Categories
Academy & Learning Business Case & News Science & Insights

The new norm – impact on internal auditing

Covid-19 has accelerated the need for change. We’re likely to face extensive remote working, with fewer people, either because of illness or headcount reductions. Productivity and reduced budgets add to the challenge.

The challenge increases…

  • There is significant need to understand and manage the invisible real world of culture and behaviour. What really drives effective business, compliance, and risk performance.
  • The value of backward looking KPIs, audit reports and risk methods is being challenged.
You can’t drive a business by looking in the rear-view mirror.

It’s no wonder that many are asking what they can do to still manage their business effectively

How do we:

  • Reduce costs – do more for less
  • Increase the value of business, risk and compliance data
  • Manage what is really happening & create the high performance organisation.

What techniques can we use?  Here’s a recent real case study:

The method : In this case, but not all cases:

  • No auditors were used – they couldn’t visit homeworkers who were self-isolating
  • All departments (essential staff) and home workers audited at the same time
  • Automatic analysis to generate results, confidential not a survey nor where any questions asked or right and wrong answers needed
  • A focus on what people achieve not just what they record or say is happening.

The results : sign post risks to business outcomes and governance requirements

Number of participants

Findings : sign post risks to business objectives / outcomes

Risks emerge from the invisible ‘business as normal’. 
In this case H&S in departments in orange and purple.    

Applies to any audit or inspection of any management process, standard, business or checklist.

Audit findings : sign post risk to, in this case, the clauses of the ISO45001 Health and Safety standard

Audit findings : sign post risks using job roles

The science and the practical realities

Have a question or want to know more then drop me an email at ianrosam@hpoorganisation.com

Categories
Science & Insights

Focusing internal audits to improve performance targets and compliance

The UK National Health Service have concluded that having targets for target sake doesn’t improve patient care i.e. performance outcomes. This happens in organisations where the focus of audit, risk and performance management is on the improvement of a KPI. This also has an adverse effect on staff behaviour with evidence of people playing the system in order to meet targets. 

Using mechanistic targets

If this is the case then before we consider replacing existing KPIs with new ones we need to understand why these have not worked. The biggest factor is mechanistic nature of measurements upon which the KPIs are based. These mechanistic measurements work effectively when the inputs to the process can be controlled from within the process itself. In addition they work best when the process is stable.  For example, a car manufacturer can control the inputs. It can predetermine a series of manufacturing activities and model these in precise detail. It can also agree with suppliers when inputs will be supplied and in what form. 

KPIs are valuable as the conditions upon which they are based does not change from one period to the next.  There is an audit and improvement focused on stripping out variation and non-conformance to achieve better results. In doing so everyone becomes a cog in the machine. Each having no choice but to act in a prescribed way to meet the KPI and target.

The problem with mechanistic KPIs and targets

The problem comes when the inputs cannot be controlled from within the process.  For example, an Accident & Emergency department cannot control its inputs, the patients and their illness.  Hospitals can’t predict precisely who will be injured or when they will attend for treatment. Neither will they know when a disaster such as an explosion will occur.  These cannot be predetermined so neither can each cog in the machine.

If these natural input variations exist then the conditions on which the mechanistic measures are based will be continually changing. This makes mechanistic KPIs and targets logically weak as a vehicle of comparison.  In effect we would be auditing and measuring performance using the wrong approaches. This results in incomplete audit and risk information being provided to management. It also distorts people’s behaviour as they strive to get round a situation and approach that is unreal to them.

Thinking about KPIs and audits differently

In conclusion a hospital isn’t a mechanistic system, its an organic living system. Our A&E department, just like any business process or organisation, is a complex interaction of clinicians and non-clinicians, patients, their family and friends all adapting as one team to a situation they could not predict. 

They, like any organisation or team, are focused on delivering organisational and compliance outcomes, not outputs (that is mechanistic thinking). Sure team member involvement can be pre-determined or assumed – a consultant is a consultant, a nurse a nurse, a patient is a patient. How they behave at the granular level is influenced by the reality of the situation they find themselves in. Their behaviour is governed by the context or situation that presents itself. It is this issue which renders weakness in traditional audit, risk and performance management.

