We surveyed 100+ people on IT Controls, Governance Frameworks and Standards!

When I was younger, I liked Family Feud. (You got me - I still watch it on occasion). When the host started each question with: "We surveyed 100 people and the top answers are on the board", I kept wondering about how they found those 100 people.

My imagination ran wild.

Could it be that the same 100 people were answering all the questions? Did the show lock them in a room with no windows until all questions were answered?

I recently had a chance to run my version of the Family Feud polls.

Before my speech in August 2017 about "IT Governance" at the Governance, Risk & Compliance (GRC) conference organized jointly by the Institute of Internal Auditors (IIA) and Information Systems Audit & Control Association (ISACA) in Dallas, Texas, the organizers alerted me of a mobile polling tool we could use to live-poll the audience.

I jumped on the opportunity.

In October, I spoke on the same topic at ISACA's Cyber Nexus (CSX) Security Conference in Washington, DC and used the same polling tool.

According to the official numbers:

• 225 people listened to my speech at the GRC Conference; about 110 people answered the live surveys. 
• 130 people listened to my speech at the CSX Conference; about 43 people answered the live surveys. 
• Attendees for both sessions represented various sectors including financial services, healthcare, government and utilities. 
• Among them were GRC professionals, auditors, banking regulators, CISOs, CIOs etc. Most of them were from the US, but I also met some folks who attended from Brazil, South Africa and Ghana.
• What you see below is the combined polling results from those two sessions. 

We surveyed a 100+ people and the top answers are on the board...

There are no major surprises from my perspective.

Here are my observations:

• Many enterprises perform risk assessments. 
• Several companies use COBIT, COSO, ITIL and NIST frameworks.
• Majority of the organizations have a control library.

Here is my wish list: 

• More companies should consider implementing a governance framework. 
• Organizations should focus on control self-testing and process maturity assessments.
• A broader adoption of best-practice frameworks such as OCTAVE, TOGAF, Risk IT, PMBOK, and Balanced Scorecard could benefit many organizations. 

What do you think?

How to set up a first line of defense & governance function – Part 2

In Part 1, I shared my thoughts on the three lines of defense model and listed key prerequisites for building an exceptional first line of defense function. I highlighted executive commitment and hiring the right resources as building blocks and shared ideas with regards to some techniques I use for interviewing candidates for the first line.

Part 2 focuses on specific actions I recommend for setting up a first line of defense function. As I mentioned earlier, a lot of these ideas could be leveraged to build and improve all three lines.

1. Create Your Roadmap:

Everyone in the company is excited about what was promised to them: An exceptional first line of defense function.

Your budget to build your function is approved. You hired a few new resources from the industry and convinced some good fellows to come over from other departments and join your team.

Life is good, but now what…

If “going with the flow” sounds like a good approach, think again. One of the key components of effective governance is knowing and articulating where you are going. At the risk of sounding like a consultant (heck – I used to be one), you should develop a roadmap and a timeline. 

I like roadmaps because they serve as a good communication tool for your team, executives or anybody interested in understanding how you’re building your function. A roadmap will show everyone else the progress you’re making. Also, it will help you course-correct faster if things are not going so well.

Your entire roadmap may span multiple years. 

A good roadmap should include interim milestones which, when achieved, will give everyone hope that things are on track. Life is too short not to celebrate our achievements – no matter how small they may be. 

2. Choose & Define Your Governance Framework:

I am a fan of frameworks.

A framework gives you the structure with which you can build your processes. It also gives a venue to define and articulate your scope of coverage. 

Best-practice frameworks such as COSO and COBIT 5.0 will help you think through what needs to be included and excluded in the scope of your function and roadmap. They will also make your life much easier when you communicate with external parties such as your regulators because most of them will already be familiar with most of them.

The framework I particularly prefer for IT Governance is the one from ISACA’s IT Governance Institute (ITGI), which can be used in conjunction with COBIT 5.0 - also from ISACA: 

A word of caution. A framework is as good as what you make of it. Adopting an entire framework as is could prove to be too big an undertaking for many companies. You should only use the parts that make sense to your organization and consider customizing it to fit your particular needs.

Finally, you may want to use a combination of frameworks to address different processes (ITIL for IT Service Management; PMBOK for project management; NIST 800-53 for information security etc.). 

3. Document, document & document (really):

Let me first catch you up on a couple of my definitions:

When I refer to documents, I’m talking about policies, procedures, standards, frameworks etc. Your own definition or scope could be different.

