Posts Tagged ‘Risk Management’

Is Your Corporate Security Worth The Cost of a Monthly Latte?

February 18th, 2015

I’ve had the opportunity to work with some incredibly sharp Finance folks, many of whom are able to deliver on their budgeted results regardless of what curveballs are thrown at them. Some are able to effectively deal with shades of grey while exhibiting a focus on what is best for the company. Others are rigid, run the company with an iron fist, and if not budgeted….it’s not going to be spent…no matter what. It’s the latter approach that I have seen quite often recently and it leaves me scratching my head as to the flawed logic that drives their actions.

As you can imagine, I’ve had the opportunity to watch our team deal with some of the most serious breaches, which are usually reported across most newswires. Breaches that could have easily been prevented, but are now going to cost companies a significant amount to repair, as well as have to rebuild their reputational goodwill with customers…or in some cases, spend more to offset the loss of critical IP.  In the midst of these breaches, I’ve seen companies argue whose budget will carry the cost of the response because it wasn’t part of the original plan. They sit and quibble about the lack of Budget dollars in the face of a breach where millions of records have been released or critical IP has been compromised.

Let’s back up though to a point in time prior to the breach. The Cylance team goes in and walks through our technology and displays its absolute effectiveness to the prospective customer. It is all too clear that our solution crushes the traditional antivirus “solution” and would either protect them from malware that has hit their competitors, or in the most optimal display, would have prevented the breach that had just occurred. They’re also shown the efficiency with which our platform operates, placing a CPU load in the low single digits, which again, is at the opposite end of the traditional antivirus spectrum that typically has the CPU redlined under an attack. Let’s not even talk about the additional cost of incident response that has to be carried in the event of a breach, which is often in the range of $400-500/hr depending on the seriousness. Don’t like paying legal fees for frivolous actions? Try paying those fees when you know they could have been avoided for the cost of a latte…

As simple as this sounds, it really does come down to the cost of a latte…and this is no joke. Companies cater business lunches for “working meetings”, companies tend to get a bit loose in the wallet for other “business events”, but there is also the retort of “we don’t have any open spend for this area…”. So let me rephrase what you just said:  Are you saying that you don’t have any open spend equivalent to the cost of a coffee for each endpoint in your enterprise to ensure the security of your employee records, customer records, and critical intellectual property?

While I certainly don’t like surprises or unplanned spend, we are certainly operating in different times and need to be able to adequately protect the data and prior investments we’ve been entrusted with. It used to be a failed ERP implementation that might cost a CFO or CIO their job, but now it will likely be ineffective security spend and ineffective deployment that will cost jobs. When the situation has the absolute ability to affect revenues and jeopardize key data…the CFO has to be involved and do what is best for the business. Perhaps that’s something to consider when you’re sipping that latte during your transitional networking meetings…

Thanks for reading.

Jeffrey Ishmael

The Value Of The CFO As An Operational Partner…

June 11th, 2014

For those that have followed my posts over the years, I have always been a strong advocate of the CFO not just being the financial partner to other functional areas, but a true operational partner. It was great to see the recent article in CFO.com, “Double Duty”, outlining the trends of CFO’s assuming the role of COO.

http://ww2.cfo.com/leadership/2014/05/double-duty/

While some might view the additional title as a bit of a “land grab”, it really comes down to the CFO’s desire to partner with the other stakeholders in the company and provide as many tools and insights as possible, which are aimed at increasing the financial & operational performance of the company. One of the statistics mentioned in the article was the decline of the COO role at companies, which fell from 48% in 2000 to 35% in 2013. As one person interviewed mentioned, “It was a layer of management that caused the CEO to be a step removed from the business at times”. While it will not always be the CFO that necessarily assumes the COO role, it will really depend on the type of company and how specialized the underlying COO responsibilities are. However, as I have also mentioned in prior posts, it’s critical for the CFO to be involved in the daily operations of the company in order to quantify what the developments or strategy changes will mean to the Forecast and reported financial results. It’s about working with the broader team and ensuring that the deployment of resources is appropriate to support the mission at hand and that all areas are aligned in their execution. By being involved at the operational level it’s pretty easy to see where promises are being made to customers, timelines are being communicated, and expectations placed on internal resources, and if all the parties aren’t working together….then what that will mean to the actual achievement of the Forecast.

