Category Archives: Uncategorized

Using Management Controls To Deal With An Organizational Crisis

This is a draft article written together with  Catherine E. Batt, Carsten Rohde and Leif Christensen. 


In 2008, the world was hit by one of the worst financial crises since the Great Depression in the 1930s. There are different types of financial crises, and the one in 2008 could be called a banking crisis, as it had its roots in the financial market (Claessens et al., 2012; The Economist, 2013). It affected a broad spectrum of companies, markets and institutions, but the effects were most strongly felt in financial institutions in the form of a series of collapses, bankruptcies, governmental assist programmes and subsequently new regulations and stronger compliance requirements.

Management controls are critical in supporting management decision-making as well as controlling the behaviour of individuals and groups to ensure that the organisation meets its objectives. The exact nature and content of management controls has been subject to much debate throughout the years. Here, we define management controls as systems, rules, practices, values and activities that management puts in place in order to direct employee behaviour. These can be seen as a “package” of several loosely coupled control elements (Malmi & Brown, 2008). These are:

  • Cultural controls: The values, beliefs and social norms that are established to influence employee behaviour. Include processes for e.g. hiring and ceremonies, definitions of mission, vision and values that are formally communicated, and creation of visible expressions of a particular type of culture.
  • Planning: Processes and practices for setting out the goals of functional areas, thereby directing effort, behaviour and defining the standards to be achieved. Includes long-term planning and short-term planning.
  • Cybernetic controls: Processes in which a feedback loop is represented by using standards of performance, measuring system performance and comparing that to standards, feeding back information about unwanted variances in the systems. Includes budgeting, financial and non-financial performance measurement.
  • Rewards and compensation: The processes and practices that focus on motivating and increasing the performance of individuals and groups by achieving congruence between their goals and activities and those of the organisation.
  • Administrative controls: The direction of employee behaviour through organisation of individuals and groups, monitoring of behaviour, and the process of specifying through policies and procedures how tasks or behaviour are to be performed.

The design of management controls is influenced by a number of functional areas, including the Chief Executive Officer, Chief Financial Officer, the Human Resource Manager, and the internal auditor. Management controls are critical in steering the organisation towards its objectives by ensuring the quality of information flows to managers as well as giving managers the means to influence and direct employee behaviour.

Not much is known about how these controls change in the wake of a financial crisis like the one in 2008 (Van der Stede, 2011). Even less is known about how management controls change in financial institutions after a crisis. Financial crises such as the one in 2008 are difficult to predict and respond to. However, knowing which management controls to use when responding to a crisis could be of vital importance when facing such a situation. Furthermore, banks are particularly dependent on public trust and compliance with regulatory requirements. Responding correctly to changes in the external environment is critical.

The study

To find out what happens to management controls in banks we gained access to the three largest banks in Iceland. The three banks studied are essentially new organisations built on the remnants of the old banks that went bankrupt in 2008. As there were no other similar banks in Iceland, letting the three banks be dissolved was not an option back in 2008. The three banks had to be taken over by the state and restructured, which included the layoff of hundreds of employees. Today, these banks employ a total of around 3,000 employees and constitute the banking infrastructure of Iceland.

To compare the development of management controls in these three banks, we selected and gained access to three Danish banks. These were comparable to the Icelandic banks in terms of current size of revenues and assets, non-financial variables such as the number of employees, and general business model, including retail and corporate banking activities. These three Danish banks did not experience the same level of turbulence after the 2008 crisis. In effect, the crisis was a “bump in the road” for these banks rather than a full-scale crisis. Asking the same questions and focusing on the same issues, we used the Danish banks as a “mirror” to reflect the changes made to the management controls of the three Icelandic banks in the period from 2008 to 2015.

With the cooperation of the Chief Financial Officers and the Chief Internal Auditors in the participating banks, we adapted our questionnaire themes to different managers and functional areas. In total, we conducted 26 interviews in the 6 banks with e.g. Human Resource Managers, Chief Financial Officers, Internal Auditors, Chief Risk Managers and Chief Planning Officers. The main themes explored through the interviews were the use of each management control, its relative importance, tools and methods, and how the control had changed since 2008.


In general, by interpreting the statements by the managers, it is possible to divide the aftermath of the Icelandic crisis in 2008 into three distinct phases up until 2015. The immediate aftermath of the crisis was a difficult time for the Icelandic banks. Many of the managers described this period as a time of “chaos”, “panic”, “turmoil” and “shock”. The managers reported that during this time, many employees experienced a discord between their personal values and those of the banks. Some of the banks even offered counselling and psychological assistance to their employees. After this “Restructuring” phase, the managers described a “Reinvention” phase in which for example most of the changes to management controls were implemented. This was followed by a more recent “Stabilisation” phase with a more settled business environment and operations, and what can be seen as standardised European banking practice.

Our study shows that during the “Reinvention” phase, certain management controls went through a radical redesign as a result of the crisis, while others were reconfigured to reflect new operating conditions (Dawson, 1994). In this context, radical redesign means that these controls were radically different from the controls used pre-crisis, whereas the reconfigured controls were similar but reflected different emphasis or focus. This is described below.

Cultural controls

The crisis in 2008 led to a loss of trust by the Icelandic public in the banking institution. Image surveys from that time show how the image of the banking institution deteriorated in terms of links to corruption, trust and social responsibility (Gudlaugsson & Eysteinsson, 2010). In short, the fundamental values on which the banks had operated up until 2008 were brought into question. All three banks therefore launched projects to redesign their cultural controls, including a redefinition of the basic values on which the new banks should operate.

