Archive for the ‘Risk Management’ Category

Is Your Corporate Security Worth The Cost of a Monthly Latte?

February 18th, 2015

I’ve had the opportunity to work with some incredibly sharp Finance folks, many of whom are able to deliver on their budgeted results regardless of what curveballs are thrown at them. Some are able to effectively deal with shades of grey while exhibiting a focus on what is best for the company. Others are rigid, run the company with an iron fist, and if not budgeted….it’s not going to be spent…no matter what. It’s the latter approach that I have seen quite often recently and it leaves me scratching my head as to the flawed logic that drives their actions.

As you can imagine, I’ve had the opportunity to watch our team deal with some of the most serious breaches, which are usually reported across most newswires. Breaches that could have easily been prevented, but are now going to cost companies a significant amount to repair, as well as have to rebuild their reputational goodwill with customers…or in some cases, spend more to offset the loss of critical IP.  In the midst of these breaches, I’ve seen companies argue whose budget will carry the cost of the response because it wasn’t part of the original plan. They sit and quibble about the lack of Budget dollars in the face of a breach where millions of records have been released or critical IP has been compromised.

Let’s back up though to a point in time prior to the breach. The Cylance team goes in and walks through our technology and displays its absolute effectiveness to the prospective customer. It is all too clear that our solution crushes the traditional antivirus “solution” and would either protect them from malware that has hit their competitors, or in the most optimal display, would have prevented the breach that had just occurred. They’re also shown the efficiency with which our platform operates and places a CPU load in the low single digits, which again, is at the opposite end of the traditional antivirus spectrum that typically has the CPU redlined under an attack. Let’s not even talk about the additional costs of incident response that have to be carried in the event of a breach, which are often in the range of $400-500/hr depending on the seriousness. Don’t like paying legal fees for frivolous actions? Try paying those fees when you know they could have been avoided for the cost of a latte…

As simple as this sounds, it really does come down to the cost of a latte…and this is no joke. Companies cater business lunches for “working meetings”, companies tend to get a bit loose in the wallet for other “business events”, but there is also the retort of “we don’t have any open spend for this area…”. So let me rephrase what you just said:  Are you saying that you don’t have any open spend equivalent to the cost of a coffee for each endpoint in your enterprise to ensure the security of your employee records, customer records, and critical intellectual property?

While I certainly don’t like surprises or unplanned spend, we are certainly operating in different times and need to be able to adequately protect the data and prior investments we’ve been entrusted with. It used to be a failed ERP implementation that might cost a CFO or CIO their job, but now it will likely be ineffective security spend and ineffective deployment that will cost jobs. When the situation has the absolute ability to affect revenues and jeopardize key data…the CFO has to be involved and do what is best for the business. Perhaps that’s something to consider when you’re sipping that latte during your transitional networking meetings…

Thanks for reading.

Jeffrey Ishmael

CFO’s & Cyber Risk: Protecting Your Performance…& Shareholders

May 2nd, 2014

As a CFO, I can’t help but be a bit shocked at the recent article on CFO.com “CFO’s Disregarding Cyber Risks”.  In my position, and more in relation to my past positions, my involvement with IT-related activities typically centered on the ongoing assessments of our ERP platforms, annual budgets, necessary capex, and the standard operational issues. I can honestly say that cyber risks were really not part of our ongoing concerns, nor was the topic ever tabled by the rest of the senior leadership team or the Board. We also weren’t planning in an environment where billion dollar breaches were being reported in the press.

Fast forward a few years and it’s hard not to take note, and initiate an elevated level of planning, in the face of the Target breach that occurred just prior to the Holiday shopping season. I don’t care what industry you work in, any CFO should take note of a company which, in a single Quarter, revises their earnings estimates down by 25%, or approximately $250 million. How about a revision in revenue estimates that takes the topline down by almost $1 billion….in a single Quarter! Even more importantly, at the time of the revisions, the company was unable to assess the potential impact of the breach beyond the current Quarter. That event by itself should have every CFO looking over their shoulder and considering the proverbial “what if”. Evidently not…

In the recent article on CFO.com, which drew 600 responses, CFOs ranked data privacy only 12th on their list of corporate risks. In comparison, data privacy ranked 26th on their list in 2013. While the level of importance is rising, it’s still not being given the proper level of attention. At the top of their list was legal and regulatory shifts. In hindsight, I would love to have someone provide me an example where legal or regulatory changes resulted in an immediate and material revision to earnings or revenues. These are typically changes that are discussed over extended periods and phased in, thus allowing the company and shareholders to digest the resulting changes in how the company reports its results. This is in stark contrast to waking up and realizing you’ve just compromised the privacy for 70 million of your customers in the most critical shopping time of the year.

