Defining Operational Excellence in Energy

Many energy companies are responding to the low price of oil by cutting costs and focusing on operational excellence. While this sounds good, the term “operational excellence” is translated many different ways.

BusinessDictionary.com defines operational excellence as “a philosophy of the workplace where problem solving, teamwork, and leadership results in the ongoing improvement in an organization. The process involves focusing on the customers’ needs, keeping the employees positive and empowered, and continually improving the current activities in the workplace.”

Huh?

There is confusion over the true meaning of attaining operational excellence in the energy industry. A quick look at the top five energy companies’ web sites reveals significant inconsistencies in the definition.

So what does it mean? And, more importantly, why is operational excellence important?

Trenegy defines operational excellence as: Aligning critical business processes, systems and organizational capabilities to focus the company on its core mission and outpace the competition.

This simple definition has a lot of hidden complexity. Executives typically have differing views on what outpacing the competition means. And most companies do not have processes in place to ensure continuous improvement. Worse, there is little data collected to measure and benchmark performance.

Attaining operational excellence is important to energy companies given the current economic outlook. A correctly implemented operational excellence program will allow a company to efficiently and effectively serve and retain customers with the desired margins.

Basically, continuously improving what makes an energy company money, until the organization is considered consistently the best.

So where should an energy company focus?

Energy companies can focus on continuous improvement in the following areas to achieve operational excellence:

  • Safety with a focus on injury free and incident free operations. Injury free operations ensure the welfare of employees and anyone else involved in daily operations. By involving these people in our business, we agree to send them home in as good or better shape than they arrived. Incident free operations ensure that those infrequent events that can have catastrophic results never happen.
  • Reliability such that operations are running when required. Companies that focus on built-in quality and maintenance will ensure reliability. Reliability is measured in uptime, the time business is operating toward what makes money.
  • Major Project Execution ensures a company’s growth. It is important to retool or build upon the business through major projects – but only if properly managed to drive financial returns. Successful project execution comprises selecting the right projects and executing flawlessly to plan.
  • Efficiency is doing what makes you money better, faster, and at a lower cost than your competition.

While it sounds easy to focus on safety, reliability, major project execution and efficiency, creating a successful operational excellence program is a bit like building a house, starting with safety as the foundation and ending with efficiency as the roof.

This article is the first in a series of articles that will clearly define operational excellence, explain the importance to energy companies, and identify the key components. The next four articles will explain how to build an effective operational excellence program, much like building a house. In the end, the house becomes an operational excellence management system which should keep a company safe and out of the storms of financial pain.

Trenegy helps organizations manage any element of the operational excellence spectrum using a proprietary methodology. Stay tuned for future articles on operational excellence.

Cybersecurity Compliance Q&A for the Board

Large-scale cybersecurity breaches have led to lawsuits against boards and executives, with the argument that security breakdowns should be considered a failure of members to uphold their fiduciary duties. There are no common guidelines for defining board-level cybersecurity compliance. Congress, the Department of Justice, the executive office and other regulatory bodies have all weighed in, creating confusion.

Boards can no longer ignore cybersecurity as a strategic discussion and should be aware of how companies are positioned to address critical risks. Not only is this a way to avoid personal liability, it is just good business.

How can the CIO or CISO properly interact with the board?

Details of day-to-day activities like software monitoring and firewall setup are important for the IT team and CIO to understand but that level of granularity is not necessary for the board. Because cybersecurity is directly tied to overall company strategy and business operations, the board should understand how cybersecurity failure could impact the business. A “death by PowerPoint” approach to communicating with the board is less than optimal. A discussion is better.

The CIO or CISO should encourage the board to ask questions!

Specifically, board members will ensure the right level of involvement by asking questions about how:

  • critical business processes could be affected by a breach,
  • well business and IT are prepared to respond during a breach, and
  • compliance can prevent a breach.

1. How critical business processes would be affected by a breach

Most companies have a mind-boggling number of systems that can be breached. It would take days for a well-informed board member to walk through a list of the systems with IT to determine if they are properly secured. The better approach is to realize that no matter how well IT secures systems, the company will be hacked. With this in mind, board members are better off asking the following questions to ensure critical business processes have been identified and prioritized.

