Considerations on Risk, Control and Performance

Will it make the boat go faster?

2012-03-01T05:05:00.003-08:00

I had a interesting chat with a friend the other day, where he recounted this quote from a world record beating sailor (I forget the name, but it is not critical to the story).

With any new suggestion for additional 'stuff' for his craft (especially technology), he would always respond 'will it make the boat go faster?'.

It got me thinking that to be a leader in a business or even to win anything, we need to very clear in distilling the key elements of success to their very essence. Hence, clearly (although I am hardly even 'competent crew' as my sailing friends will attest) it seems that a leading indicator of success in ocean racing is to have a fast, and consequently light, boat.

It's an interesting thought when you apply to business. I watched the news on TV this morning and listened to Sir Martin Sorrell, CEO of WPP, talk of their record results just announced where they have broken through the 10billion (sterling) revenue barrier, with record EBITDA.

These seemingly random inputs this week got me thinking about received wisdom. The dominant theme in driving efficiency (and thus profit) in big companies is around transformation and standardistion in common processes, a shift to shared services and common, single instance global ERP systems. This has become almost a religion, and I have to say my company is involved in this too. A whole industry has grown up around advising, executing, reviewing and benchmarking this kind of 'finance transformation'.

Back to the sailor. Very interesting to ask with all these initiatives - 'will it make the boat go faster?'

Whilst generally senior executives will answer a resounding 'yes', there is less evidence than we might expect. Certainly there is a high correlation between leading firms and these transformation strategies. But is there a causation, or is it just the trend that all successful firms feel the need to follow?

This brings me round to some of the giants of business today who eschew such standardisation. WPP is a tremendous business and a global leader in its field. Do they standardise? From my friends there I know the answer is 'ONLY IF IT MAKES THE BOAT GO FASTER' . . . Hence, WPP is a powerful network of marketing agencies, not an organizational behemoth with centralised planning, execution and control.

Likewise, BMW, one of the leading global automotive brands and a client of my firm, don't blindly follow the standardisation and centralistion philosophy. They respond to such challenges with the response 'only if it sells more cars' . . .

Now, to be clear, there is standardization and common systems at these organizations, but they rigorously challenge the scope at which standardization and consolidation makes business sense.

There is a lot to be said for individual business unit responsibility and accountability, and obviously there is a question where on the spectrum to make the call.

Food for thought I think. How many other global leaders in their industries take this particular 'road less travelled'?

Thanks for reading . .

Risk, misplaced confidence, early warning systems and health checks

2012-02-03T10:26:00.000-08:00

I am sitting in a 6^th floor office in Manhattan and ruminating between meetings. Over the past couple of years I have talked with numerous finance executives, controllers, risk and control specialists and audit folk on the topic of managing and monitoring risk in the processes that affect the financial statement. With that as input, I have just written a short paper with a Partner at a respected Big 4 firm. The paper will be published shortly, but these thoughts reflect the same theme and thinking.

I know I am not the only one who looks at the continuing eruptions of accounting and fraud scandals in the press, and wonders about the paradox. These organizations have healthy audit reports and a reputable system of internal control. Then one day it comes out that all is not what it seemed. Within months, the reality emerges that things have not been quite as rosy as previously painted. But what do we really learn from these events?

It is easy to dismiss the most egregious accounting failures as the ‘exceptions that prove the rule’ and assume that, in general, assurance over financial results and processes is improving all the time.

It is an interesting facet of the human condition that something that has not been observed for a long time (or at all) is felt to be of low likelihood of occurring in the future (think earthquake, volcanic eruption, disastrous tsunami, collapse in price of AAA rated securities, developed country default, fraud event . . . .)

I believe our confidence in the current approach is misplaced. We have a false sense of security. The current ‘standard’ level of financial assurance is akin to periodically asking the manager of the parking lot that the barrier works and asking to see certificates of regular maintenance.

Andy Grove of Intel famously said ‘only the paranoid survive’. He was referring to a company culture that kept Intel at the top of its game for 25 years. A healthy paranoia in business would be calmed by an effective early warning system. Just as we keep on the lookout for unexpected seismic shifts . . .

At the risk of analogy overload, we know from a health perspective that ‘prevention is better than cure’. We are all comfortable with the fact that the medical profession has moved on from a simple visual observation by a general practitioner for a health check. Medical and technological advances mean that we now rely on blood tests rather than purely outward symptoms on the body. Why is that?

Blood tests give a much more precise ‘early warning system’ of future problems. The blood system carries ‘markers’ of potential dangers earlier (typically months or years) than the evidence of external symptoms. Early identification of these ‘markers’ makes for an effective diagnosis strategy in the fight against disease.

Our interest has been stimulated by this theme as we have identified similar characteristics in the latest approaches for assuring the health of the organization.

Just as the blood system carries markers of potential disease in the body, so information systems of the organization carry data around the business that also act as ‘markers’ of business activity, risk and performance.

Our approach to the assurance of business health needs a similar step-change to what we have enjoyed in personal healthcare over the past 20 years. We are learning and applying these lessons today.

There is growing evidence that our confidence in financial controls is misplaced just as an external checkup of the body can provide a false sense of security.

We need an effective early warning system for risk exposure and performance breakdown. Financial control is about managing risk and, ultimately, reputation.

You can see my talk on this topic at http://bit.ly/AeFMr3

Now, back to business . . .

Thanks for reading!

May we live in interesting times !

2011-12-19T06:56:00.000-08:00

2011 has been a year of both turmoil and progress in the world and in many businesses. It’s certainly been a roller coaster ride!

Ups and Downs . . .
Looking back, January 1st saw Estonia officially adopt the Euro currency and become the seventeenth Eurozone country. But the Euro became a much bigger story during the year and remains so, not just for governments and banks but also for businesses trying to predict and manage how their operations will fare across the region.

We saw euphoria and tragedies of the ‘Arab Spring’ which continued through summer and autumn into winter and there is still a long road ahead there.

Earthquakes, tsunamis, nuclear emergencies, terrorist attacks and flooding became a major part of the 2011 narrative as well as the governmental debt crises for most of the ‘developed’ world.

In the UK, we had both the ignominy of televised riots for the first time in 20 years as well as some light relief and an extra day off work for the wedding of Prince William and Kate Middleton at Westminster Abbey in London.

The United States formally declared an end to the Iraq War and it was reported that the secretive North Korean regime is in a state of uncertainty following the death of the ‘Great Leader’.

