CFO Agenda – Profitability and Active Overhead Management to drive Your Company to Success

Profitability is the key to driving a successful business, and how you do this will undoubtedly make or break many a CFO, with many sleepless nights trying to unlock the secrets to this success. Unless you are an NFP (Not for Profit) business you get up in the morning, get dressed, and off to work to play your part in driving success and delivering sustainable profits. And so, the cycle continues …

However, this cycle can easily be broken by a wide variety of means, for example: new competitors, threats from competitor product innovation, customer migration, poor-quality product manufacture, reputational risk and customer dissatisfaction, and macro-environmental impacts (have you heard of Brexit?).

As a Director and CFO of Merlin Consultancy (Global) Ltd I would like to provide you with insight and tools ‘as your extra pair of safe hands.’ These blogs will provide you with ideas and thought-inducing opportunities for how a CFO can play their part in mitigating the risks to the aforementioned cycle. However, the focus today is on cost control and specifically overhead management within your company.

From our experience, the curse of overheads in any business generally follows a life cycle with the following six stages:

  • High overhead-to-sales ratios in the initial year of start-up
  • Overhead focus and maximising returns post start-up
  • Sales focus takes priority as the business matures and tackles opportunities and threats
  • Overheads are left to their own devices to accumulate and spread like a disease across the company
  • Sales start to plateau and the business settles into a planned trajectory
  • Immediate realisation that overheads are too high or out of control, or that macro threats mean that you need to cut your cloth accordingly and all aspects of the business must be addressed

This may resonate with CFOs who have often grappled with fellow execs over wage constraints, marketing budgets, premises decisions, travel & entertainment levels, procurement decisions etc., and who have seen all of these, and more, increase to unsustainable levels or to levels that are completely out of sync with sales volume and business activity.

Fast forward to 2019 and it’s time to cut the clutter and the spread of the overhead disease, and drive overheads back down to a level commensurate with business activity and to a cost which beats your sector competitors and gives you that competitive edge again. I know that many CFOs are still grappling with ongoing regulatory environment demands, planning for/assessing Brexit, and trying to deal with a myriad of other challenges. I know, because we are actively helping clients with these very demands too.

I’ve used and can recommend various tools and methodologies which are available to help you get more control of overheads and understand their absorption across your business. Many of my clients have adopted these with fantastic results, so, for starters:

Understanding your cost base and driving down overheads

Good discipline is needed across the following:

  • Engagement and communication of the company’s priorities: When everything is a priority, nothing is a priority. Communicating and driving from the top down the need to control overheads is a great starter for ten. However, this needs careful thought around the messaging and delivery, and attention to tracking how it is embraced across your fellow C-Suite and senior management.
  • Clear definitions of success: Everyone in the company may agree that “delivery of a 5% reduction in overheads” is the goal but differ on what exactly constitutes success. The KPIs and metrics which underpin the delivery are just as important as the £ reduction itself. The KPIs will also help you track and maintain the hard-won rewards and keep the menace that is ‘creeping overhead disease’ from returning too soon.
  • Motivation: Most people are driven by finding purpose in their work and a desire to succeed. A small team who own the communication and KPIs for your overhead reduction programme will provide clear and constant feedback on progress towards the goals and help enable everyone in your company and culture to play their part in the immediate success, the rewards, and the ongoing war against overheads.
  • Activity Based Management (ABM): You need to quickly establish what exactly is driving your cost base and particularly your overhead consumption. A simple yet effective ABC/M model can get to the nub of the key issues quickly, typically with a 70%+ confidence level. Having implemented and delivered many of these, my advice is not to expend huge amounts of time and money on bespoke Activity systems (unless already in place within your organisation) at this stage. A prototype model can be built within MS Excel or similar; build time is totally dependent on data availability and buy-in from your C-Suite peers. Don’t aim too high at this stage: 70%+ accuracy is more than enough to provide pointers to which parts of your business are driving the costs and overheads. Engage a third party to lead and drive this work, as it’s critical that the business sees the output as independent; this will provide you with an immediate ‘antibiotic’ and a step-up in achieving buy-in and confidence.
  • Chart of Accounts (COA) / Trial Balance: ‘What’s not seen is not heard…’ This truism is all too prevalent in business these days. Standard cost centre reporting often rolls up data from your COAs and, for ‘reporting on a page’ reasons, the ‘devil in the detail’ is hidden. Lines of overhead reported at nominal level in your trial balance can go unnoticed as they are rolled up into Management Reporting line items which often hide adverse variances and deep-rooted problems. As the saying goes, “What gets measured and reported gets managed.” The company’s commitment to elevating certain nominal codes and reviewing these means that nothing is left to chance and you can achieve that extra ‘stretch’ to attack those overheads.
  • Use a set of SMART metrics (I will delve into these in more detail in my next blog) and link these to overhead-controlling KPIs which are simple for your peers to understand and buy into, yet effective and easy to maintain and report on.
  • Engage an independent firm to undertake a simple and cost-effective Business Diagnostic (BD): a further blog on these, which consider your whole value chain and not just costs/overheads, is to be issued. From my experience of implementing/delivering BDs, these will more than pay for themselves several times over through the insightful management information (MI) you will receive and bottom-line improvements in a very short time period.

