News

What is being done to help restore confidence in corporate reporting and governance and to avoid future attempts to mislead stakeholders by bolstering systems and process controls? FSN contributing editor Paul Quigley reports.

When Ken Lay and Andrew Fastow were given custodial sentences for their parts in the fraudulent business activities that epitomised Enron's fall from grace as a darling of the stock markets almost a decade ago, few could have foreseen that such a sorry chapter in corporate governance could ever plumb such depths again. Yet despite tough legislation and new codes of practice, corporate governance has witnessed such new upheavals that even Paul Sarbanes and Michael Oxley could never have expected matters to fall so far, so fast. So it was only a matter of time before new scrutiny would arise on corporate governance, risk and compliance in the wake of the global financial crisis. 

One of the first questions to be asked about the banks was, why didn't anyone see it coming, how could it have happened given Sarbanes-Oxley and the supposedly new mantras of corporate social responsibility, transparency and accountability - and hence what of GRC – governance, risk and compliance – the software systems and processes that were supposed to mitigate if not prevent such things happening again? Even with such measures, the damage to trust will be an altogether longer-term challenge to repair. Without more transparent models of accountability,  no amount of emergency measures will repair pensions, equities and capital markets. 

What next for GRC 

The U.S. Securities and Exchange Commission is in the process of implementing a raft of measures to bolster good governance and to close loopholes on potentially unethical if not unlawful current practices. Such measures will include greater oversight of credit ratings agencies, a ban on flash orders, closing down dark pool trading, tightening up on reporting procedures post-Madoff as well as rapid backing for XBRL reporting procedures. "We should never underestimate or take for granted the wide spectrum of benefits that come from transparency, which plays a vital role in promoting public confidence in the honesty and integrity of financial markets," said SEC Chairman Mary Schapiro in a recent pronouncement on planned changes to financial services reporting. 

While central banks pump liquidity into financial markets to help boost equity markets and lending to businesses, quantitative easing and bail-out plans alone will not form the basis for rebuilding confidence in corporate governance. That will have to come from the companies themselves. 

Chris McClean, analyst at Forrester Research, believes it would be unfair to discount the value or effectiveness of GRC based on the events that unfolded in the financial services industry and beyond in 2008. “It's true that many of these companies had implemented technologies to help them better track their risks and controls,” he says, “but none of them had really embraced GRC throughout the organization. In addition, GRC implementations are generally much more focused on operational risks and controls, such as anti-fraud, access control, as opposed to credit or market risks.” 

McClean believes that if anything, the financial collapse should serve as a lesson for companies in the value of monitoring all categories of risk and using this information to make good decisions. “I believe a lapse in both of these practices lead to the crisis, he says. “To be fair, there are legitimate reasons to be sceptical of GRC. There are hundreds of vendors that claim to offer GRC capabilities, but each one offers only bits and pieces of a large puzzle. GRC is much more of an organizational and process framework that helps compliance, risk, audit, and other functions work more closely with each other.” 

McClean is adamant that it was not the fault of GRC or their use of support technology that has been to blame. “Technology simply helps in the facilitations and documentation of that work,” he asserts. “To say that the failure of workflow, document management, control testing or reporting technologies helped cause the crisis is clearly missing the point. To say that companies should have had more rigour in their corporate governance, risk management, and compliance functions is much more accurate. And of course, that's ignoring the market conditions, regulatory shortcomings and scores of other factors that also contributed to the collapse.” 

“What's next? Most companies I talk to are still working on improvements in their strategic and organizational issues related to governance, risk, and compliance. Many are getting to the point of making significant investments in GRC technologies as well. One of the lessons they need to keep in mind is to work on making GRC a part of how they do business. If they expect managers to make better decisions related to risk, are they giving those managers resources to measure and analyse those risks? Are they evaluating and compensating those managers on performance as well as risk metrics? These are critical questions to ask.”

 Market forces affecting GRC 

John Kelly, Vice President at OpenPages concurs and is positive about GRC's place in restoring trust and its rising importance to businesses. “We've had one of our best years in many,” he says. “Overall, the financial meltdown really raised the awareness for effective risk management. We've been told by clients that our project is the only one to go through budget approval sequence without any delay. Some companies do have good risk management programmes in place but their people are not adhering to them, there's not a real good top-down risk culture where executives are setting the tone at the top, they may be going through the motions saying they have a risk management programme in place, but, as in the meltdown, there was too much greed.” 

