Category Archives: Program Management

Developing a five-part SAP ERM strategy

Organizations have faced an increasing number of challenges with internal processes and external supply chains in recent years, leading to a growing realization among companies that enterprise risk management (ERM) is a necessary business process in its own right. An organization should develop a sound SAP ERM structure using five key elements in the SAP solution suite, including SAP GRC and SAP Business Suite applications.

Examples of supply chain risk over the last five years can be found everywhere. The 2011 tsunami in Japan wreaked havoc on automotive companies worldwide, many of which depended on vendors in that country. Disney left Bangladesh as a contract manufacturing base after a factory fire, and later a devastating building collapse, which Disney blamed on the government of Bangladesh for lack of regulatory oversight.

Image courtesy of University of California

At the same time, companies are giving more attention to ensuring correct transfer of internal funds internationally (known as SWIFT accounts) to meet increasing financial auditing requirements. Corporate and institutional governance boards are also taking greater steps to reduce the potential for large-scale fraud and low-probability, high-impact risks, also known as “fat tail” or “black swan” risks.

The Five Elements

SAP customers often get derailed on how to structure business process audits – such as financial audits – using the vast SAP Business Suite and GRC tools available to them. To make that happen, companies should consider five key elements to successfully build out a strong and cohesive ERM program.

To learn more about the Five Elements of an SAP ERM strategy, read my article in its entirety on



Filed under Audit and Oversight, Compliance, Financial Management, Operations, Program Management, Risk Management, Strategy, Supply Chain Management, Technology

Snowden Case Illustrates Gaps in Governance Policy

While the world watches Edward Snowden and his serendipitous travels and possible end game as he faces charges of US espionage at home, the security world has been asking the same question since the Guardian made its bombshell disclosures: How did this happen?

Photograph: The Guardian/AFP/Getty Images

Indeed, despite any personal views on whether Snowden is a whistle-blower, a spy, or a confused young man, one thing is certain. With a relatively low analyst role inside of the National Security Agency (NSA), Snowden had access to large data piles of sensitive information – both metadata as well as content data – on the US surveillance programs. While the deep content data was under the auspices of US government efforts to get a handle on thwarting terrorist attacks and cyber espionage from commercial and political entities, it illustrates what can happen when large organizations do not pay attention to those able to come and go from their own systems and what information they can see.

Commercial organizations have been dealing with this problem for the past two decades.  In the outsourcing shift of the late 1990s and early 2000s, American and other Western-based companies looked to offshore security, network administration, and call center services to countries with lower wage knowledge workers.  Countries like Brazil, India and China began to sprout data centers and call centers creating huge demand for trained and skilled tech workers.  While many of these workers used their positions to eventually emigrate to developed nations, many remained close to families and absorbed good-wage, local jobs with very exciting large, multinational corporations.

And that’s when the fun stopped. Once in, unless you have multi-tiered governance and access models over all systems users, these third-party offshore providers found there were ways to increase their value by siphoning off intellectual property (IP) for use with related home country industries. Granted, the vast majority of offshore information technology providers were of good repute and legitimate in their contracts and task execution. However, while working for a government contractor – a large multi-national subject to ITAR and other commercial export and technology transfer laws – the candy store was discovered not only open but unlocked.

It seems in their haste and desire to spin off a large offshore company that had been created for the purpose of taking care of their systems in a joint venture, headquarters personnel of this multinational corporation became aware of unusual logs in the use and view of certain key data files. These files related to the design and manufacture of product governed by commercial and government controls, and did not have anything to do with the core systems management processes the offshore company was now contracted to provide and maintain. In short, network administrators had such broad access based on the definition of their user profile they could essentially view, edit, delete and copy any product-related files. This led to a large discussion and renegotiation of the service level agreement between the multinational and offshore provider. Eventually a domestic systems management services provider was contracted to take on the network care over product and manufacturing data.

There will always be the Edward Snowdens of the world, who feel they must act on what they see or re-purpose information that is available to them. However, with greater governance and controls of information policy we can limit the availability of future Snowdens to have full visibility of information that is not on a need-to-know basis. We have the tools and methods available to put these governance policies in place. In both government and commercial sectors, responsible management is needed to do so.


Filed under Audit and Oversight, Big Data, Business Analytics, Cloud Readiness, Compliance, Global Trade, Information Technology, Marketing and Social Business, Mergers and Acquisitions, Operations, Program Management, Risk Management, Technology

SAP Inside Track: Align Risk Management Goals, Audits with Actions

This week I had the pleasure of attending and speaking at the joint SAP Inside Track Toronto and ASUG Ontario chapter meetings.  My presentation on the topic of Enterprise Risk Management (ERM) using the five key elements of SAP Business Suite – including a case study on internal audit management – attracted some attention.  The presentation is available now on Slideshare and will also be posted to the ASUG Ontario chapter event page.

I also took fourth in the annual “Canuck Hunt” contest at SAPPHIRE 2013.  Mark Richardson of the Ontario Chapter has a nice photo of me with my prizes orbiting in the twitterverse for reader amusement…  Thanks again Mark and the rest of the ASUG Ontario team for a great program.  See you all next week in Grand Rapids on June 27 for the ASUG Michigan chapter meeting!


