GRC is the new ROI

Maybe GRC is the new ROI, maybe not, but you can’t deny that ROI is getting old.  ROI is simply a metric that measures the excess profit (or return) made by implementing (or investing in) a solution, minus the cost of the solution, when compared to not having implemented the same solution.  GRC is governance, risk and compliance, three things people outside of the executive suite are not likely to care a lot about.

ROI was the holy grail of automation for decades and it will never go away but as an engine for the tech economy it may be fading.  If a technology vendor could show how implementing technology would reduce costs somewhere in the organization, the sale was at least pending.  Unfortunately for many people, the savings were more often than not derived from reduced headcount. 

For years companies have been getting more productive by automating away jobs, but what happens when you reach the point where automation will not enable further headcount reductions (which in the real world are known by the less clinical term, job cuts)? 

Traditional business school logic says that there are two ways out of that dead end, product and financial innovation.  With product innovation companies can build new things that people want to buy; with financial innovation they can tinker with the ways they count money and the way they position themselves in the market. Product innovation is hard and often unsuccessful, especially for large companies that become set in their ways. 

That leaves us with financial or business model innovation, but as we have seen all too often, changing the business model is a Herculean task that very few companies of any size at all can pull off.  You can’t say business model innovation does not happen, but it’s rare, like Halley’s comet or, in the 20^th Century, the Red Sox winning a World Series. 

So what starts out as multiple options quickly dwindles to financial innovation which can take multiple forms too, and in the recent past, its metric has been ROI.  Nevertheless, as the foregoing argues, the ROI gravy train is running out of steam which is why I think that GRC may be ROI’s successor.

GRC is an evolving suite of solutions with a common theme — helping enterprises avoid what is euphemistically called a “loss event.”  As we have found better, cheaper and smarter ways to do business, loss events have bubbled up to become one of the big bogies on the radar screen.

Loss events come in far too many forms.  Consider these from the recent news that we’re all familiar with.  Isaiah Thomas, coach of the New York Knicks, was found guilty of a sexual harassment charge by a co-worker.  The settlement against the Knicks went into the millions of dollars.

Dennis Kozlowsky CEO of Tyco was found with his hand in the company till, costing the company millions of dollars and tarnished its reputation with the financial community.  (I was going to use Ken Lay and Enron as the example here, but did you know that because Lay died before he could appeal his verdict that the courts automatically vacated the verdict?  Quite a justice system we have, but I digress.)

Then there is what seems like a never ending saga of retail organizations who find that their IT security is second to one — the bad guys who steal millions of credit card numbers and customers’ identities in the process.

All of these loss events can and should be prevented if corporations start to use technologies that help them analyze weaknesses and implement business rules that enable them to enforce best practices in virtually every area of their operations.  Reducing loss events reduces losses and that hits — or doesn’t hit depending on your perspective — the bottom line which is why I think that GRC is the new ROI.

Ah!  If it was only that easy!

We really have only scratched the surface where risk is concerned (think about your company’s carbon foot print, for example).  Therefore we have only an imperfect understanding of the solutions, the compliance rules that enable good governance.  Out of this will come, of necessity, new job titles like Chief Compliance Officer and whole new systems, some of which are now coming to market.

ROI is forward looking and it provides answers to the what-if questions good managers always ask — if we did business differently, using different and better technology, would it be worth it?  What would the pay off be?

GRC takes that idea forward and asks how a company can proactively eliminate a loss.  It’s nowhere near as sexy as inventing the next iPod/iPhone/iDon’tKnowWhat but it addresses the need for better management and the incessant demand that companies maximize shareholder value. 

More than that though GRC implicitly says there are more stakeholders than only the shareholders.  For example, a company might use GRC in HR to help avoid a sexual harassment law suit and the “loss event” that can accompany it, but the benefit to the workers is better work environment.  Inevitably, that has the makings of better productivity and maybe even ROI.