The world welcomed its 7 billionth inhabitant this year, fuelling concerns on fresh water, food and energy availability and price.

Isn’t that more than enough for any 12 month period?

Evolutionary shifts?

HP suffered another abrupt change of leadership, to contrast with IBM’s more orderly and un-newsworthy one! For the waning stars, who would have expected a few years ago to be speculating about the future of RIM and the ‘Crackberry’, but they have certainly had an ‘annus horribilis’.

Talking of bad years, after a decade of regulatory tightening to protect investors and employees, MF Global went spectacularly ‘bust’ after making more bad bets than it could handle and it seems somewhere between 600m and 1.2bn dollars has gone ‘missing’! The Accounting and Assurance profession is once again under the spotlight as is ‘risk taking’ without personal risk.

On the more positive business side, Apple once again hit the high spots with its technology across the board, but especially with the voice activated ‘personal assistant’, Siri, that has captured so much of the public imagination. My colleague and co-founder at Consider, Dr Tom Gruber, is the architect of the Siri technology and I can see this changing the landscape for what we see today as both ‘search’ and ‘user interface’ technologies. Sadly, in the same year, we saw the passing of Steve Jobs, but he has left us an amazing legacy! Amazon, of course, continues to amaze with its inexorable domination of online retail and move into cloud services. Mobile applications, social platforms, cloud/SaaS, ‘Big Data’ (analytics & monitoring) and security assurance all look like continuing to increase in interest and applicability.

At Consider we have expanded our operations with new clients in Asia, the US and South America, as well as our home turf of Europe. We continue to work hard to advance the state of the art of continuous exception monitoring for risk & compliance as well as for driving performance improvement. We have made some great strides in this respect and are very grateful to our clients worldwide for their confidence and investment in us.

From the experiences of 2011 it seems that many more governments, institutions and businesses could benefit from a some ‘continuous monitoring’ to avoid nasty shocks and to maintain transparency!

My talk entitled ‘Continuous Assurance – The Next Frontier’ for management and audit was well received at the ISACA NACACS conference in Las Vegas and was also presented at IIA chapters and delivered as a webcast. You can see it at http://www.consider.biz/events/185-ca-the-next-frontier-webcast-0711.html if you want something to intersperse the excesses of the holiday season! I can’t guarantee it won’t drive you to drink, only that I can claim a festive catalyst . . . .

We also delivered an interesting event entitled ‘Finance Transformation – The Next Chapter’ which proved a big draw worldwide, as did our client specific update webcasts and our recent BMW client case study under the ‘GRC Success Stories’ banner.

On the recommendation of a friend, my curiosity was fuelled by an excellent book entitled ‘Genome’ by Matt Ridley. By far the best book of my year, with a light and occasionally humorous touch, exploring the topics of genetics, evolution, disease, population movement, sociology and philosophy (to name a few!) from the perspective of the successes in decoding the human genome. A genuinely fascinating read . . .

Looking forward to 2012

I have made a few New Year resolutions myself, not just the obvious ones relating to driving our continued focus and growth as a business and as a team, but others that have been, in part, stimulated by some of the more thought provoking experiences of this last year;

‘Follow curiosity and intuition’ – I was really captivated by the Steve Jobs’ Harvard Commencement speech, ‘How to live before you die’. Obviously it is made more poignant with his passing, but you can’t fail to think deeply after watching this, especially his final exhortation to ‘stay hungry, stay foolish’ http://www.youtube.com/watch?v=mUlN78N1NN8

In the same vein, I plan to make time to watch at least one TED talk each week, and it can be on any topic. I don’t know if you have come across this great forum of creativity and insight, but the subtitle is ‘Ideas worth Spreading’. The talks cover a wide variety of topics from the technologically innovative to the deeply thought provoking. You can find an example at http://www.ted.com/talks/pattie_maes_demos_the_sixth_sense.html

Use Twitter more - yes, even for business and other topic updates, it is surprisingly useful. I have found it a great way to connect with news, information, opinion and new ideas, directly from individuals without editorial.

Do more yoga. Yes, frightening thought isn’t it? I don’t look like a yogi, but it is a great experience for mind and body, I plan to make it a habit not an occasion.

Let’s see how I get on!

Finally, as we approach the festive season and the New Year, take a look at this very amusing, warm and brief video of Siri at Christmas http://techwhack.com/apple-iphone-4s-santa-claus-760/

Happy Christmas (or ‘Happy Holidays’ if you don’t subscribe to that!).

I wish you all the best for 2012.

Dan

Why CONTROLS Monitoring is not enough . . .

2011-07-18T13:11:00.000-07:00

This picture says it all for me. I could stop here . . . . .

The car park barrier is the 'control' over access and use of the car park. The automatic gate opens only when you swipe your employee badge on the reader and it only lets one car through at a time. This way, it is clear that only authorised people can use the facility and that a record is kept of each visit. The automated control works perfectly and as designed. There is even a regular testing and maintenance cycle!

The tyre tracks tell us whether this control is achieving its desired effect.

Obviously not in this case!

Thats why, irrespective of the debate on where the responsibility lies, it is important to test key controls in business and equally important to check the 'tyre tracks'. The tyre tracks tell us what is actually happening and whether our risks are being effectively mitigated.

The CFO Agenda and Performance, Risk & Compliance - The Next Chapter

2011-07-05T03:21:00.000-07:00

At the end of last year, I read an excellent book by Jeremy Hope entitled 'Reinventing the CFO' (http://www.amazon.co.uk/Reinventing-CFO-Financial-Managers-Transform/dp/1591399459/ref=sr_1_1?s=books&ie=UTF8&qid=1292578362&sr=1-1 ) .

The book challenges some long held assumptions about centralisation, planning, budgetting and forecasting as well as the role of the finance function as real business partner. The chapter headings really encapsulate the focus, but I recommend this book to anyone looking for breakthrough approaches to business as a whole, not just finance. Here are just a few;

The CFO as Freedom Fighter
The CFO as Analyst and Advisor
The CFO as Warrior against Waste
The CFO as Master of Measurement
The CFO as Regulator of Risk
The CFO as Champion of Change

There are two video summaries here also;

Jeremy Hope - Reinventing the CFO (Part 1)

http://www.youtube.com/watch?v=xTzCCYT9tqk

Jeremy Hope - Reinventing the CFO (Part 2)

http://www.youtube.com/watch?v=zx7jx_GgZv0&feature=related

This creates some interesting insights for the financial controls profession. Hackett Group reported that world class Finance functions with effective controls operate with 51% lower costs.

