An open letter to the Fat Controller

Dear Sir Topham Hatt,

I am writing to you as an experienced GRC consultant who was watching a documentary, with my two sons, about your Sodor railway.

The number of accidents, delays and confusion is unusually high for the size of your network. The very fact that you have your own well-equipped, often-used rescue centre should have alerted you to the level of risk you are tolerating on your rail network.

Spreadsheet Risk

Spreadsheets are everywhere in business. From organising the Christmas party to modelling market behaviour, there is likely a spreadsheet sitting behind it somewhere.

These sheets are part of what is referred to as End User Computing (EUC) and become more and more critical to the continuing success of the business.

The problem is that these EUC solutions tend to be owned and operated by business areas away from IT and can cause quite significant problems.

GRC Notifications and Alerts create too much business noise

When implementing a GRC technology it is only a matter of minutes before someone says, “Can you send X an email when Y is updated?”. The answer is, of course, yes, but why do they need an email? During a recent deployment, I configured over 100 notifications. With a few clicks a single user can generate 10 or more emails.

Emails are a major source of inefficiency and stress in the workplace. Many of us have emails arriving on our phone into the evening. Acas makes a recommendation that we should be doing less emailing and more face-to-face discussion.

[News] Nuclear plant with a virus

In a headline that would make Jack Bauer proud, a German nuclear power plant identified viruses on its office computers.

Fortunately, the control systems for the plant were air gapped from the office computers, with no means of direct connection to the internet. However, the viruses were found on USB sticks used to move rod modelling data around the plant.

It isn’t believed that any of the viruses were targeted at the plant in a destructive capacity; rather, they were general malicious programs intended to steal data.

While there is no suggestion that the USB devices would ever have crossed the air gap and infected the control systems, it has highlighted that an air gap is not a panacea for removing IT risk.

From a GRC standpoint, cyber risk is getting more targeted and most experts are predicting a move from disruptive attacks to destructive attacks. Although the idea of a nuclear meltdown might be something for TV and movies, shutting down Germany’s highest output power station for a few days would certainly have economic repercussions. Criminal enterprise and nation state cyber attacks are becoming more sophisticated and targeted; if you are big enough or important enough you will be on the radar for these types.

You can read more about this story on the BBC: http://www.bbc.co.uk/news/technology-36158606

Incentives and risk

We are all the same. I don’t care if you are a saint or sinner. Incentives will gnaw away at our morals and ethics.

The kids and the marshmallow test makes us all smile. The deferred gratification often collapses under the pressure of delicious marshmallow. Even those who succeed can be seen to have had their willpower tested.

We are just an advanced breed of monkeys on a minor planet of a very average star.
Stephen Hawking

Few have sympathy for the banks in the recent spate of mis-selling incidents. While I’m not sympathetic to the organisation, the individuals were placed in a position where breaking rules carried low risk and high reward.

Our brains are wonderful things: we will rationalise acting unethically as ‘bending the rules’, ‘everyone does it’ and other excuses. From the outside others would be judgemental; from the inside it will be rationalised.

the money was resting in my account
Father Ted Crilly

How do we incentivise without bad behaviour

Good Governance. Identify the aspects of an incentive scheme that increase the risk of behavioural conduct issues. Review frequently.

Clarity. Being crystal clear on what is and isn’t acceptable. Avoid meaningless sentiment (“act with integrity”) and use concrete statements (“product is unsuitable for X”). This makes it more difficult to rationalise bending rules.

Emphasis on quality. Ensure that schemes incentivise the quality and compliance of a sale not just the volume.

Claw back. The ability to take back incentives if issues are identified. This is also a great metric to track as claw backs are an indication of conduct risk becoming more widespread.

Capped or decreasing incentives. This prevents sales ‘milking the cow dry’ as each additional sale has diminishing returns. Inappropriate behaviour tends to happen at the higher end, where incentives are being maximised.

Deferral of incentive payments. Deferring payment allows for more time for issues to become apparent before rewarding.

Monitor. Good monitoring of patterns for individuals receiving incentives, particularly those paid the most and those who are most at risk.

Conflicts of interest. Identify your incentivised people and those operating key controls. Ensure there is no conflict here. Sales managers are often operating the controls that are managing the very risks they are incentivised upon.

Additional controls. When inappropriate behaviour is identified, add extra controls. This requires effort as much of the behaviour happens in conversation. Monitor calls, use mystery shoppers, seek customer feedback.

Learn. When inappropriate behaviour is identified, learn from it. Don’t seek to be overly judgemental. If someone did it, the system allowed them to do it.

Teach a man to fish and he will fish till satisfied. Incentivise him and he will fish till there are no fish left for tomorrow.
Alex Hollis

Are you a Special Snowflake

Working as a vendor I have knowledge of your competitors. I speak to many different companies working in the same or similar market. I see many different methods of solving the same problems. Some are better than others and as such I can help make recommendations.

This is the number 1 question I am guaranteed to be asked. “How does everyone else do it?”

When bringing that experience to clients there is a resistance. It could be pride, it could be fear of change. In either case, those who resist try to rationalise that feeling. The most common is “that won’t work, we’re different to everyone else”.

You are not special. You’re not a beautiful and unique snowflake.
Chuck Palahniuk, Fight Club

I call this “Special Snowflake Status”.

Stay Simple

Simple is beautiful, stay simple.

This week I was asked the question by a new client about the common pitfalls when implementing GRC technology. There are a lot of specific examples but many of them have a common theme.

Every time you ask the system to do something, you trade the simplicity of the system in exchange for the requested function. That sounds obvious but it is a trade that often goes undetected.

Let’s jump into an example…
