Categories
Academy & Learning Business Case & News Science & Insights

The new norm – impact on internal auditing

Covid-19 has accelerated the need for change. We’re likely to face extensive remote working, with fewer people, either because of illness or headcount reductions. Productivity and reduced budgets add to the challenge.

The challenge increases…

  • There is significant need to understand and manage the invisible real world of culture and behaviour. What really drives effective business, compliance, and risk performance.
  • The value of backward looking KPIs, audit reports and risk methods is being challenged.
You can’t drive a business by looking in the rear-view mirror.

It’s no wonder that many are asking what they can do to still manage their business effectively

How do we:

  • Reduce costs – do more for less
  • Increase the value of business, risk and compliance data
  • Manage what is really happening & create the high performance organisation.

What techniques can we use?  Here’s a recent real case study:

The method : In this case, but not all cases:

  • No auditors were used – they couldn’t visit homeworkers who were self-isolating
  • All departments (essential staff) and home workers audited at the same time
  • Automatic analysis to generate results, confidential not a survey nor where any questions asked or right and wrong answers needed
  • A focus on what people achieve not just what they record or say is happening.

The results : sign post risks to business outcomes and governance requirements

Number of participants

Findings : sign post risks to business objectives / outcomes

Risks emerge from the invisible ‘business as normal’. 
In this case H&S in departments in orange and purple.    

Applies to any audit or inspection of any management process, standard, business or checklist.

Audit findings : sign post risk to, in this case, the clauses of the ISO45001 Health and Safety standard

Audit findings : sign post risks using job roles

The science and the practical realities

Have a question or want to know more then drop me an email at ianrosam@hpoorganisation.com

Categories
Business Case & News

Regulatory focus on behaviour and outcomes, are you ready?

The forever Regulatory focus on behaviour and outcomes increased even more following Andrew Bailey’s, CEO of the Financial Conduct Authority (FCA), comments at the recent Regulators Meeting on the future of conduct regulation and therefore compliance:

“A significant part of this debate turns on the issue of outcomes versus rules. Rules are a crucial mechanism for delivering outcomes, but can also be interpreted so rigidly as to become a box-ticking exercise”.

This is a lesson we want to see reflected in firm behaviour – any organisation that prioritises being within the rules over doing the right thing, will not stand up to scrutiny for long.’

This poses several questions:

  • How does audit need to change to meet this focus on the right outcomes?
  • What will the audit evidence look like if there are no documented and predetermined rules to subsequently audit against?
  • What does ‘firm’ behaviour mean?

Perhaps it is better to focus on the last question.  What is the regulator expecting from organisations?  Well the first thing will be the focus to reduce the tick box mentality. Often this means ask a question, look for the evidence that the pre-determined rules, procedures and processes have been followed.  If they have ‘tick the box’, if they haven’t raise a non-conformance. This is a backward looking approach. One that is focused on mechanistic outputs not outcomes which is the true deliverable, experienced by stakeholders.

This rule-based approach assumes that everything can be pre-determined and that human beings will always follow these rules.  It assumes that people are robots, which they are not. In reality they have to react to situations that cannot always be predicted.  The other factor is that rules are often someone’s mental construct.  It may be a picture of reality, but it isn’t reality.  These enduring failings of existing approaches is what, I believe, Andrew Bailey is targeting. By firm behaviour he may mean an expectation of change or, at least, a re-positioning of the balance between what can and cannot be predetermined and audit accordingly. A regulatory focus on behaviour and outcomes

Is the FCA alone in the change of focus?

Maybe not.  International Standards have changed to be more risk and outcome based. I have seen little evidence that certification, accreditation bodies and suppliers of audit training have changed the audit techniques. Perhaps there hasn’t been enough pain yet.  Unlike the Management Accounting world where their is pressure for change following the Carillon collapse and other well publicised failures. A Regulatory focus on behaviour and outcomes and its impact on conduct, compliance and performance risk. This is also being driven by changes in Corporate Reporting rules for larger organisations.

Avoiding the ‘will not stand up to scrutiny for long category’ trap?

