Adaptability versus Auditability

As practicing IT project managers, we often find ourselves on the bleeding edge of change for the organizations we serve.  In many cases, we are asked to drive changes to business processes, in addition to the technical deliverables.  Whether the people asking us to do this driving understand either the status quo or the Brave New World is another matter altogether.  But as agents of change, we need to address the interests of all stakeholders.  And for almost any project, for almost any organization, our stakeholder list needs to include those responsible for compliance with requirements from external authorities.  This includes both financial reporting compliance and operational compliance, such as data privacy and PCI requirements.  At most organizations, this will include the audit committee.

KPMG’s Audit Committee Institute recently issued the report from their annual conference.  It has some interesting tidbits, including the top ten concerns for audit committees in 2012, based on a survey of conference attendees.  Second on the list is IT risk and emerging technologies; fourth is information privacy / security and cyber-security; and sixth is a concern about the mix of skills on the audit committee, including IT expertise.  The report references, “… the ongoing economic and political / regulatory uncertainty, [and] the transformational impact of social media and emerging technologies…”  The auditors are concerned that change, driven by both internal and external forces, is outpacing governance.  This matters to them, because they aren’t just responsible for reporting revenues and expenses, but also for updating the value of assets and liabilities, and for reporting risks.  Also, auditing is a governance function, in support of executive decision making.

Another sidebar in the report lists seven areas of IT risk that give attendees the most angst.  From data privacy and security, to failing to capitalize on opportunities, to the challenges of social media and BYOD, they represent challenges to both operations and project management.  Other sidebars address the impact of technology on customer strategy, social media governance, and cyber attacks.  These audit committee members know enough about these matters to identify areas of concern, but not enough to understand the specifics.  That’s where the practicing IT project manager needs to step in.

Take a look at your project charter, and especially your scope.  Where are the risks to the organization, aside from cost, schedule, and quality risks to the project?  Are they reflected in the risk register?  Have the right people been involved in developing and approving the risk responses?  Think strategically; think like an auditor.  What operational changes will be driven by your project?  How will they impact compliance?  How will they impact internal and external reporting?  What relationships will change?  Will responsibilities shift?  Consider your change management plans – not just training and knowledge transfer, but notifications to compliance authorities.  Take a look at your technical solution.  Look for vulnerabilities, including information security and continuity of operations.  Do the stakeholders understand what they’ve signed up for, and how it will impact operations?  Are you telling them in language that is meaningful to them, as opposed to “technically correct?”  Are you verifying that they understand well enough to make correct decisions?

As we’ve adopted Agile, fast-paced, low-governance approaches to development and delivery, we’ve improved our organizational ability to “adapt, improvise, and overcome.”  But we can’t ignore the need for senior decision makers to have actionable information.  And whatever changes we drive have to result in a finished deliverable which meets the requirements of all the authorities that the organization must comply with.  It’s not enough to be adaptable; we still have to be auditable.  That doesn’t mean mountains of process documentation, but it does mean we have to understand and meet the needs of stakeholders besides the product owner.