Five Core Competencies of IT Compliance Six Sigma
By Chrisan Herrod, executive editor, The Compliance Authority
Peter Allen's song "Everything Old is New Again" is a truism that applies in the world of Business Process Re-engineering (BPR). Six Sigma methodologies clearly fall under this rubric and are fashionably back in vogue in the world of IT management. IT compliance management is a critical component of information technology processes and procedures and therefore should be treated as a "core competency" when analyzing the success factors of IT organizations. Using the Six Sigma approach can help organizations successfully integrate IT compliance management into their overall operational risk management and regulatory compliance management programs. This is particularly important because a recent study by the Business Performance Management Forum states that "while compliance is definitely a management concern, policies and procedures are yet to take hold, enforcement seems to be a loose concept, and management's general familiarity with issues around compliance is painfully lacking."
The Six Sigma methodology includes five core competencies: performance, change, communication, collaboration and critical thinking.
Performance
The most difficult aspect of applying Six Sigma to IT compliance management is defining how to assess the performance of an IT compliance program.
For years the IT field has struggled with the best ways to demonstrate the value of IT to senior management. Defining a return on investment (ROI) is a sticking point because the conversation always seems to drift into soft claims that cannot be quantified. For example, claims that non-compliance will lead to loss of brand or a decrease in market value are perfectly valid. However, they do not establish a cause-and-effect relationship between the financial impact and IT compliance management.
Using performance measures such as the balanced scorecard helps frame the ROI argument, and metrics add credibility to the ROI discussion. The balanced scorecard approach gathers information about all the significant business processes of a company.
Metrics define what is to be measured. Some metrics are specialized and cannot be directly benchmarked or interpreted outside a mission-specific business unit. Other measures are generic and can be aggregated across business units: cycle time, customer satisfaction, and financial results.
Quantitative performance measures are difficult to develop for IT compliance management. It is generally impossible to make statements like "continuous monitoring of the network, active scanning, and evidence collection and aggregation will protect a network 3.53 times better than quarterly monitoring alone."
As difficult as it may be to measure compliance activities, or even to connect them to specific outcomes, it is essential to strive for a results-based program.
Embracing Change
Another key principle of Six Sigma is embracing change and modifying processes and behaviors to adapt to it.
The most casual observer of technology, society, and the environment would agree that change is pervasive and that the rate of change is radically increasing. In the 5th century B.C., the Greek philosopher Heraclitus of Ephesus observed, "There is nothing permanent except change."
The flux and chaos that often result from having to comply with multiple regulations present opportunity, both for an organization and for those managing the IT compliance program.
In the world of IT compliance management, the core competency of change, once mastered, is an organization's strength. Organizations that are effective and efficient at change can strengthen organizational information-technology policy as the result of audits. And they can increase the number and effectiveness of automated access management and identity management features when the enterprise is forced to move quickly to address audit findings around financial controls.
The key success factor for change management is the skill and commitment of the leadership team implementing the approach, rather than the approach itself.
Change management includes two key elements:

Establishing a sense of urgency. This is particularly important in the area of IT compliance, since regulatory requirements are often redundant and auditing is tied to regulatory timelines, which often overlap.

Forming a powerful guiding coalition to gather a large initial core of believers. The guiding coalition for change will need a small group of three to seven people leading the effort and working to bring others on board with the new ideas. The building of this coalition, its sense of urgency, and its sense of what's happening and what's needed is crucial.

Centralizing the IT compliance management function and forming an IT risk management review committee are two ways to achieve the Six Sigma approach to coalition building.
Communicating a Vision
A vision is a picture of the future that is relatively easy to communicate and appeals to customers, stockholders, and employees. A vision helps clarify the direction in which an organization must move to be compliant and to maintain a consistent level of operational compliance based on the company's risk profile and the legal requirements inherent in federal or state mandates. If an organization's vision cannot be communicated in a five-minute elevator speech, it needs more work.
Information technology compliance is often not well understood by senior management, so communication and short-term wins with little or no expenditure can be critical to maintaining the compliance posture of the organization. For example, implementing a training and awareness program focused on employee roles and responsibilities with respect to compliance management is often effective and certainly less expensive than most other solutions.
Collaboration
It is also essential to collaborate with key stakeholders to ensure an effective understanding of the policies and standards needed to achieve corporate compliance during audits. Establishing relationships with key stakeholders such as business owners, information technology operations, auditors, and senior leaders builds knowledge and understanding of the information technology compliance management program's value to the organization.
Critical Thinking
Phenomenal results can be achieved by continual drilling in simple areas. Six Sigma practitioners spend years learning how to effectively engage the five core competencies to improve projects, programs, and business processes. These competencies achieve their full power when they are practiced daily and used to reinforce each other.
Continual application of the Six Sigma approach and its core competencies as a framework for development and action will greatly contribute to the success of an organization's information technology compliance program.
Institutionalizing a culture of continuous monitoring as an essential part of IT compliance management can be achieved using the best practices of the Six Sigma methodology. IT compliance should be treated as a critical corporate program, and to that end Six Sigma can be used to assist organizations in implementing a robust and effective information technology compliance program and culture.
References:
Balanced Score Card Institute, "Measures and Metrics," 2006, retrieved from Balanced Score Card Institute.gov on 8 March 2006.
Government Accountability Office (GAO), Report on Performance Measurement, 2005, retrieved from GAO.gov on 8 March 2006.