Oracle open World: 30 and Counting

They pulled out all the stops at Oracle Open World last week to unveil a whole lot of advanced and interesting business technology.  It was the thirtieth anniversary show but the emphasis was clearly about the future, not the past. There was lots that was not CRM related — though from my provincial perspective I can barely understand why — and I will leave it to the rest of the world to figure that out.  There was certainly enough that was CRM to keep me busy. 

Full disclosure, I was not there but over the last few months I have received briefings as much to prepare me for writing this as to solicit my advice, opinions really, about their direction.  Now I feel like the secret mission is over and I can write freely.

One of my general impressions is that after a long quiet period it seems like Oracle is coming out firing all its guns at once.  There was lots of Fusion to talk about as well as Oracle’s approach to CRM and Grid computing and a new take on CRM that has strong Web 2.0 underpinnings. 

Where to start?  I am not going to review what was announced but instead provide a little analysis on a couple of ideas.

The first idea is Grid computing.  Lately there has been a lot of talk about the merits of single- and multi-tenant architectures.  The multi-tenant model is the one that came through the early testing by fire and won the on-demand war, or at least the first on-demand war. 

Ten years ago single tenant went by the name of facilities management which essentially outsourced operations but left the expenses.  Oracle never gave up on the single tenant idea and Grid computing seems to be a way to say it doesn’t matter.  Grid computing supports both and provides solutions in a more hospitable (read non-client server) way than it once did.  Oracle claims, rightly so, that there are situations where customers simply cannot accept a multi-tenant architecture for legal and security reasons — think about a bank sharing space with a foreign company in a multi-tenant system.

I think this approach is likely to cause the on-demand community to further evolve its offerings and architecture or risk being shut out of some big and lucrative opportunities at a time when enterprises are coming to accept the on-demand message.  With its Grid announcement Oracle is effectively saying, “Is it on-demand you want or multi-tenancy?”

Good question.

Closer to home, Oracle is tackling some interesting ideas in good old CRM.  As we’ve been seeing from events like Sales 2.0 and blogs and discussion groups dedicated to asking what CRM 2.0 is, Web 2.0 (I think that’s enough 2.0’s for now) ideas are making their way into CRM.  Briefly, Web 2.0 ideas cover a lot of ground but the concept is about applying social networking to the challenge of communicating with and selling to customers.

One particularly slick idea in the Oracle arsenal involves applications that do everything from analyzing a territory and picking out likely prospects to helping users select content and strategize its delivery to the most promising prospects.  It either sounds like Buck Rogers or 1984, depending on your world view but regardless, it is very high powered.

Of course, in an event like this there is a lot of emphasis on the future to the extent that you may not always be sure of what is a real product or what’s in the pipeline so, for example one Oracle generated document said, “Oracle also will provide the Oracle Sales Library, which can essentially act as an index of a company’s best sales tools, such as presentations and RFPs.”  I assume that means soon. That’s a cool thing but it would be incorrect to think that everything Oracle was talking about was bleeding edge or leading edge.  Other companies such as Kadient and maybe Savo already offer solutions like this one, for example.

Here’s how I would net it out.  First, Oracle is taking on-demand computing seriously in a way I have not seen before and that should be good.  Second, integration is important to Oracle in ways that were not in evidence before.  The Oracle Application Integration Architecture is a good proof point.  Third, Web 2.0 is coming to Oracle in part to enable the company’s enterprise customers to better develop, integrate and pursue business processes that have been limited by what even Oracle’s Ed Abbo, SVP of Product Development, called “fragile” business processes in his keynote.

Oracle has hedged its bets in lots of ways.  With a plethora of new and farsighted ideas the company doesn’t have to be clairvoyant or right one hundred percent of the time to be successful.  They’ve made some shrewd bets and now they have a portfolio of new technologies some of which could become home runs. 

On the flip side though, as much as you might like a lot of what you saw and heard, at least some of the ideas have been around and other vendors, who may not have Oracle’s marketing budget or industry clout, have been delivering some of these goodies for a while.  So this conference might simply mark a time when Oracle woke up and brought to market its versions of cutting edge solutions and therefore “legitimized” some spaces and ideas that have been slowly gaining traction. 

