Risk Mitigation, Analytics and Controls

By Chris Buzz, Vice President, Finance and Services
On Center Software

Most contractors are heads-down just trying to make it through the downturn — taking on more jobs, working for less profit, trying different types of work, breaking even on jobs, reducing their workforce. Contractors are looking in two directions — one is focused on keeping the doors open — the other, looking for a path to the future. The roadmap of the future includes identifying ways to cut costs, reduce waste, lower risks, eliminate theft, retain top talent, boost productivity, and return to profitability. Let’s take a deeper look at the exposure that contractors face related to assets such as software licenses, equipment, customer data, and financial information.

There are different aspects of analyzing key assets within an organization. Risk assessment is the process of determining the degree or level to which an organization is exposed. This is typically a more passive approach and answers the question ‘Where is the company vulnerable?’ An example would include assessing through an inventory and equipment usage system. Risk mitigation is the proactive process of reducing or eliminating those vulnerabilities that put the company at risk. Not just knowing where the risk exists but taking action against that exposure. An example would be identifying the ways that a particular asset, such as a software license or client data, could be misused or stolen and then eliminating that security breach. The truth is that most companies focus on risk assessment rather than risk mitigation.

Today’s construction economy is full of business consolidation and employee’s changing employers. Identifying and tracking company assets must be a top priority. With consolidation of the books comes consolidation of the assets and knowing where devices, software, and data are located throughout this process is essential. With employees coming into and going out of an organization, it is important that when they move on, the company’s assets stay put.

The on-the-go workforce exposes the company’s assets. It is much easier to know who is doing what, on what, for what, if everyone is sitting in an office each day. But the reality is that today, construction companies put information and licenses everywhere an employee is doing work. It is often challenging just to know the basics — what is everyone working on? Which devices? Which software? Which data?
Software is loaded on a variety of devices throughout the business - from smart-phones, to desktops, to laptops, to tablets. In most cases there is very little control, analysis, or reporting done on this equipment. This lack of "control" puts the business at risk. Disgruntled employees pose a significantly higher risk to the company than external property theft. If a ‘thief’ breaks into an office, vehicle, or trailer and nabs one of the devices, a company loses an asset and stored data but it hasn’t been ‘violated.’

When an employee steals a device, software license, customer list, or sensitive information, the company sustains a double hit. First, the impact to the business bottom line is significant. Not only did the company lose precious information but the person who took the data knows the value of the asset and how to use it. Second, the company feels betrayed by an employee that was once trusted. The loss triggers a lack of confidence in the remaining employees. The immediate reaction is to lock down everything and keep it from everyone.

The best way to handle these situations is to secure the assets before a loss occurs. Looking over every employee’s shoulder isn’t feasible and it isn’t motivating. It is imperative that controls be put in place to know who has which device; is using which software; is accessing which data. With regular analytics and controls the company is protected and employees are trusted to do their work.

Analyzing and reporting on a regular/timely basis which employees use automation tools and access data records lowers the risk of intellectual property theft. With proper controls in place, the business has the ability to lock out an employee who is MIA or behaving out of line or perhaps fully disengaged and feeling ‘justified’ for their actions. These controls must allow the company to trace an asset regardless of its actual physical location (e.g., which hardware device has a specific software license on it), then lock it out or recover it. There are other positive options that occur given proper asset controls. For example, software licenses are earmarked for critical/key employees and licenses are load balanced across employees and locations.

All organizations struggle to put analytics and controls into place. Larger organizations may allocate headcount to concentrate on assessment and mitigation. Medium-sized organizations may contract with external consultants, on a periodic basis (bi-annual, annual, semi-annual, etc.) to review processes. Smaller mom-and-pop construction companies are often the organizations left most vulnerable.

These smaller shops have neither the staffing nor financial resources to dedicate to reducing risks. For this reason it is most important for them, but really for all sized organizations, that business-asset providers deliver ways to secure assets. As an example, takeoff, estimating, or customer relationship management software, at a minimum, must provide a way to track who is using the software, on which devices, and accessing which records. Taking this a step further, if the software asset is being misused or has been stolen, the software must provide a way to disable that license/user but not hinder the company’s total license pool.

Incorporating analytics and controls into the culture of the company is essential and enables risk reduction. With a comprehensive assessment and mitigation process in place not only are assets secured but an organization is allowed to focus on other project-specific business risks. These other areas include scope creep, overruns (e.g., budget, schedule, and cost), safety, site conditions, and change requests.

With software and data loaded on a variety of devices — without controls and reporting — the damage from theft is catastrophic. Risk mitigation should be reactive and proactive — passive and aggressive. Construction owners must track activities, usage, and behavior. Protecting the contractor’s property is the foundation to a secure future in business. It’s the end of the workday — do you know where your assets are?

Chris Buzz is vice president of finance and administration for On Center Software, Inc. His responsibilities include finance and accounting, HR, IT, technical support and customer training. In addition, he also serves as controller of On Center Software. Buzz has over 15 years of experience in driving process optimization, service deployment, and internal system improvements.

Associated General Contractors of America