Saturday, January 14, 2017

Critical Success Factors in Improving Corporate Performance

By John Kyriazoglou

1. Introduction

There are five typical questions (Q) that come to mind in evaluating and improving the corporate performance of any company:
Q1: Which are the critical success factors (CSFs) enabling the design and good operation of strategic controls to establish the performance framework and ensure the improvement of the performance of our company?
Q2: How do we target our bottom line and continuously improve our company’s performance?
Q3: Do all our business functions/units meet the corporate financial and other performance targets?
Q4: How do our business functions/units translate corporate targets into measurable actions?
Q5: How do we monitor implementation of these actions and their impact on our company’s profit and loss (P&L)?

My answer to the first question (CSFs) is presented next.

2. Critical Success Factors in Improving Corporate Performance

The critical success factors (CSFs) enabling the design and good operation of strategic controls are: management tools, performance measurement culture, training, professional knowledge, top management commitment, and modern reporting model. These are described below.

CSF 1: Management Tools. These include the policies, procedures and systems of corporate governance related to organization, financial management, human resource management, production, sales, IT management, etc.
CSF 2: Performance Measurement Culture. This includes establishing and enhancing the role of the performance management manager, and adding resources with the appropriate skills, abilities and talents to the performance measurement teams: financial management, sales, human resource management, IT systems development and operation, production process management, customer support, etc.
CSF 3: Training. Training and educating management staff is a must, so that they can acquire and enhance their skills in analysing all performance data (e.g., financial, customer, internal corporate processes, employee learning and development, etc.).
CSF 4: Professional Knowledge. Very strong knowledge of the given organization’s processes, the industry to which the organization belongs, the culture of the organization and its business operating model, as well as effective inter-personal communication skills at all management levels, are also required.
CSF 5: Top Management Commitment. Very strong commitment to performance is required from all members of the executive board, corporate leadership, top management, management committees, other organizational committees, etc., and it must be pursued at all levels (up, down, across) of the given organization: corporate management, organizational units, business functions, projects, systems, processes, stakeholders, etc.
CSF 6: Modern Reporting Model. The last CSF, but just as important, is an open and widely distributed environment for exchanging information and know-how about performance and about the production and support processes, together with a flexible, modern and continuously updated reporting model for organizational performance and for the consequences of the organization’s operations on the greater environment, society, economy, etc.

My answer to the other four questions (questions 2 to 5) is contained in my book, described next.

3. Improving Corporate Performance with BSC

This book describes how to better control and improve your company’s strategy and performance with the Balanced Scorecard framework. It does this by identifying the concept and importance of strategic controls, describing the types of strategic controls (such as financial, output, IT, etc.), defining the roles and responsibilities of managers and others in these, proposing a Balanced Scorecard approach to strategic control for all enterprises and organizations, and providing examples of a Performance Management Policy, a Corporate Strategic Plan, and a set of audit checklists and Business Performance Measures.

1. Introduction
2. What is strategic control?
3. The Importance of Strategic Control
4. A Balanced Scorecard Approach to Strategic Control
5. Strategic Control Systems
6. Key Issues in Designing Strategic Control Systems
7. Critical Success Factors
8. Types of Controls (Financial, Output, Behavioral, IT)
9. Roles and Responsibilities
10. Strategic Controls – Examples of BSC Implementation
11. Review and Audit Tools and Techniques (Strategic Readiness Checklist (55 questions), Business Idea Development Checklist (11 questions), Corporate Strategic Plan Checklist (15 questions), Generic Performance Audit Program (16 questions))
12. Conclusion
13. End Notes
14. Bibliography
Appendix 1: Performance Management Policy
Appendix 2: Corporate Strategic Plan-Example
Appendix 3: List of 42 Business Performance Measures (for finance, sales, production, management and IT)

4. Further Resources

For more details, see:
1. Improving Performance with Balanced Scorecard
2. Examples of four BSC Case Studies

Thursday, December 15, 2016

Managing enterprises better in the 21st century

By John Kyriazoglou

1. Introduction

According to various sources [1], ‘management control’ is a management function aimed at achieving defined goals within an established timetable, and is usually understood to have three components:
(1) Setting standards,
(2) Measuring actual performance, and
(3) Taking corrective action.