If this is the case, then what can we measure and audit?  What we cannot easily do is measure people’s individual behaviour. What we can more easily audit is the outcome or impact that behaviour has on other people, compliance and performance. It is this outcome based objective evidence that is critical.  Each individual behavioural outcome informs the overall performance criteria or KPI to a greater or lesser degree. Instead of KPI we prefer to call these measures drivers of performance and compliance.

Audit – using lead indicators of risk

This changes what is audited and what is reported against. The implication is quite profound as behaviours are lead indicators of risk, mechanistic audits and measurements are lag indicators.  As this qualitative behavioural data that can now be audited and consistently analysed. This analysis quantifies qualitative data to produce a risk profile against desired drivers of compliance and performance performance. Drivers as results provide forward looking and predictive view. The shift and understanding the reasons for this is fundamental we believe.

Balancing audit and measurement techniques

The audit and performance management art is to recognize the nature of what is to be audited. Which process activities are concerned with managing variety and which variability. The audit technique used is dependent on this criteria. The mechanistic methods are used to question auditees against the planned requirements, do they carry out tasks as planned. The more organic unplanned activities that take place as the reality unfolds given the the context are assessed by auditing behavioural outcomes or impacts, simply because there is no predetermined plan.

The same applies to performance management. Use traditional KPIs and targets where the process activities are mechanistic and based on outputs. Use performance drivers where activities are more organic based on outcomes and where risk is an emergent characteristic.

There is a risk in simply changing all KPIs from mechanistic to organic ones, its a balance. For example, an Accident & Emergency department can’t control its inputs so a more reliance on drivers of performance based on outcomes is needed. However a specialist cancer unit can control its inputs as only those people with particular type of cancer are referred. In this case more mechanistic measures could be deployed complemented by the drivers of performance.

The future of auditing

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.

Categories
Science & Insights

Feedback & Participation – Audit, risk & assessment

Feedback to and from “The Crowd” is not optional when striving for business success

Crowd source auditing is effective because it involves “The Crowd” (i.e. the people who experience what is being audited). They feedback their experiences of what is really happening on a day-to-day basis – they are, after all, the ones who know this best.

No amount of traditional auditing can hope to collect this depth or breadth of evidence, especially as much of it is behavioural that, by its nature, is variable and often inconsistent. Giving the Crowd a voice benefits the organisation by exposing previously invisible risks posed by current operating practices. It is these that affect the delivery of outcomes, objectives and governance requirements. Whatever documents may show, it is the reality of current practices and behaviours that creates most of the risk and it is this that RSVista captures, analysis and reports.

Having involved the Crowd, providing them with effective feedback of what they are saying and what you are doing about it is critical to keeping them involved and motivated to do more, encouraging this empowerment of their ‘voice’. The organisation’s ability to respond to feedback from audits, either traditional or Crowd sourced, in the optimum way helps to drive business success. The effectiveness of the overall feedback cycle, Crowd to Organisation to Crowd, drives the organisation’s ability to proactively change to manage risk. Rather than re-actively after unplanned events occur. This is a key part of the organisational eco-system, with feedback stimulating growth and adaption, so that the organisation can continue to succeed. Choke this feed back cycle at any point and the organisation’s life-blood stops, the eco-system falters and the organisation becomes slower to adapt. That drives increased risk of failure to the delivery of business outcomes and compliance.

feedback poor performance
The Business Eco-system – ‘No feedback leads to poor organisational performance

In conclusion

Giving Feedback to the Crowd is therefore just as critical as getting feedback from it. This isn’t an optional extra or something for others to do! All Managers at all levels must understand why both forms of feed back are critical. The results of audits, what they are showing and what is being done with the results must be communicated to the Crowd on a regular basis to reinforce, through increased understanding, the key part they play. If not, they will have no reason to engage further and feedback will be stifled.

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.

Categories
Science & Insights

Cultural Analytics turning qualitative to quantitative data

Have you ever noticed that following poor business performance, for example, Deepwater Horizon, Stafford Hospital and Supply chain failures, subsequent investigations always reveal that the cultural and behavioural conditions must have existed for the poor performance to emerge and become a reality?