Whether my role has been at a mission critical IT infrastructure company, Retail and Apparel, or now Security, the focus has always been on ensuring that Finance is truly operating as a strategic business partner to the other functional areas. While there was always some level of resistance in the beginning, it ultimately developed into a great relationship and one that was valued on each side. In instances where that wasn’t the case, then it was usually due to underlying agendas and actions that weren’t ultimately in the best interest of the brand or company.

My involvement from an operational aspect has also been to achieve further clarity to all the inputs contributing to the achievement of the Forecast. The worst disservice a CFO can bring to an organization is to treat the forecasting process as simply a spreadsheet exercise driven by assumptions cells that are updated to provide the desired output and then push out the changes to the rest of the company. It’s about being involved and knowing if the assumptions are achievable, sustainable, and if not in the long-term, are there operational changes that can be made to ensure they are.

Part of the value I’ve always strived to bring to a company is the implementation of both financial and operational platforms that deliver sustainable results. Results that are not the product of short-term or one-time low quality deals or internal cuts, but platforms that create longer term relationships and financial results. In the end, happy customers that are properly supported by their chosen partner…us.

One of the closing points brought up in the article, and one I’ve also always tried to see realized, is the “CEO understands that the overall risk to the company will be diminished if the CFO has some direct involvement”. If you’re ultimately striving to operate in a “company first” environment, then it’s not just the CFO that can provide this value, but every member of the team.

Thanks for reading…

Jeffrey Ishmael

CFO’s & Cyber Risk: Protecting Your Performance…& Shareholders

May 2nd, 2014

As a CFO, I can’t help but be a bit shocked at the recent article on CFO.com “CFO’s Disregarding Cyber Risks”.  In my position, and more in relation to my past positions, my involvement with IT-related activities typically centered on the ongoing assessments of our ERP platforms, annual budgets, necessary capex, and the standard operational issues. I can honestly say that cyber risks were really not part of our ongoing concerns, nor was the topic ever tabled by the rest of the senior leadership team or the Board. We also weren’t planning in an environment where billion dollar breaches were being reported in the press.

Fast forward a few years and it’s hard not to take note, and initiate an elevated level of planning, in the face of the Target breach that occurred just prior to the Holiday shopping season. I don’t care what industry you work in, any CFO should take note of a company which, in a single Quarter, revises their earnings estimates down by 25%, or approximately $250 million. How about a revision in revenue estimates that takes the topline down by almost $1 billion….in a single Quarter! Even more importantly, at the time of the revisions, the company was unable to assess the potential impact of the breach beyond the current Quarter. That event by itself should have every CFO looking over their shoulder and considering the proverbial “what if”. Evidently not…

In the recent article on CFO.com, which drew 600 responses, CFO’s ranked data privacy only 12th on their list of corporate risks. In comparison, data privacy ranked 26th on their list in 2013. While the level of importance is rising, it’s still not being given the proper level of attention. At the top of their list was legal and regulatory shifts. In hindsight, I would love to have someone provide me an example where legal or regulatory changes resulted in an immediate and material revision to earnings or revenues. These are typically changes that are discussed over extended periods and phased in, thus allowing the company and shareholders to digest the resulting changes in how the company reports its results. This is in stark contrast to waking up and realizing you’ve just compromised the privacy for 70 million of your customers in the most critical shopping time of the year.