An IBM Global CFO Study reported some interesting conclusions also. Performance and Risk were the top 2 priorities. You can get their report at http://www-935.ibm.com/services/us/gbs/bus/html/gbs-2010cfostudy.html

You can also view a webcast where we developed on these themes with Vagn Hansen, former VP Finance at Shell and David Mitchell, Partner at Kurt Salmon. You can access it at http://www.consider.biz/events/161-finance-transformation-webcast.html

Food for thought . . .

Best Practices in Continuous Controls Monitoring (CCM)

2011-07-01T00:33:00.000-07:00

I just reviewed this webcast again, and it is an excellent case study in increasing visibility and coverage over business risks and automating SOX control testing at Philip Morris International (PMI). 100% coverage, not sample testing. Entirely complementary with a drive to increase and enhance automated controls in SAP.

I was reminded of a story recently and CCM seems a lot like some teenage experiences in many respects.

Everyone is talking about it, not so many are actually doing it and nobody is doing it very well !

Of course, there are some notable exceptions, and PMI is definitely a good one.

This is a great practical case study of making it work in practice. The topic of continuous monitoring has been much discussed over the years, but there are few really good large scale operational examples out there. I have to commend Philip Morris International and their journey and achievements. A very large scale, global consumer goods business, you can hear some of their experiences at

https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=179366&sessionid=1&key=7E47F7A423F54AE0E8AEFC8B269D9AD2&sourcepage=register

The 'End of Days' and 'Test Once - Comply Many'

2011-06-30T02:52:00.000-07:00

Tomorrow sees yet another compliance regime, the UK Bribery Act, come into force. A much debated legislation which remains unclear in parts but reflects and puts even more teeth into the key tenets of the FCPA reglation from the US. Both these regulations have broad arms and dont limit their interest to UK and US companies. Even China is on the anti-corruption bandwagon with their own legislation recently announced.

Most organisations have a plethora of compliance topics to concern themselves with, and often multiple compliance teams. The challenge is to focus on ASSURANCE rather than just CONTROL. There is often a tendency to focus on implementing additional control mechanisms that allow management to feel that their 'compliance' obligations are despatched. While some of these are important, whatever controls we implement do not always leave us with the assurance we would like to have over business operations. And as they say, ignorance is not an excuse in these matters.

There is little doubt that best practice is now to focus on the set of key risks that the organisation faces and certainly map them to the compliance areas, but focus on risk management as a business tool, and don't fall into a checkbox 'compliance regime'.

We have a choice, see this as another cost of legislation and bureaucracy or use it as an opportunity to enhance risk management in the business to drive enhanced performance.

To paraphrase a great observation (was it Henry Ford?) 'whether you think of this as cost or value, you are probably right!'.

To maximise the value to the organisation, think of risk identification, assessment and monitoring as well as control testing with a model of 'TEST ONCE, COMPLY MANY'. As well as reducing the burden of compliance, it helps focus on key risks.

Of course, you will have done your risk assessment already on UK Bribery Act and FCPA, right?

You will have identified the risks as they relate to your business operations and geographic spread, your markets and channels and your product groups. You also want to think about how performance measures and reward systems may cause some unanticipated consequences in this area. Where are the conflicts of interest?

You will be developing enhanced policies and standards of operation that focus on the sales and marketing end of your business and the whistle-blowing channels you provide. You will be communicating and reinforcing this at every level on regular basis, even for new hires and your channels to market. You may even have a self certification program that every employee undertakes that they comply to policy and have been trained.

These programs and supporting systems can be expensive and time consuming to implement. The key balance to draw is for an appropriate mix of control and alert processes with assurance processes. If you can be confident that relevant management will be alerted to any potentially inappropriate payments or gifts making their way through your sales channel, then you reduce the dependence on relying on individuals 'blowing the whistle' on colleagues.

The ability to combine the well publicised education, self certification and reporting processes with the automated monitoring of potentially inappropriate or suspicious activities in sales, accounting, purchasing and payments systems is now well proven. The reality is that we need to have a healthy scepticism of the claims of controls and systems to PREVENT inappropriate activities. They can help, but only so far. We need to combine a healthy balance of prevention and DETECTION.

The processes exist, the tools exist and the expertise exists.

This balanced approach reduces the cost of compliance and, even more importantly, drives greater assurance and visibility for management.

But remember! Anti-bribery and corruption is just one stream of compliance - 'Test Once - Comply Many' is an effective mantra for driving down the cost of control and compliance AND enhancing risk assurance.

Tomorrow is a new day!

Good luck on your journey . . . .

Internal Audit and a Changing World

2011-06-17T04:36:00.000-07:00

I always read the annual CEO, CFO, CAE, CIO reports from the Big 4 firms. They usually arrive in the first quarter of the year and are based on interviews carried out up to a year before. As a result, they are not usually as topical as they claim. But it is always interesting to compare these macro surveys and opinion pieces with your own direct experience. You typically see obvious areas of convergence and a few divergent ones. If the two perspectives are too far out, I tend to rely on personal experience and interactions with clients and business partners.

However, I read this year’s PWC report entitled ‘2011 – State of the internal audit profession study’. You can access it here

It is an interesting report with a subtitle of ‘scripting internal audit for a changed world’.

The authors refer to the impact on internal audit of the big 3 CEO drivers;

· Risk management

· Crisis prevention

· Cost efficiencies (doing more with less)

My personal experience in this post recession world is that CEOs care about those three issues, but are back to a primary focus on top line growth !

The big challenges for the Head of Internal Audit, VP Risk & Assurance, CAE (choose your title!) are reported as;

· Growth and acquisition

· Increasing regulation

· Emerging technologies

I can definitely identify with these! My own experience in the last 9 months has led me to Asia for two new client engagements with 3 more developing in China itself. In addition to these, I am having an increasingly common discussion with both Finance and Internal Audit departments about the impact of growth strategies in the developing economies (developing? These economies are putting the traditional markets in the shade!). Finance and Internal Audit/Assurance leaders are trying to come to terms with newly acquired or rapidly growing units in regions where they have little management insight into operations. Asia and Latin America particularly can be a challenge for an Internal Audit department largely located in Europe or North America. ‘How do we get good visibility and comfort on risk and control in these areas’ is the common discussion.

