Saturday, February 25, 2012

HOW TO STRENGTHEN RISK MANAGEMENT


John Kyriazoglou*

Effective risk management requires both hard and soft controls.


Hard controls are the formal policies and procedures of the organization, together with how well they are designed and implemented. They relate to tangible things that are usually well defined, formalized and approved, such as organizational structure, assignment of authority and responsibility, corporate standards, policies and procedures, risk methodology, ethics code, compliance procedures, computerized systems, company books, registers, audit trail mechanisms, and personnel controls like segregation of duties, taking vacation, job descriptions, confidentiality statements, etc. These hard controls are implemented and used in everyday business practice to carry out the activities of the organization by various participants, i.e., people such as employees, managers, board members, customers, etc. These participants usually operate with their feelings, their beliefs, their trust and confidence, their motives, etc., collectively termed soft controls.


Soft controls are intangible things that have to do with the behavioral aspects and social properties inherent in people (board members, executives, employees, etc.). People draw on them when applying hard controls in their daily business activities, and especially in business risk management. Examples are: tone at the top, understanding of the organization by the board, culture, structure of reporting relationships, morale, integrity and ethical values, operational philosophy, trust, ethical climate, empowerment, corporate attitudes, competences, leadership, employee motivation, expectations, openness and shared values, information flow throughout the organization, and emotional contracting.


All of these types of soft controls (tone at the top, understanding of the organization by the board, culture, structure of reporting relationships, morale, integrity and ethical values, operational philosophy, trust, ethical climate, empowerment, etc.), refer to the emotional contracting issue, also referred to as 'the psychological contract'. This is the crucial and powerful link between the organizational performance intent, and the motivations, values and aspirations of the people.


This emotional contracting element is sometimes overlooked by organizations, boards, and managers, which may explain why people at all levels of the organization have failed to do what the organization expected and asked them to do, particularly in the risk area. In management and organizational theory, many employee attitudes such as trust, faith, commitment, enthusiasm, and satisfaction depend heavily on a fair and balanced Psychological Contract. Where the Contract is regarded by board members, managers and employees to be broken or unfair, these vital yet largely intangible ingredients of good organizational performance and risk management can evaporate very quickly. Where the Psychological Contract is regarded by all stakeholders to be right and fair, these positive attitudes, including effective risk management, can thrive in the long run.


Soft internal controls (trust, integrity, values and beliefs, etc.) should be part of the organizational process of strategy setting and ethical environment establishment. Corporate policies and procedures, vision and mission statements, strategic planning, ethics codes, job descriptions, training and coaching of staff, compliance programs, etc., are the tools and the hard controls that help define whether an organization consistently will do (supposedly) the right thing. An organization might have written codes of conduct and other value-defining documents (vision, mission, values, social responsibility, etc.), but that does not guarantee that they are actually followed consistently. Most of the real understanding will not be expressly written in any document but is better evidenced in the day-to-day discharge of everyday duties and interactions. For example, the ethical culture can only rise as high as the tone set by the board and the senior executive management. If management distributes the message about ethics poorly or, worse yet, delegates the message to subordinate levels, then the effectiveness of the ethical culture is greatly diminished.


Soft controls differ from organization to organization, but are typically set at a higher corporate level and are associated with the overall governance, mission and morale of the enterprise. In addition, measuring efforts like the ethics and integrity or the philosophy of the enterprise is not a simple task.


According to Aristotle ‘All human actions have one or more of these seven causes: chance, nature, compulsion, habit, reason, passion, and desire’. But how these human factors are used in a corporate setting and particularly in risk management in organizations is quite a difficult and tedious task to study, and it is usually forgotten, to say the least, by both boards and senior executives.


 


*Author’s Credentials

John Kyriazoglou, CICA, B.A. (Hon), is an International IT and Management Consultant, author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (published in 2010 by www.itgovernance.co.uk), and co-author of the book ‘CORPORATE CONTROLS’ (to be published in 2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.










