READY, AIM, FIRE – Advising the Board of One

READY, AIM, FIRE | Henshaw Vierra

When will the company and the owner be “READY”?
Lots of transactions going on:  age of bureau owners, cost of next gen software, multiple service offerings requiring different expertise in addition to current structure , cyber security of data and flows of funds transfers, regulation, and industry consolidation.

Owners get at least 5 calls a year from the big guys, and from guys who talk big.  It’s flattering, but…

Is the owner ready to take the call:  it’s an emotional experience; it isn’t the “number” that makes it right.  It’s about being ready when the right call comes.  Being ready is about knowing they have created a strong company, and knowing that they are ready to take the next step into their own future.

Owners need to ask themselves if they have built a strong company which can produce repeatable revenue growth and predictable cash flows.  Do they have a team they can count on; are their files, processes, documentation, risk management systems right?

If their company is not ready, it’s too late for the owner to take that call, but it’s never too late for them to get ready to take the right call, in the future.

How do owners know when they are ready?  It often takes two steps to know.

How do they know, as a manager, that they can run the gauntlet of due diligence?  And, how do they know, as the owner, that it’s time to convert their assets to something more liquid, or just do something else.

Selling an asset they have built from scratch is emotionally hard.  Having outsiders review details of how they built it, and how they managed it, is emotional.  The process of selling is something that owners most have not experienced.  It can be puzzling, time consuming, stressful, and fascinating.  Getting and being ready, helps.

The next big step is to find a qualified buyer

Getting ready, as a manager, is easier than “getting ready” as an owner.

There is a process.  The owner/manager should hire an inside team that knows the process of running a strong service bureau, and how to make it profitable.  Internally they need good people to manage operations; financial and cash management processes; IT operations and data management processes and regulations; customer interfaces; and, cybersecurity programs.  When the company runs well, its sales team can run well, and they can meet manager/owner revenue growth expectations.

The owner should also build an outside team to help grow the company and keep it strong.  A board of directors or advisors can be very helpful if they already have experience doing what the owner hopes to do.  The company’s outside accountants and corporate lawyers should also be part of the team and give advice in their areas of expertise.

  • The owner/manager is ready when the company’s operational out comes are predictive and not reactive.
  • They are ready when customer and employee attrition is low; operations and finance have the data to know what volumes they generate and what prices they are effectively charging; fiduciary accounts are balanced daily to the customer account level; customer files are complete and accurate; and, they use outside auditors to attest to the accuracy of the above.

Ready when the timing is right.
Many times, by the time owners have built and maintained a great operation, they, as an owner, put off any idea of selling the company, and why not?  Their business is really a necessary service for customers.  Customers long ago knew that there are advantages to them to outsource what a service bureau provides because the bureau can bring economies of scale and deeper subject knowledge of the administrative functions than they can.  These customers pay the bureau a long term repetitive stream of cash payments, at the time the bureau delivers their services.  The bureau enjoys strong positive cash flows and the owner doesn’t need to tie their Balance Sheet up financing receivables.  It’s hard to find other investments that can reward the owner as well as a well-run financial service bureau.

The owner’s decision to sell is not an easy one. It is a mistake to begin the selling process if the owner is not ready.  An out sider is foolish to try to convince them that it’s time, if the owner is “not ready”.  The owner can tell if they are not ready if they start and stop the selling process.  This activity can injure the company, its employees, and the owner.  Competitors relish the opportunity to attack customer bases and spread uncertainty.

Once the owner understands that they are “ready” to start the process, they can take aim at the future.

Ready when the timing is right.

How does an owner take AIM at the future?

The next big step is to find a qualified buyer.
A good way to find a quailed buyer is to think like one does, then seek them out.

That used to be easy.  If the owner owned a payroll business, they sold to a payroll company, hopefully running the same platform they did.  If they were an HR admin and benefits administrator, they sold to a like company because they understood the complexity of the owner’s business and had a better chance of understanding the opportunity the owner’s company represented.  Same goes for insurance brokerage, and sellers of time clocks.

