One of the most challenging aspects of implementing corporate performance management or risk management projects is how to embed these philosophies into the daily culture of your organisation. Outlined below are a couple of examples of how the Risk-based performance approach can help embed corporate performance and risk management philosophies into your organisation – a topic we will return to often on this site. Here we look at issues relating to silo processes and internal control certification.
Whilst change management is clearly an important consideration, I am not going to touch on this in much depth other than to say there has been much written on the topic. Two articles that I would recommend as good reads are Leading Change: Why Transformation Efforts Fail, from HBR and Corporate transformation without a crisis, from Mckinsey quarterly.
From a practical point of view, one of the things we have seen create barriers to embedding performance and risk considerations relates to the organisation’s approach to implementation, (particularly on projects which are ‘ big consultancy’ heavy).
Both industry and our own research highlights silo processes as a key factor in increasing an organisation’s risk profile and contributing to operational losses. However, we often see organisations creating silo processes during the implementation of risk management projects. Examples of such silos would be the creation of ‘front to back’ process flows developed specifically for the risk project. Often these are impressive-looking, flow chart style diagrams but once the project is over, how are they used? Do they help employees understand their role? For example, if there are reconciliations to be completed and a temp staff member doesn’t show up, do these diagrams help another team member provide cover? If your claims process is out of control, do these diagrams provide a robust starting point for analysis to understand where things are going wrong?
In our experience too often these diagrams add some value during the project but do not live on in the business because they are too high-level and are not useful on a day-to-day basis. Often they are not maintained and kept up-to-date, so quickly become dated and misleading.
Another example of silo processes is the frequently seen quarterly or bi-annual ‘certification’ process whereby management certify their internal controls are effective. Again too often we see these processes developed in isolation. The result is every quarter or six months management are asked to sign-off the controls they are suppose to be responsible for, yet they do so without being able to access information to support their sign-off decisions. Too often such information, in particular historical trend information and root-cause analytics, is simply not available.
During a Risk-based performance implementation these issues are addressed by working with ‘coal face’ staff to develop sustainable processes that add value beyond the specific project. Below is how we would tackle the two situations mentioned above.
Rather than developing high-level ‘front-to-back’ process flows drawn from a systems or information flows perspective, we encourage the development of process flows from the perspective of employees at the coalface. Taking this perspective enables front-line employees to honestly document exactly what systems they interact with, and what information they process and how – including the workarounds and shortcuts taken.
Taking this bottom-up, ‘warts and all’ approach, while keeping the end-goal in mind, leads to business process flows that can be used to identify the right performance, risk and control indicators, adding value during and after the implementation project. In addition the flows will be critical to identifying high-risk workarounds and shortcuts, such as handcrafted spreadsheets and Access databases.
Overlying audit points with these flows can provide significant insights into the robustness of critical business processes. Because the flows are driven by frontline employees within a strategic framework, they often throw up opportunities for process improvements and restructuring as the processes are (often for the first time) considered from a performance, risk and controls perspective.
As for quarterly or bi-annual certification processes, asking these to have complete accuracy and with integrity on such an infrequent basis without proper trend information to support the certification is, frankly, a waste of time.
To improve certification quality, and reduce the workload related to it, organisations need to increase its frequency to match monthly reporting and review cycles. This may seem counter-intuitive, but it works. By integrating certification processes into existing reporting and review cycles they quickly become a normal, regular part of the organisation’s review process and part of normal management discussions that take place within these review processes.
Additionally, if individual control owners are regularly being challenged to back-up their assertions of control effectiveness, it drives the development of appropriate management information. It also enables internal audit to add more value, as the results from certification processes and audits become increasingly aligned due to improvements in the certification process and information around it. This often enables audit and risk staff to begin to truly work as business partners, rather than business policemen.
By ensuring that implementation projects and their outputs are designed from a sustainable perspective and by integrating processes such as certification into the normal business review timetables, management are able to use the Risk-based performance methodology to deliver the right information and set the right tone for the business. This is key to making performance and risk day-to-day considerations in the business.