The regulation topic has seen a resurgence in the last year or so. The FCPA regulation out of the US was a bit of a slow burner to start with, but the number of investigations and settlements in 2010 (and continuing into 2011) tell the story that organisations are still not really prepared. To add insult to injury, we now have the UK Bribery Act coming into force in July, which in many ways has even more teeth than FCPA. And if you are not based in the UK, don’t relax. Just like FCPA, this one has long arms!! Even China has announced their own provisions.

The big topic in anti-corruption compliance is not just about awareness, knowledge and preparedness but a frustration with costly, time consuming and seemingly bureaucratic compliance programs (or programmes if you are in the UK!). There has to be a better way to focus on the real risks rather than simply implement a ‘check box culture’ of training, self certification, reporting and whistle blowing. After all, these anti corruption regulations make it clear that ignorance is no excuse, so a mass of documented ‘procedure’ isn’t really a recipe for a good night’s sleep for the CEO and CFO. My team at Consider Solutions has done some excellent work in this area, but I am obliged not to allow this to go to their heads! My personal observation is that the dominant issue for business is now REPUTATION and mis-steps over preparedness for regulation are just one (very effective) way of exposing it’s fragility.

The PWC report states that some 70% of CEOs surveyed in a sister report are investing in technology to reduce costs and become more efficient, while 54% are investing in IT to enable growth through such initiatives such as mobility, social media and data analytics. The impact of emerging technologies could perhaps be better characterised by the term ‘changing behaviours’. Yes, the myriad of new devices, the ‘consumer-isation’ of technology, the march of social media, the dramatic shift brought about by the iPad (and other tablets) and the emergence of ‘cloud computing’ as both a ‘buzzword bonanza’ (SaaS, IaaS, PaaS, perhaps to some of you it’s even all just ‘aaS’) and a growing deployment model for systems that support our business processes, are all great technology shifts.

But the most interesting element of them all is the change in attitudes and behaviours that accompany them. Just a few years ago, that fancy new smartphone you bought was ‘banned’ in the workplace, and you had specific devices ‘blessed’ by IT which you could use. The tsunami of devices which are just so easy to use is leading more and more firms to implement a BYOD policy ( a bit like ‘Bring your own bottle’ at a party but in this case you don’t end up with the dodgy Merlot from North Dakota). In a flashback to timesharing and outsourced hosting, the shift to cloud computing and the business friendly SaaS model is encouraging managers with revenue and growth targets to bypass conventional IT project cycles for the promise of immediate gratification in the cloud. These trends are accelerating the shift of the CIO from ‘guardian of the technology and data’ to a business service provider. All this poses massive challenges for those task with risk assurance.

At the more prosaic end of the technology spectrum, the report comments that ERP upgrades and implementations remain a key risk area for internal audit professionals, due to their complexity, the nature of financial processes they support and the continued separation between the business process specialists who define WHAT is needed and the IT specialists who define the HOW. There is an ocean of assumption between these two worlds and the report questions whether there should be more focus on ensuring the implemented processes and control environment genuinely refelect the performance needs and risks of the business. This is a major area of focus for a stream of our work.

The PWC report also touches on the CAE response. How does internal audit react? The report addresses skills, communication and relationship building and engaging internal and external partners. But I sense an even bigger shift. The dangers inherent in the classic demarcation of business, process and IT risk and control are becoming starkly clear.

Just as in lines of business, in finance, procurement, sales and marketing, internal audit needs to develop new hybrid professionals who have a passion and thirst for knowledge in business strategy and execution, the relationships between processes and systems, vision for technology and an understanding of its application. They need to be as comfortable considering the social media impact of a business initiative as they are in assessing the risk and performance impact of business processes. The new hybrid will find it much easier to ‘earn their seat at the table’ across the organisation as they demonstrate the real value they can offer to both operations and assurance. The new hybrid will be better able to balance focus between risk and compliance assurance and recommendations to improve the efficiency and effectiveness of processes and controls. 66% of those surveyed by PWC reported that specialised technology expertise is a key requirement. The essence, however, is balance. Long live the new hybrid !

We have a lot of work to do in this changing business world. How do we compare to our peers, to our business realities and to our expectations for the next few years? It’s time to perform. . .

Lights, camera, action . . . .

Risk and Performance, Transformation & Continuous Improvement

2011-03-30T09:27:00.000-07:00

Following on from our earlier discussions on Finance Transformation, process change and continuous improvement, I coincidentally hit on three very interesting and relevent items in my mailbox.

In the first mail that caught my eye, Gartner Group, the well regarded technology analysts, had just released a report entitled 'Developing Key Risk Indicators: Developing Causal Chains to Link Risk to Business Outcomes'. I was intrigued by this line of thought, in no small part because it reflects my own experience and thinking, as well as some of the insights in our webcast I described in my previous post. I believe there is a lot of valuable thinking and action that will come from a better appreciation that risk and performance are two sides of the same coin, not different topics to be managed by different organisational units with different performance measures!

Some of Gartner's key observations are;

Good risk management informs better business decision making
The relationship between risk management and corporate performance should be conceptually and intellectually obvious!
'Causal Chains' are useful tools to map risk to performance impact (very similar to the description of defect monitoring and the impact on management decisions to optimise performance, from the webcast)
Linking KRIs to KPIs is A GOOD THING

The Gartner report is available at http://response.approva.net/forms/GartnerDevelopingKRIs2011?elq=c83748b0d49e41a1aa64dcd4c2a29b71

I also received a link (thank you Hans!) to a YouTube recording of a great, and funny, presentation from 1994 by Dr Russell Ackoff, who I believe was a peer of the 'Total Quality' guru Dr W. Edwards Deming. The talk is dated, yes, but many of his points are well worth listening to and thinking about. Large scale processes as a 'system' in the biological sense is a powerful metaphor and helps address some of the issues of the 'Law of Un-intended Consequences' that we spent some time on during the webcast. There is one point I probably disagree with, but I will leave you to guess that one! The talk is entitled ' Beyond Continuous Improvement' and can be found at http://www.systemswiki.org/index.php?title=Beyond_Continuous_Improvement_with_Russell_Ackoff

Finally, in this stream of consciousness, I read a brief article by Linda Tucci entitled ' Disruptive Innovation vs Performance Improvement'. This article led on a historical review of a 1970's technology leader and the start of their fall from grace. Again, there are a lot of parallels here for whtat we are trying to achieve in the business world today. Food for thought, for sure. Linda's article is at http://searchcio.techtarget.com/news/2240033844/The-CIOs-dilemma-Disruptive-innovation-vs-performance-improvement?asrc=EM_NLN_13565182&track=NL-964&ad=822905

If you want to work out the particular lens I was observing these issues through, you could do worse than view the recording at http://www.consider.biz/events/161-finance-transformation-webcast.html

Talk again soon

Best Regards

Dan

Finance Transformation: The Next Chapter

2011-03-22T07:47:00.000-07:00

I have just finished an interesting discussion with Vagn Hansen, former VP FInance, Finance Operations at Shell and David Mitchell, Partner - Finance & Performance Management at Kurt Salmon.