  • How will our customers be impacted by a breach? Will a breach in our systems lead to a breach in a customer system?
  • How will critical operations be impacted by a breach? Is there an opportunity for a catastrophic situation?
  • How will our employees be impacted by a breach? Will critical private information be exposed?
  • How much intellectual property will we lose? Will we lose competitive advantage if our IP is exposed?

Answering these questions will ensure business and IT have a clear understanding of the critical business process areas that should be closely monitored for cybersecurity weaknesses.

This is the first step in fulfilling board fiduciary duties.

2. How well business and IT are prepared to respond during a breach

The second step in fulfilling board fiduciary duties is to ensure business and IT have a clear understanding of how to respond during an incident. A detailed discussion on the different tools and techniques leveraged during a breach would solve board level insomnia. Instead, the CIO or CISO should encourage the board to ask the following questions:

  • Do we have a cybersecurity response team comprised of both IT and business participants? Do they have clearly defined roles and responsibilities?
  • Has a cybersecurity response plan been developed and tested? Are there clearly defined checklists that can be used by the response team?
  • Does the response team understand how to use the response plan? Do team members have a plan for addressing unforeseen situations?
  • Is there an internal and external communications plan? Are there templates for specific communications based on what is breached?
  • When should the plug be pulled? When should all systems be shut down?
  • Is there a process for bringing the systems back on line?

While most board members may not understand the inevitable jargon some of the answers will contain, members need to be comfortable that a clear set of recovery guidelines has been developed, deployed and understood. Most importantly, the board should clearly understand when it needs to get involved.

3. How company compliance can prevent a breach

A cybersecurity breach is not the time to find out that basic compliance policies and procedures are not being followed. While IT is responsible for putting into place strong cybersecurity protection, business is accountable for compliance. Regardless of how well protected, all systems are a finger-tip click away from being breached.

The third step to ensuring the board’s cybersecurity fiduciary duties are properly fulfilled is asking questions about critical cybersecurity compliance components. These include:

  • Who owns cybersecurity? Is it internal audit?
  • Do employees clearly understand their role in cybersecurity compliance? Do they have the right training? Do they have the right reminders?
  • Does IT regularly test employee compliance? Does Internal Audit participate?
  • Is internal audit involved in testing the cybersecurity response plan?
  • Are there clear guidelines for how customers, suppliers, and employees access our systems? Is their compliance tested on a regular basis? Has legal counsel updated our contracts to ensure the appropriate cybersecurity breach liability clauses?

The answers to these questions will generate more. But most importantly, the board of directors will obtain a clear understanding of cybersecurity compliance awareness across the company.

The board’s responsibility is to ensure a company is properly prepared to operate efficiently and effectively. A cybersecurity breach can bring a company to a halt and expose all of senior management to significant personal liability. Boards that rely solely on IT to provide cybersecurity protection are open to significant risk. Asking the right questions about cybersecurity preparedness not only protects board members from liability, but helps ensure a company is prepared for the inevitable breach.

Trenegy helps companies develop and deploy realistic cybersecurity strategies with a focus on mitigating risk.

The Benefits of a Spinoff and What Makes It Work

Amid low oil prices and the subsequent struggle to maintain profitability, companies are looking for more drastic ways to cut costs. Specifically, lenders and analysts want to see companies reduce their general and administrative (G&A) expenses. One way to cut costs is to spin off unique assets.

The decision to spin off assets is complex and undertaken for reasons such as increasing profitability, refining product focus or complying with regulatory requirements. The latter, regulatory compliance, has induced many energy industry spinoffs resulting from mega mergers like Halliburton-Baker Hughes.

In order for a spinoff to be successful, the new company must have a clearly defined and differentiated offering, the right people in the right organizational structure and fit-for-purpose technology.

Delivery

In order for a parent company to spin off an efficient, high-functioning subsidiary, a clear product or service delineation must be present. Precise segregation provides the spinoff a singular focus on design and service delivery. For example, a company that produces pipeline and valves would have an easier time spinning off valve production in its entirety, rather than spinning off a company based on geographic location. The delineation comes from what drives complexity within an organization, and complexity is typically derived from the product offered and how it is delivered.

Similarly, an E&P company that operates both CO2 injection and high-pressure wells could potentially benefit from only spinning off their CO2 injection assets since operating CO2 wells requires a specific skill set and specialized technology. Spinning off would allow the company to eliminate entire systems and resources specific to CO2 activities. Spinning off unique assets allows both companies to focus on core functions with the intention of improving profitability, quality and service.

