Governance must strike a balance between two goals: it needs to exert control while simultaneously enabling progress. The control aspect arises from management’s fiduciary responsibility to stakeholders (or, in the context of a government agency, to the public). This duty requires management to ensure that the organization’s funds are used wisely, that security controls are maintained, that legal and ethical standards are met, and that compliance with frameworks such as Sarbanes-Oxley is maintained. To achieve these goals, companies implement standardized processes and accountability systems.
Concurrently, governance must be structured to allow the organization to pursue profit-making endeavors (or, for a government agency, to fulfill its mission). Governance that solely aims to prevent mistakes is ineffective; it must also facilitate actions that generate positive returns for investors.
As I will illustrate, an effective governance framework can accomplish both objectives: there’s no inherent need to sacrifice one for the other. However, achieving this balance is challenging, as organizations often lean more towards prevention, viewing it as a means of mitigating risk. Interestingly, in a climate of disruption, risk aversion is counterproductive. When stagnation poses a threat, even risk-averse organizations must actively seize opportunities while avoiding pitfalls. It is increasingly risky to impose obstacles to innovation and change.
In the digital landscape—especially within the cloud—we aspire to achieve both: maintaining even stricter controls than before while also empowering activities that drive revenue growth, cut costs, establish competitive edges, and minimize risk. This dual capability has become feasible thanks to advancements in technology and new organizational frameworks. Many fear that the rapid pace of digital technologies necessitates a relinquishment of control. They assume speed inherently increases risk, positing that only time and meticulous planning can alleviate it.
This notion is mistaken: today, we use speed and innovation to actually reduce risk. The new ways of working are an improvement, and governance improves along with every other function.
However, to govern effectively, we need to govern differently.
Two Types of Governance
Looking at traditional governance methods, we can identify two distinct strategies: (1) standardizing, that is, establishing and enforcing universal rules, and (2) planning carefully and then executing against those plans.
The first governance type is employed when a universal control needs to be applied. Examples include the processes developed to comply with SOX, HIPAA, GDPR, and similar regulations, and to pass the year-end audit. There are controls around expenditure approvals, HR processes, and information security. In IT, we frequently create enterprise architecture standards dictating which programming languages and platforms to use, how to tag cloud resources, or how to implement authentication and authorization. These standards become enforceable rules, upheld through mechanisms such as architecture reviews, peer code reviews, or automated checks in the deployment pipeline. This governance type revolves around rules and their enforcement; what matters is that they are applied consistently and transparently. In the strict sense of the word, these rules are a form of bureaucracy.
The second governance strategy applies when no fixed rule exists, requiring us to exercise judgment in making decisions that align with stakeholder expectations and then acting accordingly. For instance, budgeting processes and budget execution are managed through annual planning followed by disciplined execution. Capital planning is similar: we select investments that promise the best returns for shareholders, basing decisions on a business case and an execution plan, striving to adhere as closely as possible to achieve projected returns. In this model, governance involves making these spending decisions—or more broadly, decisions regarding resource allocation—and then following through.
In summary, there are two governance types: (1) the rigorous application of strict, formal rules, and (2) well-defined initiatives that are planned and executed in line with investor objectives. This discussion focuses on the first type; the second will be addressed in subsequent posts.
Type 1: Rule-Based Governance
First, let’s explore rule-based governance. As we transition into the digital arena, this type of governance remains constant—except that we can execute it more efficiently. The digital environment presents countless opportunities for applying rules in an automated and auditable manner. Automated rules, particularly in the cloud, can restrict certain behaviors or notify the relevant parties when specific actions occur. For example, you can establish and enforce an automated policy in the cloud that prohibits the deployment of insecure code; alerts finance when spending limits are exceeded; or detects unusual network activities and user behaviors and takes appropriate actions.
Automated governance offers numerous advantages:
- Cost-effective: Implementing automated controls is significantly cheaper than human enforcement processes.
- Efficiency: Automated governance is quick and reliable.
- Rigorous enforcement: Rules are precisely defined and enforced every time, with no dependence on a human remembering to check.
- Self-documentation: Electronic records of applied controls are easily maintained.
- Transparency: Rather than halting potentially legitimate activities, you can report on them and decide on subsequent actions.
- Adaptability: In a rapidly changing environment, policies and rules can be changed immediately, and every change to them is itself recorded and auditable.
- User-friendly guardrails: Employees can work confidently, knowing that automated enforcement minimizes the risk of inadvertent rule violations. This is particularly critical for complex security regulations.
I’m not merely suggesting that rule-based governance is as feasible in the digital world as it is in traditional settings—I’m advocating for its strategic utilization! The digital approach to governance mitigates risk while simultaneously enabling productive business activities.
By automating compliance, we encourage activity rather than hinder it. Employees can innovate and work quickly, reassured that automated rules will give them feedback if they stray beyond acceptable parameters, allowing immediate corrective action. Compliance becomes well-defined and manageable: if the automated controls stay silent, we are compliant with every rule they encode (the rule set itself still needs periodic review, since a control cannot flag a risk nobody wrote a rule for); if they signal a problem, we act promptly to fix it. This stands in stark contrast to older control methods, where a gatekeeper might appear late in the process to object to work already done, resulting in rework and wasted resources.
In the realm of IT, the advantages of automated governance are particularly evident in modern security practices. In a typical DevOps framework, the security team prepares automated tests and implements security policy enforcement within the cloud environment. As software developers write code, they regularly execute automated tests to swiftly identify any vulnerabilities. If an issue arises, they can address it immediately. These automated security tests serve as both a tool for developers and a stringent enforcement mechanism for security rules, doing so efficiently and proactively.
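The automated policy checks described in the last two paragraphs, made concrete as an added example that is not code from the original post: a small policy-as-code evaluator in Python, written for this page. It assumes a hypothetical, simplified resource manifest (the constructed `SAMPLE_RESOURCES` below, not real cloud API output) and three hypothetical rules: the tagging standard mentioned earlier (required `owner` and `cost-center` tags, notify-only), no public or unencrypted storage buckets (blocking), and no admin ports open to the whole internet (blocking). It runs in either enforce mode, where a blocking finding fails the pipeline step, or audit mode, where the same findings are only reported, and every evaluation produces a record carrying the policy version, which is the self-documentation and transparency the list above describes.

```python
"""Policy-as-code check of the kind a deployment pipeline runs before a deploy.

Added example for this page; the resources, rule names and policy version are
hypothetical. Evaluates resource definitions against governance rules, either
blocking the deploy (enforce mode) or only reporting (audit mode), and emits an
auditable record of every evaluation.
"""
import ipaddress
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

POLICY_VERSION = "2024-01-demo"      # hypothetical; bump whenever RULES changes
REQUIRED_TAGS = ("owner", "cost-center")
ADMIN_PORTS = {22, 3389}

# Constructed sample manifest (hypothetical resources, not any real account).
SAMPLE_RESOURCES = [
    {"id": "bucket-logs", "type": "storage_bucket",
     "tags": {"owner": "secops", "cost-center": "CC-100"},
     "public": False, "encrypted": True},
    {"id": "bucket-web", "type": "storage_bucket",
     "tags": {"owner": "web"},
     "public": True, "encrypted": False},
    {"id": "sg-bastion", "type": "security_group",
     "tags": {"owner": "infra", "cost-center": "CC-200"},
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-app", "type": "security_group",
     "tags": {"owner": "app", "cost-center": "CC-200"},
     "ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]},
]


@dataclass(frozen=True)
class Finding:
    resource_id: str
    rule: str
    effect: str      # "deny": blocks in enforce mode; "notify": reported only
    message: str


def rule_required_tags(res):
    """Tagging standard: notify-only, so a missing tag never blocks a deploy."""
    missing = [t for t in REQUIRED_TAGS if t not in res.get("tags", {})]
    if missing:
        yield Finding(res["id"], "required-tags", "notify",
                      f"missing tags: {', '.join(missing)}")


def rule_no_public_unencrypted_storage(res):
    """Storage buckets must be private and encrypted at rest."""
    if res["type"] != "storage_bucket":
        return
    if res.get("public"):
        yield Finding(res["id"], "no-public-storage", "deny", "bucket is publicly readable")
    if not res.get("encrypted"):
        yield Finding(res["id"], "storage-encryption", "deny", "bucket is not encrypted at rest")


def rule_no_admin_ports_from_internet(res):
    """SSH/RDP must not be reachable from a /0 (the whole internet)."""
    if res["type"] != "security_group":
        return
    for entry in res.get("ingress", []):
        net = ipaddress.ip_network(entry["cidr"], strict=False)
        if entry["port"] in ADMIN_PORTS and net.prefixlen == 0:
            yield Finding(res["id"], "admin-port-exposed", "deny",
                          f"port {entry['port']} open to {entry['cidr']}")


RULES = (rule_required_tags, rule_no_public_unencrypted_storage,
         rule_no_admin_ports_from_internet)


def evaluate(resources, mode="enforce"):
    """Run every rule over every resource.

    Returns (decision, findings, record). The decision is "deny" only in
    enforce mode and only when a deny-effect finding exists; audit mode always
    allows but still reports everything, so a team can watch a new rule before
    turning enforcement on.
    """
    if mode not in ("enforce", "audit"):
        raise ValueError(f"unknown mode {mode!r}")
    findings = [f for res in resources for rule in RULES for f in rule(res)]
    blocking = [f for f in findings if f.effect == "deny"]
    decision = "deny" if (mode == "enforce" and blocking) else "allow"
    record = {                      # the self-documenting audit trail
        "evaluated_at": datetime.now(timezone.utc).isoformat(),
        "policy_version": POLICY_VERSION,
        "mode": mode,
        "decision": decision,
        "resources": [r["id"] for r in resources],
        "findings": [asdict(f) for f in findings],
    }
    return decision, findings, record


if __name__ == "__main__":
    decision, findings, record = evaluate(SAMPLE_RESOURCES, mode="enforce")
    print(json.dumps(record, indent=2))
    raise SystemExit(1 if decision == "deny" else 0)   # non-zero exit fails the pipeline step
```

Run as a pipeline step, the non-zero exit on `deny` is what makes the rule enforceable rather than advisory, while switching the mode to `audit` shows what a new rule would block before it is switched on. Keeping the rules as plain functions in a versioned file is what gives the adaptability and auditability of rule changes mentioned above: the rule set changes through the same reviewed commits as any other code.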