
Business Services Management, Six Sigma and your IT Compliance Program
by Chrisan Herrod

Six Sigma

Peter Allen’s song “Everything Old is New Again” is a truism that applies in the world of Business Services Management (BSM). Six Sigma methodologies clearly fall under this rubric and are fashionably back in vogue in the world of IT management.

IT compliance management is a critical component of information technology processes and procedures and therefore should be treated as a “core competency” as it relates to the analysis of success factors in IT organizations. Using the Six Sigma approach can help organizations successfully integrate IT compliance management into their overall operational risk management/regulatory compliance programs.

This is particularly important because a study by the Business Performance Management Forum states that “while compliance is definitely a management concern, policies and procedures are yet to take hold, enforcement seems to be a loose concept, and management’s general familiarity with issues around compliance is painfully lacking.” 

The Six Sigma methodology includes the core competencies of performance, change, communication, collaboration and critical thinking. Each of these topics is examined below as it relates to establishing a successful IT Compliance Program.

The most difficult aspect of applying Six Sigma to IT compliance management involves defining how to assess the performance of an IT compliance program. 

For years the IT field struggled with the best ways to demonstrate the value of IT to senior management.  Defining a return on investment (ROI) is a sticking point because the conversation always seems to delve into soft claims that cannot be quantified.  For example, allegations that non-compliance will lead to loss of brand or a decrease in market value are perfectly valid. However, they do not establish the cause and effect between the financial impact and IT compliance management.

Metrics are important because we can only manage what we know.  We can have lots of great policies, but metrics are needed to reveal whether our policies are producing the intended operational outcomes. 

Managers know that what is visibly measured will get done. Metrics are a powerful way for leaders to make clear what is important. Visible scores for important enterprise processes and outcomes motivate human behavior in a positive way because of our natural human desire to be successful and compare favorably with our peers. 

Metrics can also provide a helpful basis for communication between operators and auditors, particularly internal auditors, if they can agree on which measures most clearly reveal key aspects of enterprise performance. Once agreement is reached on which metrics to track, the operators can present the auditors with a history of enterprise performance.

There are different kinds of metrics. They can be general or detailed, qualitative or quantitative, process or outcome oriented. Generally the best metrics are quantitative (or capable of numeric valuation), outcome oriented, and include one or more implied assumptions. An unacceptable value of an outcome metric will invariably reveal that the organizational processes need improvement.

Metrics define what is to be measured.  Some metrics are specialized and cannot be directly benchmarked or interpreted outside a mission-specific business unit. Other measures are generic and can be aggregated across business units - cycle time, customer satisfaction, and financial results.

Quantitative performance measures are difficult to develop for IT compliance management.  It is generally impossible to make statements like “continuous monitoring of the network, active scanning and evidence collection and aggregation will protect a network 3.53 times greater than if only quarterly monitoring is instituted.” 

As difficult as it may be to measure or even to connect compliance activities to specific outcomes, it is essential to strive for a results-based program.   

Embracing Change
The most casual observer of technology, society, and the environment would agree that change is pervasive and that the rate of change is radically increasing. Author and pundit Margaret J. Wheatley observed, “The things we fear most in organizations - fluctuations, disturbances, imbalances - are the primary sources of creativity.”

Another key principle of Six Sigma is embracing change and modifying processes and behaviors to adapt to it. A recent study by the Information Technology Process Institute reports that high-performing IT organizations that excel at change and configuration management experience less re-work and unplanned firefighting. This kind of disciplined, consistent enterprise performance meets the needs of customers and stakeholders and produces regulatory compliance as a byproduct.

The flux and chaos that often result from having to comply with multiple regulations present opportunity, both for an organization and for those managing the IT compliance program.

In the world of IT compliance management, the core competency of change, once mastered, is an organization’s strength. Organizations that are effective and efficient at change can strengthen organizational information-technology policy as the result of audits. And they can increase the number and effectiveness of automated access management/identity management features when the enterprise is forced to move quickly to address audit findings around financial controls.

Communicating a vision
A vision is a picture of the future that is relatively easy to communicate and appeals to customers, stockholders, and employees. A vision helps clarify the direction in which an organization must move to become compliant and to maintain a consistent level of operational compliance based on the company’s risk profile and the legal requirements inherent in federal or state mandates. If an organization’s vision cannot be communicated in a five-minute elevator speech, it needs more work.

Information technology compliance is often not well understood by senior management. So communication and short-term wins with little or no expenditure can be critical to maintaining the compliance posture of the organization.  For example, implementing a training and awareness program focused on employee roles and responsibilities with respect to compliance management is often effective and certainly less expensive than most other solutions.

It is also essential to collaborate with key stakeholders to ensure effective understanding of policies and standards and to achieve corporate compliance during audits. Establishing relationships with key stakeholders such as business owners, information technology operations, auditors, and senior leaders builds knowledge and understanding of the information technology compliance management program’s value to the organization. This element of Six Sigma is directly related to the larger topic of Business Services Management and the importance of optimizing technologies in support of the business mission.

Critical Thinking
Phenomenal results can be achieved by continual drilling in simple areas. Six Sigma practitioners spend years learning to effectively engage the five core competencies to improve projects, programs, and business processes. These competencies achieve their full power as they are practiced daily and used to reinforce each other. Continual application of the Six Sigma approach and its core competencies as a framework for development and action will greatly contribute to the success of an organization’s information technology compliance program.

Institutionalizing a culture of continuous monitoring as an essential part of IT compliance management can be achieved using the best practices of the Six Sigma methodology. IT compliance should be treated as a critical corporate program, and to that end Six Sigma can be used to assist organizations in implementing a robust and effective information technology compliance program and culture.
Copyright © 2009-2012 BSMReview.com or individual contributors.
All Rights Reserved.