No doubt some will say they have already made the change or in part which is good.  Others may well be in denial believing what they currently do and have been doing for years is enough. There may not be a complete list of factors in terms of making this change. The following are offered as some thoughts and suggestions to meet this regulatory focus on behaviour and outcomes:

  • Is this change increasing the cost of compliance?  If it is or there is pressure to do so then this may be an indicator for a review of audit and risk activity.
  • Do auditors know the difference between a mechanistic system focused on outputs and an organic system (reality) focused on outcomes and how to audit each?
  • Do audit techniques gather evidence of what people achieve, the impact or outcome of how people behave, not just what they say they do or write down?
  • Do auditors have the capability to consistently analyse the outcome of how people behave (the real evidence) and report this against business performance and compliance outcomes? (what does the evidence mean to risk and compliance, is it this the FCA and others are seeking to achieve).
  • Do audit reports signpost predictive risk to compliance and performance outcomes?  Is this predictive analytical approach allowing business leaders to see risk levels and thus manage individual and collective behaviour accordingly.

This business issue is not now just about compliance, it is about optimising business outcomes be that profitability, management of overheads, customer experience and other desired & undesired outcomes.

Categories
Science & Insights

Focusing internal audits to improve performance targets and compliance

The UK National Health Service have concluded that having targets for target sake doesn’t improve patient care i.e. performance outcomes. This happens in organisations where the focus of audit, risk and performance management is on the improvement of a KPI. This also has an adverse effect on staff behaviour with evidence of people playing the system in order to meet targets. 

Using mechanistic targets

If this is the case then before we consider replacing existing KPIs with new ones we need to understand why these have not worked. The biggest factor is mechanistic nature of measurements upon which the KPIs are based. These mechanistic measurements work effectively when the inputs to the process can be controlled from within the process itself. In addition they work best when the process is stable.  For example, a car manufacturer can control the inputs. It can predetermine a series of manufacturing activities and model these in precise detail. It can also agree with suppliers when inputs will be supplied and in what form. 

KPIs are valuable as the conditions upon which they are based does not change from one period to the next.  There is an audit and improvement focused on stripping out variation and non-conformance to achieve better results. In doing so everyone becomes a cog in the machine. Each having no choice but to act in a prescribed way to meet the KPI and target.

The problem with mechanistic KPIs and targets

The problem comes when the inputs cannot be controlled from within the process.  For example, an Accident & Emergency department cannot control its inputs, the patients and their illness.  Hospitals can’t predict precisely who will be injured or when they will attend for treatment. Neither will they know when a disaster such as an explosion will occur.  These cannot be predetermined so neither can each cog in the machine.

If these natural input variations exist then the conditions on which the mechanistic measures are based will be continually changing. This makes mechanistic KPIs and targets logically weak as a vehicle of comparison.  In effect we would be auditing and measuring performance using the wrong approaches. This results in incomplete audit and risk information being provided to management. It also distorts people’s behaviour as they strive to get round a situation and approach that is unreal to them.

Thinking about KPIs and audits differently

In conclusion a hospital isn’t a mechanistic system, its an organic living system. Our A&E department, just like any business process or organisation, is a complex interaction of clinicians and non-clinicians, patients, their family and friends all adapting as one team to a situation they could not predict. 

They, like any organisation or team, are focused on delivering organisational and compliance outcomes, not outputs (that is mechanistic thinking). Sure team member involvement can be pre-determined or assumed – a consultant is a consultant, a nurse a nurse, a patient is a patient. How they behave at the granular level is influenced by the reality of the situation they find themselves in. Their behaviour is governed by the context or situation that presents itself. It is this issue which renders weakness in traditional audit, risk and performance management.

If this is the case, then what can we measure and audit?  What we cannot easily do is measure people’s individual behaviour. What we can more easily audit is the outcome or impact that behaviour has on other people, compliance and performance. It is this outcome based objective evidence that is critical.  Each individual behavioural outcome informs the overall performance criteria or KPI to a greater or lesser degree. Instead of KPI we prefer to call these measures drivers of performance and compliance.

Audit – using lead indicators of risk

This changes what is audited and what is reported against. The implication is quite profound as behaviours are lead indicators of risk, mechanistic audits and measurements are lag indicators.  As this qualitative behavioural data that can now be audited and consistently analysed. This analysis quantifies qualitative data to produce a risk profile against desired drivers of compliance and performance performance. Drivers as results provide forward looking and predictive view. The shift and understanding the reasons for this is fundamental we believe.

Balancing audit and measurement techniques

The audit and performance management art is to recognize the nature of what is to be audited. Which process activities are concerned with managing variety and which variability. The audit technique used is dependent on this criteria. The mechanistic methods are used to question auditees against the planned requirements, do they carry out tasks as planned. The more organic unplanned activities that take place as the reality unfolds given the the context are assessed by auditing behavioural outcomes or impacts, simply because there is no predetermined plan.

