It’s a fundamental tenet of the “governance, risk and compliance” (GRC) set of enterprise-wide processes that a well-governed organization operates within an appropriately defined and structured framework of controls, policies and practices.
Plenty of published governance frameworks exist for almost every operational aspect of an organization to ensure that they operate as intended (and presumably also operate in support of the organization’s overall objectives).
Entire sections of the advisory industry thrive on the evolution, implementation and maintenance of these governance frameworks, and support the development of “industry standards” – setting expectations for how things should be done.
Most of these frameworks embody the concept of a “best practice,” which implies that (a) there is always a “best” way to do anything, regardless of context; and (b) the adoption of these practices will help the organization achieve its goals with a higher degree of probability than would otherwise be the case if “less than best,” non-standard practices were for some reason adopted instead.
Selecting, deploying and integrating the various governance frameworks across the organization is no trivial task. So it’s important to understand what is actually “best” in various possible contexts. The Oxford dictionary defines best practice as: “Commercial or professional procedures that are accepted or prescribed as being correct or most effective.” Correct is clearly beneficial. Most effective is a more difficult goal.
There are a few potential problems:
- The practices of the “best” organization in a market or business segment aren’t always going to be the best for everyone, especially if it’s not obvious why they are the best. You can argue that trying to emulate a competitor that’s a lot better than you are is actually foolish and may increase the probability that you will fail. You will probably learn most (and most safely) from those who are a little ahead of you rather than a long way ahead.
- In an environment that is generally static or that changes slowly, an accepted “best practice” generally makes sense. If followed in a disciplined fashion, it increases (and potentially maximizes) the likelihood of the intended result being achieved. After all, the approach has been shown to work many times in many organizations, and will often be supported by an extensive body of evidence that has been used to reinforce adherence to the relevant set of standards. Attempting to reinvent what’s already working well is a potentially risky and expensive endeavor. However, an accepted “best practice” may no longer be appropriate or wise in the face of fast-moving disruption, especially that which is technology-induced. If you’re dealing with a rapidly changing, innovative and disruptive competitor, the rote adherence to what had previously been a best practice may be anything other than best going forward.
- On the other hand, if you’re the one doing the disrupting, it is more likely than not that you will have already had to move away from those organizations that are still constrained by the prevailing governance or operating models based on what have been considered to be demonstrated best practices. To win you’ll need new practices, and it may take some time (and demonstrated success) to get them to be the best. That can be scary.
In terms of how you structure and operate your enterprise governance frameworks, the assumption that, by merely following conventional wisdom and relying on past success, you will also succeed in the future needs to be regularly examined and tested. In the face of volatility and disruption, an organization that is stuck with an increasingly archaic set of industry standards may have difficulty adapting to new challenges if the industry standard itself does not evolve.
You’ll need to understand the context within which the established standards were developed and ensure that the current context is still closely enough aligned that the standards remain relevant and useful. If not, you’ll need something new.
Information technology is a good example. Today, IT is integral to the operation of most (if not all) aspects of the enterprise. Hence, any assumptions about the relationship between IT and enterprise-governance frameworks need to be carefully considered. For CEOs, CFOs and boards of companies whose viability depends on effective IT governance practices, the old standards of “alignment” don’t seem to work well any more (if they ever did).
IT values stability and reliable performance because that’s how it is often measured; the business wants agility and speed because that’s what fuels growth. The consequence for a leadership team with a critical dependency on enterprise information technologies is that creating an effective governance model that links IT and the business is essential for delivering results. That isn’t an easy shift.
Shifting the perception that IT should simply be subservient to the demands of the business (the “order taker” paradigm), to one where IT is an active partner in delivering transformational value for predictable and manageable risk and cost, is a start. Bringing together the enterprise and IT GRC policies and processes and the practices that make them effective will also be necessary. Fortunately we have some emerging examples of what (potentially) works. Not yet best practices, perhaps, but clearly not the status quo either.
We all need to learn from the early movers. Pay attention.
John Parkinson is an affiliate partner at Waterstone Management Group in Chicago. He has been a global business and technology executive and a strategist for more than 35 years.