“The CEO set up meetings where all the employees were invited. People thought the CEO was crazy, as most people were concerned with putting out fires and had no time for thinking about strategy. We counted about 700 employees at that meeting. One of the tasks of the meeting was to define new values. It was a very democratic approach and actually very good for the bank.” (Icelandic manager)

The efforts to redefine the values of the Icelandic banks were led by the Chief Executive Officers, who among other things used consultants, employee meetings and project groups to achieve the desired outcome, which was to develop radically different set of values and value based controls. This enabled the post-crisis bank to distance itself from the values and practices of the pre-crisis bank. A “clean break”, as some of the managers called it.

Administrative controls

Following the crisis, a large number of new regulations and compliance frameworks were introduced, financial control institutions such as the Icelandic Financial Supervisory Authority were strengthened and restructured, and the media took an active interest in the compliance of the banks. To cope with this, administrative controls were redesigned. In particular, managers used the organisational structure to frame and delineate the restructuring of the “new” organisation after the crash. Special restructuring departments were set up to deal with this complicated and sensitive task. Across the board, policies and procedures were made more formal. In this context, formalisation means written documentation, transparent management approval processes for new policies and procedures, internal and external reviews of compliance as well as formal training of employees in the application of policies and procedures. Finally, more resources were allocated to risk management departments, which hired more employees and took on more tasks. Currently, the risk management departments of the Icelandic banks are 5 times the size of similar departments in comparable Danish banks, although the task profile is similar.

Several managers mention how regulation, compliance and risk management have become more strategic for the banking industry.

“In a bank the focus goes straight from governance to strategic issues, whereas in a “regular” company, the emphasis goes from strategic issues to governance issues. And it is to a large extent the banking regulation that drives this development.” (Icelandic manager)

Some managers also welcome the formalisation of administrative controls in terms of increased transparency as well as documentation of rules – also from the perspective of being able to document what was done, how it was done and what boundaries have been defined.

“When you are in court it becomes easier to document what you have done regarding written administrative controls, whereas culture is more subjective.” (Danish manager)

Rewards and compensation

The report of the Special Investigation Commission put in place to investigate the collapse of the banks concluded that rewards and compensation schemes in the old banks had played a role in encouraging a certain behaviour among managers and employees (SIC, 2010). After the crisis, rewards and compensation schemes were radically redefined, both to comply with external regulations, but also to change the behavioural influence. This included changing the scope, intensity and direction of bonus schemes in the banks as well as making this internal control system open to external agency scrutiny.

“Today we are basing the bonus system on 65% for financial and operational metrics and that is more the bottom line. Then we have 35% that we call judgmental areas, and that is from 5 to 8 metrics where we are trying to stimulate responsible good behaviour. There are some areas where we have seen definite changes in behaviour, and that is concerning risk management and compliance. If you don’t meet the performance criteria within these areas, you may lose a good proportion of your bonus.”  (Icelandic manager)

Other controls

Other management controls did not change as drastically in the aftermath of the crisis. Planning processes such as budgeting have not been changed to any major extent but remain focused on the traditional annual budget cycle with variation analysis and follow-ups. A reconfiguration of cybernetic controls includes new definitions of performance with increased weight on risk and compliance.


Banks as institutions are fundamentally dependent on public trust and compliance with regulations. This legitimacy was damaged after the crisis in 2008 in Iceland. To regain social legitimacy and to demonstrate compliance with stricter regulation, the Icelandic banks radically redefined certain management controls. Cultural controls were changed to break with the values and practices of the old banks. Administrative controls were formalised to demonstrate compliance with external regulation and internally imposed boundaries. Certain controls, such as rewards and compensation and regulatory compliance practices, were opened to external scrutiny, which had not been the case before the crisis.

Some of the lessons learned from dealing with the crisis in the bank are:

  • Well-designed and implemented management controls are critical when banks respond to a financial crisis.
  • There will be a difference in change in individual management controls, depending on the magnitude of the financial crisis faced by the bank, as well as the initial design of the management control systems.
  • In a crisis of public trust recruiting a new CEO to act as a change agent should be considered.
  • Establish new organisational values from the bottom up signalling a clean break with past values.
  • Formalise new values with increased emphasis on compliance through changed governance procedures.
  • Change reward and compensation schemes to direct employee focus towards new goals.
  • Reconfigure performance measurement to reflect new emphasis.
  • Set clear policies and procedures for repetitive tasks combined with transparent governance processes to free up management attention to deal with crisis situations.
  • Strengthen the finance function, risk management, the compliance function and internal auditing in the bank with to successfully develop management controls. This includes adding management accounting capabilities.
  • Coordinate between these functions in designing and implementing changes in management controls.
  • Observe that despite increased regulatory compliance requirements, focus on business requirements has to be maintained.
  • Recognize the risk of loosing focus on core elements of management control such as action planning and budgeting.

Nothing can really prepare an organisation for a crisis of the magnitude faced by the Icelandic banks. However, some lessons can be learnt by banking institutions – and other companies – when responding to a crisis that involves loss of public trust and an immediate need to demonstrate compliance with changing requirements.


