• ⇤
• ⇽
• ≡
• ⇾
• ⇥

are audit reports all about marketing

the journal of Michael Werneburg

twenty-seven years and one million words

I am writing a dissertation on the impacts of implementing an enterprise risk function at service organizations. Specifically, those service organizations that provide technology services to regulated industries such as finance, insurance, or health. As part of the study, I conducted a survey of six service providers across North America. I recruited service providers that had already obtained a service audit report such as an SSAE16 SOC-2, or were in the process of obtaining their first. The breakdown of these survey-takers is as follows:

Here, I use “ISP” to mean “infrastructure service provider”. These are cloud hosting providers. I used the more usual term “ASP” to mean an application service provider. These are providers of management systems where the users work at regulated organizations (banks, hospitals, what have you). I included two firms that had yet to complete their audit—but were moving in that direction—in order to get their insights into the view from the thick of things. In both cases, these firms had already attained some sort of qualification such as ISO 27001 or PCI-DSS.

In designing the survey, I decided to look at three things:

• Just what did the companies have to do, in achieving their audit report?
• How effective was their effort?
• What were the impacts on their organization from everything they accomplished?

I made an effort to get the opinions of the risk practitioner who had worked on implementing the risk management function at each firm. In looking at the first question, I inquired into what I called a risk-centric initiative of process improvement. Each firm reported having undertaken such an initiative, in which processes across the firm were reviewed and refined with an eye to risks.

The second question dealt in “change management” or project management activities.

In this post I’ll be writing about the final point: on the impacts to the organization.

Impacts to service organizations

I asked my six respondents to provide the rating of impact from “strongly negative” to “strongly positive”. Six impact categories were: 24 criteria across seven categories.

• Execution of internal process
• Management of uncertainty
• Change readiness
• Client services
• Sales
• Marketing

The seventh category was a more nebulous category, in which I tried to gauge the impact to things like “cross-departmental co-operation”, and “degree of fit” of processes. These are terms from Michael Porter’s writing on competitive advantage. So I’ve retained that name in the breakdown of results below, in which I’ve provided the average impact rating across the 24 criteria in their seven categories.

In summary, the strongest impact ratings were in marketing and sales, while the least impact was reported in the management of uncertainty and the “competitive advantage” category. In effect, the opposite of what “getting through an audit” is supposed to be all about.

This is why I was studying the subject. Because when we at PortfolioAid performing our own risk-minded process overhaul, I began to hear feedback about the impact to our interactions with our clients, and I wanted to know if this was a common experience. I have to admit, I wasn’t expecting the consensus among risk practitioners to be so strong, or the very strongest impact had been on marketing criteria such as “Defining the capabilities that differentiate your value proposition” and sales criteria such as “Smoothing sales to regulated clients.” This unaltered quote from one the survey taker drives it home:

"I cannot underscore enough the competitive and marketing advantages. While the impact on the business as a whole has been positive, it is really the marketing and competitive component that has made the process worth the effort."

So, in a sense our management team spent those two years struggling with difficult and esoteric things like building consensus on operational objectives and processes, or developing better ways for processes to span functional divisions. But at a higher level, we were also building a stronger brand, and restructuring the company’s value proposition in order to pave the way to new sales. And what had been reported at PortfolioAid was in fact going on at other service organizations.

Understanding it all

When an organization behaves in a certain way, that behavior forms impressions of the organization in both internal and external stakeholders, be they employees, clients, partners, or suppliers. This impression is confirmed with every interaction. I’ll dip into “the literature” for an explanation.

As Ted Matthews and Andris Pone write, “because every stakeholder interaction either adds to or detracts from your brand, you’ve got to deliver at every touch-point.” In improving the certainty of reaching the organization’s objectives, a risk management function has several things to offer such a vision of brand. This goes beyond the immediately obvious activities that are traditionally considered “risk management”, such as defending the brand from high-profile financial or reputational losses. Less theatrical and less obvious day to day activities are closer to the point: those that improve the consistency of everyday internal processes. “Delivering at every touch-point” requires removing uncertainty from the processes by which the organization obtains results; by being consistent. Matthews and Pone concluded that being consistent is the number one rule of branding. Joan Magretta, expanding on the works of Michael Porter writes that consistency is effective when a service provider keeps its brand consistent while remaining free to innovate on how it delivers. This allows for rapid improvement to activities, which in turn reinforce the organization's brand.

So in a sense, even though it looks like a two year program of refit internal processes with risk management methodologies, yes in the end it is all about “marketing”. And that’s good.