Hard-Boiled Compliance

Finance executives today are tired and stressed out!

As I'm "in the field" consulting to finance executives, I not only hear this constantly but I also observe it directly. It's always been a challenge in the past, but now with the growing awareness and concern for compliance, hard deadlines are more than just a monthly or quarterly constraint.

So in my constant quest to improve the condition of finance executives, I developed a new speech that addresses these concerns head-on.

But it gets better.

I enlisted the help of my mentor Dr. Alan Weiss, the ultimate management consultant and Speaking Hall of Famer, to elevate my speech to a new platform. Last week, I attended "Speaking with Alan" in Providence, Rhode Island with five other world class consultants, and it was amazing. The end result is a powerful, informative, and value-packed speech that will give you your life back.

Here's a high-level overview of what you'll get from this new speech:

• Learn how to get control of your time
• Learn how to leverage technology to get the most out of your time and budget
• Learn how to reinvent your organization for optimum results
• Learn the secrets to accomplishing your goals
• Learn how to meet objectives in the face of risk and uncertainty
• Learn how to be more productive at work by not working

Please contact me directly to see how we can arrange bringing this value to your organization.

My speech wasn't the only great speech to emerge from this workshop. Here are the other colleagues that attended, and the speeches they created. They're all dynamite, so it's worth your while to check them out.

• Roberta Matuson - Guard Your Exits: How to Retain Top Talent in Turbulent Times
• David Gammel - The World on Your Website : Generating Cross Border Business 24 Hours a Day
• Angie Katselianos - Unlocking Your Employees' Motivational DNA
• Pay Lynch - Hidden Gold : Mine Your Passion, Make Your Life
• Pamela Harper - Corporate Self Esteem : Building Resiliency, Creating Growth Markets

Please contact them directly to have them speak at your organization.

From Left to Right: John Weathington, Pat Lynch, Angie Katselianos , David Gammel, Pamela Harper, Roberta Matuson, Koufax the Wonder Dog, Dr. Alan Weiss.

NOTE: This originally appeared on this date at Quest Software's ToadWorld, on the expert blog "John Weathington's Quest for Compliance". The link to the actual ToadWorld article is at the bottom.

If your company operates like most, your compliance efforts were brought about by an urgency. For instance, perhaps your company instituted its SOX compliance program because the deadline for SOX compliance was growing near, and the filing requirement forced your company into action.

There is a bigger picture here however. In the landscape of governance, risk, and compliance, the compliance part is a by-product of risk. You’ve heard me say this before. Compliance is about implementing controls ( like Segregation of Duties ), which is about controlling risk ( like risk of fraudulent activity ).

By understanding the overlying framework, prudent companies can build a compliance program not from urgency, but from a more sensible risk standpoint. And by engaging their database professionals ( that would be you ), they stand a good chance of modeling it correctly.

But You’re Already in Compliance – Why Should You Care About Risk?

Focusing on risk is an evolution from compliance, and has the following advantages:

• Convergence – Often times, risk will allow you to combine multiple controls into one. This reduces costs, as the number of controls is in direct relation to the cost of compliance.
• Identifying Control Weakness – Focusing on the risk allows you to address the real issue of potential loss, and derive controls instead of arbitrarily implementing them based on a demand. For instance, Segregation of Duties is only one way to control the risk of fraud. Only by focusing on the risk itself ( fraud ) can you properly control for it, which may entail multiple controls, of which the key control may not even be a Segregation of Duties control.
• Alignment with Strategic Objectives – In the framework presented, compliance and risk are supporting elements to strategic objectives. There’s no way to get compliance in alignment with strategic objectives, without bridging it through proper risk analysis.

Modeling Uncertainty

Risk is uncertainty – it’s that easy.

For some reason, trying to model uncertainty seems to give people problems, but it’s actually pretty simple. In our example above, the risk is fraud. We are uncertain if fraud is going to occur. And since the impact of fraud is probably pretty severe, we need to control for it – and this is the birth of compliance. Segregation of Duties is one way to do this. So what the regulators will suggest is that you focus on Segregation of Duties, and that’s what you implement. They’ve taken it upon themselves to assess the risk and recommend appropriate controls.

But now your company wants to be a little more mature about compliance, so they ask your help on profiling the risks that are being controlled. Here’s where you start:

• RISKS
  • RISK_ID – Unique Identifier of the Risk
  • RISK_NAME – Name the risk ( i.e. fraud )
  • PROBABILITY_GUAGE – The probability that the risk will occur. A number between 1 and 100.
  • IMPACT_DESCRIPTION – A general description of what will happen if the risk occurs.
  • IMPACT_COST – A quantitative measure of what it will cost if the risk occurs.
  • IMPACT_GUAGE – A degree of impact, expressed in terms of a scale from 1 to 100.
  • DETECTABILITY_GUAGE – How easy it is to detect the risk. A number between 1 and 100.

