Sunday, May 6, 2012

The 'Great Potato Fraud of 2012'

I wrote a few weeks ago of the pride and complacency of the middle management fraudster and the 'smartest guys in the room'.

On a recent ski trip I had met a guy on a chairlift who proceeded to tell me his approach to 'supplementing his income', including "finding suppliers you need on a consistent basis who you can overpay, and get cash back later, minus a ‘consideration’".

Some readers of my blog expressed disbelief at these comments.

This week the humble potato made headlines for a similar fraud. In 2008 a senior buyer for Sainsbury's was arrested on suspicion of fraud together with a senior manager from their key potato supplier, Greenvale, on suspicion of bribery and corruption. Financial control specialists, fraud experts and those following the UK Bribery Act and its US cousin, FCPA, will find this fascinating.

The story goes back to 2005 when the Sainsbury's buyer 'consolidated and streamlined' potato supplies to one vendor, commenting "By streamlining our potato supply base we are in a much better position to improve efficiencies for everyone involved in the supply chain, which ultimately means we will be able to serve our customers better." Sounds great, right?

The arrests were made in 2008; the trial has just started in the last week and is expected to last three weeks.

The Sainsbury's buyer is accused of receiving 5 million pounds in corrupt payments. A self-funding scam where the supplier made money, the fraudster made money and ultimately the company may not have lost out since the costs were probably recovered in consumer pricing. This case is especially interesting in that there was no obvious loophole, which explains why it went undiscovered for so long.

The full story is well worth a read here . . .

This sorry story obviously raises questions. Segregation of duties? Mandatory rotation of supplier (and customer) management responsibilities? Monitoring unusual price changes? Is supplier single sourcing such a great idea? Multi-source supply has inherent risk management benefits . . .

The lesson in all this? Financial control isn't just about protecting the cash, you gotta protect your spuds too!

Thanks for reading . . . .

Are we all better than average at risk management?

Who's fooling who?

CFO magazine recently published a fascinating article that is another example where executives all think their organizations are above average. The article observes that experts estimate that internal fraud costs companies 3% to 5% of revenue each year. But executives are prone to underestimating the amount of fraud that exists within their company.

They want to believe that their internal controls are better, their employees are more honest, and their ability to stop fraud is more effective than that of executives at other companies.

In my meetings with executives across a wide cross-section of industry, in discussions about risk management, financial control and assurance, it is still surprisingly common to hear the opinion that management see no need to improve their risk management or financial control approach because 'the risk here is very low', 'we trust our people', 'we don't see the benefit'. I suspect that it is just these firms that get the nastiest surprises along the line. Fraud prevention should not be the prime reason for improved financial governance, but it is a consideration. Having confidence that the business is working the way it should ought to be a priority for the executive team, the audit committee and all stakeholders and investors.

Much more reassuring is the comment from the executive responsible for financial control at a top 10 global leader when he told me "we spend a lot of money with the Big 4 and benchmarking firms who all tell us we are in the top 10% worldwide in terms of our financial control effectiveness. Why don't I feel good about that? I know a lot of things still go wrong, and those are just the 'known unknowns'!".

This got me thinking about the 'Rumsfeldian' comments and perhaps it's the 'unknown unknowns' that cause the biggest issues. Either way, we should not get caught in the trap of ASSUMING our company is much better than average . . .

Read the full article at CFO magazine at http://www3.cfo.com/article/2012/4/fraud_internal-fraud-detection


Thursday, April 19, 2012

Perception, Risk and Safeguards

I gave a talk today at the Enterprise Risk Management (ERM) Symposium in Washington D.C. We divided the time 60/40 between my presentation and a group discussion on implications, especially for the Insurance industry. We had a lively discussion with CROs and risk professionals and my observations on perception of risk seemed to resonate. I summarise this element here.

I read recently of a study performed in 2008 in which an audience was asked to watch a video clip and count the number of passes made by a basketball team in one minute. A high percentage of the audience got it right. The number was 13.

They were then asked if they spotted the person in a fancy dress bear outfit who moonwalked across the basketball court in the middle of the one minute clip. Confused, most people admitted they did not. It is fascinating that we tend to see what we expect and block out events or images we are not expecting. This has amusing consequences (in video conferences, for example) but has a serious implication for risk management professionals and executive management tasked with driving performance and avoiding the pot-holes of commercial existence.

In these days of regulation and compliance, the consequence for risk management and the finance team is that we tend to view the world through the lens of the safeguards we have implemented to protect us from risk. These safeguards are typically internal controls which are tested rigorously and with great focus (I hope), but we sometimes lose sight of the underlying risks. My recurring analogy for this is the car park barrier (safeguard, internal control) and the tyre tracks (risk) . . .


The evidence of the weakness of human perception and our tendency to see what we expect drives a common reaction in our continuous risk monitoring work. 'THAT CAN'T HAPPEN' is a typical response to some of the more worrying exceptions reported. Of course, these things can happen and do. The tyre tracks tell the story. It takes some time of gradual realisation before the stakeholders really understand the image above and recognise that we make big assumptions about the existence, operation and effectiveness of our safeguards and internal controls.