Characteristics of Successful Cost/Overhead Management Programmes

The scope of the programme MUST be clear and everyone needs to fully understand what the programme is going to achieve, including their required input and commitment. If it’s unclear, it isn’t motivational, it isn’t even useful, and it will certainly fail before you even get off the starting blocks. Engage a 3rd-party firm to take the time and effort away and let the CFO focus on other priorities.

Leads to Action

Everyone needs to know how their actions, whether individually or as teams, can help the company meet the objective of fighting the overhead disease. As a driver of the activity levers, each and every C-Suite member has an impact on how quickly, and from where, the overhead disease can spread. Informing the C-Suite of how these levers work and their degree of impact will lead to action and acknowledgement of the problem, which is a good place to be.

I have seen so many such programmes fail because they tried to be too complex and methodological. ‘KEEP THEM SIMPLE’ is my mantra and best advice. Yes, downstream, once the business is wholly on the same page, then you can start to incorporate the shiny suits, the designer clothes, the salon haircuts, but please keep it simple to begin with. As soon as you start building in complexity, fellow C-Suite members will lose interest and think it’s ‘just another finance fad thing.’

‘Communicate, communicate, communicate’ is so important throughout all stages of the programme lifecycle. Regular working groups from across the C-Suite, and C-Suite updates, are essential to winning your war on overheads.

But that’s just the start.

Then it’s time to communicate throughout the company and set up monitoring systems.

Are You Ready to Win the fight with Overheads and prevent the disease from spreading?

You know how to manage your day-to-day operations and are undoubtedly mired in a plethora of other priorities. We are here to help and be ‘your extra pair of safe hands’, so please ‘click here’ if you would like to bring in the wizards from Merlin to win your war on costs and overheads.

GDPR – One Year On …

Regulation, Fines, and the Way ahead.

25th May 2018 was a momentous date in the world of data protection, and has proven to be a watershed moment in re-aligning the rights of individuals and increasing the duties of care on those controlling, passing through, or handling personal data. The UK’s Information Commissioner’s Office (ICO) has also gained far-reaching powers and grown significant teeth in how it can now tackle and regulate data violations and breaches, as well as hundreds of additional inspectors and offices covering all of the UK to help audit and check that businesses are complying with the regulations. The duty of care on the majority of employers and businesses is no longer optional, but mandatory.

The number of high-profile cases, with significant fines being applied by the ICO, has steadily increased since May 2018, and our view is that this will increasingly rise as the ICO seizes the opportunities now afforded to it to improve on, and deter a return to, the previously fairly lacklustre data protection environment.

If you are still wondering what all the fuss is about, here’s a quick recap:

What is GDPR?

The European General Data Protection Regulation (GDPR for short) is built around two key principles.

