It’s a fundamental tenet of the “governance, risk and compliance” (GRC) set of enterprise-wide processes that a well-governed organization operates within an appropriately defined and structured framework of controls, policies and practices.
Plenty of published governance frameworks exist for almost every operational aspect of an organization to ensure that they operate as intended (and presumably also operate in support of the organization’s overall objectives).
Entire sections of the advisory industry thrive on the evolution, implementation and maintenance of these governance frameworks, and support the development of “industry standards” – setting expectations for how things should be done.
Most of these frameworks embody the concept of a “best practice,” which implies that (a) there is always a “best” way to do anything, regardless of context; and (b) the adoption of these practices will help the organization achieve its goals with a higher degree of probability than would otherwise be the case if “less than best,” non-standard practices were for some reason adopted instead.
Selecting, deploying and integrating the various governance frameworks across the organization is no trivial task. So it’s important to understand what is actually “best” in various possible contexts. The Oxford dictionary defines best practice as: “Commercial or professional procedures that are accepted or prescribed as being correct or most effective.” Correct is clearly beneficial. Most effective is a more difficult goal.
There are a few potential problems:
In terms of how you structure and operate your enterprise governance frameworks, the assumption that, by merely following conventional wisdom and relying on past success, you will also succeed in the future needs to be regularly examined and tested. In the face of volatility and disruption, an organization that is stuck with an increasingly archaic set of industry standards may have difficulty adapting to new challenges if the industry standard itself does not evolve.
You’ll need to understand the context within which the established standards were developed and ensure that the current context is still closely enough aligned that the standards remain relevant and useful. If not, you’ll need something new.
Information technology is a good example. Today, IT is integral to the operation of most (if not all) aspects of the enterprise. Hence, any assumptions about the relationship between IT and enterprise-governance frameworks need to be carefully considered. For CEOs, CFOs and boards of companies whose viability depends on effective IT governance practices, the old standards of “alignment” don’t seem to work well any more (if they ever did).
IT values stability and reliable performance because that’s how it is often measured; the business wants agility and speed because that’s what fuels growth. The consequence for a leadership team with a critical dependency on enterprise information technologies is that creating an effective governance model that links IT and the business is essential for delivering results. That isn’t an easy shift.
Shifting the perception that IT should simply be subservient to the demands of the business (the “order taker” paradigm), to one where IT is an active partner in delivering transformational value for predictable and manageable risk and cost, is a start. Bringing together the enterprise and IT GRC policies and processes and the practices that make them effective will also be necessary. Fortunately we have some emerging examples of what (potentially) works. Not yet best practices, perhaps, but clearly not the status quo either.
We all need to learn from the early movers. Pay attention.
John Parkinson is an affiliate partner at Waterstone Management Group in Chicago. He has been a global business and technology executive and a strategist for more than 35 years.