City Intelligence
Monday, June 29, 2009
Assessments Critical
One of the most overlooked needs in technology is assessing the organization. Too often we rush forward in our efforts to implement the latest and greatest technology without taking the time for the introspection and self-discipline an assessment imposes. An assessment is more than asking how to implement a new technology; in fact it should be done even when we are not considering new technology. An organizational assessment of a technology investigates the technologies, the people and the processes in relation to the needs of the business in general, or in response to a specific business requirement.
Technologists are often rightly and appropriately excited by technology and want to be involved with the leading and bleeding edge, but too often this eagerness causes companies to begin implementing without regard for whether, when and how these technologies are appropriate for the business. An assessment allows the organization to consider the broader ramifications of a technology implementation. The assessment will look at the people in the organization, considering their skills, relationships and temperaments. It will look at the effects of the new technology on existing systems and data. It will look at the ability of the greater organization to adapt to and adopt the technology. And, perhaps more importantly, it will look at whether the technology is a cost-effective way of supporting the business. In the extreme, bringing on the wrong technology can kill the organization. A prime example is an Internet company which decided that it needed the latest and greatest ATM networks and Sun servers in its datacenter. At the same time, it neglected to maintain sufficient bandwidth to the Internet core. As a result its customers experienced slow connections and tended to find other alternatives. Brought in too late, I wasn’t able to prevent the expense, but when the bank repossessed the expensive equipment, we re-implemented on Linux boxes with faster service.
Another key point at which technology organizations need an assessment is prior to restructuring and reorganization, or when they are preparing to change key leadership within the organization. Too often, organizations rush to make changes, or to put a leader in place, without first understanding what the underlying issues in the organization are. The result is that the changes add to the chaos rather than resolving it, or that the organization hires a leader for what the organization used to be, or for what they perceive it to be, rather than for what it really is. This can result in miscommunication and frustration both for the new leader and for those who hired them. Too many organizations hire a CIO when what they need is an IT manager or perhaps a director. Too many organizations hire someone with specific skills in their current star technologies rather than someone with skills that complement their problem areas.
Assessments are also critical when a company is considering purchasing or investing in another. Mergers and acquisitions are notorious for failures resulting from integration problems, yet when companies are in the due diligence stage we find them spending millions on reviewing financials, looking at customer bases, and analyzing markets. The extreme case was a company that called me in for an assessment after the acquisition. While the company had been bought for its leading edge technology, no one had looked at the technology prior to the sale. After the sale, what I discovered was that all of the technology was either obsolete – some rather extremely so – or engineering prototypes which were being sold to customers and generating support costs that far outweighed their revenue.
Periodic assessments are also important for technology organizations. The fact of the matter is that technology is not static. There are constant changes and improvements going on in virtually all aspects. At the same time, technology skills degrade. Not only does the technology knowledge base change, but technologists forget the skills they don’t have the opportunity to use. This means that it is a constant battle of training, hiring and practicing to keep technologists up to date and to ensure that the technology in the organization meets its needs. This also means that it is extremely difficult for an organization to properly assess itself. Most often, no one in the organization will have the skills and perspectives required. We see this happen to whole industries as well, where the mantra becomes “our industry has special needs and does things differently.” Yes, it’s true: your industry, by remaining insular, has fallen behind and has special needs, but the good news is that those needs have already been met in other industries and all it takes is cross-pollination of experience.
Monday, June 15, 2009
Keeping Internal Audit IT’s Best Friend
Many technology leaders fail to realize that Internal Audit is Information Technology’s best friend in the corporation. Internal Audit is highly effective at promoting IT’s successes, adding emphasis to IT’s requests for funding, ensuring a record of compliance, and providing inputs for future planning. With these potential benefits, it is essential that IT cultivate its friendship with Internal Audit and avoid creating an adversarial relationship.
