How to Create a Cyber Security Culture


All companies continuously face cyber security threats from both inside and outside the organization. IT departments apply very basic defenses in order to reduce the chances and consequences of a data breach. Firewalls, operating system updates, secure connections, and spam filters are all standard, but they do not address the weakest and most fragile component of any cyber security strategy: people.

Morgan Stanley’s IT department is well known for implementing world-class cyber security protection. However, in a recent security breach, data from over 350,000 customers was stolen by an employee. The SEC found Morgan Stanley responsible, citing a failure to employ “written policies and procedures reasonably designed to protect customer data.” Creating a work culture centered around cyber safety is essential. Most companies understand that better training and executive involvement are key elements in promoting cyber safety awareness. But what about the not-so-obvious actions companies can take to promote this culture? Learn more about these approaches below:

Ensure the top sets the tone.

The only way to ingrain practices that support cyber security and lower the risk of cyber-threat is to start by embedding these principles in senior executives and management. This group is responsible for setting the company culture. Consider changing compensation and incentives to include cyber security compliance points. In addition, recent studies show a direct correlation between CEO approval ratings and cyber security risk assessments. The higher the CEO approval rating, the lower the cyber security risk, which analysts believe proves the theory that the happier employees are at a company, the less likely they are to cause a security breach. A company culture that fosters loyalty and happiness among employees lessens the risk of an “inside job,” whether hacking or using company data for malicious purposes, and a CEO who takes cyber security seriously will influence his or her employees to do the same.

Get certified.

ISO/IEC 27001 is the best-known standard for specifying the requirements to keep information assets secure. Companies are not required to implement the standard, but many are now choosing to take this extra step and get certified. Not only does it outline standards for protecting the company, it also reassures customers and business partners that their information is safe and protected. Leverage the certification to set a company-wide standard that is documented, followed, and backed by top-level management. Hold trainings to ensure employees understand and follow the policies.

Create a cyber security scorecard.

The US Department of Defense is constantly under the threat of cyber-attacks. The cyber security scorecard is used as a way for the Secretary of Defense to better understand cyber security compliance and exposure. The scorecard assesses cyber security control across multiple areas: people, process, technology, facility and compliance. The purpose of the scorecard is to ensure organizations can effectively and regularly perform security assessments that highlight areas for improvement and gaps in cyber security policies. Once the gaps are detected, communicate them throughout the company and schedule trainings to specifically target and mitigate these issues.

Inventory and Protect All Networked Devices.

The technology that people wear and carry is often more powerful than they realize, so companies and employees should be aware of the associated risks. Because users rarely think about cyber security as it applies to their personal devices, they put the company in a position vulnerable to hackers when they leave their devices on the least secure default settings. Training around the risks is crucial to establish awareness. Publish company policies on what to do if a wearable device is stolen or put at risk, and address them during employee onboarding. Put programs in place to educate employees on how a hack on their device could put the company in danger.

It is not a matter of “if” a company will get hacked, but “when.” Embedding cyber security, cyber safety, and cyber-threat awareness into an organization’s culture helps delay and minimize the impact of the inevitable. Trenegy helps companies create and implement customized strategies to reduce cyber security risks.

I Have Never Met a Perfect Person: Dealing with an Imperfect World


Standard economic theory is based on the assumption that people are perfectly rational.  In other words, people rationally weigh the costs, benefits and risks before making decisions.  But, except for my wife, I have never met a perfect person.  (I love you, honey.)

A new line of behavioral economists is proving that people make irrational decisions that are driven by biases that can be anticipated.  One such economist, Dan Ariely, summarizes this in his book Predictably Irrational:  The Hidden Forces That Shape Our Decisions:

(We assume) that we are rational… But, as the results presented in this book (and others) show, we are far less rational in our decision making… Our irrational behaviors are neither random nor senseless — they are systematic and predictable. We all make the same types of mistakes over and over, because of the basic wiring of our brains.

These irrational choices that humans make not only affect the economy, but infect every aspect of our lives.  As we studied the root causes of major business “black swan” events – from major oil spills to worldwide automotive recalls – we have identified several of these human factors that must be taken into consideration when designing your company’s operational excellence program.  Organizational structures, policies and procedures, and underlying technology tools must all recognize that humans are not always rational and build checks and balances that account for these human biases.