The same applies to performance management. Use traditional KPIs and targets where the process activities are mechanistic and based on outputs. Use performance drivers where activities are more organic based on outcomes and where risk is an emergent characteristic.

There is a risk in simply changing all KPIs from mechanistic to organic ones, its a balance. For example, an Accident & Emergency department can’t control its inputs so a more reliance on drivers of performance based on outcomes is needed. However a specialist cancer unit can control its inputs as only those people with particular type of cancer are referred. In this case more mechanistic measures could be deployed complemented by the drivers of performance.

The future of auditing

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.

Categories
Business Case & News

Compliance, Corporate culture and senior management

Compliance – Senior Managers Competence Regime (SMCR), why it affects us all?

SMCR outlines a set of responsibilities and conduct risks.  Ultimately this leads to the conclusion that the only way Senior Managers of Financial Service organisations can demonstrate their compliance is to measure the corporate culture they are responsible for managing.  This set of requirements is being rolled out throughout 2019.

At the same time private sector organisations have a new set of compliance requirements to meet.  The Wates corporate governance requirements provide a framework within which larger private sector companies manage their businesses.  A significant shift in corporate reporting with two principles standing out:

1. Purpose and Leadership – including the monitoring of corporate culture.

2. Opportunity and risk – including risk management frameworks with a view on long term sustainability, risks that affect stakeholder needs, external and internal risk.

The Impact

Both SMCR and new Corporate Reporting requirements have at their heart the need to monitor culture.  This means that organisations need to have effective methods in place to identify where compliance and conduct risks are emerging from the corporate culture and that these risks are being managed and reported before they become a reality.

Once the risk emerges and appears on KPIs, audit reports and surveys it is too late and management can only manage the consequences.

Is the Financial Sector and larger private sector organisations alone?

No, ISO standards and H&S requirements for example are all heading in the same direction – monitor corporate culture and understand the risk this poses, so change is not optional for any of us.

The conclusion

Consequently, the traditional audit and assessment methods that continue to be used are not effective enough on their own.  These must change.

HPO Clearview uses an enhanced audit and assessment method and via a cloud-based platform measures that culture.  Making visible what is often invisible so that risks can be managed. 

Behavioural indicators / outcomes are forward looking risk indicators.  Audit reports, results, surveys and KPIs are backward looking, no matter how much big data is collected they are not truly predictive. 

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.

Categories
Science & Insights

Feedback & Participation – Audit, risk & assessment

Feedback to and from “The Crowd” is not optional when striving for business success

Crowd source auditing is effective because it involves “The Crowd” (i.e. the people who experience what is being audited). They feedback their experiences of what is really happening on a day-to-day basis – they are, after all, the ones who know this best.

No amount of traditional auditing can hope to collect this depth or breadth of evidence, especially as much of it is behavioural that, by its nature, is variable and often inconsistent. Giving the Crowd a voice benefits the organisation by exposing previously invisible risks posed by current operating practices. It is these that affect the delivery of outcomes, objectives and governance requirements. Whatever documents may show, it is the reality of current practices and behaviours that creates most of the risk and it is this that RSVista captures, analysis and reports.

Having involved the Crowd, providing them with effective feedback of what they are saying and what you are doing about it is critical to keeping them involved and motivated to do more, encouraging this empowerment of their ‘voice’. The organisation’s ability to respond to feedback from audits, either traditional or Crowd sourced, in the optimum way helps to drive business success. The effectiveness of the overall feedback cycle, Crowd to Organisation to Crowd, drives the organisation’s ability to proactively change to manage risk. Rather than re-actively after unplanned events occur. This is a key part of the organisational eco-system, with feedback stimulating growth and adaption, so that the organisation can continue to succeed. Choke this feed back cycle at any point and the organisation’s life-blood stops, the eco-system falters and the organisation becomes slower to adapt. That drives increased risk of failure to the delivery of business outcomes and compliance.

feedback poor performance
The Business Eco-system – ‘No feedback leads to poor organisational performance

In conclusion

Giving Feedback to the Crowd is therefore just as critical as getting feedback from it. This isn’t an optional extra or something for others to do! All Managers at all levels must understand why both forms of feed back are critical. The results of audits, what they are showing and what is being done with the results must be communicated to the Crowd on a regular basis to reinforce, through increased understanding, the key part they play. If not, they will have no reason to engage further and feedback will be stifled.