What was also concerning about the article is that 57% of the respondents weren’t analyzing whether they had enough cyber insurance coverage or weren’t undertaking additional key activities to sufficiently mitigate the risk of cyber risk. This was not only happening at the senior leadership level, but at the Board level as well. While the public and general investing community is aware of the breaches that are reported in the press, I know I have taken an entirely different approach to my personal cyber security as a result of the work I see our team doing across a wide spectrum of industries and with companies that are very recognizable to us all.

As a CFO, if you want to ensure that all of your cost-saving initiatives and EBIT performance aren’t compromised, the investment in a security solution will pale in comparison if you do encounter a significant breach…

Thanks for reading…

Jeffrey Ishmael

Proactive, Reactive, & The Need To Balance Resources…

March 13th, 2014

As we’ve recently come off a successful Series-B fundraising effort that included our original partners Khosla Ventures and Fairhaven Capital, as well as our newest partner Blackstone, it really affirmed the delicate walk we’ve managed over the last 18-months. With the initial $15 million in funding we received we knew what our mission was and the support structure we would need to have in place to make it happen. This consideration was not just to the staffing we would need to bring on, but the systems we would have in place to support our decision making.

I still remember the amusement I had when, fresh off an SAP implementation, I was given my laptop with QuickBooks installed. While that was fine for the first few months, that certainly wasn’t going to be our longer term solution. Nor was I going to pony up the dollars for an Oracle or other similar platform. With a commitment to be surgical about our spend, we mapped out what system would be needed to support our sales efforts, service deployment, as well as our financial reporting….all of which needed to be integrated. We were trying to be as proactive as possible, but knew we’d have to pivot at points along the way. We successfully brought Salesforce.com online, and with the hire of a VP of Sales, who developed the necessary criteria to report on our bookings activities. We then integrated our services management platform, which then finally rolled into our financial reporting system.

However, as the business continued to mature, we found ourselves having to react to changes that forced us to pivot. We reached a point that it was necessary to extract ourselves from an early PEO commitment and bring all of our payroll and benefits administration in house.  Although we did not originally commit to the HR module, the time had come to add this on and react to our expanding business. This obviously meant more time and more money…that precious commodity we were so diligently managing. We continued to walk the path of being proactive on the critical elements, but reactive on those that we could push until the moment we actually needed to spend and weren’t creating any risk to the business.

Our earlier decisions on whether to spend proactively or reactively were put to the test during our due diligence efforts. Our earlier efforts to invest in systems have allowed us to continue operating in a very lean manner operationally. With myself and one analyst, we were able to manage through the onslaught of document requests, additional modeling, and review of systems to achieve the final sign offs that led to our Series-B funding. Although there were some smaller operational elements that we could have fine-tuned in advance, it was a derivative of our decision to operate in a lean manner. Those elements are obviously being addressed moving forward, but do not affect our ability to service our employees, customers, or business partners.

Even now with a fresh round of funding, we will continue our prudence with spend and walk the delicate line of when we should be proactive or reactive. While it’s always preferable to head down the path of proactive decisions, it’s not always best for the company if the deployment of those resources isn’t necessarily mission critical and has an extended window for return. The one certainty…this period of early stage growth will continue to be a target rich environment!

Thanks for reading…

Jeffrey Ishmael

Are You Managing Your Risks…& Your Expenses?

November 21st, 2013

I often discuss the need to have strong partners for all areas of your business. While those partners may not always necessarily be the most economical, there’s the comfort that the services or product they deliver will provide the quality and protection you need so you can stay focused on the business. In the case of our company, as we have continued to expand the profile of client we are dealing with, we have had to increase our corporate insurance levels in order to meet certain vendor requirements.

Although we had previously reached coverage levels that would be sufficient for any of our clients, we were also faced with an environment of increasing risk premiums. In fact, in the October-13 edition of CFO, they cited that “the average expense that corporations incurred for risk management jumped 5% last year”.  It was pretty satisfying to proceed with our most current renewal and see a double digit decrease in our premiums while receiving more robust coverage levels. Nor did we achieve the decrease by going with lower quality insurers either as we continue to engage with A-level insurers highly recognized in the market.

It’s examples like this that become a nice testament to the quality of a network and the results they are able to deliver. Do you have the same quality and commitment within your own network? If not, it might be worth a bit of homework to harvest some of those hidden savings.

Thanks for reading.

