It’s the 30 year anniversary of Robocop this year and it would be remiss of me not to post about one of the all-time greats and tenuously link it to today’s world. I’ve been through the wringer of compliance from the ISO through to PCI and every stress-laden step in between, so you get to hear my ramblings lucky reader.
Check out the range of available guidelines, there’s an ISO for everything and if you ask me it’s a lovely little niche. Check out ISO 11869 as one of my personal go-to references…..unreal. In the same manner, there was a fixation with ITIL a few years back the game of compliance adherence continues in the same way drugs cheats continue to stay one step ahead. A loser takes all battle of attrition.
I am a strong believer in defining the frameworks around how to operate, and publishing a standard is a great way to show that your company has a structure and control around it’s operating procedures. My concern is the manner in which these things are obtained and the credence giving to the certification.
Taking ISO20k for example a quick google search turns up the benefits of being compliant. I’ve edited the syntax to protect the innocent but let’s take a look at these ‘great reasons’;
…benefits of ISO20000 certification for…providers are:
1. …competitive differentiation demonstrating reliability and high quality of service;
Sadly this is true through a form of ignorance rather than the demonstration of ability. The fact that next door have Ocado trucks deliver rather than the Iceland(1) truck that turns up at my place doesn’t mean that he’s a better chef than me.
The point is that having a certification simply means you’ve passed a single day’s scrutiny from an auditor. More than likely it was one hour of work with a seven hour chat about nothing in particular.
2….gives access to key markets…organisations in the public sector demand that their IT service providers demonstrate compliance;
Sadly, this is somewhat true, there is a demand for compliance and rightly so. My issue isn’t in the desire for approvals, in much the same way we all went safe cars that score well on the NCAP rating. I question whether you would be quite so influenced had you realised the car submitted for the crash test had been reinforced for that particular test with a roll cage and a less sensitive dummy.
So what’s the point?
Compliance is absolutely the right thing to follow, but embrace it as a cultural shift, not a knee jerk reaction. Financial regulations, security regulations, they’re all there for a reason. They aren’t there so you can game the system and pretend you run a tight ship.
Don’t aim for compliance to a standard, aim for best practice and the cogs will naturally fit into the ‘framework’.
Too many companies claim compliance only to spend the week before an audit brushing up documentation, briefing the individuals and generating enough collateral to guide the external auditors to handing out a certificate.
If you want to eclipse the competition embrace the frameworks as part of your culture, pick the relevant standards and live and breathe your version. If you employ internal auditors, empower them to make change. Chastising a department manager for weak KPI’s does nothing. Challenging and helping set targets that fundamentally change the ability of your company to perform will reap benefits.
Alternatively, keep ignoring your strategy and then panic when audit time comes, after all, you’ve got 20 seconds to comply.
- I’ll caveat that by saying that I’ve never been to Iceland. The truth is my better half would kill me, some time after she’s resurrected herself from the grave of shame in which she would languish if I deigned to shop there – other delivery firms are available).