In layman’s terms, controls are the activities performed by people or systems to address risks. For example, looking both ways when crossing the street is a control that could save your life.

Over the course of my career, I advised and audited companies ranging from small pre-IPO start-ups to Fortune 10 giants. Regardless of the size or complexity of the organization, all of them benefited from formalization around their documents and controls (many times at my urging). The bigger the company, the more obvious the need around documentation.

How about smaller companies such as start-ups?

For starters, things happen and people leave. An IT director of a former client (small high-tech company) once told me that his team did not know how to properly maintain and upgrade an in-house developed software because the engineer (let’s call him Jim) who coded it had left the company. 

You guessed it – Jim did not bother documenting how the software worked, nor was he ever asked to. Jim was also not the only one not documenting stuff. Documentation was not part of the company culture which was all about going fast to the market and getting ready for an IPO.

Remember every organization will likely have to face an audit or go through regulatory scrutiny at some point of its journey. 

You  would like to start collecting credit card payments; then you need to think about compliance with PCI. You would like to serve European consumers; you’d better be ready for rigid European privacy regulations (does GDPR ring a bell?). You want to do business with government; you may need to start reading about FISMA.

A common theme about any regulatory requirement is that they all will require you to have documentation. If you have good documentation, you’ll be one step ahead in meeting those requirements and passing your audits.

To get ahead of these challenges, you may want to consider creating a formal program around documents. At the very least, having your key processes documented in written policies/ procedures/ standards will make your organization less dependent on individuals performing those tasks. If you also assign a formal documents program owner providing regular guidance and oversight, you would be in a great shape. 

Many public companies only limit their control libraries to SOX 404 controls, but my recommendation is to create a library that goes beyond the basic regulatory requirements. Creating an expanded control library will help you document control ownership and many other key attributes for additional areas of your business. It will also give you the means to spot-check or self-test those controls and remediate issues early. 

4. Perform Self-testing & Self-Assessments:

One of my current roles is to interact as the main IT point of contact with our IT regulators who perform periodic examinations of how we use and implement technology services and processes. In an “IT Exam”, regulators check the bank’s compliance against the Federal Financial Institutions Examination Council (FFIEC) Guidelines and other relevant regulations. The exam results in a long write-up accompanied by a report card telling us how we did.   

If you’ve been through one of those examinations, consider yourself lucky (seriously), because it is a great learning experience.

Many years of going through the “exams” has taught me that regulators’ interpretation of the three lines of defense model is much stricter than that of most organizations.

Here is a sample question you would dread answering: “We heard that your Internal Audit group (third line) has identified some issues. Can you please tell us why you (first line) had not found them before Internal Audit?”

There is really no good answer to this question at that point. Even if the answer is that you actually knew about the same issues sooner, the next question you will hear will be “Why haven’t you fixed it before Internal Audit came in?”  

Here is where regulators are coming from. They want the company to have good processes so that the issues surface much closer to the first line of defense who is responsible for operating the controls. 

A good first line should find and fix most meaty problems and fix them as quickly as possible. Self-testing of your controls (now that you have a control library) and self-assessments (risk or process maturity assessments) performed by the first line of defense will come handy in that quest. 

If you’re doing all the above, you deserve a pat on the back. There is always more you could do, but you should feel proud to have already built many key elements of an exceptional first line of defense function. 

How to set up a first line of defense & governance function – Part 1

The three lines of defense model is not new, but I don’t think it’s understood or applied consistently. Many companies from not-so-heavily-regulated industries and privately-held enterprises do not care much about the three lines until they hit a certain level of complexity, move into a regulated industry/jurisdiction or become public. On the other end of the spectrum, most organizations operating in regulated industries such as financial services and health care find themselves in a dire need to have clearly defined and functional lines of defense. No matter their particular situation, companies generally struggle with establishing, operating and enhancing these lines.

In the traditional three lines model, a company’s compliance and risk functions that provide independent risk oversight constitute the second line; its Internal Audit group is the third line. Everyone else belongs to the first line including the front-line employees operating controls, processing transactions and taking everyday risks as part of their job. In IT, database administrators and software developers are two examples of front-line employees. ISACA has a good article on this topic, if you’d like to brush up on the lines.

