Category Archives: Resource Hub

Leaning into risk to stay in control

It was a lovely Saturday in Snowbird, and I was so excited to spend the next couple of hours with my friends exploring the trails going down a mountain I’d never been on before. Based on my experience with downhill skiing in Europe, and the fact that I am very risk averse, I made it clear on the chairlift during our trip up that I am happy to do any colour trail as long as it is prepared (groomed).

“Sure, no problem.. no moguls, promise” was my friend’s response.

And with that said, we set off on our very first run down. From the top of the lift, we turned right and the two boys dropped down a trail that started a few hundred meters further on the right, and I followed onto what I now know is called “Gad Gully”, a narrow black slope with (you guessed it!) moguls. My heart was in my throat, as this run was steep, with lots of moguls, and the worst bit is that it’s also quite narrow, so there isn’t a lot of room for mistakes.

I slowed down after a couple of near accidents (involving other people and some trees) and had to remind myself of the basics of skiing: lean towards the valley and keep your weight on the tips of your skis. Man, it was difficult and it took all my mental strength to do it, but I knew it was the only way I would make it down that mountain alive and in one piece.

I made it down and the adrenaline rush was amazing! That was definitely outside of my comfort zone. I was scared and elated at the same time. And also extremely proud because I didn’t give up – I worked my way through it and lived to tell the tale.

Why did I want to share this experience with you? Because this week we were talking about risk leadership and how this is more than simply analysing, recording, and managing risks. A true risk leader shows the vulnerability to share where there are unknown threats to the business, or where there are internal vulnerabilities due to unclear or immature processes. A true risk leader also knows it’s alright to stop and consider the best course of action: to pause and think about the best way forward to make sure you get out of the situation alive and improved.

You know when to push through and when to stop and think.

Experience and skill

As risk leaders we need to be confident in our skill level to approach the vulnerabilities and threats. We have past experiences to draw from, and if this is not the case, we need to find people around us that we trust so that we can draw important learnings from their experiences.

The team you have around you must also have the skills to understand the situation they are in and to assess it correctly.

Back to my ski trip – it’s because of my decades of experience and many hours of private lessons in the snow that I had the skill set to assess the situation correctly and had the ability to chart a course down the hill.

My question to you is: What training do you need to commit to, for you and your team, to navigate your business through the potential risks coming your way in the next 3 – 5 years? What do you need to know to be compliant with industry and legal regulations? How can you support your team to perform to the best of their abilities?

Are you leaning into the risks ahead of you? Do you have a proactive approach to external and internal threats? Or are you defensive and trying to avoid all the risks?

I know from my ski experience that being defensive would have put me on the back foot and I would have ended up in a place I didn’t want to be. It’s only because I was literally on the front foot and tackling the situation head on, but with a calm perspective and attitude, that I managed to make it through a potentially dangerous situation alive and learn a lot of lessons from it.

Some questions to ask to become a better risk leader:

  • Who should be included to cover the entire organization’s security and business needs?
  • Who has responsibility and accountability for treating and managing the risk?
  • What information security risks exist in the environment in which your business operates?
  • Do processes monitor your organization’s ability to re-evaluate risks and adjust controls effectively in response to changes in its objectives, its business and its external environment?
  • Do you believe that additional, specific regulatory guidance on cloud risk management is warranted?
  • What are your information and process requirements when completing the third-party risk management process?
  • Is your supply chain protected from threats initiated against the organizations, people, information, and resources that provide products or services to your organization?

How to get clarity within your business and avoid costly assumptions

How confident are you?

As a Project Manager or Risk Manager, you are quite comfortable with the concept of risk. You are trained to identify risks, discuss them, and address them based on their impact and priority.

However, the risk that is often misunderstood or even neglected is the risk of assumptions. Especially when a team is growing, you need to spend time documenting the way you make decisions. What is the basis of your analysis? Where do you go for the definitive answers?

Why is that?

Look at this picture: it shows a ‘team’ of only 7 people. The lines represent internal communication, with no form of hierarchy.

The more people you have in your team, the more information is going to be lost in translation. This is why the quality standards place such emphasis on documented policies and procedures: not just setting them up, but the team adhering to them and using the information from a single source.

Everybody is guilty of setting up their own systems, storing their own documents and keeping their research methodologies private. You may not do this on purpose, but it happens. The downside of this is that different team members start basing their decisions off different information sources.

During my quality management training, it was often said that a decision made on wrong information has more risk potential than not making a decision at all.

That’s one of the reasons why our Self Assessment Toolkits are based on the principle of the power of questions.

If you don’t ask the question, you will never find out whether everybody has a different answer. In your head you may assume that each person has the same answer, or you assume that it is clear and obvious. But it isn’t until you actually ask the question that you find out this was never the case.

Asking your team members where they store their analysis documentation offers great insight into the discrepancies. Some store it on their local computer, others in a file management system, and others use cloud-based solutions. While this seems like a silly and overly simplistic example, it may actually have major risk impacts.

