Building effective governance, risk and compliance with ITIL 4
November 11, 2021 |
4 min read
For organizations operating in highly-regulated and safety-conscious sectors, their culture – typically a less risk averse one – will always define the level of governance applied.
Immediately post Millennium, governance was very much about compliance. In the wake of the Enron scandal and resulting Sarbanes-Oxley legislation, this was probably unavoidable.
What’s changed today is the view that governance is just as much about helping an organization to achieve its vision and mission. In that sense, governance becomes everybody’s concern in the enterprise.
Therefore, the closely associated themes of governance, compliance and risk can be split to get a much better view of the way governance fits in to this picture.
Where does governance begin?
Board members have a significant role to play in how governance guides a company and what the parameters are.
Like children in a playground sandpit, everyone is allowed to “play”, but venturing outside the “sandpit” will need discussion, control and permission.
When setting the governance parameters, the board needs the right information. But rather than being the fount of all knowledge, the board needs only to surround itself with the right people and sources of knowledge – which may include external technical and legal advice.
This is essential for decision making and to ensure that governance is supporting the organization’s objectives, which may be about attracting the right talent or increasing reputation in a particular market.
Governance with the ITIL 4 service value system
Within ITIL 4’s service value system, the seven guiding principles are key elements to support governance.
Any organization can review the guiding principles and decide which will work in their organization and how they will be adopted.
For example, the principle “focus on value” will help establish that the organization’s governance approach is value driven. So, whenever a new process or constraints are mooted, how will value be derived?
The continual improvement element in the service value system needs to be about empowering people through trust to introduce new ideas, processes or governance arrangements, rather than exercising too much caution. If people’s decisions are based on good information (i.e. they have examined the options thoroughly and are confident about compliance), this should lend itself to better and faster decision making.
Equally, it is paramount for organizations to understand that compliance is not an endgame in itself. We can be formally measured against a rigorous industry standard or more loosely baselined against ITIL 4. Remember that a good compliance score is no guarantee that the organization will meet anything but its compliance objectives. However, there is no disguising that a good compliance score measured against a standard or best practice baseline is a powerful marketing tool for the organization and a morale boost for staff involved.
ITIL 4 risk management practice
In most industry sectors, risk is at the centre of everything you do and requires levels of governance that can react quickly to either project or business-as-usual risks.
As ITIL 4’s risk management practice emphasizes, understanding and effectively handling risk should support the management of change in an organization.
In every sector but more especially in a high-risk and safety-critical situations, the consequences of getting this wrong are unthinkable, so that requires boundaries you cannot cross – in my experience I have seen this apply equally to safety in the nuclear industry and safeguarding of school children as a school governor.
However, you a need risk model that is founded on the organization’s raison d’etre. This affects every risk and compliance decision; understanding where the red lines are but also the circumstances where they might be crossed (with attendant risk implication).
Governance: harnessing the right skills
Returning to my opening theme, whether it’s a company’s board of directors or the board of governors at my local high school, this group plays a vital role in establishing and maintaining governance.
The skills mix across the group must be right: add the behavioural competency to influence others while, at the same time, avoiding the trap of micromanagement and you are set up for quality governance.