This is a good starting point for modeling the pure risk. If you have a compliance program already in place, do an exercise for each control to explore the risk that’s being controlled.

Completing your Risk Model

To finish out your risk model, you will need to consider the following tables:

• RISK_INDICATORS - There will be a many to one relationship between RISK_INDICATORS and RISKS ( a risk can have multiple indicators ). In this table will be the probability ( INDICATOR_PROBABILITY ) that if this event shows up, a risk is soon to follow. You will also want to track the lead time between the risk indicator and the risk occurrence.
• RISK_CAUSES - There will be a many to one relationship between RISK_CAUSES and RISKS ( i.e. a risk can have multiple causes ). This is, in essence, all the entries in the RISK_INDICATORS table with an INDICATOR_PROBABILITY of 100%.
• CONTROLS - Ah, this is where you started! Obviously, your controls table will contain all the ways you are controlling your risk. Of course once the analysis is under way, you may modify this table with more or less entries. The key here that you did not have before, is now you have a link between your risks and controls. The link is many to many, so you’ll need to introduce an associative table ( i.e. RISK_CONTROLS )

This should get you started in profiling the risks at your company. Once complete, with some simple reporting your company will have a very good picture of where it’s exposed, and your auditors will have an easy time understanding your compliance control structure.

...read the article on ToadWorld

NOTE: This originally appeared on this date at Quest Software's ToadWorld, on the expert blog "John Weathington's Quest for Compliance". The link to the actual ToadWorld article is at the bottom.

The “Who’s On First” comedy routine by Abbot and Costello is a classic that I’m sure everybody is aware of. What’s not such a comedy is that situations like this happen in Corporate America all the time. Where it becomes a tragedy, is in compliance.

Like a lot of other things, nice-to-haves become musts when compliance comes into the picture, and accountability is no exception. If an auditor shows up on your users’ doorstep looking for who’s responsible for a failed control, and your user starts the “Who’s on First” routine, things could get very ugly.

In looking through numerous advisories and best practices on compliance, accountability is one of those things that seems to always emerge. The reasons should be pretty obvious. If nobody’s steering the boat, then the boat’s probably out of control.

Let’s talk about some design architectures that can support your users’ need for demonstrating accountability.

Organizational Breakdown Structures

We’ve all seen org charts, and I’m sure you are familiar with your company’s organizational structure. You may even have the organizational structure modeled somehow in your company’s ERP and / or Human Resource Management system.

What’s important to highlight, is that the same people in your organization can be organized for different purposes, creating alternate organizational breakdown charts. Take a project for example. For the life of a project, you may have a project manager that has team leads, who each have team members. Also reporting to the project manager may be a project coordinator, communications manager, risk manager, and / or change acceptance manager. This is the project organization.

Closer to the compliance home front, your company should have an organization built around its processes. You could have a process manager that has process owners, process auditors, and contingent response team leads. Moving up the chain from process manager could be process group managers, and global process managers.

So, process organizational breakdown structures support the objectives of the processes, however the intelligent enterprise that has compliance as a strategic objective, will have a compliance organizational breakdown structure.  To ensure compliance, there will be a host of roles involved which could include; legal professionals, finance professionals, process analysts, auditors, program officials – and yes IT support people.

Organizing all these people to ensure compliance success is beyond the scope of this article, however what is extremely relevant to you, is how your data system is going to support this.
Communicating Involvement

The practice of business process management gives us a good framework to model involvement which you may have already heard of. It’s called RACI, and it stands for:

• Responsible – The person who will perform the actual action
• Accountable – The person who will get fired if something goes wrong
• Consultant – The “expert” with all the answers, but none of the responsibility
• Informed – The people who have to know what’s going on, but don’t actually do anything

Of course, I’m a little tongue-in-cheek here ( there’s a big surprise ), but you get the point.
To put things in context, let’s take a compliance process of control. The control is a reconciliation control, and we’re controlling for the risk of inexperienced people accidentally posting the wrong numbers.

There could be more than one person responsible for the process, and in our example there is. There are two finance analysts that will independently do the reconciliation. This is a very intelligent way to organize the control, and will greatly reduce the risk.

There should only be one person accountable for the reconciliation process. More than one can introduce finger pointing. That said, there could ( and should ) be multiple levels of accountability. This is where things really start taking the shape of a traditional org chart. In our example, we’ll have a finance manager who’s accountable for the process, and will be called the process control owner, and he reports to a process control group owner.