The discussion and presentation were an exploration of our respective and collective experiences in large scale change, especially that Finance variety typically referred to as 'transformation'. Some key insights came out of the discussion.

There is some great best practice out there, stimulated and benchmarked in a large part by the work of such organisations as the Hackett Group.

The key benchmarks of World Class Performance are detailed below or can be summarised as finance moving from 'counting the beans' to becoming a true business partner;

Finance is looking to achieve substantial reductions in costs related to revenues from nearly 2% a few years ago, to 1% today and an aspiration of 0.5% in the future.
No compromise - Effective AND efficient
Shared services delivery model
Enhanced decision support for management
Improving overall operating results

We discussed some of the key insights we have observed and developed;

Change & Transformation Insights

Change is a Process not a Project
The Law of Un-intended Consequeneces is alive and well with regard to performance measures
An effective and detailed 'Operating Standard' is critical

Performance & Control Insights

Standardisation & Simplification CREATE complexity - It is not a bad thing, but it is reality.
The Systems Myth - The process is NOT the system - This can blind us to a lot of real issues
Performance measures alone do not drive effective management action

In benchmarking studies, much is made of the role of 'Decision Support'. This term has been used to describe various reporting and business intelligence tools as well as the role of analytical finance teams. One of the key insights has been that to provide effective support for actionable management decisions, we need to both DEFINE and MONITOR a detailed operating standard for the business processes. This operating standard includes the classic components such as process definitions, taxonomy, performance measures, organisational elements etc. The key to the new insight is the need to have process defects defined and monitored. It is only through exposing and analysing exceptions to our expected processes and operating standards can we aggregate the issues into root causes and take effective management action to accelerate the journey to the target model and operating performance.

You can link to a recording of the discussion, presentation and insights at http://www.consider.biz/events/161-finance-transformation-webcast.html

There is also a survey we would like you to participate in. You will get access to this after the session. We will share the survey results with all participants to help develop a shared view of common practice and best practice.

Best Regards

Dan

Business Performance at a macro level – The Economic Wonder that is Germany

2011-03-18T11:49:00.000-07:00

In the last three weeks I attended two very different networking events. The first, European Technology Forum aka ‘Snowball’ in Gstaad and the second, the Deutsche Bank Business Leaders event with Dr Josef Ackermann in London.

‘Snowball’ is very relaxed affair in the mountains with some 52 entrepreneurs, business owners and investors from around the world. Some great people, sharp minds (during the day, anyway!), fascinating experiences and some genuinely thought provoking content sessions and discussions intermingled with some skiing and dining. As an aside, there was talk about renaming the event as the World Technology Forum to better align with the geographic spread of the attendees. There was some consternation however at the requisite acronym which would be WTF!

The Josef Ackermann event was a more sober forum in Deutsche Bank’s beautiful London Wall offices. About 80 people listened to an interview and open Q&A session with the Deutsche Bank CEO. He was fascinating, sharp, thoughtful, precise as well as humble and light. That’s not a combination of adjectives commonly used to describe many people in his position. He covered a wide range of topics from the Euro, the UK and US economies and regulatory environments, the people’s uprisings and political unrest in the North Africa and the Middle East, the Banking crisis and increased regulations and proposed levies, the role of a CEO, China and India to the worrying world food and water shortages that pose a serious risk to societal and economic development. Not bad for an hour!

He had a genuinely impressive global outlook. There was an interesting discussion referring to the European and North American habits of extolling the virtues of ‘developing economies’ and the harnessing the talent there and then implanting leaders from the headquarters country in these operations. Dr Ackermann commented that when he took over as DB CEO, most DB Asian operations were led by a German national. Justifiably proudly, he claims that now all the leaders of these operations bar one, are the local talent.

He made some quite amusing quips including the comment that on his recent trip to Delhi he could get mobile/cell phone signal at all times and a clear reception for calls to anywhere in the world, a feat that is still somewhat challenging in the centre of Manhattan!

I was fascinated by the discussion on why Germany is doing so uniquely well post recession. German industrial output has been storming along for the past 18 months. This topic came up in answer to a question from Tony who was sitting next to me. Josef Ackermann gave a thoughtful view of why Germany has done so well. In summary (I didn’t take notes but this is my recall), he gave six reasons for Germany’s strong recovery from the recession;

· The unions, government and management have learned to work together harmoniously and this relationship seems to balance the economy from extreme shifts. I suspect also that job cuts in Germany were less severe than in some countries, enabling quicker response and upswing as the economic headwinds turned.

· There is a very strong segment of family owned businesses, the Mittelstand, where management and owners take a long term view and run very tight businesses. Some of these businesses, although small by some standards, have apparently secured a 60-80% global market share in their specific niche. No mean feat!

· The new younger generation of German entrepreneurs and business people are much more bottom-line focused rather than purely growth or market share driven.

· German industrial firms have invested for decades in building strong operations and distribution networks around the world. Some of these were the first into China for example. This creates strong brand awareness and builds demand.

· The weak Euro has done marvels for Germany’s exports. The irony is that while debates on the future of the Euro continue on the back the woes of the PIGS countries, Germany would be in a much weaker position if it were running an economy on the Deutschmark – which would be so strong as to damage exports!

That’s only 5 reasons, I can’t remember the 6^th but thinking back to the European Technology Forum, there wasn’t a single German national still living in Germany that attended this event in Gstaad! They were all probably busy building their businesses and contributing to that economic miracle, rather than talking about it. Perhaps that’s the 6^th reason – genuine hard work!

Thoughts on 2010

2010-12-20T08:04:00.000-08:00

It is the time of year for a bit of reflection . . . .

