I am sitting in a 6th floor office in Manhattan and ruminating between meetings. Over the past couple of years I have talked with numerous finance executives, controllers, risk and control specialists and audit folk on the topic of managing and monitoring risk in the processes that affect the financial statement. With that as input, I have just written a short paper with a Partner at a respected Big 4 firm. The paper will be published shortly, but these thoughts reflect the same theme and thinking.
I know I am not the only one who looks at the continuing eruptions of accounting and fraud scandals in the press, and wonders about the paradox. These organizations have healthy audit reports and a reputable system of internal control. Then one day it comes out that all is not what it seemed. Within months, the reality emerges that things have not been quite as rosy as previously painted. But what do we really learn from these events?
It is easy to dismiss the most egregious accounting failures as the ‘exceptions that prove the rule’ and assume that, in general, assurance over financial results and processes is improving all the time.
It is an interesting facet of the human condition that something that has not been observed for a long time (or at all) is felt to be of low likelihood of occurring in the future (think earthquake, volcanic eruption, disastrous tsunami, collapse in price of AAA rated securities, developed country default, fraud event . . . ) I believe our confidence in the current approach is misplaced. We have a false sense of security. The current ‘standard’ level of financial assurance is akin to periodically asking the manager of the parking lot that the barrier works and asking to see certificates of regular maintenance.
Andy Grove of Intel famously said ‘only the paranoid survive’. He was referring to a company culture that kept Intel at the top of its game for 25 years. A healthy paranoia in business would be calmed by an effective early warning system. Just as we keep on the lookout for unexpected seismic shifts . . .
At the risk of analogy overload, we know from a health perspective that ‘prevention is better than cure’. We are all comfortable with the fact that the medical profession has moved on from a simple visual observation by a general practitioner for a health check. Medical and technological advances mean that we now rely on blood tests rather than purely outward symptoms on the body. Why is that?
Blood tests give a much more precise ‘early warning system’ of future problems. The blood system carries ‘markers’ of potential dangers earlier (typically months or years) than the evidence of external symptoms. Early identification of these ‘markers’ makes for an effective diagnosis strategy in the fight against disease.
Our interest has been stimulated by this theme as we have identified similar characteristics in the latest approaches for assuring the health of the organization. Just as the blood system carries markers of potential disease in the body, so information systems of the organization carry data around the business that also act as ‘markers’ of business activity, risk and performance. Our approach to the assurance of business health needs a similar step-change to what we have enjoyed in personal healthcare over the past 20 years. We are learning and applying these lessons today. There is growing evidence that our confidence in financial controls is misplaced just as an external checkup of the body can provide a false sense of security.
We need an effective early warning system for risk exposure and performance breakdown. Financial control is about managing risk and, ultimately, reputation.
You can see my talk on this topic at http://bit.ly/AeFMr3
Now, back to business . . .
Thanks for reading!