Some industries (financial or government) have legal requirements that all their data is stored onshore. If data is found to be stored on an international server because cloud storage was used, the company may be fined. Or perhaps first-party personal data is stored on a local drive, against GDPR regulations; this too could pose a risk for the company. And saying ‘I didn’t know’ is not a good enough answer. You should know, and that’s why you have to ask these questions.

How do you make people follow the rules?

Everybody in your team needs to be fully aware of the way your business works. Obviously this is a skill-building opportunity, and you can organise a workshop or training to bring everybody to the same level.

Deeper than that – ongoing discussions on your company culture and core values are an important basis for the alignment of the individual team members. Start with creating clarity on your company core values before you build the understanding of the risk and compliance requirements.

Once that is clear – create a single source of information and make using this system the most intuitive and easy way to work.

When people have to use multiple systems with manual copy-paste actions, it’s a recipe for disaster as there are too many manual steps that just scream error rates! And when it’s too hard, people will come up with their own processes to follow.

So I guess you don’t just ask the questions, but also listen to the answers… and I mean really listen. Check in with the people in your team on how they use the systems, data sources and information to make decisions and translate their lack of clarity into better processes, procedures and systems.

What is the Service Management System in ISO 20000?

Why do we need the ISO/IEC 20000 standard?

Getting your ISO 20000 certification is all about showing (with documented evidence) that you have control over the processes, policies and procedures to deliver services as per the agreed needs and demands of your customers.

Do not confuse this with your professional development certification – ISO certification is for your business, or at least a contained portion of your business determined by the scope of the project. (This is important, more about that later).

ITSM – implementing IT Service Management, or the management of your IT services, has been tricky for many organisations in the past few decades.

There are so many different frameworks and methodologies – there is DevOps, COBIT, Lean IT, Microsoft Operations Framework and of course ITIL.

What is IT Service Management?

IT Service Management is the management of all processes that cooperate to ensure the quality of live services, according to the levels of service agreed with the customer.

It addresses the initiation, design, organization, control, provision, support and improvement of IT services, tailored to the needs of the customer organization.

The term IT Service Management (ITSM) is used in many ways by different management frameworks and organizations seeking governance and increased maturity of their IT organization.

Standard elements for most definitions of ITSM include:

  • Description of the processes required to deliver and support IT Services for customers
  • The purpose primarily being to deliver and support the products or technology needed by the business to meet key organizational objectives or goals
  • Definition of roles and responsibilities for the people involved, including IT staff, customers, and other stakeholders
  • The management of external suppliers (partners) involved in the delivery and support of the technology and products being delivered and supported by IT

The combination of these elements provides the capabilities required for an IT organization to deliver and support quality IT Services that meet specific business needs and requirements. IT Service Management gives the following benefits to the customer:

  • Provision of IT services becomes more customer-focused and the relationship between the service provider and the customer is improved through agreements about service quality.
  • The services are better described in customer language and in more appropriate detail.
  • The availability, reliability, cost, and other quality aspects of the service are better managed.
  • Communication with the IT organization is improved by agreeing on points of contact.

What is a Service?

A service is a means of delivering value for the customer by facilitating outcomes the customer wants to achieve.

It is important to note that a service is generally intangible.

The term service as used in the standards document means the service or services in the scope of the Service Management System (SMS for short).

What is a Process?

A process is a set of interrelated or interacting activities that use inputs to deliver an intended result.

The construction of a process is rather simple and involves detailed documentation of the following components:

  • Inputs – what the process must have in order to begin, such as information, tools, and triggers.
  • Triggers – an event that invokes the process or an activity within the process.
  • Outputs – what the process must deliver in order to achieve the desired outcomes. Outputs are always tangible.
  • Activities – the process steps necessary to transform the inputs into outputs.
  • Roles – the people, systems, or tools used to execute the process.

Words are important in the ISO/IEC 20000 standard – especially the words SHALL vs. SHOULD.

Part 1 = system requirements

The current edition of ISO/IEC 20000-1 was published in 2018 (which means that the 2011 version has been withdrawn).

The requirements specified in this document include the planning, design, transition, delivery and improvement of services to meet the service requirements and deliver value.

Part 2 = Guidance on application and implementation (should statements) – published in 2019. It’s all about how to interpret and implement the standard.

First things first… when talking about standards, we need to talk about SCOPE. Listen to the video on the description of the scope in the standard and why this is so important.

Some questions to ask when discussing ISO 20000 internally

  • How does a software provider ensure that users understand how to use systems?
  • Which interfaces exist between systems?
  • How robust are the processes in place to identify and make efficiency improvements?
  • Have policies, procedures and processes been revised or developed to support the new way of work?

** These questions appear in the ISO 20000 Self Assessment Toolkit

How to Simplify Your Risk Management System

Risk management is a big and complex topic… but that doesn’t mean your approach to risk management has to be. In fact, the simpler it is, the more likely it is to be adopted and successful. Understanding the 7 levels of process maturity can keep you in compliance and mitigate your risk exposure. 

RECOGNIZE

Admitting the need for change is always the first step. But you can’t admit that need until you recognize the nature of that need. Whether you’re just starting with risk management or managing a long-neglected risk, it’s important to examine the risks that threaten your company and your ability to manage them. Is your organization fully compliant with good clinical practice? If not, then it’s time for a change. Make sure you communicate that to all the relevant stakeholders so you can get the ball rolling on these changes.