People

The spinoff’s executive team is charged with the task of maximizing productivity with the most efficient organizational structure. From the number of employees to which departments or functions will be outsourced, these decisions are often based on capacity and risk management. For example, it is less risky to outsource payroll services than industry-specific accounting functions due to the universal nature of payroll as opposed to the unique nature of land, joint interest billing and revenue accounting. Outsourcing considerations depend on which functions are unique to the business and which are universal across industries. Strategic functions aren’t good candidates for outsourcing.

Organizations spinning off from parent companies will go through several iterations of change, allowing visibility into which positions are necessary and which can be combined. Once the organizational structure is finalized, invest in relocation and executive search services to ensure quality candidates and efficient hiring. Though it’s tempting to allow some employees to split time between companies, it is important to assign employees to only one organization and be willing to let employees leave with the company that is spinning off.

There will be a transition period as two separate entities are formed. It is tempting to assign transition activities to employees of the former parent company, since they are knowledgeable regarding business functions and data. In our experience, it is better to include the new employees of the spinoff in the transition activities to familiarize them with new processes and help them become independent of the parent resources.

Technology

In most cases the spinoff will be a smaller, more focused operation, which will significantly change business processes and data collection. Major technology, especially the ERP system used by the parent company, will likely be too robust or too specific to the requirements of the parent company’s structure. It is important to analyze the current system and capabilities in order to assess other available options. Smaller, more financially feasible systems are available for companies with less data and simpler processes.

During the transition period, the spinoff will most likely be under a Transition Service Agreement (TSA) for use of the parent company’s technology until the spinoff can function on its own. Commonly, TSAs are more expensive than licensing a new ERP, so it is beneficial to implement a new ERP as quickly as possible. Help from the system provider and outside consultants, in addition to sufficient support from decision makers and internal resources, will ensure a smooth and successful implementation.

Smaller systems outside of the ERP should be thoroughly assessed and consolidated based on business requirements and system functionality. For example, rather than using a robust document storage system, a new spinoff can use an internal server to share files. Rationalize the specific operations systems to decide which ones can be eliminated. A recent spinoff client was able to eliminate 35% of its operational systems and reduce G&A dramatically. As a result, the parent company discontinued all licenses associated with the new company and reduced its own recurring costs.

Spinoffs provide an unusual opportunity for a fresh start. A spinoff is most successful when the assets being spun off are unique, when organizational structure and business processes are optimized for the new company, and when systems are purchased or configured to fit the new organization.

4 Ways to Improve Workplace Communication

Communication in general is hard. It’s even more difficult in the workplace because there are so many issues to navigate: multiple audiences, office politics, time constraints and employees who feel overwhelmed with meetings and emails.

Bad communication is not only frustrating; it wastes time. While comic, most employees have been involved in a call like this: A Conference Call in Real Life

Improving communication should be a priority for all employees, especially leadership. Communication is an essential leadership skill—executives set the standard for the rest of the organization.

Even incremental improvements in the following four areas will lead to better communication:

Listening

When the topic of communication comes up, the immediate connotation is speaking or writing. But relaying a message is only half the battle. The failure to listen is one of the biggest communication failures in the workplace.

Distraction-free listening is often more difficult than speaking or writing. So, how can we do a better job of complete communication?

Asking questions to ensure the intended message was received improves understanding and retention. Whether in a follow-up email, passing by someone’s office or in a meeting, provide a synthesis of what you heard and ask, “Did I get everything?” This is especially helpful after a lengthy conversation or meetings where both strategic and tactical decisions are made; when the discussion jumps from why to do something to how to do something, it’s critical not to miss tasks and deadlines. By summarizing the key points, the communicator can confirm or revise the accuracy of his understanding.

Technology

Technology has drastically improved the efficiency of modern communication. Unfortunately, it also provides more than a few distractions: from early versions of Minesweeper to ESPN apps, any spare second is easily consumed. While many of us consider ourselves effective multitaskers, we seldom think about the repercussions. A study by Stanford University researchers found that multitasking hinders your ability to pay attention, control your memory and switch to the next task at hand.

Technology not only distracts the user, but it can distract others around her (think of that person checking his fantasy lineup in your Monday morning meeting).

A quick solution to the technology distraction is to simply get rid of it during meetings. Set a rule and lead by example: everyone silences phones at the start of a meeting and puts them away. Or designate one person to take notes and send a summary after the meeting.

