Time to Act
Charlie Goodrich 


Having control systems in place for your business is important. But having them is not enough.

Today's newsletter looks at the example of retailer Target and offers five suggestions for making sure your control systems are working as they should. 
I appreciate your comments. Just click "reply" to send them to me.
Charlie Goodrich 

Founder and Principal

Goodrich & Associates
April 2014 Vol. 3 No. 4
In this issue...
Whose Target Are You? Why Having and Using Control Systems Are Not the Same Thing.
Heard on the Street
About Us
Goodrich & Associates
[email protected]
Whose Target Are You? Why Having and Using Control Systems Are Not the Same Thing.

Much has been written about business control systems and their design; businesses employ them in all kinds of ways, such as:
  • Financial control systems, which assure that financial statements are correct, business transactions are properly authorized and so forth. Sarbanes-Oxley brought attention to the importance of these control systems.
  • Capital project control systems, which ensure that only projects that financially benefit the company are undertaken.
  • Systems which detect everything from chemical leaks that can become expensive environmental disasters, to quality control problems that can lead to things such as increases in scrap, rising product costs and dissatisfied customers.
And yet, with all these control systems in place, little has been said about making sure organizations use and respond to them adequately. Consider, for example, the retailer Target, which had 40 million credit card numbers stolen last year. Everyone knows that.

What is less well known, is that Target had a world class cyber security system in place, one installed less than a year earlier by CIA-funded FireEye, a company whose major clients include the CIA and the Department of Defense. The system was monitored 24X7 in Mumbai. On November 30th and on December 2nd, hackers penetrated Target's systems and then stole 40 million credit card numbers through December 15th.

But here's the kicker: Most of the alarms from the new system did go off and were noticed in Mumbai, which called headquarters in Minneapolis, which did . . . nothing. Additional alarms that should have gone off did not, because Minneapolis deactivated them during the installation.

Target finally started to react to this massive breach on December 12th , the day they were contacted by the FBI; the exodus of credit card numbers continued for three more days. According to cyber security experts, the tools used by the hackers were neither sophisticated nor noteworthy.

So, once you have good control systems in place, how do you make sure they are used? Five suggestions:
  1. Senior management must be approachable and willing to act. I worked on a bankruptcy case in which the CEO and CFO were manipulating reports sent to the bank so the company could borrow more money than allowed under the loan and that could not possibly be repaid. The controller reported this activity to the absentee owner's trusted on-site lieutenant who was chief legal and administrative officer. He did nothing and the fraud continued.

    This is not so much an issue of formal process as it is one of senior management approachability. If senior management repeatedly blows off concerned employees, these same employees will learn to say nothing, even when control systems set off alarms. In the Target example, Mumbai never went around the Minneapolis staff that ignored the problem.
  1. The Board, owners and senior management must work within the control systems put in place. Besides setting a bad example, not doing so can greatly increase the risk of bad decisions.

    For example, when I was in the car rental business, the company was effectively owned and controlled by one of the Detroit Big 3. When the CEO and CFO met the owners in Detroit to gain approval of the bonus pay-out for last year and the performance incentive plan for the current year, "Detroit" had a large, unexpected request. "Before we get started, we really hope you can take delivery of an extra $300 million in luxury cars... starting next week. Yes? Great, we don't need to review the performance plan."

    Unfortunately, having the right number and kind of cars in the right locations at the right times is the essence of running a car rental business. That year, however, and because ownership overrode the company's control processes, lots of (happy) customers paid for a compact and drove off in a luxury vehicle! The car rental company posted record losses and paid out record bonuses.
  1. What is expected is inspected. Senior management and Boards must periodically review control systems.

    The challenge is maintaining focus on control systems designed to detect infrequent but catastrophic events. For Target, cyber threats are not the core of its business, and so less attention was paid. But you can bet that if Target's control systems set off alarms about "out of stocks," high inventory, changing sales patterns, etc., the alarms would have been responded to immediately.

    Cyber threats, while rare, are potentially devastating and need to be treated as such. (A recent study by Verizon Enterprise Solutions found that retailers respond to cyber attacks at one sixth the rate of the sample average.)

    Senior management should participate in the inspection and review of important control systems, giving these systems the attention and priority they deserve. Better to ask "Why?" and "How come?" during periodic tests and reviews of control systems than after the barn door has been opened.
  1. Trust but verify. The Ronald Reagan arms control philosophy works for business control systems too. Senior management trusts middle management to run control systems. To ensure they do, senior management tests and inspects. Boards trust senior management to put control systems in place and monitor them. Then Boards verify with outside reviews that report to the Board.
  1. The right firm must review your control systems. A public accounting firm may be called in to review and audit financial statements. An environmental firm might review a company's environmental records and actions.

    But in choosing the right firm to conduct a review, and in addition to the requisite technical competence, it's critical to select a firm that works with similar-sized companies in similar industries.

    Two bankruptcy clients of mine, for example, were both $150 million revenue companies that undertook financial shenanigans that contributed to their firms' demise. Both firms had current unqualified opinions from their respective auditors. One auditor, however, was a Big 4 firm whose client base was predominantly much larger clients (too little attention was paid); the other was a local firm that was simply in way over its head.
Remember, control systems are important - that's why your company spends money on them. But having them is not enough. Learn from Target's costly mistake and make sure you are using them as well.

Heard on the Street
For more details on the story behind the Target story, have a look at this recent article from Bloomberg Business Week: "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It."

About Us
Goodrich & Associates is a management consulting firm. We specialize in helping our business clients solve urgent financial problems. Our Founder and Principal, Charlie Goodrich, holds an MBA in Finance from the University of Chicago and a Bachelor's Degree in Economics from the University of Virginia, and has over 30 years experience in this area.

To ensure that you continue to receive emails from us, please add
[email protected] to your address book today.

Goodrich & Associates respects your privacy.
We do not sell, rent, or share your information with anybody.

Copyright © 2014 Goodrich & Associates LLC. All rights reserved.

For more on Goodrich & Associates and the services we offer, click here.

Newsletter developed by Blue Penguin Development