Claessens, S., Kose, M., Laeven, L., & Valencia, F. (2012). Financial Crises: Causes, Consequences, and Policy Responses Understanding Financial Crises: Causes, Consequences, and Policy Responses. Presented at the IMF Conference on the Financial Crisis, Causes and Policy Responses, Valencia. Retrieved from

Dawson, P. (1994). Organizational Change: A Processual Approach. London: Paul Chapman Publishing.

Gudlaugsson, T., & Eysteinsson, F. (2010). Áhrif Bankshrunsins á Ímynd Banka og Sparisjóða (Working Paper Series No. W09:04). Institute of Business Research. Retrieved from

Malmi, T., & Brown, D. A. (2008). Management control systems as a package—Opportunities, challenges and research directions. Management Accounting Research, 19(4), 287–300.

SIC. (2010). Report of the Special Investigation Commission (SIC) – English. Retrieved October 21, 2015, from

The Economist. (2013, September 7). The origins of the financial crisis. The Economist. Retrieved from

Van der Stede, W. (2011). Management Accounting Research in the Wake of the Crisis: Some Reflections. European Accounting Review, 20(4), 605–623.

Fjórða iðnbyltingin og viðskiptadeildir háskóla

Fjórða iðnbyltingin

Í dag upplifum við mestu framfarir mannkynssögunnar og hefur World Economic Forum nefnt þetta framfaraskeið fjórðu iðnbyltinguna (Schwab 2017). Við höfum áður upplifað framfaraskeið en það sem aðskilur fjórðu iðnbyltinguna frá öðrum er að það eru ekki bara framfarir á einu sviði. Margir fræðimenn tala um að við séum að nálgast einskonar vatnaskil (e.: tipping point) og að næstu ár munu jafnvel bjóða upp á meiri og hraðari breytingar á fleiri sviðum en nokkurn tíma áður. Dæmi um tækniþróanir sem virðast vera á næsta leiti eru sjálkeyrandi bílar, almennar vitvélar, sýndarveruleikaheimar, harðir diskar sem hægt er að græða í heila, meðferðir til lengingu lifialdurs og bálkeðjur (blockchain).

Viðskiptadeildir háskóla

Viðskiptalíkan viðskiptadeilda háskóla er fremur einfalt. Nemendur koma þar inn og tileinka sér kunnáttu, hæfni og leikni í fögum sem tengjast fyrirtækjum og atvinnulífi. Kennsla við viðskiptadeildir mótast af þeim stjórnunarsviðum sem eru í rekstri skipulagsheilda eins og t.d. stjórun á fjármálum, mannauði, markaðsmálum og nýjungasköpun.

Fjórða iðnbyltingin mun hafa margvísleg áhrif á þessa starfssemi. Upplýsingatæknin er til dæmis ein og sér að gerbreyta aðkomu að kennslu. Í raun er hið hefðbundna kennsluform í mörgum háskólum þar sem nemendinn situr aðgerðalaus og hlustar á kennara tala fyrir framan PowerPoint kynningu löngu úrelt. Það bíður margra háskóla stórt verkefni að taka til sín nýja möguleika í kennslu eins og til dæmis kennsla í sýndarveruleika, tengja kennslu við fjarkennslu í öðrum háskólum, breyta námsmatsaðferðum og tengja endurgjöf til nemenda nýjum tæknimöguleikum.


Það sem þó mun hafa mest áhrif á viðskiptadeildir háskóla er hinn mikli breytingahraði í atvinnulífinu þegar kemur að sjálfvirknivæðingu starfa, nýjum störfum sem skapast og þeim nýju og oft framandi viðskiptalíkönum sem verða möguleg með til dæmis Interneti hluta og virðiskeðju gagna. Þetta mun bera með sér gríðarleg tækifæri fyrir nemendur með viðskiptamenntun. Samtímis munu þó nemendur sem útskrifast með viðskiptafræðigráðu munu oft þurfa að endurskilgreina sig og sína kunnáttu á sínum starfsferli. Þarmeðtalið að sækja sér nýja menntun eftir því sem þeirra starfssvið breytist. Rannsóknir sýna að meðalstarfsmaður í framtíðinni mun skipta um starf 10-15 sinnum, sem í raun þýðir að starfsmaður er 3-4 ár í sama starfi.

Hvernig eiga viðskiptadeildir háskóla að bregðast við þessu?


Í fyrsta lagi að kenna breytingaskilning og þjálfa seiglu (e.: resilience). Það er að segja að skilja mismunandi tegundir af breytingum, hvernig skal bregðast við þeim, hvernig hægt er að skipuleggja viðbrögð við breytingum og hvað það krefst að takast á við erfið breytingaverkefni. Breytingar geta verið sársaukafullar og það þarf oft seiglu til að komast í gegnum þær.

Nýsköpun og frumkvöðlahugsunarhátt

Í öðru lagi verður að leggja áherslu á nýsköpun og frumkvöðlafræði. Breytingar fela í sér vegferð mót einhverju nýju. Það er því mikilvægara en nokkru sinni áður að kenna aðferðir til nýsköpunar, hæfni í að beyta þessum aðferðum bæði í skipulagsheildum og í eigin lífi. Hér er ekki (eingöngu) verið að tala um að búa til nýja vöru og þjónustu heldur einnig að síbreyta og bæta það sem þegar er í notkun (e.: continuous improvement).

Þjálfa gagnrýna hugsun.