 

Friday, February 24, 2012

Global Public Sector e-Governance Issues





John Kyriazoglou*

Governance is the act of governing. It relates to decisions and actions that define what is expected, assign power, or assess and verify performance. It is derived from the ancient Greek word ‘kyvernao’.  To distinguish the term ‘governance’ from ‘government’ it is worth noting the following. ‘Governance’ is what a ‘government’ does. It might relate to a national, state or provincial government, a corporate government for private companies and public organizations (including non-profits, NGOs, etc.), a socio-political government for tribes, families, etc., or any number of different kinds of government, but governance is the physical exercise of management power and policy. ‘Government’, on the other hand, is the collective mechanism that does it. The term government is also used more abstractly as a synonym for governance, as in the Canadian motto, "Peace, Order and Good Government".

Governance in everyday life has to do with the quality of being governed by others or governing other people, commonly identified by how we relate to our mother country, our society, our laws, and the ways we practice ruling others.

It is one of the universal values for all peoples of the earth, as identified by Schwartz and his associates, belonging to the category of power, which includes authority, leadership and dominance.

Governance is also recognized as a human right in article 21 of the Universal Declaration of Human Rights (adopted by the United Nations Assembly on 10 December 1948, France), which states that ‘Everyone has the right to take part in the government of his country, directly or through freely chosen representatives. Everyone has the right of equal access to public service in his country. The will of the people shall be the basis of the authority of government; this will shall be expressed in periodic and genuine elections which shall be by universal and equal suffrage and shall be held by secret vote or by equivalent free voting procedures’.

The term ‘eGovernance’ implies technology-driven governance. E-Governance is the application of Information and Communication Technology (ICT) for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between Government-to-Citizens (G2C), Government-to-Business (G2B) and Government-to-Government (G2G), as well as back office processes and interactions within the entire government framework.

Through e-Governance, government services will be made available to citizens in a convenient, effective, efficient and transparent manner. The four main target groups that can be distinguished in governance concepts are Government, Citizens, Businesses and Special Interest groups.

The model for eGovernance is a one-stop portal, such as the ones used by the U.S. federal government, or Canada Service, or the New Zealand model, where citizens have access to a variety of information and services.

eGovernance is not the introduction of IT using the government's existing organizational model, but the optimization of government processes using IT. 

The main technological challenges, infrastructure, security, reliability, and availability, seem to be solvable. 



On the other hand, socio-cultural challenges are more difficult to tackle. These include social exclusion, adaptation of legal standards, public employee culture and user skills. 

eGovernance involves access to information and services.  These include legal information systems, access to geographic information, patent information, e-democracy, e-procurement, workflow and knowledge management.  Many of those can be implemented in an anywhere-anytime fashion (e.g. through WAP phones) and personalized to the needs of the individual citizen. 

Current global eGovernance implementations (according to the U.N.’s 2010 e-Government Readiness Index Study) show that South Korea (index: 0.87), U.S. (index: 0.85) and Canada (index: 0.84) are the top three performers, followed by U.K. (index: 0.81), Netherlands (index: 0.80), Norway (index: 0.870) and Denmark (index: 0.78), while the rest of Europe falls below. Australia is quite good (index: 0.80), while the rest of the world's countries score below 0.55.

The low-scoring countries and their public sector organizations suffer from a number of drawbacks.

They are based on market provided proprietary solutions, their contents are not updated regularly (static rather than dynamic), integrated transactions are not always supported, and many existing applications are not integrated with others. 

The basic reason behind this problem is the national government's chronic underinvestment and mismanagement in public administration effectiveness and efficiency, internal controls, organization systems, public service cultural approach, management controls, IT and lack of external (citizens) stakeholder involvement. 

New bold initiatives and actions are needed.














