Most customers react when a new version of their product becomes available, and while there are technical and business reasons to move to a new version, the question is always raised: "How does this add value?" The obvious reason is to stay on a supported release so that bug fixes are available when problems arise. However, our experience has produced several ways to increase the value you can gain from an upgrade. Here are three cases, with examples, that might apply to you. Consider them while building your case for an upgrade project.
Implement new features with the upgrade and eliminate manual processes

One customer had only the bare-bones SoD (segregation of duties) analysis and emergency access features of their GRC product operating. Most GRC products, however, include components that let customers automate user access reviews and the security request process. In this case the additional functionality was enabled as part of the upgraded system, which allowed the customer to replace expensive manual methods of analyzing conflicts and selecting mitigation options. They also replaced the arduous manual access certification process.

Rethinking how things operate

Sometimes the upgrade provides the opportunity to ask how the current process can be made more efficient, or, as in this case, whether the upgrade can be used to resolve some repetitive audit issues. This customer had no formal process for approving the mitigating controls used to resolve SoD conflicts. As a result, mitigating controls were often applied to eliminate conflicts, but auditors found that the procedures those controls described were not actually being followed. In addition, many acquisitions and reorganizations had made the process even more complex, because each change to roles and assignments tended to create new conflicts, and the reorganization and consolidation activity was not expected to slow down. Resources were limited both for keeping up with security changes and for resolving user conflicts in a timely manner. By implementing the provisioning features with the upgrade, the team was able to keep pace with organizational changes and to automate a standard approval process for resolving conflicts.

Improving the rule maintenance process

The realization that GRC is not a project but a journey came to a customer who had done nothing to their rules since the initial installation project was completed two years earlier. Unfortunately, the implementer had not included a maintenance process to keep the business rules for access current with business and technical changes.
As a result, no custom transactions or newly introduced transactions had been incorporated into the rule set since the initial project ended, and there was no process in place to gauge how many new transactions or business changes had accumulated. In some cases important changes had been made and significant risks were going undetected. An upcoming audit raised the priority of this issue. When the upgrade was performed, the rule set was analyzed and updated. In addition, a rule maintenance process was put in place that enabled them to avoid audit deficiencies and keep up with future business and technical changes without having to consult support.

The news is full of replays of the Ray Rice video. Just a few months ago it was replays of the recorded conversation between LA Clippers owner Donald Sterling and his girlfriend. In both cases the commissioners were forced to decide on the punishment or position that would best save face with the public. The news media frenzy was full of opinions, and analysts were busy second-guessing the decisions. Even other players got in trouble tweeting their opinions about the deplorable actions of the player or owner. There is no doubt in my mind that players are educated when they come into the league about how to protect their financial assets from scammers, what the rules are for attending practices, and so on. Each of the teams does this to avoid losing the services of personnel and to make sure players are able to focus on the right things. Most of the behavior is predictable. So I ask: why isn't the negative behavior predictable? It seems organizations need to define what the bad behavior is and make its costs well known to owners as well as players. Why should this be one poor commissioner's choice? That is a good way to lead a commissioner who serves the owners to failure. A more proactive approach would be to establish which behaviors, positive and negative, are acceptable and unacceptable.

In addition, the rewards or penalties appropriate to each should be set out as policy so the decision does not become a case-by-case issue. I know the Green Bay Packers take extra care to research the character of proposed players before they are added to the roster, because they do not want their close-knit relationship with their hometown fans compromised. It is hard to damage the value of this very popular entertainment monopoly, but if incidents continue the devaluation could be huge. These incidents are not new, but they are now accentuated by social media and the news media's thirst for emotional and controversial stories. Until the incentives and penalties are clear, negative publicity will continue to injure the organization's value. The same issue also applies to organizations that have disastrous events occur in the public domain. The biggest recent example is the huge BP oil spill. BP is now trying to repair the damage by telling people about all the jobs it creates as a result of its business. This does not even approach the number of jobs that were destroyed when imprudent judgment on well testing led to the biggest offshore disaster yet. The company has also experienced other life-threatening events at its plants in Texas, such as refinery fires and explosions. This disregard for the environment will cost organizations. Organizational leadership could avoid such problems by building a behavioral ethics program. A proactive program can avoid negative impact and at the same time improve performance by reinforcing the right behavior and penalizing the wrong behavior. The time has come for all good leaders to come to the rescue and make proactive ethics policy and programs a higher priority in their organizations! I think such programs already exist in organizations we don't hear about on the news!
Authors: Assorted members of the CAG Team providing insightful information on current topics related to GRC, Security, and Audit.

Archives: July 2016