Governance legislation since the Great Crash of 1929 has largely been enacted in response to corporate excess. Arguably, the objective of the legislation has had more to do with reassuring the public than reducing risk.

Most authorities point to the UK Cadbury report (1992) as the source of our modern ideas of corporate governance. The Cadbury report was a reaction to the collapse of BCCI, Polly Peck and Maxwell Communications. Like much of the corporate governance legislation to follow, the resultant Cadbury Code was responding to executive excess.

Australia’s Bosch Report (1995) followed the collapse of Rothwells, Elders, Bond Corporation, Tricontinental, Pyramid and Quintex. The unfettered actions of mavericks such as Laurie Connell, John Eliot, Alan Bond, Christopher Skase are now part of corporate legend.

Governance responses to corporate disasters

Cadbury in the UK, COSO in the US, COCO in Canada, King in South Africa and Bosch in Australia, marked an end to the old boys club. Directors were made firmly accountable for preventing and detecting fraud. The 1992 AWA case in Australia lifted the stakes further in the Commonwealth countries. The ruling established that the law does not differentiate between executive and non-executive directors with all being equally liable.

Sabanes-Oxley represents the most recent knee-jerk reaction to the collapse of Enron, Worldcom, Tyco, and so on. Many feel this legislation is deeply flawed and at least one major Australian organisation has delisted from the US stock exchange rather than comply with unnecessary requirements.

The commonwealth countries have followed a different path with ‘comply or explain’ regimes of corporate governance. The UK’s Combined Code is probably the best example, and represents the maturing of the Cadbury Code following the Hampel, Turnbull and Higgs reviews.

Australia followed a parallel path with the CLERP9 reforms to the Corporations Act (2001) following the collapse of HIH and One-Tel. However, reforms have not been uniform and the resulting regulatory landscape is considered by the Australian Institute of Company Directors (AICD) to be one of the most complex in the world.

There are the ASX guidelines for listed companies, the generic Australian standard AS8000 for all companies, and applied industry guidelines relating issues such as doing business on the internet (security, privacy and spam). There is also competing and sometimes conflicting legislation at both state and federal levels. This includes the Tax Act and related accounting standards, the Trade Practices Act which is prosecuted vigorously by the Australian Competition and Consumer Commission (ACCC), environmental legislation at state and federal levels that is also prosecuted to make an example of any transgressions, the Anti-money Laundering and Counter Terrorism Act and various conflicting state legislations around occupational health and safety, bullying and anti-discrimination, and so on. The most severe jurisdiction is arguably in the ACT where directors can be imprisoned for up to 20 years for industrial manslaughter.

The legislative line is very punitive with directors and officers assumed to be guilty and needing to prove they have taken every reasonable precaution. A culture of compliance is advocated by the AICD as the best defence.

The financial crisis has regulators, governments, and the media focused on economic stimulus. However tough questions will soon be asked about what went wrong. Ineffective governance will be one of the first targets, and it won’t be just the financial sector that faces increased scrutiny[1].

Few doubt that effective governance has value, but to paraphrase Warren Buffet “the tide has gone out, and Sarbanes-Oxley for example, looks like it was swimming naked”. Investor confidence has not increased, management accountability is being called into question and the tens of billions spent by boards for compliance has not stopped or prevented the crisis.

For years, as an academic and as director, I along with many others have been pointing out the flaws of governance only for the sake of compliance.  Most governance prescriptions are a response to corporate excesses and enacted to reassure the public and few prescriptions actually improve performance or reduce risk[2].

Now the tide is out, higher levels of scrutiny must be expected. What will it expose? I believe the corporate governance of major projects will stand out as one of the highest priorities for attention.

Management of large-scale expenditures is a fiduciary duty requiring careful oversight. However a Deloitte survey of boardroom directors revealed oversight of IT projects was either “blind” (29% with inadequate information) or non-existent (16%)[3]. They warned in 2007 that the results were “tantamount to negligence” and the AICD have long reported statistics suggesting the problem is more widespread[4] (Figure 1). My own research suggests that as many as two out of three projects fail to deliver the expected benefits[5]. Increased scrutiny could reveal the real failure rate. However what might be worse in the current financial environment is to have two out of three strategic initiatives fail to increase revenue, enhance customer service or reduce cost and threaten survival.