Groupthink

Groupthink occurs when the momentum of a group influences acceptance of a decision or course of action that may not have been reached by the individual members.  In groupthink, an individual may be hesitant to go against the group from fear of looking dumb in front of the crowd.  They may be thinking “the whole group seems so sure, so I must be wrong.”

In your company, traditional brainstorming exercises may be especially prone to the effects of groupthink.  That is one reason why Trenegy uses the ACE™ Methodology for meeting facilitation.  This approach alternates between convergence (group brainstorming) and divergence (outside party review) cycles to ensure the consequences of groupthink are mitigated.

Confirmation Bias

Confirmation bias is our tendency to view evidence presented to us through the lens of what we believe to be true.  Confirmation bias explains why the same economic data can be seen by the government in power to be good, while it is used by the opposing factions to prove the economy is bad.  Each group is seeing the evidence through their individual belief that their base position is correct.

Your company’s internal reporting can be easily influenced by confirmation bias.  If the definition of the data presented is not clearly understood, and how that information relates to the ultimate company strategy is not effectively outlined, people will tend to draw conclusions based on their own interpretations.  One way to mitigate confirmation bias is to seek out data that may contradict the popular beliefs in your organization and try to uncover why that is.  For example, if the conviction in your organization is that you are a safe workplace, solely reporting lost-time incidents may only be confirming that opinion (since those types of incidents are few and far between).  Conscious reporting of near-miss events and first-aid injuries may show that you are not working as safely as you thought.

Normalization of Deviance

Normalization of deviance occurs when unacceptable practices gradually become more acceptable after the unacceptable behavior avoids negative consequences.  Some normalization of deviance is harmless.  The rise of “business casual” dress is a good example.  In the 1970s, President Carter called for thermostats to be raised to save energy during the energy crisis.  This led to business people leaving their ties and jackets at home.  When there were no repercussions from doing so, the acceptable dress for companies continued to drift toward what we now call “business casual.”

In some cases, though, normalization of deviance can have catastrophic results.  The original design parameters of the Space Shuttle’s Solid Rocket Booster O-Rings anticipated no blow-through of gases through the O-Ring.  But early in the Shuttle program some blow-through was observed after launches.  Although minor modifications were made to the design, over time some blow-through became acceptable to the Shuttle team.  In 1986, blow-through of gases through the Solid Rocket Booster O-Rings of the Challenger resulted in an explosion and the death of the crew on board.

The design of safety critical and reliability systems (organizational, procedural, or technological) must include barriers that prevent normalization of deviance from occurring.

Optimism Bias

Optimism bias is the tendency of humans to be overly optimistic and develop a “this won’t happen to me” mentality.  Dan Ariely found that 95% of drivers believe they have above-average driving skills (for those of you who are mathematically challenged, by definition only about half of all drivers can be above average).  This tendency can have undesirable effects.  People may put off diagnostic tests such as colonoscopies, or not wear a helmet because they believe they are unlikely to be in a motorcycle accident.

In companies, decision-making needs to guard against optimism bias.  This is particularly true in the project management process.  A pervasive tendency to think “this won’t happen to me” while planning projects contributes to 64% of energy mega projects going over budget, and 73% being delayed (according to a study by EY).  A robust risk identification and mitigation process can help fight this tendency to be overly optimistic.

Expectation Bias

Expectation bias occurs when we hear or see what we expect rather than what is actually happening.  Most of us have experienced this as kids (e.g., your sister was always “the good kid,” so when your mother saw the broken lamp she automatically assumed you broke it even though your sister did, and she does not believe you when you tell her so).

Although this example is harmless, expectation bias can have tragic consequences.  In the 2010 Macondo blowout in the Gulf of Mexico, the rig crews were incorrectly told that a critical test had passed successfully.  Because they believed the well was safely secured (even though it wasn’t), they failed to see the indicators of a blowout in the data they were receiving, contributing to a catastrophic blowout that took 11 lives and spilled five million barrels of oil.

When designing your company’s operational excellence programs, proper attention must be paid to these expected faults in the way our minds work.  For example, organizations must mitigate groupthink and confirmation bias by allowing cross-functional interactions to occur.  Policies and procedures must guard against exceptions so that normalization of deviance does not set in.  A robust risk management process must force the organization to realize that, despite optimism bias, bad things can happen.  And technology must be in place to ensure the right information is driving decisions so that the organization is not blinded by expectation bias.

