The new norm – impact on internal auditing

Covid-19 has accelerated the need for change. We’re likely to face extensive remote working, with fewer people, either because of illness or headcount reductions. Productivity and reduced budgets add to the challenge.

The challenge increases…

  • There is a significant need to understand and manage the invisible real world of culture and behaviour: what really drives effective business, compliance and risk performance.
  • The value of backward looking KPIs, audit reports and risk methods is being challenged.
You can’t drive a business by looking in the rear-view mirror.

It’s no wonder that many are asking what they can do to still manage their business effectively.

How do we:

  • Reduce costs – do more for less
  • Increase the value of business, risk and compliance data
  • Manage what is really happening & create the high performance organisation.

What techniques can we use?  Here’s a recent real case study:

The method: in this case, but not all cases:

  • No auditors were used – they couldn’t visit homeworkers who were self-isolating
  • All departments (essential staff) and home workers were audited at the same time
  • Automatic analysis generated the results; it was confidential, not a survey, and no questions were asked and no right or wrong answers were needed
  • A focus on what people achieve, not just what they record or say is happening.

The results: signpost risks to business outcomes and governance requirements

Number of participants

Findings: signpost risks to business objectives / outcomes

Risks emerge from the invisible ‘business as normal’. 
In this case H&S in departments in orange and purple.    

Applies to any audit or inspection of any management process, standard, business or checklist.

Audit findings: signpost risk to, in this case, the clauses of the ISO45001 Health and Safety standard

Audit findings: signpost risks using job roles

The science and the practical realities

Have a question or want to know more then drop me an email at

Business Case & News

Regulatory focus on behaviour and outcomes, are you ready?

The ever-present regulatory focus on behaviour and outcomes increased even more following comments by Andrew Bailey, CEO of the Financial Conduct Authority (FCA), at the recent Regulators Meeting on the future of conduct regulation, and therefore compliance:

“A significant part of this debate turns on the issue of outcomes versus rules. Rules are a crucial mechanism for delivering outcomes, but can also be interpreted so rigidly as to become a box-ticking exercise.

“This is a lesson we want to see reflected in firm behaviour – any organisation that prioritises being within the rules over doing the right thing, will not stand up to scrutiny for long.”

This poses several questions:

  • How does audit need to change to meet this focus on the right outcomes?
  • What will the audit evidence look like if there are no documented and predetermined rules to subsequently audit against?
  • What does ‘firm’ behaviour mean?

Perhaps it is better to focus on the last question. What is the regulator expecting from organisations? Well, the first thing will be a focus on reducing the tick-box mentality. Often this means asking a question and looking for evidence that the pre-determined rules, procedures and processes have been followed. If they have, ‘tick the box’; if they haven’t, raise a non-conformance. This is a backward-looking approach, one that is focused on mechanistic outputs, not on outcomes, which are the true deliverable experienced by stakeholders.

This rule-based approach assumes that everything can be pre-determined and that human beings will always follow these rules. It assumes that people are robots, which they are not. In reality they have to react to situations that cannot always be predicted. The other factor is that rules are often someone’s mental construct. It may be a picture of reality, but it isn’t reality. These enduring failings of existing approaches are what, I believe, Andrew Bailey is targeting. By firm behaviour he may mean an expectation of change or, at least, a re-positioning of the balance between what can and cannot be predetermined, and auditing accordingly.

Is the FCA alone in the change of focus?

Maybe not. International Standards have changed to be more risk and outcome based. I have seen little evidence that certification and accreditation bodies and suppliers of audit training have changed the audit techniques. Perhaps there hasn’t been enough pain yet, unlike the management accounting world, where there is pressure for change following the Carillion collapse and other well-publicised failures. The regulatory focus on behaviour and outcomes, and its impact on conduct, compliance and performance risk, is also being driven by changes in Corporate Reporting rules for larger organisations.

Avoiding the ‘will not stand up to scrutiny for long’ category trap?

No doubt some will say they have already made the change, or made it in part, which is good. Others may well be in denial, believing that what they currently do and have been doing for years is enough. There may not be a complete list of factors in terms of making this change. The following are offered as some thoughts and suggestions to meet this regulatory focus on behaviour and outcomes:

  • Is this change increasing the cost of compliance?  If it is or there is pressure to do so then this may be an indicator for a review of audit and risk activity.
  • Do auditors know the difference between a mechanistic system focused on outputs and an organic system (reality) focused on outcomes and how to audit each?
  • Do audit techniques gather evidence of what people achieve, the impact or outcome of how people behave, not just what they say they do or write down?
  • Do auditors have the capability to consistently analyse the outcome of how people behave (the real evidence) and report this against business performance and compliance outcomes? (What does the evidence mean for risk and compliance? Is this what the FCA and others are seeking to achieve?)
  • Do audit reports signpost predictive risk to compliance and performance outcomes? Is this predictive analytical approach allowing business leaders to see risk levels and thus manage individual and collective behaviour accordingly?

