Friday 23 October 2020

Integrating GRC

Republished from June 2014.

I've been thinking about a strategy for integrating Governance - Risk - Compliance activities.  In any organization it is natural to organize around functional or regional lines.  Specialization leads to silos. Silos don't integrate well.  Our goal is figuring out how to design an organization and its business processes that maximize agility, capability, and ultimately effectiveness - that means break and/or integrate the silos .

There is overlap between governance (management and structure), risk management, and compliance activities.  Focus on one aspect without consideration of the others may not meet corporate goals like performance excellence.   To achieve performance excellence integration is our primary objective and just-enough specialization is our secondary objective. This appears to be a multidimensional problem where integration objectives, core capability (business strength and differentiation), and cross functional capability (enabling services) need to be identified.

A multidimensional solution based on capability is what many organizations need guidance on.  One of the pillars of continuous process improvement is process management and modelling.  However many organizations lack the maturity and experience in doing process modelling.  Project teams extend beyond critical processes and try to document everything.  Then there is no end goal of building this "organizational insight" into their corporate DNA.  The results are static process models that take a lot of people a lot of time with little realizable value.  However, how can you adequately determine risk without that detailed process insight as to how your business really operates?

Organizational designers should focus on a top-down problem decomposition into core and cross functional groups.  Call them practices, categories, portfolios, etc.  It doesn't matter what they are called, as long as there is a logical grouping that makes sense for the organization.  Focus on only the critical process groups; those that drive value creation, sustainment, and protection.

The following example is something I'd  propose for an energy company.  (It looks similar to the COSO cube or some of the Enterprise Architecture frameworks I've seen.)

Once this model is built, owners can be assigned in each group to move the ball towards the goal, apply PDCA, and enable integrated process and reporting.

Using Tension Models to Rationalize Competing Objectives

Republished from Mar 2015.

The Problem

A business group has a goal to improve performance, but after sustained effort the performance is not improving.

Case: Your safety leader/manager has been told to reduce the total recordable incident frequency (TRIF) by top leadership, and your team has tried all sorts of tools and methods but the frequency remains unchanged (or worse, increased.) You need to improve performance, and you have a well understood process with decent measurement in place, but you can’t seem to get break-through improvement or sometimes even incremental improvement.

There are a few common stumbling blocks in trying to solve process performance problems (not limited to safety):
  • Many objectives across an organization can be at odds with one another, and progress on achieving one may work against achieving another.
  • The analysts focus too much on the specific process or objective, and not necessarily the related processes that would enable performance within the broader context of the organization.
  • The analysts do not communicate or collaborate well with others that have similar processes or objectives across business functions, and so limit their awareness of what the relationships are, what the enablers are, and in some cases approaches on how to solve the stagnant performance problem.
  • The organization is unwilling or unable to perform process analysis at a high level across the organization (and eventually undergo a disruptive integrated process redesign.)
(Note when I used the word analyst, I mean anyone involved in doing analysis.)

To our case, a TRIF is a general measure of lagging performance. It is not a good indicator for safety performance improvement. It is multifaceted; many factors and variables are in play that span the entire organization, not to mention influencers from the external environment, and individual workers. With uncertainty, events happen regardless of controls in place that directly affect the TRIF – so a detailed look at variance may be required. The TRIF doesn't necessarily tell you what you’re doing right and many safety professionals believe performance improvement is doing more of the right thing based on leading indicators. However, using more leading indicators for measurement does not necessarily translate into measurable performance improvement.

A Solution

The first step, as obvious as it sounds, is understanding the problem. It is not obvious because the problem exists within a complex system. Part of this understanding is being able to discuss and visualize the problem systemically. We've all heard sayings like you only understand a problem when you can explain it. Performance improvement is the goal, but it is not necessarily enabled by its composite objectives. Goals are high level statements that may not be immediately measurable or tangible. On the other hand, objectives are measurable and timely. (For example, my goal is to be a rock star, and my objectives are to learn how to sing, form a band, and gather a following.)