Today it’s different.  Service bureaus may not be selling just one line of business. They may be selling a combination of human resource management products using one or more data bases.

So how do owners find a like company?  Do they sell to a financial buyer (valuation based on EBITDA and revenue growth)?   Do they sell to a buyer on a different platform and see a discount for customers lost through the system conversion?   Or do they have to sell the company in pieces?  Each piece is different, with some pieces on different platforms.  Each market piece maybe valued using a different multiple for the different cash stream which each piece produces.

The first thing a seller should consider in finding a qualified buyer is to define what the owner is selling: the whole company or pieces of the company. When they define what they are selling, it’s easier to find a buyer who understands the industry, the company, the opportunity, and the value the opportunity presents.

The second thing is to decide their preference in the type of payment they should consider.  The owner should start by requiring all or most of the payment be made in cash. Most sellers are not bankers, particularly for buyers with less than stellar credit histories or strong reputations for best business practices.  The best qualified buyers understand the industry(s), the company and the opportunity, and have the cash to make the purchase.

If an owner aims to close a transaction with a qualified buyer, Due Diligence should have begun two to three years before a deal is proposed.  There are risks which can be eliminated in time.  Beginning that process at the time a transaction is proposed can lengthen the closing process, at best.

In due diligence a qualified buyer will ask questions about the history of the company which the seller needs to have been preparing for long before the questions are asked:

  • what is the capability of the management team, what is the status of the key operations from sales to onboarding to servicing to billing, can the company safely manage the flow of fiduciary funds like taxes and other payments and distributions made on behalf of the customer and its employees?
  • Does the company have a defined organization (chart) with clear channels for command and control?
  • Does the company management use a budget and have a history of achieving financial goals they forecast?
  • What is the company’s current level of service capacity utilization?
  • Is their target market well defined? Does it match the buyer’s target’s customer base?
  • Does the seller know the status of each customer? Can the company retrieve customer data on products/services units used, and current pricing table applications? Is each customer record file complete with authorizations and agreements in place for the customer and their employees?
  • Is their IT environment running platforms which can provide the customer what they need? What is the level of capability of the IT team?  What is the capacity of the cloud/hardware?
  • How secure is the operating environment (and how do they know?)?

If the buyer sees that the seller owner has done a good job on the above for both their current customer base, and their operating systems and environment, they are in a position to look at the size and complexity of a proposed portfolio and judge its impact on their existing operations, on their current and expected capacity utilization, and on their capability to seamlessly assimilate the new customer base.

Buying assets is less stressful than selling them.  Some buyers are not as rigorous as I have indicated. They may tend to take care of many of the issues by saying that they will change everything any way, or just discount the price and increase holdbacks until they put the owner’s house in order.

Being an organized seller, and having information to show a history of best practice management, increases the probability of a good outcome for both selling and buying owner, their employees, and for their new customers.

Buying portfolios of simple clients from professionals who want to retire, but also want their customers and employers well taken care of, is a natural buy.

The Agreement
Most sales are asset sales, where sellers are liable for liabilities they created in the past, and may not be known by the buyer until sometime in the future.  The representations and warranties in the Agreement required of the seller are the most important part of the Agreement.  The seller will not realize the full value of the transaction until the representations have shown to be factual over time, and the warrantees paid up in the case of a misrepresentation.  All the activities in the years of getting ready come down to the moment of determining the degree of risk perceived by the buyer in the representations made by the seller in this document.  All the time and energy spent in getting ready comes to a point when the seller can be confident that they can make the required representations about their company because they can prove to themselves that what they represent is true.

The price for not being ready comes to light in this negotiation.  The cost to the seller for not being as ready as they could have been will be hold backs, escrow accounts, discounts, earn outs, uncertainty, and even the end of a deal with a qualified buyer.  The reward for being ready is a closed transaction with a qualified buyer, and peace of mind in a job well done.

Interest Rates Are Rising, Time to Think about “Float” Again

Time to Think about Float Again

The Crash of 2007 to 2010 took even the greatest of the money market funds down.  It taught us that due diligence and liquidity matter.

