In conversation with Richard Pharro
Podcast: The Importance of Governance in Organizations
Richard Pharro, CEO of APMG International, featuring International Governance and Compliance expert Mark Thomas, CGEIT, CRISC, Certified COBIT Assessor. Together they discuss governance in organizations, particularly those considering or going through digital transformation. Mark shares his thoughts on how to tell if investments are really creating value for an enterprise and how to enable stakeholders to progress through this challenging era.
Transcript
Audio Title: S1-Ep1 The Importance of Governance with Mark Thomas - APMG
Audio Duration: 0:22:55
Number of Speakers: 2
Mark Thomas: … because we always have this little saying, “If I’ve given you the authority to make a decision and you follow the specific controls that are in place, let’s say something doesn’t go right, well, you’re protected.” I’ve given you the authority. I’ve given you the knowledge, skills and abilities and, let’s face it, there’s no such thing as zero risk when you’re deploying. If something goes wrong, you’re protected because we’ve put all the pieces in place.
Richard Pharro: Welcome to this episode of Implementing Best Practice in Business. We’re here to help you and your organization understand and implement global best practice to help you face the business challenges of today.
Join me Richard Pharro, CEO of APMG International, in talking to leaders and practitioners who have applied these frameworks and practices to boost their productivity. They’re here, willing to share their knowledge and experience to help you learn from them, so you can do the same to make you more competitive in today’s market.
Mark, please tell the listeners far more about yourself and give them a good overview of where you come from in your career and the breadth of topics that you cover.
Mark Thomas: Thanks. Thanks again for having me, Richard. So my specialty area across the globe is around GRC, or what I like to consider governance, risk and compliance. Interestingly, I wasn’t in this space when I started my career. I was actually in the United States Army, but I had to learn the hard way what we meant by governance versus management.
But I really specialize in information assurance, information technology risk, a lot around strategy, service management and of course recently the big push with digital transformation. I’m starting to see a huge, huge effort around revitalizing a lot of the GRC or governance programs that organizations have.
So I have a lot of experience most recently in the international banking sector but I’ve also worked in technology services, healthcare as well as state, local and federal government. So I really, really love frameworks. I love COBIT. I love ITIL, NIST, multiple ISO standards. But one of the things that I like to do is say, hey, the framework is not going to answer all of your questions. You really have to understand what it is that the business needs to accomplish from a value perspective.
So those are some of the things that I will be able to share with you in this podcast and talk a little bit about what I’m seeing around not just North America but around the globe when it comes to leveraging not just frameworks but good practices around governance over enterprise information technology.
I am stationed in the great State of Kansas USA but I’m talking to you from Phoenix, Arizona right now. I do also have the CGEIT which is certified in governance of enterprise IT and the CRISC certifications, which is certified in risk and information systems control.
Richard Pharro: Wow, thank you very much Mark. I had a couple of questions for you but you may have answered a lot of them already. You know, let’s see if we can explore some of these things and maybe go into a little bit of that in some areas for people who are on the podcast.
I mean governance seems to be a very hot topic at the moment. I remember seeing recently that about 100 big business leaders in the US got together and they’re proclaiming governance and have governance on top of the agenda. You know, what do you think is driving that interest from those companies?
Mark Thomas: I will start off with this, that the primary tenets of governance really haven’t changed in decades, if not even longer. But what I’m seeing is many organizations have become very reactive as opposed to being proactive, meaning that they’re responding to some new loss, some new requirement, some new threat that we’re seeing take place in the environment.
So in the business space that we’re working in today, legal and regulatory requirements and that environment has become immense. Now add to that, the whole idea of digital transformation, you can’t have a discussion with an executive or a board member today without digital transformation coming up. So we’re seeing –
Richard Pharro: Mark, can I just stop you there?
Mark Thomas: Sure.
Richard Pharro: What do you actually mean by digital transformation? Because over the last five or six years, everyone has been transforming. You know, when did projects move towards programs, move towards change and into transformation? What is digital transformation?
Mark Thomas: So I will say this is using advanced technology to enhance the customer and user experience of the organization. How you touch your stakeholders and how you touch your users and using advanced technology to do that, which is why now we see things like the cloud, Internet of Things, right?