This business issue is no longer just about compliance; it is about optimising business outcomes, be that profitability, management of overheads, customer experience or other desired and undesired outcomes.

Compliance, Corporate culture and senior management

Compliance – Senior Managers Competence Regime (SMCR), why it affects us all?

SMCR outlines a set of responsibilities and conduct risks.  Ultimately this leads to the conclusion that the only way Senior Managers of Financial Service organisations can demonstrate their compliance is to measure the corporate culture they are responsible for managing.  This set of requirements is being rolled out throughout 2019.

At the same time, private sector organisations have a new set of compliance requirements to meet. The Wates corporate governance requirements provide a framework within which larger private sector companies manage their businesses. This is a significant shift in corporate reporting, with two principles standing out:

1. Purpose and Leadership – including the monitoring of corporate culture.

2. Opportunity and risk – including risk management frameworks with a view on long term sustainability, risks that affect stakeholder needs, external and internal risk.

The Impact

Both SMCR and new Corporate Reporting requirements have at their heart the need to monitor culture.  This means that organisations need to have effective methods in place to identify where compliance and conduct risks are emerging from the corporate culture and that these risks are being managed and reported before they become a reality.

Once the risk emerges and appears on KPIs, audit reports and surveys it is too late and management can only manage the consequences.

Are the Financial Sector and larger private sector organisations alone?

No, ISO standards and H&S requirements for example are all heading in the same direction – monitor corporate culture and understand the risk this poses, so change is not optional for any of us.

The conclusion

Consequently, the traditional audit and assessment methods that continue to be used are not effective enough on their own.  These must change.

HPO Clearview uses an enhanced audit and assessment method and, via a cloud-based platform, measures that culture. This makes visible what is often invisible so that risks can be managed.

Behavioural indicators / outcomes are forward-looking risk indicators. Audit reports, results, surveys and KPIs are backward looking; no matter how much big data is collected, they are not truly predictive.

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.

Targets, Outputs or Outcomes?

Is it time to change how we think about targets?

NHS England recently announced it was overhauling NHS targets for A&E departments along with changes to waiting times for cancer, mental health and planned operations.

They have come to the conclusion that having targets for targets’ sake doesn’t improve patient care. Moreover, these targets are starting to have an adverse effect on staff behaviour. Some hospitals had started playing the system in order to meet targets. NHS staff didn’t join the service to become target hitters; they joined to care for us in the community. The Government should welcome this approach and we should support them.

Using mechanistic targets

But before we replace old targets with new targets, we need to understand why these have not worked in the first place. The biggest factor is the mechanistic nature of the performance measurements upon which the targets are based. These mechanistic measurements work effectively when the inputs to the process can be controlled from within the process and where they are stable. For example, a car manufacturer can control the inputs: it can predetermine a series of linear manufacturing activities, model these in precise detail and agree with the supplier when inputs will be supplied and in what form. This makes measurement and targets valuable, as the conditions on which they are based do not change from one period to the next. There is a focus on stripping out variation to achieve better results, so that every person and every machine has no choice but to act in the way it does.

The problem comes when the inputs cannot be controlled from within the process. For example, an A&E department cannot control its inputs, the patients and their illness. Hospitals can’t predict who will be injured and when, or know when a disaster such as an explosion will occur. They also can’t predetermine how extreme our injuries will be. Targets drive out variation, but these variations exist and can’t be avoided in such an environment, making mechanistic measures and their targets logically weak.

Thinking about measures and targets differently

In conclusion, a hospital isn’t a mechanistic system; it’s an organic living system. Our A&E department is a complex interaction of clinicians and non-clinicians, patients, their family and friends, all adapting as one team to a situation they could not predict. They are all focused on medical and social outcomes, not outputs (that is mechanistic thinking). The activity is non-linear and the precise way the team is to behave cannot be predetermined or modelled because of the variety. Sure, their involvement in the process can be pre-determined or assumed – a consultant is a consultant, a nurse a nurse, a patient is a patient – but how they behave is influenced by the reality of the situation, and it is this reality that drives variety into the process and renders the mechanistic targets less relevant.