Time

Time is essential to communication in two ways:

  1. Timing. When communication takes place, and
  2. Duration. How long it takes to get the information across.

Communication in the workplace often lacks discipline in both aspects. In many companies, meetings without a clear purpose are considered the norm. The problem with agenda-less meetings is more than a lack of direction—they often run much longer than necessary.

To keep meetings focused and efficient:

  • Set an agenda with time commitments and send it out beforehand.
  • Ensure that necessary contributors will be there.
  • Set clear outcomes for the meeting and add them to the agenda.
  • Assign someone the role of timekeeper to help you stay on track.

Meetings aren’t the only place where time is a factor. Studies show that the average corporate email user receives 100+ emails a day and deletes half of them. Only CC people on emails when their input or approval is truly necessary.

Select the communication forum based on the audience and the message. If it is short, informative and can be clearly communicated, an email is efficient. However, if the message involves problem solving, background information or differences of opinion, a meeting might work better.

In either case, limit the audience to the necessary parties. Label emails as “Informative:” or “Action Requested:” to ensure proper responses. Before meetings, send background information and an agenda.

Preparing and planning meetings, presentations and even email can be time consuming. While it’s tempting not to prepare, the repercussions of poor communication aren’t worth the time saved on the front end. Take the lead in building good communication skills in your workplace.

The Three T’s of a Cybersafety Program

This article first appeared on Peter Purcell’s blog, Tech and the Business of Change at CIO.com.

The most effective safety programs are a result of employee awareness. The more aware, the less likely it is that employees will hurt themselves as they perform day-to-day activities in a dangerous environment. Effective cybersecurity strategies employ the same focus on end-user awareness. IT can only do so much without end users taking responsibility for how they access the Internet and respond to emails.

It is relatively easy to set up firewalls, update operating systems and deploy antivirus software. Unfortunately, there is little to stop an employee from clicking on an infected link or incorrectly responding to a phish or spoof without completely disconnecting end users from the Internet. Disconnecting from the Internet would bring business to a halt. IT has to work with business to plug the vulnerability gap caused by software “between the ears.” Cybersafety should have no less a focus than any other safety program.

There are three components to an effective worker safety program which can be directly applied to increase employee cybersafety awareness:

1. Training

All employees should have mandatory cybersafety training. Just as plant employees are taught to wear safety hats, shoes and glasses, end users should be taught about strong passwords, safe Internet use and detecting possible phishing or spoofing emails. IT is responsible for developing or acquiring relevant training materials and working with business to ensure training is deployed across the company.

Clearly communicating the importance of training is critical. While OSHA provides a strong external driver for safety training and compliance, there is really no equivalent body enforcing cybersafety. Key business leaders should kick off training sessions with clear emphasis on the importance of cybersafety compliance. Otherwise end users will ignore what is being covered in class by surfing websites they should be avoiding.

Keeping employees engaged throughout training is important. Duplicating the excitement of learning how to use an extinguisher to put out a real fire can be difficult. There are materials that create slot-machine-like flashing screens and annoying beeping sounds when a computer is infected with a virus or a phishing link is clicked. Allowing employees hands-on experience with these materials ensures the proper level of engagement.

2. Telling

Most plant breakrooms have a variety of safety posters on the walls. Entrances highlight how many days since the last reportable injury. Bathrooms have urine hydration charts to ensure employees know when they need to drink more water. Meetings start with a safety minute that covers a broad range of topics from fire alarm muster areas to brief descriptions of safety violations and subsequent consequences. These constant reminders and materials are intended to keep a high level of employee safety awareness.

IT should work with business to duplicate messaging and materials to keep a high level of cybersafety awareness. The marketing or human resources departments can help develop programs that can be shared across the company. Posters that carry messages such as “Don’t be a phool, don’t get phished” or that clearly show what a spoof email looks like should be liberally spread in break areas. IT could work with the Health, Safety and Environment (HSE) department to expand the safety minute to remind end users of cybersafety.

The most important repeated message is the simplest. If anyone has a question about a website, link or email, contact IT immediately. IT should work with the business to quickly address real or perceived lapses in cybersafety.

3. Testing

Employees will be more diligent about cybersafety if there is a perception of being monitored or tested. IT should develop a series of phish and spoof tests to determine compliance. Clearly communicate the results via emails which no one reads or by postings in break rooms. Increase compliance rates by creating competition between departments to see who has the lowest fail rates.