So, where do you start? In our case, we might start with looking at the performance of individual safety programs. Possibly you've already done this and it didn't help. It may be that the performance of the safety programs are as good as they can be in their present environment; so we need to tackle the bigger systems picture to explain the lack of improvement problem in order to solve it.

Performance is meeting objectives effectively and efficiently, often supported by evidence (provided by measurement.) Effectiveness and efficiency are not the same. Effectiveness is about achieving a desired outcome. Efficiency is about using the least amount of energy to do it. However, both effectiveness and efficiency are hindered by competing objectives. There is an inherent tension between many objectives, and those objectives may be owned by different groups within the same organization (and so out of any one group’s control.)

In some business environments there is little awareness of competing objectives.  As a result the business will put effort into two directions that effectively work against improving performance in either direction.   For example, consider a company that has the following goals:
  1. innovate at all levels to improve efficiency on capex/opex
  2. a ZERO safety incident policy
  3. a risk based approach to doing business

An operations group may focus on calculated risk taking to achieve #1, where a safety and regulatory group may focus on increasing compliance and controls for #2 and #3.  Balancing safety with operations has always been a challenge, but if both groups believe they have a strong mandate the resulting tension could decrease performance for both groups.


In the December 2006 issue of HBR (under finance), Dominic Dodd and Ken Favaro had an article called Managing the Right Tension, on how good leaders are good at managing tension (sometimes without knowing they are doing it.) They focus on what matters most, and recognize that good performance on one objective does not necessarily mean good performance on another. When you have tension between two or more objectives, they work against each other and hinder momentum. Performance improvement here is not a balancing act; it is removing forces pushing in opposite directions to get movement in one direction.  Compromise, though very important, is a decision based on awareness and cooperation.

Here are some examples of tensions between objectives, and you can see there may be more than two dimensions:
  • Leading vs Lagging Performance
  • Negative Consequence vs Positive Reinforcement
  • Control vs Flexibility (like Safety vs Operating Efficiency)
  • External vs Internal Stakeholder Satisfaction
  • Old Business vs New Business
  • Whole (System) vs Part (Program)
  • Threats vs Opportunities
  • Corporate Identity vs Business Unit/Function Identity
  • Centralization vs Decentralization
  • Current State vs Ideal State
  • Accountability vs Authority vs Ownership
  • Strategy vs Analysis vs Execution
  • Time vs Cost vs Quality
Tensions are not independent. Achieving performance on different objectives at the same time requires managing competing interests of different stakeholders. Some objectives are diametrically opposed, and the worst case scenario is when you have equal force applied in two opposing directions. The key to improving performance when you have multiple objectives is to weed out overlap by identifying and communicating related tensions, and picking the direction you want to go on a “more important” objective while managing the expectations of your internal and external stakeholders when you add slack on (or remove) a “less important” objective. In addition to measuring goals and objectives set and met, you need to measure the tension between objectives.

Competing Objectives

The Competing Values Framework is a good way to illustrate tension so you can not only compromise but be aware of the "give and take."   In 1983, Robert Quinn and John Rohrbaugh published a paper in Management Science called A Spatial Model of Effectiveness Criteria: Towards a Competing Values Approach to Organizational Analysis. From this was born the Competing Values Framework that proposed that corporate values (their motivations and outcomes) could be plotted on a quadrant chart with a structure axis by a focus axis. This chart is an easy way to frame and articulate tension between competing values (and in our case objectives.)

Plotting on this diagram shows where objectives compete, but it also helps leadership decide where they really want to move in a direction. The position of where objectives are on the chart will change over time based on the corporate strategies and business drivers.

You can also see where traditional approaches using some best practice improvement tools can falter. For example, process management and mapping will work well in an organization mostly in the Internal Process Model quadrant, but will fail to keep up (or add value) in an entrepreneurial environment under the Open System Model where processes may be intentionally dynamic and undefined.

