Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Partners
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Careers
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Blogs
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
FAQs
We've put together a comprehensive list of frequently asked questions - along with our responses - to the most common GRC and SAP security issues.
19 December 2013

Common Characteristics Of High Performing Teams

As we come to the end of 2013 I have been thinking of some of the projects that we have been working on in this time.  One area of focus for me has been been working with clients to improving their governance around security and GRC.  A key part of that work has been helping them define their target operating models, put in the right supporting organisational structures and get responsibilities and good decision making embedded in operations.

Much of this work is classical Organisational Design (OD) and there are numerous techniques and methods that can be used to assist with this.  

Part of OD that is often difficult to articulate is how to really make a team effective.

Teams have to exist within wider organisational structures and what works for one organisation won't work for another.  Budgetary, political (internal and external), & organisational factors provide constrains that have to be considered. Naturally our clients want to know what good looks like.  Having accumulated a few hundred years of industry experience among the team has it's uses.  We are very fortunate to have worked with some fantastic teams so we spent some time analysing common characteristics and behaviours that could be applied to any situation.  These can be summarised as:

  1. Retain core competency. Overall accountability for security/GRC/controls should not be outsourced. Without retained competency it is not possible to make effective decisions.
  2. Work with a partner with specialist skills to augment internal capability where required.
  3. Promote a nurturing and sharing environment.  Everyone has skills and everyone can improve.  3rd parties and contractors often don't like to share and a good environment is one where that attitude is not acceptable.
  4. Invest in internal R&D. This a great way to develop skills of a team and generate innovative ideas and solutions to our challenges.
  5. Maintain strong business engagement.  Our remit is enable the business to run in a secure and controlled manner.  That is why we do this job and not being engaged with this audience means we cannot perform our job properly.
  6. Knowing limits.  We frequently work with clients who have spent a lot of money trying to do things internally but have not invested in training or external support. Everyone has different limits but recognising them is important.
  7. Automate transactional activities.  It is often cheaper to automate than to outsource and/or offshore.  It also means that internal and 3rd party teams can focus on complex and/or value added activities.
  8. Operate strong governance over 3rd parties. Identify roles & responsibilities, embed standards, processes and procedures and operate contractual penalties for non compliance.
  9. Work with, not against suppliers.  There are several common objectives which benefit all parties when they are achieved. Good governance puts in the framework to support this and manage under delivery by supplier or customer.
  10. Last but not least, Integrate with risk management and infosec functions.  More often than not there is little to no engagement between SAP teams and risk management or infosec functions within an organisation.  The years of SAP being a silo'd application that only moves to the beat of it's own drum are over.

I would love to hear any thoughts/observations/things that I have missed.  Over to you.