Kelly believes companies were aware of the risks, but they chose to ignore them. “Even having the best risk management technology in place only gets you so far. You have to have the right approach and culture to make sure that's actually adhered to. It's interesting that GRC has got a lot of awareness, vendors like ourselves have benefited from the meltdown” he admits. 

So, has the meltdown brought GRC more into focus? The answer appears to be that it has quite likely shifted it right up the corporate agenda, and that boards are realising they can't leave things to chance again. While there is arguably no such thing as risk elimination, just risk mitigation, everyone was so busy growing their businesses post-dotcom and pre-credit crunch that boards took little heed of how things – convoluted processes - were being done. So are we collectively accountable? Is socially responsible corporate governance still viable? It would appear so. 

According to OpenPages' John Kelly, in terms of clients, they are fairly switched on now, few are sceptical and they are starting to really want to sign on to GRC. “We target typically the largest companies that understand the value of GRC, that need a framework in place that enables them to try to aggregate all of their different risk and compliance domains into one, so that you do get that 'dashboard', and we do have customers with monthly or quarterly executive-level meetings where they will review their risk dashboard that shows which risks they've identified, which controls they've put in place, then how they're performing against those risks – a risk 'heat-map'. But not only risk, compliance too – there are just so many different areas it's hard to get them all into one, but that's what a lot of companies are coming to us for. Typically, what'll happen in financial services is they'll kick off with operational risk – a few years ago it was financial controls after Sarbanes-Oxley, and the project will get awareness within the company and then the financial controls people, the CFO or the Chief Compliance Officer will say they don't want to put another standalone solution in place, we've got one for IT risk, we've got one for Sarbanes-Oxley, now we're coming up with one for operational risk – why don't we try to aggregate those so that we can get at them at an enterprise level view of our risk. That's what we've been seeing. Whether it starts off as this holistic, idealistic we need an enterprise view – doesn't always start that way. It might start as a particular department or function within a company.” 

So does companies' awareness of Sarbanes-Oxley and GRC fall away amongst lower tier companies who are not listed? Not so, according to John Kelly. “We do see that in financial services,” he says. “If you go down a tier to Tier 2 or Tier 3 kinds of regional banks, for example, they are very much interested in managing their operational risk such as for Basel II compliance. With insurance, we are seeing a lot of Solvency II [compliance] now. So if they are not publicly-listed companies that need to follow Sarbanes-Oxley, they do feel like they need to manage the risk.” 

OpenPages' John Kelly also sees GRC as getting stronger, having seen a significant 'uptick' in project proposals that the company is working on for 2010. The Financial Reform Bill going through Congress in the U.S. will, Kelly believes, drive new business and certainly require vendors such as OpenPages to adapt their GRC solutions to it. “We actually have a patent for what's called our 'configurable platform', meaning that from our user interface, you can change or update a field and that immediately gets represented in the database – the data object model which is important if you think back to Sarbanes-Oxley three or four years ago. The market was going crazy and our revenue was growing commensurately. But the company saw that the market was a limited opportunity, because either all the companies are going to get Sarbox-compliant and, eventually, there'll be market saturation – and it seemed a bad idea to put all our eggs in one basket, so fortunately, the company revamped the architecture so that it was flexible and looked at other opportunities – the first one being operational risk.” 

According to Kelly, the difference is that Sarbanes-Oxley and those types of regulations are straightforward since every listed company has to do the same thing to comply. Whereas, internally, things are anything but the same. “However, with operational risk,” Kelly notes, “every company has a different set of risks they need to manage, so you do need a platform that can be customised to that company's individual methodologies or taxonomies. But you don't want to do that by custom-coding, because then you have a tough time maintaining it and upgrading it. So one of the nice things about our platform is that you can make changes through the interface – you can add a new field and then automatically report on it. As regards upcoming new regulations, we are pretty well positioned to be able to take advantage of those, and to be able to deliver a solution pretty quickly.” 

Endgame: What next for GRC? 

After the gold rush, once the dust finally settles on what some commentators are calling thirty years of so-called 'predator capitalism', where greed was good and Milton Friedman trumped Keynesian economics in the boardrooms of Corporate America and beyond, hopefully, a new era of corporate social responsibility integrated with governance, risk and compliance has finally dawned. Some economists and financial analysts are still predicting a 'double-dip' to the current crisis. Financial institutions such as SocGen are even warning bearish clients to batten down the hatches to protect their current investment portfolios from another possible slump – a so-called 'double-dip'. The time for effective GRC systems and processes has never been more compelling on so many levels. 

