Once a year, you go to the doctor. You get an EKG and some other tests; the doc listens to your heart, peers into your throat, and tells you to lose weight, and you go home with a general feeling of well-being.
Why don’t you do the same thing for your company? Public companies have Sarbanes-Oxley anti-fraud law, utilities have SCADA (supervisory control and data acquisition), nonprofits often have requirements to meet to maintain eligibility for positive ratings. While small and medium-sized businesses — and especially startups — do not labor under onerous audit requirements, they should still be building an annual risk assessment into business plans.
Here are some areas all businesses should review annually, either through internal processes or with outside assistance. You can’t fix what you don’t know about. And it’s those things that will — always — hurt you.
Policies and procedures. All departments may have them, but the big three are information technology, human resources, and finance. Every year, your business changes — in big and small ways — but policies and procedures seem to live forever. Not always in a good way. Usually in a big, dusty book on the top shelf somewhere. To be effective, they need to adapt as your business evolves. This is especially true of technology where every new system, software, or online service has the potential to affect existing procedures. Are your policies keeping up with business changes? Do procedures line up with the operational environment?
Access. Best practice is to give the lowest possible access for an employee to do his job. But over time, well-thought-out access often becomes a gerrymandered mess. How? Here’s a common scenario: Someone goes on vacation and a backup person is given additional access so he can fill in. When the staffer returns, the additional authorities given to the backup are rarely removed. Advanced systems can give authorities for a specific function during specific time ranges, but for many businesses, maintaining authorities is a manual process that can be backstopped as part of the risk assessment.
Internal controls. The heart of secure and efficient financial operations, this is another place where small businesses and startups are often lax. It may be due to understaffing, or it may be a problem that grows organically over time as well-meaning employees pitch in to help and end up picking up tasks on a permanent basis. Certified fraud examiner and forensic accountant Kelly Wessel of Wessel Forensic Accounting says believing that your annual accountant review will catch fraud is a dangerous assumption (goo.gl/5SMwpJ). “It doesn’t and it is not designed to,” says Wessel, the former director of internal audit for Greenville Health System. “Internal controls protect a company from fraud. That is not what your accountant’s review of your books is designed to do.”
Think that’s not an issue for you? The Association of Certified Fraud Examiners says small businesses are at greater risk (goo.gl/As39hH) because they have a “significantly lower implementation rate of anti-fraud controls. … This gap in fraud prevention and detection coverage leaves small organizations extremely susceptible to frauds that can cause significant damage to their limited resources.”
BCP/DR. I write about business continuity planning and disaster recovery a lot so I’m not going to belabor the point. Do you have a plan for how to continue business or recover from a natural disaster (like a hurricane or tornado), an accident (toxic spill, major power outage), or a significant hack? (goo.gl/yPGr3L). Don’t worry. I’m afraid I know the answer. But consider this: Hurricane Matthew in October 2016 cost our state $64 million (goo.gl/NRjuyZ). As bad as that sounds, it dwarfs the estimated $10 billion in losses for businesses from North Carolina to Florida (goo.gl/TtD23n).
Employee management. Outsourcing of IT and HR is cost-effective, but the silos they create require more proactive intervention. When staff leave, more than payroll needs to be adjusted. IT has a significant role in making sure that access to company systems like email, customer relationship management, documents, or databases are removed immediately — even if they have left on good terms. Even promotions should involve an access review. IT and HR must work together on employee management. Reviewing those procedures should be part of your risk assessment. Former employees with access to company resources represent a potentially significant security risk. Ask yourself if you are absolutely certain that the last employee to leave your company no longer has access to any of your systems, data, or services.
Social media. Who set up your Facebook account? Or Twitter? Or Instagram? Social media platforms are social systems evolved into marketing and communication platforms for businesses and brands. But at their core, they still revolve around individuals. So the nice marketing staffer who set up your Facebook account may still be the administrator. Recently, I’ve had clients who lost control of their social media accounts because no one currently on staff was an admin. Whoever set up your account is the owner, NOT you. Access to those accounts should be reviewed on a regular basis to ensure they are current. Even if you aren’t using them today.
Employees. Want to know if a procedure is being followed? Just ask employees how they do something. Too often risk assessments/audits/annual reviews are clinical processes with lots of documents dropped off in a conference room and a group of serious-looking people poring over them. That is certainly an important part of the process, but not the end.
There is no substitute for walking around, seeing what people do, and talking to them about why they do it that way. Sometimes it’s a training issue, but sometimes they have found a better way. That’s something you may want to add to keep the policies and procedures vibrant and useful.