Those who survived were by in large chastened by a near death experience.  They now long for the 5 to 10% of total revenues that “float” and higher interest rates brought them.  Rates are rising slowly.  It’s time to start watching the signs and learning about where to invest funds.  You will find that the environment has changed.

What happened to the markets as a result of the crash?
The Fed got serious about regulating shaking banks and mortgage companies who used “boiler rooms” to sell poor quality paper to money market funds.  The also dropped interest rates to zero by buying government paper and mortgages, and we know that as interest rates fall, the price of fixed rate paper goes up.  High grade paper is now that unsustainable high prices, which will drop very quickly when the Fed starts to both sell their fixed rate holdings and push rates high enough to encourage investors to come back into the market.  Today those investors, like you, have mountains of cash sitting on the side lines waiting to get a decent return.

What happened to money market funds as a result of the crash?
Many went out of business.  Some drove away customers who had to wait months to get their funds back.  Some left because regulators said they needed more capital and better business practices if they wanted to play again.  The industry changed.  Prior to the crash almost all money market funds promised immediate payment on demand to return $1 for each $1 invested.  When the crash came many found that when they went to sell fixed income paper, they could not get a dollar for it.  Market prices had fallen and they could only get 90 to 95 cents on the dollar.  The difference wiped out their capital, and money market share holders lost money.  If the money they had invested was tax money, for example, they had to make up the difference by using their own capital and lines of credit.  President Bush stepped in and said that the Government would “insure” that no money fund would fail.  His action saved the market.

The surviving money funds, with a push form their regulators, changed the way they did business.  Today you can invest in money funds which invest only in government paper.  From them, they promise that they will pay back a $1 back for each $1 invested.  Because they deal only in high grade government paper, investor will get paid a lower return, but get better liquidity, lower risk, and lower management fees than money funds which do not promise a $1 for $1 exchange value.  A new group of money market funds will reprice the net asset value (NAV) of the portfolio of fixed instruments they hold, at least daily, much like equity and bond mutual funds do today.  Investors in these money funds will be subject directly to moves in the interest rates and general bond markets.  If rates go down, they make money.  If rates go up, they will lose money.  If you have a tax account with $10 million which is invested in an NAV money market fund on the day the Fed raises interest rates 25 basis points (as promised), you lose.  If interest rates today are 2% below normal, and the markets “revert to the mean”, you are on track to lose much more.  Your losses will come out of your cash flow, working capital, savings…

Some of you will make that bet, no matter what I say.  Most, I hope, will act more prudently.  The markets are stacked against the speculators at this time.  If rates stay low, you will earn nothing from your float but the meager “compensating balance rate” your bank will pay you to buy down your bank service charges.  If rates go up your income goes up (depending on the credit quality of the paper you are buying, and it’s duration), but the value of your position will go down in an NAV fund.

You should avoid this risk by using highly rated and ethical money market funds; managed by experienced managers with good track records who will return to you $1 each invested $1.

It’s time to do your homework, to select strong and well managed money market funds, and to start moving funds out of very low returns on your banks compensating balance earnings credit, and into qualified money market funds which will return all your principle at your request for liquidation.  Your investment advisor can help you on the phone or online.

Regulation on the Horizon, Cybersecurity a Threat Now

Regulation on the Horizon, Cybersecurity a Threat Now

Fintech:  computer programs and other technology used to support or enable banking and financial services

Banking:  a bank is a financial institution that accepts deposits from the public and creates credit.  Due to their importance in financial stability of a country, banks are highly regulated in most countries.

HCM:  Human Capital Management brings together payroll services, talent management, human resources management, time and labor management, and benefits administration.

(attribution for these definitions: google, the company that “does no harm”)

Regulation:  a rule or directive employed in controlling, directing, or managing an activity, organization, or system, and maintained by an authority and having the force of law.

The three financial service segments listed above have many good and bad things in common.  At their most basic level they all deal with third party flows of funds, and with important corporate and personal data through activities and systems which, if done well, bring great value to customers and providers alike.  If done poorly, recklessly, and/or through fraud can destroy people, companies, and financial systems.