Trenegy helps companies successfully manage any aspect of their operational excellence program using proprietary methodologies tailored to our clients’ needs. We help our clients get value out of their new system quickly and relatively painlessly.  This is the fifth in a series of articles on operational excellence.

Using Platforms to Transform the Supply Chain


An effective supply chain has three key elements: market exposure to products and services, direct collaboration between buyers and suppliers, and cost efficiency. Managing these elements in a traditional supply chain model is not easy. Buyers have to actively manage relationships with a variety of suppliers and often do not have clear visibility when new products or services are offered by new suppliers. Buyers fall into a one-sided supplier management rhythm, working the phones and email with ‘who they know,’ as opposed to the suppliers who provide the best products or services at the best price.

Today’s cloud-based platforms eliminate the old-fashioned routine. For example, consider Airbnb’s platform. The online dashboard creates value by enabling direct collaboration between homeowners and renters. Cloud-based supply chain models work in the same way. Buyers use the platform to efficiently work with a broad range of suppliers, who in turn gain access to buyers in real time.

Platforms are creating value for both buyers and suppliers by:

  1. Increasing exposure and reducing prices

Platform business models provide a space for consumers to openly interact with producers, and vice versa. Likewise, a good supply chain platform will provide this space, and it will also offer incentives for becoming a member. As more members join the platform, seller presence becomes visible to an increased number of buyers, heightening product exposure. Then, as the network effect kicks in, elevated purchasing traffic drives down the cost of the product, allowing purchasers to obtain products at a lower cost.

  2. Discontinuing Service Level Agreements

Platforms define base compliance standards, reducing the need to manage SLAs. Standards for doing business are built within the platform itself and platform members agree to these terms in order to participate. Cloud-based supply chain platforms hold both sides accountable for meeting standards relating to shipping time, response time, annual fees, payment methods, refunds, etc. Terms and conditions will vary depending on the platform, so it is important for potential participants to consider which guidelines are important and correspond with their business strategy.

  3. Granting access to real-time information

Cloud-based supply chain management platforms place an emphasis on needs planning and scheduling. Buyers can upload inventory with pre-defined depletion notifications, allowing suppliers to bid on replacements in near real-time. Both sides have the ability to respond quickly to changes in the supply chain. If a shipment is late, suppliers can provide up-to-date tracking information.  If a shipment is extremely late, buyers can access the platform to identify what is available and when.

  4. Eliminating approved vendor lists

Because supply chain platforms ensure procurement from only ‘approved’ suppliers, the practice of managing an approved vendor list becomes obsolete. Previously, buyers invested a great deal of research and vetting into determining which suppliers were approved. Now, buyers can use platforms to filter suppliers by established company protocols and purchasing criteria (e.g., product quality, timely delivery, and supplier ratings). Most importantly, existing suppliers can be bypassed or banned based on real-time evaluation of performance.

  5. Making it easy to connect with and review new partnerships

Platform business models make it easy to shop around for potential suppliers and partners by providing direct feedback from other platform members. Similar to checking Yelp for restaurant reviews, business partners evaluate buyers and suppliers based on their experience. When your long-time pipe supplier is out of stock, there is no need to wait for inventory to be replenished. Instead, users can search for comparable products on the platform and review supplier ratings to make the best decision for current purchasing needs. References and reviews are beneficial for users looking to establish new connections or alternative options. They also help instill confidence in transacting with unfamiliar customers and suppliers.

Cloud-based platforms are changing supply chain procurement strategies for the better. With increased market exposure, easily realized cost efficiencies, and an environment for direct collaboration, platform business models are equipping buyers and suppliers with the tools necessary to succeed in supply chain management. Trenegy helps companies identify innovative solutions that streamline the procurement process. To learn more, contact us.

Leveraging Digital Pricing Solutions to Drive Revenue Growth


Dynamic pricing, or charging based on customers’ willingness to pay, was once thought of as an airline gimmick, or at worst as price discrimination. The public consciousness’ shift on dynamic pricing is best exemplified by the ride-sharing behemoth, Uber. Steven Levitt, of Freakonomics fame, recently analyzed Uber’s surge pricing model to determine the UberX demand curve. In the working paper developed with several other economists, Dr. Levitt noted that even with Uber’s demand-based surge pricing, they were leaving $6.8 billion on the table in consumer surplus. Uber’s pricing strategy may need tweaking to capture some of those billions, but the preliminary results emphatically show that customers accept and appreciate a demand-driven dynamic pricing model, and that the inflexible pricing model that taxis use is woefully outdated.