Integrative Thinking

In the Fall 1999 edition of the Rotman Management Magazine, Roger Martin and Hilary Austen wrote an article called The Art of Integrative Thinking. “Integrative thinkers embrace complexity, tolerate uncertainty, and manage tension in searching for creative solutions to problems.” When you are dealing with big picture performance issues on an enterprise scale, there is a great deal of complexity and uncertainty. To solve these complex problems, Integrative Thinkers exhibit these traits:
Salience knowing what is relevant
Causality identifying the critical relationships, building a robust model (and handling ambiguity by having several models)
Sequencing attempting to identify steps (that may not always be ordered)
Resolution managing the tension
Many people do not grasp either uncertainty or complexity easily that is why we try to simplify complex problems through models; identify inputs and outputs, and the various processes of transformation in between. (If we don’t do that we go on feelings of urgency and importance, and feelings are not factual evidence for good decision making.) Most business processes are stochastic which means you can be in many states or processes at once and there isn’t always an ordered progression through those processes. So in solving these systemic problems, you need to engage individuals that exhibit integrative thinking, possibly from multiple disciplines, with deep organizational and process insight.

Visualization and Communication

Plotting competing objectives on the Competing Values quadrant chart can be a valuable but also a subjective exercise. So another way to quantify the problem is, after you’ve identified the competing objectives across the enterprise and their various critical relationships, use a Likert scale and perform a survey. For each point of tension use a "blind" survey (that means the points of tension are not collocated and could be presented randomly) and state the objective in terms of its value or outcome. Use a Likert scale to evaluate the response:
  1. strongly disagree
  2. disagree
  3. neither disagree nor agree
  4. agree
  5. strongly agree
For example, the following questions illustrate control vs flexibility related to safe work.
Q1:Controlling hazards and other risks is only achieved through consistent application of mitigative procedures.
Q2:Operational efficiency is achieved by letting workers use their best judgement of what (and when) processes and procedures should be applied.
After surveying a healthy sample of the workforce (from leaders through to trench workers) with a carefully designed survey, produce a bubble chart (using Excel) to show the relative size of the responses.

This visualization shows you where opinion is on an individual objective, but we can gain further insight by adding its competitor showing 1) the distance between objectives, 2) where the midpoint is, and 3) the weighting (momentum) each objective has.

The above example shows a sum of weighted responses (the Likert level [1..5] was used to weight the number of responses at that level.) The assumption is that for a negative response (strongly disagree) the objective carries little weight with the responder and collectively may show little momentum for the objective.

When presented with other objectives, you begin to get a picture of the tension and momentum each objective has in context. If you group the objectives that have high tension (great distance and equal weight), you can perform deeper analysis as to why the tension exists and make decisions on whether or not to relax (or eliminate) one of the objectives in order to get progress on the other - and so debottleneck the performance improvement.


By identifying, measuring and communicating tension between objectives, you can target competing objectives that can be communicated and/or modified to unblock performance improvements.

The steps, in general are:
  1. Identify the top corporate objectives for each business unit or function.
  2. Identify the relationships between the objectives, specifically those that are in competition with one another, and those critical to the business.
  3. Frame the problem by plotting the competing objectives on a chart, and highlight the alignment with corporate values and business drivers.
  4. Combine common tensions, identify the relevant ones, and put together a survey that can be used to quantify the tension.
  5. Review and socialize the analysis of the survey results such that leadership can make fact based decisions on which tensions need to be relaxed or removed for progress.
You can narrow the focus by looking only at a subset of tensions, as to our case, ones that related to safety performance.


Managing The Right Tension
Quinn, Robert and John Rohrbaugh, “A Spatial Model of Effectiveness Criteria: Towards a Competing Values Approach to Organizational Analysis”, Management Science, Vol. 29, No. 3, March 1983
The Art of Integrative Thinking
The Likert Scale

Thursday 19 September 2019

How do you Re-energize a workforce?

Drive... what a great book. And great TED talks.

One thing though, many of the things Pink describes in "Thirteen Ways to Improve Your Company, Office, or Group", I've tried them in several jobs. But they don't always work!

