Busy-work or Good Governance?
Governance is a word that is bandied around frequently these days, but we realized that the scope of what people mean by using the word governance is quite broad. Allow me to define what I feel is the correct interpretation of what governance is.
Governance is a system used in organizations to ensure that the organization fulfills its purposes and reach its goals and objectives. Nothing less and nothing more!
You may say, but is it not about compliance?
Well, let me put it this way: do you think we will reach our goals and objectives if we don’t comply with the necessary legislative or fiduciary compliance requirements?
Surely not; we will run into problems very quickly and fail (or at least fail partially) in our goal to fulfill our purposes and achieve our strategic objectives.
The next person would say yes, but governance is about having the correct controls in place, and indeed, we will not disagree, but even that is a misleading statement.
Controls are normally used to ensure the right things happen and the wrong things don’t. The question we need to ask here, the right things for whom?
YOUR ORGANISATION — yes, the specific organization is the obvious answer.
HOWEVER, if I look at the controls implemented by most organizations, people in the organization have absolutely no idea if the controls applied and implemented are ‘the right thing’ for their specific organization.
Even though the idea of doing the right thing is logical and frameworks like COBIT even provides some rudimentary tools to find out what is right for your organization in the form of the Goals-Cascade, people just don’t get the implications of this statement.
Why do we say they don’t get it?
Because they don’t do it!
They don't take the time to find out if controls are the right thing and (back to the definition of governance) ensure that controls help the organization fulfill its purposes and reach its goals and objectives.
The problem — a significant disconnect between organizational goals and objectives (which surely is the most important reference of what is right for the organization) and controls implemented in most organizations.
The reason for this phenomenon is quite simple; it’s very challenging to puzzle out what is the right thing is, given the specific strategy of the organization and the organization’s specific context (internally, market and macro).
Another popular view developed because of this exercise’s difficulty; if we implement industry best-practice, we should have good governance, right?
Well, actually, NO — that is an incorrect assumption!
Have you ever wondered why something is considered best practice?
Think about it for a moment; it’s because it is proven within a specific industry or context. That means that many others must have done this and say it works, yes?
You should also agree that best practice is defined broadly — it’s a catch-all if you said yes. I can confirm this because I have spent considerable time contributing to developing frameworks and standards in my life. Let's face it, something new never becomes best practice (you need considerable evidence that this has worked before, right). Therefore, by definition, best practices are Old (even though proven) ideas!
Wow, is that really what we want to do? Implement a bunch of old ideas in the hope that it will magically solve your problems — the biggest of which is that you don't know or bothered to understand your specific context, or even worse, purpose and strategy?
Do you want to implement board guidance blindly and cover for all eventualities, even those we will never face?
How is that ‘good governance?
We are trying to make this point here; governance is not equal to compliance to, or about, only applying best practices!
Best practices are there as a guide and a teacher when you face a problem and want ideas on how to solve the problem to work for your organization.
Good Governance is about understanding what the organization aims to achieve and doing everything possible to help them do it, with the least effort, at the lowest cost, AND with the necessary amount of controls — which is also as little as possible to get the job done!
If you agree with our definition of governance, you should also agree that a pragmatic approach best serves the interest of your organization.
If you don't — well, I suppose you can always continue to do things that do not matter, wastes valuable organizational resources, and increase the level of compliance fatigue in your organization — the choice is yours.
p.s. People often ask me how much control environments can be simplified while still providing good governance and demonstrating full legal compliance? This is an educated guess — but based on my experience a good target to work towards!
Wait for it!
60% or more!
Yes, more than 60% of the controls in your organization are either outdated, ineffective, not necessary, busy work, copy and paste from somewhere else (so no relationship to your purpose or goals), a waste of organizational resources, and a total waste of time!
Your GRC team is not doing their work if they don't make it easy for the organization to comply with applied controls. Change the success metrics for the team to the following:
· How many controls were removed because they were unnecessary?
· How many controls were simplified?
· How many controls were removed because it was impossible to measure compliance (therefore ineffective)?
· How many controls were made part of normal operations and specifically automation of processes and procedures (if it’s part of the way the system works, you will have 100% compliance)
· Can you provide evidence of compliance (real data but opinions) for all controls?
· How many controls were removed because root-causes of problems were addressed — and therefore, the control (which was always supposed to be an interim measure ) could safely be removed?
· Can you explain for every single control you have in place what risk it addresses and how that relates to the organization’s activities or goals and objectives? (This one is magic, it catches all the BS controls out!)
· How any controls were changed and updated because they were standing in the way of providing value for customers or good service to customers?
· What is the level of compliance to the set control regime? (Hint, it needs to get better every year if the GRC team is doing their job well!)
I know that many will not like this article- but CxO, if you are serious about surviving the digital future, you need to stop doing things that do not matter and focus on that which does!
Have fun simplifying your control regime and, as a consequence, provide better Enterprise Governance, better services, and products, become more productive and profitable!