What was also concerning about the article is that 57% of the respondents weren’t analyzing whether they had enough cyber insurance coverage or weren’t undertaking additional key activities to sufficiently mitigate the risk of cyber risk. This was not only happening at the senior leadership level, but at the Board level as well. While the public and general investing community is aware of the breaches that are reported in the press, I know I have taken an entirely different approach to my personal cyber security as a result of the work I see our team doing across a wide spectrum of industries and with companies that are very recognizable to us all.

As a CFO, if you want to ensure that all of your cost-saving initiatives and EBIT performance aren’t compromised, the investment in a security solution will pale in comparison if you do encounter a significant breach…

Thanks for reading…

Jeffrey Ishmael

Proactive, Reactive, & The Need To Balance Resources…

March 13th, 2014

As we’ve recently come off a successful Series-B fundraising effort that included our original partners Khosla Ventures and Fairhaven Capital, as well as our newest partner Blackstone, it really affirmed the delicate walk we’ve managed over the last 18-months. With the initial $15 million in funding we received we knew what our mission was and the support structure we would need to have in place to make it happen. This consideration was not just to the staffing we would need to bring on, but the systems we would have in place to support our decision making.

I still remember the amusement I had when, fresh off an SAP implementation, I was given my laptop with QuickBooks installed. While that was fine for the first few months, that certainly wasn’t going to be our longer term solution. Nor was I going to pony up the dollars for an Oracle or other similar platform. With a commitment to be surgical about our spend, we mapped out what system would be needed to support our sales efforts, service deployment, as well as our financial reporting….all of which needed to be integrated. We were trying to be as proactive as possible, but knew we’d have to pivot at points along the way. We successfully brought Salesforce.com online, and with the hire of a VP of Sales, who developed the necessary criteria to report on our bookings activities. We then integrated our services management platform, which then finally rolled into our financial reporting system.

However, as the business continued to mature, we found ourselves having to react to changes that forced us to pivot. We reached a point that it was necessary to extract ourselves from an early PEO commitment and bring all of our payroll and benefits administration in house.  Although we did not originally commit to the HR module, the time had come to add this on and react to our expanding business. This obviously meant more time and more money…that precious commodity we were so diligently managing. We continued to walk the path of being proactive on the critical elements, but reactive on those that we could push until the moment we actually needed to spend and weren’t creating any risk to the business.

Our earlier decisions on whether to spend proactively or reactively were put to the test during our due diligence efforts. Our earlier efforts to invest in systems have allowed us to continue operating in a very lean manner operationally. With myself and one analyst, we were able to manage through the onslaught of document requests, additional modeling, and review of systems to achieve the final sign offs that led to our Series-B funding. Although there were some smaller operational elements that we could have fine-tuned in advance, it was a derivative of our decision to operate in a lean manner. Those elements are obviously being addressed moving forward, but do not affect our ability to service our employees, customers, or business partners.

Even now with a fresh round of funding, we will continue our prudence with spend and walk the delicate line of when we should be proactive or reactive. While it’s always preferable to head down the path of proactive decisions, it’s not always best for the company if the deployment of those resources isn’t necessarily mission critical and has an extended window for return. The one certainty…this period of early stage growth will continue to be a target rich environment!

Thanks for reading…

Jeffrey Ishmael

Are You Managing Your Risks…& Your Expenses?

November 21st, 2013

I often discuss the need to have strong partners for all areas of your business. While those partners may not always necessarily be the most economical, there’s the comfort that the services or product they deliver will provide the quality and protection you need so you can stay focused on the business. In the case of our company, as we have continued to expand the profile of client we are dealing with, we have had to increase our corporate insurance levels in order to meet certain vendor requirements.

Although we had previously reached coverage levels that would be sufficient for any of our clients, we were also faced with an environment of increasing risk premiums. In fact, in the October-13 edition of CFO, they cited that “the average expense that corporations incurred for risk management jumped 5% last year”.  It was pretty satisfying to proceed with our most current renewal and see a double digit decrease in our premiums while receiving more robust coverage levels. Nor did we achieve the decrease by going with lower quality insurers either as we continue to engage with A-level insurers highly recognized in the market.