I have had a lot of interesting (and some amusing) discussions and experiences this year, related to the topic(s) of performance, risk and compliance. I thought I would share them here in no particular order;

1) Risk - Are we getting the right balance?
2) The CFO Agenda and relationship to Performance, Risk & Compliance
3) The 'GRC' term, eGRC, CCM et al - what is the difference?
4) Evolution of Continuous Controls Monitoring and some great case studies of making it work in practice.
5) Anti-Corruption and FCPA - keeps coming up!
6) Segregation of Duties - Evolution of SoD and my dentist . . .
7) Preventive vs Detective controls - what is the right balance?
8) Independence of control testing, prevention and detection - independent or ERP embedded?
9) Making my guitar - performance, risk and compliance in practice?
10) What does 2011 hold in store?

1) Risk - Are we getting the right balance? There is a lot of talk and discussion on risk, risk management and ERM these days. We talk about risk mitigation, risk reduction, risk avoidance etc. But risk in business is a good thing. In fact, business would not exist without risk. There would be no markets and no innovation. There is no performance without risk. There is a lovely thought provoking short article on this at; http://www.managementtoday.co.uk/features/1042678/Dont-believe-it-Risk-bad-thing/

2) The CFO Agenda and relationship to Performance, Risk & Compliance. I am reading an excellent book by Jeremy Hope entitled 'Reinventing the CFO' (http://www.amazon.co.uk/Reinventing-CFO-Financial-Managers-Transform/dp/1591399459/ref=sr_1_1?s=books&ie=UTF8&qid=1292578362&sr=1-1 ) . The book challenges some long held assumptions about centralisation, planning, budgetting and forecasting as well as the role of the finance function as real business partner. The chapter headings really encapsulate the focus, but I recommend this book to anyone looking for breakthrough approaches to business as a whole, not just finance. Here are just a few;

The CFO as Freedom Fighter
The CFO as Analyst and Advisor
The CFO as Warrior against Waste
The CFO as Master of Measurement
The CFO as Regulator of Risk
The CFO as Champion of Change

There are two video summaries here also;

Jeremy Hope - Reinventing the CFO (Part 1)

http://www.youtube.com/watch?v=xTzCCYT9tqk

Jeremy Hope - Reinventing the CFO (Part 2)

http://www.youtube.com/watch?v=zx7jx_GgZv0&feature=related

Performance and Risk are two sides of the same coin. In the world of Continuous Monitoring, we continue to see that 'Key Risk Indicators' (KRIs) are just another perspective on 'Key Performance Indicators' (KPIs). It is all about managing business exceptions. This creates some interesting insights for the financial controls profession. Hackett Group reported that world class Finance functions with effective controls operate with 51% lower costs. This years IBM Global CFO Study reported some interesting conclusions also. Performance and Risk were the top 2 priorities. You can get their report at http://www-935.ibm.com/services/us/gbs/bus/html/gbs-2010cfostudy.html

3) The 'GRC' term, eGRC, CCM et al - what is the difference? Rightly or wrongly, the 'GRC' term relates to technology in most peoples minds. Whilst organisations like OCEG are trying to define a broad based definition, perhaps too broad, I am constantly meeting organisations who tell me they want to 'do GRC'. When probing into this comment, the initiatives they are considering usually fall into two camps; either risk and control frameworks or Segregation of Duties (SoD) for ERP applications. I guess this is largely because the tools that use the "GRC' label in their naming focus heavily on these topics. GRC is a small label for a BIG area, but I see common confusion in the areas of 'eGRC' and 'CCM'. Gartner Group have produced some good definitions and market analyses for these domains, but in summary my view is as follows;

'eGRC' tools (the 'e' refers to 'Enterprise' apparently) are those that enable the documentation and publication of a risk and controls framework, allow the capture of working papers etc and, importantly, record and track the results of testing key controls, often based on a manual, sample based testing approach. Quite often these capabilities are provided by intranet applications such as provided by Microsoft Sharepoint.
Entirely complementary with 'eGRC' is CCM, or Continuous Controls Monitoring. CCM perhaps should be called just CM, as in the 'Continuous Monitoring' of Risks, Controls and Performance, or 'CA' when applied to the narrower 'Continuous Audit' perspective. The focus of CCM is the COMPLETE, CONSISTENT, CONTINUOUS monitoring of systems and processes, and is a major step forward in management assurance and exception reporting from traditional sample based approaches. The results from CCM technologies can be presented in the 'eGRC' tools through standard interfaces, although often summarised. CCM typically stimulates some change to the way risks and controls are viewed by management, as it contributes to 'management by fact' rather than 'management by opinion'.

Typically 25% of risks / controls cannot be fully automatically monitored using CCM because they are typically entity level controls such as policies, policy conformance, evidence of education, delegation of authority etc. Whilst there is often the ablity to monitor system data for evidence of such policy implementation (eg training records), typically some form of management assurance is required as well. Of the 75% of controls that can be automatically monitored, these usually span multiple systems and processes.

In summary, the scope of 'eGRC' is typically broader than CCM but penetration into processes and controls is shallow, whereas CCM is narrower (typically 75% as above) but much deeper, monitoring detailed exceptions to real business processes.

4) Evolution of Continuous Controls Monitoring and some great case studies of making it work in practice. The topic of continuous monitoring has been much discussed over the years, but there are few really good large scale examples out there. I have to commend Philip Morris International and their journey and achievements. A very large scale, global consumer goods business, you can hear some of their experiences at

https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=179366&sessionid=1&key=7E47F7A423F54AE0E8AEFC8B269D9AD2&sourcepage=register

There is also a good webcast on 'Transforming Financial Control Practices using CCM' which is worth a watch while you are recovering from the holiday period. http://event.on24.com/eventRegistration/EventLobbyServlet?target=lobby.jsp&eventid=244800&sessionid=1&key=BAC93AA5F28EC38A62F8523FB0C934EC&eventuserid=41377509

5) Anti-Corruption and FCPA - this keeps coming up! After many years in force, FCPA investigations and judgements just keep coming. Despite FCPA being a US regulation, it reaches far beyond the US as a growing number of European multinationals can attest. To make matters worse, other jurisdictions such as the UK are introducing their own anti-bribery legislation which is perceived by many to be even more draconian. There is an interesting philosophical issue as to whether it is reasonable for western cultures to assert their code of ethics onto others, but thats a separate discussion! There are some good recommendations for helping develop an 'anti-bribery' and 'anti-corruption' culture, but ultimately ignorance is no defence. Continuous Monitoring of Purchasing to Payment, especially for one-off 'services' is a key weapon in the defence against investigation. Even a rumour of an FCPA investigation can cause a stock price drop of 5%.