  1. Giving citizens and residents more control of their personal data
  2. Simplifying regulations for businesses with a unifying regulation that stands across the European Union (EU)

It’s important to bear in mind that GDPR applies to any business established in the EU and may apply to companies based outside of the EU that process the personal data of EU citizens in certain circumstances. This latter point is critical to appreciate for those businesses who may perceive the rules don’t apply to them if they are located outside the EU.

Separately, in case you think Brexit provides a way out of all this new regulation, think again: the UK government has confirmed that Brexit will not affect GDPR. It has also been confirmed that post-Brexit, the UK’s own law (or a newly-proposed Data Protection Act (DPA)) will directly mirror GDPR.

GDPR overview

  • Businesses whose activities involve ‘regular or systematic’ monitoring of data subjects on a large scale (in other words, processing extensive personal information), or which involve processing large volumes of ‘special category data’, must employ a Data Protection Officer (DPO). Their role will be to ensure the company complies with its obligations under the GDPR. They’ll also be the contact for any data protection queries.
  • The above-mentioned DPO can also be employed via what we refer to as a Virtual DPO: someone who undertakes the role of DPO for you in line with a service agreement, without your business having to invest in employing a full-time DPO. This is a service that we at Merlin can cost-effectively offer to all of our clients.
  • GDPR may apply to any business that processes the personal data of EU citizens, including those with fewer than 250 employees.
  • Serious breaches (that is, any breach which has an impact on the rights of data subjects) must be reported to the regulator (in the UK this is the Information Commissioner’s Office (ICO)). This should be within 24 hours where possible, but at least within 72 hours, and the report must include information regarding what led to the breach, how it is being contained, and planned next steps.
  • Individuals will have more rights over how businesses use their data. In some instances, they have the ‘right to be forgotten’ if they no longer want you to process their personal data and you have no other legal grounds (for example, the individual is no longer a customer, so your contract with them no longer gives you a legal right) to keep the data.
  • Failure to comply will result in harsher penalties. Before, the ICO could fine up to £500,000, but the GDPR allows fines of up to €20 million, or four per cent of annual turnover, whichever is higher.

GDPR checklist for UK small businesses

Remember, your checklist needs to take into account past and present employees and suppliers as well as customers (and anyone else’s data you’re processing which includes collecting, recording, storing and using the personal data in any way).

  1. Know your data.
  2. Identify whether you’re relying on consent to process personal data.
  3. Look hard at your security measures and policies.
  4. Prepare to meet Subject Access Requests (SARs) within a one-month timeframe.
  5. Train your employees, and report a serious breach within 72 hours.
  6. Conduct due-diligence on your supply chain.
  7. Create fair processing notices.
  8. Decide whether you need to employ a Data Protection Officer (DPO), and/or consider speaking with us about our cost-effective Virtual DPO (vDPO) services.

What constitutes ‘large-scale’ data processing?

GDPR doesn’t yet fully define what constitutes ‘large-scale’, but some examples include the processing of patient data by hospitals, travel data and transport services, and customer data by an insurance company or bank.

Hanging on to old data?

One of the key principles of GDPR is to require companies not to hold on to personal data for longer than necessary, or process it for purposes that the individual isn’t aware of. Identifying your data categories – what personal data you have, and why – will be very helpful in ensuring you’re compliant with the GDPR. We can help with templates, guidance on retention policies, staff training, guidance on what you should and shouldn’t retain, compliance audits etc.

How does the GDPR define ‘consent’?

Customer or individual ‘consent’ has been redefined and has become much tighter as a result. On top of this, requests for consent can no longer be hidden in small print but must be presented clearly, and separately to other policies on your website or communications – so no more pre-ticked boxes.

Consent may not be required for pre-existing personal data, as long as you have a legal basis that’s compliant with the current legislation (the DPA).

The principle here is that inactivity is no longer a legitimate way to confirm consent. Remember, this applies to you too, as a consumer with personal data rights of your own, and may be a welcome change!