Saturday, February 18, 2012

BUSINESS MANAGEMENT CONTROLS FOR SMART DEVICES




John Kyriazoglou*

Virtualization, cloud computing, and wireless technology are fundamentally changing enterprise computing, providing revolutionary gains in productivity and cost savings. Powerful enterprise applications can now be delivered to almost any device, anywhere, at any time and take advantage of tremendous computing power available in consumer devices, such as smartphones and tablets. Regardless of whether these devices are issued corporately or personally owned, almost every IT department is experiencing the effects of unprecedented smart device adoption in their enterprise.

The following controls are suggested for enhancing control in this very critical area:

1. Deployment of Smart Devices: A corporate policy must be crafted and instituted to outline the use of personal devices for corporate uses and their aspects of application processing and data exploitation.

2. Purchases of Smart Devices: Follow Corporate Purchasing Policy and Procedures.

3. Registry: All smart devices should be included in the IT Assets register to be maintained by a central function (e.g., IT Department).

4. Data: All data maintained in smart devices should follow the same guidelines used for maintaining and backing up the corporate data of the given organization.












Monday, February 13, 2012

MANAGING STRESS AS A MANAGER/PROFESSIONAL



John Kyriazoglou*

Consulting experience and various international studies have shown that business managers (top, middle, bottom, etc.) and professionals in all fields (IT, Internal Audit, Compliance, External Auditing, Medical Services, Educational and Academic Services, etc.) have very difficult and stressful jobs in today’s business environment (increased workloads and demands, downsizing, many times unlimited ranges of accountability, too wide a span of controls, increased emphasis on performance, etc.) and in the volatile socio-economic conditions of doing business across the globe. When you take into consideration the full array of duties, roles and responsibilities in leading and managing their units, departments, organizations, etc., one thing becomes clear: business managers and professionals have difficult jobs. But how can a business manager and/or a professional handle this stressful environment? The "guidelines" set forth in this short article are based on various consulting experiences and sources and may be used when necessary to stimulate us mentally and morally, as a business manager or professional, and then resolve the situation troubling us, with specific actions and activities.

Guideline 1: Make the necessary changes with harmony and balance

Put happiness in its right perspective in your life.

If you must change in order to become happy, do it with a calm attitude and patience and by respecting your limits.

You must remember to balance happiness with other things in life.

Look inside you and you shall find harmony.



Guideline 2: Make silence your useful tool

Put silence in your life.

Be silent for at least 15 minutes every day.

Use silence to envision happiness and success.

Breathe slowly and get rid of all your negative thoughts.

Disregard physical pain and functions of the body.

Allow only pleasant, happy and harmonious thoughts to fill your mind.



Guideline 3: Preserve yourself

It is absolutely necessary to take care of yourself in order to be happy.

This does not mean to buy expensive goods, clothes, go on a consumer-spending journey, and generally buy a lot of things of no value to you.

It means to eat healthy foods, rest daily, pray and exercise both body and mind.

It means to respect your limits and to take care to fulfill your dreams.



Guideline 4: Love Nature

Get up close and personal with the natural world.

Ramble through forests, mountains, seas, and fields.

Get an intensive, hands-on learning experience.

Study and photograph objects of nature like flowers, plants, rivers, trees, lakes, insects, birds, fish and other animals.

Spend a day honing your identification skills for fauna and flora and discuss ecology, natural history, and plant lore, and the meanings of species' common and scientific names with experts and members of ecology groups.

Plant a tree in your home and parched local community land-spaces.

Involve others in planting and watering plants and trees.

Feed birds and provide them with small nests and water pedestals, full of water.

Expand your understanding of the meaning and contribution of the natural world.



Guideline 5: Pray (meditate) daily

The power of praying and meditation is tremendous.

Praying guards you against angry and irresponsible acts.

It lowers your egoism and self-centeredness.

It clears you from bad and jealous thoughts and acts.

It demolishes injustice.

It makes you more respectable and pious.

It frees you to think more clearly and wisely.

It opens your soul to hope and compassion.

It enables your heart and psyche to seek friendliness and love.



Guideline 6: How to handle failure

If I feel depressed: I will sing.
If I feel sad: I will tell a joke to myself to laugh, and I will read something cheerful and optimistic.
If I feel uncertain about something: I will act in a more positive and powerful way.

