CHAPTER 3: THE ROLE OF GOVERNANCE, RISK AND COMPLIANCE
Risk management is an important part of direction, planning and improvement. No organisation is immune to risk. Risks need to be managed to increase the chance of an organisation meeting its objectives. Direction must consider risk; plans must address risk; improvements need to consider risk.
Is someone responsible for risk management in your organisation? Are you aware of a risk register for your team, your product or the organisation as a whole? How would you report a risk that you became aware of? If you can't answer these questions, that is a risk in its own right!
Risks and controls
Risk is "a possible event that could cause harm or loss or make it more difficult to achieve objectives. It can also be defined as uncertainty of outcome and can be used in the context of measuring the probability of positive outcomes as well as negative outcomes."
A control is "the means of managing a risk, ensuring that a business objective is achieved, or that a process is followed".
Risk and direction
Risk management isn't a one-off exercise. It must be applied continually, at all levels of the organisation.
Table 1: Continual Risk Management
Long-term objectives and risk management
Long-term objectives relate to strategic decisions, setting the context for decision-making at other levels. Risk management considerations might include definition of the organisation's risk appetite and risk thresholds. How much risk is the organisation prepared to deal with? Strategic risks may not have any impact for weeks or even months, so they need to be reviewed regularly. Portfolio management has a role to play here, looking at risks to products and services.
Medium-term objectives and risk management
Medium-term objectives normally relate to the product portfolio, and programmes and projects used to deliver business change. The decision scope is narrower, and timescales are shorter than at the strategic level. Risks may create an impact more quickly, so they may be managed sooner.
Short-term objectives and risk management
Short-term objectives relate to the operational level. Risk management decisions made here need to be aligned with long- and medium-term objectives.
Figure 4 shows the interaction between long-, medium- and short-term objectives.
Figure 4: Interactions between long-, medium-, and short-term objectives
The most common failing I see in an organisation's approach to risk management is inconsistency. This happens in two main ways. First, some organisations focus a lot of attention on a risk management exercise, and then allow all the work that has been done to be wasted. This typically happens when a risk management workshop is held and risks are documented, but there is no role accountable for measuring progress or keeping the risk register up to date.
Second, I see inconsistency in the approach to risk management at different levels of the organisation. It's critical that all levels are aligned. For example, if the long-term strategic view is that security is fundamental to the survival of the organisation, it's not acceptable to have operational teams sharing passwords and lending each other their access cards to get in and out of the building. Vertical consistency throughout the organisation is necessary for effective risk management.
How difficult does risk management need to be? Put simply, not difficult at all! Consider a simple risk register and the information you need:
Risk number or unique identifier.
Date raised.
Raised by.
Risk and impact description.
Probability score (1-3).
Impact score (1-3).
Overall risk score based on probability x impact.
Owner.
Date of last update.
Status (open/closed/etc.).
Once you have this information, you can create a mitigation plan and rescore the probability and impact based on the mitigating factors being applied.
For example, at Banksbest, Doug Range might identify a risk that the quality of service in the customer service centre falls because staff don't have enough knowledge about the My Way product. This might be given an impact and probability score of 2 and 2, based on previous experience, giving an overall risk score of 4. The mitigating action might be for Doug and Lucy to work closely together, allowing Doug to gain insight into My Way and prepare training materials for the customer service staff.
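The simple register above as a small Python model, added here as an example and not part of the book: the chapter's fields, the probability × impact score, rescoring once a mitigation plan is applied, and two checks a practitioner would want, escalation of open risks above a risk appetite and detection of open entries nobody has updated (the failure mode the chapter describes). The appetite threshold of 6 and the 30-day review interval are assumptions; the Banksbest scores are the ones the text gives.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

def _check_score(value: int, name: str) -> None:
    if value not in (1, 2, 3):  # the chapter scores probability and impact 1-3
        raise ValueError(f"{name} must be scored 1-3, got {value}")

@dataclass
class Risk:
    # The fields of the simple risk register listed in the chapter.
    risk_id: str
    date_raised: date
    raised_by: str
    description: str
    probability: int
    impact: int
    owner: str
    last_updated: date
    status: str = "open"
    mitigation: Optional[str] = None
    residual_probability: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        _check_score(self.probability, "probability")
        _check_score(self.impact, "impact")

    def score(self) -> int:
        return self.probability * self.impact  # overall risk score = probability x impact

    def apply_mitigation(self, plan: str, probability: int, impact: int, today: date) -> None:
        # Record the mitigation plan and rescore with the mitigating factors applied.
        _check_score(probability, "residual probability")
        _check_score(impact, "residual impact")
        self.mitigation, self.residual_probability, self.residual_impact = plan, probability, impact
        self.last_updated = today

    def residual_score(self) -> int:
        # Score after mitigation; valid scores are never 0, so `or` falls back to the raw values.
        return (self.residual_probability or self.probability) * (self.residual_impact or self.impact)

def needs_escalation(risk: Risk, risk_appetite: int = 6) -> bool:
    # Open risks scoring above the organisation's appetite (assumed threshold 6) must be escalated.
    return risk.status == "open" and risk.residual_score() > risk_appetite

def stale_risks(register: list, today: date, review_days: int = 30) -> list:
    # The failure the chapter warns about: open entries nobody has updated (assumed 30-day review).
    return [r.risk_id for r in register
            if r.status == "open" and (today - r.last_updated).days > review_days]
```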
Everyone in the organisation has a role to play in risk management. Staff should feel safe to report risks and know that their information will be acted on if appropriate. Direction, guidance and support can be provided so that people know what risks can be tolerated and what needs escalation.
Risk and improvement
Every plan needs to assess the risks associated with it. If the risks are too great, the plan may be terminated. Improvement plans also need to apply risk management principles. For any improvement, consider the risk of making the improvement, but also the risk of not doing anything. Each organisation has its own level of risk that can be tolerated.
DPI and governance
There is a strong relationship between direction, planning and improvement, and governance. The areas considered in the DPI syllabus include:
Governance structures used for decision-making;
Governance of the service provider;
Placing decision-making at the right level;
Impacts of governance on DPI; and
How to ensure controls are sufficient but not excessive.
An organisation's decisions must align with its mission and strategy. It will use different structures and methods to support decision-making and direction of activity and behaviours.
Governance structures
An organisation might not use all the structures defined, but the roles should be fulfilled.
Table 2: Governance Structures
Board of directors
The board of directors is responsible for the organisation's governance, including:
"Setting strategic objectives
Providing leadership to implement strategy
Supervising management
Reporting to shareholders"
Shareholders
Shareholders are responsible for appointing directors and auditors to ensure effective governance.
Audit committee
The audit committee supports the board of directors by providing independent assessment of management performance and conformance.
The governance structures supply directives, which then define internal controls. Controls can include:
Risk management;
Compliance controls;
Operational controls;
Financial controls; and
Any others required.
The board will review risk management systems and internal control systems at least annually.
Governance of the service provider
If a service provider is an organisation, it will have its own governance structures. If the service provider is part of a larger organisation (for example, an IT department in a business), the parent organisation will have governing authority over it. Authority and governance can be delegated to lower levels, but the organisation's governing body must still oversee governance.
The ITIL service value system (SVS) can be applied to the entire organisation or to a department or departments. If the SVS is used at departmental level, governance must be aligned with organisational governance. Applicable external legislation and regulations also need to be continually reviewed and integrated where necessary, for example Sarbanes-Oxley or the General Data Protection Regulation (GDPR).
Placing decision-making at the right level
Governors should review decision-making for the organisation and identify where decisions could be delegated. Equally, if there has been negative impact related to delegated decisions, the scope of control may need to change. This should be considered as an improvement exercise, rather than an opportunity to assign blame.
DPI and governance are closely related. Direction from the governing body affects the whole organisation. Employees will struggle if they are asked to carry out activities that are in conflict with overall organisational direction. Governance decisions and directives are inputs to planning at all levels. Plans may be used to deliver compliance or governance objectives. Improvement initiatives should increase the organisation's compliance with its directives.
Ensuring controls are sufficient but not excessive
Effective controls provide 'just enough' control. Too much, and outcomes might be negatively affected; too little, and risk is created. Controls need to be designed...