Banks have been regulated by societies for three thousand years; sometimes well and to the benefit of their citizens.  Sometimes poorly to their citizen’s dismay and ruin.

Fintech and HCM will be regulated, but are not yet.  Unregulated they run the risk through negligence, fraud, poor architecture, or insufficient protection (from attach, breech, and failure) to protect customers and third parties from harm and loss.  In a civil world, much of the regulation would come from internal safe and sound policies and practices.  We, unfortunately do not live in a civil world.  Good behavior needs to be reinforced by a governing authority and the force of law.

Regulation will come, but you can and should prepare for it.
Great vision and values for a company are fundamental to self-regulation.  No vision, no values.  No values, no ethics.  No ethics, no morals.  No morals, no rules, no responsibility; everything is fair game.  No responsibility, more regulation!

Great vision, values, strong internal business practice, and regulation by third parties takes some of the fear and threat out of business.  Loose controls of customer tax and benefits payments add risk to service providers.  Strong rules, controls, and audits decrease those risks to the provider and to the system of funds flows in the country.  They decrease the possibility of errors and fraud.  That’s good because to most fintech and HCM companies the flow of funds they handle vastly exceeds the capital owners, shareholders, and even their insurance companies have to deal with a major system failure.

Have I got your attention?  If I have, send me an e-mail saying “you have my attention fear monger!”

My fear of inattention to cybersecurity threats is even greater than my fear of flow of funds risks outlined above.  We know how we should control funds flows.  We greatly underestimate the risks of gathering, storing, using, and protecting data and flows of data.

New York State is focusing on things that I fear in data flows and cybersecurity.  They are passing banking regulations that frankly sound like good business practice, and which I hope will become the standard of care in the fintech and HCM world, and, your own company’s standard of care and good business practice.  They are focusing on business (banks) and their owners (members of the Board of Directors and senior management).  We can learn from their activities and focus.  Some of the areas of focus:

  • Written cybersecurity programs
  • Written cybersecurity policies and incident response plans
  • Continuously trained cybersecurity personnel
  • Limited access privileges

Cybersecurity programs refer to:  identification of cyber risks, policies and procedures to protect data, detection of cybersecurity events, responsiveness to events to mitigate fallout, recovery restoration of normal operations.

Cybersecurity policies and incident response plans include:  information security policy, data governance rules, access controls, business continuity and disaster recovery plans and resources, capacity and performance planning, systems operations, systems and network security, systems and network monitoring, systems and application (including Report Writer) and quality assurance, physical security, customer data privacy, vendor and third- party service provider management (think API’s and third party software), risk assessments and incident response (internal and external).

Third Party personnel management programs include:  identification and risk assessment of third-parties, third-party cybersecurity work and practice standards, due diligence processed used to evaluate the adequacy of third-party cybersecurity practices, and periodic assessment.

Additional requirements:  annual penetration testing and vulnerability assessments, on-going existence of audit trail systems, limitations and review of access privileges, written application security procedures, annual risk assessment of the confidentially, integrity, and availability of information systems, adequacy of controls, and how identified risks will be mitigated or accepted, multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access, monitoring of authorized users, encryption of all nonpublic information held or transmitted.

The lists have been produced by Astech Consulting, a firm I have known, advised, used, and respected for years.  You can review what they do for their clients and for you at

The price for being prepared in terms of time, effort, and investment is moderate.  The cost of neglecting these best practices can be the loss of your company and numbing lawsuits.  The consequences of failure are so important to how we do business in the future is so high, that these financial services will be regulated.

Best to be ready.  Best for your customers, for you and for your business.

Cyber Security

Cyber Security | Henshaw/Vierra Management Counsel, LLC

The Words Which Must be Spoken and The Actions Which Should Be Taken

I have long harped that cyber security is a problem and that because the HCM community deals with critical financial and personal data, and large flows of funds that serious players should look at highly regulated industries and see what they and their regulators are doing to clean up their act.