To survive, thrive and also to minimise the governance backlash, the first step must be to get the right information needed to govern effectively. The board bears the responsibility to set clear guidelines and expectations about the kinds of information they want to see filter up. What benefits are being targeted? [how is this consistent with our strategic priorities?] Do we have the organisational capacity to realise these benefits and what other risks are involved? How will we measure success? Do we have the right person driving the change? Are there any warning signs that the project is going off track? Are the benefits being realised? These questions seem simple but none of the directors I have spoken to had an effective process to terminate failing projects. Benefits are usually quantified (66%), but they are often overstated (27%)[6], change is not always considered (40%)[7], individuals are not held accountable (5-23%) and few organisations track benefits through to realisation (10%)[8]. Organisations do not focus on the true determinants of success.

In the absence of guidance, management has turned to so-called ‘best practice’ and focused on efficiency measures such as on-time and on-budget. Unfortunately on-time on-budget reporting was never the most appropriate focus for governance. It is certainly not enough in this new world. Only effectiveness will count because average or below-average performance will not guarantee survival. Above-average performance gained through acceptable levels of risk is the true objective of governance[9], the standard to which the board must aspire and the standard to which management must be accountable. Governance effort for compliance only, even if it is with a so-called ‘best practice’ framework, is a governance luxury we can no longer afford.

References

[1] 2009 Corporate Governance Conference: New Risk, Accountability and Leadership Challenges. Toronto 6- 7 May

[2] See related article providing A brief history of corporate governance 15 July 2009

[3] What the Board Needs to Know About IT: Phase II Findings (Deloitte, 2007), http://www.deloitte.com/dtt/article/0,1002,sid=36692&cid=151800,00.html

[4] D. Lovalla and D. Kahneman, “Delusions of success: how optimism undermines executive’s decisions, Harvard Business Review,” Harvard Business Review July (2003): 58

[5] R. Young, “What is the ROI for IT Project Governance? Establishing a benchmark.,” in 2006 IT Governance International Conference (Auckland, New Zealand, 2006)

[6] Chad Lin, Graham Pervan, and Donald McDermid, “IS/IT investment evaluation and benefits realization issues in Australia,” Journal of Research and Practice in Information Technology 37, no. 3 (2005): 235-251

[7] KPMG, “Global IT Project Management Survey: How committed are you?,” 2005, http://www.kpmg.com.au/Portals/0/irmprm-global-it-pm-survey2005.pdf

[8] John Thorp, “Unlocking Value – Delivering on the Promise of Information Technology,” in Delivering Value, 2008, http://www.isaca.org.au/modules.php?op=modload&name=News&file=article&sid=28

[9] F.G. Hilmer, Strictly Boardroom: improving governance to enhance company performance (Melbourne: The Business Library, 1993)

Executive Summary

• Following the GFC – governance practices will almost certainly be questioned
• New governance requirements are likely to be introduced
  • Historically new requirements are introduced reactively
  • There is a risk new requirements will not add value
• We should anticipate these developments
  • It takes longer for management to respond than for the board to ask
  • We should identify the key areas that need to be governed
  • We should check we have effective systems to monitor the key areas, and introduce new mechanisms where necessary
  • Governing major projects is one area worthy of attention
  • New Standards AS8016, HB280 have much to offer.

The Global Financial Crisis (GFC) will inevitably lead to higher levels of scrutiny. It is likely to expose the high rate of failure of large investment projects. The Australian Institute of Company Directors highlight the problem in a number of modules in their highly regarded Company Director Course:

• ¾ of mergers and acquisitions never pay off
• most large capital projects fail to live up to expectations
• majority of efforts to enter new markets are abandoned in a few years
• 70% of new manufacturing plants are closed in their first decade

Leading audit firms have commented that management of such large-scale expenditures is a fiduciary duty and imply that current practice, with IT projects in particular, is “tantamount to negligence” [i]. Until now this matter has not received much attention and boards have not been held accountable. The backlash following the GFC is already being felt and the lax levels of supervision are unlikely to be tolerated in the future.

Boards and their advisors are strongly encouraged to implement regimes that will increase the success rates of their investments. The six questions from Standards Australia’s handbook on the corporate governance of projects [ii] is a framework that would make a difference. In the presentation below, some of our early work is presented to suggest how the questions could be implemented in practice.

A version of this article was originally prepared for submission to the Australian Company Director Magazine. The key points were also presented at an ISACA Summit held in Sydney on 31 March 2009.

[ii] Standards Australia, HB280 How Boards and Senior Management Have Governed ICT Projects to Succeed (or Fail) (Sydney: Standards Australia,  2006)

The previous blog looked at why you would model but how do you choose or even find an appropriate modelling tool. In this short blog I do not propose to promote one modelling tool over another or even give a listing of all available tools. I am pretty certain if I tried to do that this blog would become the size of the local library! Besides others already do a better, and far more admirable, job of that than I ever can. What I can do is point you towards a few options that exist and where to find more information.

