Assuring the organisational cardio-vascular system, insights for the CFO and the Audit Committee
Today’s standard practice in business assurance is focused on symptoms of problems, followed by diagnosis and cure. This approach has significant risks in itself. If you consider the human body, we have learned in recent decades that for many illnesses there are markers in the blood system long before a medical problem exhibits symptoms. In the same way, long before symptoms are apparent in the organization, there are markers in the information systems and processes of the business.
Jürgen Müller, Partner – PwC & Dan French, CEO – Consider Solutions
The human body as an analogue for the organisation
Whilst analogies can be dangerous, they also help us to understand complexity and challenge the status quo. It is often observed that the head can represent strategy, planning and leadership, and the limbs the primary interaction with the world of markets, customers and suppliers. If the torso is the ‘operational centre’, then the cardio-vascular system of the heart, arteries and blood that pump oxygen around the body can represent the digitized information flows in our systems and data that are critical to running the business. The part of the analogy that really stands out is the role of the blood in disease identification and prevention. In today’s world, we are all comfortable with the fact that the medical profession has moved on from a simple visit to a general practitioner for a health check. Medical and technological advances mean that we rely far more on blood tests than purely on outward symptoms on the body. Why is that? Blood tests give a much more precise ‘early warning system’ of future problems. The blood system carries ‘markers’ of potential dangers earlier, often by months or years, than the evidence of external symptoms. Early identification of these ‘markers’ makes for an effective diagnosis strategy in the fight against disease in today’s society and contributes to our ever-extending lifespan. Our interest has been stimulated by this theme as we have identified similar characteristics in the latest approaches for assuring the health of the organization. Just as the blood system carries markers of potential disease in the body, so the information systems of the organization carry data around the business that also act as ‘markers’ of business activity, risk and performance. Our approach to the assurance of business health needs a step-change similar to the one we have enjoyed in personal healthcare over the past 20 years. We are learning and applying these lessons today.
Today’s typical model of process, risk and performance assurance
Financial control and audit activities in today’s business world are focused on detection of malfunctions and problems in organizational units or business-wide processes. In most cases an audit report or a control assessment is answering questions about the past based on selective, sample-based assessments. The absence of identified problems results in a clean bill of health. If a malfunction is detected, a good auditor or controller will try to identify the root cause, but will typically identify a solution or recommendations based on ‘best practice’ from similar organizations or situations. This approach is labour-intensive, based on an incomplete picture, focused on the past, and typically targeted at one business unit, country or region in sequence. This approach is focused on symptoms, not on real markers of business health. It is common practice today that ‘risk’ in business is managed through ‘controls’. The evidence of controls gives us a false sense of security that risk is effectively mitigated. As we have learned, this is a dangerous assumption. The focus on ‘controls’ can lead to an organizational ‘blind spot’ for the true risks. It is our experience that both risk and control need direct monitoring, significantly through the organizational blood stream of information systems. Consider below, the evidence of risk and control . . .
Interestingly, we find performance monitoring suffers a similar fate, with much of the focus on the headline numbers of KPIs, and not enough focus on the ‘markers’ that can indicate future KPI achievement issues and the specific exceptions that need to be managed to drive KPI achievement.
What we have learned from ad-hoc and continuous organisational blood testing
When analysing the flow of data in its entirety, it is very powerful to compare regions, countries and business units which have comparable maturity and business environments. One can now easily detect where indicators and markers differ by operation. Organizations can now identify key cases for action, diagnose the causes and address the issues in their entirety while moving the entire organisation towards industry-leading performance. To achieve this requires a test, continuous or periodic, of the complete set of critical markers in the system. This is not yet common, but repeatable processes and technologies are available and mature, and we have the experience of running this kind of project. We have learned that constant monitoring also requires adjustment over time. For example, when an organisation undertakes a business initiative to reduce working capital, new markers may need to be identified for monitoring. There are as many types of markers or conditions for monitoring as there are strategies to measure improvement and health in the business. Clearly, when monitoring produces exception results that support management in steering the business initiatives in the desired direction, the use of continuous monitoring and data assurance is very powerful. Because of the volume of transactional data circulating in a business, a big bang approach to monitoring for every possible health condition is not wise. There is more to consider than purely the monitoring, particularly the identification of the right business conditions or markers. The key questions in considering market conditions for each cycle are ‘what does good look like?’ and conversely ‘what does bad look like?’ Selecting the right pilot area and monitoring for the right markers where exceptions can drive appropriate management action is the key. Getting a clear and reliable picture of the markers and the health they indicate is important before extending to organisation-wide scope.
Implications – moving the focus from symptoms and cures to markers and causes
From our work together and our drive to improve business processes and systems and provide new levels of assurance for the organisation’s stakeholders, we are seeing a new imperative. Just as ‘prevention is better than cure’ is a powerful slogan for wellness in society, we need to take a similar approach in business. We need to move away from testing for external symptoms and embrace a business health check that gives us a view of potential problem markers many months or even years before the external evidence becomes clear. By checking the organisational health and risk exposure with ad-hoc, or better still continuous, ‘blood tests’, we can shift the majority of our focus from symptoms and samples to markers and causes. This has the potential to transform our current approach to control, risk and performance management and assurance to something dramatically better for our business’s long-term health and at a much less severe cost! We know that in the heat of driving a business forward day to day, month to month, and year to year, it is sometimes difficult to step back and consider a new approach. At some point, however, there is a need to embrace newer, more effective tools and methods! When did you last have a real health check in your business based on a complete analysis of the performance or risk ‘markers’ in your information systems?
About the authors
Dan French is CEO of Consider Solutions, a firm that provides business solutions and consulting services to help organisations on the journey to World Class Finance. The firm applies management advisory and technology capabilities focused on finance process optimisation, risk management and reducing the cost of compliance, control and assurance. Consider Solutions’ methodologies deliver rapid, cost-effective results whilst providing the flexibility required by business management. Dan has run the firm for 12 years and has a background of 25 years in general management, performance improvement, process change and technology. Dan advises organisations in Europe, US and Asia on strategies for continuous monitoring and exception analytics. Dan claims to live in London despite his travel schedule. He can occasionally be observed playing blues guitar or sampling fine red wines, but rarely at the same time for reasons of practicality rather than preference. Dan can be contacted at email@example.com.
Jürgen Müller is Partner and Swiss market leader for Risk Assurance at PwC, one of the world’s largest providers of assurance, tax, and business consulting services. Jürgen has 20 years of experience in IT implementation and Audit and leads the PwC practice in risk, control and IT-enabled performance. Jürgen lives in Pully near Lausanne, Switzerland and is a keen yoga aficionado. He can be contacted at firstname.lastname@example.org