While technological tools now exist, as evidenced by the many GRC software solutions now available, what still remains is the political will to make organisations put their money where their mouths are and invest wisely for once in a long time. Forrester's Chris McClean suggests the way forward is to harness the available technological systems and tether them to business processes. “From a technology standpoint, these questions are starting to lead organisations toward GRC technologies that are more closely connected to transactional systems, that offer capabilities to model risks related to business processes and objectives, and that offer more sophisticated business intelligence and analytical capabilities to support good decision making,” he adds. “The vendor landscape is still very broad and full of small niche players, but as the market matures and requirements become more standardized, consolidation with start to pick up even more.” 

As the price of gold tops out a thousand dollars an ounce and equity market feel the rosy glow of government gilts, for industry and commerce, the glow of success lies in sustainability and in caring capitalism. But for now, a serious period of reflection is in order. The battle for principles-versus-risk based compliance may not yet formally be over, but the need to comply or explain certainly is.

read more - GRC - after the gold rush, where next?

Sussex Health Informatics Service (HIS) and partner organisations have chosen the BOARD the provider of a Business Intelligence and CPM toolkit to deliver improved reporting and KPI’s. The BOARD solution will allow end users to have greater visibility of their data, combine various previously difficult to align data sources, automate a currently time consuming and manual reporting process and facilitate users with the flexibility to view critical KPI’s in a way that makes most sense to each individual and team.

Colin Styles, of Sussex HIS comments that “BOARD will allow users the freedom to access data and report on it, in a way that best suits them, yet provide them with a standardized format, within set guidelines and security”. Overall the BOARD solution is expected to bring greater accuracy to the reports, deliver information much more quickly and allow users to become far more proactive.  Data silos will be eliminated and distribution of reports will be streamlined.  Users will see almost immediate benefits in terms of time saving and further KPI’s, risk analysis, planning and forecasting will be able to be introduced.

By loading data at the lowest level of detail BOARD says that users will be able to drill down to event level, across several data sources including patient activity and workforce information, allowing users to have a much more complete view of activity at an enterprise level.

The programming -free approach of the BOARD toolkit is expected to deliver improvements to Sussex HIS’ KPI reporting by the in less than 15 days.  In addition, says BOARD, users will be able to create their own reports and dashboards, without the need to place pressure on IT departments, promoting Self Service BI(Business Intelligence) and PM (Performance Management) within the Sussex HIS environs.

Sussex HIS regard this solution as innovative as it will enable them to very quickly provide to their users access not only to source data, but value added information created locally, including healthcare analysis data which includes population profiling and predictive analytics (risk prediction). Styles continues “Our adoption of BOARD as an element of our DW/BI strategy provides us with an innovative solution that allows users to report, analyse, budget, plan, forecast and produce KPIs and Balance Scorecards, in one single product.  The possibility for using BOARD across multiple NHS departments is endless, the more we use the toolkit, the more opportunity for improvements we discover”.

Other organisations in Sussex have also expressed an interest in using Board and are considering it for support reporting on emerging work areas including World Class Commissioning and supporting the 'Enhancing Quality' initiative.

Dominic Policella, Managing Director of BOARD UK adds “ We are delighted to be working with Sussex Health Informatics Services and look forward to helping them bring added value to their business units.  BOARD is a single, programming-free product for reporting, dashboards, KPIs, planning, budgeting and forecasting.  It is easy to use and speedy to implement and allows users to really understand their data”.

read more - BOARD Business Intelligence and Performance Management toolkit chosen by Sussex Health

read more - ATP International selects Tagetik 3.0 to automate Financial Consolidation and Management Reporting

read more - CFO vs CIO - Let battle commence!

read more - iForce takes stock with IBM Cognos 8 Business Intelligence

According to Gartner, sales of BI systems will grow by an estimated 25% from 2008 to reach $7.7 billion by 2012. They also reported that from a survey of 1,500 CIO’s, BI is their top priority and has been for the last 3 years. So it would seem that organisations see real value in BI – otherwise why would they invest in it?  But is this true in every organisation – or is money being wasted that could be better invested elsewhere? Michael Coveney, senior FSN writer questions the role of BI and urges organisations to set their sights much higher.

In a 2007 survey reported by Information Week, executives said that the top three reasons that prevent their organisations from implementing BI throughout the enterprise are problems with ‘integration’; ‘ease of use’ and there being ‘no clear Return on Investment’.

This last point is somewhat surprising given Gartner’s prediction.  After all, why continue to invest in a product or service, if it’s not contributing to the overall value of the organisation?

BI is like any other resource.  It consumes organisational assets – money, people and time – all of which could be used elsewhere to help meet corporate goals.  And yet software vendors and analysts alike proclaim that if organisations fail to invest in BI, then they will be at a competitive disadvantage.

