Controls have very real benefits for an organization by improving security, availability and integrity while managing costs. Getting to the point where a sustained positive control environment exists takes very real effort. For controls to be implemented successfully in an organization, there are some essential elements that must be factored in:
Tone at the Top -- First and foremost, the upper levels of the organization must support the control environment and not ask or imply that the practitioners bypass them. A carefully constructed set of controls can be irreparably damaged by the actions of senior management.
Understandable -- The control environment and associated policies and procedures must be clear. They must be both applicable to and readable by the parties expected to follow them.
Add Value -- As important as tone at the top, the practitioners must see the value of the controls. The controls must not be arcane and bureaucratic. They must be seen as adding value both to the organization as well as to the individuals.
Proactively Communicate -- Simply writing policies and procedures is not sufficient. They must be communicated to the organization -- not just IT, but to all relevant stakeholders of each policy or procedure. Furthermore, the communication must move from simple awareness to true understanding.
Training -- In situations where communication isn't enough, training is a must. Sometimes the training involves how to actually implement the new policy or procedure. Other times, training may be needed to ensure the recipient(s) comprehend the new policies and procedures.
Regular Review -- Policies and procedures must be regularly reviewed to ensure that they continue to reflect reality.
Audit -- There must be routine audits to ensure that what is documented is being followed. Variances could mean that training is needed or that the process needs to be revised.
None of this is meant to suggest that controls are more important than adding value. The fact is that IT and management must balance controls so important risks are managed appropriately. A control framework should not impede business, but support it.
At the same time, everyone must understand why the controls are necessary and what the function of each control is. "Just do it" doesn't do much to further understanding. All it does is create another perceived layer of bureaucracy. Take the time, provide the rationale and drive home as many direct benefits to the stakeholders as possible -- not just in IT, but outside of IT as well.
Policies and procedures alone do not create a control environment. Management cannot simply buy a set of policies and procedures and expect IT to follow them. There is far more to the creation of a positive control environment than that. This article listed a number of critical success factors to consider, but the fact is that each organization is unique and must understand what it needs to create and sustain a control environment. The effort is significant, and the journey begins with the tone at the top.