In today’s high velocity business environment, it’s easy to lose sight of some basic governing principles that might be viewed as cumbersome and restrictive. Be careful, because governance principles exist to ensure the proper balance of performance and conformance when achieving business objectives. If your organization ignores its essential internal controls, it can introduce vulnerabilities that were never intended. Those vulnerabilities can then expose you to risk scenarios that could thwart your achievement of business goals. One of the key components of your governance system is policies, and this blog post is the result of my thoughts and experience in this area.

Ready or not, digital transformation is here

The Fourth Industrial Revolution, often referred to as the “digital transformation” age, is here. Whether you are on board or not, it is certainly going to affect your enterprise sooner rather than later. Going digital is on the tip of nearly every business and technology leader’s tongue today. The term itself differs by industry and organization, but at a minimum you should define its value in business terms. It is, of course, impossible for business and IT leaders to devise and pursue an effective digital transformation strategy without a solid grasp of the term itself. Here’s my definition: Any digital transformation effort should be focused on driving value.

A major factor in this transformation is the need for new and innovative technologies that enhance user and customer experiences. However, as we extend our digital capabilities, we should also be mindful of our governance, risk and compliance structure. Now that we have evolved digitally, why haven’t we evolved our governance structures too? Of course, there are some inherent obstacles to success: resource requirements, new vulnerabilities, organizational silos, thinking this is an IT responsibility, concerns over IT capabilities, and failure to consider customer/user experience (CX/UX).
All of these can be mitigated by updating your governance system so that it focuses on the value aspects of delivering benefits while optimizing risks and resources.

Time to take a look at your governance system over enterprise information and technology

Digitized enterprises are increasingly dependent on information and technology (I&T) for survival and growth. Given the importance of I&T in supporting the enterprise in achieving its objectives, Enterprise Governance of Information and Technology (EGIT) is an integral part of any governance framework. According to the latest release of the COBIT framework, COBIT 2019 by ISACA, a governance system should consist of the following governance components:
You may recognize these as enablers from an earlier version of COBIT, and they are finally getting the attention they deserve. Think of these components as the ingredients of a governance system. They can be addressed independently, but should be used as a collection of interconnected requirements. This helps you fully grasp how technology organizations can meet the various governance or management objectives that support a governance system. The complex interconnections between components can invalidate your efforts if you don’t understand their connections and dependencies. For example, if you make a major change to a PROCESS, then you should also look at how that affects, or is affected by, the other components. Here is an example of a client who had great intentions, but completely misunderstood how this ecosystem works:

Policies are critical to the governance system

One very important governance component in today’s high velocity environments is policy. Too many organizations outpace their policies when aggressively pursuing a digital posture. This creates more confusion and vulnerabilities than necessary. There are many elements involved in understanding policies; these are outlined below.

A principle is a clear expression of the core values of the enterprise. Principles should be limited in number and expressed in simple language. Principles influence policies and are driven by culture, legislation and regulations, standards, and most importantly, the enterprise’s values and vision.

A policy is a statement of principles that supports the achievement of the enterprise’s goals. Policies are the communication mechanism used to convey direction and instructions and are central to enterprise governance systems. They guide organizational principles or requirements that set the directional tone and can be applied to an entire organization, a department or a specific area.

Finally, a procedure supports policies with more detailed activities.
Procedures should have an internal focus and can connect related functions and processes. Think of procedures as an established way of accomplishing the outcome of a policy. This can be through the use of processes, practices and activities.

Now that I’ve reviewed some basic definitions, it’s time to look at my thoughts on how you can either establish or review your policies to ensure they are not being left behind.

Step 1, understand your policy “ecosystem”

My quest for policy framework guidance started when I was doing a COBIT process capability assessment for a client a few months ago. They asked me to assess their policy framework maturity. This organization was in an aggressive growth phase and actively funding a digital transformation effort. They wanted to ensure that their governance framework, more specifically its policy component, kept pace with their modernization efforts. I searched everywhere, but the only framework with any substantive guidance at this level was COBIT. Of course, there are plenty of articles and whitepapers on do’s, don’ts and good practices, but nothing solid. Based on my previous experience and research, my first task was to determine what I call my altitudes of policy, as illustrated below:
These altitudes helped me understand where policies fit in the larger picture. Your organization may see this differently, but my advice is to really understand your terminology. Your ecosystem could look completely different from mine.

Step 2, understand key practices and activities

My second task was to determine HOW I was going to set up the practices and activities within a policy framework to analyze and assess maturity. I decided to make my own guidance using the COBIT format. As you can see below, we have key practices supported by activities. I used these as the basis for my evaluation. You might think of these as control objectives. Of course, this is not an exhaustive list, but it provided a basis for my understanding of what should be accomplished.

Practice 1. A policy framework is documented, approved, and enforced
Practice 2. A policy lifecycle management system is approved and recognized
Practice 3. Policies are communicated and distributed to all stakeholders
Practice 4. Policies are monitored, enforced and maintained
Practice 5. Technology is used to support the policy framework
Practice 6. Each policy should meet good practice criteria

Although the practices and activities identified above may need some updating or consolidation, they are a great start for determining the requirements of your policy environment and are not dependent on the size or type of organization. As far as I know, this is the first set of publicly available “control objectives” for policy assurance in our industry today, so it is a work in progress.

Step 3, determine a consistent approach to measuring and assessing maturity

There is much confusion right now about maturity and capability models. As of this writing, I have not found a definitive resource to assist in assessing and rating the level of maturity of a policy framework. My next step was to create a maturity model for the policy component.
Since my client was asking for an assessment of their policy framework maturity, I chose to turn to CMMI to help me with this. Stay tuned; that is the subject of a future blog post.

Conclusion

The scope of this blog post is the policy framework associated with the enterprise’s governance over enterprise information and technology, not the entire organization. What you have just read is what I believe to be the first set of potential control objectives for policy frameworks. As mentioned earlier, they may exist somewhere, but I couldn’t find anything clean and concise, so I made my own based on many different standards, bodies of knowledge and client needs. Look out for an upcoming blog post on how to create a maturity assessment of your policies.