Note: GRC refers to Governance, Regulatory and Compliance, which is the umbrella for all of the state, federal and international regulatory requirements that companies, especially banks, must address.
All the images of IT-GRC relationships have an item for “Incident Management”. What’s wrong with this picture?
Considering that it is an accepted fact that at least 80% of all incidents are change-related, wouldn’t it make sense to shore up the change management processes, policies and procedures? The current paradigm of focusing on the symptom will only perpetuate the risk, whereas directing some of the energy towards the actual underlying mechanisms will reduce the number of incidents, as well as improve MTTR of those that do occur.
To the extent that the regulatory environment is becoming less and less tolerant of incidents, of any type, the argument should be to eliminate the source of the problem, rather than merely improving the ability to resolve incidents.
It’s my opinion that focusing on incident management is the cowards approach to solving the problems. This approach basically throws bodies at the problem, but does nothing to prevent them. The experienced leader will easily recognize that more bodies will cost far more, in the long run, than committing to improving the overall control of the enterprise.
It’s easy to yell “Fire” and get a spend for fire extinguishers. It’s a lot harder to get money for an “intangible” or “potential” problem.
Ask the designer of the Titanic what his motivation was for not extending the chamber walls all the way to the top of each making them *completely” sealed from one another. (The titanic sank because as water filled each chamber, and causing the ship to dip, water would then spill into the next chamber. Had each been completely separate, no one would have been hurt).
Our culture is happy to pour money into fixing a crisis, but it’s far cheaper, over time, to prevent it.
By integrating better change management principles, and doing so in a collaborative and cooperative manner, many goals can be easily accomplished. By including the enterprise in the paradigm shift, they become champions of the process, because they become partial owners of it. This make socialization far easier, as the communications are developed contextually, rather than independently. This inherent inclusive attitude will ultimately encourage others to be more proactive in approaching change management, and seeking guidance *before* a incident occurs, rather than in crisis, afterwards.
Post a Comment