Monday, April 20, 2015
Create the best policy but exclude me from it …
The compliance audit demonstrated significant gaps in the processes and policies, which had left the new CIO in a quagmire over how to get started. The report was indeed incriminating for both the internal and the outsourced teams; there were numerous cases of process being bypassed or ignored, along with weak, ambiguous policies and controls. The task appeared herculean, and the team was smarting from the beating it had received from the CFO, to whom the audit team reported. The CIO had come on board a month earlier and was still undergoing his induction.
Every company that has an active audit function reviews compliance, risk and process strength against defined policies; the frequency of audit varies, but IT figures in the calendar at least once a year. The auditors sift through logs, evidence of process adherence, change requests, documentation, defined standards, IT security, procurement discipline, and exceptions to all of these. For IT the exercise is fraught with danger, because in the real world compliance is difficult when almost every senior manager requests a deviation from policy.
To get started, the CIO decided to seek help from the audit team, who had engaged one of the big audit firms. The audit team was surprised, since none of the auditees had ever asked them for help; they dutifully connected the CIO to the consultants, who, citing conflict of interest, recused themselves from the potential engagement. Not one to give up so easily, the CIO reached out to their competitors and engaged them in a full review of people, process, policy and technology towards creating a practical, implementable set of policies.
Months and many iterations later, the CIO was satisfied with the end result, to which his team had contributed throughout the process. The classification of policies and associated procedures appeared comprehensive and pragmatic in intent. The IT team was also content that they finally had markers that would leave little room for exceptions, while the outsourced team responsible for execution would find it easier to comply. But before putting the plan into action, the CIO sought the opinion of the vocal CFO.
Weeks passed after the documents were emailed, with no response; the CIO personally reminded the CFO of the pending request. Time was running short, as the next audit was due in a few months and the CIO did not want to fend off another negative rating. He also depended on some of the other functions to work in tandem. Much nudging and cornering later, the meeting was scheduled. The CIO had his team and the consultants on standby should there be a need to discuss some aspect in detail.
"These policies are not user friendly! The consultant has given you standard cookie-cutter templates! How do you expect senior management to comply with these? We cannot be expected to change and remember complex passwords every so often. World over, businesses are going digital; how can you have a draconian internet access or social media policy? We need to allow people the freedom to engage with customers! The world is going mobile; you should allow access to information on demand. You have to figure out a better way to implement security!"
The CFO went on shredding the documents, deriving satisfaction from his own critique; the impracticality of his suggestions had the CIO wondering whether the company would ever succeed in creating a framework that protected the systems while still allowing the processes necessary for good governance. His counter-arguments were brushed aside by the CFO, who was unwilling to listen in his quest to add value. The CIO thanked the CFO for his critique and decided to seek counsel from the other CXOs on implementation.
The rest, who had lived with far more restrictive policies elsewhere, commended the CIO for his rational, real-world approach. Soon the next audit came, and the results showed significant improvement in compliance, which validated the approach taken. The CEO was full of accolades for the CIO, while the CFO squirmed and then tried to take credit by highlighting his review prior to execution. The rest knew better and nodded to the CIO for the road taken and the positive end outcomes. The CIO thanked everyone for their understanding.
A few weeks later, the CFO requested an exception to a policy; it was denied, as it required the approval of the CEO, who was against deviations!