Program Summary

Getting Your Arms Around Risk and Your Hands on

The Levers of Control

EXECUTIVE FORUM LeadershipSeries Speaker
Robert Simons, Ph.D.
February 13, 2002
eforum@executiveforum.net

Dr. Robert Simons is a professor of business administration and is director of research at Harvard Business School. He is a business consultant and has served as an advisor to corporations on matters of organization structure, strategic planning, and control systems. He has testified as an expert witness before State Public Utility Commissions and in U.S. Federal Court. As an accountant, Simons worked as an auditor and consultant with Price Waterhouse before earning his Ph.D. from McGill University with a joint concentration in control and business policy. He has been published in academic journals such as the Strategic Management Journal, Accounting, rganizations and Society, Contemporary Accounting Research, and Accounting Research . He is also the author of the books Levers of Control: How Managers Use Innovative Control systems to Drive Strategic Renewal published by Harvard Business School Press in 1995 and Performance Measurement and Control Systems for Implementing Strategy, which was published by Prentice-Hall in 1999.

Introduction
It is easy to forget about risk when markets are growing and revenues are up, yet it is during these boom times that your business may be at its most vulnerable. Success, in other words, should make executives nervous because it has an uncanny way of setting companies up for trouble. Avoiding risks in business is Robert Simons specialty. He has worked as a consultant and advisor to companies wanting to minimize their risk, and as amassed an arsenal of knowledge that can help organizations reduce their chances of getting into trouble. In his presentation, he talks about the types of fatal errors most often made by business; one of which led to the demise of Enron. He describes different types of risk such as the breakdown in core operating, manufacturing, or process capabilities. Simons gives examples of how companies have gotten themselves into trouble and explains how you can avoid these same pitfalls. He describes the Risk Exposure Calculator that he developed, and how it can be used to measure your organization's vulnerabilities in the areas of growth, culture, and information management and how you can score your own organizations vulnerability to risk. In the second half of his presentation, Simon describes how risks can be managed using his "Levers of Control." These controls provide solutions 1

such as understanding your organization's vulnerabilities and making sure you have the right controls in place. He describes the importance of balance with an organization, the need for effective and thoughtful mission statements and the importance of setting boundaries that don't stifle employee creativity. He describes why it is important for management to provide the necessary resources for employees to perform their jobs, and the importance of establishing a business strategy and communicating it throughout the organization. He also explains how generating debate and communications can strengthen a business and reduce its risks. The Levers of Control Robert Simons, as an advisor to highly successful organizations, found some of these companies getting themselves into highly risky positions and many were in serious danger. The excesses of the 1990s only fed this as company after company chased growth very aggressively and then started to chase profitability. Simons said that he often saw individuals making decisions that led to disaster. As an example, Simons pointed out the failure of the Enron Corporation, which he said is probably the largest business event in his career. What he wanted the audience to take away from his presentation were two things: how to be alert to the dangers of risks and how to remedy situations where there is danger. He spent the first half of his presentation on how to identify risk and the second half discussing how organizational risk can be minimized. Simons showed an overhead that listed various organizations. On the left were listed ValueJet, Kidder Peabody, Barings Bank, and Enron. On the right were National Public Radio, Proctor & Gamble, and United Way. He said that all these companies got themselves into trouble as a result of not managing their risk. The difference is that the companies listed on the left were liquidated, and the companies on the right were able to survive. National Public Radio got into trouble by sharing donor lists with the Democratic National Party for fundraising purposes. Proctor & Gamble lost $150 million as a result of management not fully understanding what was going on inside the business. United Way's failure involved scandals related to spending and misuse of funds. All of these cases led to the demise of the senior management team. Fatal Errors There are often sub-themes in these stories such as errors of omission (e.g., National Public Radio not telling its members that they were sharing their donor lists) or commission (e.g., Barings Bank in which an individual trader made a decision that ultimately destroyed the organization); incomplete management information (e.g., Proctor & Gamble making big bets on derivatives and not knowing fully what they were up to); and inefficiencies and breakdowns (e.g., ValueJet after the crash in the Florida Everglades which damaged their credibility). Managers can take steps to ensure that their organization does not make headline news as a result of fatal errors dealing with risk. First, Simons said that organizations often get themselves into trouble as a result of lack of clarity around the strategy of the business. He

