Easily detectable business process defects will topple companies

Huge laughs around our kitchen table yesterday evening – about risks and controls. No, really.

Two of our sons are living at home this year, working in temp jobs. One is in QA for a global biotech company, the other in Procurement for a global food manufacturer.

Both have been given system-wide and global administrator access to their employers’ core ERP and document management systems – within a week of starting, which seems pretty amazing.

The biotech company is hilariously obsessive and mechanistic about its risks and controls. [It’s easy to see how compliance can chew up 25% of Pharma operating costs.]

At the other end of the spectrum is the food manufacturer, which has a risks and controls culture designed by Homer [and we’re talking Simpson here, not the Odyssey dude].

The risk management person finally realised what my son had sussed on his first day: that he had unrestricted access to the SAP procurement suite for their global operations. So he could invent a supplier, create a PO for any sum and then approve its payment – all without anyone else being involved.

It was the solution that the risk officer came up with that had us falling off our chairs. This company’s global procurement team works on heroics. Its processes are folklore, an oral history shared at the cigarette breaks. Where there is a process and a rule, it is usually ignored in the interests of ‘getting the job done’. (And a high proportion are temp workers, which must be another risk..).

The solution had to fit with how the global procurement team work in practice. So my son was told yesterday not to use his access for certain SAP transactions. That would satisfy the audit requirement.

Instead he has been told to share a communal username and password with four others for those SAP activities. So the risk mitigation ‘solution’ rips up the only audit trail that could have proven wrongdoing. [You couldn’t make it up..]

Of course, the CFO of this organization – which is a household name – no doubt sincerely believes that the company’s risk and controls are properly managed, and that will be what the auditors are saying as well.

It’s an extreme example of the unseen risks faced by organizations that neglect process rigor and so can’t connect strategy with reality.

Hear stories like this and it’s easy to believe Gartner’s prediction that ten Global 2000 companies will fail or be crippled, due to overlooked but easily detectable process defects – within the next three years.


Mike Gammage is VP and Principal Consultant at Nimbus Partners. Mike has worked in performance improvement consulting, and more recently the BPM space, for more than two decades. He is particularly interested in the overlap between two very dynamic worlds: BPM and performance improvement (the drive across all industries to standardise, improve and automate) and sourcing and the virtualisation of the enterprise (the drive to create more flexible and lower-cost service solutions through outsourcing, offshoring and shared services). In either case, Mike believes the enterprise needs a single source of truth about its end-to-end business processes, as well as a framework for the design and implementation of change. It also needs to connect the end-user and all other stakeholders to ensure the adoption of change. These are the keys to sustainable transformation and continuous improvement.