Not every firm is Uber. However, any company can rethink their pricing strategy to drive revenue. The development of powerful price optimization and management (PO&M) tools has provided our clients with top-line growth. Using a digital PO&M solution allows companies to automate and facilitate the Inquiry-to-Order process, creating actionable data about purchasing behavior. As a result, PO&M is a hot trend. Unfortunately, the immaturity of the market is leading to consistent pitfalls in implementations. We at Trenegy have consolidated the struggles and pitfalls we often see into four key considerations that organizations must read before purchasing:

Understand Complexity and Timing

Implementing the right PO&M solution is a complex undertaking. Most firms have experienced the challenges of implementing ERP and other EPM solutions, and often those challenges are exacerbated by a lack of planning. Similarly, PO&M implementations require a robust planning phase to prepare the data integration and the underlying algorithms which enable dynamic pricing. The firms that achieve the least amount of value from their digital pricing solutions are the firms that expect it to be “plug-and-play.” Because of the solution’s complexity, companies must invest in training, change management, and defined roles and responsibilities to roll out a PO&M tool effectively.

Know Your Data

The process of streamlining and cleansing the data required for pricing analytics is often the most painstaking and time-consuming activity of an implementation. Ensuring this is done correctly prior to go-live is paramount. All of our manufacturing and distribution clients have similar issues with their master data. Common pain points include: ERP data that does not align with business intelligence data, sales team price lists on outdated Excel spreadsheets that do not match contracts in the contract database, or budgeting tools that have different product roll-ups than the S&OP tool. Because PO&M systems pull from a variety of sources, key rationalizations must be made during the project’s design phase:

  • What data, and at what level, does the PO&M system need?
  • Which sources have this data and will it be integrated?
  • Have you reconciled the source data at all levels?

Design a Strategy

Our clients seek a PO&M tool because their current cost-plus, absorption, or contribution margin pricing strategy isn’t capturing enough value. Dynamic pricing is a powerful business concept that can help grow revenue by up to 10%, but purchasing a PO&M solution without a defined dynamic pricing strategy is like leaving the engine out of your Uber LUX sports car. What drives the tool is the consensus between finance, sales, and operations: what will they charge for each SKU in each region while accounting for key dynamics like supply/demand, customer base, and sales promotions? All of these factors develop the algorithm that is the foundation of the PO&M solution.

Manage the Organizational Impact

Effectively implementing a standardized pricing strategy and solution relies on change management initiatives. Throughout the project, the team must develop clearly defined roles and responsibilities, process flows, and policies to align the customer-facing functions. After the tool goes live, the sales and marketing groups need to work together to leverage their capabilities to generate greater revenue.

Trenegy has assisted a number of companies with implementing effective pricing systems. For additional information, please contact us at:

4 Keys to Automating the S&OP Processes


Manufacturing companies’ ability to compete oftentimes hinges on meeting customers’ delivery expectations. Customers want the product when they want it, and delivery failures result in customer attrition. With the introduction of platforms connecting producers to consumers, moving from one supplier to another can happen overnight.  Unfortunately, customer product demands are difficult to predict.  Customer unpredictability requires manufacturing companies to closely manage the balancing act between material requirements, production capacity and inventory levels.

To address the predictability challenges, manufacturing companies must have a robust integrated business planning process aligning sales, operations and finance.  In many organizations, the Sales and Operations Planning (S&OP) process is disjointed and cobbled together with various spreadsheets and emails.  Companies can leverage technology to innovate and streamline the S&OP process. An S&OP platform can automate processes across sales forecasts, demand planning, materials planning, network optimization and financial planning.

Keep in mind, processes must first be standardized and organizations aligned before investing in a technology solution in order to realize any real benefits. Before starting an implementation, consider the following:

Know where you stand today. Business functions operate in silos and have unique processes, systems, success metrics, and terminologies.  Understanding the current state and identifying pain points within the process is key.  For example, the sales organization speaks in “dollars” and the plants speak in “units.” This means that the pricing process must be well-defined to interpret what sales is saying versus what the plant must produce.  Assess the current processes across the supply chain, then determine actionable steps for improvement. Automating an ineffective process will not yield greater effectiveness. Be realistic about the current state and develop a plan to implement the desired future state.

