The Role of the Business in Ensuring a Successful ERP Implementation

By Ronan O’Shea, Managing Director
Global ERP Solutions Practice Leader

As organizations implement new enterprise resource planning (ERP) systems as part of digitization, process improvement and platform modernization, it is becoming increasingly critical not just for IT, but also for the business units themselves, to understand their central role in the overall success of these initiatives. The implementation of an enterprise system, or any other major IT system, should never be viewed as just an IT project because, ultimately, it is a business project with business objectives.

Even when a project is supported by a strong system integrator, it is critical for business stakeholders to assume responsibility for key activities before, during and after the implementation. Failure to do so can lead to project delays, budget overruns, business disruption and low user adoption, among other things.

There are seven key responsibilities that businesses need to understand and accept in any successful system implementation. They are:

Program Management and Governance – Although most system integration firms provide project management capabilities, common gaps include oversight of internal business and IT resources, management of other vendors, and engagement with company leadership. Proper oversight requires a more robust approach, from the establishment of a project management office (PMO) structure and assignment of roles, to the establishment of a comprehensive program-wide plan and a “single source of truth” for program status.

Business Process Readiness and Solution Design – Systems integrators are usually technical experts, not business process experts. Businesses should define the vision and operational expectations of a new system with regard to each business process. Specifically, the business must ensure that the technical solution the system integrator proposes will satisfy the business process vision and future-state goals. To meet operational expectations, the business should design process models for the end-to-end future state of each business process that the new system will impact. This will help system integrators focus on blueprinting rather than designing future processes, which typically is not their core expertise.

Organizational Change Enablement – As the solution design is established, the organizational impact of system and process changes must be determined to ensure that the anticipated benefits are realized. Training alone is not sufficient. Ultimately, the goal is a change enablement plan that will raise awareness with key stakeholders, obtain their buy-in and ensure their commitment to support the changes and the performance improvement objectives of the initiative.

User Acceptance Testing (UAT) – The final and most important phase of system testing, UAT, is designed to ensure that the system does what it was designed to do and that it meets user expectations. UAT must go beyond prior functional and technical testing phases. UAT scenarios should cover all business processes end-to-end, include all critical real-life data variations and be validated by process owners.

Data Conversion – Often overlooked by the business, data conversion is one of the most critical implementation processes and a common source of project delays. No two systems are alike, and data from one system will rarely map cleanly or directly onto a new system. Data quality issues in legacy systems can also cause delays. Realistic data is critical to UAT. The business, supported by IT, typically owns data conversion design, mapping, enrichment, validation and cleansing. Start the data conversion process early.

Data Governance – To ensure that master data and transactional data are employed appropriately and consistently throughout the organization from go-live forward, the business should develop a comprehensive data governance program that includes a framework of organizational roles, a “data dictionary,” defined metrics and documented policies.

Business Intelligence (BI) and Reporting – BI and reporting should not be left as an afterthought, with the presumption that they can be addressed after go-live. For most users, the primary benefit of an enterprise system is ease and accuracy of reporting. Ensure that the BI and reporting requirements are fully incorporated into the design phase of the implementation and tracked throughout. The ease and flexibility of reporting is highly dependent on the quality of the architecture and design, and the efficiency and integrity of the business process depend on the availability of information at the right time and place.

Enterprise systems can bring remarkable efficiencies and return on investment, or be massive failures – and the business, not the integrator or IT, is ultimately responsible for the outcome. For a more in-depth analysis of these and other implementation challenges, download our recently published white paper, Understanding the Responsibilities of the Business During an ERP System Implementation.

Cyber Vulnerabilities of Energy Companies’ Control Systems Can Be Addressed Safely and Successfully

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and

Michael Porier, Managing Director
Technology Consulting – Security and Privacy

The realization is growing across the oil and gas industry that the major cybersecurity threats to upstream, midstream and downstream data and operations are often aimed at operational technology (OT) systems and equipment – usually older, legacy models – rather than at the information technology (IT) side. Those operational technologies typically include industrial control systems (ICS), supervisory control and data acquisition (SCADA) devices and other related technologies implemented at operational facilities, such as plants, pipelines, terminals and rigs.

A recent survey of more than 300 oil and gas companies found:

  • More than 60 percent of companies have suffered a security compromise in the past year, which exposed confidential information and disrupted OT systems and operations
  • Two-thirds of companies believe risks to OT systems have increased substantially in recent years, and 59 percent believe they face greater risks in OT than in IT
  • Only one-third of companies report that OT and IT are fully aligned in their organizations
  • Just 35 percent rate their readiness to address cyber threats as high
  • Close to half of all attacks on OT are going undetected

These survey findings appear shocking – but they are also consistent with Protiviti’s experience in performing cybersecurity assessments for energy and utility clients, particularly evaluating their OT systems. We often find unprotected field terminals with inadequate physical security of connection points, live network ports with nothing to deter an unauthorized device from being plugged in, and an absence of intrusion detection capabilities. We also commonly see flat networks that are not segmented to appropriately segregate the OT systems from the corporate network environment, so that a foothold anywhere on the corporate network can be used to reach and exploit the OT systems.

Obviously, OT systems with any of these shortcomings present significant cybersecurity risks for the energy and utilities industry. The threat is multiplied by the fact that energy and utilities organizations are deemed critical infrastructure, whose exploitation can have devastating effects on broad geographic regions and the many people who live in them.

More and more ICS/SCADA technologies can connect (via IP) to the broader corporate network infrastructure. While this provides certain efficiencies, it also exposes oil and gas systems to risks they did not face while isolated: once OT systems are linked to the corporate IT network so data can be shared, managed and analyzed, the OT systems inherit the exposure of that network.

Despite this newfound connectivity, the industry has remained stubbornly reluctant to challenge legacy OT systems from a vulnerability perspective, for fear of creating interruptions or process errors. This reluctance often leads to a failure to adequately test or update systems to optimize security and minimize cybersecurity risks.

The concerns are legitimate, but only up to a point. In our experience, there isn’t sufficient justification to hold OT systems “off limits” for cybersecurity evaluation and upgrades, given the high potential for targeting by sophisticated opponents and the alarming numbers cited in the survey. To this end, assessments should still be performed, but they must incorporate a series of precautions designed to assure both operational continuity and a complete threat risk review. These precautions include:

  • Well-defined rules of engagement, including identification of the types of reports and system information to be compiled prior to conducting a vulnerability scan
  • Performing security evaluations in a test, rather than production, environment
  • Collaboration with both engineering and IT security personnel to define the scope of the review engagement
  • Reasonable limitations on initial tests so sensitive systems can be excluded if needed to allow for the development of workarounds
  • Establishment of clear lines of communications so any network or system irregularities are reported and evaluated during testing

Working within these parameters, the end goal of testing the security control environment of the ICS/SCADA environments should achieve the following:

  • Evaluate the key security risks prevalent in the ICS/SCADA network architecture
  • Identify the network vulnerabilities and test the connectivity to the enterprise network
  • Assist with the development of a vulnerability management program specific to the ICS/SCADA infrastructure
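The flat-network finding described earlier and the goal of testing connectivity to the enterprise network can both be checked before anything is scanned: a review of the IT/OT boundary firewall policy shows which corporate addresses can reach which OT services, without sending a single packet toward a PLC. The following is an added example, not Protiviti's tooling or any client's configuration. It assumes a firewall with first-match, default-deny semantics and a simple five-field rule syntax; the subnets, host names, the two sample policies and the ICS/SCADA service list (well-known default ports) are constructed for illustration.

```python
"""Offline IT/OT segmentation check against a first-match firewall policy.

Added example (constructed data): it evaluates whether any corporate address can
reach typical ICS/SCADA and remote-access services on OT hosts, using only the
policy text, so nothing touches a live controller.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                       # "tcp", "udp" or "any"
    port: Optional[int]              # None means any port


def parse_rules(text: str) -> List[Rule]:
    """Parse 'action src dst proto port' lines; '#' starts a comment (assumed syntax)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, proto, port = line.split()
        rules.append(Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          proto, None if port == "any" else int(port)))
    return rules


def allowed_sources(rules, corp_net, dst_ip, proto, port):
    """Parts of corp_net that the policy lets reach (dst_ip, proto, port).

    First-match evaluation: a block of addresses is settled by the first rule whose
    source covers it. Because IPv4 networks are either nested or disjoint, a rule
    either covers a whole undecided block, carves a piece out of it, or misses it.
    Whatever no rule decides falls to the implicit default deny.
    """
    undecided = [corp_net]
    allowed = []
    for r in rules:
        if dst_ip not in r.dst or r.proto not in ("any", proto) or r.port not in (None, port):
            continue
        still = []
        for net in undecided:
            if net.subnet_of(r.src):           # rule covers the whole block
                decided, rest = [net], []
            elif r.src.subnet_of(net):         # rule carves a piece out of the block
                decided, rest = [r.src], list(net.address_exclude(r.src))
            else:                              # disjoint: rule says nothing about it
                decided, rest = [], [net]
            if r.action == "allow":
                allowed.extend(decided)
            still.extend(rest)
        undecided = still
        if not undecided:
            break
    return sorted(allowed)


# Default ports of common ICS protocols plus the remote-access services that
# attackers use to pivot (assumed inventory for the example).
ICS_SERVICES = {
    ("tcp", 502): "Modbus/TCP", ("tcp", 102): "Siemens S7 (ISO-TSAP)",
    ("tcp", 20000): "DNP3", ("tcp", 44818): "EtherNet/IP",
    ("tcp", 3389): "RDP", ("tcp", 22): "SSH",
}

# Constructed addressing: corporate LAN and three OT hosts behind the boundary.
CORP_NETS = ["10.10.0.0/16"]
OT_HOSTS = {"10.50.1.10": "PLC-1", "10.50.1.20": "HMI-1", "10.50.1.30": "historian"}

# Constructed policies: a flat network, and a segmented one with a carve-out.
POLICY_FLAT = """
allow 10.10.0.0/16 10.50.0.0/16 any any        # corporate -> OT, everything
"""
POLICY_SEGMENTED = """
deny  10.10.5.128/25 10.50.0.0/16  any any      # guest half of engineering VLAN: never
allow 10.10.5.0/24   10.50.1.20/32 tcp 3389     # engineering VLAN -> HMI remote desktop
allow 10.10.5.0/24   10.50.1.30/32 tcp 1433     # engineering VLAN -> historian SQL
deny  0.0.0.0/0      10.50.0.0/16  any any      # everything else
"""


def segmentation_findings(rules, corp_nets, ot_hosts):
    """Return (ot_host_name, service, [corporate source blocks]) for every exposed path."""
    findings = []
    for corp in corp_nets:
        corp_net = ipaddress.ip_network(corp)
        for ip, name in ot_hosts.items():
            dst = ipaddress.ip_address(ip)
            for (proto, port), service in ICS_SERVICES.items():
                sources = allowed_sources(rules, corp_net, dst, proto, port)
                if sources:
                    findings.append((name, service, [str(s) for s in sources]))
    return findings


if __name__ == "__main__":
    for label, policy in (("flat", POLICY_FLAT), ("segmented", POLICY_SEGMENTED)):
        print(f"== {label} policy ==")
        for name, service, sources in segmentation_findings(parse_rules(policy), CORP_NETS, OT_HOSTS):
            print(f"  {name:<10} {service:<24} reachable from {', '.join(sources)}")
```

Against the flat policy every OT host exposes every listed service to the whole corporate range; against the segmented policy the only remaining path is RDP to the HMI from the non-guest half of the engineering VLAN, which is exactly the kind of narrow, documented exception an assessment should confirm is intended. Because the check is purely offline, it fits the rules-of-engagement precaution above: it can be run before any scan, and its output tells the engineering and security teams which connectivity a later active test needs to exercise.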

Ideally, what energy and utilities companies want is to ensure they have an ICS/SCADA environment that can function in a secure and effective manner, and that they can be highly efficient in detecting and responding to breaches and attacks. This requires technical expertise, collaboration between departments, appropriate planning, and leveraging vulnerability assessments to periodically test security. Testing these systems requires more work, but it is not impossible, and it should not be considered “out of the question.” In fact, testing is an essential practice for preserving the integrity of any critical system.

DOJ Fraud Section Puts Boards of Directors on Notice Regarding “Conduct at the Top”

In February 2017, the U.S. Department of Justice (DOJ) Fraud Section published its latest guidance on corporate compliance programs with the release of the very useful document titled “Evaluation of Corporate Compliance Programs.”

While many legal and compliance scholars have rightly stated that this latest publication isn’t anything radically different from prior authoritative guidance issued by the DOJ and other organizations, what jumps out is the reframing of the well-worn expression, “tone at the top,” with the potentially more insightful, and arguably much scarier, “conduct at the top.” In a just-released Flash Report, we put forth questions and insights that illustrate the degree to which the DOJ is examining senior management and the board of directors while evaluating a corporate compliance program.

PCAOB White Paper Calls Attention to the Risk of Material Weaknesses at Emerging Growth Companies

Last week, the Public Company Accounting Oversight Board (PCAOB) released its semi-annual white paper providing general information about certain characteristics of emerging growth companies (EGCs). The PCAOB’s white paper provides a number of observations regarding EGCs, which we summarize in a just-released Flash Report published on Protiviti’s website. In our Flash Report, we also review the implications for EGCs that report material weaknesses in their internal control over financial reporting and offer guidance to affected organizations to help them avoid or overcome such findings.

Top Technology Challenges for Internal Audit: Results From Protiviti’s IT Audit Survey

By Gordon Braun, Managing Director
IT Audit

Process automation and digital transformation are near the top of most corporate agendas, and the IT audit function has never held a more crucial role. The results of the 6th Annual IT Audit Benchmarking Study from ISACA and Protiviti illustrate the increasingly integrated role IT audit leaders and professionals are assuming in regard to technology initiatives in their organizations.

I had the opportunity, along with my colleague David Brand and ISACA director Ed Moyle, to discuss the results at length in a recent webinar. You can view an archived version by registering here. In the meantime, I wanted to give you a quick rundown of the top technology challenges expressed by respondents, and how those challenges compare with the previous year’s results.

No surprise on the top tech challenge: Nearly all organizations are struggling with data privacy and cybersecurity. It’s an area where boards want assurance — even with an understanding that assurance can never be 100 percent, regardless of the amount of money spent. The challenge for IT audit, therefore, lies in determining the right amount of IT audit time and focus to be dedicated to cyber risk and ensuring coverage is in alignment with the risk appetite and priorities of the organization. Though cybersecurity is always a business issue, the risk is typically assigned to IT. IT audit’s effectiveness in this area is strongly related to the experience and specific knowledge that the IT auditors in the group bring to the audit. There continues to be a strong push for education and for using the right tools, frameworks, approaches and resources; all are critical to enabling IT auditors to stay ahead of the cyber risks they are auditing.

Emerging technology (automation, digitization, cloud, etc.) remains a top challenge for IT auditors, though not ranked as high as last year. Effective IT governance in the face of emerging tech remains a goal for many organizations, and those that ignore it or get it wrong are going to struggle. IT auditors can help their organizations in this area by challenging the effectiveness of IT governance from both a design and operating perspective — this healthy and critical evaluation of the alignment between the business and IT is required in today’s environment. In organizations with enterprise risk management (ERM) functions, there may be a natural overlap in interest between IT governance and ERM, and IT auditors are well-positioned to seek out this partnership to share and receive perspectives from the ERM group.

Infrastructure management, regulatory compliance, and budget/cost concerns all moved up the list this year — a risk triumvirate that I think contributed to the return of third party/vendor management as a top-ten challenge, after dropping below the top ten last year. Infrastructure management and third-party vendor management are closely related as organizations increase reliance on infrastructure as a service (IaaS) and software as a service (SaaS) providers in an attempt to reduce their IT footprint. To ensure maturity in third-party risk management and ease related challenges, IT audit should be involved in the early stages of significant infrastructure projects, evaluating the processes and controls around third-party vendor management, ensuring upfront due diligence activities are completed, and reviewing service level agreements (SLAs) and contracts before they are signed. There are a number of efforts in the market to provide IT auditors with more avenues for assurance for these relationships – an area I fully expect will continue to see growth.

Missing from this year’s top-ten list is big data — a surprise, to say the least. In all my conversations with colleagues, big data remains a top priority, and is closely tied to many of the other top ten challenges. Its absence from the list, in my opinion, has more to do with the temporary elevation of other priorities, and a growing familiarity with the features, risks and benefits of big data, than with any lessening of focus. Big data also looms large in this year’s Internal Audit Capabilities and Needs Survey, so the conversations around it are certainly not over.

Last, but certainly not least, staffing and skills cut across every other top technology challenge mentioned. Although it dropped slightly from last year’s ranking, it remains a top-five challenge — a reflection of the critical need for internal audit functions to hire and train tech-savvy auditors capable of understanding IT risks. This is particularly relevant for addressing the top challenge of cybersecurity, where expertise is key to gaining the cooperation and trust of IT. Co-sourcing, or even outsourcing of IT audit, can provide that expertise without straining internal resources. Each organization must decide on whether and how to augment its skills based on its specific level of reliance on technology.

Clearly, there is much to unpack from this year’s IT Audit survey results, and we will continue to analyze the findings and track progress in how companies address them. For the full ranking of challenges and a more in-depth analysis, visit our 6th Annual IT Audit Benchmarking Study page.

The IPO Market Appears to Be Heating-up – Are You IPO-Ready?

By Steve Hobbs, Managing Director
Public Company Transformation

If the past month is any indication, the lull of 2016 is in the rear view mirror and we’re headed into an uptick in the IPO market. As more well-known and highly anticipated companies go public, there are rumors of who might be next. With that said, history has shown that public offering windows open and close quickly, and in order to take advantage of a healthy market, when IPOs tend to fare best, companies must be prepared when the market is ready. Below are several points on getting a company IPO-ready:

Prioritize. When the market is hot, it’s easy to want to ride the wave. But, trying to skip ahead or take shortcuts could put an IPO at risk. Conversely, shifting full focus to IPO readiness activities can cause the day-to-day business to suffer. In cases like this, working with partners to help prioritize activities and plan the IPO can be a good decision as it frees up time for management to focus on the business while keeping all strategic initiatives in sight.

Set the tone. As every C-suite executive knows, major transformations, like launching an IPO and operating in the public realm, require a great deal of both internal and external communication. Public companies operate in a fishbowl of disclosure and regulatory compliance. Therefore, executives need to set a positive tone early on to ensure that every single person in an organization – not just the functions at the center of an IPO – is aware and supportive of the process. The executive team must promote a compliance infrastructure not just as a system of controls, but as a tool for growth and scalability.

Scale your infrastructure. The internal infrastructure of the company must be able to support and withstand the transformation requirements of going public. With new requirements and regulations, companies need to review their financial reporting applications and systems to identify and correct scalability issues.

Think cybersecurity. IT security should not be an afterthought to growth. Organizations need to scrutinize their IT systems for readiness and security, particularly when selecting and implementing an enterprise resource planning (ERP) system. We now hear almost daily of major cyberattacks against public companies. When customer data and/or company IP are at risk or actually compromised, shareholders and regulators take notice.

Learn from others. The basic requirements for transforming a company from private to public rarely change. New legislation or new requirements might pop up but, at the end of the day, every CEO who has taken a company public has a similar story to tell – one of hard work, sleepless nights and serious commitment to the goal. It’s important to take the time to hear these stories from the frontlines, and to understand what CEOs and CFOs say they wish they had done differently, what they could have avoided, or what wasn’t worth the trouble. To this end, I invite you to join us at our upcoming webinar with Executive Vice President and CFO of GOGO, Norm Smagley, who will be sharing his stories from the frontlines.

To learn more, also check out our IPO FAQ guide, available for a free download here.

Answer Fundamental Questions and Beware of Overconfidence Before Moving to the Cloud

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader

For any business, migrating to the cloud is an essential step in the digitization journey. The baseline cloud benefits, such as reduced costs, greater efficiency and enhanced customer service, are important objectives to strive for, of course. The latter is especially attractive to consumer products and services companies. But there are many considerations, in addition to the benefits, that businesses must keep in mind when shifting to the cloud if they are serious about achieving true digital transformation.

To begin with, companies must have a thoughtful — and even an aspirational — strategy behind any cloud migration project if they are to realize measurable value from it. Protiviti’s white paper, Cloud Adoption: Putting the Cloud at the Heart of Business and IT Strategy, emphasizes this key point: Executives need to recognize cloud adoption as a strategic business issue, not an IT issue. To ensure that such a move will enable true business and IT transformation, executives must have clarity on what they expect the cloud to accomplish for the organization. They also need to understand their digitization priorities within their specific industry and regulatory contexts.

Consumer products and services companies leading the cloud race

Cloud adoption is accelerating across all industries, but for consumer products and services companies the pace is quicker. According to Protiviti’s latest annual Technology Trends and Benchmark Study, nearly two in three companies today are now focused on investing in cloud adoption. For consumer products and retail companies that participated in the study, that number is 80 percent. These businesses also reported that they are currently focusing on and investing in digitization.

Interestingly, despite being on the forefront of cloud adoption, consumer products and services companies don’t appear to be overly concerned about risks that may accompany such a dramatic move. Executives from these businesses who responded to the Executive Perspectives on Top Risks for 2017 survey from Protiviti and North Carolina State University’s ERM Initiative did not cite the following as a top five risk for their industry, even though it was fourth on the overall list of top risks in the survey:

Rapid speed of disruptive innovations and/or new technologies may outpace our organization’s ability to compete and/or manage the risk appropriately, without making significant changes to our business model.

On the surface, this finding seems positive: Consumer products and services companies believe they have a handle on this top risk. However, it might also be a signal of overconfidence. And overconfidence is a risk in and of itself, and could potentially undermine the success of any digital project. To help those feeling confident test their preparedness, a recent issue of The Bulletin suggests that executives ask themselves the following questions:

  • Directionally, do we know as an organization where we’re going and why?
  • Are we prepared for the journey we are undertaking?
  • Do we possess the ability, will and discipline to cope with change along the way?

Pondering these questions can help organizational leaders think more critically about their goals, the risks associated with the changes they want to undertake, and whether they fit within the risk appetite of the company. Answering these questions will also help them to think more critically about what to move to the cloud, how and when, to realize the most value for the company.

For example, back-office operations are often overlooked as potential candidates for cloud migration in favor of more customer-facing functions. This oversight could result in the business missing out on some significant benefits, like building greater resiliency into its core operations. The inverse is another common mistake: Rushing to migrate a back-office function and then realizing, too late, that the legacy technology supporting it can’t be cloud-enabled. Yet another pitfall is jumping on the cloud bandwagon before properly considering privacy, security or compliance issues.

Even more questions to consider

In addition to the “soul-searching” questions above, organizations should seek to answer some other key questions to help them develop their cloud strategy:

  • Why should we adopt the cloud?
  • What are the business needs, and what are the outcomes we expect?
  • What are the use cases?
  • What portions of the business should we move to the cloud, how, and when?
  • Which cloud model is most appropriate for this initiative and for our organization (e.g., private, public, hybrid, or multi-cloud)?
  • What is the economic and operational value proposition?
  • How would this project impact IT’s approach to its current business model?
  • What vendors should we work with?

The bottom line of this discussion can be summed up in a word: preparation. Well-placed confidence, clear business-driven goals and a well-thought-out strategy will position organizations to execute their cloud migration project successfully, achieve the desired value from it, and be another step ahead in their digital transformation journey.