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.

Categories
Science & Insights

Cultural Analytics turning qualitative to quantitative data

Have you ever noticed that following poor business performance, for example, Deepwater Horizon, Stafford Hospital and Supply chain failures, subsequent investigations always reveal that the cultural and behavioural conditions must have existed for the poor performance to emerge and become a reality?

The article outlines how people’s behaviour can be the subject of audit and assessment.  Cultural analytics turns qualitative data into quantifiable management information.  This allows organisational risk, conduct risk and compliance and performance management risk created by the business culture to be exposed.

HPO-Whitepaper-Cultural-Analysis-Blockchain-2

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.

Categories
Business Case & News

Targets, Outputs or Outcomes?

Is it time to change how we think about targets?

NHS England recently announced it was overhauling NHS targets for A&E departments along with changes to waiting times for cancer, mental health and planned operations.

They have come to conclusion that having targets for target sake doesn’t improve patient care.  More so, these targets are starting to have adverse effect on staff behaviour. Some hospitals had started playing the system in order to meet targets.  NHS staff didn’t join the service to become target hitters, they joined to care for us in community.  The Government should be welcome this approach and we should support them.

Using mechanistic targets

But before we replace old targets with new targets, we need to understand why these have not worked in the first place.  The biggest factor is mechanistic nature of performance measurements upon which the targets are based.  These mechanistic measurements work effectively when the inputs to the process can be controlled from within the process and where they are stable.  For example, a car manufacturer can control the inputs, it can predetermine a series of linear manufacturing activities, model these in precise detail and agree with the supplier when inputs will be supplied and in what form.  This makes measurement and targets valuable as the conditions in which they are based do not change from one period to the next.  There is focus on stripping out variation to achieve better results so that everyone / every machine has no choice but to act in the way it does. 

The problem comes when the inputs cannot be controlled from within the process.  For example, an A&E department cannot control its inputs, the patients and their illness.  Hospitals can’t predict who will be injured and when or know when a disaster such as an explosion will occur.  They also can’t predetermine how extreme our injuries will be. Targets drive out variation, but these variations exist, they can’t be avoided in such an environment making mechanistic measures and their targets logically weak

Thinking about measures and targets differently

In conclusion a hospital isn’t a mechanistic system, its an organic living system.  Our A&E department is a complex interaction of clinicians and non-clinicians, patients, their family and friends all adapting as one team to a situation they could not predict.  They are all focused on medical and social outcomes, not outputs (that is mechanistic thinking).  The activity is non-linear and the precise way the team is to behave cannot be predetermined or modelled because of the variety.  Sure their involvement in the process can be pre-determined or assumed – a consultant is a consultant, a nurse a nurse, a patient is a patient but how they behave is influenced by the reality of the situation and it is this reality that drives in variety to the process and renders the mechanistic targets less relevant. 

If this is the case, then what can we measure?  As the team is focused on medical and social outcomes. Therefore, what we can do is not measure their individual behaviour but measure the outcome of that behaviour as experienced by others in the same team or outside that team.  It is this outcome, the objective evidence, that is critical.  The collective individual outcomes informs the measurement criteria i.e. the desired whole team medical and social outcomes to a greater or lesser degree.

This changes what is measured and what this is reported against.  The implication is quite profound because behaviours are lead indicators of risk, mechanistic measurements are lag indicators.  As this qualitative behavioural data can now be collected, consistently analysed and quantified it is possible to produce a risk profile against the desired outcomes. Each desired outcome can, of course, have a target. The shift from outputs to outcomes i.e. the impact of the output on the true intention is fundamental we believe.

Balancing mechanistic and organic risk measures

The first step in this environment is to define the desired and undesired outcomes and express these as performance drivers i.e. what we are seeking the measure.  Add a target

Of course, there is a risk in simply changing all mechanistic measures and targets to organic measures and targets.  Rather a balance is needed based given the context of the medical facility and what its purpose is. For example, an A&E department can’t control its inputs, however a specialist cancer unit can as only those people with cancer are referred not people who have broken a leg. It’s a performance management art.  Obviously we would never claim to be medical experts but hope that the example explains the difference.