If I feel poor in material possessions: I will remind myself of the mental and spiritual goods I have.
If I feel inferior: I will think of something wonderful that I have done before.
If I feel insignificant: I will remember how precious I am to my own people and to my colleagues.

If I feel too confident: I will remember my failures.
If I feel too great: I will remember the moments of my shame.
If I feel too proud: I will remember the times I was weak.

If I am without a useful job to do: I will find something creative to complete.
If I'm not disciplined in my thoughts and my actions: I will reduce my activities and set priorities.
If I feel anxious: I will think in a positive and optimistic way.
If I feel that people are abandoning me: I will find ways to act with love, friendship and optimism.



Guideline 7: How to handle difficult people

1. Take a short walk outside of the location where the conflict has taken place.
2. Make silence your useful tool.
3. Use silence to envision happiness and success.
4. Breathe slowly and get rid of all your negative thoughts.
5. Allow only pleasant, happy and harmonious thoughts to fill your mind.
6. Think out a solution as regards the difficult person and situation.
7. Work out a mutually-agreed solution with the person(s) involved.













        


Saturday, February 4, 2012

Business Fraud Management Checklist


By John Kyriazoglou*

This is complemented by Business Ethics Policy Example and Business Ethics Policy Checklist. See my blog: http://businessmanagementcontrols.blogspot.com/





Ethics Policy Statement

1. Does the organization have, within the corporate ethics policy, a statement with respect to fraud?

2. Who is responsible for the issue of this statement?

3. Has this policy statement been approved and ratified by the Board or other Top Management Committee?

4. Is this statement widely publicized in the organization?

5. Is this statement reviewed and improved annually (at least)?

6. Is the policy statement linked to Internal Controls?

Fraud Policy Statement

7. Does the organization have a Fraud Policy?

Consider: Procedure for a disciplinary interview, employee services termination procedure, obligations of employees during notice periods and upon termination of employment, complaints procedure, theft and threats policy, obligations of external contractors, investigating procedure, use of external approved investigators or expert internal audit personnel, and the protection procedure for the information sources.

8. How is fraud defined?

9. Has this policy been approved and ratified by the Board?

10. What kind of aspects does the policy deal with (e.g. preventive, investigative or recovery aspects)?

11. What are the objectives of the policy (e.g., avoid fraud, catch fraud, take legal action, etc.)?

12. Does the policy apply to all employees, management, board members, and external contractors?

13. Who is (manager, function, etc.) responsible for ownership and administration of the Fraud Policy?

14. How are fraud risks monitored e.g. through risk registers?

15. Is there a budget for investigative costs on potential fraud issues?

16. Does the organization specify roles and responsibilities within the Fraud Policy (e.g., for the audit committee, the Board, the HR Function, a Fraud Liaison Officer, etc.)?

Reporting Fraud and Corruption

17. What is the procedure for reporting suspicions of fraud?

18. What guidance is provided on dealing with incoming mail (such as anonymous letters, e-mails, etc.)?

19. Who are the first points of contact for reporting suspected dishonesty?

20. Does the organization operate a Fraud Hot-line?

21. Does the organization have a Whistleblowing Policy, which sets out the principles for protection of employees when reporting suspicions?

Response to Fraud and Corruption

22. Does the organization keep a register of fraud?

23. Who is responsible for maintenance of this register (e.g., a Fraud Officer)?

24. What are the access rights to the fraud register?

25. Is the fraud register held securely?

26. Who is responsible for the investigation (e.g., Internal Audit)?

27. Who oversees the investigation?

28. Do written reports have to be submitted and to whom?

29. How does the organization deal with enquiries from the media?

30. Are employees suspended from work pending an investigation?

31. Are all reasonable means of recovering any identified loss pursued?

Investigation of Fraud and Corruption

32. Who monitors actual resources used against the agreed budget?

33. If a member of staff refuses to cooperate in a workplace investigation, are they liable to disciplinary action?

34. How is the interview recorded?

35. If the interview is tape recorded, is this with the permission of the suspect?

36. What does the organization do to avoid a similar occurrence of fraud in the future?

37. Who is responsible for making claims under insurance policies?

38. What is the process for notifying the police?

Rights of Employees

39. If an employee is charged with a criminal offence involving potential exposure to a term of imprisonment, are they required to report this and to whom?