The range of Business Process Modelling tools is vast and as varied as the possible applications that they can be used for. Some are focused on pure business process and some more attuned to IT functionality. As the old adage says, “Different horses for different courses”. Tool selection depends firstly on what you want to do and secondly on the amount you are prepared to spend. Prices can vary from free to a million dollars or more! Ouch!

In general cost is proportionate to capability. If it is your desire to only produce basic models on how your business functions then costs for that level of software would be significantly lower. If, on the other hand, you want to have models that allow you to simulate or record business processes in real time and produce a current and active dashboard of your business in real time, expect to pay a bit more.

What suits a smaller company with a turnover of less than a million dollars a year is going to be vastly different from the big corporate that turns over in excess of $200M per year. Luckily BPM tool vendors provide tools for all markets and requirements.

For some smaller businesses, and sometimes even larger ones, all that is required is MS Excel or MS PowerPoint. For something a little more complex MS Visio is more than adequate.

A further aspect to consider is that if the models are to be used to develop systems and/or workflow in IT then it would be handy for the tool to have Business Process Modelling Notation (BPMN) language capability.

To find out about some of the options just look up BPM tools on the internet. Ooops, lots isn’t there?

Don’t despair. The internet is a great way for finding details on any number of tools but would obviously be time consuming. There is a couple of better ways:

1. Look up Gartner or Forrester Groups on the internet. Both of these companies have already done the hard work and produce overviews on the most of the up to date tools available each year and where they sit in relation to each other. See www.gartnergroup.com or www.Forrestergroup.com
2. The second, and by far the easiest, is to ask a BPM consultant. They might not be across all available systems in the world but they will most certainly be aware of what is available in your area and, most importantly, what would suit your situation. After all isn’t that what you are trying to do?

In the end it is what you are going to use the tool for that is the most important aspect of all.

I have one word of caution: If you are looking at spending good money on purchasing a BPM tool then you also need to make a commitment to maintain and update the models as necessary to keep them current with your business.

So what is a modelling tool and how does it work? Why would I pay big dollars just to draw pretty pictures that I may or may not use again? Why can’t I use PowerPoint, Visio, Excel? The answer to all these questions and more comes back to one thing, “Why do you want to capture your processes?”

Most people are familiar with the term process mapping which is, in a nutshell, the sequencing of a number of tasks in a diagram to produce the end result that we call a process map. Historically this is represented by using two dimensional mapping tools such as Excel, PowerPoint or even VISIO. The resulting ’picture’ is a representation of the tasks that go to make up the process and that is all. Often the output is used briefly, if at all, and then ends up on the bottom of someone’s drawer or lost in the great black hole of documents on their hard drive. Sound familiar?

Business modeling is the sum of so much more. A common definition of modelling is:

“the capture, documentation and analysis and design of the structure of business processes, their relationships with the resources needed to implement them and the environment in which they will be used”

What this means in plain English is that business process modelling (BPM) models the process tasks and their interaction with the environment (e.g. office, customer), systems (IT stuff!) and resources (e.g. people, organisations, and product)

Modelling enables the viewer to understand the relationships between different processes, data, IT systems, people and skills. It captures and aligns with business objectives, products and services and records risks and regulatory requirements. It even allows and assists IT developers to design or improve systems to better support the business.

The above is all very nice but why would I want to ‘model’ rather than ‘map’ my processes? Good point. If all a business wishes to do is to gain an overview of the tasks involved in a particular process then all you need is a mapping tool. You probably already have access to one of these if you have Microsoft or Apple software. Mapping tools are also easily downloaded from any ‘open source’ supplier on the Internet.

If, however, you really need to understand all the components, relationships and interactions of a process then you need a modelling tool.

Process modelling takes things to a much higher level. A model is a ‘living’ document. It introduces rigour and standardisation (models are based on a common methodology). It enables analysis of relationships and data and can even be used as a base for simulation and rapid process engineering. In short it enables you, or anyone else, to gain an understanding of how your business operates.

So questions you need to ask yourself if you are considering capturing your business processes:

• Do I need an understanding of how my business operates?
• Do my business processes align with my business strategy and key performance objectives?
• Are my processes aligned to and support outcomes to my customers?
• Are my systems working effectively to support my business?
• Is my business complex and/or operating in a complex environment?
• Do I have enough/too many staff to carry out the day to day running of my business?
• Are my staff often involved in ‘workarounds’ or frequently fixing errors?

If you answered yes to any, or a number, of the above then it is worth looking at a modelling tool to support your business.