urged everyone to ask the following questions: is it clear how their organizations create customer value and how does their businesses differentiate products and services from their competitors? Many companies, Simons said, cannot easily answer these questions. If that is the case, the organization risk level rises because strategy not only determines what we are trying to do, but also what we are trying not to do. Different Types of Risk According to Simons, there are different types of risks within an organization. The first risk he described was risk found in operations that can result in a breakdown in a core operating, manufacturing, or process capability. This type of risk is what happened with ValueJet where a quality failure resulted in a crash. Simons used Fidelity Investments as another example of operational risk. Several years ago there was a system breakdown that prevented Fidelity from being able to report earnings for the end of the day. A junior person within the corporation got the idea to report earnings from the previous day thinking that no one would notice. People did notice and the resulting publicity jeopardized the organization's reputation and trust, which is crucial to success in the investment arena. "What are the choices in your business that could expose you to operations risk?" Simons asked. Simons then discussed risks associated with asset impairment. The risk of asset impairment is the deterioration in the value of an asset because of a reduction in the likelihood of receiving future cash flow from the asset. In other words, if an asset will not return future cash flow then the asset losses value. Examples of this on the public side include Mexico in 1994, Russia in 1995, and Argentina today. Enron falls into this category as well because what led to the death spiral of Enron was a write down of assets held in partnerships that were worthless. People did not see this coming, and as a result they lost confidence in the core business. Assets can also become impaired through intellectual property rights. Some of the most valuable companies in our economy today are not driven by physical assets, but are driven by intellectual, knowledge-based assets. Physical impairment is another type of risk to consider. These risks include catastrophes such as the September 11th attack on the World Trade Center and Pentagon. The terrorist attacks have caused many companies to rethink the type of backup facilities that are needed to ensure continuity in terms of catastrophic failure and breakdown. A fourth risk to consider is competitive risk. The concerns here are changes in the environment that could impair the business's ability to successfully create value and differentiate its products or services. Sources of competitive risk include potential new entrants to the market, buyers and customers, substitute products or services, suppliers of inputs and resources, and rivalry among existing competitors. Franchise Risk The most important risk, however, is franchise or reputation risk, because this is the one that leads to the death spiral. Franchise risk is important because it can result in the value of the entire business eroding due to a loss of confidence by critical constituents.

"What choices could expose your business to franchise risk?" Simons asked. The key to franchise risk is that it usually results in a breakdown from operations, asset impairment, or competitive risks described above. As an example, the breakdown in operations risk at ValueJet resulted in a franchise risk. The savings and loan crisis several years ago is an example of asset impairment risk resulting in consumers losing confidence in the industry in being able to protect their assets, which led to a run on the banks. Apple computer is an example of competitive risk. People are questioning whether Apple can sustain their business. As a result, most people are choosing the Windows platform. "In each of these cases, we see a death spiral that becomes very difficult to manage our way out of," Simons said. Risk Exposure Calculator The risk pressure points often come from individual actions. People make decisions everyday that can put an organization at risk. As a result, Simons developed what he calls the Risk Exposure Calculator that can help management assess their exposure to risk in the areas of growth, culture, and information management. Using a five-point scale for each pressure point (1 being low, 5 being high) managers are asked to rate their organization's growth in the areas of pressures for performance, rate of expansion, and inexperience of key employees. Under culture, they are to rank their organizations based on rewards for entrepreneurial risk taking, executive resistance to bad news, and level of internal competition. Under information management, they are to rank their organizations for transaction complexity and velocity, gaps in diagnostic performance measures, and degree of decentralization decision-making. The paradox in risk is not that a company is growing or is successful; rather it is the factors for growth when added together may add up to a collective and cumulative set of pressure points that might ultimately be destructive. It has been his experience that most high performing companies are almost always high-pressure environments with clear goals and expectations for performance. External pressures on these companies demand that they perform well. Demanding goals are set for management and management pay is typically linked to performance to ensure that management will respond with all their energy and enthusiasm. Sometimes these high-performance goals can work against a company. For example, wrong decisions are often made when managers are pressured to succeed at all cost. Simons illustrated his point by describing a successful company whose management falsified its accounting records to meet their bosses' expectations and the expectations of Wall Street, which resulted in more than $500 billion in over reporting. Rate of expansion is another risk of growth. Areas to be concerned with include the growing demand for products and services; increases in production volume; strained resources; inadequate infrastructure; and errors and breakdowns. Simons told how American Express tried to compete with MasterCard and Visa by launching the Optima Card. Unlike the American Express card, their Optima card customers were not required to pay off their monthly balances. The card