If this is the case, then what can we measure? As the team is focused on medical and social outcomes, what we can do is measure not their individual behaviour but the outcome of that behaviour as experienced by others in the same team or outside that team. It is this outcome, the objective evidence, that is critical. The collective individual outcomes inform the measurement criteria, i.e. the desired whole-team medical and social outcomes, to a greater or lesser degree.

This changes what is measured and what this is reported against. The implication is quite profound because behaviours are lead indicators of risk, whereas mechanistic measurements are lag indicators. As this qualitative behavioural data can now be collected, consistently analysed and quantified, it is possible to produce a risk profile against the desired outcomes. Each desired outcome can, of course, have a target. The shift from outputs to outcomes, i.e. the impact of the output on the true intention, is fundamental, we believe.

Balancing mechanistic and organic risk measures

The first step in this environment is to define the desired and undesired outcomes and express these as performance drivers, i.e. what we are seeking to measure. Add a target.

Of course, there is a risk in simply changing all mechanistic measures and targets to organic measures and targets. Rather, a balance is needed, given the context of the medical facility and what its purpose is. For example, an A&E department can’t control its inputs; however, a specialist cancer unit can, as only those people with cancer are referred, not people who have broken a leg. It’s a performance management art. Obviously we would never claim to be medical experts, but we hope that the example explains the difference.

Conclusion, we believe

  • Changing the target will mean going round the loop again; change the nature of the measurement first
  • Focus on performance drivers and define these, then place a target
  • Measure behavioural indicators / outcomes and mechanistic outputs at the same time; it’s a balance based on the context of the medical facility and its purpose – no one size fits all
  • Risk and performance emerge from an organic system; medical and social outcomes emerge from the complexity of the medical and non-medical team working as one team
  • The thinking is informed by Ethnographic Research, in outline the study of group behaviour over time.

As indicated, we are not medical professionals, but we hope you find the above useful in helping to determine what is to be measured, why, and therefore what the target should be.

About the author: Ian Rosam is an experienced sales professional working in and leading sales teams. Focused on helping organisations digitise risk & compliance by leveraging the power of cloud, block chain and AI tools to optimise business and compliance performance.

Organisational Culture – Businesses urged to ‘do more’ to win public contracts

Why Organisational Culture is more important than price to many public sector bodies

Reports are emerging that support the movement towards organisational culture being effectively managed in order to win public sector contracts. Apart from the usual factors, there is to be a focus on bidders demonstrating:

  • A reduction of modern slavery and cyber risks in their supply chains
  • A focus on climate change and environmental sustainability
  • An increase in employees’ employability through, for example, training and development
  • Employment of people from diverse backgrounds.

The thought process is that taxpayer-funded projects should have a social responsibility angle beyond the cost. For too long, it is claimed, ‘lowest cost wins’ has resulted in the above practices being needed in order to deliver the costs expressed in the tender.

“By making sure that these social values are reflected not just across the government, but through all the companies we work with, we will take a major step towards our goal of creating an economy that works for everyone,” Mr Lidington will say.

But how do we provide this information without increasing procurement costs?

No doubt many organisations are already looking at or seeking to address these issues. So what are the challenges?

  • How do we know what the exposure is to modern slavery risks? What are the behavioural indicators that determine whether or not modern slavery exists in our supply chains or in our business? How do we measure it?
  • Is the training we deliver effective? How do we know the level of risk that training and development poses to optimising employee employability? 

What these more social requirements are factoring in is a recognition that people-related issues are as important as the financials associated with project delivery. They may have been a by-product before, but they now have equal importance.

The focus is on measurement of outcomes

What is interesting is that these requirements appear to have defined business outcomes. For example, doing training and development isn’t good enough. There is a need to demonstrate that the outcome of the training is increased employability. Likewise, what is needed is a reduction in modern slavery; just knowing the risks, having the right processes and procedures in place and auditing these across the supply chain isn’t enough.

The impact on Financial Management and Balance Sheet

Whilst not mentioned in the article above I was speaking with a gentleman based in London concerning the inclusion of data related to business culture and its impact on risk to business results.  This influences, he felt, both business and intellectual property valuation. 

The conclusion is that if the factors mentioned are being managed effectively, and it can be demonstrated that their risk is being managed and minimised, there is a direct link to business worth.

If you want to know how to manage these factors as part of your procurement process or generally given the business environment in which we work then let us know and we can explain.

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.

Digitising Health & Safety risk assessments

The challenge of digitising Health & Safety

I was speaking with a colleague about digitising Health & Safety risk assessments. The challenge for our customer is that they have 10 sites that need routine H&S checks, but they do not have the necessary expertise on each site, nor can they afford to. Neither do they want to keep training people who are really employed to perform a different job role.

