We’ve come to that part of the year when a good number of people, employees and business owners, start to look forward to the end of year break, and the opportunity to recharge those batteries. Business meetings seem to become less frequent, traffic develops into a far more merciful activity, and our minds tend to wonder to laughter-filled holidays and festive cheer. Days and nights spent in reckless abandon, the worries of our nine to fivers a hazy mist barely pressuring the edges of our holiday realities.
Of course, for most people, the true “reality” is something far more complicated and markedly less carefree than all that. The modern world has made it very difficult for anyone to completely switch off, for anything but the shortest amount of time. The increasingly challenging economic conditions compel us to always “be in touch” via mobile phones and tablets, laptops, social media, news alerts and company data feeds. For those of us whose operations span multiple countries, across numerous time-zones, often with complex cultural and language hurdles to clear, these obligations to remain available at all times multiply exponentially.
In the realms of GRC (Governance, Risk Management and Compliance), the drive to achieve goals and objectives is impacted by the same technologies, people, processes and streams of information that are traditionally hindered due to a skeleton staff compliment, and system and process downtimes. Organizations can find it challenging to maintain a culture of risk and control when the owners of these risks and controls are either away on leave, or simply less focused, and caught up in the palpable slowdown in activity. Companies may choose to employ temporary staff to fill the gaps, or rely on junior staff to take on greater responsibility, a practice that in itself can be fraught with risk. Increased fraud, break-ins and theft, compromised passwords, payment diversions, reduced segregation of duties, and of course, the upsurge in cybercrime.
The global intensification of cyber-attacks such as hacking, phishing, viruses and malware, particularly at this time of the year, has meant that organizations have to ensure that their controls (defences and mitigations) are closely aligned with the top threats, and that cognisance is taken of the compromised lines of defence as a result of staff, system, and process downtime.
For some industries, and during the festive period we think particularly about retail stores, banks, and the hospitality sector, the upturn in business activity is coupled with a marked increase in risk exposure. In South Africa, the substantial rise in the flow of cash leads to an intensification in the potential for robberies, heists, organized attacks on retail centres, burglaries and ATM bombings. Retailers often experience considerable declines in sales for several months subsequent to these incidents making it incredibly difficult to recover any losses.
On the other end of the scale sits the manufacturing sector, which, due to factors like labour requirements, decreased product demand and supply shortages, face a full-scale or partial shutdown in operations, leaving empty business premises, standing stock, and stationary machinery. Temporary plant shutdowns require detailed planning, meticulous co-ordination, well-managed execution, and the capacity for a rapid return to service, but all of this can come to naught if attention is not paid to the risks inherent in the absence of access to systems or people during these downtimes. Who are your risk and control owners, and what degree of assurance can they provide that controls effectiveness levels will be maintained, and any incidents or control failures will be quickly and adequately addressed while they’re relaxing on a beach in Clifton, cocktail in hand, oblivious to any potential crises?
The answer lies in the same elements that led us into this fast-paced, ultra-connected world, and that’s technology. Whatever we can do to speed up production, ultimately leads to more business. Successful organizations often stand out based on their ability to leverage technological progress to devise and exploit any market advantages. This incorporates the automation of office functions to reduce business costs, data integrity through the maintenance of a secure ICT environment, constructive use of the internet both to external and internal stakeholders, constant and streamlined research and development, and vastly improved communication.
Some would argue that technology does have its downside. Up until recently, the jobs most vulnerable to machine automation were those comprised of routine, monotonous tasks. But the steep rise in processing power makes it not unreasonable to believe that up to 50% of today’s jobs could become automated in the next 15-20 years. Will human employees become isolated beings, limited to electronic communication, with restricted physical interaction? Will over-reliance on technology lead to negative impact on the business if the technology fails? Funds need to be allocated to upgrading and maintaining technological infrastructure to safeguard against falling behind the curve. Is this ongoing investment sustainable into the future?
Speeding up production will often lead to more flashpoints where things can go beautifully right, or horribly wrong, and the key for any modern organization is to be sentient of these little signals that prove to be early warning indicators that something could happen, leading to a positive or negative consequence. The risk management fraternity has long advocated the use of indicators related to risks, controls, compliance and performance, as metrics capable of exposing areas where a company may be subjected to risks that exceed the acceptable risk appetite and tolerance levels, or as measures of how well an assignment or project is being completed. Using these indicators in conjunction with a well-managed GRC approach goes a long way to facilitating proactive action, and providing real-time analysis and intelligence to decision makers as and when they need it.
For example, an indicator measuring the number of credit notes in a particular period could provide valuable insight into any process glitches or improvements along the supply and value chains that lead to an increased or decreased number of occurrences. Linking this KRI to the relevant risks themselves, and informing risk owners (e.g. the Debtors Manager) of the potentially volatile situation empowers these owners to make the necessary adjustments to their mitigation strategies to prevent the downside risk from occurring, or encouraging upside risk-taking within acceptable appetite and tolerance levels.
So, how do we go about using technology to more effectively govern our organizations, and how do we create a setting where regardless of whether staff are on site or not, the signs of impending doom, or fervent opportunity are taken note of, and the necessary actions are initiated? The levels of business intelligence within most modern software solutions, combined with the extent of integration possible between these systems presents a fantastic opportunity for indicators of any kind to be measured, monitored, tracked, managed and reported on in real-time. Delivery of this information to a mobile platform such as a tablet or smartphone further entrenches the discipline in day-to-day activities, ensuring decisions are made based on relevant, tangible facts, backed by powerful data. By being clear about the information you are trying to extract, as well as the nature of the indicator being measured, clarity of management information can be vastly improved.
By utilizing Key Performance Indicators (are we achieving our objectives), Key Risk Indicators (is risk being kept within our desired tolerance levels) and Key Control Indicators (are our controls working) the uncertainty around the achievement of organizational objectives can be greatly reduced. These indicators are all fundamentally related, and when assessed holistically provide a dynamic bird’s eye view of the company’s changing GRC environment. The considered utilisation of these indicators can and should play a fundamental role in ensuring that the goals and objectives set by the organization are achieved, based on the fact that risks and the various strategies related to these risks are managed far more proactively. Key to this approach is ensuring that indicators are quantifiable, and that the measurable units can be compared across data periods to enable trending. These trends can then be utilized to analyse historical movement, with a view to predicting future occurrences, and assisting in providing an appreciation of how risks change over time, and how they are affected by the organizational environment. By going one step further, and establishing thresholds for these indicator values, appropriate actions can be created to ensure that certain steps are followed once these thresholds are reached or exceeded.
The deployment of the right knowledge, expertise and technological assistance (for example through the implementation of GRC software) can ensure that once these indicators reach their thresholds, the relevant people are not just notified, but also prompted to action to either safeguard against any negative effects, or to take advantage of an upside risk opportunity. By taking cognisance of these early warning signs, an organization is able to react before the risk materialises, based on a well-thought-out and documented mitigation approach. Most modern software applications have functionality for web-based and/or mobile notifications, and these can then be set to automatically generate to the relevant people (multiple owners, with multiple roles if necessary) regardless of the time of year, staff capacity, or distribution of offices and infrastructure.
Indicators are fast becoming the alarm system that protects our businesses, forewarning us of uncertainties on the horizon, which can either lead to losses, or the smarter achievement of our goals and objectives. By being mindful of these signs, organizations have a far better chance of negotiating the minefields they operate in, and placing safeguards on their future success.