Fair processing notices

It may sound complicated, but a fair processing notice is about giving people clear information about what you’re doing with their personal data. Your fair processing notice should describe:

  • why you’re processing their personal data (the purpose), including the legal basis you have, such as consent (check the ICO’s privacy notices page for more information)
  • the categories of recipients you may be sending the personal data to (customer, employee, supplier, etc.)
  • how long you’ll be holding onto the data (the ‘retention period’), or the criteria used to determine these time periods

You’ll also need to notify individuals of the existence of their personal data rights.

I employ fewer than 250 people. What should I do?

Being a small business doesn’t mean you fall out of the GDPR scope. It’s recognised that small businesses have fewer resources and pose less of a risk to data protection, so there may be more leniency by the ICO in relation to any non-compliance.

However, you’ll still want to ensure you’re compliant with the principles of the GDPR. This is because your business must still comply if it’s involved in regular processing (which includes collecting, storing and using) of personal data. It’s easier to follow the GDPR and get compliant, than to spend time figuring out how you can avoid complying, especially if you’re working without legal guidance.

It’s also important to note that even if your company falls under one of the exemptions, if you’re contracting with a larger company that conducts large-scale processing you may also be subject to the harsher end of the GDPR’s regulation.

Aside from the law, responsible data handling is a basic principle of good business upkeep. If you’re a one-person band but aware that your records are a bit all over the place, have you thought about how you’d explain a breach to your trusted customers?

GDPR consent – how do I get consent from my customers to use their data?

Consent is a key concern tackled by the GDPR and an area which is still quite open to interpretation.

GDPR consent checklist and principles (at-a-glance):

  • Check your consent practices and existing records. Refresh where necessary
  • Offer individuals genuine choice and control
  • Where using an opt-in, don’t rely on pre-ticked boxes or default options
  • Explicit consent means a very clear, specific statement of consent
  • Keep your consent requests separate from other terms and conditions
  • Be specific, granular, clear and concise
  • Name any third parties who will rely on the consent
  • Make it easy for people to withdraw consent (and tell them how)
  • Keep evidence of the consent (who, when, how and what you’ve told people)
  • Avoid making consent a precondition of your business services
  • Consent should put individuals in control, build trust and engagement and enhance your reputation

What are the GDPR penalties?

The GDPR toughens up penalties already existing under the DPA. These existing penalties include:

  • Maximum fines of £500,000
  • Prosecutions, including prison sentences for deliberate breaches
  • Obligatory undertakings, where your company has to commit to specific action to improve compliance

With the introduction of GDPR, these penalties got heavier.

Businesses in breach are liable to a dramatic increase in fines, with penalties reaching an upper limit of €20 million or four per cent of annual global turnover, whichever is higher.

Insolvency will be a real risk for non-compliant businesses as a result of these fines. But bear in mind the possibility that individuals can also sue you if they suffer as a result of your data management. This could be for material damage or non-material suffering, such as distress.

The Way Ahead

Since May 2018 more and more businesses like yours have woken up to just how much GDPR can actually benefit them and deliver real, tangible opportunities and competitive advantage in the marketplace.

GDPR will only continue to make the headlines and evolve; therefore, you should ensure you fully understand the business implications, ensure you are always undertaking Data Protection Impact Assessments (DPIAs), undertake regular GDPR compliance audits, review your SARs process, and have ready access to a DPO for friendly advice and help at all times.

Did you know that Merlin can offer all of these, and that in virtually all cases the cost of GDPR compliance audits will be recovered through data process re-engineering, improved and more targeted Management Information, cost savings, staff compliance and training, and the reassurance that your business has demonstrated that it has remedial plans in place for ongoing GDPR compliance to help alleviate potential breaches and fines?

More importantly, use GDPR to make data work on your behalf, using it in strategy and forward planning. We work at executive level and can help you realise the risks and potential involved with your data.

For a confidential chat to discuss your specific needs, contact Partner/CFO Director Doug Moodie directly, and see how we can help your business flourish in the world of GDPR.