Whilst thinking through the problem we concluded that we could use the cultural analytics online platform to create intelligent inspection checks. Currently engineers use this to check cars in the UK, but we realised we could use the same approach for H&S.

Building an assessment

The starting point was the details of the existing H&S inspections. These are currently in a log: about 15 inspections, mainly fire safety related. Some are daily, others weekly and some annual.

We created one assessment that could be accessed via a mobile device. Via a selection screen, the user in any of the locations could select one of the 15 inspections, add their name and then follow the on-screen instructions. It took about 20 minutes to set up.

HPO Clearview trial

Critically, the user is not an H&S fire expert and therefore the ‘intelligence’ as to what is acceptable, not acceptable or risky is built in. This is not a survey or tick boxing. This allows assessments to be carried out consistently across multiple sites, locations or departments. As users select what they are experiencing, the results are automatically analysed and audit trails stored. Reporting is via an online analytics tool for benchmarking purposes, so that the person responsible for H&S can see what is happening elsewhere. Areas of high risk or below target are emailed straight away for management attention.

The next step is to pilot in Houston from London and check that the content is OK; amending is easy.

It would seem many organisations have the same challenges. Alternative, more intelligent solutions are available. We can show you how.

About the author: Ian Rosam from HPO Risk Solutions is focused on helping organisations digitise risk & compliance by leveraging the power of cloud, block chain and AI tools to optimise business and compliance performance.

IP exploitation managing the risk & opportunity

How good IP exploitation can increase value and reduce risk?

Managing IP value and risk is important to the exploitation of Intellectual Property. Newly acquired, developed and developing IP is often invisible which creates a challenge for IP management. Generally speaking, operational and conduct risk often points to the lack of an integrated IP enterprise management system. A system that involves all relevant departments who create, improve, use and manage IP.

This often impedes further R&D and the prospects for maximising IP exploitation and driving business growth, i.e. there is a direct link to asset value. This comes at a time when the use and protection of trade secrets is in the headlines. However, this management and risk issue affects all types of IP in any business.

For businesses with these challenges in mind, we suggest merging best-practice IP exploitation practices and Enterprise Risk Management (ERM). Together with our partner ISS, we call this IP Risk Management (IPRM). Once an IPRM exists, it can be assessed alongside corporate culture to identify risk and drive improvement.

The IP Exploitation management system

We see best practice as developing a system of cross-departmental business processes designed to maximise IP exploitation.  These processes define roles, responsibilities and controls needed to deliver IP objectives.  Their purpose is also to drive out risk to exploitation:

IP exploitation
IP Risk Management
  • Identify and adjust corporate missions and new product sensitivities based on an understanding of stakeholder and market needs.
  • Align departmental goals, objectives / targets and business plans to drive IP exploitation across the organisation. This creates a single organisational wide approach to IP Risk Management.
  • Cross matching retained and maintained IP to corporate strategy and advising divestment or abandonment.
  • Building advanced Freedom to Operate reporting into IP and exploitation business processes.

IP Development and management approach

This includes:

  • Creating IP Registers used within the IP management system.
  • Embedding IP tell tales to capture potential and emerging IP opportunities and risk as the ‘business as normal’ unfolds.
  • Identifying latent and undeveloped IP and appropriate protections to prevent misuse inside and outside the organisation.
  • Building sub-processes for matching ongoing searches against the existing IP Register informing emerging competition.

Assessing IP management, risk and compliance

In summary, the IP Risk Management system comprises a range of business processes that define roles, responsibilities and controls aimed at maximizing the value of the IP and reducing risk to its exploitation.

These processes are typically documented so they are visible and can subsequently be audited to check compliance with their requirements. Documents are mental constructs or models, as they do not define reality or what is really taking place. Consequently, the reality is too difficult to define, model or pre-determine, yet it is this corporate culture that delivers results. HPO RS Vista is an assessment technique & platform that digitizes the outcome or impact of people’s behaviour. From this and its consistent analysis, risk to the delivery of IP Exploitation objectives is reported. This in effect creates a new type of KPI to manage IP, one that is forward and not backward looking. This allows change and improvement to be made before poor performance becomes a reality.

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.

Digitising risk and compliance

Much of our life has gone digital, so why aren’t we digitising risk and compliance?

