Posted by: David Scott
[Note: You may wish to see Velocity of Risk prior to reading this post]
Recently, a colleague was crafting policy at a satellite organization. In other words, it was subordinate to a parent organization. This was not a case of one specific type of company owning another type of company, of a wholly different mission and set of products and services (albeit a common enough occurrence). This was like-companies providing the same product and service set, but having robust business operations in different physical locations, and one reporting to the higher headquarters. Further, headquarters published most policy, with minimal room for local influences or accommodations.
Interestingly enough, the satellite wanted specific policy that was further-reaching than the higher headquarters’ policy. It involved security. My colleague was careful to consider that any policy crafted, as a draft, should not violate the “trunk” of the headquarters’ policy. Further, any additional security measures should be “greenlighted” by headquarters.
And, of course, any satellite policy would have to be approved by the headquarters, wouldn’t it? “Yes,” replied this IT leader. Through careful query, I was able to determine that the IT leader felt a liability in his particular environment due to lagging policy on behalf of headquarters, and headquarters’ guidance. It was his intent to await the next regularized meeting with headquarters to lobby for local institution of what he felt to be his superior policy.
Absent approval, he at least had a policy that, in the event of a breach or bad outcome, he could pull from a drawer. Ah ha! Look what I wanted to do!
This represents a divide in communication on a couple of levels. 1) He should have called his boss upon completion of the policy. If the policy had merit, and if he can communicate effectively, he should suggest that the robust policy supplant, or be used to infuse, the headquarters policy for update, with subsequent distribution to the satellites.
Minimally, headquarters should look anew at all security measures: Solicit input from all satellites. Collect and evaluate. Use the occasion to bolster the central headquarters security policies, and distribute. Consider a degree of local freedom in allowing satellites to make proper adherence of policy to local liabilities and allied protections – all with full knowledge and approval of headquarters, of course.
Why wait? Velocity is now associated with risk. Risk does not wait.
November 4th: On this day in 1939, the first air-conditioned automobile was exhibited in Chicago, Illinois.