Aldrei fyrr hafa jafn margir hagsmunaaðilar í viðskiptalífinu reynt að hafa áhrif á hegðun og hugsun okkar og aldrei hefur það verið jafn mikilvægt að vera gagnrýninn á þessi áhrif. Gagnrýnin hugsun er hins vegar ekki eitthvað sem við fæðumst með fullbúna. Hana þarf að móta og þar gegna rannsóknir í viðskiptadeildum lykilhlutverki. Þær snúast oft um að komast að því hvað virkar og hvernig í skipulagsheildum. Eins og með fréttaflutning er líka hægt að tala um falska vitneskju eða “fake knowledge”. Það er mikilvægt að nemendur læri vera gagnrýnin á vitneskju útfrá t.d. hver hefur búið hana til, hvernig hún er búin til, í hvaða samhengi og hvað er hægt að nota hana í. Skrif á lokaverkefnum í grunnnámi og í meistaranámi miðast til dæmis að því að þjálfa þessa hugsun.

Auka víðsýni

Stafræning heimsins ber með sér að landamæri, tungumálahindranir og tímabelti missa mikilvægi sitt og kunnátta, hæfni og leikni í viðskiptafræði verður hnattræn. Viðskiptadeildir verða að skapa möguleika á því að nemendur geti tileinkað sér víðsýni sem gengur þvert á menningarheima, atvinnugreinar og dreyfikeðjur. Þetta verður að gerast með aukinni samvinnu við erlanda háskóla og fyrirtækja, sem gefa nemendum möguleika á að tengjast inní nám og starfsemi í alþjóðlegu samhengi.

Á morgun er í dag

Viðskiptadeildir og reyndar háskólaumhverfið í heild sinni stendur frammi fyrir stórum áskorunum á næstu árum. Það er mikilvægt að viðskiptadeildir bregðist við og taki til sín mögileika og áskoranir fjórðu iðnbyltingarinnar. Röskun (e.: disruption) á atvinnugrein er nefnilega ekkert sem einskorðast við bóksala, leigubíla og hótel. Háskólar geta líka átt á hættu að verða skildir eftir í örri þróun útboðs annara skipulagsheilda en en háskóla á nýjum námsleiðum og aðferðum.

Hinn íslenski fjármálastjóri: Einkenni, umhverfi og verkefni

Ný grein í Tímarit um Viðskipti og Efnahagsmál.

Þessi grein byggist á rannsókn sem var gerð árið 2008 og aftur árið 2014 m.a. á einkennum og verkefnaáherslum fjármálastjóra í 300 stærstu fyrirtækjum á Íslandi. Báðar rannsóknirnar náðu yfir 60% svörun sem þykir mjög gott meðal stjórnenda. Niðurstöður eru m.a. þær að íslenskir fjármálastjórar fylgja almennt sömu þróun í áherslum og hlutverki og í öðrum löndum. Það er að segja meiri áhersla er lögð á greiningar, ákvarðanatökustuðning og innanhúsráðgjöf en bókhald og uppgjör. Af öðrum niðurstöðum ber að nefna að fleiri konur eru fjármálastjórar í íslenskum fyrirtækjum en á Norðurlöndunum, rétt undir helmingur fjármálastjóra stærri fyrirtækja hefur verið ráðinn á síðustu 5 árum og skortur er á þekkingu á mörgum aðferðum og stöðlum stjórnunarreikningsskila og innra eftirlits (management accounting). Greinin í fullri lengd er hér

Making the Invisible Visible: Calculating the Total Costs of Occupational Accidents

With the publication of the 2014 report “Estimating the cost of accidents and ill-health at work: A review of methodologies” by the European Agency for Safety and Health at Work, there has been renewed interest in the effects of occupational accidents on company finances. But what is the bottom line effect of occupational accidents and why is it so difficult to measure?

In management accounting we talk about direct and indirect costs. Direct costs are costs that can be traced directly to a cost object (i.e. something we want to know the cost of) but indirect costs cannot be traced directly to a cost object. The ability of managers to discern between direct and indirect costs is dependent on the design of the accounting system where the focus is usually on tracing uses of hours and materials to the products and services, which the company trades.

If occupational accidents are seen as cost objects, managers cannot see how much they cost because most of the costs associated with occupational accidents are indirect costs. That is to say they can not be traced directly to occupational accidents because accounting systems are not set up to trace costs directly to occupational accidents. Nor should they. But this means that managers are often flying blind when it comes to the true cost of occupational accidents.

In a project involving nine companies in Denmark some years ago we developed a method for calculating the total costs of occupational accidents. This method – which we called the Systematic Accident Cost Analysis (SACA) method – is based on well-known management accounting method called Activity Based Costing. It focuses on identifying the activities that either emerge or are affected by the occupational accident. It then measures the use of resources and costs of these activities to get the total cost of the accident.

In the companies we analyzed with this method we found six types of costs associated with the consequences of occupational accidents.

  1. Costs due to the absence of the injured employee: Includes e.g. payment of sick pay and payment of supplementary sick pay.
  2. Communication costs: Includes e.g. formal communication to employees, staff, and general management as well as informal communication between employees.
  3. Administration costs: Includes payroll administration, administration regarding health and safety regulations and reporting requirements, follow-up activities and meetings.
  4. Costs of prevention initiatives: Includes e.g. purchase of machine components and training initiatives.
  5. Operation disturbance costs: Includes e.g. training of replacements, revenue loss, co-workers overtime, and production reductions.
  6. Other costs: Includes costs such as e.g. fines and gifts to injured employee.