Organizationally, I reside in a first line function in SVB’s IT group where I run the IT Governance, Risk, Compliance (IT GRC) team. However, my team transcends the responsibilities for a first line, as we perform roles typically associated with a second line function such as setting risk management standards, monitoring results, and challenging outcomes. For that reason, I’d like to think of my team as the “Line 1.5”. KPMG has a good video explaining this newer concept.

At my bank, I regularly interact with the third line (Internal Audit), Enterprise Risk Management, Corporate Compliance, our banking regulators along with other first and second line functions. In my previous roles as an external auditor/consultant, I had an outsider’s perspective while I was advising my clients on the lines. All these helped me accumulate enough appreciation for the best practices and challenges associated with the three lines.

Last week, I spoke at the 2017 Cyber Security Nexus (CSX) North America Conference in Washington, DC. My topic was called “Best Practices for Proactive IT Governance” that had a particular focus on establishing and improving a first line of defense function in IT. Most insights I shared are applicable to all three lines and different business units

Pre-requisites: 
Like with any other critical program or initiative impactful to the entire organization, the company needs to have the right tone at the top and support to build and improve the lines. This could be done as part of a specific “Lines” initiative or more likely, portions of each line could be established and improved as specific business or regulatory requirements arise. If you’re hearing executives talk about the lines and the company is shelling out funding to hire or re-position resources, rest assured that it is taking this concept seriously.

Now that you have the executive support and funding, you need to hire the right people from within the company or attract external candidates. It goes without saying that you need to define the exact skill set and number of resources you need and have a clear understanding of their roles and responsibilities.

Here is some generic advice when it comes to hiring for a first line function (can be applied to a second or third line). The top technical skills I would look for are risk management, compliance, audit, and data analytics. Experience with well-known industry frameworks such as COSO, COBIT and NIST is always preferred for IT.

I must admit that I prefer to place ex-auditors in these roles (only those who can convince me that they are ready to make the switch). Internal candidates that fit the bill should not be overlooked as their organizational knowledge and existing relationships could come handy. In terms of soft skills, relationship building and communication skills top my list.

Behavioral interviews for any position have been a long-time favorite, but you may want to dig deeper. During the interview process, I recommend that you weave in a realistic case study if your processes allow for it (No, I am not talking about the brain teasers like “How many piano tuners are there in the entire world?”).

During my Big 4 days, I was one of the primary interviewers for our Advisory Group and administered tons of case studies for campus recruits and experienced hires. Case studies were a critical component for us to evaluate how the candidate was able to structure his/her thoughts and provide a well-thought-out response to a usually tough-to-crack case. Yes, most candidates get nervous about case interviews, but wouldn’t you want to pick the ones who can handle a stressful situation?

Also, consider asking the candidates to write a short memo (could be combined with the case study) to test their formal writing skills, which usually don’t get validated in most interview processes I have seen. In my view, a first line professional needs to be exceptional in their documentation skills intended for distinct audiences (executives, regulators etc.).

Of course, you still need to interview them for other industry specific knowledge and soft skills applicable to your particular situation.

In Part 2, I will cover the next steps in creating a first line of defense function and discuss roadmaps, policies, controls, measurements, and self-assessments. 

What is "Governance" anyways?

I regularly get asked what “Governance” in my job title means by colleagues and friends who find what I do obscure. They understand the risk and compliance components better, because they can associate them with other jobs they know.

The dictionary definition for Governance does not resonate well with many of them. (If you’re so inclined, check out Wikipedia’s definition) 

This year, I was invited to speak at a couple of national governance and risk conferences, and the title of my talk was “Best Practices for Proactive IT Governance”. This provided me with extra motivation to come up with an easier-to-understand definition for Governance. I felt the following simplified version resonated better with those who came to listen to me:

Governance is a set of practices that steer the organization in the right direction.

I went on to explain that Governance (especially, a good one) does the following:

• Creates Structure by defining organizational reporting lines, oversight committees, rules, policies, and processes. A well-defined structure effectively sets the operating boundaries for the organization. 

• Sets Direction by creating or aligning with the corporate strategy, and defining the short and long-term goals for the organization.

• Defines & Assigns Responsibilities by providing a clear view of who is going to do what in the organization and who ultimately is accountable for the results.  

• Measures & Acts on Outcomes by defining, analyzing and reporting performance metrics. Regular measurement helps the organization course-correct as quickly as possible. It's true that “you can’t manage what you don’t measure”.

Regardless of where you sit in the organization, you are probably involved with some or all of these practices at some level. That makes us part of the extended Governance family.

Does this definition resonate with you?