These are becoming huge right now. In a world today where a single act by a competitor can put you out of business, that is digital transformation because they’re streamlining that experience that they have with their users and their customers.
But here’s what I would say the caution is to the whole idea of digital transformation: many organizations will invest in technologies just to invest in that technology. What I’m seeing right now in the global landscape is we’re moving so fast technically that we’re leaving vulnerabilities that we normally didn’t think about.
I was asked in a board meeting by a very, very savvy board member. She’s a former CIO of a federal agency in North America. She asked me in a board meeting, “Mark, can we be compromised through an internet-enabled coffeepot?” and it was a very keen observation and it took some research but, you know, that’s always – you know, that’s – people have probably heard that joke but that actually happened to me.
So we’re starting to see an interest around the vulnerabilities that we’re creating for digital transformation and like you said, we’ve been digitally transforming for decades. Right now it’s a great buzzword because of the proliferation of web-enabled services. Now we’ve got a full stack that we can go through Amazon or Microsoft with what’s called “platform as a service”. But the bottom line is this, is if you invest in technology to enhance your customer or user experience, you are digitally transforming because you’re increasing your capabilities in communicating with your customers.
Richard Pharro: But if I have all that investment in the technology and the kids [0:06:38] [Phonetic], what about my people? How do I get my people to be digitally transformed? How do I get my people to work in this brave new world?
Mark Thomas: Two tenets of governance that I feel very strongly about and this goes to the point that you just mentioned. Number one is what’s called culture. If I get an opportunity, I will talk to you a little bit more about my thoughts on culture in organization here in just a few minutes.
But the other one is people and in the old days when we used to think about our people or the human resources, the side of an organizational ingredient, we still look at hey, we have certain skills and now we have certain hours available for those people and so on.
But now what we’re starting to see is this increase in an awareness of basically knowledge, skills and abilities because this is something – I actually see this now on agenda items for boards and it’s talking about the knowledge, skills and abilities of the human resources that are supporting the organization.
So obviously big training programs are huge and like I mentioned before, I’m a big fan of frameworks. But one of the things that I’ve seen some organizations do is they will send staff members from their information technology group. They will send them to training, whether it be a project management course, cybersecurity course, service management, whatever that might be.
They expect this framework to magically occur in an organization by just investing in training. So I challenged a couple of board members that when we’re looking at the allocation of funding towards our people, how are we measuring the fact that they’re taking things out of these courses and being able to apply those in our environment. So that’s why I think that of course training certifications are very, very important. But where people are missing is how do I now take accountability at the executive level to ensure that I’m measuring that my investment in that training – because sometimes maybe training might not be a regulatory requirement for some things. It is for say PCI, for HIPAA and things like that.
But yeah, it’s – I think it’s one of those things that we really have to keep an eye on and we’re seeing that shift now in many boards that are asking the question, “Do we have the proper knowledge, skills and abilities to achieve the tasks in order for us to create value for the enterprise?”
Another piece that I wanted to share with you on this – and I will probably bring this up several times during this podcast – is the whole idea of what we call “goals cascade”. A goals cascade says, “All right. Have I been able to line my particular goals up with my boss’s goals, with her goals, and therefore they align with the enterprise?” because what we’re now seeing is organizations – here, take an organization that I was a part of.
I was a CIO for a very large organization and we set up our rewards structure around your ability to be able to do your tasks. But I had to provide you the knowledge, skills and ability. So when you sat down with your manager, you created your goals. What you would do is you would line your goals with the goals of your manager and what your manager would do, she would make sure she aligned her goals because that way, if everybody in an organization has certain goals they have to meet, I as an organization, I now have responsibility to ensure you’re trained for that and you have the skills and abilities to do it.
But if everybody does and everybody meets those goals, then the enterprise reaches its goals. So therefore when we talk about reward structure, at the end of the year when the CFO says, “Mark, you’ve got X million dollars or X hundred thousand dollars to give out for bonuses this year,” I can now allocate that based on your ability to meet your goals. So it’s a good driver for folks to really focus on those pieces.
So I think that it goes down to the basics of good customer service like I mentioned before. Since this started, this conversation you and I are having started with digital transformation, because now we may be disrupting the way some of our employees work.