The article outlines how people’s behaviour can be the subject of audit and assessment.  Cultural analytics turns qualitative data into quantifiable management information.  This allows organisational risk, conduct risk and compliance and performance management risk created by the business culture to be exposed.

HPO-Whitepaper-Cultural-Analysis-Blockchain-2

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.

Categories
Science & Insights

Block Chain Auditing – Breaking through Organisational Silos

How block chain auditing can help you see the woods from the trees.

I recently read a very interesting article by Dr Jacqueline Conway from Waldencroft titled “The cost of organisational silos”. In the article Dr Conway describes how organisational silos conceal risk and cites the example of UBS;

“These executive leaders believed that the bank was both healthy and safe. UBS had become so large and complex and “riddled with structural silos” that no-one really knew what was going on. Not the leaders, not the risk managers, not the regulators.”

Conway, J.The cost of organisational silos. Retrieved March 11, 2019, from https://www.linkedin.com/pulse/cost-organisational-silos-dr-jacqueline-conway/

Typically, these silos hide the true business processes that are often cross-departmental.  It is this inter-departmental activity that deliver outputs and outcomes to customers and results in value for shareholders and other stakeholders.

Outdated traditional auditing

In this case the problem with silo auditing is that reports focus on effective departmental silo performance and not the end to end business process performance.  Of course, the other effect is that each department may be 95% effective when viewed in isolation. But when viewed as a process, lets say of three departments, the overall performance isn’t 95%; it is 95%x95%x95% and therefore 85.7%. Departmental silo auditing masks the true effectiveness to the delivery of business outcomes.

The risk is that audit schedules are based on processes as silos where the cross-departmental nature is hidden. Senior managers will comply and demonstrate they are able to identify risks and that the appropriate actions take place.  Risk based business process auditing requires the collection of meaningful evidence where the inputs and outputs between different departments within the same business process need to identified. That evidence being analysed to produce a report highlighting risks to business outcomes is complex not least because the evidence is one department experience the output of another.

Block chain auditing focuses on outcomes

The future is to look past the silos and focus on people impacted by the processes and actions.  For example, if our HR department has a people management process, aren’t we better off asking the employees what they experience of the HR Departments activities rather than just speaking with the HR department?  Different types of employee will be experiencing what the HR Dept do based on the context and their unique job role. In auditing terms these are individual blocks of data.  By asking a large range of people or blocks we can explore the true nature of a cross-departmental process where people are interacting as a chain – hence block chain auditing.  By involving different participants as blocks we remove the value judgements because the output of each block is checked against the experience of the next as to its value and impact.

So why aren’t we doing this already?

Seems straight forward, but this isn’t an approach adopted by many organisations, mainly for two reasons;

  • Change is difficult – it can be hard for individuals and organisations to embrace change.  But if we are to improve, then change we must.
  • Capacity – Interviewing 100+ employees that comprise a single cross-departmental process is time consuming. It can get very complex and analysing all the interactions can be beyond a single auditor to collect, analyse and report. We must look to tools which enable us to achieve this.

Digitising risk and compliance

In summary, using block chain technology and experiential audit techniques allows us to digitise audit evidence and translate the importance of this in terms of risk to cross-departmental process outcomes. 

About the author: Ian Rosam from HPO Risk Solutions is focused on helping organisations digitise risk & compliance by leveraging the power of cloud, block chain and AI tools to optimise business and compliance performance.

Categories
Science & Insights

What is an audit? What is objective evidence? How do you audit culture?

Auditing mechanistic and organic systems. What objective evidence do we really need?

There are two types of system, mechanistic and organic or social.  Mechanistic systems can be predetermined, and people have no choice but to comply, drive out variation, focused on outputs & are managed by SPC, Six Sigma, KPIs etc.  When we audit these types of systems objective evidence is clear and while we audit we look for ways of improvement to help produce better results.

