Archive for the ‘Risk Management’ Category

Discipline #6: CFO as the Regulator of Risk

August 14th, 2009 Comments off

     In my last segment on Jeremy Hope’s book, “Reinventing the CFO”, I covered Discipline #5, or the CFO as the Master of Measurement. I had mentioned that this was one of my favorite sections of the book, and the one area I so rigorously incorporate into my day-to-day operations. Not only in a financial perspective, but in an operational perspective. Without measurement, there is no assessing the progress the company is making, not to mention the accountability that measurement can bring into the development of management goals.

     However, there is no more an important role for the CFO than as a Regulator of Risk. Assuming the role of “Regulator” needs to be more than ensuring your producing financial reporting that is compliant with GAAP or that you’ve taken the time to meet with your Sales group to ensure that there is legitimacy to a recently submitted Forecast. If this is the extent of your risk regulation activities then you’re doing nothing more than assuming the role of a Controller or Auditor. In Hope’s book he identifies key areas in the management of risk and uncertainty:


         Set the highest standards of ethical reporting and behavior

         Regularly review the key pressure points for excessive risk taking

         Manage risk across the whole organization

         Approach uncertainty with an open mind

         Provide effective feedback controls


     Regardless of the size of organization I have been involved with, I’ve always made it my business to be hands-on in the areas where I perceived a material level of risk with the company. Whether this was in the area of A/R for key accounts and the application of credit insurance, management of our IP asset base, order backlog & our outstanding P.O. commitments, legitimacy of an aggressive sales forecast, or any H.R. related issues, I was involved. It doesn’t mean that I was necessarily setting policy or managing the day-to-day in these specific areas, but I did have an understanding of what was happening in these areas and the concerns of the Managers responsible. It also doesn’t mean that we never encountered hiccups in these areas either. However, the flow of information was consistent enough that when it hit the radar we were able to act pretty quickly to mitigate the negative impact to the company.

     This is a great area of Hope’s book and it should be clear to anyone responsible for managing risk that it can’t be covered in a single chapter. But Hope brings up some great points for review. As I’ve heard discussed in the circles of Law Enforcement, the CFO “should respond to the spirit of the law rather than just the letter of the law. Governance and risk management are about more than checking off the boxes.” He also discusses the need to “be uncompromising about ethical behavior. Be the guardian of ethical standards and the last line of defense against unethical reporting.” 

     I do like these points, but again, these tend to be reactionary as opposed to preventative. Prior to my CFO roles, I was fortunate enough to work under some great CFO’s who mentored and included me in their daily regimen. They were all forward looking and instilled the need to look ahead and be wary of that which would derail the ability to meet your results; anything that would have a material impact on the financial results. Trust in nothing and always have your contingencies in place. It’s the approach that I’ve continued to incorporate in my day-to-day routine and in the development of longer term financial plans. As a “Regulator of Risk” you need to ensure that you’ve done more than just make sure your insurance policies are current. Have you done what you need to protect and ensure your results?


Thanks for reading . . . . 

Jeffrey Ishmael

Credit management – Do you know your current risk level?

May 7th, 2009 Comments off

     Working at a smaller company, there are the inherent benefits of being able to quickly adapt to changing market conditions, implement changes quicker, as well as having a more direct line of communication with your account base.  At the same time, however, there is the probable loss of information tools you may have had access to before. For our company, which is a footwear company based in the Action Sports industry, we are typically dealing with the “Mom & Pop” retailer who typically have only 1, or a few locations. Having the most current financial profile on these folks is typically unlikely, any reliance on D&B info is sketchy at best, and the possibility of credit insurance is unlikely considering the customer profile. So how do you handle the credit granting decisions with a hand like this dealt to you?

     At one of the previous companies I was at, we dealt with larger, capital-intensive projects with blue chip accounts where accurate financials were a google search away. These were also accounts that were seldom turned down by our credit insurance company Coface. Although at times I questioned the need to pay the high annual premiums to insure our credit portfolio, it would have only taken a single job to go sideways to make up for years of paid premiums. I would bet that in 18-months since I left that their credit insurance was tapped on a few occassions considering the primary customer profile was in the financial services sector. But then again, these guys were solid…right? But alas, my Coface coverage was a tool that can’t be applied to the customer profile that I am dealing with now.  On to the next move….