In practical business terms, management controls, in a private company or public organizational environment, are used daily by managers and employees to accomplish the identified objectives of an organization (private company, public organization, or business entity, called ‘enterprise’ in this article).

Simply put, management controls are the operational methods that enable work to proceed as expected. 

Management is responsible for establishing and maintaining the business management control environment. Auditors play a role in a system of internal controls by performing evaluations and making recommendations for improved controls. Furthermore, every employee plays a role in either strengthening or weakening the specific company’s internal business management control system. Therefore, all employees need to be aware of the concept and purpose of internal business management controls.

How many of these business management controls, however, does an enterprise need?

For more details, download the article from the following link:

Monday, November 28, 2016

Preparing for the EU General Data Protection Regulation (GDPR)

By John Kyriazoglou

Is your company ready?
What steps should you, as a manager, executive or board director, take for your company by May 2018?

My new book ‘Data Protection and Privacy Guide’, in five volumes (see links at the end), is designed to support you effectively in all these issues.

I am providing below a short summary of the GDPR and how it impacts your business operations (including your IT systems) and a flavor of what is contained in these volumes.

1. Introduction to the EU GDPR
In April 2016, the EU General Data Protection Regulation (GDPR) was approved, entering a two-year transition period (April 2016 to May 2018) during which member states and enterprises (private companies and public organizations) handling European residents’ personal data will need to adopt the new requirements. The Regulation introduces tough penalties for non-compliance, with breached organizations facing fines of up to 4% of annual global turnover or €20 million, whichever is greater.

The new law dramatically changes the way in which organizations approach personal data protection (for customers, employees, etc.), particularly in terms of access privileges. With financial penalties in place, which can be as much as 4 per cent of a corporation’s annual turnover, enterprises simply cannot afford to let personal data slip into the wrong hands through mismanagement or a malicious breach. One way to ensure this doesn’t happen is for personal data to be secured under lock and key with the help of identity governance, where entry is monitored and controlled around the clock, etc.

2. Preparing for the General Data Protection Regulation (GDPR)

The basic steps to take by May 2018:

Step 1: Awareness. You should make sure that decision makers and key people in your company or organization are aware that the law is changing to the GDPR.
Step 2: Data Protection Officers. You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements.
Step 3: Personal Data you hold. You should document what personal data you hold, where it came from and who you share it with. You may need to organize a personal data audit, etc.
Step 4: Individuals’ rights. You should check your corporate procedures to ensure they cover all the rights individuals have, including how you will handle requests within the new timescales and provide any additional information, how you would delete personal data or provide data electronically and in a commonly used format, etc.
Step 5: Communicating privacy information. You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Step 6: Legal basis for processing personal data. You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
Step 7: Consent. You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
Step 8: Children. You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
Step 9: Data breaches. You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Step 10: Data Protection Impact Assessments (DPIA). You should familiarize yourself now with the guidance regarding when to carry out a DPIA: for example, where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals, etc.
Step 11: Data Protection by Design and by Default. You should ensure that all your products produced and sold and all services provided (including Information systems) by your company implement privacy and data protection according to the principles of the GDPR.
Step 12: International Operations. If your company operates internationally, you should determine which data protection supervisory authority you come under.

3. Resources to support you in implementing the EU GDPR
As noted above, my new book ‘Data Protection and Privacy Guide’, in five volumes (see links at the end), is designed to support you in all these issues.

This book, in 5 volumes, contains a complete set of methods, strategies, plans, policies, audit tools and other practical techniques to guide and support you in effectively managing the personal data your company collects and processes and in complying better with all privacy regulations (e.g. the EU GDPR).

1. Data Protection and Privacy Management System: Data Protection and Privacy Guide – Vol I
2. DP&P Strategies, Policies and Plans: Data Protection and Privacy Guide – Vol II
3. Data Protection Impact Assessment: Data Protection and Privacy Guide – Vol III
4. Data Protection Specialized Controls: Data Protection and Privacy Guide – Vol IV
5. Security and Data Privacy Audit Questionnaires: Data Protection and Privacy Guide – Vol V

Thank you,

John Kyriazoglou

Monday, November 7, 2016

Data Protection Impact Assessment Toolkit

This is available at:

This document describes a set of methods and tools that enable, facilitate and support you in assessing your data protection risks and executing a Data Protection Impact Assessment (DPIA) for existing as well as new products, services, systems, functions and information systems that collect, process and maintain personal data.