Filed under Audit and Oversight, Business Analytics, Compliance, Enterprise Performance Management, Program Management, Risk Management, Strategy, Technology

Can Supply Chain Visibility Save Lives?

My recent SCN blog post “Focused Brand Management via Supply Chain Visibility” has received nearly 1,000 views since it was posted earlier in the month following my interview with Markus Rosemann, Head of Supply Chain Execution at SAP during the SAPPHIRE Orlando conference.  It is provided here as an abstract to create visibility in non-technical circles so we can all consider if increased supply chain visibility can detect issues before they occur. Or kill. 

Read the full article on SCN under the Business Trends topic for Sustainability and Supply Chain.

Rana Plaza collapse (image courtesy NY Times, Reuters)

In the wake of devastating tragedies in Bangladesh and Pakistan over the past 18 months, OEMs are developing action plans and mitigation strategies to avoid collateral brand damage associated with poorly run and often dangerously unsafe external contract manufacturers. During my recent podcast for the IXN (Episode IXN002 on iTunes) I was asked what is the top challenge facing global supply chains. My answer was terrifyingly predictive: brand management and the impact it has on brand sales when a horrific event happens overseas. Two weeks later, over 1,000 workers (mothers, fathers, sisters and brothers) lost their lives in the building collapse at the Rana Plaza factory in Bangladesh. While the death toll rose, Disney was one of the first brands to pull out of the country, and the EU developed a memorandum of understanding that many apparel and footwear manufacturers were voluntarily adopting.

This week at SAPPHIRE I sat down with Markus Rosemann, Head of Supply Chain Execution, LOB Solution Management, to discuss this problem. Given the actions of the previous several weeks, this issue is top of mind inside supply chain operations and risk management functions, so it was a familiar topic.

Integrated supply chain issues for brand management are a critical success factor because, as Rosemann put it, “you cannot lose on this front. How you integrate with your partners is a growing need, not only the process and order level (for example, who was manufacturing in Bangladesh and what percentage of your portfolio), but also the need for the supply network to create visibility.” While this has been an issue for years, the impact on brand management today creates a new need to track and trace supplier activity so companies can protect their brand.

Social and sentiment analysis can also play into that from a demand signal management perspective. Social plug-ins can see the sentiment analysis on brands, platform, and customer preferences. So what does this mean having a true voice of the customer in the wake of a horrific supplier event?  According to Rosemann, “that is finally changing, best margin is not the only driving force” in industries such as apparel and footwear. “This is an area that we see changing in the market place – demand patterns which are changing, and this can all be viewed inside real-time analytics. We see this as a huge opportunity to leverage the power of HANA, for massive data which can be analyzed and understood. From this, information can be pushed onto strategy, supply planning, and then sourced.  This is the real integration and opportunity for a real time supply chain.” I agree and none too soon.


Filed under Audit and Oversight, Big Data, Change Management and Leadership, Communication Planning, Compliance, Global Trade, Information Technology, Marketing and Social Business, Operations, Program Management, Risk Management, Strategy, Supply Chain Management, Sustainability, Technology

Minding the C-Suite Gap: Preliminary Results from CXO Study, Webinar Invitation

Preliminary findings of the CXO Engagement study conducted by Newport Consulting Group and the University of Oregon were released last week during the ISSP National Conference in Chicago. I highlight some of the key points from my exclusive article for Sustainable Industries Magazine. Join us June 13 at 1PM ET for a full briefing on the study findings; registration is now open.

As we begin to crunch the numbers for our findings of the CXO Engagement Study sponsored by Newport Consulting Group and University of Oregon’s Sustainability Leadership Program, we can now begin to take a step back and gauge where we thought sustainability was falling down inside organizations and what can be done to make sustainability strategies more strategic with the help of the right people inside of the C-suite.

Over 140 organizations responded to our survey which cut across a broad swath of roles, activities, intentions and experiences. Before I get too deep into the analytics, I’d like to offer a personal word of thanks to those of you who took the time and responded. We may yet invite you to serve as interview subjects as we probe a bit deeper into some of the findings and rationale. To our knowledge this is the first time any group or institution has tried to correlate CXO behavior with perceived sustainability performance. We understand and acknowledge we are treading into new waters, and we appreciate you being along for the swim.

First, the high level numbers. There was a predominance of C-suite participants with C-level and vice president titles (38%); directors and managers represented the middle reporting management levels (41%), and the remainder were staff, project team members and consultants (21%). Participant primary job functions were dispersed across a number of areas including management (27%), sustainability/CSR (21%), operations (11%), with areas such as finance, human resources and marketing all represented under 10% levels.

Based on our preliminary findings, we can make some high-level determinations as to what is happening. This will lead over the next several weeks into a clearer picture as to why these things are happening (or not happening) inside organizations.

You can review these trends in my exclusive article for Sustainable Industries Magazine. Join us June 13 at 1PM ET for a full briefing on the study findings; registration is now open.