Roles within the organization will change. To effectively implement and utilize an S&OP tool, everyone involved in the S&OP process should understand their individual role and accountability. Undefined roles and responsibilities lead to duplication of effort and multiple versions of the truth. A plant receiving one forecast from sales and yet another version from the demand planners will experience confusion and second-guessing.  Developing a RACI (Responsible, Accountable, Consulted, Informed) model for each step in the S&OP process is a great tool to align roles.  Clarifying how each individual contributes to the S&OP process and fostering collaboration across teams are essential to success.

Data is everywhere. Identify authoritative data sources and clearly define data inputs, calculations and outputs. Most companies with a manual S&OP process have data stored in multiple systems, spreadsheets, servers and hard drives. With data coming from multiple sources, companies spend the majority of their time validating the data, leaving little time for analysis.  Demand planners plan production at the more granular product SKU level, while finance forecasts production at the product line level.  The two versions are rarely reconciled or shared between operations and finance, which makes reconciliation a tedious and time-consuming task. Before implementing an S&OP tool, the team should design a data model that aligns the company’s sales, financial, supply, and operations planning processes and requirements.

Build consensus among key stakeholders. It is difficult to argue against the benefits of implementing a platform for S&OP process automation.  Sales, finance, operations, supply, pricing, marketing and product management teams must be aligned, given the cross-functional nature of S&OP.  Establishing who will be accountable for the S&OP implementation isn’t always easy. Organizations need commitment from top management in commercial, finance and operations to be aligned.  This includes aligning project objectives.  A good exercise to start the S&OP implementation is developing S&OP Guiding Principles. The Guiding Principles set the tone for the implementation and give all functions a clear understanding of the path forward.  Any disagreements will be resolved by the Guiding Principles for the project.  With executive leadership and buy-in from key stakeholders and the rest of the team in place, the S&OP process can succeed.

While technology can automate and simplify the S&OP process, processes, data, organization roles and expectations must be aligned across the business.

A Practical Guide to Transfer Pricing Policy Design and Implementation


Guest author David North, Corporate Controller at L.S. Starrett Company, provides a detailed look into transfer pricing policy design:

From what we see in the news media, transfer pricing is a tool used by unscrupulous corporations to “rig the system” of global trade as they’re caught paying single digit tax rates on enormous profits.  Such stories dominate the business headlines and political rhetoric only because scandal sells and because the business news media give disproportionate coverage to the world’s very few extremely large corporations.

For the rest of us the situation is the opposite – a threat of confiscation rather than a temptation to exploitation.  Only the giants can afford departments of full-time experts to design and maintain international tax and treasury strategies involving shell companies to act as “coordination centers” around the world.  The rest of us couldn’t possibly talk to national governments, let alone negotiate special tax treaties.  Instead we struggle to establish and maintain a transfer pricing policy that might protect us from double taxation and even when that’s achieved, the operational obstacle caused by the remedy is often worse than the problem it was meant to cure.

For all but the giants, designing and implementing a transfer pricing policy that’s acceptable to tax authorities without impeding the ability to do business is a tough challenge…

Click here to download the Transfer Pricing Do It Yourself Guide.

7 Signs a Difficult Person is Preventing Progress


The root cause of project delays, failures, and missed deadlines is often traced back to a single cause: a difficult (or insert adjective here) person.  Difficult people get in the way of progress.  They contribute to a workplace environment saddled with major time wasters: lengthy meetings discussing minutiae, circular arguments, tangential debates, non-productive discussions, and let’s not forget the ancillary meetings dedicated to getting a “difficult person” focused appropriately. Before we know it, a project lags behind schedule.

Although difficult people have seemingly good intentions, their work style is toxic. Below are the obvious signs of difficult people and recommendations for coaching them toward progress:

