article I don’t think social needs to get more businesslike, rather, I think business needs to get more social.

Measuring Risk in Logical Processes

Logical architecture is valuable in the design of large systems for 2 key reasons:  (i) it helps developers instantiate the softer concepts and more social aspects of large systems, and (ii) it provides another review-gate to iron out design flaws before proceeding to the physical system.  Military systems provide good examples of the value of logical architecture.  Many Defence systems are so complex that they are never developed at all.  If they are at all then they are often broken down into such small components that the integration can become unmanageable.  Joint Effects Targeting, counter-IED exploitation, systems to fuse operational and intelligence and the nuclear firing chain are all areas which have enormous social input so that the development of a logical architecture is paramount.

Unless a person has a pedigree in military systems logical architecture is, usually, the least understood/used part of the design process.  Certainly in Agile environments or any area requiring rapid applications development where the application is fixed (portals, billing systems, SAP etc) then logical architecture design is nugatory.

In this blog we look at logical process design but the method is equally applicable to the entire logical design phase.

BENEFITS OF LOGICAL ARCHITECTURE

When designing processes, however, logical architecture is an invaluable tool in measuring, assessing and comparing risk before moving to the more expensive technical design & implementation phases.  Because logical designs can be created, compared and assessed, quickly,  they become an excellent technical/commercial appraisal tool.   Cross-functional teams of executives and architects can collaborate on logical designs before a GO/NO-GO investment decision and thereby create 3 major benefits:

  • Reduce the time of the physical design cycle.
  • Increase executive involvement and the effect of executive steering on designs.
  • Significantly reduce the risk in physical designs.

PROCESS VALUE

The Value of a Process

There is a way of viewing, and thereby measuring risk in logical processes.  Ultimately, the value of a process is its cost divided by its risk.  So, a process which has a total cost of $100,000 and a 60% chance of success has a nominal value (not “worth” or “price”) of $60,000.  Which is to say that on average the business will realise only 60% of its value.  This is roughly the same as saying that, on average, for each $100k in earnings, the firm will spend $40k on faults.  Whether the value indicator is dollars or white elephants does not matter, so long as it is applied consistently over the choices.  This simple measuring mechanism allows senior executives to engage in the design process and forces architects to help assign costs to difficult design components.

COSTS & CONCEPTS

The difficulty is in ascribing costs to concepts.  In order to do this the team must first instantiate the concepts in some form of logical structure, such as a software system or a management committee/team.  The team then ascribes an industry benchmark cost to this structure, accounting for uncertainty.  Uncertainty is important because the benchmark cost will not represent the actual cost exactly (in fact the benchmark cost should represent the 50% CI cost).  So, when it comes to determining the probability it is vital to use the experts to come up with what the construct could cost (as little as and as much as).

PROCESS RISK

The difficulty with measuring logical architectures is in measuring concepts.  Concepts usually have no value and no standard means of comparing them.  In short, (i) assemble a small, cross-functional team of experts, (ii) ascribe costs (with uncertainty) to the concepts, apply a risk equation, and then (iii) simulate.  One possible equation is:

Logical Risk Equation - An equation for measuring process risk in logical architectures.

Where:

  • R is the overall risk.
  • P is the probability of an adverse event occurring in the process.
  • Ct is the criticality of the location of the event, in the process.
  • is the likely time it will take to notice the manifestation of the risk (i.e. feedback mechanisms).
  • Cy is the availability of a contingency plan which is both close and effective to the point of the problem, in the process, and
  • Sl is the likelihood of success that the process will be fixed and achieve an acceptable outcome.
  • 100 simply makes it easier for the team to see differences between scores.

In this equation, we determine the overall risk of the process.  It does not have to be perfect but rather it just needs to be applied consistently and account for the major variables.  If applied rigorously and evenly, measuring risk in logical architectures has the ability to reduce the design cycle, increase the certainty of the choice, build better stakeholder buy-in and significantly reduce the risk in the physical solution.

Building a Risk Culture is a Waste of Time

The focus of a good risk management practice is the building of a high-performance operational culture which is baked into the business.  Efforts to develop risk cultures only serve to increase risk aversion in senior executives and calcify adversarial governance measures which decrease overall profitability.  The right approach to risk management is a comprehensive, holistic risk management framework which integrates tightly with the business.