So the whole idea of change enablement is a very, very big factor here. I will tell you that I think change enablement – not to be confused with change control – but I think change enablement is one of the number one silent killers of any governance initiative because people think, organizations think, “We tell them to do it. They will do it.” But today, we need to communicate why we’re doing it, the end state, right?
We need to have input because you may have a better idea or a better approach than I would. So I think those are some key things that we’re seeing now starting to get some visibility at the board level and hopefully we will get a chance to talk a little bit about some of my interactions with some international boards and some of the other things I’m hearing around the governance initiatives as well.
Richard Pharro: Before we go onto that Mark, you talk about the end state. Again, you know, we run a few programs. We run a few projects here. Our businesses changed significantly over the last five to ten years. Do you think an end state is still something that can be defined or do you think now most organizations are moving down a trajectory or down a route towards something? And there’s a milestone but there isn’t an end goal.
It’s like, you know, I don’t believe in such a thing these days as an IT project because once you start down that digital automation path, you’re forever updating. You’re forever renewing. Otherwise, that great big bogey of a technology debt comes up and just cuts your legs out from underneath you and, you know, you’ve lost everything. So can you have an end state in a digital transformation or is it always aspirational?
Mark Thomas: It is always changing. So let’s use the concept of risk for a few minutes to kind of describe that. So, you know, what we used to see is organizations would go do this big annual risk assessment and they would march against how are we going to respond to these risks we identified.
But a risk that was identified one year ago may no longer be a risk and a risk that we may not have identified or deemed that as a low impact, low likelihood risk could change within a couple of months. So the landscape we’re operating in today moves very quickly. We can no longer use the information from last year’s meeting. So put that into the perspective of an organization.
Yes, we can have annual financial goals. If you’re a listed company, there are certain goals around that, that you have to meet. Get that part. But we are changing dynamically on a daily and weekly basis. Like I said before, one app can enter the market and change my entire business and I have to be able to have the agility to be able to change the way we’re operating as an enterprise because it changes overnight.
So having said that, I do believe that organizations, there’s never an end point that you will get to because you’re modifying these. So in my organization for example, two years prior to me being a CIO, the organization said, “Hey, we are in a cost-saving mode. Save money, save money, save money.”
But then within a period of about three months, the board said, “We now have cash. We will take risk. Move, move, move.” So people said, “Well, wouldn’t they make up their minds?” Well, they are. They are being fluid and they’re seeing what the market is doing and they’re changing their risk profile or their risk appetite levels based on what’s taking place in the market.
But even though there’s really – I believe there’s no end state because we’re going to be in a constant evolution here. I truly think some of the latest trends we’re seeing around fast IT are extremely valuable for us.
So a lot of organizations based on this slow waterfall approach where there’s an end state. This project goes live. Now we calculate the benefits of this.
Well, our customers said that’s not enough. So then we started to see the agile, right? Where now people said, “We want things fast. We love them in sprints,” where organizations can now deploy a service or modifications in a sprint that might be say two weeks or three weeks.
But that wasn’t enough because the market started moving faster than two or three weeks and now we started to see this whole idea of continuous deployment or dev ops. So I think these are good things for us to see and just with the evolution of those more iterative approaches to technology deployments, that is a reaction to what’s taking place in this market and I think what’s happening at the board level and the committee level is they’re finally starting to understand that this is not an annual event anymore.
But Richard, there are still some core tenets that I mentioned to you earlier that really don’t change, right? The governance has a couple of rules or a couple of ingredients that I really think are constant whether you’re a fast-moving organization or whether you’re a slow-moving organization.
Richard Pharro: Mark, you talk about fast IT and you talk about governance and boards being able to sort of recognize these things and get behind them. How does that apply to midsized organizations? I can understand you got tied to the very large organizations or the tech organizations or the one-man startup that’s going to put a man [0:16:15] [Indiscernible] within the next 20 years or whatever.
For those organizations in the mid-band, whether it’s in the US, whether it’s in Europe – I know you work globally, anywhere in the world – how do they deal with this constant evolution, this fast IT, this cultural change, this deploy-every-week new functionality? How do they do that? And take their existing staff with them in terms of getting them into that culture: this is what the world is. This isn’t unusual. This is now normal.
