In this exclusive interview, Ali Raza, BDO Senior Partner tells Joyce Njeri the fundamental mistakes organisations make when implementing Enterprise Risk Management systems…
SYSTEMS IMPLEMENTATION continues to be a real challenge and source of concern for many organisations.
We’ve been seeing this since the 90’s especially when organisations started implementing Enterprise Risk Management (ERM) systems. Over the last two decades we continue to see the same issues coming up over and over again.
In an exclusive interview with Accountant Middle East, Ali Raza, BDO’s Senior Partner, Technology Risk Advisory Services, is of the view that “poor quality of implementation resources, lack of business understanding, inadequate data cleansing before migration, rushed user acceptance testing and deferring resolution of critical issues till after ‘go-live’ are just a few recurring themes.” Here are the excerpts from the interview.
Q. What are the challenges you are seeing with systems implementations and how can some pitfalls be avoided?
A. In my view from what I have seen in a number of countries including the West, we make some fundamental mistakes that make the ERP journey very painful. The list can actually be very long, but some key and most common ones I have experienced are:
1. Quality of the implementation consultants, which is combination of product understanding, business understanding, technical experience, soft skills and work ethic;
2. System set up (process design) is done in isolation without a true understanding of business and its nuances;
Poor project management which is devoid of risk management altogether;
3. Weak and ineffective steering committees;
Implementation contracts too focused on “completion” of milestones and not enough on quality related attributes of the milestone; and
4. User Acceptance Testing (UAT) is a box ticking exercise.
A few years ago I was at a steering committee meeting in my capacity as an external Quality Assurance Leader. This was at a very large organisation which has been in operation for decades and therefore very traditional and paper intensive. The implementation partner presented the business blueprints and results from a recent business survey as both were formal project deliverables, requiring sign off from the steering committee. The steering committee was about to give their blessings, when I asked:
“What have we learned from the survey, and how has it contributed to the future business design and the required change management? Given that the survey was concluded after the design was completed, is there not a risk that the design has not incorporated important organisational feedback?”
It became clear that the survey was completely an isolated exercise completed for the sake of fulfilling a milestone obligation. No ‘real’ understanding of change management risks and requirements really came out of the initiative as nothing was done with the results.
The Business Blueprint is of utmost importance. Despite its criticality, I continue to see very poor quality blueprints. Almost always, I note that it lacks detailed business process design, process controls, authorisations and access design including segregation of duties.
I also typically note weak involvement of Internal Audit in reviewing these key deliverables and the project as a whole so that critical course corrections can be made during the implementation. As a result, these organisations are never really able to optimise business processes and controls resulting in unnecessary overheads from manual processes and controls that build up over time around the system. Furthermore, they end up with an environment with all kinds of security exposures exposing the organisation to loss of data integrity, information theft and fraud.
If ERP implementations have been going on since the 90s, surely implementers have learnt valuable lessons during the course of their implementations – why then do we see the same issues come up over and over again?
Having been on both sides of the fence, or actually having sat on all sides of the table – client, implementer, independent QA and internal audit; in my experience, good resources move to good companies and they are kept busy on profitable work. At the end of the day, the implementer is running a business which has to be profitable, just like the client’s organisation.
I have sat in contract negotiations with clients that squeeze implementers to the point where they barely have any margin, hence incentive left. Some walk away, and some take the plunge and immediately start finding ways to avoid financial loss through cutting corners. So, the issues start from the day the contract is signed. This is a situation that gets worse over time, and the project starts its downward spiral.
On the clients’ side, there is a perception that they made the best deal for a successful implementation, and on the implementers side the Sales people celebrate their win and handover the problem to the implementation team. At the end of the day, the painstakingly engineered situation in all earnestness is risk to the achievement of the organisation’s strategic goals.
To me, negotiation is a conversation that should be around creating value for each other given the constraints. This I believe is the only way to achieve a win/win, and the only way to go into a deal with true ‘partnership’ spirit. Too often it is a conversation about reduction in price.
In contracts, it would be nice to see a few simple but focused metrics to evaluate performance and a fair ‘carrot and stick’ arrangement for both parties. This may sound academic and may require overhead to administer, but this could change the whole approach, attitude and commitment to the project from both sides. It could actually be a shot of adrenalin to the project provided they are: clear, measurable without overhead, fair and tracked regularly (reported as part of project progress reporting).
Some basic metrics, for example could be:
- Minimum acceptable involvement of senior people with the relevant experience (resources that won the proposal for the implementer, for instance: percentage of time, full time involvement in certain tasks, on site presence etc).