was successfully launched, but quickly ran into problems as a result of management's inexperience in managing long-term credit debt. As a result, American Express had to write off hundreds of millions in bad debt because they were not equipped to handle the debt collection issues associated with a payment plan system. The third pressure point having to do with growth is the inexperience of key employees. A fast growing company usually means bringing in a large number of new hires that may result in hiring employees that are not as experienced, that do not share the same values, and that may result in a lack of background checks being performed. To illustrate his point, Simons told the story of a Harvard graduate hired as a trader on the government-trading desk at Kidder Peabody. This man had no experience but was very convincing. He was also creative and was able to find a way to trade bonds that, at first, looked very profitable. The loophole that made him look successful, however, ultimately led to the destruction of the firm. Culture Pressure Point The first pressure point of culture is that individuals are rewarded for entrepreneurial risk-taking. The risks here are that management is focused on attracting creative people and motivating and rewarding them for new initiatives. The problem is that these creative employees are rewarded if they succeed, but it is usually the organization that must pick up the tab if there is a catastrophic loss. Executive resistance to bad news is the second pressure point of culture. Employees at Kidder knew that things were not as they seemed on the government-trading desk, but they were either beaten back or were let go from the organization when they raised their concerns regarding the Harvard trader that was hired. Signs of risk of executive resistance to bad news include early warning danger signs at lower levels, low tolerance for dissent, and the shoot the messenger syndrome. The third risk due to culture is the level of internal competition as a result of competition for bonuses and promotion, zero-sum game, private information, and gamble to increase short-term performance. Internal competition encourages employees to gamble with company assets to bolster short-term performance for their own reward. Information Management Risks The first steps in evaluating risks due to information management involve transaction complexity and velocity. In this area, management should be aware of high transaction volume and processing speed, complex transactions, and inadequate infrastructure. Using the Kidder Peabody example, the trading person they hired for the government-trading desk was able to convince management that the government was just a big, dumb customer and that allowed him to earn hundreds of millions of dollars through complex, high volume trading, Simons said. It took management a long time to catch on to his scheme, and by the time they did, it was too late.

The second step in evaluating information management risks involves understanding the gap in diagnostic performance measures. Managers should be asking themselves, if they have adequate risk indicators? Management should be keeping a close eye on their legacy systems and be concerned if there is a lack of system integration. The final step in evaluation information management risks is looking at the degree of decentralized decision-making. Innovative, fast moving, wellmanaged companies tend to decentralize decision making because they want their people to be close to the customer, and eliminate or minimize bureaucracy. The flip side is that this results in less oversight and it allows management to act with fewer rules, which increase the risk of someone doing something stupid. The question management should ask themselves is, "do your systems have the ability to aggregate risk exposure going forward?" Facing Temptation Simon described the problems associated with Enron and asked the following questions: "Why do people do these things? Would any of us make some of the mistakes that were made at Enron? Were the people at Enron evil?" What this comes down to is that everyone faces temptation in their lives. There are pressures placed on people for performance and there are opportunities. What often influences a person's decision is rationalization. "We have to convince ourselves that what we are doing is not really bad," he said, "because none of us want to wake up in the morning and look in the mirror and say, `I'm a bad person.'" The danger is being able to build a rationalization for our actions. The most common rationalization is that most people think they will never get caught. Another way people rationalize their actions is that they convince themselves that what they are doing isn't hurting anybody else, or they believe that everyone else is doing it. These are some of the ways people rationalize the performance pressures that are placed on them. Simons asked the audience to rate their own organizations using his Risk Exposure Calculator. Organizations scored between 35 and 45 points are considered to be in a danger zone, organization that scored between 21 and 34 point were labeled as being in a caution zone, and organizations that scored between 9 and 20 points were said to be in a safe zone. Those who scored their organization in the safety zone should be asking themselves if their organizations are taking enough risk. Companies that do not expose themselves to some risk may be placing themselves at risk as a result of not setting high enough standards for employee or company performance. Controls The most important points in examining an organization is asking yourself "Are you aware of your organizations' risks and do you have the right controls