Mark Thomas: Yeah. So it gets down to a lot around resources and around what we call decision – the authorities, being able to delegate certain authority. You know, when you talk to an organization and you say here are the core objectives that have to be met, you know, everybody says, “Oh my gosh. We can’t go hire that many people.”
Well, the idea is that you don’t have to hire more people especially if you are a mid-market kind of organization. It really comes down to organizational structures and this is very, very key. We mentioned a lot in things like dev ops and the idea of trust.
But I need to make sure that I can delegate certain authority levels down to the proper level that can make those decisions at what I call street view. But they can make those decisions based on some specific criteria.
For example, this continuous deployment can take place based on the following. One is there is a message or there’s – we may be able to do it automatically where we have something called “secure by design”.
We may have to have systems or tools in place that can track and know that you did it. But we identify what those authority levels are that we can delegate because there’s trust that that role we’ve delegated to has the knowledge, skills and abilities to be able to do that.
I think that’s probably one of the key areas for fast IT is that we have to be able to make those decisions at the closest point to that technical deployment as possible.
The days of having these big, huge four-hour change control and change advisory boards are starting to go away. I can’t wait until next week. So get that authority level identified. Get it documented because it protects you. It protects the organization. It protects our customers as well.
Richard Pharro: And how are you helping your clients train staff for that level? Because some people might be very uncomfortable making that decision, having that authority and being responsible for getting this thing out the door and to market within a week.
Mark Thomas: Yes. So we are – I am doing a fair amount of – I don’t do training specifically around the technical deployment through say AWS or Azure platform, those types of things. But what we’re really focusing on is how do we identify what we call the value streams of that service that’s being deployed for that particular customer and what are the decision points that need to be made because even though we’re trying to make sure we have a streamlined deployment of a service, there are still controls that have to be met.
I can’t let this take place without some checkpoints that are on them. So I’m not sure if I completely answered your question but what it really boils down to is understanding what those services are. It’s not about the technology as much as it is about the increasing of the user experience force.
Richard Pharro: Yeah. I wasn’t thinking so much about either the service or the technology, but the person. You know, the person, if you like, on the shop floor, the person at the coal face – if that’s the right technology – right phrase in this high-tech world.
Mark Thomas: Yeah.
Richard Pharro: That person you’ve delegated to, you’re expecting them to drive these things through. How are they being empowered to train, to coach, to mentor to enable them to be confident about doing that and to accept that not everything works?
Mark Thomas: Yeah, that’s true. You know, and this is a time-honored thing and it’s called training. I would tell you, it’s one thing for me to be able to delegate a decision to you Richard in my organization. But it’s another thing for me to invest in the training you need. That may be a public training or that may be some specific internal training programs we have.
I can’t say enough about that. Certifications are also very important for us because what a certification does is it gives not only me as an organization the confidence that you have the knowledge, skills and abilities. But it gives you the confidence level as well.
So I think training is very important, external and internal training. But clearly documenting the authority levels that you can make, because we always have this little saying, “If I’ve given you the authority to make a decision and you follow the specific controls that are in place, let’s say something doesn’t go right, well, you’re protected.” I’ve given you the authority. I’ve given you the knowledge, skills and abilities and, let’s face it, there’s no such thing as zero risk when you’re deploying. If something goes wrong, you’re protected because we’ve put all the pieces in place.
But if you make that change or if you do that activity without proper authority, I may not be able to protect you and that sounds bad. But it’s an incentive that helped us in our organization be able to decentralize those decisions and it was all down to training and the confidence levels that we have in you and you have in your own skills.
Richard Pharro: Mark, as always, it’s good talking to you and thanks very much for sharing your insights into the world of governance and digital transformation. We covered a lot of information in this podcast. But I don’t think we’re finished. So very much look forward to talking to you about part two as we continue this conversation about governance and digital transformation.
Mark Thomas: Love it. Thanks Richard for having me.
[Thank you for listening. We’re always keen to hear your feedback and suggestions for future episodes. You can find all the information in the show notes below. Please visit www.apmg-international.com to find out more about our accredited training and the certifications that support them that are related to the topics discussed in this series.
I hope you’ve enjoyed today and I look forward to you joining future episodes while we continue our exploration into best practice and the benefits this brings to global business. Thank you.]
[End of transcript]