So what is the reality of BI and organisational value, and how can management ensure that BI delivers on what it promises?

What exactly is BI?

It was Howard Dresner who in 1989 proposed BI as an umbrella term to describe "concepts and methods to improve business decision making by using fact-based support systems”.  This was later refined in a Gartner Research document as:

 “The systems that help decision-makers throughout the organization understand the state of their company’s world.  A set of methods that support sophisticated analytical decision-making aimed at improving business performance”

BI is the fusion of both systems and methods, although today the term BI is synonymous with technology alone.  But like any other technology, it is only when applied in the right way, can it generate value for an organisation.

‘BI” systems had been around commercially since the early 1970’s. They can quickly sift through enormous volumes of data to report trends, variances and relationships to end-users, in a format that helps those users make informed decisions.  When used correctly they can help identify potential savings in costs and time; adverse trends; optimal production costs; fraudulent activities; and revenue opportunities.

However, for this knowledge to have any real value, data must be presented in the right context, which lead to actions that take advantage of what has been identified.

Context is everything

BI systems are primarily about data analysis.  It is often assumed that the more data (assuming it is accurate and timely) a system has, the more ‘insightful’ those analyses will be.  But nothing could be further from the truth.

For example, a BI system could reveal that a contribution of 50p is made on every item a company manufactures.  It could also reveal that this contribution level has increased marginally year on year, and that volumes had grown by 5%.  From this data, management could make a decision to continue current levels of investment in the product line.

But what if the same management found out that competitors had made a contribution of 60p, that their volumes were growing by 20% which now made them market leader and that they were planning to drop their prices by 70%?  With this contextual information, the decision would probably be very different.

For BI systems to add real value they must present data in the context of what’s going on inside an organisation and in the market being served, so that informed decisions can be taken.  Without the right context, data can cause organisations to destroy value through wrong investments as well as supporting wrong operational and strategic decisions.

Actions speak louder than alerts

In 1983, Comshare developed one of world’s first Executive Information Systems (EIS).  It was so successful that it propelled Comshare into dominating the market for EIS during the 1980’s and early 1990’s.  One of its attractions was ‘Detect and Alert’ – a software ‘robot’ that would trawl through a sea of information and alert managers to exceptions they could easily have missed in traditional reports.  It was thought that the era of ‘missed opportunities’ was over.

But by itself, an alert is only the start of a process.  The idea was that when an alert was triggered, management would analyse the cause of the alert and determine a course of action.  These actions would be communicated, resources allocated to them and subsequent results monitored. 

For BI to have real value, there needs to be a mechanism where identified alerts are followed up and any subsequent actions linked into the organisations planning/budgeting and decision monitoring systems.  So often, BI systems are implemented as totally separate systems with little or no thought on how to deal with their findings.

Tactical or Strategic?

BI can be used both tactically and strategically.  Tactical deployment covers applications that are focused on either saving costs or identifying revenue opportunities.  Strategic deployment consists of applications that focus on helping organisations achieve long-term aims and objectives.

Most BI implementations are tactical, and while that may improve operational efficiency, the things that drive the future value of an organisation are being ignored.  To deploy BI strategically involves the following steps:

Determining the long term objectives/goals of the company and how they are measured

Defining the strategy (i.e. the way) in which those objectives are to be achieved, e.g. launching new products, expanding territories, acquisitions, etc.

Developing activities/actions that directly influence and implement the chosen strategy

Finding out how the organisation is performing those activities today

Assessing how competitors could perform those activities in the future

Forecasting how activities would need to change to beat competitors

Allocating resources to enable those changes

Monitoring results and making adjustments

A strategic deployment of BI would consist of systems that directly support steps 4, 5 and 6.  Tactical deployment only concerns itself with part of step 8 – monitoring results, but can’t help with making adjustments as the strategic context is missing.

In the paper ‘Five Business Intelligence Predictions for 2009 and Beyond’, Gartner note that:  “Because of lack of information, processes, and tools, through 2012, more than 35 per cent of the top 5,000 global companies will regularly fail to make insightful decisions about significant changes in their business and markets.”

The real value of BI is bound up in how information is presented in a strategic context and how that affects the decision-making process.

read more - Getting real value from Business Intelligence, BI

read more - CODA 2go becomes FinancialForce.com

read more - SAP under pressure as sales fall and outlook remains difficult

read more - Sage UK enters upper mid market with launch of Sage ERP X3

read more - Microsoft expands Dynamics AX ERP capabilities