I have tried:

  1. Time for the non-comissioned big idea.
  2. The 20% "Operations Excellence" time.
  3. The Google or Fedex day.  (Or the Hackathon.)
  4. Inversion of control.

I have not tried:

  1. Autonomy audits.
  2. DIY performance reviews.
  3. Peer-to-Peer performance reviews.

The problem is how to foster intrinsic motivation?

I've been in big ideas meetings where literally I was the only one putting out ideas. And this was at a time when myself (and most of my PM peers) were getting assassinated by management.

I've been in a group where the first Hackathon was scheduled with good participation, but the next had no engagement. Turns out engineering had a hate on for management because of lack of transparency.

I've been promoting hackathons and OE time when management fully supported it. Yet few wanted to participate because there was so much fatigue due to non-delivery. There was no trust in management, because there was no perceived leadership.

So what I really want to know (Do I really want to know?) is how to do a Whole 30 style reset of engineering and product culture - to get a toe hold back in building the relationship between engineering and product.  Ideas?  Anyone?  Bueller?  Anyone?

How to rebuild trust. How to regain enthusiasm. How re-energize the organization.

When I figure it out, I'll let everyone know.

Friday 3 July 2015

Transferring Domains

Sorry, I've been offline for a few weeks.

Recently I transferred a domain from Network Solutions to GoDaddy... there were some hick-ups. First Network Solutions didn't want to let me go (and give me my transfer confirmation key) without a big upsell.  Any information on the web that you can do this without talking to someone is wrong. Second, the registrant contact info was so old on Network Solutions that it didn't appear to come from any current record I had there and so the email address notifications were going to didn't exist anymore.  That got solved when I updated the information in GoDaddy after transfer (and getting some warning messages on other contact accounts.)  Finally, DNS is not automatically transferred, so I lost my zone file.  I had to detach the DNS from Network Solutions manually and create the zone file on GoDaddy (and hope I didn't forget any of the Google special auth URIs.)

Hopefully now it is all better.

Sunday 13 July 2014

Technology Road-map Outline

I've been considering the following outline for a technology road-map.  My main goals are to focus on the gap assessment between current state and trends, and the risks and relationships between the parts.

1. Vision, Mission, Goals
2. Business Drivers
3. Business Capability
4. Maturity Assessment / Measures

Shared Governance
5. Stakeholders
6. Workflow / RASCI / Structure
7. Communication Plan
8. Organizational/Functional Relationships

IT Risks and Strategy
9. Technology Trends
10. SWOT Analysis / Key Risks
11. Contingencies / MoSCoW
12. WISE Grid

IT Tactics
13. IT Alignment
14. Concept Diagrams (As-Is, To-Be)
15. Context Diagrams (As-Is, To-Be)
16. 5 year Gant (-1,this year,+3)

IT Details
17. Dependencies
18. Initiative Details with CAPEX/OPEX
19. Parking Lot
20. Sign off

I've thought about a section of success and accomplishments; something to show measurement against objectives.

Saturday 12 April 2014

How to Kill Innovation

It annoys me sometimes when people introduce me as "The IT Guy."  I went to school to become a computer scientist.  Computer science is about creating and/or synthesizing solutions to problems following the scientific method.  It is innovative and it is creative.  IT is about management.  It is a profession that, for the most part, is about control.  Control and innovation are at different ends of the spectrum.

Aaron Schwartz (1986 to 2013) was a brilliant mind who went places he shouldn't have gone and did things he shouldn't have done.[1]  He had a thirst for knowledge and he believed it should be free.  This got him in a lot of hot water, even given his accomplishments, and ultimately he took his own life rather than face massive fines and jail time for stealing academic knowledge.  His end purpose for this knowledge?  Increasing his intellectual ability.  How many of us have had our wrists slapped for doing the wrong thing for the right reason?  (In my professional life, I can think of numerous reprimands for doing the right things for the right reasons.)