40. If an employee is the subject of an improper approach where a bribe is offered, is there a requirement for this to be reported and to whom?

41. Is there a presumption of innocence, unless proved otherwise?

42. At fact finding or investigative interviews, are employees suspected of dishonesty entitled to representation and by whom?



*Author’s Credentials

John Kyriazoglou, CICA, B.A. (Hon), is an International IT and Management Consultant, author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (published in 2010 by www.itgovernance.co.uk), and co-author of the book ‘CORPORATE CONTROLS’ (to be published in 2/2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.







Blogs: Articles, Opinions, etc.: http://businessmanagementcontrols.blogspot.com/






Business Ethics Policy Checklist


By John Kyriazoglou*

This is complemented by Business Ethics Policy Example and Business Fraud Management Checklist. See my blog: http://businessmanagementcontrols.blogspot.com/

1. Does the organization have an ethics policy?

Consider: Formal approval process and contents: Guidance should be provided on how to handle issues such as conflict of interest, gratuities and gifts, outside employment, contacts with external parties, confidentiality of information, personal obligations and commitments, etc., on the principles of fairness, openness, trust, integrity, responsibility, and mutual respect. Inclusion of the ethics and anti-fraud policy statements.

2. Does the organization have a meaningful anti-fraud policy statement?

Consider: Instructions should be provided on how to manage potential fraud issues in vendor relationships and competitors, making illicit proposals and payments to get sales and contracts, proper maintenance of corporate books, systems and records, and effective management and control of corporate assets.

3. Does the organization have an ethics office and is it properly established?

Consider: Office space and computer facilities, ethics officer, support staff, ethics incidents register, office for confidential discussions and conference room.

4. Has a communication plan for ethics been formulated, approved and executed?

5. Has a training plan for ethics been formulated, approved and executed?

Consider: Budget, issues covered, attendance by all staff (Board, Executives, Managers, Employees).

6. Is an ethics culture apparent at all levels of the organization?

Consider: Behaviour of Board Members, Executives, Managers, Employees, existence of an open style of communication, a positive work environment, the procedure for getting ethics advice, the operation of an ethics hot line, the procedure for resolution of conflict, incident investigation process, etc.

7. Is an anti-fraud ethics culture apparent at all levels of the organization?

Consider: Strong commitment of Board Members, Executives, Managers, and Employees to the vision, mission and values of the organization, anti-fraud policy statement, compliance issues for ethics and fraud, and commercial crime prevention techniques.

8. Are all of the major players -- including stakeholders, shareholders, management, employees, customers, key suppliers, etc. -- participating?

9. Is there meaningful participation by board members at all stages?

10. Is a strong management committee in place to manage policy development and implementation?

11. Does the industry have a good record of similar initiatives in the past?

12. Are the organization leaders demonstrating strong commitment?

13. Have the background conditions and motivations been clearly identified?

14. Are the policy proponents inviting meaningful third-party representation and involvement by consumer groups, other standard-setting bodies, and are they prepared to pay for this involvement?

15. Are the processes for developing and implementing the policy open and transparent?

16. Is there a clear articulation and understanding of the rights and responsibilities of all stakeholders?

17. Is there clear evidence that the policy will promote the corporate interest in areas such as confidentiality, fraud protection, conflict of interest, and other ethics concerns?

18. Does the policy include effective complaints-handling and redress mechanisms accessible to everyone, effective programs to inform consumers and the public, and an evaluation framework to track progress and provide credible evidence of success and failure?

19. Will a reputable third party regularly monitor the policy?

20. Does the policy have the capacity to mature through time and respond to new learning and developments?