Filed under Audit and Oversight, Change Management and Leadership, Communication Planning, Compliance, Marketing and Social Business, Millennial Worker Shift, Operations, Program Management, Risk Management, Strategy, Sustainability

SCOR 11 Goes Closed-loop with New Release, SAP Stays the Course

This week I completed a preliminary review of the new release of the Supply Chain Operations Reference (SCOR) model by the Supply Chain Council (SCC).  My findings are published in the full version of online magazine.  Some highlights:

  • The Level 2 process “Enable”, which was common across all Level 1 processes, is now promoted to Level 1 status.  This in effect creates a closed-loop model for the first time, similar to the Deming “Plan, Do, Check, Act” quality cycle.
  • SCOR 11 delineates certain best practices into specific areas of effectiveness.  This is very helpful for operational analysis and benchmarking using “level chart” and other similar techniques.
  • Best practice guidelines have been added to SCOR 11.

Major companies use the SCOR framework to ensure supply chain and operational consistency

SAP has long been a supporter in the area of adopting (and enabling) the SCOR framework for Supply Chain Performance Management, and has been the recipient of a Global Technology Advancement Award by the SCC in this area. SAP Solution Manager Stephanie Gruber says the SCOR framework is important for customer use inside their analytics environment to measure successful execution of business operations. “[Customers gain] complete visibility into supply chain performance, which complies with leading industry standards such as [SCOR] to define operational dependencies,” said Gruber.

Major customers such as Coca-Cola have leveraged SCPM as the key performance driver of their supply chain monitoring and management activities.  The new release of SCPM 2.0 also allows for integration into Risk Management (RM10) for comprehensive supply chain risk management tracking.

Read the full article here.  Thanks again to Stephanie for being available for comment.


Filed under Business Analytics, Compliance, Enterprise Performance Management, Global Trade, Information Technology, Operations, Program Management, Risk Management, Strategy, Supply Chain Management, Sustainability, Technology

Addressing New Conflict Minerals Requirements: Key Success Factors for Processes and Reporting

As part of our ongoing work with compliance software maker iPoint-Systems, we recently published interview findings of trends in various manufacturing industries around the Dodd-Frank Section 1502 “Conflict Minerals” provision. 2013 marks the first mandatory reporting period in the United States based on the Securities and Exchange Commission (SEC) final ruling in August, 2012. Our article looks at what some of the organizations are doing – and not doing – to ready themselves for new process and reporting activities.

As companies spent the recent year-end holidays closing their fiscal books and creating program budgets for new products and services into 2013, a small and seemingly obscure clause in one of the widest reaching financial reform acts in modern history has added concern and challenge to product manufacturers across industry segments.

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 contains a small but very important section addressing so-called “conflict minerals” – referred to as 3TGs (tin, tantalum, tungsten, and gold) – harvested from the Democratic Republic of Congo and surrounding countries. The people in these areas are experiencing war atrocities, human slavery, and other human rights violations cited by the United Nations.

As such, Section 1502 of the Dodd-Frank Act suggested that this issue requires an aggressive supply chain reporting mandate. The U.S. Securities and Exchange Commission (SEC) made final rulings on this provision in late August 2012, requiring any publicly traded company and their suppliers to “include a description of the measures it took to exercise due diligence on the conflict minerals’ source and chain of custody” and file a new SEC form SD beginning in 2014 for the 2013 calendar year. The initial reporting period for tracking compliance efforts begins in January, 2013.

Far-reaching Impacts

According to leading industry experts in the field, the effects of the conflict minerals provisions are extensive. “It’s not just whether you are a public company, in which case you for sure must report and show due diligence through your supply chain. Also, private companies and companies that are part of the US company’s supply chains will be affected, as the requirements are cascaded down the value chain. It has been suggested by the SEC that the number of companies that may contain trace elements of conflict minerals could be in excess of 280,000,” notes Thomas Bley, senior project manager for software maker iPoint-Systems and participant in a number of industry work groups.

One of the challenges that make conflict mineral compliance with Dodd-Frank so encompassing is the level of trace elements of 3TGs found in most electronics components, used in everything from computers to automobiles to household appliances. It is difficult for one company on its own to trace the flow of materials in raw form back to the component suppliers; however, Dodd-Frank requires even deeper due diligence to determine the actual location of the mineral smelter. Some organizations have stated publicly that obtaining declarations of conflict minerals to a level of only 40-60% is sufficient.

“That’s a risky proposition,” suggests Bley. “While there are no penalties for using conflict minerals in company products, the regulations require that a ‘reasonable country of origin inquiry’ is performed. Those companies that lag in this area risk being ‘named and shamed’ by the consumer public and nongovernmental organizations (NGOs),” creating a possible impact on brand reputation and sales.

You may read the full article on the Ethisphere website. Kind thanks to Thomas Bley, Katie Boehm, Andreas Schiffleitner and Stefan Lenssen for their support on this project. You may follow iPoint-Systems (@iPointWorld) and Ethisphere (@Ethisphere) on Twitter.


Filed under Audit and Oversight, Cloud Computing, Compliance, Global Trade, Information Technology, Operations, Procurement, Program Management, Risk Management, Supply Chain Management, Sustainability, Technology