5 Ways to Avoid Phishing and Pharming


“Give a man a fish and he’ll eat for a day. Teach a man to phish, and he’ll steal your identity and eat on your credit forever.” – A Proverb (probably)

Man has relied on fishing and farming as a means of survival for thousands of years. Fishing involves dropping a line and hook in the water and waiting for the right finned creature to swim by and take the bait. Farming takes a few more steps and more time. A farmer must plant the seed, nurture the seed, and wait to harvest the fruits of his labor.

The same concepts apply to the cyber-attack counterparts of these terms. While different in approach, both “Phishing” and “Pharming” have the same end goal: to trick unsuspecting people into revealing sensitive personal information, which hackers can then use to fatten their bellies or wallets. The worst-case scenario for a victim of a Phishing or Pharming attack is identity theft.

Phishing

In Phishing, a hacker, or “Phisherman”, drops a line and hook in the form of an email that appears to be from a popular website or subscription service, such as Bank of America Online, for example. The email will tell the recipient, or “phish” if you will, something along the lines of, “Our system has experienced an update/change. Please log in using the link below to verify your account information.” The Phisherman baits this email with official-sounding language and official-looking logos in an attempt to get the phish to bite. These emails vary in their level of sophistication, yet at first glance many Phishing attempts appear authentic to unsuspecting phishes.

When the phish clicks the link in the email, he is routed to a site that may look very similar to the authentic site he is expecting. However, this site is a replica built by the Phisherman. The phish will be prompted to enter sensitive information such as usernames, passwords, and sometimes even bank account information and social security numbers. Once the phish enters this information, he has unlocked his account (and all sensitive information therein) for the hacker…I mean Phisherman. He’s been caught. Poor phish.

Pharming

Just as farming is more labor-intensive than fishing in the traditional sense, Pharming takes a bit more work than Phishing in the cyber-attack world. “Pharming” was originally named as such because it allows hackers to “herd” large populations of people to fake websites in one fell swoop. The metaphor has a deeper meaning from an agricultural standpoint, which is explained below.

In Pharming, a hacker, or “Pharmer”, manages to redirect users from the authentic site they are trying to reach via a web browser to another, fake site created by the Pharmer. Pharmers accomplish this by “poisoning” something called the DNS Cache of a computer, network, or server. The DNS Cache is simply a stored list of previously visited website names and the IP addresses they resolved to. When a Pharmer poisons the DNS Cache, he can manipulate the stored entries so that when a user starts typing a web address, such as “bankofa”, into the address bar, the auto-filled address resolves not to its correct IP address but to another IP address, which leads to his fake website. He is essentially planting the seeds for his corrupt websites in the DNS Cache. He “fertilizes” these seeds by convincingly replicating the log-in page of the authentic site on his fake site. And then he waits to harvest. If the Pharmer has done a convincing job of replicating the authentic website, users will be unknowingly directed to his bogus website when they type the web address into their browsers. They will log in as usual, thereby handing over their personal information to the Pharmer. They’ve now been harvested.

How does this keep happening? One statistic that may come as a surprise is that the people most likely to get phished or pharmed are high-level executives and upper managers. Now, before any execs reading this get offended, this is not to say that folks in these positions are dumb. They are being profiled, since hackers believe they have several factors working against them. Executives have money, receive many emails in a day without closely scrutinizing each, and hackers consider them to be less tech savvy.

How to Avoid the Hook and the Harvest

1. Educate yourself.

The easiest way to decrease the likelihood of being phished and pharmed is to simply be aware that these types of attacks are a possibility. Read a few articles on basic cybersecurity here. If you are reading this, you are already ahead of the game.

2. Embrace cyber-skepticism.

The more people learn about potential hacking threats, the more cyber-skeptical they will become. This is always a safe bet. If it sounds phishy (see what I did there?), err on the side of caution. You may miss out on a free cruise to the Bahamas or $5 million from a Nigerian prince, but delete that email. Trust me, no one has ever won on that deal.

3. Train Employees.

Companies should mandate cybersecurity training for all employees that walks through the types of cyber-attacks and explains how to identify them before they happen.

4. Do not trust email links.

Never provide information for a personal account by following a link in an email. If you receive an unsolicited email about a personal account asking for account verification, yet you think it could be authentic, call the company’s official customer service phone number—not the one from the questionable email—and speak to a human being to confirm the legitimacy. Or just go directly to the website: navigate to it by typing the address into a separate browser window, not by clicking the link in the email. If it is a legitimate request, you should see a similar message once you log in to your account.

5. Take note of your URL when browsing.

When browsing, always pay attention to the URL of the website you are visiting. On a legitimate site, the name of the site is the part immediately followed by .com, .edu, .net, etc. For example, www.netflix.com. If you tried to log in to Netflix but saw something like www.netflix.ad.com, or even a minor misspelling like www.neftlix.com, you can bet your DNS Cache has been compromised. Contact your IT personnel immediately so they can remediate.
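As an added example (not code from the original article), here is a small Python check that encodes tip 5 for a reader or help-desk tool: it flags both patterns described above, a familiar name tucked under a different registered domain (www.netflix.ad.com) and a near-misspelling of the expected name (www.neftlix.com). It assumes the registered domain is the last two labels of the host, a simplification that ignores multi-part suffixes such as co.uk, and the expected domain and sample URLs are constructed for the demonstration.

```python
"""Lookalike-URL check for the "take note of your URL" tip.

Constructed example. Verdicts returned by check_url():
  "ok"        host belongs to the expected registered domain
  "lookalike" expected name appears as a subdomain of another domain,
              or the registered domain is a near-misspelling of it
  "mismatch"  an unrelated domain (not where the user meant to go)
  "invalid"   the URL carries no host name at all
"""
from __future__ import annotations

from urllib.parse import urlsplit


def registered_domain(host: str) -> str:
    """Last two labels of the host (simplification: no public-suffix list,
    so 'example.co.uk' would wrongly yield 'co.uk')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance, so that a
    swapped pair of letters such as 'neftlix' vs 'netflix' counts as one edit."""
    prev2: list[int] | None = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def check_url(url: str, expected_domain: str, max_edits: int = 2) -> tuple[str, str]:
    """Compare the host in `url` with the registered domain the user expects."""
    # .hostname drops the scheme, any user-info before '@', the port and the
    # path, so "https://www.netflix.com@evil.example/" resolves to evil.example.
    host = urlsplit(url).hostname
    if not host:
        return "invalid", "no host name in URL"
    expected = expected_domain.lower()
    expected_name = expected.split(".")[0]
    actual = registered_domain(host)
    if actual == expected:
        return "ok", f"{host} belongs to {expected}"
    labels = host.lower().split(".")
    if expected_name in labels:
        # e.g. www.netflix.ad.com: 'netflix' is only a subdomain of ad.com
        return "lookalike", f"'{expected_name}' is only a subdomain of {actual}"
    actual_name = actual.split(".")[0]
    if edit_distance(actual_name, expected_name) <= max_edits:
        # e.g. www.neftlix.com: one transposition away from netflix.com
        return "lookalike", f"{actual} looks like a misspelling of {expected}"
    return "mismatch", f"{actual} is not {expected}"


if __name__ == "__main__":
    # Constructed sample URLs, including the two from the article's tip 5.
    samples = [
        "https://www.netflix.com/login",
        "https://www.netflix.ad.com/login",
        "https://www.neftlix.com/",
        "https://www.netflix.com@evil.example/login",
        "www.netflix.com",
    ]
    for sample in samples:
        verdict, reason = check_url(sample, "netflix.com")
        print(f"{verdict:9s} {sample}  ({reason})")
```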

Phishing and Pharming are two of the most common forms of cyber-attack. The good news is that both are also among the most easily prevented. Taking the basic precautions listed above can stop Phishermen and Pharmers in their tracks, and then we can “just keep swimming” in secure waters.


This article has been adapted from a chapter from Trenegy’s book: Jar(gone)

Trenegy is a non-traditional consulting firm, dedicated to helping companies clarify the latest business jargon into useful terms and solutions that actually benefit your company. Find out more: info@trenegy.com.

How Your Reporting Defies Statistics — And How To Fix It


In a 2014 study, psychology and statistical analysts found that people felt more confident in decision-making with fewer options. Conversely, decisions were more difficult when faced with a large number of options. The study proved the “less is more” concept for making decisions. The concept of “less is more” also applies to metrics. Imagine convoluting the decision-making process with an abundance of metrics. It is important to develop key reporting capabilities to provide a window into key business drivers while not overloading management with unnecessary reports and metrics. Management reports are essential to company success but can become a burden to everyone if the data is not captured at the appropriate granularity.

Balancing Quality and Quantity

How does a company successfully achieve the balance between quality reports and quantity of information?

Less is More

As studies have shown, oftentimes less is more. One of the key elements of building effective management reports is boiling down a large amount of information to what is critically important.

  1. Define the company goals and growth plan. A company focusing on a couple of lines of business and striving to grow organically will require much more granular data on each line of business. However, a company planning to grow through acquisition, taking on new lines of business with each new acquisition, must prioritize flexibility and scalability within the reporting.
  2. Determine the biggest drivers of cost and revenue. From amongst the biggest drivers, it is also pertinent to consider which are most variable. Understanding slight variances that have significant cost effects enables companies to make strategic decisions regarding times of the year and locations, allowing the company to offer certain services to drive costs down and increase margins. Once the key drivers have been identified, get rid of unnecessary data and reports by answering the following questions:

— Will the information materially impact our results?

— Will the information captured change over time or remain constant?

— Is the information relevant to our stakeholders? Does it provide insight?

— Does the information provide predictability into future indicators of success?

Quality In and Quality Out

Regardless of the business systems being utilized, if quality information is not being entered into the system, the resulting management reports will yield false or misleading information for decision-making. The following steps can help to ensure quality data:

  1. Ensure business processes align with updated reporting requirements. For example, if a company wants to begin tracking the profitability of certain assets, field operators would be required to create asset numbers, to tag assets with the appropriate numbers, and to capture when the specific asset is used, repaired, or relocated. If new reporting metrics are identified without rolling out corresponding updates to business processes, inaccurate reporting will continue to plague the company. There are not enough systems, precautions, or automation to yield desired information without effective business processes, enforcement from management, and participation from line-level employees.
  2. Standardize input fields. Freeform or open input options often result in inconsistent data entry. For instance, one employee enters Houston, another enters HOU, and another enters HTX for a billing location. The information should all be associated with Houston, yet when filtering, HOU and HTX will likely be left out, resulting in reporting inaccuracies. A way to mitigate this common problem is to use drop-down lists with preselected values rather than free-form boxes.
  3. Utilize cross validation rules. Cross-validation filters data to prevent coding errors. For example, if wireline services are only offered in Texas, an employee who inputs their location as Colorado should not see the option to select wireline as a service.
  4. Allocate with discretion. Creating allocations for internal purposes provides little to no benefit. For example, an IT organization may allocate its IT costs to the operating divisions. At the same time, the operating divisions have no control over the allocated IT costs. This additional information becomes meaningless to the operating divisions, and the IT costs become less visible to the organization as a whole. Allocations should be used where there is a legal or customer requirement to allocate the costs.

Management reports should present information managers need to make informed decisions. Abiding by these two simple and statistically-backed rules will give management exactly what they need — and nothing more.


Trenegy is a non-traditional consulting firm, equipping businesses to make the most of their reporting. With successful management reporting, business decisions can be simple and strategic. Ask Trenegy how: info@trenegy.com.

Performance Management: 7 Steps to Hitting the Same Target


At any given time, in any office around the world, you can find a boardroom packed with different employees discussing how to improve the business. The scene will go something like this:

The Controller is convinced “the company needs to improve its Enterprise Performance Management process.”

However, the Vice President of Human Resources replies, “No, we do not need to focus on EPM. Our Corporate Performance Management system is what needs improvement.”

To which the Vice President of Finance responds, “Our CPM is fine. It just needs to be integrated. What we need is an Integrated Performance Management system.”

But that is not enough for the IT Manager who says, “You are all wrong. We need something even better. We need an Integrated Enterprise Performance Management Corporate Environment.”

The funny thing about the scenario above is that each person is basically requesting the same thing, except for the IT manager. He recently participated in a software demonstration where the consultant performing the demonstration made up a new type of Performance Management on the spot, which the IT manager repeats, because he thinks it sounds trendy.

Though the term “Performance Management” is used often, its full meaning is not typically understood. The confusion is only exacerbated by consultants who seem to frequently create a new “type” of Performance Management (e.g. corporate, enterprise, integrated).

It is logical to think that each of the references made about Performance Management efforts relates to the same project, right? Not necessarily. Here is how the uses of the term Performance Management overheard in the boardroom actually translate:

[Figure: how each function’s use of the term Performance Management translates]

Which translation of Performance Management is correct? Actually, none of them is exactly right or wrong. Each translation is partially correct, because each department, or source, uses the term Performance Management to mean what is specific to their function. Each translation is only a portion of what Performance Management really stands for. What exactly is Performance Management then?

Stated simply: Performance Management is the action of measuring actual results against specific targets or goals.

The Performance Management process for a company consists of the following key steps:

  1. Visioning: defines the direction for the company
  2. Goal Setting: establishes performance targets to track and measure progress
  3. Strategic Planning: creates long-term plans tied to the company’s vision
  4. Business Planning: consists of the tactical planning required at a business unit level
  5. Analysis: identifies progress toward goals and changes in business drivers
  6. Forecasting: provides an ongoing outlook of expectations versus goals
  7. Measuring Success: measures results against strategic objectives and peers
  8. Rewarding People: recognizes and rewards employee performance based on performance incentives

The overall Performance Management process can be an integrated, continuous process as depicted by this lifecycle diagram.

[Figure: Performance Management lifecycle diagram]

Looking back at the various ways the different functions of a company use the term Performance Management, it is clear each translation is only part of the story. Too often Performance Management is used to describe goal setting or rewarding people. These are only two components of the entire cycle.

It might help to describe not only what Performance Management is, but also what it is not…

[Figure: what Performance Management is and is not]

To better understand how the Performance Management process is used, let’s assess a non-business related application: winning a race. For someone with sights on winning a 5k, the performance management process would look something like this:

  1. Vision: Winning the annual Turkey Trot 5k
  2. Goal Setting Targets: Week 1: 5 Miles, Week 2: 7 Miles, Week 3: 10 Miles, finish 5k in 21 minutes or less
  3. Strategic Planning: Monthly mileage plan, monthly time/mile avg. plan
  4. Tactical Planning: Daily calendar marking long-runs, track work, and rest days
  5. Analysis: Comparison of training times to targets, comparison of total training mileage logged to targets
  6. Forecasting: Modifying monthly/daily plans based on analysis
  7. Measuring Success: Comparison of training targets to actual results, comparison of race results to target and peers
  8. Rewards: Pumpkin pie with whipped cream for achieving training targets, non-stop boasting to annoy family members for winning the 5k

The individual training for the 5k did a good job of using the Performance Management process to drive actions toward a desired result. Driving actions toward a desired result should be the objective of every company.

Performance Management is a crucial process for effectively managing and guiding a business. However, it is important to think of the process in its entirety. Maybe the IT Manager was right from the beginning: Performance Management should be an “integrated enterprise performance management corporate environment (IEPMCE).” Trademark filed.


This article has been adapted from a chapter from Trenegy’s book: Jar(gone)

Trenegy is a non-traditional consulting firm, dedicated to helping companies evaluate the efficiencies of their business processes and align their actions toward defined KPIs. We translate business jargon into useful terms and solutions that actually benefit your company.

Find out more: info@trenegy.com

Blockchain Defined: 5 Myths or Facts?


How often do we hear of a new technology claiming to change the world as we know it? Remember when the Segway was going to transform how cities would be designed? Or Theranos was going to revolutionize the medical industry and prevent disease? Or the utopian Hyperloop would transform travel between cities?

Today, we are hearing how Blockchain is going to revolutionize the world. “Blockchain will be the next internet,” or “It will completely change the financial industry,” or “It will replace ride-sharing platforms.” Is this hype or reality?

What Is the Blockchain?

First, let’s understand what Blockchain is. Blockchain is a new technology architecture, enabling secure and direct transactions between people. A transaction can be a simple exchange of money, a sequence of rhythms, or signatures on a real estate contract.

Today, most transactions are performed (and guaranteed) through a centralized clearing house or governing organization. The central clearing house or governing organization collects fees along the way. Visa or MasterCard collects purchase transactions from consumers, charges a fee, and distributes the remainder to the merchants. Similarly, music companies collect acoustic creations and distribute them to consumers, collect the fees, and then distribute what is left over to the artists. These “centralized clearing houses” or “middle men” are often considered an annoyance to the suppliers (merchants and artists). Credit card merchant fees eat into already razor-thin merchant margins. Artists feel as though they are not getting a big enough piece of the pie.

Imagine if the merchants and artists decided to transact without the “man in the middle.” Nordstrom exchanges shoes for fur pelts instead of central bank issued dollars. Jay Z sells 99 Problems directly to the millions of consumers. It would be the Wild West all over again!

But wait, what if there were a means to facilitate the direct exchanges without the Wild West, in a controlled and secured environment? Herein steps the “Blockchain Revolution.” Blockchain provides the security and structure of a centralized clearing house while allowing for the direct exchange of goods or services between a supplier and a consumer. Blockchain is a distributed technology where there is no central technology hub (well, sort of). Consumer and supplier information is maintained locally on distributed computers. And the beauty of Blockchain is the way it copies and stores data between the distributed computers. Certain information is shared between the consumers and suppliers, while other information remains private. Furthermore, the Blockchain technology proposes to be more secure than the traditional centralized model.

A simple way to explain the Blockchain technology is the game of “go-fish.” The Blockchain is the deck of cards, and the block is a single card. Each player is a “node” in the Blockchain, the dealer is the “wallet provider,” and the cards each player holds are a unique sequence of blocks. Each player’s hand is held privately until someone wants to validate a transaction. The first player reveals one block of information: “Jimmy, do you have a 7?” Jimmy validates the transaction with a “match” by handing over his 7 of hearts to the first player. The block has now been added to the first player’s chain.

Myth or Fact? Blockchain is completely decentralized

The most popular example of Blockchain technology is the Bitcoin currency. The transfer of the Bitcoin currency is conducted directly from the consumer to the supplier. The money is not transferred through a central bank or clearing house. However, it is somewhat deceiving to say Bitcoin is completely decentralized. The transactions are decentralized, yet the management of the currency exchange rates, the software applications, and people managing the exchange are centralized. For example, Coinbase is the digital asset broker facilitating the exchange of Bitcoin. They are headquartered in San Francisco, where they manage the trading, software, and support of the exchange. Therefore, claiming Blockchain is decentralized is not completely true.

Myth or Fact? Blockchain eliminates transaction fees

The adage “there is no such thing as a free lunch” applies for Blockchain. The Blockchain’s flagship Bitcoin is not free. To purchase Bitcoin, one would need to engage a brokerage firm such as Coinbase. The brokerage firms charge a transaction fee when purchasing Bitcoin. Exchange rate arbitrage results in additional “fees” when trading Bitcoin. Blockchain applications require someone (aka “wallet providers”) to build and support the software intelligence. The building and maintenance of the Blockchain applications require people to be involved who wish to get paid for their work. Someone must pay the piper.

Myth or Fact? Blockchain will turn the banking industry on its head

Whether you are a fan of our current banking system or felt that the bailouts were frivolous, the banking industry is going to change with Blockchain technology. Yet, the banks need to look at Bitcoin and Blockchain separately. Many of the traditional banks are keeping a vigilant eye on Bitcoin and researching how Blockchain can be used. Large banks can leverage Blockchain technology internally to become more efficient and ultimately to reduce the fees they charge merchants and consumers. For example, the banks could collaborate to replace the traditional ACH (automated clearing house) with Blockchain technology. Reducing bank fees and improving efficiency will lessen the attraction of the Bitcoin movement. The big unknown is how regulators will respond to Bitcoin.

Myth or Fact? Blockchain will replace the internet and other platforms

If robots replace humans, then who is going to make the robots? A Blockchain application will need to use the internet to communicate. Therefore, without the internet, Blockchain developers have no means to communicate or transact. Claims that Blockchain will supplant Uber and Lyft by allowing people to directly interact for ride sharing are far-fetched. The ride-sharing companies’ value-add is the interface and software application for matching drivers and riders. The need to support a software application for requesting a ride doesn’t disappear with Blockchain. However, the ride-sharing companies may decide to change the architecture of their applications to a distributed Blockchain architecture.

Myth or Fact? Blockchain will completely transform other industries

Blockchain is a more likely candidate in industries where friction exists. Friction exists where “the man in the middle” is taking a large portion of the fees. Friction exists where there are numerous parties involved in a simple transaction, causing delays. Imagine a platform where music is exchanged directly between the artists and consumers with Blockchain technology? Imagine buying property where the purchase agreements are authorized by the title company, bank, agents, attorneys, sellers and buyers simultaneously?

In sum, Blockchain technology will help certain industries become more efficient while it will transform others. The reality is, Blockchain technology will be a nice complement to existing platforms and the internet. While the distributed nature of Blockchain technology has security benefits, the scalability of the Blockchain remains an unanswered question.



Robotic Process Automation: What Is RPA Really?


Remember the movie Wall-E? Wall-E is instantly loveable as an innocent and hard-working robot who just wants a friend. Arguably the cutest protagonist ever, he ends up saving planet Earth and all the humans who have no idea they need to be saved.

However, cute as he may be, he does not distract from the chilling depiction of future humans — big, fat blobs practically glued to hovering chairs who rarely look away from the floating screens in front of their faces.

It is a little eerie to see what could happen once technology progresses to a point where humans are rendered completely useless. Self-driving cars, automated customer service representatives… And let us not forget actual robots — such as the ones at Amazon that fulfill orders — are becoming more common.

“Robotic Process Automation” (RPA) is one of the latest crazes that claims to revolutionize the way companies operate, with promises to slash companies’ overhead costs while instantly increasing efficiency. RPA uses technology as a substitute for human behavior within an organization’s business processes, or more simply a “robot” that can do a human’s job. It sure sounds cool, but after further digging, unfortunately, it is unworthy of all the hype.

RPA’s roots can be traced back to Business Process Management (BPM) software. Originating about twenty years ago, BPM’s focus was to improve and optimize a company’s business processes. BPM software companies essentially were classified into two groups:

  • A larger group focused on the business process in its entirety with the intent to optimize, standardize and streamline it from beginning to end.
  • A smaller group looked to differentiate themselves by automating business processes using technology to cut out the human element.

Unfortunately for the smaller group, their innovation did not catch on. They could not compete, and were gobbled up by the larger companies.

Why did BPM automation fail? One would think most companies would jump at the chance to replace a human with a robot, instantly cutting overhead costs and increasing efficiency. Truth is, the automation was nothing more than software that recorded an employee’s clicks and keystrokes as they performed a task in their system and then mimicked those clicks when prompted.

Now, we look at RPA. Is it new? Is it different? No. The software vendor Blue Prism invented the term Robotic Process Automation recently with the intent to eliminate the need for Business Process Outsourcing (BPO). However, all they really did was slap a new name on the same old BPM automation to make it sound innovative and new.

What RPA Is…

  • “Software robot” that mimics clicks within a system
  • Automation of repetitive tasks
  • Set of rules applied to a business process

What RPA Is Not…

  • A physical robot that actively completes a series of tasks
  • A revolutionary way to cut overhead costs and increase efficiency
  • Smart enough to use human reasoning to determine patterns and analyze data

RPA in Business

It is not to say that automation does not have its place in a business. For example:

  • Interactive Voice Response Systems (IVRS), aka most companies’ customer service help desk automated recording
  • Optical Character Recognition (OCR) for converting scanned docs into editable data within a system
  • Amazon’s physical warehouse robots used to fulfill orders

Think about a company’s back-office functions: accounts payable, accounts receivable, quality and claims, accounting, etc. Based on what RPA really is, can a robot actually perform the tasks required by those functions? Consider the accounts payable (AP) process. An invoice comes in, must be matched to the purchase order and goods receipt document, and then it can be entered/posted as a transaction that hits the accounting books. It seems easy enough to automate unless you have seen an AP clerk actually perform this task.

Back-office functions cannot be fully automated, because exceptions are common and mistakes made on the front-end would be missed.

There is the rare but perfect scenario where a company makes a purchase and receives the exact items and quantities they purchased with no shortages or damages. But wait, there’s more. When the company receives the invoice, the vendor has billed for exactly what was purchased and received, and even the taxes were calculated correctly.

But let’s get real. Typically, goods are received in partial or multiple shipments and differences in price and quantity are frequent. Not to mention all the rules that apply when calculating tax depending on how a company plans to use a product, who and where they purchase from, where they ship the product, etc. Also, do not discount the fact that a lot of back-office employees often catch mistakes made on the front-end. Bottom line: if business processes were always executed in their perfect scenario, they probably could be automated easily. But in reality it would be too complex and therefore pointless to mechanize functions with various exceptions and one-off scenarios.

As for a company’s business processes, rather than trying to automate them, spend the time to evaluate why each step is necessary. If a process is so repetitive, easy and mindless, why would it take a significant amount of time to complete? Is there a better way? A good rule of thumb is to always evaluate the business process first before adding or implementing any sort of technology. Just because a company could pay for a robot to do a task, why should they if the task is stupid in the first place?

Despite all the articles and rumors flying around that robots are the new humans, have no fear. Even if a robot could do your job, it is unlikely that you would be completely replaced. Fortunately, the prophecy of future humans as shown in Wall-E is not something to lose sleep over just yet.


This article has been adapted from a chapter from Trenegy’s book: Jar(gone)

Trenegy is a non-traditional consulting firm, dedicated to helping companies evaluate the efficiencies of their business processes and integrate time-saving automations when practical. Find out more: info@trenegy.com

What is Enterprise Risk Management – and Do You Need It?


When risk threatens a company, it does so holistically. Much like the anaconda, which swallows its prey whole, risk doesn’t waste time with a nibble here and a nibble there. It devours a business.

Just ask Saudi Aramco. When they were hacked in 2012, Aramco was forced to halt all computer-related activities. In an instant, the trillion-dollar company started doing business at the speed of paper. For any other company, this would have been certain bankruptcy. Arguably the most valuable company in the world, Aramco was able to recover, but it took five months.

Or ask Wells Fargo. The company was fined nearly $200 million in 2016 when deceptive sales practices resulted in employees creating accounts without customer permission.

A cyber-attack affects much more than the IT department. False sales affect much more than the sales department, and misleading balance sheets affect much more than the finance department. Just ask Enron.

Risk Management is an area where company executives often struggle with the question: “How good (or great) do we need to be at managing our risks? Do we need a professional level Enterprise Risk Management (ERM) program in place, or do we just need to buy corporate insurance and hope for the best?” For most companies, the answer is somewhere in between.

So what is ERM?

Enterprise Risk Management (ERM) is a strategic discipline in which the full range of risks is managed in a unified governance program. Sounds sophisticated, so let’s dissect the words…

  • Strategic discipline means the program is important enough to say, “If we do not do this, the company will fail.” For example, a strategic discipline of most department stores is great customer service. If a high-end store provides poor customer service, people will stop forking over hundreds of dollars for a shirt, and the store will lose customers.
  • Full range of risks means every risk in the entire company. Company leadership will shake the organization down from top to bottom and identify all risks. This is a difficult task. Which risks must be addressed and which ones can be sustained?
  • Unified governance program uses a team of employees to govern the management of risks. This program includes processes for tracking how well each part of the company is managing, mitigating, and controlling each of the individual risks. For example, a department store manager may be required to report back to an “ERM Group” on the store’s ERM compliance. The ERM report would include compliance and actions taken to mitigate and control employee turnover, loss prevention, parking accidents, fraud, weather, building maintenance, safety, and customer service risks.

ERM Culture

Basically, ERM is a big deal, and implementation requires discipline, time, and collaboration.

ERM is not for every company. Very few companies have adopted a full ERM program as defined above. ERM requires a complete culture shift in an organization: every major decision involves a structured thought process for assessing risks and potential outcomes against the enterprise risks. ERM can hamper the entrepreneurial spirit in a company and significantly slow decision-making. Therefore, before considering stepping into the ERM world, consider how it will impact the culture of the organization.

Companies should remember one of the main purposes of ERM: to create value for the company and its stakeholders by identifying and responding to risks, either negative or positive (opportunities).


COSO Framework

Companies seeking to establish an ERM program have the opportunity to choose from a variety of frameworks to help structure the implementation. One of the most prevalent is the COSO ERM framework. Following the Enron scandal and the Sarbanes-Oxley Act, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published Enterprise Risk Management – Integrated Framework. COSO ERM was an expansion of the previously published COSO Internal Control – Integrated Framework. The COSO ERM framework was designed to be used by businesses to help define the strategy, identify and manage risks, and ensure attainment of their goals.

The COSO framework is highly regarded as the most all-encompassing ERM framework. The most recent framework to be published was the RIMS Risk Maturity Model (RMM) for Enterprise Risk Management, which was developed by Steven Minsky. This framework focuses on the key areas of efficient and continuous enterprise risk management. The bottom line is, organizations should tread lightly into the ERM implementation process and consider the costs and benefits associated with an ERM program.


This article has been adapted from a chapter from the author’s book: Jar(gone)

Trenegy helps companies design and implement internal controls frameworks to mitigate risk from both inside and outside of the organization. Whether you recently became a public company and need a controls framework built from scratch or are trying to maintain a stable control framework in a volatile market, our focus is on providing your organization deliverables and strategies that can be used long after we are gone. Find out more at info@trenegy.com

3 Cost-Effective Ways to Improve Field Customer Service


Oilfield services companies that survived the downturn did so by cutting costs and lowering the price of services to retain customers. With oil prices on the rise and stability returning to the industry, oilfield service companies must remain competitive to regain the revenue lost during the downturn.

Producers are demanding more from service providers. The increased producer demands include improved information, consistency and responsiveness.

  1. Information

Capturing and measuring customer feedback is key to continuing to provide the highest level of service. The following steps can be taken to collect and measure customer reviews:

  • Define key satisfaction metrics, such as overall service experience and likelihood of returning for repeat business.
  • Determine how to consistently capture the established metrics. Consider presenting measures to the customer upon service completion.
  • Drive home the notion that feedback should be captured by field personnel for every customer, every time.

Once quality metrics are established, service organizations should set clear guidelines and assign responsibility for documenting customer feedback. Any deviation from standard processes will cause the data collected to be unclear. Perform regular analysis on customer feedback. Analyzing the data is arguably the most important step to identifying trends, areas for improvement and new service opportunities.

The final step is to set expectations for acting on the feedback received. Regional and niche service providers have the clear advantage here – they tend to be more flexible and work harder to improve the service they provide in order to compete with industry giants. Allowing the business to see how customers view the services they were provided encourages all levels within the business, from management to field hands, to take ownership in remediating negative feedback.

  2. Consistency

Service organizations should have a single point of contact as the face of the company throughout the customer experience. Lacking a single source of contact leads to heightened customer frustration. Multiple rounds of relaying the same information before connecting with the appropriate individual does not earn a positive customer service rating. Providing a designated account manager helps to create a hassle-free customer experience.

Many field service companies experience customer dissatisfaction after receiving an invoice with surprise or incorrect charges. A field services organization found the clear majority of disputed invoices were attributed to pricing inaccuracies. The company underwent a standardization initiative to set contract terms, pricing agreements, and customer guarantees up front, before work is performed. This initiative resulted in a significant decrease in the number of disputed invoices received and improved collections. This standardization also improved the SOX controls environment and reduced external auditor fees.

Another method to boost customer ratings is striving to deliver the highest quality service. Producers who have a negative service experience are likely to spread the word, resulting in a bad reputation in the market. Incentivize employees with direct customer interaction to maintain service quality. Include these employees in feedback review sessions to help enforce accountability for service delivery.

  3. Responsiveness

Producer complaints often point to inadequate or late communication. Get ahead of the curve and train your organization to communicate all updates – big and small – to the customer. Updates may include service delays, crew and equipment changes, or additional service needs. In this arena, over-communication is always the best solution.

Consider employing a platform business model to keep producers connected to critical data, such as contact information, quotes, field tickets and invoices. A west Texas drilling company utilizes a platform of this nature, which serves as a customer self-service portal giving both parties access to shared data. With a self-service option, customers can log in to retrieve real-time job and billing information, which limits the time service providers spend addressing basic customer inquiries. Being transparent and sharing information improves producer confidence in the service provider.

Don’t settle for the status quo – differentiate as an oilfield service provider. Act on customer feedback, reduce the number of dissatisfied customers, and maintain connectivity with existing customers.


Trenegy is a non-traditional consulting firm proven to help companies manage changes in processes, systems, and controls – no matter the economic environment. Find out more at info@trenegy.com.


The Gig Economy: Gigster Impact on Corporations


On Mondays and Fridays, Beth drives for Uber, picking up and dropping off traveling professionals at the airport. On Tuesdays and Wednesdays, she meets with some professionals (whom she met through Sortfolio) at a coffee shop to discuss her design recommendations for their new websites. If she feels like it, she can do someone a Favor by picking up a coffee and delivering it down the street. On Thursdays and Saturdays, she hangs picture frames and assembles IKEA furniture through TaskRabbit (now, IKEA) – or she just hangs out with her kids. Beth does not have a full-time job. Is Beth lazy? Is she uneducated? Maybe, or maybe she has just chosen a different lifestyle – a more flexible approach to work.

What is it?

The Gig Economy, or the Sharing Economy, is an economy comprised of short-term, temporary work contracts or freelance work. The gig economy’s “gigsters” perform a specific task and leave. The gig economy is commonly misconstrued as a way for workers with a full-time job to make extra money, but that is not always the case. Uber, Postmates, Favor, and TaskRabbit are platform companies known for building their businesses on the gig economy. Many of the contract workers on these platforms hold various contract-based jobs across various platforms. A recent study by the Brookings Institution shows the gig economy is growing faster than traditional payroll employment, with freelancers currently making up 34% of the workforce. The gig workforce is made up of more than just pay-per-service workers; many technical professionals, including lawyers, accountants, and engineers, are participating in the gig economy.

Why is it growing?

The continued advancement of technology will drive the expansion of the gig economy, as companies and individual workers are able to easily connect over platforms. With the growth of technology-based education, individuals can easily access specialized training to become experts in various industries, business processes or subject matters. Platform businesses are leveraging technology to connect specialized white-collar professionals with large corporations. Companies are looking for people who have the targeted experience the company can use to solve specific problems. Designers, marketing staff, and IT specialists are common roles that can be filled on a freelance basis.

Millennials prefer flexible schedules that allow them to fully experience life, travel and family. Having seen their Baby Boomer parents trade family and life experience for a paycheck, most millennials are opting for seemingly less rigid opportunities. Traditional career advancement came in the form of a promotion, which meant more responsibility and money. The gig economy offers advancement by leveraging online learning opportunities and turning knowledge into immediate cash: the more knowledge and “stars” a freelancer earns on the platform, the more money they make. Flexibility is winning, and the rigid career ladder is not worth the trouble.

How can it benefit my company?

Even large companies can benefit from leveraging the gig economy. Platforms give companies access to a larger talent pool to provide targeted expertise. For example, a talented tax professional is hired as a full-time employee. The tax professional may spend four hours per week providing the high-value expertise the company needs. To fill his work week, the remainder of the tax professional’s job includes more mundane paperwork. The tax professional commands a high salary regardless of what other work he is assigned. The result: the company is paying more, and the tax professional is bored with the mundane work. Fast forward to the gig economy… The company hires a less skilled administrator for half the salary to handle the mundane tax paperwork and crowdsources a freelance tax professional when needed. The freelance tax professional may charge double for his four hours per week, and he can leverage his experience across several companies, increasing his flexibility and his return. Both the company and the tax professional win.

Is the gig economy a fad or a real trend?

By 2020, 50% of workers will participate in the gig economy. With technology continuing to improve, companies that ignore the gig economy may not be as competitive in the fight for talent. Companies should understand the unique value the core workforce and the gigsters each bring to the organization. The core workforce sustains competitive leadership and culture in the company, while freelancers bring specialized knowledge when it is needed. Balancing both groups of workers is important for companies to capitalize on the opportunities provided by the gig economy.


Trenegy is a non-traditional consulting firm dedicated to helping industry professionals take advantage of the changes and trends in the economy. We translate business jargon into useful terms and solutions that actually benefit your company. Find out more: info@trenegy.com and jargone.trenegy.com.

Energy: The Continued Race to IPO and the Hurdles to Clear


Earlier this year, many Oil and Gas companies were racing to IPO in an effort to capitalize on the crude oil price rise. Companies were looking to raise cash to complete two major objectives:

  1. Eliminate debt caused by the downturn
  2. Expand assets to increase capacity for the upturn

These companies made a strong strategic move to grow and mitigate the growing debt and competition risk. However, with change come new compliance risks which must be mitigated. Public companies face a new compliance burden around Internal Controls over Financial Reporting (ICFR). Most companies have a few years to prepare for these burdensome audits, thanks mostly to SOX 404(c) and a 2007 PCAOB interpretive release; however, management is still required to self-certify the effectiveness of their internal controls. SOX 404 is something many companies put off, forcing their CFO to certify that ICFR are in place without any genuine confidence. With recent oil price volatility, Oil and Gas companies need to be prepared for sudden price hikes that could push their public float, assets, and/or revenue over the SOX 404(c) threshold, requiring an ICFR external audit. Companies can mitigate the SOX 404 burden by understanding their internal control risks and ensuring the new controls do not slow down efficiency.

Prior to an IPO, Oil and Gas companies must understand what SOX 404 specifically means for them. An IPO is not the time to be blindly confident in ICFR, but rather a chance to uncover and address potential weaknesses. Here’s what companies need to know to help identify and mitigate their control risks:

No more auditor safety net – O&G Companies that still lean on their auditors to uncover deficiencies could get hit with an ICFR deficiency. Per COSO 2013, public companies are now responsible for their own internal control risk assessments and proactive monitoring of control effectiveness. More simply, companies are now responsible for their own asset cycle counts, inventory counts, account reconciliations, controls, etc. How can a company take control without their auditors? Perform a COSO 2013 Risk Assessment to map out their controls matrix and identify their areas of risk.

Covering more than the activity-level controls – Activity-level controls are often the controls that every CFO thinks he/she has covered. From a process standpoint, this is often true. However, the key difference between private and public processes is the documentation required to demonstrate that controls are in place. Leverage the risk assessment to map out all the key controls in process flows. Each key control needs documentation that can be tested to confirm that it operates successfully. Examples of documentation include written approvals, meeting minutes, system audit trails, and email chains. Pick what makes the most sense for your company and begin documenting.

Insufficient roles and responsibilities – Most private O&G companies run very lean on the compliance side and, therefore, have some omitted roles and responsibilities that need to be filled. Utilize the risk assessment to identify these areas early and to assign roles and responsibilities to experienced professionals. Take early steps toward ensuring a strong tone at the top and a sound governance structure.

Overlooking IT – IT is typically not a popular department for most private O&G companies, and is often overlooked in risk assessments. Focus on securing your financial systems. This means confirming a strong infrastructure is in place to prevent unauthorized data changes and documenting a segregation of duties matrix to ensure users cannot make any unauthorized transactions.
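A segregation of duties matrix is only useful if someone actually checks user access against it, both before a role is granted (a preventive control) and periodically afterwards (a detective control). The following is an added example, not code from the article or from Trenegy, of how such a check can be scripted over an export of user-to-role assignments. Every duty name, role name, conflict pair and user in it is constructed for illustration; a real matrix would come from the company's own risk assessment and ERP role catalog.

```python
"""Segregation-of-duties (SoD) conflict check over user-role assignments.

Added example; not code from the original article or from Trenegy.
All role names, duty names, conflict pairs and user assignments below are
constructed for illustration and are not taken from any real system.
"""
from itertools import combinations

# Constructed SoD matrix: pairs of duties one person must never hold together.
# Each pair is a typical financial-reporting conflict (e.g. creating a vendor
# and approving payments to it lets one person pay a fictitious supplier).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "post_journal"}),
    frozenset({"maintain_user_access", "approve_payment"}),
    frozenset({"record_receipt", "reconcile_bank"}),
}

# Constructed role-to-duty mapping, in the shape an ERP role catalog would give.
ROLE_DUTIES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "GL_ACCOUNTANT": {"enter_journal", "reconcile_bank"},
    "GL_CONTROLLER": {"post_journal"},
    "IT_SECURITY_ADMIN": {"maintain_user_access"},
    "CASHIER": {"record_receipt"},
}

# Constructed user-to-role assignments (what an access review would export).
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},        # can create a vendor and pay it
    "carol": {"GL_ACCOUNTANT", "CASHIER"},    # records cash and reconciles it
    "dave": {"IT_SECURITY_ADMIN"},
    "erin": {"IT_SECURITY_ADMIN", "AP_MANAGER"},
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by a user's roles; unknown roles grant nothing."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def find_sod_conflicts(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                       conflicts=SOD_CONFLICTS):
    """Detective control: return {user: sorted list of (duty_a, duty_b)} for every
    user whose combined roles grant a conflicting pair of duties.

    Users with no conflict are omitted, so an empty dict means the export is
    clean with respect to the matrix. Checking effective duties (not role names)
    also catches a single role that bundles two conflicting duties.
    """
    findings = {}
    for user, roles in sorted(user_roles.items()):
        duties = effective_duties(roles, role_duties)
        hits = [tuple(sorted(pair)) for pair in combinations(sorted(duties), 2)
                if frozenset(pair) in conflicts]
        if hits:
            findings[user] = sorted(hits)
    return findings


def conflicting_role_pairs(role_duties=ROLE_DUTIES, conflicts=SOD_CONFLICTS):
    """Preventive control: list role combinations that must never be granted
    together, so provisioning can block the request instead of a later review
    having to find it.
    """
    pairs = []
    for r1, r2 in combinations(sorted(role_duties), 2):
        d1, d2 = role_duties[r1], role_duties[r2]
        if any(frozenset({a, b}) in conflicts for a in d1 for b in d2):
            pairs.append((r1, r2))
    return pairs


if __name__ == "__main__":
    for user, hits in find_sod_conflicts().items():
        for a, b in hits:
            print(f"SoD conflict: {user} holds both '{a}' and '{b}'")
    print("Role pairs to block at provisioning:", conflicting_role_pairs())
```

Running the script flags bob, carol and erin and lists the four role pairs that should be blocked at provisioning. The key design choice is to evaluate conflicts on effective duties rather than on role names: roles get renamed and restructured, while the duty-level matrix is what the risk assessment actually approved, and the same matrix then drives both the preventive and the detective check.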

Spending time on the above tasks will go a long way toward making a company’s transition to being a public company smooth and less burdensome.

Implementing the COSO 2013 framework to support proper ICFR can be a time-consuming process and can quickly get out of hand if the wrong approach is taken. Here are some best practices when rolling out ICFR for SOX 404:

Control Design

  1. Leverage the Risk Assessment’s key risks when deciding where to design internal controls.
  2. Each key risk should have controls that are both prevention and detection controls. Relying too heavily on one over the other can cause greater risks.
  3. Define the key processes and map out each key control so that the team will better understand the whole process, ensuring efficiently designed controls.
  4. Ensure that all controls are designed with an expected output or evidence that can be tested.
  5. Quality over Quantity is the most important factor when developing a controls framework.

Control Operation

  1. Training, Tone at the Top, procedural documents, process flows, and narratives all help to certify each control has strong operational effectiveness.
  2. Assign Control owners and have them confirm whether they performed their control each month.

The above best practices will ensure a properly developed controls framework that will not over-complicate or hinder process efficiency. As oil prices continue to stabilize, we should see more and more O&G companies IPO in an effort to reduce debt accumulated over the last 2-3 years. The companies that IPO need to understand the ensuing compliance risks and mitigate those risks in the most efficient way.

Trenegy is a non-traditional consulting firm experienced in designing, implementing, and testing successful controls frameworks. Learn how implementing internal controls can be smooth and straightforward. Find out more: info@trenegy.com