It may also be used to evaluate the data protection and privacy risks of the personal data your company collects, processes and stores and to comply with the requirements of the EU General Data Protection Regulation (Articles 27, 28, 34, 35, 36, 39, 53, 57, 58, 64 and recitals 53 and 58) for any enterprises located within the EU or doing business in the EU, regardless of their home base and central location offices (headquarters).

Table of Contents

Chapter 1: Summary of the New EU General Data Protection Regulation
Chapter 2: Data Protection Impact Assessment Methodology
Chapter 3: Data Protection and Privacy Audit Tools
Annex 1: Data Protection Impact Pre-Assessment Survey
Annex 2: Data Protection Risk Identification Questionnaire
Annex 3: Privacy Risk Register
Annex 4: Suggested DPIA Report Format
Annex 5: Proposed Risk Resolution Actions
Annex 6: Personal Data Checklist
Monday, February 22, 2016

A Manager's 'duty of care' responsibilities

By John Kyriazoglou

Plato: ‘The most important of all goods is health, the second is beauty of the soul and the third is to be able to become rich without doing anything bad’.

This short article describes a plan for improving the responsibilities you have as a business owner, board director or manager towards the wellbeing of your employees.

Our workplaces are full of problems, to put it lightly. According to the World Health Organization, ‘Mental health problems, such as depression, anxiety, substance abuse and stress, are common, affecting individuals, their families and co-workers, and the broader community. In addition, they have a direct impact on workplaces through increased absenteeism, reduced productivity, and increased costs [1].’
As 60-70% of people with common mental disorders are in work, according to various experts and governmental studies, it is up to each company and its individual owners and managers to do something about these crucial and debilitating problems at work.
The principle that investing in support for employees who may be struggling is not just morally correct but a financial imperative is well established, according to experts [2].
You must also remember that your staff, quite rightly, are the single most valuable asset your organization has. This means that when they work and travel for your company, you need to be assured of their safety at all times, to the best of your abilities.

In general terms, a manager’s or professional’s duty of care is a legal, and often professional, obligation imposed on an individual manager or professional, requiring them to adhere to a standard of reasonable care while performing their duties and to avoid any acts that could foreseeably harm others (organizations, societies, people, the environment, etc.).

In practical terms, duty of care means that every party to a contract must comply with the rules included in it, as well as with other relevant industry and state laws and regulations on ethics, health and safety. The same goes for an accountant in correctly recording financial transactions and preparing company accounts; for auditors, in confirming the financial statements of a company; and for boards and managers, in managing their corporate resources well, etc.

More details at:

