Corporate Governance:
An integrated and innovative design approach
by Massimo Carosella
In my consulting experience, I have always tried to highlight (and it was sometimes difficult) the decisive role of information in managing a Company effectively.
What I think is crucial is presenting that information so that the manager can view all the relationships among different data in an efficient and easy-to-use framework.
In this perspective, I have always been aware that technology can play a very important role in determining a consulting project's success: first of all, it can boost the measurability of project results, letting the customer acknowledge the value the project itself adds with regard to the company's organisation, the Profit & Loss Statement, the cash flow, etc.
For some decades the consulting world has offered many very different delivery approaches.
However, in terms of their fundamental choices and the skills deployed, they can fairly be grouped into two broad categories.
In the first I would put Companies which adopt a traditional approach, so to speak, in which the consultant analyzes the customer's "as is" situation, sets out its critical issues and opportunities, focuses on the customer's needs, whether expressed or hidden, and offers a study of the improvement areas and of the ways available to achieve such improvements.
On the other hand there are Companies oriented to exploiting technology to meet the customer's information needs through analysis and modeling software tools organized in complex architectures. Such tools, through effective simulation and reporting features, give decision makers the necessary knowledge derived from the available information assets.
Now, there are enterprise management areas which, either because of the growing body of applicable laws and regulations or because of a new cultural, environmental and social sensibility, while keeping a single beneficiary of their actions (the Company itself), have to face a variety of issues, rules and, in one word, knowledge dramatically wider than before.
On one side, this furthered the migration from the Management Control and Planning concept to the Corporate Governance one, embedding in it ethical, environmental and social concerns formerly irrelevant to the primary aims of a Company.
On the other side, it created the need for the Manager to integrate not only intrinsically related data, such as Accounting and Sales data, but also completely unstructured and heterogeneous information, often not available in digital form.
For example, it escapes no one that the skills necessary to deliver a reliable and effective consulting service in the Corporate Governance area, formerly limited to economic and technical ones, now cannot do without social, environmental and ethical contributions.
Moreover, an interpretation problem arises for data which cannot be immediately expressed in terms of binary logic. It is not certain that an IT Company possesses (no blame for it) the skills necessary to draw electronically manageable information out of theoretical concepts, laws, regulations, expectations and aims.
The problem arising from such a situation is that nowadays, more than ever before, a sharp split between a traditional methodological approach and a technology-based one risks leaving dramatically important issues and topics unexplored and unmanaged.
In my recent experience, a strong boost to my thinking on these subjects came from facing complex project topics such as Corporate Social Responsibility, in general, and, in particular, Corporate and Auditing Accountability and Responsibility (Sarbanes-Oxley Act - 2002).
The main subject, an organization review aimed at preventing the commission of crimes (a typically legal topic):
- fits into a Company-wide economic and organizational context;
- draws on data that does not always come from a repeatable digital source;
- requires multidisciplinary skills ranging from criminal law to process analysis, risk management techniques and corporate engineering.
- emphasize, with regard to the wide range and completeness of contents, excellent professional contributions in the legal, social, environmental, managerial areas;
- allow an effective and coherent normalization and integration;
- guarantee the possibility of investigating output independently of either the data structure or any programming activities, which are not within an unskilled person’s reach.
- Objectives
- Controls
- Actions
- Capital reward sharing;
- Information transparency;
- Ethical investments in the long term;
- Correct quality/price relationship of product/service delivered;
- Correct suppliers selection procedure and relationship;
- Local development contributions;
- Continuous training;
- Delegation and Proxies System and Group Work;
- Correct suppliers selection procedure and relationship;
- Correct goods/services purchasing management;
- Efficiency in supply contracts management;
- Abstain from using goods and services produced through child or prison labour.
- Preliminary analysis
- Risk Assessment;
- Action Plan;
- Follow Up.
- To understand the General Management expectations with regard to the project activity;
- To outline the Company’s Business Model.
- Organization areas survey;
- Operating areas’ mission and operating rules survey;
- Organization areas’ procedures (if any) survey;
- Process Analysis: survey, detection, tasks structure and relationship between each other (input/output, chronological sequence, workflow, document stream, etc.);
- Detection and organization of objectives; assignment of responsibilities and attributions;
- Risk Factors survey to find out those that can prevent objectives from being achieved.
- To perform a thorough process objectives’ and key success factors’ survey;
- To measure Company’s potential risk and organize it by process and risk type;
- To identify and evaluate in depth the risk level, with regard both to how it prevents objectives from being achieved and to existing controls.
- Check Lists arrangement for each Responsibility area. Questions shall be aimed at highlighting the existence of defaults, gaps or misbehaviours which can compromise the accomplishment of the objective related to the Risk Factor.
- Each answer will be weighted according to the aptitude of its controls to decrease the related risk level.
- Once the interviewed manager has completed the Check List, the score calculated from the answers' weights will give the overall Inherent Risk Level.
- To identify and formalize the actions to be enacted in the selected time range, mainly depending on the Risk Assessment results.
- The Risk Matrix, as the output of the previous step, will provide guidelines according to which corrective actions will be defined with regard to their ability to bring the Inherent Risk level to a level acceptable as a compromise between risk mitigation and the cost to be incurred for risk reduction.
- Each action shall be defined in terms of relative weight, that is, its individual contribution to the related risk mitigation. Moreover, the execution deadline and the responsible manager will be defined for each action.
- Audit interventions definition and planning;
- Plan outline;
- Plan approval.
- To establish the adequacy and effectiveness of corrective actions started by managers in response to an Audit survey.