The rules and regulations are beginning to pile up: federal, state, and local; governments, regulators, industry guidelines.  Some are helpful. Some are expensive to implement.  More are finally coming.  Some have teeth in them which could cause banks and clearing houses to impose restrictions on their customers, including cutting access; some are more than implying that non-compliance and certain cyber security breaches, particularly by insiders, could constitute fraud.  Courts and insurance companies are beginning to reconsider how they need to respond to data holders liability for breeches, mishandling of data, and quality of security taken to assess responsibility and levels of harm.

Here are some policies and practices that are coming to the fore, and may help focus your attention:

  • Written Information Security Program
  • Incident Response Plan
  • Acceptable Use Policy
  • Account Access and Password Policy
  • Clean Desk Policy
  • Patch Management Policy
  • Portable Device Policy
  • Remote Access policy
  • Threat Protection and Monitoring Policy
  • Vendor Due Diligence Policy
  • Disaster Recovery Plan and Protocols (and testing)
  • Anti-Money Laundering Policies and Procedures

Some of these policies focus internally on the company.  Some deal with issues that frankly are new to the industries many companies use daily but over which they have little or no control.  How secure a customer’s employee mobile device is when they sit in a coffee shop using public wi-fi to access data on your servers and move funds around is one that haunts me, daily.

The Vendor Due Diligence Policy involves HCM companies in many ways: their vendors are vendors through them to their customers, they use a variety of vendors to deliver their services from regulated banks to a wide group of unregulated and lighted vetted API linked partners.  If one is only as strong as their weakest link, 360 due diligence seems pretty important, and still seldom seriously used.

I attended a technology conference recently.  It was not the first time.  The difference was that for years the conference was small, had young people gathered around electric plugs in the hall way, and the great event of the week was having a security agency put the most secure software they currently had in a room with the participants and timed how fast it took to break the code.  Never more than 40 minutes.  This time there were five times as many people, half people who were looking for better people, developers, software, and merger candidates.  A sense of urgency is beginning to fill the air.

I think that the cyber problem may very well start to be addressed as the process audits that the banking industry primarily started are driven through the system to service providers.  Historically, the first couple of steps were pretty meaningless. Remember the SOX 1 auditor who came in an asked you what you did, reviewed whatever you gave them, and then gave you a gold star when they saw that you did what you said you did, whether it was complete or not?  The second step began to actually set some templates which were not based on what you did, but what you should be doing.  That was better.  The next steps will be much better.

Many companies are running penetration tests.  It’s good, but not enough.  Running tests on legacy systems tell companies things they may or may not want to know.  They may not but get specific enough on details, in many case, to find all the weaknesses.  Few companies have wanted to even try to fix the problems.  But processes are getting better now.  Automation is here to the scanning existing code, new as well as legacy. It is improving security and the performance levels.

But, companies need to go further to protect against new types of attacks.  Hackers work 24/7 to exploit systems to expose information or shut down systems.  Audits need to be broader and deeper, and the audit results need to be reviewed for accuracy and findings need to faced and fixed.  The fixing gets to be more interesting as companies move control of their IT environment into the cloud where they have little or no direct control, but still bear the liability for loss of data or access, identity theft, etc.

We are making progress.  The conference showed me that more companies, owners and boards, regulators, and key process providers are getting involved.  I am seeing a lot more resources coming into the market place.  The cyber security industry is undergoing great change.  More and better tools are being developed.  Large amounts of data can be scanned.  Systems can be scanned for abhorrent behavior very quickly to isolate issues and focus remediation efforts.  However, I want to see more developers and their sponsors get involved and do all they can to increase protection; more insurance companies defining their coverage better; and, more courts getting involved in enforcement actions.  Participants need to get the message that their cyber table manners need to get better fast or they may be too risky to be part of the future.

As independent businesses, you can now find ways to act, policies to consider and put in place, and to build a cyber team so that you and your customers are better positioned to compete in the new cyber environment.