After the first two or three rounds of tests, companies who are heavily regulated may even start logging failures in HR employee files. Companies with significant liability associated with cybersecurity penetration should consider a direct impact on bonus or overall employee evaluation rankings.

Either way, employees should have a clear understanding they are being monitored and tested. Compliance will quickly follow in this situation.

IT may have difficulty convincing business that a cybersafety program should be treated the same as other HSE programs. However, the risk and liability associated with a cybersecurity breach is high. IT can work with legal counsel to clearly understand the impacts of HIPAA, FISMA, HR1770 and recent Justice Department rulings on a company’s liability associated with a cybersecurity breach. To be compliant, business and IT will have to work together to address the main weakness in any cybersafety program.

Corporate Compliance Gets Personal

In November 2015, the Department of Justice (DOJ) appointed Hui Chen as the new corporate compliance expert. As the DOJ increasingly creates new laws pertaining to proper business conduct and corporate compliance, Chen’s role is to provide transparent interpretations of these laws to company leadership. She will also provide guidance to the DOJ regarding the existence and effectiveness of any compliance program’s measures to “detect and prevent future wrongdoing.”

The recent increase in government oversight of compliance programs leaves Boards of Directors searching for best practices in fraud prevention. To mitigate company sentencing, organizations must establish a strong compliance program, ensure employee cooperation, and deploy proper testing of said compliance and cooperation.

Compliance Programs

The scrutiny of compliance programs has escalated. The DOJ seeks out well-designed programs that are applied throughout the organization and that actually work. What combination of tactics ensures an effective and well-designed program?

Compliance programs must use clear vernacular and be published in writing with easy company access. Upon clear written program establishment, organizations should conduct trainings to properly communicate and explain the documented program. Training hosted by compliance leaders with stature and respect elicits avid listeners prone to uphold program terms. Trained employees should then be liable and incentivized for maintaining lawful working practices.

Employee Cooperation

DOJ compliance oversight is taking a new focus on individuals, not solely on the programs themselves. Strong compliance programs with non-compliant employees are as useful as no compliance program at all.

How does a company measure employee cooperation? Both leadership and employees must ethically handle conflicts of interest within and outside the workspace.

Cooperation with government and corporate laws is inherent to employee cooperation. When an employee lives outside of deemed lawful conduct, they must accept reasonable punishment with intent to act lawfully going forward.

Testing and Mitigation

The testing of compliance programs and employee adherence to these programs is the final key to avoiding corporate punishment. Companies can ensure strong programs and employee cooperation through several methods: guiding principles, risk assessments, and hiring assessments.

Guiding principles are the overarching strategic principles guiding how the compliance program will be structured, governed and operated in the future. By documenting guiding principles, the business is able to easily maintain its purpose and objectives for the compliance program and the corporation as a whole. Often, change of leadership or processes leads to decisions and changes that are outside of the predetermined principles of the program. Guiding principles aid compliance programs in delivering ultimate value and impact and ensure that the program accommodates future state business requirements.

Risk assessments help an organization to identify highly regulated areas of the business. Processes and procedures should be documented for these highly regulated areas in an effort to identify high-risk departments or people. Risk assessments outline potential threats to an organization, the likelihood of the risk occurring, and a proper response to the risk. This provides the organization an opportunity to react quickly to opposing situations with little impact on the business. The Department of Justice monitors not only the breach of compliance programs, but the organization’s response and mitigation tactics. But how does an organization recognize a department or individual as high risk?

A human resources hiring assessment outlines hiring prerequisites and gives way to where higher risk roles exist departmentally. If an organization does not have stringent enough background checks or requirements prior to hiring an employee, this employee could be at risk for illegal behavior within the organization. This can also be viewed departmentally. A department manager that does not enforce a strict hiring practice with lawful employee requirements could evolve into a department staffed by high-risk individuals likely to break compliance program rules.

The Department of Justice has increased its enforcement and regulation of compliance programs. By implementing a strong compliance program, ensuring employee cooperation, and deploying proper testing and mitigation of these programs, organizations will be prepared and equipped for DOJ regulation.

Fundamentals of a Successful Project Manager

When it comes to planning for a major initiative, such as a merger integration or ERP implementation, a lot of time and effort goes into determining the proper project management methodology, defining team roles and responsibilities, creating and maintaining project plans, providing status updates to executives, etc. And rightfully so. All of these tools are necessary to see the initiative through to completion.