     In consideration to all the D&B reports that I have pulled, I have found, in general, that this information is not typically reliable at the corporate level and often lags in getting the information updated. Sometimes over significant periods of time. I would NEVER make credit decisions based on Dun & Bradstreet information alone. It’s merely a single factor in the consideration of approving a new account or keeping tabs on a existing account. Ok, what next….

     I am a huge advocate of trade groups and their ability to gather and share information at more of a “street-level” application.  But from a financial perspective, I have found that trade groups within the Action Sports industry are somewhat non-existent. There’s fantastic trade groups at the Retail level, Environmental level, Manufacturer level, but I have not found one that focuses on the financial side.  Maybe an opportunity here?  I was recently contacted to become part of Footwear Industry Trade Group. The concept is in its infancy, but we went through a demo and reviewed the available tools. Really a solid approach and has great promise. However, in reviewing some of the companies they have participating, they are not in our peer group. Any sharing of information would be of no benefit to us. The companies that are currently signed up are not sold through our typical account profile. I tentatively committed to our participation in the group, but only if they successfully signed more of our peers. So what am I left with…?

      I’m left with the key element that is driving the current growth in our business and allowing us to post numbers higher than last year….the relationships that we have with our accounts and the collaborative approach we take with them.  We take a sincere approach to developing partnerships with our account base and supporting them in whatever way we need to, so long as it also makes sense for us as a business. Whether that’s international or domestic. Whether that means sending out an email myself on a past due invoice, calling them directly to discuss a paymet plan, or to just discuss their general outlook. I believe it’s that approach that has allowed us to mitigate our credit risk and realize a bad debt expense percentage that is far below industry standards.  While there’s always the unforeseen risk that might always catch us by surprise, I do everything I can to minimize that risk and maintain a keen focus on our collections activity in this environment. Do you know what your current risk levels are?

Thanks for reading. . . .

Jeffrey Ishmael

Do you have your financial diagnostic checklist?

September 25th, 2008 Comments off

As I start getting situated into a new CFO position, the first thing I do is run through a preliminary diagnostic of the processes in place, the quality of the information, and the depth of information that management has at their disposal for key decision making. As I’ve mentioned in my posts on internal audits and other control-related commentaries, I want to know what my immediate areas of risk are to the firm and address them immediately. While I have a much more comprehensive list, some of the areas listed below are those I start addressing in the early stages.

-Review of the most recent audit report for insight on potential issues.
-Skills assessment of the existing staff and their commitment levels.
-Review of current systems and the ability to extract accurate reporting.
-Review of all working capital elements and exposure to potential write-offs not recognized.
-Determine the health of current bookings and pending shipment pipeline.
-Assess any current or pending litigation issues.
-Assess the current banking relationships and determine potential issues.
-Assess the dynamic among the Executive team as well as the Board.
-Determine if overall compensation levels are in line or if there is risk to a broad-based increase.
-Review current insurance levels and confirm coverage levels are appropriate.

After reviewing the list above the first question is “Why wouldn’t these items be questioned or reviewed during the hiring process?”. In fact, they should be, but as we all know for the interview process, there’s the process of kicking the tires when you’re on the lot and actually getting a feel for the performance of your new purchase after you’ve had it for a week or two. This is not necessarily a negative situation, but sometimes the Company wants you as bad as you might want the position and you might only get that 80% view. Regardless, if you enjoy what you do and you appreciate a challenge, make the most of it and ensure that the efforts you commit are those you can be proud of and strive for nothing less than success.

Thanks for reading . . . .

Due diligence doesn’t stop at the financials. . . .

September 22nd, 2008 Comments off

This week I received my new copy of “The Deal” magazine, which focuses on all activities that are M&A related. One article that was a pretty enjoyable, not too mention dramatic read, was about the path that a Las Vegas-based company, Xyience, has taken in its path to raise capital and achieve sales goals. The name of the article, “Rumble”, followed the various paths of investor fraud and malfeasance that had occurred over the years. It also detailed the history of it’s main executive, Russell Craig Pike. The article documented the various entities that Pike had been involved with and his history of criminal fraud. The biggest question the article left me with was how on earth did this individual continue to raise investor funds and how none of the investors, atleast it appears, did any type of due diligence on the company and the executive team.

