Agility vs. Control
October 23, 2005 | Boston, MA: Once the crucial element in determining whether a business initiative was possible, technology is no longer even on the critical path. Dramatic advances have made technology so agile and powerful that it can accomplish virtually anything a company requires. According Karl Taylor, Senior Vice President and CIO of CVS/pharmacy, ten years ago, integrating an acquisition into the corporate IT infrastructure took 24 months to complete. Today it takes just 4 months.
“Before you could do only what the technology allowed or enabled,” agrees John Schoenherr, Vice President at Oracle Corporation. Today, technology is no longer on the critical path.
Now, the gating factors are business and operational controls. And many companies are struggling with this, because until recently business tools have not been available to help companies objectively and consistently identify, assess, mitigate and monitor risk action plans to improve its business processes. With the advent of sophisticated risk management solutions, however, that is changing.
Why is Balanced Scorecard not enough?
At the SIMposium 2005 conference for financial and technology executives held recently in Boston, balanced scorecard was a hot topic among the participants. The balanced scorecard approach can be enormously useful in connecting performance to corporate objectives, but it is imperative that companies avoid the dangerous pitfalls of implementing this strategy, most notably metric overload and tunnel vision.
Case in point: In response to a request for its key performance metrics, one large insurance company proudly presented an eight-inch binder of pages chock full of data in eight-point type. While impressive, the level of detail was so overwhelming that the company was suffering from metric overload.
Tunnel vision occurs when support departments like IT, finance and legal zoom in too closely on their own metrics and fail to take a broader look at how their performance influences the success of its clients, namely operations. An IT organization that effectively measures its performance against SLAs but is unable to gauge how it contributes to corporate objectives is falling short.
To integrate the balanced scorecard approach effectively across functional silos companies need to add another important discipline to their planning and analysis: risk management.
Closing the gaps with risk management.
The very first thing a risk management solution evaluates is the degree of alignment the organization has in establishing clear, measurable corporate objectives and communicating them throughout the organization. Most senior executives believe they have done this but, more often than not, employees further down in the organization cannot define these objectives. Push a little more by asking how the daily transactions within their jobs relate to specific objectives and the answer is often an uncomfortable silence.
These employees are not at fault. They work hard to accomplish their tasks, but separation of duties, the core principle of corporate management, has an unfortunate side effect; a communications gap has left them working in a vacuum. Corporate objectives have not been effectively communicated from the top down. Risk and lost opportunity is lost in translation from the bottom up.
Risk management technology closes the gap in the planning and analysis process by bringing all levels of the organization together to ensure that the right objectives are established as a lens to identify risk and opportunity and to evaluate priorities and controls. With risk management technology, senior managers establish an initial set of policies to govern the corporation. These policies are then transformed by the employees on the front lines, the people who know the operations of the business and the needs of the customers better than anyone else in the organization into controls and operating procedure. Risk management then becomes the feedback loop to provide that critical information to the executive team to determine if the policies are effective or if adjustments need to be made. Having been a part of the process, employees are now in tune with the company’s goals.
Do not mistake complexity for sophistication. Making risk management programs intuitive and easy to implement means delivery of bottom line results quickly. Strong risk management software can put more than a pretty face on sophisticated and rigorous financial theory.
Agility, like fire, can heat your house or burn it down.
When interpreting vague corporate policy one can make his or her own determination and ask for forgiveness or conclude that if it’s not explicitly permitted, it’s not allowed.
According to Phil Zwieg, Northwestern Mutual, “The challenge of effective performance management is similar to the challenge that IT faced years ago when implementing security management.”
The difficulty is in first determining effective policy management and controls, not in the IT execution. The role of the policy management software is to guide users in knowing what is allowed and to guide administrators and managers in making choices about system configuration and use. This process establishes specific control goals and a plan to tackle them. Before you can manage business processes you have to have a way to identify and measure its key drivers for effectiveness. Your performance management policy provides the acceptable baseline standards against which to measure risk and reward.
Some organizations have the tendency to define policy from the bottom up, starting with the capabilities of the tools at hand. Successful enterprises know that sound policies begin from the top down. Risk management technology can also identify policy and procedures of an operation that are causing conflict or otherwise limiting performance. For example, sales account management is a critical area for generating follow-on revenue in an account. Well meaning corporate policy in a multi-divisional company dictates which group takes account relationship management responsibility, but on the ground, the result may be the stagnation of future revenue by not enabling other products to get through overprotective gatekeepers. Risk management is able to bring dysfunctional policies to the surface and align business units to achieve corporate objectives.
Garry Lowenthal, the chairman of the Finance and Technology Committee of Financial Executives International (FEI) has seen first hand the downside of “bad” business controls in his role as Managing Partner of Growth Capital Partners, an investment firm that creates spin-off companies from larger organizations.
“After these units get out from the bureaucracy of the parent company, they experience significant bottom line improvement, typically double in profit and revenue. People will call afterwards and say ‘How come I couldn’t get them to do that?’ The answer is that counterproductive controls and administration can really smother performance,” he said.
To Achieve Corporate Objectives, Implement Risk Management
Now that technology is agile, flexible and robust enough to accomplish just about any initiative a company can envision, it is time for businesses to get smart about business and operational controls. Risk management solutions bring a new level of visibility into every aspect of an organization to allow companies to build business processes that capitalize on the strength of their infrastructure and their employees to ensure corporate objectives are met.
Caitlin Seele: firstname.lastname@example.org | (617) 530-1208