In the corporate world it is challenging for a support organization such as Information Technology to receive the kind of recognition that comes easily to departments which exceed sales targets, produce record numbers of widgets, or bring on board important new customers. While acing an internal audit will never achieve the same level of recognition, it can produce a steady record of success and help instill confidence in the organization. Those other departments also find it easy to justify their expenditures – hire 4 sales people and achieve five million in sales, or spend $2M on a marketing campaign and increase sales by 20%. IT expenditures are often much more challenging to justify. How do you quantify the returns of a backbone upgrade? Or new firewalls? The easy way is with a report from Internal Audit.
When external auditors or accreditation bodies come around, it’s almost guaranteed that something will go wrong - a report will be missing, or one of the required checks will not be performed. If this is all there is to the story, then it isn’t going to be pretty on the report. But, on the other hand, if Internal Audit records show a history of the action, it’s only an occasional incident and the effect on the final report won’t be nearly as severe.
So with everything to gain, how do we keep Internal Audit in our corner? The keys are: be open and honest with the audit team; negotiate the timing and scope of internal audits, expanding them to cover your concerns; create an atmosphere in your team that encourages good relations with the internal auditors; and seek rapid feedback to prevent surprises.
Being open and honest helps prevent an adversarial relationship from developing. It keeps the internal auditor from being suspicious and starting to hunt for issues.
Negotiating the timing and scope ensures that audits happen when you want them, and when they will cause the least stress and therefore the greatest cooperation with the audit team. In addition, negotiating the scope allows the opportunity to expand coverage to areas that you are concerned about. Saying “I suspect there are some issues in this area, let’s go find them” goes a long way toward establishing IT as a team player in the company, one that is more concerned about getting things right than about covering its hide.
Finally, good relations and rapid feedback help keep down surprises. Internal Audit has no intention of creating any more surprises than you do. Surprises make them look suspicious to others in the company as well, and surprises on an external audit make them look like they are not doing their job. External audits are always going to find something to write about, but if it is something that IT and Internal Audit have already presented, the impact is minimized. And if it is something that has been specifically left unfunded, then the issue isn’t left with IT and Internal Audit.
Labels: audit, internal audit, IT audit, Management
Monday, June 8, 2009
Creating Effective Compliance
One of the great trends of the last few years has been the attempt to increase effectiveness through the creation of compliance standards. These standards, either mandatory or voluntary, attempt to codify “best practices” and other guidelines into organizations to the point where they cannot fail to be effective. All too often, however, the approach has the exact opposite effect. Instead of creating effective organizations, the application of compliance criteria creates bureaucracy and stagnation within the organization. To overcome these effects we need to look deeply at the purpose of the compliance regime and see how it applies to the business, in order to determine an approach for implementation that increases, rather than decreases, effectiveness.
All compliance regimes (ISO, SOX, 21 CFR, PCI, HIPAA) have a core purpose in mind when they are created. That purpose may be to increase security, to enhance privacy, or to encourage openness or consistency in the business. Based on that principle, the authors of the specific guidance have chosen particular details which to them embody that purpose. The rest is a description of how they can recognize the result. What the authors have not done, and perhaps cannot do for various reasons, is provide clear guidance as to how those details should be translated to a particular circumstance. As a result, all too often the compliance regimes take on the flavor of rigid mandates with diminishing relevance which introduce inefficient practices.
Instead of viewing the compliance documents as a strict list of mandated actions, effective implementation demands that we first seek to discover the core purpose that the tasks are trying to accomplish. In this mode we view the lists of tasks not as a simple rote exercise, but rather as the authors’ attempts to communicate that core purpose. Once we uncover the core purpose, we can explore how it applies to the current organization and its functions. When this is done, we may find new relevancy in the given list, or we may find that the purpose is already accomplished, or needs to be accomplished, through some other method.
Having either discovered the relevancy of the given lists, or having discovered existing or alternative means of accomplishing the core purpose, we are now ready to implement a compliance program that is effective and adds to the effectiveness of the organization. As part of this we need to document how we are accomplishing the core purpose and what that means in terms of our organization. This not only helps us clarify our understanding, but it also gives any evaluators a means of casting their evaluation into the same focus.
Labels: effectiveness, evaluation, HIPPA, ISO, SOX, standards