The main conclusions were quite interesting and included:

  1. Indirect (i.e. hidden) costs of occupational accidents could vary from 2% – 98% depending on accident characteristics and the activities incurred as a consequence of the accident.
  2. Calculating occupational accident costs can illustrate and visualize the value created by the Occupational Health and Safety (OHS) department by preventing accidents and thus avoiding costs.
  3. Accident costs vary between companies and depend on accident type, wage structures and policies, OHS management system scope, and production process vulnerability.
  4. Smaller companies had on the average higher accident costs per accident than larger companies.

Preventing occupational accidents makes sense from a moral and legal perspective. But the project showed that prevention also makes sense from a company financial perspective. Lets say a mid sized production company has 5 occupational accidents a year showing a direct cost of 30.000 Euro on average per accident in the accounting system in sick pay and compensation. A SACA analysis showed that only 30% of the occupational costs are direct and thus visible in the accounting system. The total annual cost of occupational accidents is thus 500.000 Euro. This company in its most recent annual report disclosed a profit margin of 10% – i.e. how much of the revenue was left when all costs have been subtracted. This means that the company would have to sell for 5.000.000 Euros to generate enough profit to cover the costs of occupational accidents. In other words, if the accidents had been avoided, 5.000.000 Euros on the top line would have counted towards increasing the bottom line and the value increase of the company.

The SACA report (in Danish) is available by sending an e-mail to pallrik(at) and an English description of the method is available in this article.

Changes in internal controls in Icelandic companies 2008 – 2014

We are currently in the reporting phase for our research on changes in management accounting practices of Icelandic companies since 2008. A part of this research focuses on what characterizes the development of internal controls and weather the developments observed can be characterized as increasing or decreasing maturity of internal controls in Icelandic companies. This is currently being written for an academic publication, but here are a few highlights.

The data is based on two questionnaire surveys of internal control design and application carried out in 2008 and in 2014. The two surveys asked the same questions about internal controls in both years where we used the COSO framework as a guide for developing the questions as well as the ISACA internal control maturity framework. The population was in both years the 300 largest companies in Iceland and the response rates were 61 and 63 percent respectively.

The survey in 2008 was carried out months before the worst financial crisis in the history of Iceland hit the country. Although this was not the intention at the time, the 2008 survey documented management accounting practices – including internal control – in Icelandic companies at the end of the fastest expansion phase in Icelandic business history. The survey in 2014 was carried out after 6 years of financial restructuring, IMF interventions and general environmental turbulence and uncertainty. The comparison between these two data sets gives us some idea of what happens to management accounting practices when elements in the external environment suddenly change.

The below table gives an overview of some of the results from the internal control part of the survey.


Companies answering “Yes” in 2014

Companies answering “Yes” in 2008

Are internal controls of average or high importance?



Have internal controls been documented?



Has internal control processes been reviewed and approved by top management?



Is there in place a risk assessment and response plan for events that could threaten company objectives?



Have external auditors have advised on internal controls?



Are internal controls reviewed regularly to ensure alignment with risk and control conditions?



The results show that internal controls have developed significantly in the period after the crisis hit the companies in 2008. The management control literature concludes in general that behaviour orientated management controls become more flexible and result based with increasing levels of environmental turbulence. Our research  indicates however that accounting type, information focused controls seem to become stricter, more formalized and more activity centred. This tells us that management control system studies cannot  as such generalize findings for one part of a management control system to another. The study concludes that external disruptive events like a financial crisis spurs companies to increase the maturity of their internal controls.


Performance indicators and systems used by Icelandic CFOs

Extract from a paper presented at Manufacturing Accounting Conference, 11-13 June 2014, Copenhagen Denmark by Pall Rikhardsson, Throstur Olaf Sigurjonsson, Audur Arna Arnardottir, School of Business, Reykjavik University

The use of performance measures and performance measurement frameworks has increased significantly in recent years regardless of company type or industry. Performance measures are defined here as measures used to support decision making by managers and thus do not include e.g. externally oriented financial measures. The type and variety of performance measures in use has been researched in various countries and linked to different variables such as the external environment, performance measurement frameworks, and management characteristics. However, this has not been researched to any extent in Icelandic context. This was the focus of a study carried out at year-end 2013 by a team of researchers form the Reykjavik University. We surveyed 82 CFOs in large Icelandic companies and asked them about their use of performance measures in various categories and the characteristic of their performance measurement systems. The companies surveyed covered a wide spectrum in size, ownership structures and industries.

Iceland is a small western society, with good access to top-level managers for data gathering, and with strong educational system on all levels. Iceland was one of the countries that was hit the hardest by the financial crisis in 2008 with the 3 largest banks collapsing, a subsequent intervention by the International Monetary Fund and a host of court cases, bankruptcies and political and regulatory changes in the years following. Iceland is therefore interesting in this context as environmental uncertainty has been relatively high surrounding and following the collapse, which could have impacted on the design of Icelandic companies performance measurement systems.

We asked about the use of in all 59 different performance measurements. These are shown in the list below. We also asked about what information systems were used to collect, process and report the performance measurements.