  1. They frequently remind others of their tenure (or lack thereof) with the organization.  Statements like, “I have been here for 20 years, so….” or “I have only been here for 4 months…” are typically followed with excuses for not taking action.  While it’s often essential to utilize one’s expertise in decision-making, a better way to mention it would be: “Based upon my experience with our company (or other companies), we could consider…”
  2. They wait for others to make decisions. Declaring, “If only management would decide what we should do…” is a hallmark of inaction. Oftentimes, difficult people will involve as many other non-decision makers as possible and lure them into the conversation as a deflection tactic. Instead, the difficult person should be direct and express any suggestions or concerns they have. They should say, “I am going to take a recommendation to management for feedback.” Engaging the final decision maker moves things forward.
  3. They find others in the company to be annoying. Difficult people might say, “Everyone else here acts like (fill in the blank) …” Statements like these suggest that the real problem is in the mirror. When faced with conflicting attitudes, a better response is, “I must be doing something wrong. How can I help others succeed?”
  4. They are overbearing in meetings or they choose not to participate at all. “I have to take over every meeting!” or “I have nothing to say because they won’t listen!” indicates that true collaboration is not valued.  It is important that difficult people ask questions, encourage others to provide a perspective, and honor the cooperative forum.  If this is an issue, ground rules for meetings, such as “silence is agreement,” are critical to forward progress. Opting for smaller in-person meetings, instead of conference calls can also keep meetings concise and focused.
  5. They believe they are the smartest people in the room. When a difficult person says, “Nobody understands my recommendations…” it is usually either a failure to explain the recommendations well or the recommendations are really bad ideas. A better approach to decision-making is to encourage others to ask questions and collaborate.
  6. They believe their requests go unanswered. “I email requests out to the team and nobody ever responds!” is a common attitude of difficult people. They may attribute this to their intimidating intellect, but a complete lack of response is likely a problem with how their message is delivered. Requests should include at least two of the following: (a) what’s in it for the recipient, (b) a personal touch of kindness, and/or (c) an explanation of the purpose of the request. It is important that, when able, people should refrain from emailing and engage face-to-face.  Engagement helps build a more collaborative environment and people may share more information face-to-face versus email.
  7. They do not consider their co-workers as confidants. “I cannot trust anyone in this place…” is a statement no one wants to hear in a healthy work environment. Building trust is a worthy investment in the company’s culture.  When trust is lost, it is important to address it and understand it in order to repair it. Taking the time to coach difficult people to engage with others helps to eliminate untrustworthy behaviors.

Using these coaching points can help a difficult person discover how a few communication techniques can make a world of a difference in project success.

4 Methods to Revolutionize Your Cybersafety Program


The year the internet fell apart. Cyber-analysts and researchers often declare 2014 the “Year the Internet Fell Apart” due to a series of high-profile hacks on Sony, J.P. Morgan Chase, and Apple’s iCloud. In 2015, cyberattacks on Ashley Madison, Anthem, and the FBI were front-page news. And now in 2016, political hacks have taken center stage with the DNC’s email breach, the hack on election systems in Illinois and Arizona, and Guccifer’s “October Surprise” threat of releasing Hillary Clinton’s private server emails. 2016 will be remembered as the year cybersecurity was exposed as an ever-evolving game of cat and mouse. And we have just realized that we are the mice.

While most breaches in the news come from the worlds of retail and geopolitics, other industries cannot and should not ignore the threat of cyber-attack. Everyone is under attack. In fact, healthcare, manufacturing, and financial services companies have the highest incident rates. And for any company, elaborate software alone will not prevent a hack or data breach. Why? Because 91% of all targeted cyberattacks rely on “social engineering” to persuade employees to reveal confidential company information. Below are Trenegy’s 4 methods to help you build a more comprehensive response to the growing cyber onslaught.

  1. Revise your Attack Radius

The main fault of many cybersecurity programs is that Finance and Operations leaders inaccurately believe that the IT guys can block out the hackers by themselves. But cyber criminals will attack ALL employees, not just your experienced IT staff. In a comprehensive cybersecurity plan, the Attack Radius extends to any system that can access sensitive data, as well as the people who could access those systems. It is also critical that the ownership of the cybersafety program rests on an executive-level leader (i.e., Chief Risk Officer or Chief Information Security Officer). This confirms that the cybersecurity initiatives are whole-company initiatives, not solely IT-related ones.

  2. Rethink “Cybersafety” Awareness Training

There needs to be an intense focus on bringing awareness to the methods used by hackers and the company policies and procedures for addressing the following types of social engineering schemes:

  • Phishing – Email with malicious links. These can be individually targeted or sent as a mass email blast.
  • Pretexting – Pretending to be someone else to gain confidential information.
  • Baiting – Deceiving someone with a fake incentive (“You’re a winner. Download now!”) or a threat (“You have viruses on this device.”).
  • Quid Pro Quo – Asking for secure access in exchange for providing something.
  • Tailgating – Following someone into a secure physical location, usually one requiring a unique ID card for access.

