Risk and governance

Governance is the ‘design of decision-making’ as per Gartner. As IT decisions impact many stakeholders outside IT, our decision-making has to be collaborative and inclusive. Governance is therefore one of the most important processes in our digital transformation journey. 

Similarly, risk should not be a worry but a formal process of mitigating whatever can go wrong with the enterprise. Risks must be considered in a broader and more inclusive way, even as cybersecurity itself continues to be the biggest risk. Here we cover risk in general, without touching on cybersecurity.

We cover Governance and Risk in the eighth article of the nine-article series on digital transformation. In the first article, we talked about the Evolution of the Digital Enterprise. In the second article, we talked about Building Trust among the various stakeholders of the enterprise eco-system. In the third article, we talked about how Experience Design is an important pillar. In the fourth article, we discussed how Technical Debt slows down the journey. In the fifth article, we talked about the importance of Architecture: how to build a team and how to engage your partners. In the sixth article, we talked about the right Perspective for Partnerships for success. In the seventh article, we discussed how building the right kind of Culture attracts Top Talent to an enterprise.

IT’s own internal processes deliver to everyone in the organization (its customers) through a portfolio of service providers (its partners). You, as technology managers, do not have direct power over any of them. Therefore, you need maturity and sophistication in making collaborative decisions with your stakeholders. That’s governance – how you design your decision making.

We’ll talk about governance participation, governance process design and governance as an empowering tool. 

Governance Participation

I was reviewing the health of our information security after taking over as a CIO. We started with security policies. Our security policies stated that we needed to have an MISF – Management Information Security Forum – for taking all Information Security related decisions. That was not in place, and my CISO threw up his hands, saying that no one wanted it. He had obviously tried setting it up, but no one was interested in attending.

I asked him, “If there’s a major security breach tomorrow, who all will lose their sleep?”

The answers started: “Legal, Corporate Communication, HR, Finance, Sales, Operations.”

“Great! So, these are going to be the participants in our security governance forum.”

He then prepared an effective engagement script which worked backwards from the impact. He went and talked to each one of them. He said, “If tomorrow there’s a cyber-security breach, you’ll need to step in to clean up the mess. Why don’t you join this forum and help us prevent and mitigate any breaches?”

In a month, we had the MISF in place, with the participants very clear about why they were there and why they had to participate in decision making: because it would affect them materially.

The most important point in governance: the people who are impacted by your decisions need to participate in making those decisions. Hence, design your governance to include all potentially impacted parties. When involving them, tell them: “We are going to make decisions which will impact you. Why don’t you participate?”

If you exclude someone, you risk non-compliance – they can simply wash their hands of it: “We were not involved in this decision. So, you had better handle the mess.”

At the same time, if you include too many people, you risk over-democracy.

Be thoughtful and ask a simple question: who is going to be materially impacted by our decisions? Those people need to be part of the governance.

This goes beyond cyber-security. 

In program management governance, include everyone who is impacted by the program’s success or failure. 

In vendor management governance, include everyone who is impacted by your vendor decisions, for example, procurement, biggest service recipient departments, as well as the vendor itself. 

In technology governance, involve people who are impacted by your technology decisions: the receiving department, the architects, including those of the applications to be integrated, and very importantly, the service management people, who will be maintaining the technology.

Governance Process Design 

Governance has to be at three levels: the operating level, the decision-making (managerial) level and the strategic level. For example, vendor governance has to be

  • at the operating level, for a daily review of operations, 
  • at a managerial level, for decision-making on KPIs and 
  • at a strategic level to expand the relationship and to take care of any chronic issues, or any contractual issues. 

Similarly, business governance has to be

  • at an operating level, where your customer-facing people are tracking and reviewing the day-to-day issues with their respective stakeholders regularly,
  • at a managerial level, where you are reviewing the process efficiencies and target KPIs, and any problems with technology, with the managers, and
  • at a strategic level, where you are discussing the business value realization, the big business process or structure changes due to the introduction of technology, as well as future plans and requirements which may potentially call for new technologies.

I recommend writing down a one-page governance charter for each forum. This charter may contain the following:

  • Core purpose of governance
  • Objectives
  • Standing agenda
  • Meeting frequency
  • Decisions which forum can take
  • Scope
  • Chairperson – somebody who’ll take the decisions in the forum
  • Coordinator – somebody who’ll run the forum logistics and follow up on decisions taken
  • Core attendees
  • Other invitees

Here is an example of a governance charter for a service desk that we used. We had such charters going right up to the level of the IT Steering Committee for strategic decisions.

Governance as an empowering tool

One of the first things I tried to do after taking over was to get a handle on the number of meetings I WAS EXPECTED to have with my stakeholders – my partners and business leaders. We started collating all of these in Excel.

I was up for a shocking discovery: in a large and diverse organization like the one I was in, I would not have had time to work if I met everyone at the same monthly frequency!

We had to prioritize. We iterated in Excel, changing the priority, frequency and duration of the different meetings. This iterative approach led me to a sophisticated design of my governance calendar. We had a clear view of what would get scheduled in which week of which month of a quarter. This was published to my key team members so they could proactively schedule review meetings.

The next challenge was to ensure we discussed the right things in the meetings, and that led me to create the governance charter shared above.

Given the importance of governance in IT, it’s very important to design and track your governance score. The governance score is nothing but the number of meetings/reviews that actually happened, measured against the number planned in the Excel design described above. Urgencies will always prevail; therefore, a governance score of greater than 50 percent will always be a good score.


As I took over my first CIO role, I scanned the entire IT and business landscape with a single lens – what could go wrong! There was quite a lot that could go wrong. This correlated with the current state of our IT, which had been relatively underinvested. We had a three-pronged challenge:

  1. Meet the demands of business growth
  2. Invest in modernization
  3. Build the team and processes

I collated all the risks systematically and correlated them with our plans. This led to a common understanding of the IT under-investments and modernization requirements, which helped us in rightsizing the IT investments. While many things can go wrong, a typical risk framework works on two axes.

A formal risk management methodology is to identify all the risks and then evaluate each one on probability and impact severity. Multiplying the two together gives you a composite risk score. This creates a discussion agenda with your management to invest in mitigating the risks.

Risks in multiple dimensions

Risks exist in multiple dimensions: cybersecurity risk, technology risk, program risk, vendor risk. The methodology above cuts across all of these dimensions to give you the right view of where management interactions are required to safeguard the operations.

Please leave your comments here, or on the author’s LinkedIn posts. In the next article, we’ll discuss how leadership drives the digital transformation journey.

The article has been written by Jagdish Belwal, Founder and CEO, Jagdish Belwal Advisory