DEFINE

Risks can come in all shapes and sizes. Financial, reputational and moral risks are just some that may impact your company, and your management and staff should have a pretty good idea of what they are – and what they could be in the future. Gather them together and brainstorm the possibilities.

Once you have these risks defined, identify which have the most realistic potential of disrupting your operations. Decide which strategic approach makes the most sense: avoidance, acceptance and mitigation, or reduction.

MEASURE

Even if you haven’t begun your risk management, it’s time to gather whatever relevant data is available to you regarding that risk. How is your company performing around that risk? How has that performance evolved? Recording and storing this data will help your company measure and track your risk management process over time.

ANALYZE

Once the relevant data is collected, analyze it. Record the causes of risk as well as your assumptions. Track your company’s risk management progress over time. From this analysis you may establish processes to assess ethics and compliance risk.

You’ll want to include plans for a quality assurance team that will check the accuracy of your internal assessments. Having this internal check will help ensure there are no surprises when external auditors or regulators show up.

IMPROVE

Done correctly, the analysis phase should highlight areas for improvement. Using these insights, develop practical solutions tailored to your organization. Innovate, establish, and test potential solutions to problems with relevant stakeholders.

New threats may emerge at any time and sometimes your solutions simply won’t work. Make sure your plan is flexible enough to adapt to evolving circumstances and make updates as necessary.

The key to success is regular assessment and improvement. Staying on top of compliance demands is essential as well. In addition to the other relevant risks, make sure every assessment you perform covers compliance risks.

CONTROL

With your solutions in hand, it’s time for action. Communicate them to relevant executives, key managers, and employees so they can buy into the process and execute. Make sure to include a plan for auditing their compliance as well, ensuring that everyone is held accountable and issues can be addressed quickly.

Ask the right questions to make sure you have the necessary control over all aspects of your company’s strategic risk response. Everything should be accounted for. This includes the triggers that initiate responses to risks, the individual tasks and activities employees must take in response, and the ability to accurately forecast deliverables and outcomes in these situations.

SUSTAIN

Setting up a risk management system takes time, and it’s important to protect that investment by sustaining your program through a continual review process. This could be an annual, monthly, or quarterly review, depending on what works best for your business.

No matter the size of your organization, it’s always possible to miss something. Stay on top of trends by seeing what other organizations are doing.

How to Protect Yourself against Employee Misconduct

Misbehaving bosses and employees are a fact of life. At some point, every organization will likely have to deal with them. But when the misconduct crosses a line, the fallout can ripple through your company costing you millions. Between hits to your reputation, fines, lost clients, decreased productivity, ongoing litigation, and increased insurance premiums, hanging onto bad employees can be an expensive mistake.

Here are 3 things you can do right now to protect yourself from the bad behavior of your employees:

Create a compliance program

If you don’t have a set of policies in place that address misconduct by employees, create one that clearly outlines what is and is not tolerated at the company and the associated consequences. Be sure to consult with attorneys and other experts to ensure that these policies are legal, enforceable, and match the needs and expectations of your organization.

Next, you’ll need the buy-in of your managerial staff. It’s up to them to communicate the mission and vision of the compliance program to employees. This messaging should be robust, scalable, and repeatable. Having a method for doing this should provide your managers with the tools they need to deliver these messages to your employees effectively. The better these messages are communicated, the lower your risk of employee misconduct.

While your managers will play a significant and important role in the rollout of these messages, they cannot do it all on their own. To really make sure everyone knows about them, you’ll need compliance training and a code of conduct for employees to sign on to. Taking the time to train employees on the intricate ins and outs of your policy will help clear up any ambiguities in the code. Having them sign on to the code will communicate its importance to their continued employment and send a message that these codes of conduct are serious business.

Incentivize compliance and enforce consequences

Laws are only useful when they are enforced. But enforcing the laws you’ve made may require additional resources. Assuming you planned for these during your policy formation phase, the next step is to gather the resources you need to enforce compliance through auditing and investigation.

Make sure employees are aware of the legal implications of non-compliance – both for the company as a whole and for them as individuals should they be held personally liable. This should be done throughout the program messaging, training, and in the actual code of conduct.

With enforcement resources in place and the stakes around compliance known, it’s time to formulate and implement screening standards for employees. These standards should be robust, scalable, and repeatable processes that provide your company with the assurances it needs to mitigate the risks you face.

Assess risk and be prepared

Once you have a documented and well-communicated set of policies in place, you’ll need to prepare for the worst-case scenario. Begin by identifying potential areas where misconduct could take place and perform the necessary audits to ensure policies and procedures are being followed.

Next, consider those groups who would respond to a violation, such as regulators, law enforcement, shareholders, employees, and even the general public. What do they expect from your company? How do they expect you – and your brand – to resolve the issue?

Having a response plan in place will allow you to respond quickly and decisively to a crisis, in a way that inspires trust and confidence in your stakeholders that it won’t happen again.