Organic or social systems cannot be predetermined or modelled, they are complex interaction of human behaviour (culture) in the ‘here and now’ where people have choice, from which risk and results emerge.  It is focused on outcomes and managing variety by its nature.  What then is the objective evidence in this living world?  Of course, nothing is ever totally mechanistic or organic, the audit art is to understand this mix.

The methods for mechanistic auditing are will established.  Start with a defined process or procedure, follow this and ask questions to auditees about what they do and collect objective evidence to show they comply and are effective and look for improvements and risks.

Collecting objective evidence in organic systems

The gathering of objective evidence in an organic system is more of a challenge as it is created at the time the human interaction takes place and cannot be predetermined.  Often the details are not written down – they just happen as part of everyday live, they are not remembered accurately and of course the auditor cannot witness every interaction.  But it gets more complicated.  We could quantity the number of interactions, lets say there are 50 people who interact 100 times a day i.e. 500 interactions and then work 30 days in a month so 15,000 data points available for audit assuming the auditor could be there all the time. 

But each interaction varies in its degree of effectiveness, to a greater or lesser extent, this is the qualitative nature of the objective evidence. This is isn’t necessary in mechanistic auditing as the behaviour expected is predetermined and there is no choice but for people to comply.  Auditors in effect just check this compliance and make comment.

So, in an audit of the real world we need to quantify qualitative data and thus reveal the objective evidence needed.  Part of this is not to establish what people do (mechanistic) but the impact or outcome of what they do on others and then the business outcomes as a whole.

Critically as mentioned above nothing is ever totally mechanistic or organic, the audit techniques needed are based on the nature of what you are auditing.  

A new approach

What is happening is that we are trying to audit organic and living systems using the same mechanistic techniques which is inappropriate as by their nature the systems are different.  Its, like comparing chalk and cheese.  Maybe the reason for this is that we, as humans, do not have the mental capacity to collect 15,000 data interaction points, understand / place a value on the qualitative nature of each point and then a value on its effect on business results and compliance.  Hence HPO RS Vista.

Given that culture is a social interaction we can enhance our auditing understanding by borrowing techniques more akin to social science.  One such approach is Ethnographic which in overview is the study of group behaviour over time.

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.

Categories
Science & Insights

Cultural Analysis and artificial intelligence

The importance of measuring cultural analysis

Have you ever noticed that following poor business performance such as Deepwater Horizon, Staples and Wells-Fargo for example, that subsequent investigations always reveal that the cultural and behavioural conditions must have existed for the poor performance to emerge and become a reality?

By the time poor performance appears on a KPI, graph, or any form of traditional big data, it is too late.  The impacts can only be managed be they, damage to brand, business results or compliance failures.  As an analogy, it is like driving a car by looking in the rear-view mirror.

Of course, the same dynamic is happening all the time, 365 days year in every organisation in every sector across practically every product or service supplied – an ongoing uncontrolled business risk.

But what if we could measure the impact of how people behave and from this determine the risk to poor performance before it becomes a reality!!!

But how can we capture what is currently invisible?

This requires a different approach simply because traditionally KPIs and numbers could not be produced from events that have yet to happen, no matter how deeply that lag-data is mined. Understanding what is visible is easy – understanding the invisible is much more difficult but quite straight forward.

What is needed is an approach that puts numbers to the impact or outcome of how people behave, quantifying what is currently invisible to expose the level of risk that behaviour poses to the business.  Culture is truly a lead indicator of risk, this time, akin to driving the car by looking through the windscreen!

Click here to read more about have how we achieve this with HPO RS Vista. Its an enhanced audit and assessment method and via a cloud-based platform that measures corporate culture.  It uses blockchain technology to audit the crowd to remove value judgments and report data across a range of reporting groups. Therefore making visible what is often invisible so that risks can be managed.

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.

Recent Posts

The new norm – impact on internal auditing

The new norm – impact on internal auditing

Covid-19 has accelerated the need for change. We’re likely to face extensive remote working, with ...
Regulatory focus on behaviour and outcomes, are you ready?

Regulatory focus on behaviour and outcomes, are you ready?

