Huge laughs around our kitchen table yesterday evening – about risks and controls. No, really.
Two of our sons are living at home this year, working in temp jobs. One is in QA for a global biotech company, the other in Procurement for a global food manufacturer.
Both have been given system-wide and global administrator access to their employers’ core ERP and document management systems – within a week of starting, which seems pretty amazing.
The biotech company is hilariously obsessive and mechanistic about its risks and controls. [it's easy to see how compliance can chew up 25% of Pharma operating costs]
At the other end of the spectrum is the food manufacturer, which has a risks and controls culture designed by Homer [and we're talking Simpson here, not the Odyssey dude].
The risk management person finally realised what my son had sussed on his first day: that he had unrestricted access to the SAP procurement suite for their global operations. So he could invent a supplier, create a PO for any sum and then approve its payment – all without anyone else being involved.
It was the solution that the risk officer came up with that had us falling off our chairs. This company’s global procurement team works on heroics. Its processes are folklore, an oral history shared at the cigarette breaks. Where there is a process and a rule, it is usually ignored in the interests of ‘getting the job done’. (And a high proportion are temp workers, which must be another risk.)
The solution had to fit with how the global procurement team work in practice. So my son was told yesterday not to use his access for certain SAP transactions. That would satisfy the audit requirement.
Instead he has been told to share a communal username and password with four others for those SAP activities. So the risk mitigation ‘solution’ rips up the only audit trail that could have proven wrongdoing. [You couldn't make it up.]
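As an added example (not from the original post), the two failures above can be written as checks a defender would run over an ERP change log: a segregation-of-duties test for the invent-supplier / raise-PO / approve-payment chain described earlier, a self-approval test on individual POs, and a heuristic that flags a credential in use from several workstations at once, which is what a communal login looks like in a log. The records, user ids and activity labels are constructed for illustration and are not real SAP transaction codes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records in the shape an ERP change log might export:
# (timestamp, user id, activity, document id, workstation).
# Activity names are illustrative labels, not real SAP transaction codes.
AUDIT_LOG = [
    ("2024-03-04T09:02:00", "tmp_jsmith",  "vendor_create",   "V-90017",  "WS-12"),
    ("2024-03-04T09:15:00", "tmp_jsmith",  "po_create",       "PO-55121", "WS-12"),
    ("2024-03-04T09:20:00", "tmp_jsmith",  "payment_approve", "PO-55121", "WS-12"),
    ("2024-03-04T10:00:00", "buyer_a",     "po_create",       "PO-55122", "WS-03"),
    ("2024-03-04T10:30:00", "approver_b",  "payment_approve", "PO-55122", "WS-07"),
    ("2024-03-04T11:00:00", "proc_shared", "po_create",       "PO-55123", "WS-21"),
    ("2024-03-04T11:03:00", "proc_shared", "po_create",       "PO-55124", "WS-33"),
    ("2024-03-04T11:05:00", "proc_shared", "payment_approve", "PO-55123", "WS-21"),
]

# Segregation-of-duties rule: no single identity should be able to do all
# three steps of the purchase-to-pay chain on its own.
SOD_CONFLICT = {"vendor_create", "po_create", "payment_approve"}

def sod_violations(log):
    """User ids that have exercised every activity in SOD_CONFLICT."""
    acts = defaultdict(set)
    for _, user, activity, _, _ in log:
        acts[user].add(activity)
    return sorted(u for u, a in acts.items() if SOD_CONFLICT <= a)

def self_approvals(log):
    """(user, document) pairs where one identity both raised and approved a PO."""
    creators = {doc: user for _, user, act, doc, _ in log if act == "po_create"}
    return sorted({(user, doc) for _, user, act, doc, _ in log
                   if act == "payment_approve" and creators.get(doc) == user})

def likely_shared_accounts(log, window=timedelta(minutes=10)):
    """User ids active on more than one workstation inside `window`.
    Such a credential cannot be tied to a person, so its trail proves nothing."""
    seen = defaultdict(list)
    for ts, user, _, _, ws in log:
        seen[user].append((datetime.fromisoformat(ts), ws))
    flagged = set()
    for user, events in seen.items():
        events.sort()
        for i, (t1, w1) in enumerate(events):
            for t2, w2 in events[i + 1:]:
                if t2 - t1 <= window and w1 != w2:
                    flagged.add(user)
    return sorted(flagged)
```

Run over the constructed log, the first check names the temp with end-to-end access, the second catches both that user and the communal login approving their own POs, and the third flags the communal login as shared.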
Of course, the CFO of this organization – which is a household name – no doubt sincerely believes that the company’s risk and controls are properly managed, and that will be what the auditors are saying as well.
It’s an extreme example of the unseen risks faced by organizations that neglect process rigor and so can’t connect strategy with reality.
Hear stories like this and it’s easy to believe Gartner’s prediction that ten Global 2000 companies will fail or be crippled, due to overlooked but easily detectable process defects – within the next three years.