The simple concept of due diligence shouldn’t just stop at the financials, but should extend to all aspects of securing resources for your organization. One of the areas that I put in every effort to ensure integrity is in my personal network. Everyone manages their network differently, but I put a significant effort into my LinkedIn profile and the contacts that I keep. There is no one person that I add to my network that I haven’t met with directly or that shares multiple points of contact directly within my network. I also want to make sure that I follow the work of my contacts and the levels of service they provide if I make a recommendation. And these efforts are just for service referrals. When it comes to funding activities, I would advocate nothing less than a complete background and reference check. Know who you are doing business with, their history of success, and their reputation.

Looking at investing in a business, purchasing a business outright, or entering into a strategic partnership? You should know exactly who you’re going to be risking your reputation and funding on. After all, due diligence doesn’t stop at the financials . . . .
Thanks for reading. . . .

Jeffrey Ishmael

Quality Control…or is it Quality of Controls?

September 17th, 2008 Comments off

It’s a bit disheartening to continue reading about so many instances the last few days of internal fraud carried out at both private and public companies. There’s no need to look any farther than to see examples in the last few day, which include American Intl. Pasta Company (fraudulent reporting), Hilfiger ($19m embezzled), and Quest ($10m “questionable” transfer). As a Finance professional who has worked at both smaller and larger entities, the biggest question I have is what were the levels of audit / control that were supposed to be in place and why didn’t they detect this activity sooner? It’s an easy question to ask but we don’t need to look any farther than some of the most recognized institutions, which have some of the most stringent controls, for examples of controls gone bad. Do you recall the collapse of that English banking institution formerly known as Barings as a result of the futures trading and wiping out the banks reserves entirely? How about more recently, Jerome Kerviel of Societe Generale and his 7.2 billion Euro loss on his futures trading?
Whether public or private, every company needs to have these levels of control in place to detect potential mis-dealings by employees. And it’s not going to be found just within the Finance department. It’s going to be found in Purchasing, Marketing, Logistics, and every other functional area of the organization. It’s not just going to be in the form of embezzled funds, but in inappropriate relationships, kickbacks, or even something as elaborate as a shell corporation, which I discovered had been set up by a country manager at our Mexican subsidiary. The foundation for having these controls is not just the documentation of certain processes. It needs to start at the top of the organization and putting in place an environment of control that communicates to employees what their span of authority is. Defining what their decision making limits are, and if pending decisions are outside of those limits, what the escalation process is for approval.

Within the scope of a SOX framework, it outlines the need for a “suitable and recognized control framework”. There are a number of segments that comprise this framework, but from overall view, there key areas to address. These areas include, as discussed, a Control Environment, Risk Assessment, Information / Communication, and Monitoring. Now, as I’ve mentioned with all my posts, this is only meant as a summary and not an exhaustive commentary. Our ultimate goal as Finance professionals should be the ability to generate company financials that are free from error and allow the key players in the organization to make informed business decisions. To generate information that can be trusted and relied on in the growth of the business. Only after we have managed to deliver this, as a functional area, can we fullfill the remainder of our role as an advisor on other corporate matters.

It would be easy to spend a week discussing the topic of internal controls, structuring an internal audit, and the follow-up activities of such an audit. Not quite possible here. The intent here is to have you consider the topic, whether it’s appropriately addressed within your organization, or that maybe it’s in need of a refresher due to material changes in staff, market, or regulations. What is the Quality of your Controls?

Thanks for reading . . . .

Internal Audits & a review of Information Systems

August 28th, 2008 Comments off

In my last few posts about the internal audit process I reviewed the approaches that were applied to the Finance/Control and Sales/Marketing areas. Equally important, perhaps the most, was the review of the Information Systems. For my time at MGE, I had actually found system uptime and the quality/consistency of data to be some of the best at any company I had worked with. I had not encountered any issues with security breaches of info, nor had I heard any horror stories.

This was one area of the audit that we had any differences of opinion regarding the findings of the auditors and the processes that we had in place. It finally came down to an “recognition” of their findings as opposed to agreement. We also found ourselves in a position in which one finding in the North American audit was the direct result of directives from our headquarters in France not to implement specific action plans. Some of the findings of the auditors included:

1. No comprehensive Disaster Recovery plan. This was the interesting one since we had such a plan in each of our capital budgets for the previous two years and were told by our headquarters that there was no room for this in the Budget. Well….I guess there would be now. The auditors were looking for defined system recovery requirements, storage and data locations, emergency procedures, along with a recovery framework.

