Tuesday, April 14, 2015

Governance Mapping: How to Do it Right

It makes sense to have governance processes that are more lightweight and continuous, that focus on results rather than static plans, and that adapt to change.

Many think corporate governance is the best part of a strategic plan, the part that eliminates bureaucracy. Sound governance is about reducing risk and doing the right thing: it is a framework, together with the standards of conduct expected of the board and of the company in the marketplace. Strategy is the reason a governance model gets changed; the question is how the new model fits into the company's ongoing digital strategy. Do you agree that the mapping process can be the starting point for governance in an organization?

Analytics: The starting point of a governance initiative is a stakeholder needs analysis, followed by clarifying the organization's value proposition. Do not confuse governance with compliance! Sometimes there is no clear process owner, or the processes are heavily siloed, so documenting processes as the start of GRC may lack the senior buy-in needed for a successful risk management response from the business. Pegging the initiative to a regulatory objective, or perhaps a corporate objective, gives it a stronger entry point for top-down success. Put simply, processes originate from the business's desire to do work, improve value and margins, and so on. Start with those intentions and their relative importance; risk exposure then stays strongly tied to the business.

Integration: The value proposition of good governance, brand, and compliance should be integrated within and across operations, not siloed off in a box. If the mapping process is to be the starting point for governance in an organization, it will take some time, because process mapping is a long exercise. Governance can begin with frameworks and policies put in place according to the nature, scale and complexity of the organization, but understanding one's risks and conducting a risk assessment remains the core exercise before any controls are put in place in the overall context of GRC. Risk assessments evaluate the activities that pose risk to regulatory objectives; controls are then defined to address them. Mapping helps assess which additional systems and controls you need, compared with what you already have, in order to mitigate those risks. The regulatory compliance mapping phase is about defining requirements and tying them back to an "authority document." Once that is done for one area of concern, the organization can start to define where requirements overlap.

Convergence: There are sub-components of corporate governance, such as IT governance, that need to be well mapped and even converged with business governance. IT governance is a self-defined framework used by the business to judiciously authorize and manage information technology investments and resources so that they produce value in support of business goals and objectives. IT governance defines who has to do what, and who is accountable for it, in order to provide the best IT services in support of business strategy and operational efficiency. It is the role of visionary CIOs to skillfully manage the dynamic balance between governance and innovation. One should also remember that not all control factors for the business lie within the organization: the market in which the organization operates exerts forces that drive the need for innovation and directly challenge governance. Continual innovation in enabling IT technologies makes it even more challenging for CIOs to adopt change, which often requires discarding old governance models and chargeback mechanisms and bringing in new ones.

Agile governance: What does it mean to "relax" governance? Does one throw out all the rules? Doing so exposes one to the risk of catastrophic mistakes, although one could argue that governance often does not actually protect you from those, because governance usually focuses on the risks that people are already well aware of, and on avoiding mistakes they would not make anyway. Transitional periods are often painful for the adoption of change, and old governance models may be counterproductive. Disruptive processes or technologies frequently need some relaxation of the old governance models during the changeover. It makes sense to have governance processes that are more lightweight and more continuous, and that focus on results rather than detailed plans. Don't hold projects to ROI projections, or even to a promised cost. In fact, don't even think in terms of projects. Think in terms of investment streams: areas in which projects are funded, and project the ROI of those. Instead of having a portfolio board meet once a quarter, have it meet more often and address more tactical issues, such as interdependencies across projects. Be more accessible; create less paper and fewer plans. Track intangibles such as "are the business areas pleased with IT's progress?" Instead of creating big plans with detailed cost projections, create lightweight roadmaps that list the project investment areas and the high-level goals for each.

Although risk management is an extremely important component of governance, governance is not only about risk management. Governance mapping helps to identify interdependencies and streamline governance processes. Think big (holistically) and small (focus), think lightweight (agility), think incremental, and most of all, think about how GRC can be delegated and even automated where possible.