Of course nothing happens without expertise, so we have a few consultants in the mix here also. There is a much higher probability that there will be multiple people in this category, than that of the responsible category. Consultants can be external consultants ( the priceless variety ), or internal consultants ( legal, finance, etc. ). To illustrate a point, we’ll have the process control owner and the process control group owner as consultants as well.

Finally, we have the “informed” group. I really love these guys. These are the people that just “have” to know what’s going on. Actually this is a legitimate category, and there are legitimate reasons to be in this category, but based on my experience, the number of people that sign up for this group of involvement is usually way overboard. We still need to model for it however, so here we go.

Modeling the Compliance Organization

So how do we pull this all together?

I really like the star schema architecture for this problem – with a little twist. I think you have a number of dimensions going on here:

• TIME. Don’t forget about time because we need change history in the fact table.
• FUNCTIONAL PROCESS. This is the process that we’re trying to control ( i.e. subledger posting ).
• CONTROL PROCESS. This is the process for controlling the functional process ( i.e. reconciliation).
• EMPLOYEE OWNER. This is my organizationally correct way of saying human resource.
• INVOLVEMENT. This is a static dimension that contains the RACI involvement categories discussed above.

This could be a factless fact ( a fact with no metrics ) which is fine. The sole purpose of the fact is to organize all the dimensions together. Here are some other points to consider:

• Downstream from your ERP or Human Resources management system. Do not try to replicate your employee database here. You run the risk of inconsistency, and could create a maintenance nightmare.
• All dimensions MUST be Type 2 slowly changing dimensions. This should be a hard fast rule for any star schema related to compliance.
• If you’re process is broken down into process groups you could expand the FUNCTIONAL_PROCESS dimension. You could keep it flat, or snowflake. I would prefer keeping it flat. Of course, the same goes for the CONTROL_PROCESS dimension.
• Don’t model levels of accountability into this. If your process has process groups, and you have process group owners in your organization, resist the urge to connect dimension to dimension. This will create a mess. We’ll handle accountability in just a second.
• Theoretically the FUNCTIONAL_PROCESS could be in the CONTROL_PROCESS hierarchy. Don’t model it this way – keep the functional process as its own dimension. As you evolve in your design, you may start to get a many to many relationship between the functional processes and the control processes. You want to keep the flexibility of design here.

So this should handle everything but the levels of accountability, so this is the twist. As noted above, don’t try to model this in the star schema – model this off in its own normalized area. You can use a self referencing table ( i.e. unfold the organization with a COMPUTE BY statement ), but I don’t like these for practical reasons. I think it’s better to just build a flat table with 5 or 7 layers of accountability, and just maintain it there. Make sure you have a one to one link with your dimension, so when asked to produce your hierarchy for accountability, you can drive from any control process.

Accountability is a critical component to your organization’s compliance structure, and they need your help in the design and implementation of systems to support these requirements. A compliance organizational breakdown structure is how your company organizes for compliance success. You can use the RACI model to model involvement, and a star schema architecture to put all the pieces together. Talk to your program manager today about drafting a project charter to get this initiative started.

The August 2008 issue of Flawless Compliance is available, with Center Stage article, A Hard Look at Principles Based Account, Is it a New Wave or a Tsunami? Plus, should Apple shareholders be concerned with Steve Jobs' health? Also, how to break dependencies on a compliance project, a mid-level manager at Siemens is in the soup, and a gold medalist gets a bronze level ceremony.

... read the August 2008 issue of Flawless Compliance

NOTE: This originally appeared on this date at Quest Software's ToadWorld, on the expert blog "John Weathington's Quest for Compliance". The link to the actual ToadWorld article is at the bottom.

Edward Yourdon, in his classic book “Death March” ( Prentice Hall PTR ), describes a death march project as a project “whose ‘project parameters’ exceed the norm by at least 50 percent.” In other words, this is a project that is doomed to fail.

The reason I bring this up, is because if you’re going to be a resource on a compliance project, there is a very good chance that you will be placed on a death march. The odds are highly stacked against you. The first problem is that as a database professional, you will by definition be part of an IT project. It may not necessarily be IT compliance, however there will obviously be an IT component to it. There have been numerous studies done on IT projects, and the grim reality is that IT projects usually fail. In fact, the Standish group did a study around the turn of the Millennium, that showed that IT projects fail to meet all the business objectives on budget and on schedule -- 99% of the time. I’m hoping things have improved since then, but based on my experience, probably not that much.