6) Segregation of Duties - Evolution of SoD and my dentist . . . Yes, an odd thought, I know. We all understand the concept of conflict of interest where money or items of value are concerned. This concept is well embedded in principles of accounting and associated controls under the term 'Segregation of Duties'. Good corporate governance practice is to ensure that 'four eyes' are needed on any activities where there is a risk of fraud, significant error or waste (fraud, of course, always gets top billing in the press!). I was a little concerned recently, while visiting the dentist, to be advised that the treatment I needed involved 3 or 4 visits to the same dentist, some very expensive filling material (gold) and various other procedures. As I sat there uncomfortably with dentists tools in my mouth, I considered this a major 'SoD' issue. I want to have the right treatment, but wouldn't it be better to have the diagnosis and proposed treatment plan conducted by someone who didn't have a financial interest in performing the treatment? I have no idea whether I am being quoted a fair price, but it seems very high. My colleagues suggest I take a trip to one of the very good dentists in Hungary. Whilst Budapest is a beautiful city, I can't really afford the time. I guess I have to perform my own mitigating control and validate the proposed treatment plan. Of course, I have to pay for that too!

All of this brings me nicely to the issue of mitigating or compensating controls. SoD programmes in business (rather than dentistry!) are now realising that there are always unresolvable SoD issues in business and systems. The requirement here is to have a compensating control, where a third party (usually the manager or process owner) reviews the specific situations to establish that there has been no funny business. Of course, most organisations suggest that a report will be run monthly so that the relevant manager can review and confirm appropriateness of the activity. The reality is these reports often don't get run, they are run too late after the event to be useful or frankly just get signed off after a cursory glance, because we are all too busy. The problem is that after clearing the expensive audit issues associated with the original SoD findings, the next audit issue is compensating controls, and we are back to square one!

Keeping compensating controls to a minimum by ensuring that the functional leader owns them is a good start. The other part of the solution is to have automated compensating controls, provided through continuous monitoring so that every time, for instance special pricing for a customer is set by the same person that approves the sales order for that customer, a specific alert is sent to the responsible manager. The manager doesn't have to review a substantial report at the end of the month. Instead, they get specific information by exception and their approval is auditable.

I just need to work out this process for my dentist!

7) Preventive vs Detective controls - what is the right balance?

What is wrong with this picture?

This is a lovely illustration of risk and control, where the difference is only visible with monitoring technology (snow in this case!).

The entrance to the car park facility in this photograph has a state of the art control system, an automatic gate that opens only when you swipe your employee badge on the reader and only lets one car through at a time. This way, it is clear that only authorised people can use the facility and that a record is kept of each visit. The automated control works perfectly and as designed. However, the tyre tracks in the snow illustrate how people get round the control, and that the real risk isn't fully addressed. This is a great analogy for controls monitoring and the role of the preventive control (the automated barrier) and the detective control (snow and a sharp pair of eyes, in this case).

Automated, embedded configuration controls in systems such as ERP are very important and should be used to an appropriate level for the business. But every preventive control has 'workarounds' and, because they are complex, are not always set where management think they are. The effective combination for management assurance and efficient exception management in the business is to use the configured preventive controls in ERP to support the process as far as possible (recognising geographic differences in process, policy and culture). It is impossible to run a business on purely preventive controls. Business is about exceptions and if no exceptions are allowed the business grinds to a halt or the systems are by-passed. To complement the appropriate preventive controls, effective detective monitoring should be applied to key risk areas and key performance areas. Detective monitoring, as in Continuous Controls Monitoring (CCM), should monitor the ERP configuration controls themselves (are they set where we think they are, for all vendors/materials etc, have they been changed?). Detective monitoring should also alert to Segregation of Duties issues, as well as core static data (Master Data) and transactions that fall outside expected norms.
This highlights exceptions to expected business practice, whether in areas of risk, fraud, waste, error, performance deviation or even process transformation/harmonisation exceptions. This is powerful decision support information for management.

Gartner Group produced an excellent report and 'Magic Quadrant' on CCM which you can access at http://www.gartner.com/technology/media-products/reprints/approva/article3/article3.html

8) Independence of control testing, prevention and detection - independent or ERP embedded? Another interesting topic of discussion this year. As organisations attempt to standardise and simplify onto a common set of processes supported by a common ERP system, there is often the question 'should I use independent controls monitoring solutions or ones that are embedded into the ERP platform?'. The answer to this relates a little to the previous point about preventive and detective controls. It is clear that wherever possible, preventive process controls should be implemented in the appropriate business process in the ERP system using configuration settings/tools in that system. But we must accept the practical limitations in such controls!

Detective monitoring, however, is a different animal. There two reasons to take a different approach to this;

Complexity - setting configuration settings in ERP systems is a technical job and is subtly complex. I regularly meet companies who believe they have the simple 3-way match (PO, GR. IR) implemented in their processes and systems. Following some detective monitoring, it becomes apparent that these controls were only implemented for 20% of vendors! The challenge is that this is a business control and needs to be monitored by the responsible business function. It is not, nor should it be, an IT responsibility.
Independence or 'Four-Eyes' principle - the principles of accounting and control have long espoused 'checks and balances' since the invention of double-entry book-keeping in the 15th century (http://www.canhamrogers.com/HDEB.htm) . The idea of independent checking has a lot going for it, both by using an alternative route to confirm accuracy and to separate the duties of 'control implementor' and 'controls tester'.

Every organisation needs to make their own judgement, but keeping controls monitoring independent from the applications under scrutiny proves valuable in practice.

9) Making my guitar - performance, risk and compliance in practice? I spent 3 weeks in the summer building a guitar from two blocks of mahogany wood on a beautiful Mediterranean island. I learned some interesting things about myself as well as guitars. Primarily, despite believing 'I am not good at wood-working', I found that if you really want the outcome, you tend to focus on the process. It worked!