Jeffrey Ishmael

There’s No Other Lane Than The Fast Lane…

December 5th, 2012

If you’ve ever worked for a start-up or been associated with one, then you know there is no other lane available than the fast lane. You also know that, unlike traditional corporate environments, there’s not a clear cut segregation of duties. On your first day, after you’ve signed all the requisite paperwork, you’re given a broad selection of hats to wear…all of which need to be worn on a daily basis. In my case, I eagerly picked up hats for Finance, Operations, HR, Legal, and Purchasing. While many would scoff at having to take on functions they feel didn’t apply to them, it’s a great opportunity to help shape the foundation of the company and know exactly what levers are being put into place to pull at a later time. After spending months in the fast lane and staying head down, it’s pretty satisfying to see the efforts of the team play out with some of our recent changes and announcements.

After running stealth behind a 1-page static homepage, we launched our first revision of our website. We have some great talent coordinating the effort and the finished site is a product of that. It’s exciting to be able to actually start directing folks to the site who are constantly asking what we have been about, but until now, have been silent on our efforts. www.cylance.com

We also announced our acquisition of Skout Forensics, which is our second acquisition. Skout Forensics, based in the Washington, DC Metro Area, will be integrated into Cylance’s development team to enhance its own forensics technology roadmap and merge into Cylance’s professional services team to expand its already advanced forensics capabilities.

While we’re allowing a little light to shine on our accomplishments this week, there are obviously more great things to come and we’ll continue to keep a laser focus on what needs to be accomplished.

Thanks for reading…

Jeffrey Ishmael

Cyber & Network Security: “I See Said The Blind Man…”

October 31st, 2012

After joining my latest company, I’ve found myself exposed to a group of brilliant individuals who have a laser focused fascination for cyber security and every subtlety tied to it. For those that know my background, the natural question is how did I get pulled into this one? After my tours of duty with Quiksilver & DC Shoes, Schneider Electric, Pacific Sunwear, and investment banking, the security industry is a bit out of my realm. But then again, I wasn’t brought in for my security expertise, but for my ability to drive financial performance and create a foundation for the rest of this group to prosper.

However, it has been an eye-opening experience working with this group. Although all the companies I’ve worked with had extensive IT departments, as well as a focus on “network security”, this is a whole different level. Literally, on my first day with this team, I took immediate actions to tighten down my own personal information after reading a few articles that were forwarded to me. One article in particular discussed a journalist who literally had his identity wiped clean, including family pictures kept online, after his accounts were hacked. Unbelievable.

The more noticeable hindsight to me as I was discussing other companies with our team is that I don’t recall EVER receiving an email where the file was password protected. Now keep in mind that I’ve worked for a number of different public companies, as well as equity research at an investment bank, and I have NEVER received a password encrypted file. Maybe a password so I couldn’t alter the structure, but not to actually open the file. Even in my own previous approach, my idea of “locking things down” was to send any forecast or financial info out in PDF so it couldn’t be modified. I’m pretty much chuckling at that approach now in comparison to what the daily MO is here.

What is even more interesting is the approach that most corporate IT departments are taking with regards to internet access, the opening of unfamiliar links, the lack of ongoing security training, and the relative absence of putting any significant effort into this area. Most companies may not offer that much for a targeted attack, but the subsequent cost and loss of productivity is an entirely different matter. I know I’m looking forward to the continued immersion & learning about this industry. For myself, the obvious phrase that came to mind was “I see said the blind man…”, but I think I’m still relatively blind on the security front.

Thanks for reading…

Jeffrey Ishmael

Guest Blogger: Michael Dennis on Credit Issues

June 25th, 2012

I wanted to introduce a friend, and a new guest blogger, to the site. I previously worked with Michael during a period where he was a key member of my staff for what was a very complex business. Our company was a manufacturer of UPS systems, which involved no shortage of contract reviews, along with ensuring the collections on projects where any mishandling along the way could reduce already pressured margins. Michael not only currently works for a very notable company, but also has his own site at www.coveringcredit.com, as well as being a contributing writer to www.creditmanagementassociation.org. Thanks Michael!

“Supersize or Specialize?”

Another friend of mine lost her job after many years when her credit department was combined with customer support and order entry and her position as credit manager was eliminated. I honestly and sincerely don’t get it. The skills required to be effective in the collection role are very different from the skills required to handle the order entry and customer support functions. How do I know? At various times, I have managed all three departments… and I never once thought: What a good idea it would be to take an order entry representative and turn them into a collector… or… Wouldn’t it be great to cross train everyone and make one supersized Collections/Order Entry/Customer Support department!