It’s examples like this that become a nice testament to the quality of a network and the results they are able to deliver. Do you have the same quality and commitment within your own network? If not, it might be worth a bit of homework to harvest some of those hidden savings.

Thanks for reading.

Jeffrey Ishmael

There’s No Other Lane Than The Fast Lane…

December 5th, 2012

If you’ve ever worked for a start-up or been associated with one, then you know there is no other lane available than the fast lane. You also know that, unlike traditional corporate environments, there’s not a clear cut segregation of duties. On your first day, after you’ve signed all the requisite paperwork, you’re given a broad selection of hats to wear…all of which need to be worn on a daily basis. In my case, I eagerly picked up hats for Finance, Operations, HR, Legal, and Purchasing. While many would scoff at having to take on functions they feel didn’t apply to them, it’s a great opportunity to help shape the foundation of the company and know exactly what levers are being put into place to pull at a later time. After spending months in the fast lane and staying head down, it’s pretty satisfying to see the efforts of the team play out with some of our recent changes and announcements.

After running stealth behind a 1-page static homepage, we launched our first revision of our website. We have some great talent coordinating the effort and the finished site is a product of that. It’s exciting to be able to actually start directing folks to the site who are constantly asking what we have been about, but until now, have been silent on our efforts. www.cylance.com

We also announced our acquisition of Skout Forensics, which is our second acquisition. Skout Forensics, based in the Washington, DC Metro Area, will be integrated into Cylance’s development team to enhance its own forensics technology roadmap and merge into Cylance’s professional services team to expand its already advanced forensics capabilities.

While we’re allowing a little light to shine on our accomplishments this week, there are obviously more great things to come and we’ll continue to keep a laser focus on what needs to be accomplished.

Thanks for reading…

Jeffrey Ishmael

Cyber & Network Security: “I See Said The Blind Man…”

October 31st, 2012

After joining my latest company, I’ve found myself exposed to a group of brilliant individuals who have a laser focused fascination for cyber security and every subtlety tied to it. For those that know my background, the natural question is how did I get pulled into this one? After my tours of duty with Quiksilver & DC Shoes, Schneider Electric, Pacific Sunwear, and investment banking, the security industry is a bit out of my realm. But then again, I wasn’t brought in for my security expertise, but for my ability to drive financial performance and create a foundation for the rest of this group to prosper.

However, it has been an eye-opening experience working with this group. Although all the companies I’ve worked with had extensive IT departments, as well as a focus on “network security”, this is a whole different level. Literally, on my first day with this team, I took immediate actions to tighten down my own personal information after reading a few articles that were forwarded to me. One article in particular discussed a journalist who literally had his identity wiped clean, including family pictures kept online, after his accounts were hacked. Unbelievable.

The more noticeable hindsight to me as I was discussing other companies with our team is that I don’t recall EVER receiving an email where the file was password protected. Now keep in mind that I’ve worked for a number of different public companies, as well as equity research at an investment bank, and I have NEVER received a password encrypted file. Maybe a password so I couldn’t alter the structure, but not to actually open the file. Even in my own previous approach, my idea of “locking things down” was to send any forecast or financial info out in PDF so it couldn’t be modified. I’m pretty much chuckling at that approach now in comparison to what the daily MO is here.

What is even more interesting is the approach that most corporate IT departments are taking with regards to internet access, the opening of unfamiliar links, the lack of ongoing security training, and the relative absence of putting any significant effort into this area. Most companies may not offer that much for a targeted attack, but the subsequent cost and loss of productivity is an entirely different matter. I know I’m looking forward to the continued immersion & learning about this industry. For myself, the obvious phrase that came to mind was “I see said the blind man…”, but I think I’m still relatively blind on the security front.