Finishing off Phishing

I was looking forward to writing more on Sales 2.0 this week.  Selling is something that I am keenly interested in but it will have to wait for another time.  I must have ADD because a call from a client set me off in another direction.

My client called to talk about phishing and what they are doing to combat it and help their customers.  I am sure you already know that phishing is a technique that attempts to get unsuspecting Internet users to hand over sensitive information such as bank account and credit card numbers.  The thieves or cyber pirates who conduct phishing attacks use the account numbers to steal money and sometimes whole identities.

At first blush it sounds like a good thing to take on phishing on behalf of your customers and you could even say it is noble.  Nevertheless, a little reflection made me think this nobility was like the charge of the Light Brigade — noble, but also doomed.

I went to my files and dug up a column I wrote in 2005 about spyware and adware — back then those were the problems of the day. These rogue programs took over browsers and redirected them; they also inserted new start pages and sent a continuous stream of information about where a person has been in cyber-space back to a central group that harvested the information.  Eventually, the free market figured it all out and the firewall was born and became standard equipment for PCs.

Individual action in the face of a problem like this — a free market approach — has a place but it is not always wise for any single company to take on such a diffuse threat.  The problem with this approach is that it is at best temporary.  Like any arms race one side reacted to the threat and the problem went away only to spring up in a different form.  The solution did nothing to dislodge the notion that rogue groups could roam the cyber frontier extracting information from people for nefarious aims.  As a result, the spyware and adware problem morphed into something more serious, phishing.

In social science there are numerous examples of how when small crimes or activities on the edge of being crimes are left alone they breed a complicit environment where it is easier to perpetuate a larger crime.  The most famous law enforcement effort I am aware of involved the NYPD adopting a zero tolerance program for small crimes like people hopping the turnstiles in the subway to avoid paying.  When zero tolerance kicked in, the incidence of all manner of small crimes went down as well as larger crimes too.

Back to spyware and phishing.  What was needed at the time — and is needed today — is legislation that makes it a crime to steal a person’s confidential information the way phishers do; zero tolerance for cyber piracy of any kind.  There is a bill, the Identity Theft Enforcement and Restitution Act making its way through congress right now co-sponsored by Senators Leahy, Specter and Durbin (http://ga3.org/campaign/cyber_crime/forward/ibuwbi32077jm7bk) that might do some good and I recommend you look it up.

Perhaps more important to getting something done today is the Anti-Phishing Working Group (APWG) (www.antiphishing.org) which tracks and reports on phishing and offers some solutions to help protect individuals.

Some of the information that comes out of APWG is not that encouraging and according to them, phishing attacks are on the rise.  In July of this year (the most recent statistics I can find) there were 30,999 unique phishing sites identified and 126 different brands were compromised.  That means brands like PayPal, Anazon, Bank of America and other high volume on-line transaction oriented businesses.  Also included in this list are most of the get rich quick emails you get these days from the national lottery of some foreign country and people seeking help to launder a few million dollars they happen to have lying around.  The good news, average life expectancy of a phishing site was 3.6 days, an all time low. 

One of the most difficult parts of fighting phishing is that it’s a bit like the carnival game where you smack an alligator head only to see another spring up elsewhere.  It takes almost no time to launch a phishing site and operators can move them from one unscrupulous or dumb ISP to another in the blink of an eye.  With a typical phishing site up for less than 4 days it is hard to eradicate the problem.  It’s also why adding a site to a blocked senders list doesn’t work well.

APWG advises people to never fill out forms on-line when invited to do so even if the invitation seems to come from a trusted vendor.  Moreover, vendors have more or less adopted a policy of not sending out email asking customers to do so, therefore a clear tip off that a phishing scam is up is the invitation itself.

If you get phished, follow the simple directions from the APWG site:

Create a new mail to reportphishing@antiphishing.org.

1.      Drag and drop the phishing email from your inbox onto this new email message

2.      In Netscape drop it on the ‘attachment’ area

3.      Do not use "forward" if you can help it, as this approach loses information and requires more manual processing. The exception is when you use the Web interface to outlook: in that case forward is the only solution.