Customer & Service performance
Market share
Sales volume
Customer satisfaction
Customer retention
Reputation and image
Sales & Marketing performance
Account management
Public relations
Marketing campaigns
Media use
Finance & Accounting performance
Budget variances
Operating profit
Return on investments
Return on assets
Cost development
Contribution margin of products
Contribution margin of customers
Contribution margin of company
Cost of goods sold
Labour cost
Material cost
Indirect costs (overhead)
Manufacturing, Purchasing & Maintenance performance
Production volume
Labour Productivity
Machine productivity
Material usage
Setup efficiency
Supplier performance
Outsourcing partners performance
Product or service quality
Facility maintenance
Operating asset maintenance
R&D and Innovation performance
New product introduction
New product design
Patent generation
Supply Chain, Inventory & Logistics performance
Inventory turnover
Inventory value
Order fulfillment
Warehouse management
Information Technology, e-Business and Social Media performance
IT availability
IT service levels
Social media use
Company web site impact
Human Resources performance
Employees satisfaction
Employee skills
Employee training/education
Employee loyalty/turnover
Compliance, Governance & Legal performance
Regulatory compliance
Governance standards compliance
Risk assessment and management
Internal audit and control
CSR, Sustainability and Health & Safety performance
Occupational safety
Employee health
Climate change
Waste management
Human rights
Code of conducts compliance

The figure below shows the importance attributed by Icelandic CFOs to financial and non-financial performance indicators on a scale from 0 (not important) to 3 (very important). It seems that Icelandic CFOs are well aware of the importance of non-financial indicators although financial indicators are rate as more important.


Among the 82 firms surveyed, the number of total performance measures used ranged from 14 to 59 measures. The average performance measurement system (shown in the figure below) contains about 11 out of 13 financial measures (81%), and 29 out of 46 non-financial measures (63%). The most frequently used non-financial sub-category were Human Resource measures (83%) also with the highest mean importance rating of 2.08. Customer & Service performance measures (77%) with mean importance rating of 1.89, and Compliance and Governance (76%) with mean importance rating of 1.87. All responding companies use a combination of financial and non-financial measures and all seem to use a high number of the measures asked about, with the exception of R&D and innovation where only 31% of the companies indicated those kinds of measures being in use. It thus seems that the average Icelandic performance measurement system uses a relatively large number of different indicators both financial and non-financial.


The most important financial indicators are operating profit, sales revenue, variances, labor costs and company contribution margin. ROI, ROA, material costs, indirect costs, and customer contribution margin are not given as much importance.

We also asked about what information systems mainly support the processing and reporting of performance indicators. The answers from the 82 CFOs are shown below.


It seems that Icelandic CFOs – like their counterparts in other countries – rely heavily on Excel as a tool for processing and reporting performance information measures with almost 90% of the companies using Excel for this purpose. Microsoft BI (which is a combination of SQL, Excel and (sometimes) SharePoint) seems to be most widespread of the BI vendor’s solutions with Wise (an Icelandic BI solution) and Cognos following.

When asked about how performance measures are communicated to managers a rather strange picture emerges as shown below. While self-service and dashboards are relatively widespread there is still much use of the good old paper report and e-mail distribution of reports with almost half of the companies using printed reports and more than 80% sending reports by e-mail to managers.


In summary it seems that the respondents use varied financial and non-financial performance measures extensively. Looking at similar studies from the US and from Europe the impression is that Icelandic companies use performance measurement systems with more variety of performance measures and give more importance to non-financial measures. If this is true then a possible explanation – applying contingency theory – is that the crash of 2008 has prompted managers to develop more comprehensive performance measurement systems wowing never again to be caught unawares like many companies were during that time.

Looking at the information technology used in performance measurement a more schizophrenic picture emerges. Icelandic companies use similar technology as other companies and have relatively more focus on e.g. dashboards end end-user self service than studies from abroad show. But also seem to place much emphasis on printed reports and e-mail distribution of (Excel) reports.

The Data Wars

Talking to a BI manager the other day I saw that there might be a war brewing in many companies – well, maybe not a war but a competition. It’s the competition between various analytical information suppliers.

Centralized IT departments have had a long standing monopoly on implementing and operating the systems necessary for delivering high quality analytical information for decision makers. They still do. However, technological advances in integration technology, data analytics and data visualization is eroding the platform on which this monopoly is based.

IT departments are more often than not internal cost centers charging for their services. When managers need to gather data, clean it, merge it, process it and present it, it will cost them money. The IT department will guarantee that the data is as valid, reliable, accurate and complete as humanly possible. But this comes with a price tag that some managers are unwilling to pay. It also takes time to ensure that the data is of a quality that conforms to the aims and standards of the IT department.

Today, other departments are acquiring the means to process and analyze data as well. Accounting departments, risk analysis departments, internal control departments, logistics departments, and planning departments are all engaged in gathering data, processing it and presenting it for decision makers. These departments have access to databases, can integrate data to some extent and prepare it for presentation and analysis.

These departments are capable of servicing their own managers with ad hoc “good enough” data gathering and analysis at a much lower cost than the IT department will charge them. They are also capable to supply other managers in the organization with analytical services at a lower cost than the IT department. This data and analysis might not based on the data quality processes performed by the IT department, might use departmental tools (read: Excel) and based on the access levels to databases this department has. But to many managers the result might seem “good enough” and give them the information they need.

Is this a problem? Or is it a natural step in the evolution of the “democratization” of data and end-user empowerment? I think it at least merits a thought regarding the future structuring of IT departments and the services they offer. Top heavy IT departments with cost performance requirements, fixed cost markups, and rigorous complex administrative procedures seem out of sync with the development of the analytically savvy end user, user friendly integration and analytical technologies and increased access to data.