As if the odds weren’t stacked against you enough, now throw in the compliance factor. As you’ve probably heard me say before, compliance projects are arguably one of the worst types of projects to be involved in. Things are getting better with the current awareness, however still today a good majority of compliance projects are reactive – in response to some real bad news. Your executive sponsor, and all your stakeholders will invariably adopt a “wishful” attitude about the your “project parameters”, as Mr. Yourdon puts it.

So, here comes the death march ( sound the music of doom ). This has to be done yesterday, and we weren’t planning on this showing up, so we don’t have any people or money to work on it – but it has to be done.

Of course there are strategies that can be employed at the program and project level to avoid the death march, but that’s not what this article is about. This is a survival guide for the team member that recognizes that they’re stuck in one of these.

Tell Tale Signs of a Death March

It should be obvious, but how can you tell?

You may not believe this, but I’m generally an optimistic person. I like to approach situations with an open mind, and even with those glaring statistics staring me in the face, I tend to give projects the benefit of the doubt to start with. It doesn’t take very long however, when the tell tale signs of a death march show up. Here they are:

• No Project Charter. This isn’t a deal-killer, but it’s a strong warning. A project that has no charter is a project that is probably being run by an inexperienced project manager. If there’s no project charter, there should at least be some document that clearly states what the objectives of the project are, and why you’re doing the project.

• No Project Plan. This is the biggest indicator, and a sure sign that you’re on a death march. If your project manager cannot show you a project plan, either he doesn’t know what’s going on, or he doesn’t want to share with you what’s going on. In either case, you’re certainly in trouble. The only exception to this is project that’s following some sort of Agile methodology. But even in this case, there should be some evidence of a planning exercise.

• Static Project Plan. This is project plan that never gets updated. This is almost as bad as having no project plan at all. Projects don’t execute that way. As the project progresses, reality takes over, and adjustments need to be made.

• Right to Left Project Plan. This is a plan that starts with an end date and works backwards. These are usually unrealistic because they probably started with an unrealistic end date, and fudged the activities back to the starting date. These are sometimes subtle and hard to catch, but if you study the project plan, you can usually see glaring problems ( like a 2 day deployment that you know will take at least 2 weeks ).

There are other signs, but the bottom line reason why a death march shows up, is poor project management. Even if the stakeholders are unrealistic, it’s the project manager’s job to demonstrate how unrealistic they are, and hold ground. If you sense that your project manager is not qualified to take on the project, you’re probably on a death march.

Death March Survival Tactics

So, now that you know you’re on a death march, what do you do? In 3 Key Tips for Surviving a Firefight, I shared with you some techniques for bracing in on a hot compliance project.  To review, here’s what we came up with:

• Get good tools and learn them well
• Don’t take it personally
• Keep grounded in reality

This is all good and well, but in that article we were assuming you still had a chance to succeed. In this case, we know you won’t. Keep these points in mind and do the best you can. In addition, because of you’re impending doom do the following:

Tip # 1: Understand the Doom Timeline

The doom timeline can be deceiving, so it’s good to be aware. On a project slated for doom, attitudes will be fine until the very end, and then everything will explode. The reason why there’s no concern until the very end, is because ignorance is bliss. But at some point, everybody will “suddenly” realize that the project is not going to make its objectives. When that happens, look out!

Tip # 2: Keep a Daily Journal

This is a defensive move. The instant you recognize that you’re on a death march, start a daily journal. Hopefully, this will be early in the blissful segment of the doom timeline. It’s important to understand the doom timeline, because it won’t feel like you need to take a defensive position, as everybody is still happy about everything. Don’t let this fool you. You need records. When things blow up, they will come looking to justify the time that was spent. You need to have detailed records — not only of what you did, but how the project’s direction has moved over time ( i.e. decisions made by the project manager ).

Tip # 3: Insist on Feedback Meetings

In Six Sigma, these are called “Plus Deltas.” These are meetings to explore what you are doing right ( Plus ), and ways you can improve ( Delta ). Insist on doing one of these every couple of weeks, and take good notes on the feedback from your project manager. Poor communication is a killer, and if the project isn’t being run correctly, most likely there are communication problems. These usually manifest as ambiguities caused by lack of communication. When things blow up, you don’t want to be wedged in one of these corners of equivocalness.

A death march is not a fun place to be, but if you’re a database professional on a compliance project, chances are you’re in one. Look for signs of poor project management like a missing project charter or project plan. Once you’ve determined you’re on a death march, be sure to keep the doom timeline in mind, keep a daily journal, and insist on getting feedback on your performance from your project manager. Keep these things in mind, because when things blow up – and they will – you want to make sure you have on your protective gear.