- Corrective actions execution verification;
- Target Risk level acceptance.
- Auditing Plan monitoring will be performed by periodic or extemporaneous (typically when a critical situation happens) checkups of the execution status of each action and, in case of gaps between expected and actual results, by urging or re-tuning actions.
Although the search for solutions to each of these problems was successful, both at an individual level and at a global one, another problem remained unsolved: making some phenomena or information measurable and integrating them in a Model able to extract significant global information.
Such a problem arose already while creating project teams, when we had to take note of the differences in language and means of interpretation among the different professionals involved.
Even though we succeeded in making such teams coherent, the problem of normalizing all available data heavily engaged team members: models followed one after another, the methodology was repeatedly tuned by embedding techniques coming from different sources and application areas, and plenty of data structures were investigated in order to guarantee the highest efficiency while implementing the model and, at the same time, the greatest thoroughness and versatility of the output information.
The decision we took, as consultancy entrepreneurs, was to invest in realizing a Model which would
Our idea of developing such a Model was encouraged by realizing that the consulting market in the risk management and legal compliance areas (Corporate Social Responsibility, SOX and SEC regulations in the U.S., Corporate Administrative Responsibility in the E.U.) has plenty of companies that normally use data repository tools, such as spreadsheets, spreadsheet compliance validation tools or databases, that, precisely because of the integration and application problems we were talking about earlier, do not make it possible to manage each and every phase of an integrated Legal Compliance oriented project.
Nor do all of these tools keep in a specific database what came “first, meanwhile and then”: it is important to keep the history of Business Processes in order to analyse gaps, corrections and decisions and measure the outcome!
First of all, what we felt was broadly missing were reporting features that translate into numbers the risk level and the effectiveness of each corrective action, monitor the risk mitigation process based on the evidence of the corrective actions plan and allow the user to measure and analyse, whenever necessary, the gap between current and target compliance levels.
The Model was conceived thanks to several consulting experiences both in the Corporate Governance and in the Planning & Management Control areas. In fact it gathers all those experiences, the notes and the papers coming from those projects and organizes them in the form of a software application able to respond to some requests or suggestions expressed by the companies we dealt with.
The Model has been defined according to three dimensions (typical of any Auditing process) which guided its development
Objectives, generally speaking, are effectiveness, economy and efficacy of management.
Their breakdown into more specific objectives depends on the nature of the Company’s activity, on its organization and on the main processes carried out to accomplish the corporate goal.
They can be divided into global objectives, in so far as they are pursued in every process of the Company, and specific objectives, in so far as they are strictly tied, as to their nature and responsibility, to a single process.
I think it’s useful to point out that the approach by which we defined and organized objectives is coherent with Corporate Social Responsibility principles: therefore, to the traditional (economic, financial, organizational) ones we added others directed at Society, homeland, environment, etc.
In order to give an example, some global objectives can be:
while, among process objectives (here we use the Purchasing process as an example), we can group:
Controls define tasks and operating rules aimed at verifying the aptitude of the Organization, and of the operating procedures applied, to achieve the global and process objectives.
Such an aptitude can be expressed in terms of its ability to mitigate the risk of one or more events (illegal behaviour, organizational default, lack of procedure) disturbing or even preventing the Company from accomplishing one or several objectives.
Actions are all those new activities, operating protocols, procedures and rules (or their modifications, if they already exist) that must be introduced into the organization in order to strengthen its aptitude to avoid risks that can prevent it from reaching corporate/process objectives.
Model application steps
The Model supports the whole Compliance Modeling and Auditing lifecycle. In detail, we can identify 4 fundamental steps, whose structure we outline below.
For each step we will summarize objectives, main tasks to be delivered and output.
Step 1 – Preliminary Analysis
Objectives:
Main Activities:
Step 2 - Risk Assessment
Objectives:
Main Activities:
Step 3 – Risk Matrix and Corrective Actions Protocols
Objectives:
Main Activities:
Step 4 – Monitoring and Follow Up
Objective:
Main Activities:
As anyone can see, this methodology achieves what was expected in terms of integration, processing speed and affordability.
Integration is accomplished through:
- moving from being forced to get contributions from several tools and skills to a single project approach, in which the merging and integration work was done earlier thanks to previous experiences,
- starting from process analysis and following and analysing all steps of the intervention up to the Action Plan Monitoring with a single Model, though adaptable to different focuses, such as environmental, social, ethical, economic,
- the application sphere extends to the entire Company, to its specific industry and organization structure, its ties and strategies,
- the integration towards a Balanced Scorecard cockpit to monitor, in an innovative way, the Corporate strategies achievement level.
This dramatic reduction in the processing time for most of the activities proves the increased speed of Model design and realization.
It turns into a great economic advantage represented by the fact that, for many tasks and for the Follow Up phase,
- the external consultants contribution is waived,
- the internal resources involvement is reduced and
- through the features implemented by the technology, a considerable cut in the investment is accomplished,
which means an outstanding overall cost saving (up to 40%!) off the average cost of a CSR Project.
Massimo Carosella, electronic engineer and Management consultant, has engaged since 1998 in technology-based Management Consulting: the technology used has evolved from the original DSSs to the most up-to-date simulation and analysis management intelligence tools. He is CEO of C.C.S. - Carosella Corporate Solutions LLC, based in the Dallas area, Texas, USA. In this Company, he implemented and tuned an innovative approach to Corporate Governance, with a valuable focus on Corporate Social Responsibility themes, supported by in-house developed software applications, integrated as to the approach and innovative as to their uniqueness on the specific market.