2. Lack of segregation / out of date access rights. This was an area that I had addressed in an earlier post regarding access to Finance info. While we had addressed this issue within the Finance department, there was not the follow through to address this on a greater company-wide basis. This was a valid point but ranked lower on their priority list.

3. Lack of formal IS procedures. Another interesting one since they were looking for a set of KPI’s to be implemented to measure the performance of this group. It came down to the fact that we did not use their KPI’s. We had a fairly extensive list of indicators that we used to measure everything from system uptime, storage performance, user service requests, to project management.

4. Platform access rights. We had a single individual who had access rights to both the Production and Development environments within a certain software application. It was a little difficult to get around this since we only had one person who had an expertise in this platform and were not going to make additional investments in the platform moving forward. Point noted….

As I had mentioned in earlier posts about the internal audit process, this continued to be a very valuable process to help identify potential areas of risk. Fortunately, there continued to be very few surprises as we progressed through this project. I would highly suggest to any Senior Finance professional coming into an organization to read the last internal audit report, or conduct one if one has never been undertaken. Know where your risk is and how your career could potentially be impacted.

Thanks for reading . . . .

When Audit teams and Sales staff collide….

August 18th, 2008 Comments off

In my last commentary on Internal Audits, I went into an overview on the segment concerning Finance & Control. When it comes to this group, internal audit exercises are rather straightforward and generally not intimidating. But how do you coordinate this same exercise for a group that’s not used to being questioned and are accustomed to generally running in a fairly independent fashion, like the Sales department? Answer, very carefully and with a bit of handholding. Again, like the Finance portion of the audit, this is only intended as a brief overview and there was a much more comprehensive approach behind the scenes.

Although the intended scope of review for this department was not going to be the least bit exhaustive, it did mean that Sales personnel were going to be questioned on protocols and that their approach was going to come under some level of scrutiny. With regards to the auditors, they were going to key some of the following topics:
1. Efforts & action plans to achieve synergies with the parent company.
2. Project margin tracking was in place to achieve the original commitments.
3. Sales personnel bonus plans were definitely structured and approved.
I knew that the first couple parts were not going to be much of an issue, but once you start questioning Sales folks about their bonus plan you know there’s the potential for fireworks.

As we went through the various topics, we began to dig into more detail about how higher value jobs were being quoted and how the change orders on those jobs were being charged to the customer, or in some cases, how they weren’t. Fortunately, we had already implemented a new reporting structure prior to the audit that had us tracking the margin progression of every job over a specified value. We would track every progression in the job to the point that if we encountered even 50bp of margin change by the completion of the job we could bridge every element contributing to that change. For the better or the worse….

The delicate balance in this portion of the audit was working with the Sales team, who were instinctively working in the best interests of the customer and meeting their goals, and the Audit team, who was only focused on whether protocols were being followed, regardless of the outcome. We encountered some very short tempers but were able to work through it once each party understood the motives of the other. Not that the Audit team really cared…..
The valuable perspective for this part of the audit was that you had one group who worked in multiple shades of grey, and the Audit team who only worked in black and white, and how do you generate a productive outcome? We did so by educating all parties involved and making sure that all parties were working towards the same outcome – Making sure the company continues as a growing and profitable entity while mitigating risk.

Thanks for reading . . . .

Internal Audit – Finance & Control

August 14th, 2008 Comments off

In my last posting about embracing the Internal Audit process, I spoke to the value this exercise can provide to any current or new Finance leader. For the audit that we had gone through after the close of purchase for the final minority share of our business, we performed a comprehensive review on six key areas of our operations. I outlined these areas in my last post, and today, will go into a little more detail on the area of Finance & Control. It’s still best to keep in mind that this was an audit that spanned approximately 8-weeks so even a more specific overview is still a summary at best and the level of underlying detail is much greater than what is represented here.

As far as our review of the Finance area, the goal was to assess the adequacy of our primary Finance & Accounting processes, Credit management, and our application of Group Accounting principles. To break this review down a little further, we were going to run through some of the following steps:
1. An analytic review of our financial statements along with our external auditor reports.
2. A review of our systems and processes that supported our financial reporting.
3. Reviews of our delegations of authority.
4. Our compliance with Group Accounting principles.
5. Invoicing, Credit, and Cash management.
6. Assess the valuations of our balance sheet reserves.
7. Reviews of our fixed assets and associated valuations.
8. Reviews of employee expense reports.