I don’t disagree that creating a larger combined department would enhance the customer’s experience when placing an order, asking a question, or requesting assistance for the simple reason that more people working generally means shorter waits and quicker responses. That is certainly good for your customer. However, I cannot imagine how combining job functions could possibly improve collection performance for the company for all of the following reasons:

• Not everyone is cut out to be a collector, but this Supersized department assumes that individuals will be equally adept at collections as they are in their other roles.

• The economist Adam Smith wrote that specialization leads to greater efficiency. Creating generalists, which the Supersized department requires, is the opposite of specialization.

• Expecting most if not all the employees trained in customer support to become effective at collecting outstanding debts is unrealistic. Why? Because collections is not for everyone and given a choice, I believe that most people will spend more time helping customers and less time calling for payment.

• The skills needed to manage a Supersized department are different than the skills required to manage the collection process.

• By eliminating the credit manager’s position this company apparently overlooked a very basic fact. The credit manager’s biggest value add involves establishing appropriate policies to monitor and manage risk before orders are released, not in managing the collection team. Unless credit limits and credit terms are set appropriately and credit risk is managed proactively, the chances of collections improving as a result of this departmental merger and the layoff of the credit manager are somewhere between (a) highly unlikely and (b) it’s never gonna happen!

That’s my opinion anyway.  What’s yours?

Michael Dennis’ Covering Credit Commentary. Michael’s website is  www.coveringcredit.com.

Due Diligence: Sometimes Even The Best Miss….

February 10th, 2010

One of the things that I love about what I do is the opportunity to continue learning, whether that’s during the course of my day-to-day activities, or through the actions of others….good or bad. One area I have a real interest in is that of acquisitions and the manner in which they structure and strike their deals. What’s even more interesting is how those same folks approach the due diligence process. For some, it’s about speed, trying to capture 90% of the key data, and hedging the other 10% in one form or another. For others, it’s about a slow and methodical approach, turning over every rock, and scrutinizing every report, employee, past employee, vendor, and service provider. I’ve seen both approaches….and I’ve seen them both fail as well.

In a recent dinner conversation with someone in my network, we were discussing a recent acquisition and the manner in which the due diligence was conducted. The entire due diligence process lasted all but a handful of weeks before the investors came rushing in. What was unfortunate about the situation is that the corporation had a real estate loan that was not reflected on the balance sheet, and the mortgage payment that was being made was reflected as a lease payment. A further unfortunate discovery was that the building was purchased only in the last handful of years when real estate was approaching a fully valued scenario and is now valued significantly less.

Unfortunately, in the haste to conduct the due diligence, it appears the reviews went no farther than system generated financial statements, banking records, and reconciliations of vendor payables. Yes, there was a review of stated assets, but only those reflected on the balance sheet. Although it was likely that there was not any ill intent in the actions of the incumbent owner, it was an unfortunate discovery. The omission on the balance sheet was, in further review, likely attributed to the fact that during the 10+ history of the company, there was never a CFO or other key financial figure. Keep in mind that the investor group leading this effort were seasoned professionals and had generated significant wealth in their execution of prior transactions.

So how do you avoid such a predicament in your own future transactions? It goes without saying that the itemization below is not an exhaustive view of approaching an acquisition, but merely a start to analyzing every element of the situation…

· Who are you really dealing with…have you conducted background checks on key stakeholders?

· Have you run a full credit review / D&B on the corporation to identify all loans, liens, and other considerations?

· Are there reconciliations available for all material balance sheet items? Reviewed?

· Has the existence of all material assets on the balance sheet been confirmed?

· Has a review of banking statements, vendor purchases, A/P balances, and A/R balances confirmed figures reflected within the income statement?

· Have all tax returns been submitted on time & correspond to the income statement?

· Are there contingencies built into the agreement to hedge against any unforeseen risks, unknown off-balance sheet liabilities, or any other non-reported liens?

Like I said, this isn’t even close to an exhaustive list, which should ultimately be an extensive punch list of data to review, forecasts to be developed and riddled with considerations, and ultimately, considerations given to the respective cultures and other intangibles. Truly a complex jigsaw puzzle to consider….

Thanks for reading . . . .

Jeffrey Ishmael

Core Competencies vs. Key Inputs: Manage your risk….