We can sometimes take for granted how much of our lives has been digitised. For example, my morning routine often sees me prepare multiple lunch boxes and breakfasts while listening to my favourite radio station on my DAB radio. I then read the morning news and catch up on LinkedIn updates on my smartphone while eating breakfast. Once at work I open my email and unified communication tools and my dispersed team begins to collaborate. The team begins work by reviewing the data collected from multiple sources such as customer requests, trends and performance against KPIs. To sum up, our personal and professional lives have been digitised. So why aren’t we digitising risk and compliance?

The truth is the need hasn’t really existed till now; the “old ways” were sufficient. Auditors carrying out traditional audits proved processes existed and were probably being followed. Until now this was typically enough to prove compliance with clauses in standards, governance or business objectives.

So what has changed?

In today’s world of compliance, the ticked box approach is not enough. The Senior Managers and Certification Regime (SMCR) expects senior managers and business leaders to understand the corporate culture of their businesses. After all, it’s the culture of the organisation that generates the opportunities and creates the risks, not the written-down processes.

Managers are expected to identify compliance and conduct risks as they emerge from the corporate culture, before they become a reality. However, “old ways” are not capable of achieving this. They are backward looking: they focus on what has happened, not what could happen.

The risk and compliance digital revolution

Digitising risk and compliance solutions is a growing priority for many businesses. However, these solutions must fulfil a number of requirements. Firstly, solutions need to enable mass auditing of both internal and external stakeholders. Customers, suppliers and other external parties are often overlooked, but who else is likely to be less biased? Secondly, hidden scoring algorithms enable qualitative data to be quantified. We need to remove the bias of value judgements and simply focus on the experiences.

Reporting needs to be insightful and accessible in real time. Senior managers require simpler and more effective reporting using dashboards which measure results against multiple reporting groups, business objectives & compliance requirements. It is their responsibility to recognise risks and opportunities before they emerge. The utopia is to carry out fewer audits that prove compliance across a range of reporting groups, reducing time and costs.

To this end we have developed RS Vista. It’s an enhanced audit and assessment method that, via a cloud-based platform, measures corporate culture. It uses blockchain technology to audit the crowd, to remove value judgments and to report data across a range of reporting groups. This makes visible what is often invisible so that risks can be managed.

About the author: Ian Rosam from HPO Risk Solutions is an experienced sales professional working in and leading sales teams. Focused on helping organisations digitise risk & compliance by leveraging the power of cloud, block chain and AI tools to optimise business and compliance performance.

Health & safety checks, how do we ensure these are carried out

How health & safety auditing can be improved by HPO RS Vista

The Challenge

Let’s consider the needs and challenges of businesses carrying out health and safety inspections and why several have asked if HPO Clearview is a suitable tool to help.

The Health & Safety of employees and work environments is very important to business performance and regulatory compliance. Avoiding physical injury, managing events that threaten business continuity and creating a valued workforce all require proper health & safety checks.

The effectiveness of health and safety checks is at risk from a number of challenges.

Cost – often these audits are the responsibility of the facilities or the health & safety team.  These teams are not always located in every satellite office and need to travel the country to carry out audits, incurring costs such as travel, accommodation and expenses.

Lack of consistency – Ensuring consistency across a team of people can be challenging. If audits are being carried out by non-skilled site staff across multiple sites, it’s almost impossible for the business to be 100% confident in any audit result presented to them. Home working just makes the situation worse.

Multiple Locations – Satellite offices and home working are examples of the new flexible working environments businesses are creating. These create challenges for health & safety audits.

The solution – HPO RS Vista

These are just some of the reasons businesses are turning to RS Vista as a viable inspection tool. It offers businesses the following benefits:

Reduce costs – Reduce the need for travel by having employees carry out online assessments. The assessments have the expertise built in.

Improved consistency – We use statements and responses to capture what the user is experiencing. We don’t ask questions or ask participants to make value judgements that they are unable to answer. Inbuilt subject matter intelligence reduces the risk of inconsistencies and the need for training.

Assessments can be carried out by multiple people simultaneously, enabling benchmarking to pinpoint risks.

Signposts areas of risk – Results are benchmarked against compliance groups automatically and communicated to stakeholders in real time for review. This allows auditors and facility managers to target areas of risk quickly and effectively.

About the author: Ian Rosam from HPO Risk Solutions is focused on helping organisations digitise risk & compliance by leveraging the power of cloud, block chain and AI tools to optimise business and compliance performance.

Supply chain management auditing the risk

An article exploring the assessment of conduct risk, operational risk and compliance to enable supply chain management. This uses blockchain technology to include everyone in the supply chain and expose risk to overall chain performance management objectives.

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.