Conclusion, we believe

  • Changing the target will mean going the loop again, change the nature of the measurement first
  • Focus on performance drivers and define these, place a target
  • Measure behavioural indicators / outcomes and mechanistic outputs at the same time, it’s a balance based on the context of the medical facility and its purpose – no one size fits all
  • Risk and performance emerge from an organic system, medical and social outcomes emerge from complexity of the medical and non-medical team working as one team
  • The thinking is informed by Ethnographic Research, in outline the study of group behaviour over team.

As indicated, we are not medical professionals, but we hope you find the above useful in helping to determining what is to be measured, why and therefore what the target should be.

About the author: Ian Rosam is an experienced sales professional working in and leading sales teams. Focused on helping organisations digitise risk & compliance by leveraging the power of cloud, block chain and AI tools to optimise business and compliance performance.

Categories
Science & Insights

Block Chain Auditing – Breaking through Organisational Silos

How block chain auditing can help you see the woods from the trees.

I recently read a very interesting article by Dr Jacqueline Conway from Waldencroft titled “The cost of organisational silos”. In the article Dr Conway describes how organisational silos conceal risk and cites the example of UBS;

“These executive leaders believed that the bank was both healthy and safe. UBS had become so large and complex and “riddled with structural silos” that no-one really knew what was going on. Not the leaders, not the risk managers, not the regulators.”

Conway, J.The cost of organisational silos. Retrieved March 11, 2019, from https://www.linkedin.com/pulse/cost-organisational-silos-dr-jacqueline-conway/

Typically, these silos hide the true business processes that are often cross-departmental.  It is this inter-departmental activity that deliver outputs and outcomes to customers and results in value for shareholders and other stakeholders.

Outdated traditional auditing

In this case the problem with silo auditing is that reports focus on effective departmental silo performance and not the end to end business process performance.  Of course, the other effect is that each department may be 95% effective when viewed in isolation. But when viewed as a process, lets say of three departments, the overall performance isn’t 95%; it is 95%x95%x95% and therefore 85.7%. Departmental silo auditing masks the true effectiveness to the delivery of business outcomes.

The risk is that audit schedules are based on processes as silos where the cross-departmental nature is hidden. Senior managers will comply and demonstrate they are able to identify risks and that the appropriate actions take place.  Risk based business process auditing requires the collection of meaningful evidence where the inputs and outputs between different departments within the same business process need to identified. That evidence being analysed to produce a report highlighting risks to business outcomes is complex not least because the evidence is one department experience the output of another.

Block chain auditing focuses on outcomes

The future is to look past the silos and focus on people impacted by the processes and actions.  For example, if our HR department has a people management process, aren’t we better off asking the employees what they experience of the HR Departments activities rather than just speaking with the HR department?  Different types of employee will be experiencing what the HR Dept do based on the context and their unique job role. In auditing terms these are individual blocks of data.  By asking a large range of people or blocks we can explore the true nature of a cross-departmental process where people are interacting as a chain – hence block chain auditing.  By involving different participants as blocks we remove the value judgements because the output of each block is checked against the experience of the next as to its value and impact.

So why aren’t we doing this already?

Seems straight forward, but this isn’t an approach adopted by many organisations, mainly for two reasons;

  • Change is difficult – it can be hard for individuals and organisations to embrace change.  But if we are to improve, then change we must.
  • Capacity – Interviewing 100+ employees that comprise a single cross-departmental process is time consuming. It can get very complex and analysing all the interactions can be beyond a single auditor to collect, analyse and report. We must look to tools which enable us to achieve this.

Digitising risk and compliance

In summary, using block chain technology and experiential audit techniques allows us to digitise audit evidence and translate the importance of this in terms of risk to cross-departmental process outcomes. 

About the author: Ian Rosam from HPO Risk Solutions is focused on helping organisations digitise risk & compliance by leveraging the power of cloud, block chain and AI tools to optimise business and compliance performance.

Categories
Business Case & News

Organisational Culture – Businesses urged to ‘do more’ to win public contracts

Why Organisational Culture is more important than price to many public sector bodies

Reports are emerging that supports the movement towards organisational culture being effectively managed in order to win public sector contracts.  A part from the usual factors there is to be a focus on bidders to demonstrate a:

  • Reduction of modern slavery and cyber risks in their supply chains
  • Climate change, a focus on environmental sustainability
  • Increase in employee’s employability through, for example, training and development
  • Employment of people through diverse backgrounds.