in place?" To get a better handle on understanding an organization, Simon asked the following five questions that are based on his book the Levers of Control: 1. Have senior managers communicated the core values of the business in a way that people understand and embrace? 2. Have managers in your organization clearly identified the specific actions and behaviors that are off-limits? 3. Are diagnostic control systems adequate at monitoring critical performance variables? 4. Are control systems interactive and designed to stimulate learning? 5. Are you paying enough for traditional internal controls? Finding the Balance In the second half of his presentation, Simons focused on finding the balance between innovation and control. The pendulum, he believes, is clearly going to swing toward control and compliance as a result of the Enron disaster. As a result, it is going to be a challenge to find a way to march forward learning lessons around risk while at the same time recognizing that businesses need to keep growing, innovating, and experimenting, he said. The starting point is learning the basic tension between growth, profit, and control. Firms in the past have focused on growth with little talk about profit. Then there became a huge awakening that resulted in a shift to being profitable. "It is no accident that the Enron failure occurred during this time of heightened scrutiny of profitability," Simons said. "And this is why they have taken risks with company assets to create profit that is not sustainable." Simons predicts that organizations will now enter an era where the focus will be on controls. This is backwards, he said. Organizations should first build a control infrastructure. Once the infrastructure is in place, then management can push people hard on profits because the controls are in place as a safety net. After a business is making money it should then push people to grow the business. "It amazes me how many companies forget this very basic progression," he said. The Three Tensions How can an organization be innovative, meet customer needs, show continuous improvement, empower its employees, customize its products and services while at the same time have controls in place to keep things on track, have no surprises, and standardize its operations? There are three tensions that allow management to achieve this goal. The first is top down direction versus bottom up creativity that depicts senior management at the top and strategy implementation at the bottom. In this model, senior management is responsible for formulating strategy and passing that information down through the organization. It is the people close to the customer who are responsible for implementing it. Simons next showed Nordstrom's organization model, which is an inverted pyradmid. It depicts customers at the top, sales manager second from the

top, department managers third from the top, store managers, buyers and merchandise managers fourth from the top, and the board of directors at the bottom. With this model, everyone who creates value for the organization is at the top and everyone below is there to support those above. Strategy often comes from people close to the marketplace. At Intel, for example, one doesn't have to go back many years to remember that it was a commodity producer of computer memory products. Over time they migrated to a focus on high coprocessor products. This happened as a result of junior engineers and middle managers making choices to maximize value. Those actions, over time, led to continuing experimentation that resulted in initiatives that could not be stopped. The solution is that we need to figure out how we can do both top down direction while utilizing bottom up creativity. Opportunity vs Time The second tension is unlimited opportunity versus limited attention. Simons believes that there are unlimited opportunities for businesses today and that it is important for them to make wise decisions and not try to tackle every opportunity that arises. The scarce resource is management time and attention. The third tension has to do with people and self-interest versus the desire to contribute. Organizations go to great lengths to find great people who want to contribute and make a difference, but once hired, these newly hired employees are placed under enormous pressure to perform, and employees who do not meet management expectations are terminated. Performance pressures within an organizations should be examined. Are the resources that employees need to achieve their goals being given to them? Is management asking them to perform so many tasks simultaneously that it is difficult for them to build momentum on critical projects? Does management make it risky to challenge the status quo? Removing Roadblocks If management can eliminate these roadblocks and let people rise to their potential, argues Simons, then there is almost no limit to what employees can achieve. To remove these roadblocks, Simon suggests using some of the techniques described in his book Levers of Control: How Managers Use Innovative Control Systems to Drive Strategic Renewal . The management control levers are a formal, information based system on how you build information around your business. It is also about how management can use this information, and how information is used to maintain or alter patterns. The first question is how does one create value for customers? The second question is how does one differentiate products and services from competitors. With those questions in mind, one should ask how well their organization does communicating core values to support that strategy. As a management team, it is important that the organization understand the risks inherent in that strategy and can communicate those risks clearly and