Performance, Risk & Compliance? OK - this is a bit of fun, but I had 21 days in the guitar workshop with the professor. There was no extra time - I had to be back at work! That focussed the mind. Long days . . . . Efficient performance required regular control checks to ensure I was on track. Risk - Every day that went by raised the potential impact of any mistake significantly. In fact, Day 10 was the 'point of no return' where any serious mistake would have left me with no chance of completing the guitar in the available time period. We became more and more focussed on quality of workmanship to mitigate the risk of disaster. Another student had the misfortune to suffer an 'exploding guitar', which was a lesson to us all. Compliance - There are some basic laws of nature that apply to musical instruments, strings, resonance and electromagnetics. You can't make it up. If you are 'non-compliant' you end up not with a guitar, but a lifeless lump of wood . . .

Some of the struggles and fun of this experience can be found at http://guitarra-adventura.blogspot.com/2010/08/day-1.html

10) What does 2011 hold in store? Despite the dire economic conditions of 2008-2009, 2010 has definitely turned the corner. Obviously, different countries and economies are faring to different degrees. Here are a few things I think we will see in 2011;

The US, European and so called 'Emerging Markets' (they seem prety well 'emerged' already!) are progressing at different paces and in different ways. It will be an interesting couple of years
Risk and compliance issues will remain important for organisations and is growing in some markets.
There will be a growing acceptance of the synchronicity of business performance and risk. Two sides of the same coin.
Rate of adoption of Continuous Monitoring will continue to accelerate, both stimulated by FCPA and other compliance and audit issues as well as driven by Finance Transformation and harmonisation initiatives
Sadly, IT organisations will continue to be left with the 'controls issue' in some organisations, although it is not their responsibility or expertise. We will continue to help these organisations drive better dialogue and education between all stakeholders. For the organisations where that exists already, we have an even better foundation to drive improved business performance, optimised risk and effective and efficient compliance.

If you have read this far, you need a break!

Happy Christmas and all the best for 2011

Dan

Governance, Risk & Compliance (GRC) . . . . hmmm

2010-11-23T05:30:00.000-08:00

Semantic debate can be intellectual fun but rarely drives a satisfactory outcome or enhanced business performance (in my experience).

Being involved in a lot of activities related to an area often referred to as 'Governance, Risk and Compliance' or simply 'GRC', I continue to be puzzled by the phrase itself as well as the multitude of meanings it seems to project. Is it a business management ethos, the essence of how to run a business, a class of business software, a fancy term for the management of business risk and internal controls or what?

The independent OCEG body has both tried to define the ‘GRC’ term and even published a ‘Red Book’ on GRC capability maturity at http://www.oceg.org/view/RB2Project

Compliance Week has gone a stage further and produced a series of illustrations at http://www.complianceweek.com/Page/345/grc-illustrated-series (now we KNOW the management consultants are at work!). If a picture tells a thousand words, then these six (or is it 24?) illustrations indicate how this ‘GRC’ concept has become complex, ambiguous, shape-shifting and quite a significant commercial machine for a whole ecosystem of consultants, software vendors, advisors etc. Industry analysts report that the ‘GRC market’ is already huge at 33.5 billion USD (yes that’s BILLION) in 2009 - 11 billion for technology, 9.3 billion for services, and 13 billion for internal effort. I hope all that investment is driving the economic and social output of the organisations spending the money. I suspect half of it wasted along the lines of the famous comment about advertising (I can’t remember the source but it has been attributed to every marketing guru in the last 100 years!)

But I still don’t know what it means – Seriously! You ask 10 different people and you get 15 different answers. I am often asked to help a company that wants to ‘do a GRC project’. The hardest part is working out what they are trying to achieve. It often emerges that a ‘GRC project’ is a pseudonym for implementing an improved access control process for ERP systems. Even then, it is not always clear what (business) problem is the target of this new found affection . . .

Counter-intuitively, it’s easier to address this amorphous entity of ‘GRC’ from right to left (which may be easier if Arabic is your script of choice!). But despite reading and discussing the debates around the phrase (see this debate for example Debate on 'GRC' ), I am left with the uneasy feeling that the term confuses more than it helps . . . .

The 'Compliance' bit is fairly easy to comprehend, even if you extend from the generally accepted implication of adherence and assurance to external rules and regulations to a broader definition of all rules and policies that encompass 'the way we want to operate' . . .

The 'Risk' bit starts easy then gives you a bit of a headache when you move outwards from identified business risks and how to assess and mitigate them. When you start to consider all of the risks that you may not even have thought of as a business you start to wonder if the process actually helps or hinders business progress. As the famous Peter Drucker simplified perfectly, 'There is the risk you cannot afford to take, and there is the risk you cannot afford not to take.' . Risk is in essence the entrepreneurial activity at the basis of all business. Risks are taken for economic and, hopefully, society's advantage. When 'risk' becomes such a substantial and all-encompassing concept, we move into philosophical ground well beyond the comfort of most businesses as they try to define and allocate components of the business to be managed.

Oh! You thought that was bad? Governance? My head hurts. Governance in an organisational context, to me anyway, is the essence of stewardship relating to decisions that define expectations and authority and validate performance. This is usually what we refer to as a key element of the process of management or leadership (Ouch! Another debate lies there . . .). Governance is a big word . . .

So this is why I worry about software vendors, consultants, auditors, IT specialists and management gurus constantly referring to 'GRC' as if it is a neat new set of concepts to support business management.

There is nothing new in the concept.

At a detailed level, it covers too broad a territory to have a meaningful (and time-limited) conversation!

I respect these great folks who are labouring for common definitions and standards and XML thingummyjigs, but in essence I think we need to get back to first principles in any business.

To my simple brain there are two things in the domain that this 'GRC' term touches on

1) Business Performance - how to make the organisation as effective and efficient as reasonably possible and be able to measure and assure the levels achieved

2) Risk - how to reasonably identify, measure where possible and optimise risk in business, insofar as it makes economic sense. Whether the risk is compliance risk or internally identified risk, doesn’t make a lot of difference in the big picture, except in the level of fines and interruption you can expect if established rules are broken.

Which brings me to 'controls'. Internal controls for finance or operations, are the tools we use to manage risk and streamline operational performance. In fact controls have two sides of their coin, the performance perspective and the risk perspective. I believe this is where the interesting and value-creating activity should be focussed.

Large organisations are striving to achieve step change improvements in performance AND risk management. Let’s focus on these issues and leave the semantic debates for later years when we have the time with our feet up in front of the fire . . . . .

However, I did reach a significant birthday this last weekend, so that day may be sooner than I thought!

Dan