Thanks for reading…

Jeffrey Ishmael

Guest Blogger: Michael Dennis on Credit Issues

June 25th, 2012

I wanted to introduce a friend, and a new guest blogger, to the site. I previously worked with Michael during a period where he was a key member of my staff for what was a very complex business. Our company was a manufacturer of UPS systems, which involved no shortage of contract reviews, along with ensuring the collections on projects where any mishandling along the way could reduce already pressured margins. Michael not only currently works for a very notable company, but also has his own site at www.coveringcredit.com, as well as being a contributing writer to www.creditmanagementassociation.org. Thanks Michael!

“Supersize or Specialize?”

     Another friend of mine lost her job after many years when her credit department was combined with customer support and order entry and her position as credit manager was eliminated.  I honestly and sincerely don’t get it.  The skills required to be effective in the collection role are very different from the skills required to handle the order entry and customer support functions.  How do I know?  At various times, I have managed all three departments… and I never once thought:  What a good idea it would be to take an order entry representative and turn them into a collector… or… Wouldn’t it be great to cross train everyone and make one supersized Collections/Order Entry/Customer Support department!

     I don’t disagree that creating a larger combined department would enhance the customer’s experience when placing an order, asking a question, or requesting assistance for the simple reason that more people working generally means shorter waits and quicker responses.   That is certainly good for your customer.  However, I cannot imagine how combining job functions could possibly improve collection performance for the company for all of the following reasons:

• Not everyone is cut out to be a collector, but this Supersized department assumes that individuals will be equally adept at collections as they are in their other roles.

• The economist Adam Smith wrote that specialization leads to greater efficiency. Creating generalists, which the Supersized department requires, is the opposite of specialization.

• Expecting most if not all the employees trained in customer support to become effective at collecting outstanding debts is unrealistic. Why? Because collections is not for everyone and given a choice, I believe that most people will spend more time helping customers and less time calling for payment.

• The skills needed to manage a Supersized department are different than the skills required to manage the collection process.

• By eliminating the credit manager’s position this company apparently overlooked a very basic fact. The credit manager’s biggest value add involves establishing appropriate policies to monitor and manage risk before orders are released, not in managing the collection team. Unless credit limits and credit terms are set appropriately and credit risk is managed proactively, the chances of collections improving as a result of this departmental merger and the layoff of the credit manager are somewhere between (a) highly unlikely and (b) it’s never gonna happen!

That’s my opinion anyway.  What’s yours?

Michael Dennis’ Covering Credit Commentary. Michael’s website is  www.coveringcredit.com.

Restructured? Reassessing Your Risk & Coverage Profile.

September 24th, 2009

Over the last 2-years, there’s not a single person in my network that has been immune to what has transpired with the economy, both domestically and globally. Some have been fortunate, as we have, to experience growth, in a sector that has been heavily hit and seen many players eliminated or significantly downsized. The efforts to adjust to these changes have been to scrutinize every revenue and expense stream within the company and determine where changes can be made. One of these areas, Insurance Expense, can be a pretty significant area depending on the industry you find yourself working in. From the area of workers compensation, to product & general liability, to health, it can be significant. However, the focus should not lie solely on the quotes provided by your agent at the time of renewal and what a new agent might be able to save you.

If you’ve either seen a significant decrease in the scope of your business, or been lucky enough to grow, then what you should really be doing is diving into the different elements of your insurance coverage to determine if that coverage is appropriate for the company.

More specifically:

• Was your policy initiated many years prior, in a period where coverage was provided to you as a new entity?

• Have you seen a major change in your employee count and the scope of activities that they are involved with?

• Has the company undergone a significant change or expansion in the supply chain or the amount of product moved?

• Does the current liability umbrella provide enough coverage for where the company has progressed to?

• Do you have coverage for your Directors & Officers? Is it sufficient for the scope of business?

• Do you have the proper levels of Employee Practices Liability for the company & is it commensurate with the risks of your industry?