- Deliverables/design/document review time by the organisation
- User Acceptance Test – first wave of test results (number of passes and fails)
Do you think that key IT initiatives and investments have the right level of leadership and guidance behind them? What are you seeing in the Industry, whether it’s a systems implementation or any other strategic initiative?
In my experience, I do see ‘C’ level involvement and commitment towards such strategic IT initiatives. However, having said that, I see ‘Business’ projects being run as ‘IT’ projects, with more of IT leadership making business decisions and not enough involvement of decision making from the other function leaders of the business.
I think it’s good that IT takes stewardship, but key decisions related to, for example: work practices and procedures, information (like, integrity, protection etc), governance, risk management (segregation of duties, accesses etc) require deeper involvement of the operations/business people.
Governance is an interesting area, especially now with Cobit 5 where accountability and responsibility for ‘non IT’ personnel is clearly shown. In my view, information governances which encompasses IT governance is an integral part of corporate governance, which is the Board’s responsibility. Therefore, Boards must have members that have a deep understanding of the governance requirements to protect one of the organisation’s most valuable assets – IT. I believe the industry will start seeing much better information governance standards once it is well understood and pushed down from the Board.
A small example which illustrates the point of board involvement and also business decisions in IT led projects is around Information protection/security. There has been a lot of attention on network security, access management, vulnerability assessment etc. Added to this, we are now seeing a lot of risks as a result of cyber security threats.
Numerous organisations are taking measures to assess their IT weaknesses and are taking steps to make their networks more secure. However, from the vast number of companies I have worked with in Abu Dhabi and Dubai, very few have actually addressed the most basic aspect of information protection. That is, knowing what level of protection is required for which information (physical and electronic).
Data classification which is fundamental to information governance is missing in a vast majority of organisations I have worked with. Data classification cannot be done by IT alone. It is the various functions of the business that have to identify and determine the classification, which IT should embed in networks, servers, storage and applications. Boards must provide the necessary leadership to enable this and ensure that their organisations are aware of what to protect and are providing that protection accordingly.
Does that mean that these organisations are vulnerable to attacks related to information theft and cyber-crimes, and are not protected?
I think that’s a very general statement which I don’t fully agree with; however, my point is more to do with ‘protection’ rather than ’fault’. The focus here is an appropriate tailored protection (sustainable, scalable, robust and efficient) against risks, rather than what is wrong. You can spend a lot of money in procuring a highly secure infrastructure, or you can optimise your spend and increase robustness by focusing on what really needs to be secured, the degree to which it needs to be secured and how it’s secured.
It’s also important to recognise that whichever path you choose, the effectiveness will boil down to employee behaviour and their orientation to risk, protection, resilience and recovery. Hence my point about ‘putting the cart before the horse’. I am seeing a lot of attention on tools and gizmos, rather than getting the fundamentals right first. In my view, bringing in tools and using the implementation as a catalyst, tends to create more of a problem than a solution. While this may vary from organisation to organisation, I would lean more towards getting the basics right first – risk based focus, policies, people, processes and procedures; and then bring in the tool to automate.
On the subject of cyber security, critical infrastructure such as SCADA (supervisory control and data acquisition) and Industrial Automation systems in my view need equal, if not more attention than corporate IT systems. The newer SCADA systems can now talk to other IT systems and be hosted on TCP/IP networks, resulting in a significant shift of their risk profile.
Traditionally, SCADA and Industrial PLCs, networks, hand held terminals etc have been managed by Plant Operations and not IT. However, with the convergence and consequent change in risk profile, it is now imperative that risks and vulnerabilities of such critical assets are assessed and managed proactively. The technology available now allows operations process control from a tablet or smart-phone. The focus on SCADA systems and networks now is perhaps more critical than corporate IT systems.
What kind of clients is BDO working with in the area of IT Risk Advisory?
We love working with businesses that have a clear vision of how they build their competitive advantage, and are either exploring ways in which Technology enable this, or constantly ‘tweaking’ Technology for more value and better enablement. We are passionate about helping these visionary businesses succeed and help them make the best possible use of technology while proactively managing technology risks. Therefore our focus is more on how to do things better and manage risk better, rather than pointing out what is wrong.
We have a very large number of Mid-Market clients and a rapidly increasing number of large organisations in the UAE. We are not afraid to show businesses a better way of achieving their objective through better use of technology. Above all, if we don’t believe that our client will benefit by more than the fees they pay us; then we will not start the project. BDO is only interested in making a real difference.