Wednesday, October 28, 2015


By John Kyriazoglou*
The main purpose of IT Controls is to ensure the safe and secure operation of information systems and the protection from harm or other potential damage of the organization’s I.T. assets and data maintained by these systems. These objectives are achieved by a set of policies, procedures, practices, methods, techniques and technological measures, collectively called ‘controls’.
IT systems and infrastructure controls are classified as General IT Controls, i.e., controls applying to the whole of an organization’s information systems activity, and as IT Application Controls, which are specific to a given application, such as payroll processing, general ledger accounting, accounts receivable, etc. Both of these types of controls, within any type of organization (private, public, etc.), must operate within the greater framework of corporate governance and the internal control system to fulfill their purpose to the fullest.
Sometimes the boundary line between these control types (General IT Controls, IT Application Controls) is rather arbitrary, particularly in client/server, web-based and cloud computing applications, most of which may run on several computers.
What is crucial is for IT management, systems development professionals and other stakeholders (auditors, fraud examiners, etc.) to realize that a comprehensive and effective combination of both of these control types (General IT Controls and IT Application Controls) is required to ensure, as far as possible, an adequately safe and secure processing environment. We need to be proactive, and plan and prepare both ourselves and our organizations for possible attacks on information systems, frauds committed against them, errors occurring in them, disasters to IT facilities, and other unusual events.
It should be noted that modern intruders into IT systems and networks do not publish their tools, their successful or failed attacks, or their profits. They act anonymously and quietly, in a step-by-step approach, from both inside and outside the organization, across the planet, and they usually cover their trail.
The players now include terrorists, white collar criminals, hackers and open source groups. The global underground cyber-criminal community is actually trying to do better than what we do. Ten years ago, people sold you user IDs and passwords. Now the menu includes your CVs, ATM and credit cards with PIN numbers, and whole e-mail inboxes. They will ship information to anywhere in the world for money.
There is an army of them with new skills and capabilities.
There are: mappers, scanners, hackers, crackers, password sniffers, readers and shooters with van Eck tools, programmers who write code to enter network and application systems without leaving a trail, moles (personnel) employed to work in an organization much before it is attacked, vendors who sell illegal and improper hardware and software, social engineers who get passwords and other sensitive information by various means, etc.
They need to be controlled by society on the one hand, through the enactment of rules, regulations, laws, ethics codes, etc., and by organizations on the other hand, through devising and implementing overall corporate and detailed IT controls.
Corporate and IT control issues are quite complex and may be included in corporate and business strategic and operational concerns, rather than standing on their own ground, as such. Detailed IT controls require far more than the latest methods, practices and software tools or technology. Organizations must understand very precisely what IT entities, data, media, systems, services and assets they are trying to protect, and why, before selecting any general or specific IT control solutions.
We must also note that, as recent international data breach cases show, data privacy and protection shortcomings can do irreparable harm to companies’ balance sheets, not to mention their brands, credibility, customer trust and relationships.
IT management, IT professionals, IT auditors, internal auditors, fraud experts, etc., must always be on their guard to protect their organizations, the data stored and reported by their IT systems, and the greater society, by using, implementing and improving IT controls and methods in the most efficient and effective way.
IT controls, operating within the greater IT Governance Practices Framework, can create value for an organization, as we have seen in several consulting projects for various clients.
It is our mission, moral duty, responsibility and job to do this. IT application systems are the life-blood of organizations. Quick dissemination of correct and timely information drives forward, enables and facilitates our national and global economies, benefiting everyone across the globe.
We need to work hard to achieve effective and working IT controls. As Menander (ancient Greek writer, 342-291 B.C.) has said: ‘He who labors diligently need never despair; for all things are accomplished by diligence and labor’.
We need to both plan and act. And as William Shakespeare has said: ‘Be great in act, as you have been in thought’.
We must be persistent in reaching the goal of controls, and be aware of what Friedrich Nietzsche has said: ‘Many are stubborn in pursuit of the path they have chosen, few in pursuit of the goal’.
Last but not least, we may need to be disciplined in our approach, because as Abraham Lincoln has said: ‘Be sure you put your feet in the right place, then stand firm’.
For more specific details on IT Controls as well as Business Management Controls see the following books by John Kyriazoglou:

1. Book ‘IT Strategic & Operational Controls’, 2010, IT Governance, U.K.
2. Book ‘Business Management Controls: A Guide’, 2012, IT Governance, U.K.
3. Book ‘Business Management Controls: Toolkit’, 2012, IT Governance, U.K.

Wednesday, February 11, 2015

Free e-book: How to reduce occupational stress

Book inspired by ancient Greek wisdom
Published: Feb 12, 2015, by John Kyriazoglou
A self-help guide and an approach to manage and reduce occupational stress and improve the mental health of your people

Table of Contents

Chapter 1: The Stress Management Approach
Chapter 2: Occupational Stress Management Action Plan
Chapter 3: Strategy #1: Incorporate Basic Stress Reduction Actions
Chapter 4: Strategy #2: Add Spirituality to Your Basic Stress Reduction Actions
Chapter 5: Strategy #3: Improve Your Stress Reduction Management Process with Better Relationships
Chapter 6: Strategy #4: Strengthen Your Stress Reduction Management Process with More Robustness
Chapter 7: Improve Stress Efforts
Chapter 8: Concluding Remarks
Over 10 appendices with examples of Plans, Policies and Questionnaires that support Part A of the book.