If you are still not convinced about the vagaries of perception, take a look at this image below. What do you see?


Thanks for reading . . .

Tuesday, April 17, 2012

Fraud, 'Smart Guys' and 'Better Than Average'

I was skiing the weekend before last in the Swiss Alps and as luck would have it, a rather interesting conversation developed on a chair lift. A pretty long lift as it happened . . .

The only other person on the chair was a guy who introduced himself as Peter who asked what I did for business. I told him, expecting the usual glassy stare, and got a far more interesting reaction.

‘Monitoring, you say? Unusual patterns of activity? I’m glad you don’t work with my company!’ He seemed like a fairly senior chap in his late 40’s. His exposure and involvement in both the sales and spend activities implied a pretty broad role.

My interest piqued, I quizzed him a little and he gave me a full blown account of some of HIS more ‘unusual’ patterns of business activity.

‘Find suppliers you need on a consistent basis who you can overpay’, he told me. ‘Then I get the cash back later, minus a ‘consideration’. Helps with all those exceptional expenses.’ ‘Like skiing trips?’ I ventured. ‘Surely there are controls though, both in your company and with your suppliers?’ He informed me that you need to deal with senior people . . .

He has 2 or 3 of these special suppliers . . . .

‘Then, I have a couple of very good customers’, he went on (it sounded like they were distribution agents). ‘I cut special deals with these customers where they get our product well below the price they should get.’ A lot of ‘promotional goods’ in his business perhaps. ‘They keep an account for me with 50% of the undercharge.’

He didn’t seem remotely guilty about this; I even sensed some pride or entitlement.

‘How long have you been doing this, Peter?’ I asked. ‘About 15 years’ . . . .

Of course, when we got off the chairlift and said our ‘au revoirs’, I shouted after him ‘who do you work for?’. He sped off on his skis with a laugh, and that was the last I saw of him.

Perhaps I am naive. I was stunned by the relaxed way he described his activities. He obviously felt smug and smart about how he maintained this situation. I was reminded of that article, I think in Fortune magazine, entitled 'The Smartest Guys in the Room' about the Enron debacle . . . .

And as coincidence would have it, CFO magazine today published a fascinating article that is another example where executives all think they are above average. The article observes that experts estimate that internal fraud costs companies 3% to 5% of revenue each year. But executives are prone to underestimating the amount of fraud that exists within their company. They want to believe that their internal controls are better, their employees are more honest, and their ability to stop fraud is more effective than that of executives at other companies. CFOs and other top executives should not get caught in the trap of believing their company is much better than average . . . Read the full article at CFO magazine at http://www3.cfo.com/article/2012/4/fraud_internal-fraud-detection  

Thanks for reading . . .

Tuesday, April 3, 2012

Accounting Regulation Reducing Fraud, Really?

An article in CFO magazine today announced the opinion that the US 'Jumpstart Our Business Startups' (JOBS) Act, whilst easing the Sarbanes-Oxley (SOX, Sarbox) standards, might pave the way for fraud. You can read the article here . . .

From my viewpoint, the SOX benchmark has done little to address the causes or even the identification of fraud. You just have to look at the news headlines of the recent months with Madoff, MF Global, Olympus etc and countless FCPA violations (which admittedly are outside SOX scope).
I remain unconvinced that SOX-style focus on 'Internal Control Systems' actually addresses the issue. The major accounting scandals, even post SOX, all boasted an independently validated system of internal control and a clean audit by one of the Big 4.

Readers of this blog will know by now my fascination with the myopic focus of some Finance, Audit and IS teams on 'controls' (the car park barrier) rather than the genuine risk (the tyre tracks). If this makes no sense to you, I explain my metaphor more visually here.

I am a big believer in focusing effort on identifying and managing risk and on identifying and managing performance gaps. I just worry about the 'compliance' mindset . . .

There was a great letter sent to the SEC by Ken Lever, then CFO of Tomkins, which was quoted verbatim in the excellent book 'Reinventing the CFO' by Jeremy Hope (my synopsis can be found here). I quote it here as it is the clearest expression that I have seen in print . . .

"All that SOX does is to force us to have lots of detailed documentation to support our control systems. And then it forces management to keep testing them. This has added a lot of work for marginal benefit.

To be fair, there are areas where it has identified a few control weaknesses that should have been addressed. But I do think that SOX is not addressing the real problem. I think that 90 percent of value destruction in business comes from strategic error, not from problems in control systems. I’d be very surprised if a weakness in any of our control systems gave rise to a material financial error, whereas making a big strategic mistake could cost a company and its shareholders tens of millions of dollars.

I think the problem with SOX is that it doesn’t focus on the real issues. These are about risk. So we’ll end up with lots of documentation and a testing regime so that the auditors and the SEC can come along and make sure we are doing it properly. Now, if that adds value to corporate America I’d be very surprised. It just seems to me that it’s a big value shifting exercise from shareholders to accountants and lawyers."

Couldn't have said it better myself!

Thanks for reading . . .

Thursday, March 1, 2012

Will it make the boat go faster?

I had an interesting chat with a friend the other day, where he recounted this quote from a world-record-beating sailor (I forget the name, but it is not critical to the story).