Conversely, if you’ve been unfortunate enough to see a significant decrease in the size of the company, are you over-insuring the company and paying too much in insurance expenses? How many vendors are you having to deal with and can you effectively manage your insurance portfolio? Do you know what areas you might be lacking in your current coverage? In such a litigious environment, the cost-benefit of proper insurance coverage cannot be overemphasized. Although this area can represent a large expense for the company, the risk of a lawsuit or other event that exposes the company will be multiples of what your actual expense is.

If you have a good insurance partner, then there are also ways that you can decrease your expense exposure with respect to internal education programs, safety programs, and other employee involvement. There are also opportunities to look at deductible amounts, although this will not have as drastic an effect as the increase or decrease in your overall coverage amounts. Do you know where you stand on your insurance portfolio and scope of coverage?

Thanks for reading . . . .

 

Jeffrey Ishmael

Credit management – Do you know your current risk level?

May 7th, 2009

Working at a smaller company, there are the inherent benefits of being able to quickly adapt to changing market conditions, implement changes quicker, as well as having a more direct line of communication with your account base. At the same time, however, there is the probable loss of information tools you may have had access to before. For our company, which is a footwear company based in the Action Sports industry, we are typically dealing with the “Mom & Pop” retailers who typically have only 1, or a few, locations. Having the most current financial profile on these folks is typically unlikely, any reliance on D&B info is sketchy at best, and the possibility of credit insurance is unlikely considering the customer profile. So how do you handle the credit granting decisions with a hand like this dealt to you?

At one of the previous companies I was at, we dealt with larger, capital-intensive projects with blue chip accounts where accurate financials were a google search away. These were also accounts that were seldom turned down by our credit insurance company Coface. Although at times I questioned the need to pay the high annual premiums to insure our credit portfolio, it would have only taken a single job to go sideways to make up for years of paid premiums. I would bet that in 18-months since I left that their credit insurance was tapped on a few occasions considering the primary customer profile was in the financial services sector. But then again, these guys were solid…right? But alas, my Coface coverage was a tool that can’t be applied to the customer profile that I am dealing with now. On to the next move….

In consideration of all the D&B reports that I have pulled, I have found, in general, that this information is not typically reliable at the corporate level and often lags in getting the information updated. Sometimes over significant periods of time. I would NEVER make credit decisions based on Dun & Bradstreet information alone. It’s merely a single factor in the consideration of approving a new account or keeping tabs on an existing account. Ok, what next….

I am a huge advocate of trade groups and their ability to gather and share information at more of a “street-level” application. But from a financial perspective, I have found that trade groups within the Action Sports industry are somewhat non-existent. There are fantastic trade groups at the Retail level, Environmental level, Manufacturer level, but I have not found one that focuses on the financial side. Maybe an opportunity here? I was recently contacted to become part of Footwear Industry Trade Group. The concept is in its infancy, but we went through a demo and reviewed the available tools. Really a solid approach and has great promise. However, in reviewing some of the companies they have participating, they are not in our peer group. Any sharing of information would be of no benefit to us. The companies that are currently signed up are not sold through our typical account profile. I tentatively committed to our participation in the group, but only if they successfully signed more of our peers. So what am I left with…?

I’m left with the key element that is driving the current growth in our business and allowing us to post numbers higher than last year….the relationships that we have with our accounts and the collaborative approach we take with them. We take a sincere approach to developing partnerships with our account base and supporting them in whatever way we need to, so long as it also makes sense for us as a business. Whether that’s international or domestic. Whether that means sending out an email myself on a past due invoice, calling them directly to discuss a payment plan, or to just discuss their general outlook. I believe it’s that approach that has allowed us to mitigate our credit risk and realize a bad debt expense percentage that is far below industry standards. While there’s always the unforeseen risk that might always catch us by surprise, I do everything I can to minimize that risk and maintain a keen focus on our collections activity in this environment. Do you know what your current risk levels are?

Thanks for reading. . . .

Jeffrey Ishmael