Recently we hosted a well-attended webinar on the topic ‘Governance: A tool for Growth’ by Alicia Perez Director of IS Audit. With a number of inquiries coming in, we decided to sit down with Alicia one more time to bring you this 2 part fireside chat on what makes Governance so important. In case you missed it, you can read part 1 of this conversation on our blog.
What about volatile Industries where things are constantly changing?
- Review has to happen more frequently, access to good data quality insight becomes critical to increasing the speed of decision making.
- If you’re operating in that space, the business has to be designed to be nimble to quickly respond to changes. We could talk for hours on this, even terms of a mindset and culture that is necessary for this
Where does this portfolio fall in your strategic management?
AP: “The strategic planning process is an executive responsibility but it must take tactical input and cascade throughout the organization. What usually happens is your executives takes on the strategy, your operational managers and senior managers take on the tactical plan and your line managers are going to drill that right down to somebody’s individual work plan. Similarly, with risk, executives/the board define the risk appetite and then each division inherits that to determine what initiatives can go into their portfolio. If you want to do something that’s outside of that then you’re going to need special approval to do it. Internally we use that same risk appetite as a basis of reviewing processes and procedures and highlighting the areas where we’re operating outside of our risk tolerance because risk tolerance means that this is the amount of risk I am comfortable in undertaking to get where I want to go; nothing is risk-free.
Something that it’s probably the most difficult for internal auditors to appreciate is this: we tend to be more conservative in our thinking but it is the business’s prerogative to understand that visibility is just as critical to governance. If it is that we’re going to make this decision, stakeholders must know how they are going to get behind it before we can execute. Certainly, things are different in a regulated environment these companies can’t just jump up and say we’re going to do something risky and new because there’s just too many people depending on them to continue to provide services. However, if you’re thinking about small companies there is definitely a lot more latitude in terms of the amount of risk you take on and how quickly you can transition.”
What is a step by step process for small businesses who can’t afford that kind of risk?
Ok, let’s start with just assessing where you are today let’s have a conversation about what you want to do, who are you, what business are you in. some people find themselves in the ‘whatever business makes money right now’ business, but that doesn’t work well long term because it negatively impacts your resource development. So, let’s first define what business are we in and where we want to be in the next 3-5 years. Once we have that defined, let’s build a plan of what are our plans are in year one, what initiatives need to be undertaken and all the sub-supporting projects that need to be completed.
What kind of people do we need to get it all done? How many of those people do we have now? What does our development plan look like if we were to develop our staff to be those people? How steep a learning curve are we anticipating and how much time is it going to take? Can I just buy those resources elsewhere? lots of companies are opting for outsourcing now simply because sometimes the skill set is just too difficult to maintain or too expensive to maintain in-house.
Measuring & Managing
An important factor to determine is how do I know when I get to my target state, how do I know what it should look like and what can I measure to see if I’ve gotten there. Alright, so if that’s where I’m going and that’s what that looks like, what do I incrementally do over the next 3-5 years so I can see if I’m getting to where I’m supposed to be? Sometimes we think we need to take on everything now and we really don’t have a strategy to move from where we are to where we want to be, and I think that’s probably one of the saddest things when you see a small company with good ideas, good people, and a desire to be great but are just misguided, you just cannot take on all these initiatives at once.
Now you have a budget, you’ve had a good year and you’ve been very diligent in building up this money to expand your business and because you’re not so knowledgeable with the space you’re not aware of what’s available in terms of technology or solutions which are the quick steps you can take to transition. Then you get trapped into a sales pitch you acquire some technology or acquire some solution, you hire a consultant and then one year down the road you have gone through 70 percent of your initial budget and you are nowhere near where you expected to be.
Get Good Help Early
It is critical to partner with the right people or the right company that has already been in the space long enough to know what they’re doing. Remember, vendors are there to make money so they’re going to give you the best sales pitch and if you’re not sure what you want they will sell you what they have, and sometime after you’ve bought into it, you then realize you can’t return it. You’re stuck with it, and there are too many organizations kind of limping along with solutions and systems that are not fit for their environment or budget.
You describe Governance as being very structured, incremental and organized. What is the Importance of discipline to this process?
AP: “Being great comes at a cost, and in most instances, it is not a product of chance. Key stakeholders must be committed to value-creation (and the definition of value varies by industry and company) and ensuring robust structures are in place to prioritize value creation and maintenance. I don’t believe there is a workaround discipline but accountability frameworks help to ensure the requisite discipline is maintained in the execution of business affairs.
I want to make a point of doing governance in an agile context. Governance doesn’t mean slow or incremental versus transformation. It is simply a reliable vehicle to get us where we wish to go. It is possible to have good governance in an agile environment that requires us to be more lightweight in terms of documentation which goes back to the original point I mentioned at the very beginning – if we don’t need it, don’t produce it. Which is one of the fundamental benefits of agile – we waste a lot of time and give governance a bad name by doing unnecessary things. If your only value is to check off an audit report, go back again and look for real value because real auditors are concerned with creating value and preserving that value, so the activity should do one of those two things.”
What is the value of acknowledging incremental success?
AP: “That’s what agile ensures: from each sprint, there is at the very least a minimum viable product, a minimum testable product that we can say is a result of our efforts. We then either test it on the market or pass it to someone else to review, but it keeps people engaged. Sometimes we burn out on very long projects all because it just drags on and on. So if you have very small victories along the way it does foster better engagement.”
How Important is it that an executive remains as the champion and true owner of a project?
AP: “Good question and a lot of points can come out of that. Firstly, executives must remain executive and strategic. I say that because the minute an executive gets bogged down in the operational stuff you lose your perspective and become lost in the weeds. You want executives to always hold their heads up and keep the big picture in mind and that’s what we’re depending on them to do. You’re a manager because you have problem-solving skills, that’s why you’re hired – to solve problems. That being said, all initiatives do not need executive ownership. This can and should be delegated, depending on the strategic nature of the initiative. Delegation however, does not relieve the executive team of their oversight responsibilities.
On a side note – we tend to think that only the executive level has ownership, but in a truly efficient company there’s ownership everywhere, it must be a culture of ‘if it comes to me, I handle it, I don’t hand it off.'”
Why do you like Governance so much?
AP: “It’s the bedrock for the achievement of great dreams and aspirations.”
ABOUT THE AUTHOR: Alicia Perez, B.Sc, CISA, CGEIT
Alicia Perez is a Certified Information Systems Auditor with over ten (10) years in the field of business assurance and IT Audit Alicia speaks from a place of technical competence and hands-on experience; she has been integrally involved in a wide range of projects at varying degrees of complexity and has interacted with audit minds in almost every industry throughout the Caribbean.