The forever Regulatory focus on behaviour and outcomes increased even more following Andrew&# ...
Focusing internal audits to improve performance targets and compliance

Focusing internal audits to improve performance targets and compliance

The UK National Health Service have concluded that having targets for target sake doesn’t improve ...
Categories
Science & Insights

Blockchain or crowd based auditing, what is it?

Enhancing audit techniques using blockchain

Exposing risk to compliance and performance management using blockchain based auditing.

Colin Rosam talks about blockchain auditing and how HPO RS Vista it can help uncover the risk of non compliance and performance as part of your auditing strategy.

About the author : Colin Rosam is an experienced sales professional working in and leading sales teams. Focused on helping organisations digitise risk & compliance by leveraging the power of cloud, block chain and AI tools to optimise business and compliance performance.

Categories
Science & Insights

Audit – The challenge of using non-auditors as auditors

Have you ever asked an employee to audit another team?  If so, this is what you may be experiencing and
the challenges they be facing.

The audit schedule for the year ahead looks daunting, lots
to do, but too little resource.  Hiring
additional heads has been suggested but this takes time and crucially budget
which the boss suggests will be difficult to secure, so either as a short term
or long time measure the business turns to trusted employees to carry out
audits.  They are usually;

  • Trusted and capable within their own departments
  • Believe they have the time to carry out the role
  • Volunteered, there’s no bonus or tangible reward
    for helping
  • Not skilled or knowledgeable in the department
    or process they are auditing

While its great the business can call upon its workforce to
support it in a time of need, there are pitfalls to this approach.

  • Volunteers often lack the authority to challenge
    department heads leading to confrontation or the department head rail roading
    the auditor.
  • They are not responsible for the consequences of
    a poorly carried out audit. 
  • If not sufficiently praised or rewarded, It
    could be seen as drain on their time. 
    They may have other pressures in their day to day job which they should be
    focusing on.
  • They can be trained to carry out the audit but
    are trained to spot the risks and opportunities?
  • Some won’t handle the responsibility or
    pressure, passing what the should fail as they believe its what the business
    wants.

But there is another way to audit, introducing RS Vista.

RS Vista is a cloud based assessment tool that leverages the power of blockchain to assess business culture, the risk to compliance and business performance. 

RS Vista can quantify qualitative data and automatic analysis provides detailed insights into where risks to exploitation are emerging, not based on what people say is happening or, reported as KPIs but what is really happening inside your business right now.

  • Doesn’t use questions, surveys or visible
    scoring methods – not interested in what people say is happening or what
    is written, only the outcome or impact of how people behave, i.e. the real
    world.
  • Using block chain to understand complexity.
  • Reduces the need and cost for human involvement
    – providing risk profiles, greater insights and analysis beyond the human being
    to deliver this practically.
  • Restricts human value judgments – removes
    inbuilt bias to improve result accuracy and reduce cost.
  • Quantifies qualitative data – making what
    is often invisible and intangible both visible and tangible so management is
    possible.
  • Recognizes organic and mechanistic business
    system thinking – meaning that we base solutions on sound academic rigor.

RS Vista is already helping many businesses develop their auditing strategies by collecting evidence what is actually happening and signposting areas of risk for the auditing teams to target.

About the author: Ian Rosam from HPO Risk Solutions is focused on helping organisations digitise risk & compliance by leveraging the power of cloud, block chain and AI tools to optimise business and compliance performance.

Categories
Science & Insights

Risk Management, System, culture & compliance

An understanding of how mechanistic and organic systems influence the design and implementation of a compliance, performance & risk management systems.

This article uses academic rigour to explore that interplay to ensure audit and assessment is effective. As a result business culture such as performance and compliance management risk can be managed. Click here to view.

Behavioural indicators / outcomes are forward looking risk indicators.  Audit reports, results, surveys and KPIs are backward looking, no matter how much big data is collected they are not truly predictive.

About the author: Ian Rosam from HPO Risk Solutions is the creator of unique intellectual property to measure risk and business culture to business and compliance management outcomes. A system thinker, author and facilitator supporting the implementation of ERM and Management systems. Ian has worked in many different industry sectors.