The project manager (PM), while often involved in planning, is ultimately responsible for successful execution. But no matter how carefully frameworks and plans are put together, when the starting gun goes off, a certain level of chaos is inevitable.

So how does a PM maintain control, ensure project success and maybe even retain his/her sanity? Focusing on the basics and establishing core fundamentals is a good place to start. Below are some suggestions, in no particular order, that have worked well for successful project managers.

(Author’s note: Some of the fundamentals listed have been proven to work. Others made the list assuming the inverse of what did not work most certainly should work. You get the point. Enjoy.)

Manage Your Time First

  • Be selfish about reserving time for performing your tasks. If you aren’t, you’ll find your team members will be more than happy to consume your calendar.
  • Learn the signs of stress and figure out a couple of ways you best relieve it. Then do it. Is it running? Go for a run. You think you don’t have time, but you’ll actually get more accomplished if you manage stress and stay healthy.
  • Tackle the day’s most arduous task first. It will consume your thoughts all day if you don’t.

Maximize Your Day

  • Mornings can be the most useful. Take advantage of the calm before the day’s storm to catch up, organize your thoughts and plan for the day.
  • Prepare to miss lunch. Keep a stash of granola bars, yogurt, or other snacks around to get you through a long day.
  • Come to terms with unread emails in your inbox. You know the priorities at any given time, thus prioritize reading and replying to emails accordingly. Get the rest from your team meetings – even if you have to endure hearing, “I sent you an email…”

Practice Good Managerial Skills

  • Get to know your team members. Understand their differences and what motivates them as individuals.
  • Give your team the necessary autonomy to take ownership of their roles and work streams. If a team member doesn’t step up to the plate, have a conversation about why. Likewise if a team member is taking on too much work or overstepping boundaries.
  • Solicit frequent feedback from key team members. Ask what’s working well and what isn’t. But it’s not enough to ask. Listen and make changes based on their responses.

Understand that the end of a project will be the most hectic. Remind your team of each project milestone that has been met. Keep a list of preferred food delivery vendors, and your corporate Amex, nearby at all times.

Good luck.

How to Revitalize the IT Steering Committee

This article first appeared on Peter Purcell’s blog, Tech and the Business of Change, on CIO.com.

Benjamin Franklin is quoted as saying: “Guests, like fish, begin to smell after three days.” It typically takes less than three meetings for the relationship between business and IT to suffer the same fate within an IT Steering Committee (ITSC). The euphoria of creating an ITSC with quotes heralding a time of new IT/business teamwork to support growth and change is quickly replaced by indifference and apathy.

Why is this? Why does the business quickly become disengaged from ITSC meetings? Unfortunately, the ITSC meetings quickly devolve, with the CIO doing most of the talking while participants are focused on answering emails or taking advantage of the time by napping. If this is how your meetings are going, it is time to reinvigorate the ITSC.

There are three simple activities to revamp the ITSC and renew the IT-business relationship:

1. Update the guiding principles.

This is a one-time exercise that helps reengage the business. Work as a team to develop or update guiding principles for how projects are identified, selected and prioritized. The guiding principles need to ensure clear, two-way communication so that IT is not just an “order taker.” IT needs to be able to ask why a project is necessary and make suggestions for alternative solutions that could be more cost effective. On the other hand, business needs to be in a position to turn down IT suggestions for implementing new, unproven technologies that may not add value. This helps keep both organizations from succumbing to the urge of chasing the newest, shiniest ball.

Additional principles around how to develop and approve IT operational budgets are also critical. While the CIO can take the first stab at updating the guiding principles, the ITSC members should provide input before final approval. This ensures buy-in from all participants.

The updated guiding principles should be clearly communicated across business and IT so there is no confusion when projects are identified, evaluated, approved, prioritized and executed.

2. Let business do most of the talking.

The key to maintaining the right level of interest and participation is to talk about major upcoming business initiatives and the possible impact on IT. Do not dive into technical solutions immediately! If an IT need is brought up, probe to determine how much research business has done to identify a solution. Focus on exhausting process or organizational solutions to solidify an IT need.

Once the IT need has been identified, create a combined business/IT team with responsibility to work through the requirements, system alternatives and recommendations before the next ITSC meeting. Create a realistic business case with a well thought out budget so the business lead can present the results of the team’s effort.

