Certainly, the perceptions of practitioners play a large role, but so too do the tone from the top and the pressures placed on the organization. If groups fail to understand the pressures that cause people to bypass the rules, then no amount of policies and procedures will make any difference.
Carefully planned and implemented policies and procedures, along with the right people in the right positions, create a control framework that enables an IT organization to meet objectives while managing risks. The goal of the control framework and IT in general must be to assist the organization by adding value, not simply creating policies and procedures.
The All-too-Often Reality
Unfortunately, the intentional bypassing of policies and procedures is too often reinforced from the top. In other words, senior management creates an environment that rewards the violation of controls: “Just get it done.” Those four words can do more damage to a control framework than an explosion.
As Dietrich Dorner points out in his excellent book, The Logic of Failure, the bypassing of standard protocols rarely results in an explosion, and bypassing them often has a positive outcome. In other words, it is very easy to skip or change the steps in a process to yield a result that is faster and/or cheaper.
This creates fertile ground for the mindset that it is acceptable to cut corners, especially when management lauds the results. Regardless of the perceived benefit, the margin of safety is reduced by the action.
Applying this to IT, how often are policies and procedures bypassed to gain an advantage? For example, how often are changes introduced into production by well-meaning people outside the normal process? Odds are that many of those changes go into production just fine. There are also likely many cases, both known and unknown, where such changes brought the same systems down or had other negative consequences.
In bypassing change management, the seemingly positive incentive is faster deployment to production. The negative is that there are always risks associated with changing the state of anything, and sooner or later an applied change will create an undesirable result.
Critical Success Factors
Controls have very real benefits for an organization by improving security, availability and integrity while managing costs. Getting to the point where a sustained positive control environment exists takes very real effort. For controls to be implemented successfully in an organization, there are some essential elements that must be factored in:
- Tone at the Top — First and foremost, the upper levels of the organization must support the control environment and not ask or imply that the practitioners bypass them. A carefully constructed set of controls can be irreparably damaged by the actions of senior management.
- Understandable — The control environment and associated policies and procedures must be clear. They must be both applicable to and legible for the parties reading them.
- Add Value — As important as tone at the top, the practitioners must see the value of the controls. The controls must not be arcane and bureaucratic. They must be seen as adding value both to the organization as well as to the individuals.
- Proactively Communicate — Simply writing policies and procedures is not sufficient. They must be communicated to the organization — not just IT, but to all relevant stakeholders of each policy or procedure. Furthermore, the communication must move from simple awareness to true understanding.
- Training — In situations where communication isn’t enough, training is a must. Sometimes the training involves how to actually implement the new policy or procedure. Other times, training may be needed to ensure the recipient(s) comprehend the new policies and procedures.
- Regular Review — Policies and procedures must be regularly reviewed to ensure that they continue to reflect reality.
- Audit — There must be routine audits to ensure that what is documented is being followed. Variances could mean that training is needed or that the process needs to be revised.
None of this is meant to suggest that controls are more important than adding value. The fact is that IT and management must balance controls so important risks are managed appropriately. A control framework should not impede business, but support it.
At the same time, everyone must understand why the controls are necessary and what the function of each control is. “Just do it” does little to further understanding. All it does is create another perceived layer of bureaucracy. Take the time, provide the rationale and drive home as many direct benefits to the stakeholders as possible — not just in IT, but outside of IT as well.
Policies and procedures alone do not create a control environment. Management cannot simply buy a set of policies and procedures and expect IT to follow them. There is far more to the creation of a positive control environment than that. This article listed a number of critical success factors to consider, but the fact is that each organization is unique and must understand what is needed to create and sustain its own control environment. The effort is significant, and the journey begins with the tone at the top.