October 19th, 2009

Last week I had the opportunity to attend a panel discussion on growth strategies in the current economy. The panel was comprised of key executives from US Bank, Mission Hospital, Apria Healthcare, and Toyota. All on the panel discussed what they had done over the last 12-18 months to reduce operating expenses, improve working capital positions, or in the case of Mission Hospital, revise their M&A strategy in the acquisition of a local hospital. One interesting point that was tabled by a few on the panel was the general point of reducing expenses or portions of their operations that were not a “core competency”. However, I’m not so sure companies really give the appropriate consideration to assessing “core competencies” and the contributions that certain portions of the operation contribute if not viewed as a core competency.

One specific example I have in mind was part of a preliminary restructuring effort that was put into play when I was working with MGE. There was a very heavy initiative by our global management team to further improve our EBIT results. This was in preparation for a final valuation tied to the purchase of the last outstanding portion of our company. We were being tasked with reducing our operating expenses and eliminating those that were not part of our core competency, which was viewed as the manufacture and service of UPS systems. For all intents and purposes, we primarily handled final assembly and testing of those systems. At the time, our company owned & operated a transformer manufacturing facility only a few miles away. It was determined that this was something that was not part of our core competency, was product that could be outsourced, and should be sold. If you are familiar with a UPS system, you then know how critical a component a transformer is. Regardless, after identifying the buyer and going through all the valuation and due diligence steps, the operation was sold.

Fast forward 2 years. As part of a North America EBIT development plan, there were 5-key areas that we decided to focus on to not only improve an already admirable EBIT result, but to identify areas of risk to our EBIT. One of those was the sourcing and purchasing of transformers. It was confirmed by outside consultants, and in agreement with earlier objections to sell the operation, that there was significant single source risk with transformers, and if our one supplier source were to have any type of disruption in delivery, it would immediately impact our results. If this one small company had a fire, decided to engage a new larger customer, or perhaps drop our company, it would significantly affect our ability to deliver on orders that we already had in place. Further, it was determined that the window to bring a new manufacturer online could be as much as 6-12 months.

Ultimately, the debate is not about simply identifying your core competency and focusing on just that. It’s about appropriately identifying the key / critical input and making sure that in your decision-making you are not eliminating a portion of your operation that will put the company at risk. While it might seem that the concept of core competency is pretty black & white, you can’t overlook the necessary considerations to key inputs and their effect on executing your core competency. Do you have the appropriate contingencies in place to ensure you’re mitigating any revenue risk? More importantly, have you taken the time to really identify what your critical inputs are and that you have supplier contingencies?

Thanks for reading . . . .

Jeffrey Ishmael

Restructured? Reassessing Your Risk & Coverage Profile.

September 24th, 2009

Over the last 2-years, there’s not a single person in my network that has been immune to what has transpired with the economy, both domestically and globally. Some have been fortunate, as we have, to experience growth, in a sector that has been heavily hit and seen many players eliminated or significantly downsized. The efforts to adjust to these changes have been to scrutinize every revenue and expense stream within the company and determine where changes can be made. One of these areas, Insurance Expense, can be a pretty significant area depending on the industry you find yourself working in. From the area of workers compensation, to product & general liability, to health, it can be significant. However, the focus should not lie solely on the quotes provided by your agent at the time of renewal and what a new agent might be able to save you.

If you’ve either seen a significant decrease in the scope of your business, or been lucky enough to grow, then what you should really be doing is diving into the different elements of your insurance coverage to determine if that coverage is appropriate for the company.

More specifically:

• Was your policy initiated many years prior, in a period where coverage was provided to you as a new entity?

• Have you seen a major change in your employee count and the scope of activities that they are involved with?

• Has the company undergone a significant change or expansion in the supply chain or the amount of product moved?

• Does the current liability umbrella provide enough coverage for where the company has progressed to?

• Do you have coverage for your Directors & Officers? Is it sufficient for the scope of business?

• Do you have the proper levels of Employee Practices Liability for the company & is it commensurate with the risks of your industry?

Conversely, if you’ve been unfortunate enough to see a significant decrease in the size of the company, are you over-insuring the company and paying too much in insurance expenses? How many vendors are you having to deal with and can you effectively manage your insurance portfolio? Do you know what areas you might be lacking in your current coverage? In such a litigious environment, the cost-benefit of proper insurance coverage cannot be overemphasized. Although this area can represent a large expense for the company, the risk of a lawsuit or other event that exposes the company will be multiples of what your actual expense is.

If you have a good insurance partner, then there are also ways that you can decrease your expense exposure with respect to internal education programs, safety programs, and other employee involvement. There are also opportunities to look at deductible amounts, although this will not have as drastic an effect as the increase or decrease in your overall coverage amounts. Do you know where you stand on your insurance portfolio and scope of coverage?

Thanks for reading . . . .

Jeffrey Ishmael