This final instalment of our C-Suite Special Series targets one of the most impact-heavy mistakes we see high-level management making: one that has the potential to be hugely detrimental to ongoing business assurance in this age of ever-expanding legal and regulatory requirements.
So let us make it clear and unequivocal:
Management is not Governance.
And even more:
Good management is not good governance.
To be even more explicitly clear:
Data management is not data governance.
Information management is not information governance.
Financial management is not financial governance.
…and so on… you get the idea.
When organisations set about creating governance, they usually set up a small team of responsible individuals who are tasked with reading through regulatory and legal requirements for governance in their particular area of business, and then these individuals write comprehensive policies and SOPs to outline the requirements of each functional area.
A big tick is then placed in a box on some forms, stating that you have governance requirements specified and staff have been notified – usually by way of an email with a hyperlink to the policy and SOP documents and, maybe, some training.
Not even close.
The activities of the governance team, described above, are definitely the right place to start. But they are just the start.
We do need to get very clear about what’s required of us and it’s always a good idea to have a solid SOP document covering these requirements and explicitly stating what needs to be done. This helps staff immensely in meeting regulatory requirements.
Management, then, is developing the specifics of what is outlined in the SOP document and the processes for enacting them.
If we are looking at the management of data, for instance, we might have instructions in the SOP document about backing up data, about the security level of data and procedures outlining how to approve access to data. These rules and procedures are how we “manage data”.
The staff teams who manage data for your organisation then take those SOP instructions and create the practical workflows, accountabilities and any further process details, that deliver what the SOPs have outlined.
This is still part of how we are managing data.
While it is then our goal to follow the SOPs perfectly, it may not always happen. In that case, we are actively managing our data in a manner that lies outside of SOP guidelines. In particular, this might happen when new staff make changes to the way things are done and SOPs are not updated – perhaps have never been read – and things progress with the new changes.
Believe me, this can not only happen quite easily, but it can go on for quite a long time (i.e. years) without being detected, potentially leaving your organisation at legal, regulatory or financial risk.
And that’s why you need governance.
Governance starts with ensuring solid policy, SOP and management guidelines exist and meet the legal and regulatory (as well as ethical) requirements of your industry and organisation. Having your governance team oversee and review SOPs and guidelines ensures that your organisation knows how its management should be conducted. A good governance team has developed those SOPs comprehensively, thoughtfully and effectively.
Once this is completed, we have the outline of good management, but how do we know we have good management in practice?
Effective governance means having procedures in place to ensure management is conducted in accordance with the guidelines.
At any given moment, the level of confidence you – in a C-Suite level leadership role – have that your staff are following management guidelines/SOPs is the measure of the quality of governance you have.
In our data example, the data governance team must develop procedures to check that the data is being managed in accordance with the data management SOPs. For instance, they would need to check that security is being maintained as per the SOP, that back-ups are done correctly and effectively as per the SOP, that access to data is granted only after following the correct procedure outlined in the SOP, and so on.
“Checking up” on management practices is the core of governance.
Here’s another example.
I once worked in an environment that required certain standards of security of data at the staff desk level – personal medical data was accessed on screens and on paper, which should not be viewed by anyone other than the individual processing that data, who had express permission to view it.
Our management of this process was to write an SOP about the use of digital and physical personal data forms. In this case, it was a simple SOP: staff should ensure all physical forms were covered up, and their monitors had password protected screensavers activated, whenever they were not at their desks.
Our governance of this process involved periodically walking around the department, checking empty desks for visible papers and password protected screen savers. We would record the number of desks found to be non-compliant with the SOPs.
The act of checking desks was our governance procedure.
The number of non-compliant desks was a management compliance metric to measure how well the division was managing the use of personal data.
The record of how often we completed these desk checks was a governance quality metric, measuring how good (or reliable) our governance was.
Determining whether or not you have good governance can be tricky.
In the previous example, the only proof the Director of our division had that the quality of our governance was good was a regular report we’d give him showing the dates we’d conducted a check (which we generally did as per our schedule, once a month).
In that context, this qualified as good governance. Perhaps it wouldn’t be enough to offer great assurance in other industries or situations, but it was good enough to meet our requirements at the time.
The number of non-compliant desks we found at each check showed how good our management of personal data was (which was also generally good). This added to the Director’s assurance that all was well.
If we had found our division’s compliance getting particularly poor, good governance would require stepping in and rectifying this. We might have introduced training, or incentives for those who were compliant, or actively sought feedback on more useful management options. But this improvement process would have been management, not governance.
Governance monitors management processes and ensures action to change or improve management is taken when required.
Reporting of governance activities, from your governance team, will confirm governance activity is taking place and that it’s providing you with the assurance of good management of data, information and other assets. But what metrics you’ll use to measure governance activities are not always easy to determine. How does a governance team provide you with evidential proof of their governance activity?
When you consider all the different areas that require governance, and all the different activities that may be involved in enacting quality governance, this reporting could begin to get onerous both for the governance team to produce and for you to review.
But it is essential for business assurance.
Regulatory or legal non-compliance can be devastating to businesses.
And the real kick lies in the fact that, unless you have really solid governance activities, you won’t even know if you’re at risk – after all, do you personally know how closely your staff are following their SOPs?
Of course not.
As governance grows in scope and necessity, we will see a burgeoning industry of software solutions that are targeted to help effectively deliver governance of various business functions.
And this will inevitably mean we will see big promises and mediocre delivery from many big software companies, as they “tack on” governance components and hope you don’t notice that it’s not really all that helpful.
However, we also hope to see some really innovative software solutions that make life easier for everyone while making governance as simplified, transparent and achievable as possible.
To this end, our signature software, Intralign, a business information management tool – which was designed since its inception more than ten years ago with governance at its core – now has a dashboard feature that complements our governance reporting service and allows governance teams and senior leadership the ability to see:
Such governance software tools make governing a far less onerous and more transparent task.
But the best governance software in the world won’t work if people don’t feel compelled to use it.
Unless you are actively creating a governance-important culture, and regularly demonstrating that compliance is central to business success, you won’t have good governance or good business assurance.
The real solution to poor governance lies in the culture that is created from the top down.
That means you.
And that’s good news because you’re in 100% control of that.
So how are you ensuring SOP compliance in your organisation?
Other C-Suite Special Series Blogs
C-Suite Special Series Part 1: What does being a great business leader really mean?
C-Suite Special Series Part 2: Why your struggles are your greatest strength
C-Suite Special Series Part 3: Essential communication skills for CEOs
Mark is a co-founder & Chief Development Officer at Intraversed, helping organisations establish the Intralign Ecosystem, an award winning information management & governance methodology, to achieve reliable information, stable tech spend & greater IT project success.