In today’s competitive environment, enterprises are under enormous pressure to focus valuable resources on initiatives that provide value. The inherent issue with most approaches is that the methods used to determine organizational priorities are often flawed by focusing on compliance as a primary navigation aid. A “compliance only” focused program can have a huge effect on performance. Of course, compliance is crucial for business survival, but it’s not always the only guidance system to use for value creation.
A solution to this narrow approach is to prioritize efforts using multiple perspectives to offer a balanced approach to determining priorities, allocating resources and, ultimately, providing value. As in travel, you need to have a good fix on your coordinates – location, altitude, heading and speed – before determining future moves. Where most companies go wrong is in choosing only one of these perspectives. Just like using a GPS to help you navigate, you should use more than one guidance system to help you focus efforts.
Having tools available that offer pinpoint accuracy to where you need to focus efforts in an organization is crucial – hence, the GPS analogy. GPS satellites help locate a position on the ground based on their time and position. The GPS receiver communicates with multiple satellites, and therefore determines a precise location on the ground. Decisions around funding, assurance, improvements and compliance are all areas in an enterprise that require resources, and should not be determined with only one signal. The more ‘GPS’ signals you have looking into your ecosystem, the more accurate you can be at focusing your efforts.
Using these multiple guidance systems will drastically improve your chances of success. These four GPS signals can include: 1) Goals cascading, 2) risk scenarios, 3) pain points, and 4) regulatory and compliance (see figure 1).
Figure 1—Using Multiple Perspectives to Prioritize Efforts
Guidance System 1: Cascading goals
I believe that one of the best-kept secrets in our industry today is the goals cascade. The model begins with stakeholder drivers that influence stakeholder needs. Stakeholder needs can be literally mapped to enterprise goals, IT-related goals and enabler goals. The enabler level is a more holistic view of the ingredients required to govern and manage enterprise IT. For example, if you know that a particular enterprise goal is the most important goal for the next year, then you can map that goal through the cascade and determine which processes are critical to its success. The model is already done for you in COBIT, where there is a set of tables that map each of these levels.
Guidance System 2: Risk scenarios
An IT risk scenario describes IT-related events that could lead to a business impact. COBIT 5 for Risk contains a set of generic IT risk scenarios and can serve as inputs to risk analysis activities and their effects on overall business objectives. This process results in the risk register and provides valuable information for informed decision-making. Use the results of this “GPS signal” to come up with the most critical risk scenarios that could hinder enterprise objectives, determine pain points or guide mitigation responses.
Guidance System 3: Pain points
Pain points are those areas that need little effort to identify. Use pain points as perspectives from which efforts toward the governance of enterprise IT initiatives are chartered. This can have a positive effect on the buy-in of your business case and create a sense of urgency and support. The COBIT 5 Implementation Guide identifies some common pain points associated with enterprise IT and maps these pain points to specific processes in COBIT.
Guidance System 4: Legal/regulatory/compliance requirements
No organization can be 100 percent compliant with everything. Synchronize this with your risk management process to determine the right response to each requirement. Some requirements are legally required and must be adhered to, but what level of adherence is the most appropriate?
Aligning your satellites
Each of these guidance systems should result in a very clear list of high-interest areas. Devise a prioritization scheme for each of these lists and normalize them into a single list. Now that the most important areas have been identified, compared and analyzed, more focused efforts can be identified. These results can assist in scoping assurance activities, allocating and prioritizing resources, and ensuring business/IT alignment.
The enterprise exists to create value for its stakeholders. Realizing benefits while optimizing risks and resources requires more than one perspective, or ‘guidance system,’ to fully understand what is required. This post has identified four potential perspectives that worked for one organization. Yours might have more, but should never have less.
Editor’s note: Mark Thomas will deliver a keynote session on using multiple guidance systems for the governance of enterprise IT at the GRC Conference 16-18 August in Dallas, Texas, USA.
Mark Thomas, CGEIT, CRISC, President, Escoute LLC
[ISACA Now Blog]