Training employees to identify and avoid these threats can be just as financially important as training them to maintain the organization’s physical assets. In addition to a robust awareness training program, Trenegy believes in the power of the Cybersafety Minute, a CRO/CISO-sponsored minute at the beginning of meetings that provides consistent awareness about the state of the organization’s cybersecurity.

  3. Remodel Risk Assessments

The testing of controls is traditionally a reactive practice. For example, pervasive testing of Internal Controls over Financial Reporting came about as a response to SOX, and testing of Environmental, Health and Safety controls is driven by EPA regulation. We often find that organizations that effectively test cybersecurity controls do so only because they have had several breaches in the past. Cybersecurity controls do not receive the proper testing focus because the risks are not correctly assessed. Creative hacking calls for creative preventative measures. Many organizations outsource annual penetration testing, but since most hacks rely on vulnerabilities in human nature, standard “pen testing” is grossly incomplete. In performing the risk assessment, the CRO/CISO should sponsor testing in which an internal employee attempts to socially engineer other employees. Any cybersecurity risk, technical or social, is likely to be rated at the highest threat level.

  4. Rework Incentives

It can be hard to draw the connection between a mysterious email and the loss of millions of company dollars. But ensuring employee compliance with a cybersecurity program is key to that program’s success. Incentives, like cash rewards for completing cybersafety training, can drive positive behavior and encourage engagement. Including cybersecurity in performance evaluations and day-to-day training helps people understand, on an individual level, how they can make an impact on the company’s large-scale cybersecurity program.

Settling the Top-Down vs. Bottom-Up Budgeting Debate

As a company expands and matures, leadership will eventually lose control over the Planning, Budgeting, and Forecasting (PB&F) process. Over time, different regions and functions develop unique and siloed processes that provide the CFO with budgets of varying depth and flexibility. The CFO’s attempt to corral the process by notifying the organization that their group at HQ is now running the show inevitably launches the Top-Down (TD) vs. Bottom-Up (BU) civil war.

Effectively navigating the evolution from a pure BU to a pure TD approach is nearly impossible. Replicating the old ways with a TD process that budgets at the same level, even with allocations, presents well-documented challenges. Cost center owners disengage from the process because they do not feel their input is valued, functional leads don’t fight for a potentially profitable project because they fear “Corporate,” and the finance team in the ivory tower forecasts inaccurately because “how would they know what goes on here in the field/plant/etc.”

Strategic Top-Down Target Setting

Predictably, the answer to the TD vs. BU debate is somewhere in-between. Instead of overhauling the current Bottom-Up process, the organization can leverage it and still give the CFO the control he or she covets by implementing Strategic Top-Down Target Setting. The CFO typically does not care that 401k expense is budgeted to stay flat, or that marketing expense is budgeted to rise 50 basis points. The CFO cares about top-line growth, margins, and cash flow. The finance organization can control these in the budgeting process without strangling the different regions with peanut butter spread allocations. Within the firm’s planning tool of choice, Finance will set various Key Performance Indicators (KPIs) that the current planning teams must achieve. Common budgeting KPIs are:

  • Gross Margin
  • DSO, DPO
  • Inventory Turns

The Strategic Top-Down method generates the typical benefits an organization receives from the pure TD process (e.g. reduced cycle times, improved accountability, and removing personal interests), while allowing the different functions or regions of the organization to build their budget in the way that best works for them. As challenging as it may be for Finance to give up planning revenue growth down to the basis point, it is far more effective to work with the different commercial groups to set market and product growth expectations, instead of holding them to profitability metrics.

This budgeting strategy can also drive creative pursuits of revenue-generating activities and operational efficiencies to meet the KPIs set by finance. For example, instead of conforming to a headcount maximum, a commercial region is able to increase team size to meet new sales initiatives, while continuing to grow revenue in line with Finance’s margin targets.

This process pushes the decision-making to the teams that will have to live and operate under the budgets. Importantly, the teams must trust the targets they have been given. They cannot feel like they are building up to meet margin targets pulled out of thin air. Cross-functional teams should present a strategic vision annually that includes:

  • Commercial/Sales groups presenting their expected market and product growth
  • Operations presenting expectations for inventory, manufacturing efficiency, and commodity price fluctuations
  • Finance presenting pricing and foreign exchange expectations

By maneuvering these levers, the CFO and his FP&A team can effectively set their revenue growth, margin, and cash flow expectations without the numerous iterations that result from a pure TD or pure BU process.