I recently met a colleague who is CISO at a large corporation in Germany. In addition to all kinds of technical topics, at some point during the conversation we also got to talking about the administrative processes in his organization. At this point in the conversation, the colleague really vented his frustration: he told me about how inefficiently his organization had organized travel expenses.

Due to his job and the large number of locations within Germany, the colleague has to travel regularly. Before the start of each trip, a travel expense application must first be submitted, which must be approved by his direct superior and – more recently – also by his next-highest manager. The processing time varies between two days and several weeks – depending on whether the two approvers are currently available or not. This is because digital workflows that could be used to manage such processes in a lean and timely manner are unfortunately not available in the organization, or only in a very rudimentary form. It therefore regularly happens that a business trip is approved informally by e-mail and then started.

The confusion then follows during billing. Sometimes the underlying authorization is missing and “the system cannot assign the receipts without authorization.” Other times, receipts disappear and have to be uploaded a second time (fortunately, everyone who has had similar experiences keeps every receipt for several months until the respective process has been safely completed).

However, the following circumstance defies description: every single travel expense report is personally approved by the CEO of the German organization. Or sometimes not for several months, according to my colleague: over the course of a year, he sometimes incurs several thousand euros in travel expenses, for which he has paid in advance – and which he is allowed to chase after again and again on a regular basis. This includes having to give reasons why the more expensive hotel y was booked instead of contract hotel x (trade fair time!).

Now the colleague has a company credit card with an extended payment term of six weeks – but it is charged to his private account. The idea is: by the time the debit is made, the travel expense report and reimbursement should actually have been made. Unfortunately, this good idea is undermined by the fact that a pro-forma approval is granted in an unprecedented form of micro-management and control fury – for which the person involved obviously takes a lot of time. I could hardly believe it at first – but after asking several times, I received confirmation that the process is exactly as described for all employees of his rank and above.

Can that really be? Does the German head of such a large organization have nothing else to do? Or is the company securing liquidity at the expense of its employees? I think this is not only shameful in terms of bureaucracy and costs, but also in terms of trust and leadership. What kind of signal does it send when the top boss deals with such issues? The ranks in between lean back and think that the chief will sort it out when in doubt.

For me, this example is also one of a lack of trust, excessive bureaucracy – and a sign that the organization must be doing very well if it can afford something like this. But who knows: maybe all the outstanding debts to employees are one reason why the company is doing so well?
