
Chris Matts & Tony Grout on IT Risk Management Framework as a Catalyst for Change

Podcast with Chris Matts, Tony Grout by Shane Hastie on Apr 23, 2018

In this podcast Shane Hastie, Lead Editor for Culture & Methods, talks to Tony Grout and Chris Matts about building an IT risk management framework at a large bank and using that as a catalyst for a digital transformation.

Key Takeaways

  • Just deploying another prescriptive method will not make an organisation agile and adaptive
  • A risk management framework can be a catalyst for change
  • The components of a simple framework which enables adaptation at the team level while ensuring alignment to organisational outcomes
  • The importance of an organisational-level backlog which is transparently prioritised to ensure the teams who need to collaborate have clarity about cross-cutting priorities
  • Ensuring that controls are as easy to evidence as possible and that there is very low overhead in gathering the metrics
  • 0:22 Introductions & background
  • 1:00 The challenges faced by a 250 year old bank which wants to become digital
  • 1:48 Just deploying another prescriptive method will not make an organisation agile and adaptive
  • 2:12 The importance of regulation and risk in banking
  • 2:20 Being able to use risk and regulation as a framework for new ways of thinking and working
  • 2:33 Describing the four drivers in the framework:
    • You have to deliver value quickly
    • You have to measure lead time
    • You have to have sustainable quality
    • You have to manage risk
  • 2:55 Describing how the team, team-of-teams and portfolio structure fits the framework
  • 3:06 The importance of governance and enabling functions
  • 3:33 Finance and HR as enabling functions
  • 3:40 The simplicity in the framework made it easy for people at all levels and roles to accept and engage with the approach
  • 4:10 The drivers and outcomes acted as an alignment function that all stakeholders could agree with
  • 5:06 The challenges in the conversation around “reducing waste” – what is necessary or good waste vs bad waste
  • 5:28 The simplicity was the result of lots of thought and careful design  
  • 5:40 The influence of Cynefin and Dave Snowden’s work on “negotiable boundaries”
  • 5:56 Describing the metrics hierarchy which identifies value
  • 6:35 Using the metrics hierarchy to expose that some of the business cases were not delivering value for the organisation
  • 6:50 The ability to negotiate and identify what is and what is not valuable in the context
  • 7:05 Examples of the type of metrics which actually realise value   
  • 8:35 Explaining how executive responsibilities are imbedded in the model
  • 9:00 Executives are required to show that they are looking at the metrics, not that the metrics are changing
  • 9:18 The strict rule at the portfolio level that there must be a single, ordered list – no two items can be classified at the same level of importance
  • 9:38 The framework enabled the identification of detailed controls which can be measured against   
  • 9:55 Explaining how risk and controls are applied in the regulated financial industry
  • 10:36 Showing how the controls are applied without burdensome paperwork through tooling and report automation
  • 11:05 Lead time as an important metric, and how it can be used
  • 11:36 Explaining weighted lead-time and how it allows aggregation of results across the portfolio
  • 12:25 Ensuring that the controls are as easy to evidence as possible and that there is very low overhead in gathering the metrics
  • 12:50 Some of the challenges the new way of reporting raised
  • 13:15 More accurate evidence because the metrics were produced automatically    
  • 14:01 The challenges around socialising the new ideas across the senior levels of the organisation 
  • 15:34 The importance of getting the audit function engaged with the new way of working from the very beginning
  • 17:05 Examples of how engaging the audit function smoothed the adoption of changes in roles and structures
  • 17:58 The immersive training experience using the Lego game which socialised the new way of working
  • 19:10 A strategy of ensuring that managers feel they can win in the new game
  • 20:05 Using the culture to change the culture    
  • 20:35 Getting a “green” audit result opens the opportunities to do additional things
  • 20:48 Engage allies to help get the message across
  • 21:43 At the team level the teams implemented scrum
  • 22:05 Empowering the teams to adopt different approaches as long as they discuss the implications with a coach
  • 22:17 Scrum exposes the existing dysfunctions – tackle those rather than changing the framework
  • 23:10 Scrum has the mirrors and edge points which enable teams to identify the challenges and begin to tackle them for themselves
  • 23:38 There is a set of controls which teams have to be able to show that they are following
  • 23:52 Examples of some of the control metrics the teams must be able to report on
  • 24:12 Building the compliance reporting into the automation tools (Jira)  
  • 24:28 Teams have flexibility on how they work, and are constrained to meet the controls
  • 24:52 Mapping the controls to the framework and providing the teams with guidance around how the controls can be met using specific approaches
  • 25:26 Communities of practice so knowledge can be shared across teams
  • 26:04 Technical practices described in toolkits which were mapped to the controls
  • 26:57 The importance of not being prescriptive – the teams are empowered to adopt the practices and approaches they want, provided they can show that they’re meeting the controls
  • 28:05 Integrating CD/CI practices into the framework through the community of practice
  • 28:32 The controls are enabling constraints
  • 28:58 In a highly regulated environment it is risky to be first, so sharing this story shows other organisations that it is possible
  • 29:28 The influence of systems thinking and complexity theory on the decisions not to be prescriptive
  • 29:50 The importance of having a very senior person who can validate the ideas and champion the approach
  • 30:27 Cross team collaboration is a social problem not a technical problem    
  • 30:56 The importance of an organisational-level backlog which is transparently prioritised to ensure the teams who need to collaborate have clarity about cross-cutting priorities
  • 31:25 “Are we agile” is the wrong question to ask – rather ask “are we better than we were?”    
  • 32:03 Changing the direction of the inertia in the organisation towards improvement using the four drivers and transparent metrics
  • 32:40 The flawed assumption that you can outsource risk in complex environments
  • 33:04 The importance of ownership for the key metrics at the executive level which drives collaboration at all levels in the organisation
  • 33:57 Advice for others who want to adopt this approach – it’s not for the faint-hearted
  • 34:32 This was a two-year journey – change won’t happen quickly
  • 34:40 The zeroth constraint in the theory of constraints is having credibility to enable you to make the changes needed
  • 34:56 Explaining some of the things Tony did to build that credibility
  • 36:20 The framework is relatively easy – the biggest challenges are building the credibility to be trusted and respected to make change
  • 37:05 The simplicity in the framework is the result of lots of deep thinking and learning
  • 38:05 Where to find the details of the framework on the IT Risk Manager blog
