Don’t Avoid the Checkup – Embrace the New Lease Standard

How many times have we cancelled a dental checkup because we are too busy? Tooth pain reminds us to visit the dentist, and he says, “You should have come sooner…” The FASB issued a new lease standard, Leases (ASC 842), on February 25, 2016. Are you ready to move forward with implementing the new standard, or do you want to delay until the pain is felt?

The key provision of the new FASB lease standard is that lessees will recognize virtually all their leases on their balance sheet by recording a right-of-use asset and a lease liability. This includes operating leases, which were previously recorded off-balance sheet. The existing lease standard has been criticized for failing to meet the needs of users of financial statements, because it doesn’t always provide a faithful presentation of leasing transactions. The new standard proposes to provide for greater transparency in financial reporting. Companies that lease assets including real estate, manufacturing equipment, vehicles, airplanes and similar assets will be impacted.

Public company implementation dates for the new lease standard are fiscal years starting after December 15, 2018. Non-public companies must comply for fiscal years starting after December 15, 2019. Financial executives may look at the implementation dates and be inclined to focus on projects with more immediate due dates and address the new lease standards later. Financial executives can devote some time now to analyze the potential complexity of the implementation and the impact on company resources. The analysis can help a company decide when to move forward with the implementation process and avoid unnecessary financial reporting risks.

The AICPA recommends six steps to an effective implementation of the new lease standard:

  • Assigning an individual or a task force to take the lead on understanding and implementing the new standard;
  • Updating the list of all leases;
  • Deciding on a transition method;
  • Reviewing legal agreements and debt covenants;
  • Considering IT system needs;
  • Communicating with stakeholders.

At first glance, the six-step recommendation seems simple and manageable. Before we get too comfortable with its simplicity, let’s peel back the onion with a few questions. Do you have technical accounting staff available to spend quality time understanding the lease accounting guidance and determining how it impacts your company? Do you know of all your lease contracts and where they are located? Is your company public, and how do you determine whether to transition with the retrospective method (requires restatement of comparative periods in your financial statements) or the modified retrospective method (does not require restatement of comparative periods in your financial statements)? Do you have debt covenants or other legal agreements limiting debt levels or requiring approval prior to incurring additional debt? Do you utilize an IT system to manage your lease records, or do you use Excel or a similar process? Have you discussed the impact of the new leasing reporting standards with executive management, the board of directors, debt holders, or other stakeholders?

You may not have answers for all of the questions above, and as you move forward with the implementation of the lease standard, many more questions will arise. The implementation process will not be limited only to the accounting staff. Moving to the new reporting standards will be a company-wide initiative with communication and cooperation among several departments including treasury, legal, facilities management, purchasing, logistics, and fleet management, to name a few. Achieving success with the implementation requires developing a project plan that includes input from a wide range of functions, and it requires commitment from executive management.

Companies should look at the implementation as more than a compliance project and use the opportunity to create value for their company. Below are examples of opportunities for value that may be identified during the implementation process:

  • New avenues to improved communication among different departments within the company
  • Improvement of existing internal controls and processes, updates to related documentation, and communication of improvements and changes to affected parties
  • Selection of cost efficient IT solutions to track leases and to meet reporting requirements for the lease standard
  • Consolidation of lease vendors and negotiation of improved pricing
  • Termination or buy out of stale and unneeded operating leases

Companies have the opportunity to identify additional opportunities to achieve value beyond compliance. Challenging the organization to always be vigilant in identifying value-creating opportunities in all our daily tasks is critical for continuous improvement.

 

Trenegy helps companies to implement new accounting guidance and to identify opportunities for companies to create value through process, controls and system improvements.

The Accounting Rule You Need to Know Before Moving to the Cloud

There are a number of factors our clients consider when evaluating the purchase of cloud software.  The main factors for consideration often include: system performance, security, data access and of course, cost, specifically which costs must be expensed and which costs can be capitalized.

Due to the recent updates of standards for intangible asset accounting, the rules for which costs can be capitalized and expensed are no longer as clear-cut as they used to be. The presumption a company can capitalize costs incurred with software implementation activities no longer holds true under every circumstance, or type of contract, when it comes to cloud software.

At the beginning of 2016, the Financial Accounting Standards Board (FASB) threw an Adam Wainwright-style curve ball to companies which are evaluating or have purchased cloud computing software. You can read the full update to the Accounting Standards Codification (ASC) 350-40, Internal Use Software here.

However, the update created somewhat of a gray area around whether a cloud computing agreement represents a purchase of software or a purchase of services.

The update states that, depending upon the specific language of a cloud computing contract, the purchase costs may be viewed one of two ways:

  1. as the purchase of a software license
  2. as the purchase of a service

In order to be deemed as a purchase of a software license the cloud computing contract must explicitly denote the customer is paying for the transfer of a license required to operate the software.  Otherwise, the contract is viewed as a purchase of services.

If a contract is viewed as a purchase of services, then the costs must be accounted for like any other service contract, which means all costs must be expensed when the service is performed.  The only opportunity to capitalize these expenses on the balance sheet is to book the costs as a prepaid asset and amortize them as the prepaid (software) services are used.

Being forced to expense all costs associated with purchasing and implementing new software poses a significant hurdle to potential buyers of cloud computing software. If the contract is considered a purchase of services, then implementation costs related to the software – which can often times reach seven figures – must also be expensed. The potential for taking an immediate hit to the income statement for such a large dollar amount is more than enough to give many companies pause when evaluating cloud software.

As such, many cloud software providers have also taken steps to simplify the process by moving from software service subscription fees to offering contracts based on software licensing fees. An arrangement which includes a software license is considered “internal use software” and accounted for as an intangible asset. Under the internal use software designation, the typical expense vs. capitalization rules apply and companies are allowed to capitalize and then amortize implementation costs accordingly.

New Accounting Rules Cheat Sheet
With many cloud software vendors offering either a subscription-based or license-based contract, it is important for prospective buyers to understand the impact to the software’s total cost of ownership. In some cases, a subscription or service-based contract may have a lower total cost of ownership. Some clients may choose to go with the service contract to lower the total amount of cash going out the door, while other clients may choose to pay more for a license-based contract in order to absorb the costs on the P&L over time.

To avoid any surprises with accounting for cloud software costs, we advise our clients to obtain a clear understanding of the pricing model from every prospective cloud software vendor and to take a total cost of ownership approach when making any software decision.

Trenegy assists companies in selecting and implementing the right technology solutions. For additional information, please contact us at: info@trenegy.com.

 

Integrated Business Planning: Gimmick or the Go-To Method for Doing Business

Companies whose doors have been open for any longer than 5 minutes know teamwork is important. Each company has their own methods for maintaining communication and teamwork. Sales and Operations Planning, or S&OP, is a perfect example. S&OP is the process by which Sales and Operations work together to create one plan for a specific timeframe. Sales provides projected revenue, and Operations provides their expected production. It is a game of supply and demand and predicting equilibrium. The end product is a forecast that aligns with executives’ strategic objectives and serves as a performance measurement tool.

The inventor of S&OP, Oliver Wight, tells us there is a new concept which improves upon even the most tightly run S&OP organization. The process is Integrated Business Planning, or IBP. According to many skeptics, IBP is simply a marketing gimmick to re-brand S&OP. However, Wight confirms Integrated Business Planning was not introduced to announce the invention of a new process, but rather to reveal the considerable changes to an existing one. The focus of S&OP has shifted toward gaining a better understanding of external factors and aligning all internal functions, not just Sales and Operations.

In the new world of IBP, Sales, Operations, Logistics, HR, Finance, Marketing, and Pricing are all working toward the same goals. Some examples of the ways IBP improves upon S&OP include:

  • Stronger financial integration
  • Improved product & portfolio review
  • Addition of strategic plans and initiatives
  • Improved pricing decision-making
  • Enhanced scenario planning and risk visibility
  • Improved trust within the leadership team

IBP starts with implementing a process which works best for the company. If a company has been operating a run-of-the-mill S&OP process for twenty years, a change management plan to shift to IBP could be exactly what the company needs to take business to the next level. By making improvements to the traditional S&OP process, the company uses cross-functional data to make business decisions, sets targets together, and commits to achieving the strategic plan.

A potential benefit of IBP over traditional S&OP is the ability to develop trust with suppliers and customers by including the strategic pricing equation in the planning process. IBP allows companies, and in turn, their suppliers and customers, to depend on reliable pricing and available to promise (ATP) numbers. Trust can only be established when people deliver to expectations. Pricing is a key player in IBP, as are ATP dates. Price is the translation between units and dollars enabling a common language.

Still not sure about the difference between traditional S&OP and IBP? It would not be surprising if the term IBP faded away and the term S&OP remained, but regardless, the concepts of IBP are the new gold standard. Whether a company has employed traditional S&OP processes for decades or is starting from scratch, it is important to apply the latest model. Why settle for a thing of the past when the future is much brighter?

Companies investing in IBP will notice a behavioral shift. For potentially the first time, the entire company will be moving toward the same set of strategic objectives. Ultimately the company will be able to provide a higher level of customer service, improve lead times, increase profit, and enjoy a positive impact on the bottom line.

Trenegy has years of experience helping companies to achieve their goals through integrated business planning. Please contact us at info@trenegy.com for more information.

 

 

Cyber Hygiene – How to Clean Your Online Presence

In 2000, Chinese hackers began a 9-year hacking assault on telecommunication giant Nortel. The hackers used remote access and automated software to generate a large number of password guesses to eventually break the credentials of seven executive team members. The hackers successfully obtained critical reports, research and development materials, employee emails, and strategic information. Unfortunately, Nortel’s top executives neglected to secure their network and eventually declared bankruptcy in 2009. As Nortel disintegrated, Chinese telecom Huawei grew, with some speculating “Huawei’s rise was at the expense of Nortel.”

Nortel’s downfall raises awareness of the devastating consequences that are the result of a cyber-attack. However, there is a growing tendency to generalize cyber-attacks as simply “cyber-attacks,” leaving us numb to the term rather than educated. This makes all cyber-attacks seem like nebulous boogeymen. In fact, there are many different types, and taking these threats seriously is the first step in preventing them.

[Figure: types of cyber attacks]

Everyone must evaluate their online behavior and become hyper-vigilant about their cyber hygiene, the measures taken to ensure one’s “health” and safety online. Cyber hygiene begins now, with improving passwords, enabling two-factor authentication, installing anti-virus software, and routinely scrutinizing potential online threats (like the ones mentioned above).

Business leaders must invest time and money into their organization’s cybersecurity strategy by first training employees to maintain good cyber hygiene. Many executives and board members remain hesitant to spend millions on cybersecurity. However, cyber-criminals take $400 billion per year from companies, with much of that theft going undetected. Technological solutions are simply not enough to prevent a cyber-attack. Making employees aware of the threat is crucial.

Three things companies must do to immediately implement an adequate cyber hygiene program:

  1. Set tone at the top
    1. Executives are responsible for setting the company culture – when they support a cybersecurity initiative, the company follows
    2. A CEO who takes cyber security seriously will influence his or her employees to do the same
  2. Make cybersecurity a part of the office conversation
    1. Discuss cybersecurity measures regularly – learn from Nortel’s mistakes and make employees aware of the dangers
    2. Create a best practices document with instructions for changing passwords every 90 days, updating anti-virus software and other apps, protocols for downloading 3rd party apps on work computers, etc.
  3. Understand and limit access
    1. Know which employees have access to workstations and keep this information up-to-date (expired accounts are targets for hackers)
    2. Minimize attack exposure by limiting access to only those who need it

Personal cyber hygiene is equally important. Business and personal information are intertwined, and it is nearly impossible to untangle the spider web when a cyber-attack occurs. Many people manage their work and personal lives on the same smart device. Protecting one’s cell phone is just as important as protecting one’s work computer. It is essential to know what apps are on smart devices, what personal information they require before downloading, and what the potential risks are in having those apps. Scrutinizing emails for suspicious activity on phones and home computers is also important. Essentially, any cybersecurity strategy employed in the workplace carries into the home and impacts personal devices.

It is time to be more cautious on the internet. Technology has come a long way and the most reliable security guard for your information is you.

Kaizen or Just Bringing in Lunch?

Kaizen has been hailed as a quick ‘cure all’ for any ailing business problem. Companies like Toyota, Bacardi, and Nestle use Kaizen in their businesses. Yet for some companies, the go-to approach is to lock employees in a conference room with the hopes of arriving at a better solution before they are released. Is Kaizen the panacea it claims to be, or simply an excuse to bring in lunch?

In Japanese, “Kaizen” means “improvement.” Dissecting its Kanji reveals “change” (Kai) is “good” (Zen) – more or less. The Kaizen approach focuses on small improvements under the theory that over time, these small changes could result in massive benefits to a business.

The concept of “Kaizen” was first introduced during World War II under a United States program called “Training Within Industry,” or TWI. The TWI group encouraged small, incremental improvements over transformational changes. Eventually, W. Edwards Deming (the management consultant responsible for TWI) was recognized by the Emperor of Japan for introducing the concept of Kaizen to the Japanese workforce.

A typical Kaizen master leads the room through six steps, including:

  1. Establishing the reason for the workshop. Why are we here? What is the scope?
  2. Understanding the current “state.”
  3. Serving boxed lunch.
  4. Developing a future “state” vision.
  5. Creating a timeline and ownership for each step.
  6. Recognizing everyone’s participation with a ribbon

Kaizen is commonly used in manufacturing companies since the concept is an essential part of “lean manufacturing” and is associated with the Toyota Production System (TPS). The TPS is well-known for defining standards of eliminating waste in production and unnecessary stress in the workplace. However, any industry, any job function or process, can benefit from Kaizen.

Kaizen is most beneficial when:

  • It is seen as a proactive approach to identifying incremental improvements
  • There is a shared mentality that the current state can always be improved upon
  • Continuous improvement is embedded in company culture
  • It is supported by upper management
  • Employees have an outlet to submit Kaizen suggestions

The main drawback to a Kaizen event is “groupthink.” Basically our minds become influenced and confined to the ideas generated in a group. The loudest person in the room generally drives the conversation. The Harvard Business Review describes the benefits of convergence and divergence well: in a group session, individuals need some time to brainstorm ideas on their own before coming back to the larger group. Once the group is reunited the individual ideas are discussed and narrowed. The process continues until a solution is achieved. We find that when people feel they have a direct impact on company change, they are more likely to participate in and advocate change.

Because Kaizen is based on the idea of continuous improvement, it is most effective for small, incremental changes. Standardizing templates for Accounts Receivable or updating a work ticket are great challenges for Kaizen to address.

For more complex business problems or if “groupthink” becomes an issue, there is a different approach: the ACE Method. ACE (which stands for accelerate, collaborate, and execute) is a workshop that effectively finds solutions for anything from brainstorming a new company logo to a complete overhaul of the company’s bid to bill process.

Trenegy developed the ACE Method to address problems quickly. A typical workshop lasts about two weeks and a clear roadmap for action is developed in that time. To combat “groupthink,” ACE employs a trained moderator to reinforce that there are no bad ideas. Even a thought that seems unhelpful initially could spark a brilliant idea in another participant. ACE uses convergence and divergence, as the Harvard Business Review advises, to brainstorm ideas and improve upon them.

Think of Kaizen as a way to tackle the small issues and ACE as a way to tackle larger challenges, like mergers. Both methods have their advantages. And both are worth far more than just a free lunch!

A New Frontier: Securing the Internet of Things

The IoT is a new frontier. Projected to surpass 50 billion objects by 2020, with the potential to boost the global GDP by $142 trillion, the Internet of Things offers private consumers the ability to create app-controlled “smart homes” and offers businesses unprecedented access to real-time operational data monitoring, collection and analysis. With the rapidly-evolving, demand-driven industry of IoT devices, technologies are being introduced faster than they can be protected.

For individual consumers, IoT security breaches have the potential to violate privacy, steal personal information, and generally terrorize unsuspecting people by manipulating their home devices. On the industrial or business side of the IoT, the threat of a hack presents far more widespread consequences. Unsecured IoT devices present a perfect opportunity for hackers to wreak havoc by compromising operational and/or safety data being tracked by IoT devices, causing a Distributed Denial of Service (DDoS) incident for customers (like the October 2016 Internet Outage), and accessing, compromising, or ransoming financial systems and data by using connected IoT devices to infiltrate the corporate IT firewall. It is becoming increasingly clear to private consumers and businesses that more focus needs to be dedicated to securing the IoT.

  • Manufacturers and consumers have focused on “ease of use” over security – The vast majority of IoT devices are designed with “ease of use” as the first priority, which traditionally means security must take a back seat. In the name of “ease of use,” many of these devices do not require a username and password reset at the time of setup, relying instead on a manufacturer-provided default username and password. These devices will remain actively connected to the internet without additional credential input indefinitely. These default settings are about as secure as having no password at all.
  • IoT Devices often fall outside of the Corporate IT Cybersecurity Structure – IoT devices are typically categorized as Operational Technology and therefore, managed by Operations departments. They are often excluded from the corporate IT strategy. When employees connect unsecured IoT devices to company-provided workstations, they inadvertently provide a direct portal for hackers into a company’s secured IT environment.
  • Physical Security is often impractical – In traditional IT security, physical security is one of the basic tenets. IoT Devices may be spread all over the world, on oil rigs or remote sites, making isolation impossible. By nature, IoT devices are easily accessible, residing in common operational areas of businesses, or common living areas of homes.
  • There is currently no “McAfee” equivalent – The average internet user knows that it would be reckless to leave a computer vulnerable without the protection of anti-virus software. However, this type of software has yet to be developed for most IoT devices. This means that not only are most of these devices unprotected, but that they are also unmonitored. Devices could be hacked, and the end user would never know unless the hackers make their presence known. A potential solution would be for each manufacturer to develop security software for its own devices. But the IoT is made up of thousands of devices by thousands of manufacturers, and these companies do not have the expertise, nor the motivation, to develop this kind of software.

Inevitably, sufficient security measures will be developed, but these developments will take time. Until then, here are several ways consumers and companies can keep hackers at bay:

  • Set Strong Usernames and Passwords – The easiest way to secure IoT devices is to change from the factory default credentials to a strong, unique username and password. Some devices are difficult to change, and some offer no credential change functionality. If a device does not appear to offer a credential change option, contact the manufacturer to be sure. If in the market for a new IoT Device, the ability to change credentials should be a critical measure when choosing between products.
  • Bring IoT Devices under the responsibility of IT – While Operations will remain the primary end users of Industrial IoT Devices, the security of these devices must be included in the corporate IT cybersecurity structure. Whenever possible, bring IoT devices behind the corporate firewall and ensure that IT tracks and deploys any updates provided by device manufacturers.
  • Educate employees/users about IoT Security – As in general cybersecurity, the greatest defense against hacking is a well-educated user base. By informing employees/users about the threat of IoT hacks and how they can prevent them through proper device setup and use, companies can minimize the risk of a hack occurring.
  • Prioritize increased security features – End user demand will drive manufacturers to improve security features and software companies to develop an anti-virus program for IoT Devices. As long as consumers continue to purchase devices with no regard for their security, manufacturers will continue to produce status quo. If currently-owned devices offer insufficient or no security features, consider upgrading to newer, more secure options. Consumers should continue to voice their security concerns in the marketplace, and when in the market for new IoT devices treat cybersecurity as a top priority.
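
An added example, not part of the original article: a short Python audit of a device inventory against the measures listed above (factory-default credentials, placement behind the corporate firewall, IT tracking, and manufacturer updates). The CSV columns, the managed network range and the finding names are assumptions made for this illustration, and the inventory rows are constructed.

```python
import csv
import io
import ipaddress

# Assumption: address ranges that sit behind the corporate firewall.
MANAGED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed inventory export; column names are hypothetical.
INVENTORY_CSV = """\
device_id,ip,it_managed,default_credentials,can_change_credentials,installed_fw,latest_fw
cam-01,10.20.4.17,yes,no,yes,2.4.1,2.4.1
thermo-07,192.168.1.50,no,yes,yes,1.0.3,1.2.0
sensor-rig-3,203.0.113.25,no,yes,no,3.1,3.1
badge-02,10.20.9.8,yes,no,yes,5.0.9,5.0.10
"""


def parse_version(text):
    """Turn '5.0.10' into (5, 0, 10) so versions compare numerically.

    A plain string comparison would rank '5.0.9' above '5.0.10'.
    Trailing zeros are dropped so '3.1' and '3.1.0' compare equal.
    Returns None for a non-numeric scheme, which needs a manual check.
    """
    try:
        parts = [int(p) for p in (text or "").strip().split(".")]
    except ValueError:
        return None
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def behind_firewall(ip_text):
    """True if the address is inside a managed network, None if it is not an IP."""
    try:
        addr = ipaddress.ip_address((ip_text or "").strip())
    except ValueError:
        return None
    return any(addr in net for net in MANAGED_NETWORKS)


def audit_device(row):
    """Return the list of findings for one inventory row."""
    findings = []
    if row["default_credentials"] == "yes":
        findings.append("DEFAULT_CREDENTIALS")
        # No way to change credentials: a candidate for replacement.
        if row["can_change_credentials"] != "yes":
            findings.append("NO_CREDENTIAL_CHANGE")
    inside = behind_firewall(row["ip"])
    if inside is None:
        findings.append("BAD_ADDRESS")
    elif not inside:
        findings.append("OUTSIDE_FIREWALL")
    if row["it_managed"] != "yes":
        findings.append("NOT_IT_MANAGED")
    installed = parse_version(row["installed_fw"])
    latest = parse_version(row["latest_fw"])
    if installed is None or latest is None:
        findings.append("FIRMWARE_UNKNOWN")
    elif installed < latest:
        findings.append("FIRMWARE_BEHIND")
    return findings


def audit_inventory(csv_text):
    """Return {device_id: [finding, ...]} for every device with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row)
        if findings:
            report[row["device_id"]] = findings
    return report


if __name__ == "__main__":
    for device, findings in audit_inventory(INVENTORY_CSV).items():
        print(f"{device}: {', '.join(findings)}")
```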

As the technology community begins to unravel and understand the concept of protecting vast amounts of personal data, IoT users must remain vigilant about securing their own devices. Increasing dependence on internet-connected objects makes securing them a top priority. While alluring, the new frontier of the IoT could leave many people very vulnerable.

Making Connections: The Internet of Things

There is a lot of confusion surrounding the term “IoT.” It sounds like something from a Sci-Fi movie. However, the world has been consumed by the Internet of Things for quite some time. People carry it around in their pockets, wear it on their wrists, or use it each day to get work done. At its most basic level, the Internet of Things (or IoT) is simply a network of internet-connected objects capable of sending and receiving data. The Amazon Echo, FitBit, smart thermostats like NEST, smartphones, and laptops are a few easily recognizable examples.

The International Data Corporation estimates the IoT currently has 13 billion connected objects, and that number is projected to surpass 30 billion objects by 2020. This substantial growth suggests the IoT will drive major changes in every industry. Executives must understand why and how to use the IoT in order to maintain a competitive advantage.

Why use the Internet of Things

It is difficult to imagine a time when a person might require an internet-enabled toaster. Yet in 1990, a toaster became the “first” IoT device. This toaster was merely an experiment, but it highlights an important concept. Just because something can be connected to the internet does not mean it should be connected to the internet. Companies considering IoT opportunities should think first about the advantages connectivity provides.

There are two main reasons to invest in IoT:

  1. Monitor remotely
  2. Collect data in real-time

Smart sensors, the nucleus of IoT, allow users to monitor people, processes, and systems from anywhere in the world. For manufacturers seeking a better understanding of their supply chain, using the IoT makes a lot of sense. Sensors provide more accurate delivery estimates and real-time changes in inventory. This added visibility detects if shipments have been tampered with and mitigates damage risk. End-to-end data can be used to assess weaknesses, identify opportunities, and establish a more efficient supply chain.

How to use the Internet of Things

Data-driven devices give companies insight to processes and operations like never before. IoT allows users to extract enormous data sets and summarize them into actionable analytics. There are four distinct types of data analytics:

  1. Descriptive Analytics – What happened
  2. Diagnostic Analytics – Why it happened
  3. Predictive Analytics – What might happen in the future
  4. Prescriptive Analytics – What to do about what is happening

Companies use IoT data to lower maintenance costs, predict equipment failures, and improve business operations. B2C companies can better understand their target market by analyzing data collected from IoT devices used by their customers.

The Industrial Internet of Things (IIoT) allows manufacturing and energy companies to leverage big data to drive future action and business strategy. The IIoT is essentially the point where traditional information technology (IT) and operational technology (OT) come together. IIoT applications use smart sensors to track inventory (as supply chain managers do) and gather data on condition-based predictive maintenance. IIoT will have a significant effect on how Operational Excellence is defined and achieved in the next decade.

Implementing the Internet of Things

The Internet of Things will continue to revolutionize the way of doing business across every industry, but the transition will not be easy. Companies who choose to implement the IoT will face many challenges. They will encounter resistance to change from their own organization, their vendors and their clients. There will be obstacles to overcome from a security standpoint, including physical security and cyber-threat. The companies will need to be flexible as best practices, standards, and regulations evolve. Organization structures will change, processes will be re-designed, and budgets will be re-allocated to support the IoT. While there are advantages to adoption, companies should look to outside resources for assistance in change and implementation management.

How to Create a Cyber Security Culture

All companies continuously face cyber security threats from both inside and outside the organization. IT departments apply very basic defenses in order to reduce the chances and consequences of a data breach. Firewalls, operating system updates, secure connections, and spam filters are all standard, but they do not address the weakest and most fragile component of any cyber security strategy: people.

Morgan Stanley’s IT department is well known for implementing world-class cyber security protection. However, in a recent security breach, data from over 350,000 customers was stolen by an employee. The SEC found Morgan Stanley responsible, citing a failure to employ “written policies and procedures reasonably designed to protect customer data.” Creating a work culture centered around cyber safety is essential. Most companies understand that better training and executive involvement are key elements in promoting cyber safety awareness. But what about the not-so-obvious actions companies can take to promote this culture? Learn more about these approaches below:

Ensure the top sets the tone.

The only way to ingrain practices that support cyber security and lower the risk of cyber-threat is to start with embedding these principles in senior executives and management. This group is responsible for setting the company culture. Consider changing compensation and incentives to include cyber security compliance points. In addition, recent studies show a direct correlation between CEO approval ratings and cyber security risk assessments. The higher the CEO approval rating, the lower the cyber security risk, which analysts believe proves the theory that the happier employees are at the company, the less likely they are to cause a security breach. A company culture that fosters loyalty and happiness among employees will lessen the risk of an “inside job” in terms of hacking or using company data for malicious purposes. In addition, a CEO who takes cyber security seriously will influence his or her employees to do the same.

Get certified.

The ISO/IEC 27001 is the best-known standard for providing requirements to keep information assets secure. Companies are not required to implement these standards, but many companies are now choosing to take this extra step to get certified. Not only does it serve to outline standards for protecting the company, it also helps to reassure customers and business partners that their information is safe and protected. Leverage the certification to set a company-wide standard that is documented, followed, and backed by top level management. Hold trainings to ensure employees understand and follow the policies.

Create a cyber security scorecard.

The US Department of Defense is constantly under the threat of cyber-attacks. The cyber security scorecard is used as a way for the Secretary of Defense to better understand cyber security compliance and exposure. The scorecard assesses cyber security control across multiple areas: people, process, technology, facility and compliance. The purpose of the scorecard is to ensure organizations can effectively and regularly perform security assessments that highlight areas for improvement and gaps in cyber security policies. Once the gaps are detected, communicate them throughout the company and schedule trainings to specifically target and mitigate these issues.

Inventory and Protect All Networked Devices.

The technology that people wear and carry is often more powerful than they realize, so companies and employees should be aware of the associated risks. Because users rarely think about cyber security as it applies to their personal devices, they put the company in a vulnerable position to hackers when they default their devices to the least secure settings. Training around the risks is crucial to establish awareness. Publish company policies around what to do if a wearable device is stolen or put at risk and address them in employee onboarding. Put programs in place to educate employees on how a hack on their device could put the company in danger.

It is not a matter of “if” a company will get hacked, but “when.” Embedding cyber security, cyber safety, and cyber-threat awareness into an organization’s culture helps delay and minimize the impact of the inevitable. Trenegy helps companies create and implement customized strategies to reduce cyber security risks.

I Have Never Met a Perfect Person: Dealing with an Imperfect World

Standard economic theory is based on the assumption that people are perfectly rational.  In other words, people rationally weigh the costs, benefits and risks before making decisions.  But, except for my wife, I have never met a perfect person.  (I love you, honey.)

A new line of behavioral economists is proving that people make irrational decisions that are driven by biases that can be anticipated.  One such economist, Dan Ariely, summarizes this in his book Predictably Irrational:  The Hidden Forces That Shape Our Decisions:

(We assume) that we are rational… But, as the results presented in this book (and others) show, we are far less rational in our decision making… Our irrational behaviors are neither random nor senseless — they are systematic and predictable. We all make the same types of mistakes over and over, because of the basic wiring of our brains.

These irrational choices that humans make not only affect the economy, but infect every aspect of our lives.  As we studied the root causes of major business “black swan” events – from major oil spills to worldwide automotive recalls – we have identified several of these human factors that must be taken into consideration when designing your company’s operational excellence program.  Organizational structures, policies and procedures, and underlying technology tools must all recognize that humans are not always rational and build checks and balances that account for these human biases.

Groupthink

Groupthink occurs when the momentum of a group influences acceptance of a decision or course of action that may not have been reached by the individual members.  In groupthink, an individual may be hesitant to go against the group from fear of looking dumb in front of the crowd.  They may be thinking “the whole group seems so sure, so I must be wrong.”

In your company, traditional brainstorming exercises may be especially prone to the effects of groupthink.  That is one reason why Trenegy uses the ACE™ Methodology for meeting facilitation.  This approach alternates between convergence (group brainstorming) and divergence (outside party review) cycles to ensure the consequences of groupthink are mitigated.

Confirmation Bias

Confirmation bias is our tendency to view evidence presented to us through the lens of what we believe to be true.  Confirmation bias explains why the same economic data can be seen by the government in power to be good, while it is used by the opposing factions to prove the economy is bad.  Each group is seeing the evidence through their individual belief that their base position is correct.

Your company’s internal reporting can be easily influenced by confirmation bias.  If the definition of the data presented is not clearly understood, and how that information relates to the ultimate company strategy is not effectively outlined, people will tend to draw conclusions based on their own interpretations.  One way to mitigate confirmation bias is to seek out data that may contradict the popular beliefs in your organization and try to uncover why that is.  For example, if the conviction in your organization is that you are a safe work place, solely reporting lost time incidents may only be confirming that opinion (since those types of incidents are few and far between).  Conscious reporting of near miss events and first aid injuries may show that maybe you are not working as safely as you thought.

Normalization of Deviance

Normalization of deviance occurs when unacceptable practices become gradually more acceptable after the unacceptable behavior avoids negative consequences.  Some normalization of deviance is harmless.  The rise of “business casual” dress is a good example.  In the 1970s, President Carter called for thermostats to be raised to save energy during the energy crisis.  This led to business people leaving their ties and jackets at home.  When there were no repercussions from doing so, the acceptable dress for companies continued to drift toward what we now call “business casual.”

In some cases, though, normalization of deviance can have catastrophic results.  The original design parameters of the Space Shuttle’s Solid Rocket Booster O-Rings anticipated no blow-through of gases through the O-Ring.  But early in the Shuttle program some blow-through was observed after launches.  Although minor modifications were made to the design, over time some blow-through became acceptable to the Shuttle team.  In 1986, blow-through of gases through the Solid Rocket Booster O-Rings of the Challenger resulted in an explosion and the death of the crew on board.

The design of safety critical and reliability systems (organizational, procedural, or technological) must include barriers that prevent normalization of deviance from occurring.

Optimism Bias

Optimism bias is the tendency of humans to be overly optimistic and to develop a “this won’t happen to me” mentality.  Dan Ariely found that 95% of drivers believe they have above average driving skills (for those of you who are mathematically challenged, by definition only about half of all drivers can be above average).  This tendency can have undesirable effects.  People may put off diagnostic tests such as colonoscopies, or not wear a helmet because they believe they are unlikely to be in a motorcycle accident.

In companies, decision-making needs to guard against optimism bias.  This is particularly true in the Project Management process.   A pervasive tendency to think “this won’t happen to me” while planning projects contributes to 64% of energy mega projects going over budget, and 73% being delayed (according to a study by EY).   A robust risk identification and mitigation process can help fight this tendency to be overly optimistic.

Expectation Bias

Expectation bias occurs when we hear or see what we expect rather than what is actually happening.  Most of us have experienced this as kids (e.g., your sister was always “the good kid,” so when your mother saw the broken lamp she automatically assumed you broke it even though your sister did, and did not believe you when you told her so).

Although this example is harmless, expectation bias can have tragic consequences.   In the 2010 Macondo blowout in the Gulf of Mexico, the rig crews were told incorrectly that a critical test had passed successfully.  Because they believed the well was safely secured (even though it wasn’t), they failed to see the indicators of a blowout in the data they were receiving, contributing to a catastrophic blowout that took 11 lives and spilled five million barrels of oil.

When designing your company’s operational excellence programs, proper attention must be paid to these expected faults in the way our minds work.  For example, organizations must mitigate groupthink and confirmation bias by allowing cross-function interactions to occur.  Policies and procedures must guard against exceptions so that normalization of deviance does not set in.  A robust risk management process must force the organization to realize that, despite optimism bias, bad things can happen.   And technology must be in place to ensure the right information is driving decisions so that the organization is not blinded by expectation bias.

Trenegy helps companies successfully manage any aspect of their operational excellence program using proprietary methodologies tailored to our clients’ needs. We help our clients get value out of their new system quickly and relatively painlessly.  This is the fifth in a series of articles on operational excellence.