This was certainly not a simple review and necessitated extensive time to pulling documents and reviewing our processes. Further, each one of these process needed to be assessed a risk-weighting that determined what degree of risk it posed to achieving our results and generating accurate reporting. There were three distinct levels of risk depending on what “Findings” were associated with each area. A “Finding” could either be quantified through it’s potential impact to results or qualified through a breach of corporate policies or guidelines, or the ability to impact the reputation of our corporate parent.

Again, since we had already been operating under the umbrella of our corporate parent for a number of years, we had already embraced their guidelines and reported our results according to Group Accounting principles. Therefore, our preparation level was already very good with respect to this audit. Any anxiety levels aside, it was a process that should be embraced by any Finance leader that is new to the organization and needs to uncover potential areas of risk.

Thanks for reading . . . .

How accessible is your Finance data?

August 13th, 2008 Comments off

It seems like a bit of an odd question at first considering we typically work under structures of system permissions, protocols, and how often user profiles should be audited. The key phrase here is “should be”. It’s very easy to become somewhat complacent and rely on written procedures that are in place and the assumption that they are being followed. I was doing some pretty extensive work on some forecasting files, which unexplainably, I could not find during my next session. These were in folders that I constantly worked in and allowed limited access to only a few individuals. I was now unable to locate and needed to know what happened and who was in the files last. For all I knew, I might have mistakenly saved them to a new location….

I ended up finding the files after only minimal effort, but what I found in the process was more disturbing. I requested from our IT group a list of individuals who had general access to the Finance drive and then the permissions that were granted to each one of those individuals. Keep in mind that we only had approximately 30 people in our Finance department. What I got back was a list of about 70 people that had access to our drive! Are you kidding! It didn’t take long to see that a number of these individuals were no longer with the company. There was also a population of folks that had transferred to other functional areas in the company. Most of those that had transferred had not recently accessed the data. Regardless, this had to be immediately corrected.

Our IT group, that same morning, received a corrected list of individuals that should have access to the Finance drive and the changes were implemented immediately. There were some updates to permissions, but these were relatively minor. Lesson learned. Although we had specific protocols in place, they were not always being followed as directed. We also learned that we had to increase the level of communication between HR and IT, and in a much more formal manner. I have always incorporated a certain level of paranoia into my daily routine in regards to identifying risk. This was one more confirmation of that approach. So I ask the question – “How accessible is your Finance data?”

Thanks for reading . . . .

Internal Audits – embrace & value the process.

August 7th, 2008 Comments off

While I had always participated in the internal audit process and provided my portion of the contribution, I’m not sure I really appreciated the process until I was the person actually leading the Finance team and responsible for everything that happened “under my watch”. During my time with MGE, it was decided by our parent company, Schneider Electric, that they would be purchasing the remaining portion of our company and converting us to a wholly-owned subsidiary of their $13 billion conglomerate. At the close of the transaction, Schneider sent in a full team to conduct a comprehensive internal audit on our process, documented procedures, and potential areas or risk.

The audit was not going to cover just the Finance department, but encompass every area of the organization. This was going to be an 8-week process that was going to cover Inventory & Logistics, Sales & Marketing, IT, as well as Human Resources. Their main objective was to assess the potential risks within each one of these areas and rate those levels of risk according to their importance and the ability to potentially have a material effect on our financial results. We also wanted to determine what levels of internal control and monitoring we had in place to deal with the risk, and if necessary, propose recommendations to correct either the situation or our ability to follow the risk.

Since we had always had a very good relationship with Schneider Electric there was no significant anxiety of the proposed audit, but this effort was much more comprehensive than previous audit engagements. We were hosting individuals from Los Angeles, Chicago, and Paris, along with occassional visits from external auditors Mazars and Moss Adams. Perhaps there was no significant anxiety since we had always operated our entity with a high level of control and accountability. Ultimately, our audit concluded and in a very satisfactory manner with some areas that were noted for improvement and a timeline for follow-up and modifications.

This is obviously a process that can be addressed in much more detail considering this was an 8-week engagement, which I will in future posts. I will spend more time discussing the audit engagement for each area. The most significant takeaway was the additional insight that it gave us into our organization and receiving an unbiased view of our operations. For any new CFO, this is a critical step to go through and assess what the strengths and weaknesses are for the organization and what the areas of risk are for you in the execution of the company’s financial goals. An area that certainly shouldn’t be left to chance & is well worth the 4-8 weeks that you might invest.

Thanks for reading . . . .