Aaron tried unsuccessfully to get on the board of directors at Wikipedia; as his intuition told him things were not quite right at this breakthrough of community involvement and intrinsic motivation.[2][3]  The momentum of Wikipedia was immeasurable.  Wikipedia as a source of knowledge was game changing and saw the death of Encyclopedia Britannica and Microsoft Encarta.  The biggest collection of human knowledge ever collected and edited by volunteers.

And here is what changed.  The momentum stopped.  A small portion of content was being vandalized.  So control was needed, and Jimmy Wales facilitated the rise of the administrator.  He justified it by saying that only 500 or so core people contributed content.  What Aaron showed was that there were outsiders and insiders, and outsiders - infrequent expert contributors - accounted for most of the new content, while insiders provided most of the editing.  So Jimbo focused on supporting the insiders and the new administrators.  Though the motivation of the editor was to maintain a consistent quality, the motivation of the administrator was to implement control.  Outside contributors started to decline.

I and others have experienced this personally.  I stopped contributing to Wikipedia last year.  I tried to start an entry about the accomplishments of my recently deceased father.  He did a lot of good things for the City of Calgary that had not been recognized.  I have (he had) volumes of photographs of Calgary history that you wouldn't find in the city archive.  So I started the draft Wikipedia entry.  By the time I had the outline done, the draft had already been tagged as non-standard for deletion by an administrator.  By the time I figured out what was wrong, it was expunged.

A good friend who is very active in the tropical fish community was an avid contributor on the topic.  He was disappointed so many fish on the tropical list didn't have pictures.  So he reached out to the community to contribute their personal photographs - copy left - under Wikimedia.  He had a great response; over forty contributions, that he started to link into the Wikipedia page.  After a few, an administrator tagged the images as "stolen" because they were" too good" to be free.  The justification, later learned, was that he found one image contributed to a photo stream site by the same user whom contributed it to Wikimedia...  Wait a second.  An enthusiasts posts a picture of his fish to the public, grants public license, and that's theft?  And justification to remove 40 superb images?  Suffices to say that was the last time my friend contributed to Wikipedia.

Motivation is a fragile thing.  It doesn't take much to quash enthusiasm. Those two things are the keystones of innovation.

Wednesday 15 January 2014

It's the Little Things that Count

It has been a while since I posted from the Armchair but today I was reminded of something so important to IT shops: It's the little things that count.  I did a quick job for a company - an out of band job - in that their internal IT was not able to do it - and it took me 23 minutes.  15 minutes of that was trying to figure out what the problem was.  Another 5 minutes to generate a wee bit of VBA code to change all control formats in an Excel spreadsheet.  And two days of someone's time saved (multiplied by how many spreadsheets, and there were a lot, as they were audit worksheets.)

I felt good about this.  This is one of the reasons why I liked being in IT: helping clients, saving time, saving money, and saving frustration.  And then the reflection on my past experiences and why I was popular in groups I worked in and why the IT machine disliked me.  Productivity solutions are not big projects.  They're tiny things.  They don't require high priced software or managers.  It is the practical execution of LEAN principles.  Identify those little, repetitive things that waste time and money and get rid of them.

In three local companies over the last 10 years I saw the "office productivity" groups get disbanded.  Each of these groups had "too much work" yet were eliminated anyway. They were very popular in the organization because everyone used PowerPoint, Word, Excel, and even Access and had these tools on their desktops. End users just needed a little bit more out of those applications - slightly beyond the reach of a power user. Personal productivity software is often the right tool for the job.  But big IT seems hell bent on killing the spreadsheet, etc.  Why?  Because its not manageable.  Because its not supportable.  Says who?

Says the person who measures themselves by projects and project price tags.  IT is ultimately a service within a company.  Technology enables people to work effectively and efficiently.  Isn't it fascinating how IT is trying to reposition itself these days as the agent for business transformation?  We can help our internal clients do better by being champions of continuous improvement.  Unfortunately many C.I. groups I know are very keen to coach others on how to work better without actually being able to do the work.

Givers Take All from McKinsey is a fascinating article about corporate culture that promotes the belief that workforces that help enable each other are the most productive.  For me that is true transformation: break IT silos and help lighten the load.