So what’s the bottom line for CRM?  Just this:  You can’t build a futuristic on-demand economy if transactions can be counterfeited by pirates.  Attempts by individuals or even individual companies are doomed to fail because these attempts are simply battles in an arms race.  Phishing is bad enough — I for one don’t want to see what comes next.

It’s time for companies to stop hiding and thinking the problem will go away.  It’s time for companies to stop worrying that to admit there is a problem will lead to customers thinking the Internet is unsafe.  It is unsafe and most people already know this.  It is time for all of us — individuals and companies — to band together and demand laws that will protect us when on-line. 

The Leahy, Specter and Durbin bill is a good place to start.

Sales 2.0 (Customers 1.0, Vendors on deck)

Ok, I get it.  I went to the Sales 2.0 conference in San Francisco last week and there was a lot to like about it.

In my career I have seen some major back and forth changes in selling and I have to say that these changes relate more to what is being offered than who we are selling to. 

Every sales person knows (or ought to) that there are times when you make appointments to take orders and there are other times when you work very hard for small results.  When you are taking orders, hard work is almost irrelevant and many neophyte sales people have made small fortunes selling whatever the market had an insatiable appetite for at the right moment.  At other times you can work like a dog and seem to lose on a technicality.

The whole Sales 2.0 proceeding and its content reminded me of the period from about 1989 to 1995.  Back in the last century, that was the time when the mini-computer market fizzled out but the client server market had not yet ignited enough to sustain significant growth in the tech sector.  All that ended in 1995 when Windows 3.0 was released.

During the ‘89 to ’95 stretch sales junkies talked a lot about methodologies and about the changing sales environment.  We got strong doses of “strategic selling” and “solution selling” so that we could convert from order takers to consultative selling machines.  It worked too, sort of, but I have to say life got better after ’95 when we could all go back to taking orders for things like ERP and CRM — the monster client-server applications of the day.

What happened at the end of the mini-computer boom was that there was nothing much that was new to sell or buy.  Customers sat on their wallets, we had a recession and we tried very hard to sell into a buyers market. 

I think we’re at a similar point today.  As I have said before, there are lots of very similar products on the market fielded by competent companies and the result is that we work hard and look for small advantages.  People — buyers — haven’t changed much if at all, it’s just human nature.  What has changed is that the last time this happened we were all still using spreadsheets to track customers and deals but today we have SFA and CRM. 

So it was not very surprising to hear from keynote speakers like Geoffrey Moore whose best selling “Crossing the Chasm” came out in 1991 or Michael Bosworth whose Solution Selling methodology was in high demand back then.  What has changed — and what I think Sales 2.0 is at least partly about — is that we now have automation to support some very good ideas about selling in buyers markets.

Where I have a small difference with the whole Sales 2.0 trend is that it so far lacks a discussion about the end-to-end sales process.  There were a lot of small vendors selling point solution products at the conference and most of them are pretty good applications too.  Unfortunately, none of these vendors have taken it upon themselves to band together to produce an integrated offering that might appeal to one or more vertical markets.

In my view it would be smart for these vendors to in loose associations to state explicitly that their combinations work well in an integrated process for XYZ vertical market and complement products from vendors A, B and C.  That would take a lot of confusion out of the buying process.  In contrast, imagine what a buyer in say, financial services, thinks when walking into a room full of vendors all claiming to solve his or her business problems.

I know many vendors would not want to put themselves into a situation where they explicitly say what situations they are good at because it implies that they might not be right elsewhere.  However, the evidence is pretty clear that over a long period of time and different economic environments, the vendors that say “no” once in a while are the ones that succeed.  That’s especially true for emerging vendors too.

So my take away from the conference is that it was pretty good — more than 400 people attended and the organizers plan to make this a regular thing.  If I was scoring this I might say Sales 2.0 absolutely, human beings (buyers) get a 1.0 because they haven’t changed at all and the vendors are still coming up to bat.  They haven’t changed and that’s where we need to see some movement both to embrace the many new technologies and to bring better focus to their applicability.