With any new suggestion for additional 'stuff' for his craft (especially technology), he would always respond 'will it make the boat go faster?'.

It got me thinking that to be a leader in a business or even to win anything, we need to be very clear in distilling the key elements of success to their very essence. Hence, clearly (although I am hardly even 'competent crew' as my sailing friends will attest) it seems that a leading indicator of success in ocean racing is to have a fast, and consequently light, boat.

It's an interesting thought when you apply it to business. I watched the news on TV this morning and listened to Sir Martin Sorrell, CEO of WPP, talk of their record results just announced where they have broken through the 10 billion (sterling) revenue barrier, with record EBITDA.

These seemingly random inputs this week got me thinking about received wisdom. The dominant theme in driving efficiency (and thus profit) in big companies is around transformation and standardisation in common processes, a shift to shared services and common, single instance global ERP systems. This has become almost a religion, and I have to say my company is involved in this too. A whole industry has grown up around advising, executing, reviewing and benchmarking this kind of 'finance transformation'.

Back to the sailor. Very interesting to ask with all these initiatives - 'will it make the boat go faster?'

Whilst generally senior executives will answer a resounding 'yes', there is less evidence than we might expect. Certainly there is a high correlation between leading firms and these transformation strategies. But is there a causation, or is it just the trend that all successful firms feel the need to follow?

This brings me round to some of the giants of business today who eschew such standardisation. WPP is a tremendous business and a global leader in its field. Do they standardise? From my friends there I know the answer is 'ONLY IF IT MAKES THE BOAT GO FASTER' . . .  Hence, WPP is a powerful network of marketing agencies, not an organizational behemoth with centralised planning, execution and control.

Likewise, BMW, one of the leading global automotive brands and a client of my firm, don't blindly follow the standardisation and centralisation philosophy. They answer such challenges with 'only if it sells more cars' . . .

Now, to be clear, there are standardization and common systems at these organizations, but they rigorously challenge the scope at which standardization and consolidation make business sense.

There is a lot to be said for individual business unit responsibility and accountability, and obviously there is a question where on the spectrum to make the call.

Food for thought I think. How many other global leaders in their industries take this particular 'road less travelled'?

Thanks for reading . .

Friday, February 3, 2012

Risk, misplaced confidence, early warning systems and health checks




I am sitting in a 6th floor office in Manhattan and ruminating between meetings. Over the past couple of years I have talked with numerous finance executives, controllers, risk and control specialists and audit folk on the topic of managing and monitoring risk in the processes that affect the financial statement. With that as input, I have just written a short paper with a Partner at a respected Big 4 firm. The paper will be published shortly, but these thoughts reflect the same theme and thinking.
I know I am not the only one who looks at the continuing eruptions of accounting and fraud scandals in the press, and wonders about the paradox. These organizations have healthy audit reports and a reputable system of internal control. Then one day it comes out that all is not what it seemed. Within months, the reality emerges that things have not been quite as rosy as previously painted. But what do we really learn from these events?
It is easy to dismiss the most egregious accounting failures as the ‘exceptions that prove the rule’ and assume that, in general, assurance over financial results and processes is improving all the time.
It is an interesting facet of the human condition that something that has not been observed for a long time (or at all) is felt to be of low likelihood of occurring in the future (think earthquake, volcanic eruption, disastrous tsunami, collapse in price of AAA rated securities, developed country default, fraud event  . . . .)
I believe our confidence in the current approach is misplaced. We have a false sense of security. The current ‘standard’ level of financial assurance is akin to periodically asking the manager of the parking lot whether the barrier works and asking to see certificates of regular maintenance.
Andy Grove of Intel famously said ‘only the paranoid survive’. He was referring to a company culture that kept Intel at the top of its game for 25 years. A healthy paranoia in business would be calmed by an effective early warning system. Just as we keep on the lookout for unexpected seismic shifts . . . 

At the risk of analogy overload, we know from a health perspective that ‘prevention is better than cure’.  We are all comfortable with the fact that the medical profession has moved on from a simple visual observation by a general practitioner for a health check. Medical and technological advances mean that we now rely on blood tests rather than purely outward symptoms on the body. Why is that?

Blood tests give a much more precise ‘early warning system’ of future problems. The blood system carries ‘markers’ of potential dangers earlier (typically months or years) than the evidence of external symptoms. Early identification of these ‘markers’ makes for an effective diagnosis strategy in the fight against disease.
Our interest has been stimulated by this theme as we have identified similar characteristics in the latest approaches for assuring the health of the organization.
Just as the blood system carries markers of potential disease in the body, so information systems of the organization carry data around the business that also act as ‘markers’ of business activity, risk and performance.
Our approach to the assurance of business health needs a similar step-change to what we have enjoyed in personal healthcare over the past 20 years. We are learning and applying these lessons today.
There is growing evidence that our confidence in financial controls is misplaced just as an external checkup of the body can provide a false sense of security.
We need an effective early warning system for risk exposure and performance breakdown. Financial control is about managing risk and, ultimately, reputation.
You can see my talk on this topic at http://bit.ly/AeFMr3     
Now, back to business . . .
Thanks for reading!