As we come to the end of 2013 I have been thinking about some of the projects that we have been working on in this time. One area of focus for me has been working with clients to improve their governance around security and GRC. A key part of that work has been helping them define their target operating models, put the right supporting organisational structures in place and get responsibilities and good decision making embedded in operations.
Much of this work is classical Organisational Design (OD), and there are numerous techniques and methods that can be used to assist with it.
Part of OD that is often difficult to articulate is how to really make a team effective.
Teams have to exist within wider organisational structures, and what works for one organisation won't work for another. Budgetary, political (internal and external) and organisational factors provide constraints that have to be considered. Naturally our clients want to know what good looks like. Having accumulated a few hundred years of industry experience among the team has its uses. We are very fortunate to have worked with some fantastic teams, so we spent some time analysing common characteristics and behaviours that could be applied to any situation. These can be summarised as:
- Retain core competency. Overall accountability for security/GRC/controls should not be outsourced. Without retained competency it is not possible to make effective decisions.
- Work with a partner with specialist skills to augment internal capability where required.
- Promote a nurturing and sharing environment. Everyone has skills and everyone can improve. 3rd parties and contractors often don't like to share and a good environment is one where that attitude is not acceptable.
- Invest in internal R&D. This is a great way to develop the skills of a team and generate innovative ideas and solutions to our challenges.
- Maintain strong business engagement. Our remit is to enable the business to run in a secure and controlled manner. That is why we do this job, and not being engaged with this audience means we cannot perform our job properly.
- Know your limits. We frequently work with clients who have spent a lot of money trying to do things internally but have not invested in training or external support. Everyone has different limits, but recognising them is important.
- Automate transactional activities. It is often cheaper to automate than to outsource and/or offshore. It also means that internal and 3rd party teams can focus on complex and/or value added activities.
- Operate strong governance over 3rd parties. Identify roles and responsibilities, embed standards, processes and procedures, and operate contractual penalties for non-compliance.
- Work with, not against, suppliers. There are several common objectives which benefit all parties when they are achieved. Good governance puts in place the framework to support this and to manage under-delivery by supplier or customer.
- Last but not least, integrate with risk management and infosec functions. More often than not there is little to no engagement between SAP teams and the risk management or infosec functions within an organisation. The years of SAP being a siloed application that only moves to the beat of its own drum are over.
I would love to hear any thoughts/observations/things that I have missed. Over to you.