The financial crisis is largely due to the failure of risk management and over-exposure in leading risk-based institutions.  More specifically, the failure of risk management is linked to:

  • The failure to link risk to investment/project approval decision making.  The aim of risk management is not to create really big risk registers, although in many organisations one could be forgiven for thinking that this is the goal.  The aim of identifying risks is to calibrate them with the financial models and program plans of the projects so that risks can be comprehensively assessed within the value of the investment.  Once their financial value is quantified and their inputs and dependencies are mapped – and only then – can realistic and practical contingency planning be implemented for accurate risk management.
  • The failure to identify risks accurately and comprehensively.  Most risk toolsets and risk registers reveal a higgledy-piggledy mess of risks mixed up in a range from the strategic down to the technical.  Risks are identified differently at each level (strategic, financial, operational, technical).  Technical and Operational risks are best identified by overlapping processes of technical experts and parametric systems/discrete event simulation.  Financial risks are best identified by sensitivity analysis and stochastic simulation but strategic risks will largely focus on brand and competitor risks.  Risk identification is the most critical but most overlooked aspect of risk management.
  • The failure to use current risk toolsets in a meaningful way.  The software market is flooded with excellent risk modelling and management tools.  Risk management programs, however, are usually implemented by vendors with a “build it and they will come” mentality.  Risk management benefits investment appraisal at Board and C-Suite level and it cannot be expected to percolate from the bottom up.

RISK MANAGEMENT IS COUNTER-INTUITIVE

All this does not mean that risk management is a waste of time but rather it is counter-intuitive to the business.  It is almost impossible to ask most executives to push profits to the limit if their focus is on conservatism.  Building a culture of risk management is fraught with danger.  The result is usually a culture of risk aversion, conservatism and a heavy and burdensome governance framework that only adds friction to the business lifecycle and investment/project approval process.  Executives, unable to navigate the labyrinthine technicalities of such a system, achieve approvals for their pet programs by political means.  More so, projects that are obviously important to the business actually receive less risk attention than small projects.  Employees learn to dismiss risk management and lose trust in senior management.

If risk management is to be an effective and value-adding component it must be baked into the business as part of the project/investment design phase.  If not, then risk management processes just build another silo within the business.  The key is to forget about “Risk” as the aim.  The goal must be a performance culture with an active and dynamic governance system which acts as a failsafe.  The threat of censure is the best risk incentive.

AWARENESS IS NOT MANAGEMENT

Management has long been aware of risk but this does not always translate into true understanding of the risk implications of business decisions.  Risk policies and practices are often viewed as being parallel to business and not complementary to it.

Why is it that most businesses rate themselves high on risk management behaviours?  This is largely because businesses do not correlate the failure of projects with the failure of risk and assurance processes. 

In a 2009 McKinsey & Co survey (published in June 2012 “Driving Value from Post-Crisis Operational Risk Management”) it was clear that risk management was seen as adding little value to the business.  Responses were collected from the financial services industry – an industry seen as the high-water mark for quantitative risk management. 

COLLABORATION IS THE KEY

Risk management needs to become a collaborative process which is tightly integrated with the business.  The key is to incentivise operational managers to make calculated risks.  As a rule of thumb there are 4 key measures to integrate risk management into the business:

  1. Red Teams.  Despite writing about collaboration the unique specialities of risk management often require senior executives to polarise the business.  It is often easier to incentivise operational managers to maximise risks and check them by using Red Teams to minimise risks.  Where Red Teams are not cost effective then a dynamic assurance team (potentially coming from the PMO) will suffice.  Effective risk management requires different skills and backgrounds.  Using quantitative and qualitative risk management practices together requires a multi-disciplinary team of experts to suck out all the risks and calibrate them within the financial models and program schedules in order that investment committees can make sensible appraisals.
  2. Contingency Planning.  Operational risk management should usually just boil down to good contingency planning.  Due to the unique skill sets in risk management, operational teams should largely focus on contingency planning and leave the financial calibration up to the assurance/Red teams to sweep up.
  3. Build Transparency through Common Artefacts.  The most fundamental element of a comprehensive risk process is a lingua franca of risk – and that language is finance.  All risk management tools need to percolate up into a financial model of a project.  This is so that the decision making process is based on a comprehensive assessment and, when it comes to optimising the program, the various risky components can be traced and unpicked.
  4. Deeper Assurance by the PMO.  The PMO needs to get involved in the ongoing identification of risk.  Executives try and game the governance system and the assurance team simply does not have the capacity for 100% audit and assurance.  The PMO is by far the best structure to assist in quantitative and qualitative risk identification because it already has oversight of 100% of projects and their financial controls.

Traditional risk management practices only provide broad oversight. With the added cost pressures that businesses now feel it is impossible to create large risk teams funded by a fat overhead. The future of risk management is not for companies to waste money by investing in costly and ineffective risk-culture programs.  Good risk management can only be developed by tightly integrating it with a GRC framework that actively and dynamically supports better operational performance.