The thought process being that tax payer funded projects should have a social responsibility angle beyond the cost.  For too long the lowest cost wins has, it is claimed, resulted in the above practices being needed in order to deliver costs expressed in the Tender. 

“By making sure that these social values are reflected not just across the government, but through all the companies we work with, we will take a major step towards our goal of creating an economy that works for everyone,” Mr Lidington will say. https://www.bbc.com/news/business-47518333.

But how do we provide this information without increasing procurement costs?

No doubt many organisation’s are already looking at or seeking to address these issues so what are the challenges:

  • How do know what the exposure is to modern slavery risks?  What are the behavioural indicators that determine whether or not modern slavery exists in our supply chains or in our business?  How do we measure it?
  • Is the training we deliver effective? How do we know the level of risk that training and development poses to optimising employee employability? 

What these more social requirements are factoring in is a recognition that people related issues are as important as the financials associated with project delivery.  They may have been a by product before but now have equal importance.

The focus is on measurement of outcomes

Was is interesting is that these requirements appear to have defined business outcomes.  For example, doing training and development isn’t good enough.  There is a need to demonstrate that the outcome of the training is increased employability.  It is a reduction in modern salary, just knowing the risks and having the right processes and procedures in place and auditing these across the supply chain isn’t enough.

The impact on Financial Management and Balance Sheet

Whilst not mentioned in the article above I was speaking with a gentleman based in London concerning the inclusion of data related to business culture and its impact on risk to business results.  This influences, he felt, both business and intellectual property valuation. 

The conclusion being that if the factors mentioned are being managed effectively and it can be demonstrated that their risk is being managed and minimised there is a direct link to business worth.

If you want to know how to manage these factors as part of your procurement process or generally given the business environment in which we work then let us know and we can explain.

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.

Categories
Science & Insights

What is an audit? What is objective evidence? How do you audit culture?

Auditing mechanistic and organic systems. What objective evidence do we really need?

There are two types of system, mechanistic and organic or social.  Mechanistic systems can be predetermined, and people have no choice but to comply, drive out variation, focused on outputs & are managed by SPC, Six Sigma, KPIs etc.  When we audit these types of systems objective evidence is clear and while we audit we look for ways of improvement to help produce better results.

Organic or social systems cannot be predetermined or modelled, they are complex interaction of human behaviour (culture) in the ‘here and now’ where people have choice, from which risk and results emerge.  It is focused on outcomes and managing variety by its nature.  What then is the objective evidence in this living world?  Of course, nothing is ever totally mechanistic or organic, the audit art is to understand this mix.

The methods for mechanistic auditing are will established.  Start with a defined process or procedure, follow this and ask questions to auditees about what they do and collect objective evidence to show they comply and are effective and look for improvements and risks.

Collecting objective evidence in organic systems

The gathering of objective evidence in an organic system is more of a challenge as it is created at the time the human interaction takes place and cannot be predetermined.  Often the details are not written down – they just happen as part of everyday live, they are not remembered accurately and of course the auditor cannot witness every interaction.  But it gets more complicated.  We could quantity the number of interactions, lets say there are 50 people who interact 100 times a day i.e. 500 interactions and then work 30 days in a month so 15,000 data points available for audit assuming the auditor could be there all the time. 

But each interaction varies in its degree of effectiveness, to a greater or lesser extent, this is the qualitative nature of the objective evidence. This is isn’t necessary in mechanistic auditing as the behaviour expected is predetermined and there is no choice but for people to comply.  Auditors in effect just check this compliance and make comment.

So, in an audit of the real world we need to quantify qualitative data and thus reveal the objective evidence needed.  Part of this is not to establish what people do (mechanistic) but the impact or outcome of what they do on others and then the business outcomes as a whole.

Critically as mentioned above nothing is ever totally mechanistic or organic, the audit techniques needed are based on the nature of what you are auditing.  

A new approach

What is happening is that we are trying to audit organic and living systems using the same mechanistic techniques which is inappropriate as by their nature the systems are different.  Its, like comparing chalk and cheese.  Maybe the reason for this is that we, as humans, do not have the mental capacity to collect 15,000 data interaction points, understand / place a value on the qualitative nature of each point and then a value on its effect on business results and compliance.  Hence HPO RS Vista.

Given that culture is a social interaction we can enhance our auditing understanding by borrowing techniques more akin to social science.  One such approach is Ethnographic which in overview is the study of group behaviour over time.

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.