Continuous monitoring and auditing: The difference

For some years continuous auditing and monitoring has been the subject of number of articles and white papers mainly from academia, consulting and accounting firms. Deloitte, PwC and KPMG have for example published excellent whitepapers on continuous auditing and monitoring.

However, looking at other sources and reading debates about continuous monitoring technology, there seem to be various definitions of what continuous monitoring and auditing are and how they can be used. Sometimes they are even used interchangeably as if they are the same thing.

Continuous monitoring is a management tool. It is uses information technology to – in real time – review functional or business process performance and effectiveness to ultimately improve decision-making. It is based on governance and risk assessment processes and enables managers to detect deviations from targets, errors and risks sooner than would be possible with manual control procedures. Continuous monitoring can be applied at the transaction level to e.g. monitor data transactions and at a process level to e.g. monitor delivery processes and production processes.

Continuous auditing is a tool for internal auditors mainly and to some extent external auditors to continually gather audit evidence to support auditing objectives and activities. This means collecting data on processes, transactions and accounts to establish compliance with regulation, procedures and policies. The aim is ultimately to minimize the cost of control and compliance as well as increase the effectiveness of audit activities compared to audit objectives. There are several different types of CA technologies such as embedded audit modules, ghosting and monitoring control layer that also can be utilized by external auditors.

Currently there are different CM and CA technologies on the market either as part of popular ERP systems or as stand-alone solutions. ERP market leaders such as SAP and Oracle are integrating monitoring and auditing technologies in their solutions and stand-alone solutions from ACL, CaseWare and Expectus can be integrated in a variety of solutions and industry settings.

The CA and CM technologies are fast becoming more sophisticated, the integration easier and the interfaces more user friendly. This will mean more diffusion of CM and CA approaches to e.g. small and medium sized companies and NGOs. It will also mean that real time control will become even more prominent than it is now. It also means that external auditors might have to re-think parts of their business models and the actual business value of auditing hours sold.

Semdu ekki af þér þegar þú kaupir upplýsingakerfi!

Eftir að hafa nýlega kynnst samningamálum milli fyrirtækja og upplýsingatæknibirgja á Íslandi um kaup og innleiðingu á stærri upplýsingakerfum, slær það mig hversu ólíkt þetta íslenska umhverfi er frá því sem ég hef kynnst annarsstaðar í Evrópu.

Gott upplýsingakerfi getur gefið fyrirtækjum samkeppnisforskot með því að minnka kostnað við vörukaup og sölu, styrkt tengsl viðskiptavina við fyrirtækið, auðveldað samninga við vörubirgja, aukið ánægju viðskiptavina osfrv. Í dag eru mörg fyrirtæki með samtengd upplýsingakerfi þar sem t.d. sala, innkaup, birgðahald, viðskiptamannabókhald, þjónustustjórnun, búðarkassar, innheimta,  osfrv. fer fram innan sama kerfisramma. Dæmi um slík kerfi er Dynamics AX, SAP, Oracle, Dynamics NAV ofl.

Svona upplýsingakerfi eru blanda af vöru (hugbúnaði) og þjónustu þar sem kerfið þarf að innleiða í fyrirtækinu með ákveðnu ferli. Kerfi geta verið nokkuð mismunandi, það geta verið fleiri uppsetningarmöguleikar á kerfinu, og birgjar geta búið yfir mismunandi þekkingu og reynslu.

Við kaup á þessum kerfum þarf því að velja á milli kerfa og birgja. Þar sem kostnaður við innleiðingu getur hlaupið á tugum eða hundruðum milljóna þarf að undirbúa þessa vinnu vel. Val á milli kerfa og birgja á að byggjast á greiningu á þörfum fyrirtækisins og svo á tilboðum frá birgjum, sem sýna hvernig þeirra upplýsingakerfi og þjónusta mun mæta þessum þörfum. Fyrirtækið þarf því að búa til útboðsgögn sem gera birgja kleift að koma með sem nákvæmast tilboð og gerir kaupanda kleift að velja á milli tilboða á hlutlausum grundvelli.

Eftir að kerfi og birgjar hafa verið borin saman er farið í samningaviðræður við þann birgja sem hefur komið með hagkvæmasta tilboðið mtt. verðs, innleiðingaráætlunar, áhættustýringar, virkni kerfis og uppsetningar.

Slíkir samningar þurfa að taka á þáttum eins og skilgreiningum á hugtökum, samsetningu á kostnaði, borgunaráætlun, árangurskröfum til birgja, kröfum til uppsetningar og innleiðingarferla, prófunum á kerfinu, þjálfun starfsmanna, hvert á að leita ef menn verða ósammmála, hvað á að gera ef skil dragast á langinn, hvort hægt sé að sekta birgi, tímaframlagi fyrirtækis, kröfum til kunnáttu birgja, uppsagnarákvæðum osfrv. Þarna er um að ræða langan lista af atriðum sem verður að ræða og semja um „á meðan allir eru vinir” og áður en byrjað er á verkefninu.

Svo virðist vera sem þrennu sé ábótavant á Íslandi þegar að kemur að þessari tegund samninga.