Going through this exercise as an ITSC helps prevent unnecessary IT spend. A new marketing and sales program may not require a multimillion-dollar CRM system. Something as simple as modifying existing reports could suffice.

3. Ditch the boring operational reports.

Be careful when it is IT’s turn to share. Nothing drives a business person on the ITSC to start emailing from their smart phone faster than a jaunt through a series of uptime reports. Adding a series of technical acronyms only makes it worse, pushing most to start thinking about lunch.

Instead, spend time sharing upcoming operational activities that could have an impact on business. Consider the audience and the metrics that are important to them. How does your activity impact those projects, decisions, timelines and budgets?

One example of a meaningful conversation is upcoming upgrades that could create operational system downtime. Work with the business to coordinate schedules to reduce the chances of major shutdowns. Upgrading the GL during the middle of year-end close is probably a bad idea.

Rejuvenating the ITSC is only slightly less difficult than getting rid of the stench of rotten fish. However, a smoothly functioning ITSC is critical to having IT and business work together as a team to support growth and change. Getting the two working together just takes a little elbow grease. Just remember to add bleach to get rid of the fish stench.

Making a List and Doing it Right: The Power of the Checklist

A checklist is often seen as a user’s guide that creates robotic employees, mindlessly carrying out tasks. That is wrong. A checklist is not a sign of weakness nor does it indicate a lack of expertise. A checklist is designed to act as a reference in high-risk situations requiring controls because no one is perfect 100% of the time.

A high-risk situation can occur in any process, from maintaining critical aircraft equipment to generating accurate financial statements. Failure in each could lead to catastrophic consequences. A checklist of critical policies could prevent an aircraft from crashing or income from being improperly reported on financial statements.

When designed and implemented correctly, a checklist can reduce errors in the workplace that range from minuscule to disastrous. Companies wishing to take advantage of checklists should follow in the footsteps of the aviation industry—one of the first industries to fully utilize the power of checklists.

Carefully consider audience, content and design when creating a checklist.

Consider the Audience

Designing an effective checklist requires a clear understanding of two things: end-to-end processes and all of the people involved in those processes. Understanding the end-to-end process is easy. Information can be gathered through basic observation and interviews. However, creating a checklist without direct input from the end users will miss steps and could end up being worse than ineffectual—it could actually create problems.

A pilot’s checklist that doesn’t include coordination with air traffic control, flight attendants and ground personnel would create chaos. The same is true of checklists that monitor high-risk business processes or a company’s internal controls.

Communication throughout the processes is key to developing a checklist that everyone will use. End-user training should not be the first time employees hear about new procedures.

Define the Right Level of Detail

The level of detail can quickly ground a checklist before it takes off. A checklist that is too vague or too detailed will either be misunderstood or overwhelming. A checklist needs to be both precise and simple. The right level of detail ensures repeatable success.

There are two basic types of checklists. The first is called a do-confirm. Once a task is complete, the user references the checklist to confirm that the steps were done as intended. In this scenario the user is acting upon experience and the checklist is a simple reminder. For example, a supervisor may review a process to ensure proper segregation of duties occurred before a journal entry was posted in the system.

The second type of checklist, read-do, is for rare or more critical events when steps may be unfamiliar and, if skipped, can be costly or harmful. Considering the criticality and familiarity of events will help organizations decide on the right type of checklist.

Personnel should be performing self-testing on a regular basis to support a robust internal controls environment. A COSO framework-based checklist can be used to ensure proper evaluation of internal controls.

Determine the Optimal Structure

The organization and structure of a checklist is critical. A good checklist will have 5-9 major points. If there are more than nine items, the list will seem too lengthy to use. If there are fewer than five points, the user may not have enough information.

The second key to mapping out a good checklist is locating and placing the pause points. This is the moment when users stop to reference the list, whether to confirm their recent actions or to see what steps are next. Deciding when and where to put the pause points is almost as critical as the content itself. If there are too many pause points, the checklist will not flow. If there are too few, the likelihood of missing steps will increase.

The aviation industry started a phenomenon when it championed checklists in the workplace. Pilots use checklists daily because they work and help prevent potential disasters. The same can be said for internal control checklists, as a misstatement or audit note may have significant negative impacts on the business. In extreme situations, this could include depressing stock prices or overhauling current management.