Thinking About a Board of Directors

Thinking About a Board of Directors

Is it time for you to consider forming a Board of Directors?
Starting your own Company, for most, was not the job for a committee.  For most founders, it’s the work of one and maybe a couple of partners, taking risks because they are convinced that they can serve customers better than the known competition.  It’s making decisions with partial information and a small budget.  It’s long hours for weeks, months, and even years.

Along the way, the founder may find help from an accountant, a lawyer, and a banker who can provide some practical help for specific issues, but there is little risk sharing going on in many conversations.  Casual advisors can be helpful, share war stories, and empathize.  But when markets are disrupted and hard decisions about “the next five years” come up, the founder falls back to the Board of One.  They get lots of general advice, but not always about what goes bump in the night.

Why think about a Board?
Board can be helpful in providing strategic direction, expertise and advice, oversight, and accountability.  The business of providing services to enhance the management of human resources is going through disruptive change.  Successful owners of businesses in the space need more knowledge and background in more disciplines than ever before.  The pace of change requires making decisions about personnel, location, e-business, software, systems management, compliance, human resource management segments (payroll, HR, benefits, insurance…), funds transfers, mobility, cyber security (physical, software, networks), third party vendors, customers, employees of customers, working capital requirements and business finance, possible mergers and acquisitions, and the list goes on.  It’s a lot to think about for the Board of One.

So why expand the Board and not just continue on with a trusted advisor?  Long term trusted advisors and business partners can help, and if you have one, use them.  If you don’t, an expanded Board may help in three ways.  Members can broaden the founder’s knowledge base and experience level, they can ask important questions about the future of the company and founder investments, and they can deepen the commitment level of its members to the company, the founder, and the family.

  • Duties of the Board
    • To advise company management
    • To challenge Board peers, founders, and management by asking thoughtful, direct, and relevant questions
    • To provide the owners with strategic direction in thinking and planning about “what’s next”
  • Board Composition
    • Individual members need to bring specific skills and have demonstrated qualifications to serve
    • Individual members need to be independent, and bring diverse points of view
    • Individual members must be willing and able to trust each other and contribute to a productive Board environment
  • Terms of Service
    • The Board should have set limits on terms of service
    • Set quarterly meetings, mandatory personal attendance
    • The Company should pay the members a meeting fee plus expenses

Consider a Board to help broaden the company’s customer service, expansion into new markets and market segments, plan for the future competitive market place, and to help in succession planning.  As I look at Human Capital Management companies in terms of the skill sets needed in addition to the drive, risk taking, and common sense that successful founders bring to the table. I can list subject matter expertise in payroll, HR, benefits administration, insurance, channel and sales development, technology and IT, compliance, and security as areas for consideration.  In addition, other issues the founder will face in the next five to eight years could be system conversions, mergers and acquisitions, replacement of management teams, succession planning (particularly the evaluation of family or long term employee candidates) can be helpful depending upon the founder’s situation.  Successful candidates for the Board can add to the founder’s background in several of these areas, and make a difference.

  • Questions Boards should ask, that owners seldom ask but should
    • What are core assumptions that drive current strategy?
    • Are we really meeting Company Goals and Objectives?
    • What are the “disruptions” likely to face our industry and our company?
    • Are we in the right business? Are we the right owners for our company?  How do we position our company best to create value?
    • Do we have the right leadership, competence and capabilities, and capital in place to execute our current strategy?
    • Do we have the right tone at the top of the organization to achieve our goals?

What does the founder need to consider when considering a Board?
Board is a committee, but a good Board can be small.  As few as two outside members can work.  As many as five can be helpful.  A good Board member should be independent and willing to speak up.  They may not always agree with the founder. But, the Board works best when all its members can respect each other’s point of view and the contribution they make to making the company better.

There are hard decisions to be asked and answered about management, direction, capital spending, succession, and the disposition of the company in some cases.  The founder must be willing to listen, and to take advise.  The Board knows that it works on behalf of the management, employees, and customers of the company, but for the shareholders.  The founder is often the primary, if not the only, shareholder.

It might be time to review the Board of One, and consider building a Board of Directors.