Í fyrsta lagi eru ekki til staðlaðir samningar frá óháðum aðila um kaup á svona upplýsingakerfum á Íslandi. Hér er um að ræða staðla sem fyrirtæki geta notað við samningagerð við birgja og þá treyst því að samningurinn taki á öllum nauðsynlegum atriðum. Dæmi um svona samninga eru t.d. K01, K02 og K03 samningsstaðlarnir sem gefnir eru út af Digitaliseringsstyrelsen í Danmörku. Ég heyri að fyrirtæki á Íslandi eru að reiða sig á uppsetningar á samningum frá birgjum eða uppsetningar frá öðrum samningsverkefnum. Þetta þýðir að annaðhvort er samið út frá samningsformi birgjans, sem þá er að öllum líkindum hliðhollt birgja mtt. krafna og ábyrgðar, eða það verður að aðlaga t.d. fjárfestingarsamninga eða þjónustukaupasamninga að flóknum uppsetningar og –innleiðingarverkefnum. Þessu er hægt að líkja við að semja um húsbyggingar með því að nota samninga um bílakaup. Þetta eykur hættuna á að mikilvæg atriði komi ekki fram í samningnum og séu ekki rædd í byrjun verkefnis.

Í öðru lagi – ef tekið er mið af sumum þeim samningum sem hafa verið notaðir við kaup á upplýsingatækni á Íslandi – virðast íslensk upplýsingakerfi vera svo sérsök að það er ekki hægt að ábyrgjast að þau virki þegar þau eru tekin í notkun. Gallar í uppsetningu geta til dæmis ekki verið birgjum að kenna og birgjar takmarka ábyrgð sína við tæknilega virkni kerfisins. Eftir að hafa tekið þátt í sölu og innleiðingum á kerfum annarsstaðar í heiminum, þar sem birgjar taka mun víðtækari ábyrgð, er erfitt að skilja að uppsetning og innleiðing íslenskra upplýsingakerfa skuli vera svona frábrugðin reglum um slíka innleiðingu í öðrum löndum. Þetta eykur hættuna á því að fyrirtæki fái afhent kerfi sem ekki uppfylla þær kröfur sem gerðar voru í upphafi og verði að borga birgja aukalega fyrir að fá kerfið til að virka. Þessu má líkja við að það sé byggt hús þar sem gleymist að setja í glugga og kaupandi verði að borga byggingarvertakanum aukalega fyrir að lagfæra það.

Í þriðja og síðasta lagi virðist vera hefð fyrir því á Íslandi að fyrirtæki borgi einfaldlega það sem innleiðing upplýsingakerfa kostar án þess að hafa miklar forsendur fyrir upprunalegum verðútreikningum, samræmi í verkáætlunum og forsendur fyrir verktímum. Þetta er kallað innleiðing eftir tíma og efni (time and material). Það hefur því ekki verið samið um t.d. markverð (e. target price) í upphafi eða áætlanir gerðar um hvað eigi að að hafast ef birgir fer fram úr áætlunum á verktíma; hvort eigi að lækka tímaverð, beita dagsektum eða endurskipuleggja verkefnið. Það virðist vera litið á það sem náttúrulögmál að þessi verkefni fari fram úr áætlun – oft margfaldlega fram yfir upprunalega kostnaðaráætlun – og að fyrirtæki einfaldlega borgi brúsann. Þetta jafngildir því að semja um húsbyggingu, áætla lauslega tímaáætlun og tímaverð og svo byrja á verkefninu. Svo þegar koma upp breytingar, tafir og nýjar áherslur (sem alltaf á sér stað í svona verkefnum) verður að bæta við tímum og senda auka reikninga. Markverð, tímaáætlanir og breytingar á tímaverði eru hvatningakerfi sem fyrirtækið getur notað til að halda í við kostnað og breytingar í verkefnum.

Ofangreint má eflaust – eins og margt annað á Íslenskum markaði – rekja til smæðar markaðarins. Það er ekki um marga birgja að velja og ef það er lítil samkeppni hefur það áhrif á hvernig hægt er að semja við birgja. Svo virðist sem mörg íslensk fyrirtæki haldi tryggð við sama upplýsingatæknibirgjann í langan tíma og hugsi ekki um að gefa öðrum tækifæri til að spreyta sig þegar velja á nýtt kerfi. Innleiðing stærri upplýsingakerfa einkennist einnig af þekkingarmisræmi sem skapast milli fyrirtækis og birgja þar sem fyrirtæki velur og innleiðir svona upplýsingakerfi kannski 5-10. hvert ár.

Nokkur góð ráð:

  1. Láttu óháðan aðila gera þarfagreininguna.
  2. Settu upp stöðluð útboðsgögn.
  3. Láttu fleiri en einn birgja bjóða í verkefnið með fleiru en einu kerfi.
  4. Notaðu staðlaða aðferð til að bera saman birgja og lausnir.
  5. Tryggðu að samningsformið sem notað er sé jafn hliðhollt fyrirtæki og birgja.
  6. Tryggðu að samningurinn taki á öllum þeim atriðum sem taka þurfi á mtt. innleiðingar á þessari tegund upplýsingakerfa.
  7. Tryggðu að ábyrgðarákvæði séu skýr og sýni hvað það er sem birgir á að skila af sér og hvað það er sem kerfið á að geta eftir skiladag.
  8. Tryggðu að verðákvæði séu skilgreind sem markverð og það séu ákvæði um hvað eigi að gerast ef birgir fer frem úr áætlun.
  9. Hafðu í huga þær forsendur sem liggja að baki því verði sem gefið er upp í tilboðinu.
  10. Notaðu samninginn í innleiðingarferlinu til að vaka yfir skilum, hegðun og frammistöðu birgja.