consistently within the organization. It is also important that management understands the critical performance variables, and monitors them appropriately. The final variable is monitoring the competitive environment to limit critical uncertainty. Laying a foundation is key to the success of the business strategy. In order for the business strategy to succeed, it is important to have in place transaction efficiencies and safeguards. For example, there should be checks and balances to ensure that assets are secure and the accounting records are accurate. Other internal controls such as structural, staffing, and system safeguards should also be in place. Structural safeguards address segregation of duties, levels of authorization, access to valuable assets, and the need of an independent internal audit of functions. Staff safeguards encompass ensuring that there is adequate expertise and training, sufficient resources, and that employees are rotated in key jobs. System safeguards should examine the completeness and accuracy of record keeping, the relevance and timeliness of reporting, the adequacy of documentation, and the restriction of access to information systems. Mission Statements Simons then turned his attention to some levers of control that are strategic such as mission statements. As an example of a good mission statement, Simons displayed the credo of Johnson & Johnson. This company has spent a great deal of time creating and modifying their mission statement. When Simons asked the president of the company why they invested so much time and effort into their mission statement, his response was "they invest as much as they do because we strongly believe that if we do this well we make more money." Johnson & Johnson has been at the top of the list in terms of financial returns in the tumultuous and competitive health care industry, and are always on Fortune magazine's short list for most admired companies. Johnson & Johnson has worked very hard to create pride and commitment. People who are proud of their organization work harder, are committed, and are more passionate. "Are you doing enough in your business to create pride?" Setting Boundries In developing a mission statement one should keep in mind that it is better to tell employees what they cannot do as opposed to telling them what they can do. Telling employees what they cannot do provides clear boundaries to behavior that is off limits while at the same time does not put limits on their entrepreneurial spirit, innovation, or creativity. This is one of the most important principles of management. Some other boundary setting systems to consider include a list of groups that an organization will not accept donations from, codes of business conduct, and codes of professional ethics. "If reputation is a key asset in your business, then you need to be very careful that you have got good codes of business conduct," Simons said, "If those codes of conduct are written correctly, its like the 10 Commandments. They don't tell people what to do, they tell people what not to do." Boundaries also need to be set for business

strategy. "If strategy involves choice, and if you really trust your people to be creative, tell them what we are not going to do," Simons said. Setting Strategy Automated Data Processing (ADP) is the largest payroll processing company in the country paying 25 to 30 million Americans every pay period. ADP sticks to a simple, one-page strategy that lists the businesses and opportunities they will not invest in. Their strategy states that they will not invest in any opportunity where they cannot be number one or number two within five years or will not generate 15 percent consistently on their investment or where they cannot standardize their products. ADP is a success story. It has the longest run of unbroken, double digit earnings per share increases of any company traded on any U.S. stock exchange, Simons said. The last time he checked, they were up to 176 quarters of double digit earnings per quarter. The choice ADP has made is between growth and profit. They are not as big as they could have been if they had pursued a different strategy, but they are very profitable and it is by not accident, Simons said.In addition to setting boundaries, it is also important to measure certain things such as the budget, profit plans, human resources, and inventory. Simons encourages people to set a target, measure periodically, and get variance information to correct shortfalls. Simons also encourages the use of the balanced score card for measuring financial, internal business, customer, and innovation and learning perspectives. Companies that need most to rely on control systems are those that are innovative and who are trying to bring new products to the market place like Johnson & Johnson. Conclusion How good a job has management done in getting commitment for the purpose of the organization? Simons asked in summation. Have enough resources been devoted to making people feel proud and committed to the business strategy? Has the company done as good a job in staking out the competition to limit their risks? And finally, does management have a plan in place to stimulate debate and dialog to help create learning for tomorrow? "Our job as managers is to communicate the core values and mission of the organization," Simons said. The following questions are designed to help you grasp and apply the lessons learned from Robert Simons presentation. Applications Points 1. Why is it important for people within your organization to be able to answer the following questions: How does my business create value for its customers? How does my business differentiate its products and services form its competitors? 2. What choices could expose your business to operations, asset impairment, competitive, and franchise risks? 3. What would your organizations numerical risk value be using Simons' Risk

10

Exposure Calculator? 4. What risks are your organization facing in the areas of growth, culture, and information management and how can these risks be managed? 5. What can you do to control the risks within your organization? 6. Why are the five questions based on the Levers of Control important in analyzing your company's risk? (Hint: the five questions deal with core values, behaviors that are off-limits, critical performance variables, learning, and internal controls.) 7. Why is it important for your company credo or mission statement to provide inspiration and direction? 8. What are the four major elements of the balanced scorecard and why are they important to the success of your organization?

11