Business Services Management, Six Sigma and your IT Compliance Program
Peter Allen’s song “Everything Old is New Again” is a truism that applies in the world of Business Services Management (BSM). Six Sigma methodologies clearly fall under this rubric and are fashionably back in vogue in the world of IT management.
IT compliance management is a critical component of information technology processes and procedures and therefore should be treated as a “core competency” as it relates to the analysis of success factors in IT organizations. Using the Six Sigma approach can help organizations successfully integrate IT compliance management into their overall operational risk management/regulatory compliance programs.
This is particularly important because a study by the Business Performance Management Forum states that “while compliance is definitely a management concern, policies and procedures are yet to take hold, enforcement seems to be a loose concept, and management’s general familiarity with issues around compliance is painfully lacking.”
The Six Sigma methodology includes the core competencies of performance, change, communication, collaboration and critical thinking. Each of these topics is examined as it relates to establishing a successful IT Compliance Program.
For years the IT field struggled with the best ways to demonstrate the value of IT to senior management. Defining a return on investment (ROI) is a sticking point because the conversation always seems to delve into soft claims that cannot be quantified. For example, allegations that non-compliance will lead to loss of brand or a decrease in market value are perfectly valid. However, they do not establish the cause and effect between the financial impact and IT compliance management.
Metrics are important because we can only manage what we know. We can have lots of great policies, but metrics are needed to reveal whether our policies are producing the intended operational outcomes.
Managers know that what is visibly measured will get done. Metrics are a powerful way for leaders to make clear what is important. Visible scores for important enterprise processes and outcomes motivate human behavior in a positive way because of our natural human desire to be successful and compare favorably with our peers.
Metrics can also provide a helpful basis for communication between operators and particularly internal auditors, if they can agree on which measures most clearly reveal key aspects of enterprise performance. Once agreement is reached on which metrics to track, the operators can present the auditors with a history of enterprise performance.
There are different kinds of metrics. They can be general or detailed, qualitative or quantitative, process or outcome oriented. Generally the best metrics are quantitative or capable of numeric valuation, outcome oriented, and include one or more implied assumptions. An unacceptable value of an outcome metric will invariably reveal that the organizational processes need improvement.
Metrics define what is to be measured. Some metrics are specialized and cannot be directly benchmarked or interpreted outside a mission-specific business unit. Other measures are generic and can be aggregated across business units - cycle time, customer satisfaction, and financial results.
Quantitative performance measures are difficult to develop for IT compliance management. It is generally impossible to make statements like “continuous monitoring of the network, active scanning and evidence collection and aggregation will protect a network 3.53 times greater than if only quarterly monitoring is instituted.”
As difficult as it may be to measure or even to connect compliance activities to specific outcomes, it is essential to strive for a results-based program.
Another key principle of Six Sigma is embracing change and modifying processes and behaviors to adapt to it. A recent study by the Information Technology Process Institute reports that high-performing IT organizations that excel at change and configuration management experience less re-work and unplanned firefighting. This kind of disciplined, consistent enterprise performance meets the needs of customers and stakeholders and produces regulatory compliance as a byproduct.
The flux and chaos that often result from having to comply with multiple regulations present opportunity, both for an organization and for those managing the IT compliance program.
In the world of IT compliance management, the core competency of change, once mastered, is an organization’s strength. Organizations that are effective and efficient at change can strengthen organizational information-technology policy as the result of audits. They can also increase the number and effectiveness of automated access management/identity management features when the enterprise is forced to move quickly to address audit findings around financial controls.
Communicating a vision
Information technology compliance is often not well understood by senior management. So communication and short-term wins with little or no expenditure can be critical to maintaining the compliance posture of the organization. For example, implementing a training and awareness program focused on employee roles and responsibilities with respect to compliance management is often effective and certainly less expensive than most other solutions.
Institutionalizing a culture of continuous monitoring as an essential part of IT compliance management can be achieved using the best practices of the Six Sigma methodology. IT compliance should be treated as a critical corporate program and to that end Six Sigma can be used to assist organizations in implementing a robust and effective information technology compliance program and culture.
Copyright © 2009-2012 BSMReview.com or individual contributors.