Consider Outcomes before Benchmarking Internal Controls

When it comes to financial controls, it’s not about ROI. Effective benchmarking depends on clear outcome expectations.

Following my recent presentation at a conference of financial executives, a member of the audience asked “What is the typical cost of a program for internal control over financial reporting processes?” He continued, “Is there a way to benchmark these costs?”

Good question, and one that certainly can and should be asked about the full range of compliance and internal control processes across the enterprise.

We have a great guide on our site called the OCEG Metrics and Measurement Guide (MMG) which provides a ton of good information on how to measure an internal control and/or compliance program of any type. That said, there are some important things to remember.

Benchmarking. An often-uttered word. One that indicates we are serious executives. That we are doing what it takes to optimize our programs. But how does it really work and what does it really do for us?

The concept of benchmarking is great, but before we can benchmark we need to define the outcomes that we hope to deliver. By way of example, when evaluating call center metrics, the starting point is understanding customer satisfaction (or some similar indicator). Without this top-level indicator of the outcome we hope to generate, it is impossible to evaluate other indicators such as cost. In a vacuum, spending $100 to resolve a customer problem is superior to spending $200 to resolve the same customer problem. However, the “vacuum” does not exist. If the $200 resolution delivers 95% satisfaction and the $100 resolution delivers 50% satisfaction, most executives would choose the former.

So what does that mean for us? As financial professionals, we must define the outcomes that we hope to achieve through our internal control programs, as well as indicators of success. Only then can we even begin to benchmark our costs, cycle times and other program attributes in a meaningful way. To engage in a benchmarking effort without taking the time to first establish clear outcome expectations is putting the cart before the horse – the time and resources spent will be wasted.

While every organization is unique and therefore pursues unique objectives, most organizations strive to achieve growth, profitability, total shareholder return, and key value drivers such as workforce productivity, quality, customer loyalty, and innovation. In the same way, each of our programs for internal financial control will be unique and should strive to achieve unique objectives, but every program should deliver on these universal objectives:

• Promote business conduct in-line with business objectives
• Prevent noncompliance and weaknesses
• Prepare the organization to deal with noncompliance and weaknesses when (not if) they occur
• Protect the organization from negative consequences
• Detect noncompliance and weaknesses earlier rather than later
• Respond to noncompliance and weaknesses more quickly rather than slowly
• Improve the program so that similar noncompliance and weaknesses are not repeatedly encountered
• Reduce losses due to noncompliance including fines, penalties and investigation costs
• Enhance the culture so that, even in the absence of controls, the workforce is inclined to do business within defined boundaries of conduct

Now, undoubtedly, I will get a few emails (mostly from consultants) noting that the benefits of implementing a strong program of internal controls go beyond the outcomes listed above. Fine. Shareholders will be thrilled if our programs deliver more. But at the end of the day, if we cannot demonstrate that our programs deliver on the universal outcomes above, we need to get new day jobs.

Once we have a firm understanding of whether, and the degree to which, our programs are achieving top-level outcomes, we can discuss whether we have optimized the outlay of financial and human capital. In addition, we can thoughtfully analyze whether process improvement (e.g., reducing the cycle time to discover noncompliance of a particular type) is worth the investment.

Benchmarking: Are We Winning the Race or Just Keeping Pace?

Marathon runners say, “Plan the race, and race the plan.” You need to know what your objectives are and what obstacles you must overcome to develop the right plan of attack. How have others tackled the course? How many hills are there? How fast are your competitors? Is your goal to win, to set a new record or merely to cross the finish line with a personal best time? Only when you answer these questions and more can you determine how to set your speed and decide which runners to pass or pace yourself against.

It all comes down to objectives and obstacles – knowing what they are and how to achieve the first while avoiding the latter. The same applies to the race we are in every day – the one where we seek to meet our company’s objectives, while the obstacles are too many to mention. Just like the runner, we have to stay on track, but for us the boundaries of the course are compliance requirements and standards of conduct that are not always clear. In this race, it is increasingly difficult to judge our own performance or determine where we stand in the field of competition.

There is a lot of talk about the importance of benchmarking – comparing our performance to that of others or against established standards. Critics complain that benchmarking is often poorly done – comparing data that is calculated only because it is easy to collect and not because it measures anything meaningful, or using data that is not truly comparable.

These criticisms are valid. How should we define what to measure and benchmark? How do we know that terms in a benchmarking survey mean the same thing to different respondents? Results have little value if the metrics do not help us evaluate and improve our actions. This happens if survey respondents interpret questions differently or do not organize their information in ways that allow for true comparison.

These problems can be largely avoided, reducing the cost and enhancing the value of benchmarking, when participants use a business process framework that establishes a common vocabulary and standards of performance. Benchmarking can be very valuable when everyone is interpreting the questions the same way and answering with information that is maintained in the same format and language.

Just like the runner, we need to evaluate our own performance and be aware of how our competitors and peers are doing if we want to achieve our goals. Not every company strives for record-setting results every time out of the box. Sometimes our objective is as simple as improving slightly over last year’s performance. In either case, keeping our eye on the field and being able to evaluate what is going on around us is essential to success.

Beware of the Big Stick Carried by the Government

Beware of the big stick carried by the government. Its called the False Claims Act and contract and environmental managers have long known that they can’t just sign the myriad of required certifications to the government without risk of organizational and personal prosecution. You can’t just cross your fingers and hold your breath, hoping no one notices if your certified statement isn’t true. In many instances, the penalty for admitting a compliance failure or weakness up front may be small, but the cost of filing a false statement or false claim (a false statement tied to a government payment) can be huge. Now, Chief Compliance Officers and other GRC executives are learning it the hard way.

The complaint filed this week against Christi Sulzbach, who was the Associate General Counsel and Corporate Integrity Program Director at Tenet Healthcare Corporation (Tenet) makes that point loud and clear. Sulzbach is alleged to have signed and provided to the Government declarations that falsely stated that to the best of her knowledge and belief, Tenet was in material compliance with all federal program legal requirements, despite her allegedly having received legal opinions to the contrary. The government also alleges that these false declarations allowed Tenet to bill Medicare for millions of dollars in claims that it was not legally entitled to receive.

It’s just a signature on a standard required clause, right? WRONG. It’s a signature that now is exposing Ms. Sulzbach to hundreds of millions of dollars of potential liability PERSONALLY, even after Tenet has settled with the government for more than $920 million dollars.

I used to jokingly call the Chief Compliance Officer job the “designated scapegoat,” but cases like this one highlight the importance of taking the job seriously. Understand what government contract laws and regulations apply to you and your organization. Use a consistent approach to manage compliance. Don’t sign things that put your personal reputation, assets and possibly even freedom on the line – unless you have undertaken the necessary investigations to know that what you are saying is true. Don’t assume that no one checks. Don’t step into the line of the swing of that big stick.