Vendor Accent
Enabling crosstalk between quality, information security and compliance
Manish Jain and Srinivas Sripada lay down some of the key lessons and best practices in enabling crosstalk between quality, information security, compliance, and internal controls

Manish Jain
Srinivas Sripada
The ways of doing business are changing rapidly, and service providers are now required to give their customers assurance not only of high-quality output but also that the work will be performed in the right environment, in compliance with multiple industry regulations. These evolving business demands require an integrated view into the management of the seemingly disconnected worlds of regulatory compliance, information security, internal controls, and quality, so as to create a best-practice operating environment that uses a common set of tools and initiatives across multiple domains.
This white paper shares 10 best-practice tactics from Perot Systems' experience to help build an integrated audit and governance framework using common toolsets and methodologies.
Strong Certification Programs: A Basis for Effective Crosstalk
The comprehensive audits and assessments needed to meet certification requirements cause an organization to evaluate, refine, and document its processes for consistent and repeatable results across the organization. One of the most widely recognized industry standards programs is ISO 9001:2000 certification.
ISO 9001:2000 - A Successful Quality and Compliance Journey
The ISO 9001:2000 process is flexible in accommodating the evolution of an organization and its adoption of newer work processes, tools, policies, and procedural frameworks. Certification is the beginning of a broad process-integration and quality-enhancement journey.
A key ISO premise is "Do what you say and say what you do." The development of baseline "Say What You Do" documentation for the IBPS division began with the creation of basic templates to share across the organization and with empowering every individual within each process to write, rewrite, or modify the process documents pertaining to their work.
Once the initial process documentation was complete, the "Do What You Say" premise was met by continually monitoring compliance and reviewing the adequacy and applicability of these documents against the processes in practice. A framework was developed to give audit team staff the ability to identify improvement opportunities and communicate them to the leadership.
Whether your organization is following ISO guidelines, internal processes, or other industry standards such as Six Sigma, ITIL, or CMM/CMMI (Capability Maturity Model), our experience at Perot Systems suggests 10 best practices:
Best Practice #1: Create a Governance Fabric through Internal Audit Teams
A team of internal auditors and process analysts was formed to participate in the ISO 9001:2000 implementation and management, and was given the proper tools and practices to assess performance and report non-conformance. An internal audit calendar was created for the entire organization, and the audit team tracked and reported back findings and opportunities for improvement using automated audit and management reporting tools.
Best Practice #2: Automate. Automate. Automate.
There are many benefits of automation:
- Automation eliminates paper. With your workforce having controlled, software-driven access to their specific work area, there is greater assurance of a secure working environment. Over time, with subsequent refinement of access controls and permission rights, an even more secure workplace with the appropriate levels of information protection can be created.
- Automation keeps an auditable trail and creates accountability. Version control tools can monitor additions and changes to build comprehensive update archives, which also increases the auditability of process improvements and of the work performed.
- Automation creates transparency. With baseline automation, a more productive work environment is created for your workforce, and one can build backward- and forward-integrated tools that connect to the suppliers and customers of each process.
Best Practice #3: Capture and Present Opportunities for Process Improvement and Transformation through Innovation
Innovation helps create market leadership, impacts the way an organization is perceived, and influences how it is respected in the marketplace. The right kind of innovation can also create competitive advantages. While the initial certification processes help an organization build important discipline and management rigor, the real value is often created when documentation procedures help uncover innovative responses from participants and process owners, and when those responses are implemented.
Best Practice #4: Create Acceptance of Audits as an Ongoing Process
The role of the process compliance auditor needs to be perceived as that of a positive change agent. By empowering auditors with the right training and tools, and by publicizing an audit calendar, process audits were made a part of the work culture. An appropriate reward structure for process teams that showed remarkable progress over previous audit results helped reinforce senior leadership's commitment to maintaining an internal control environment. Benchmark expectations were established with process owners to remediate any deficiencies identified by the audit team within a stipulated time period.
Best Practice #5: Direct Executive Involvement is the Cornerstone of Successful Implementations
Active involvement of senior leadership when the organization embarks on ISO 9001:2000 or any other major process initiative is imperative to establishing a vibrant, quality-focused organization. With the leadership team periodically reviewing findings, they can help remove implementation bottlenecks and also help create and empower a responsive team that is on the lookout for continuous improvement opportunities.
Best Practice #6: Use the QMS for Internal Controls and Information Security Management
Over time, all of the company's QMS processes, information management systems, and regulatory compliance should be placed under the ISO 9001:2000 QMS umbrella. Some of the benefits realized through this integrated framework included:
Common Calendars, Common Measurement Tools, and Standardized Frameworks. As the control environment became part of the overall QMS, process audit calendars became more tightly integrated. Process owners worked on creating one overarching process document covering quality and internal controls, thereby reducing duplication and the time spent on documentation and compliance management.
Cost Savings. Instead of multiple teams implementing and managing the audit framework, we were able to use a common team for these functions, thereby reducing the time needed for audits and measurement. The investment made to cross-train the audit team on all compliance, quality, and regulatory requirements was well spent, yielding added efficiency and reduced labor requirements.
Realignment of the Organization's Focus toward Continuous Improvement. One of the biggest benefits that emanates from the integrated framework is the ease of implementing a robust Continuous Quality Improvement Program (CQIP) alongside Six Sigma initiatives.
Best Practice #7: Cross-mapping between ISO 9001:2000, ISO 27001:2005, SAS 70 and Other Industry Regulations
The focus of each of these certifications and control frameworks is to improve quality, infuse efficiencies, and create a more secure, predictable, and low-risk workplace. Cross-mapping the requirements prescribed by the different certification frameworks not only helps in developing and maintaining a focused audit regime, but also cuts the redundant work otherwise needed to ensure adherence to the established standards and policies.
Best Practice #8: Combine All Audits under One Framework
Once the control requirements under the different certification systems and standards are successfully mapped, the key is to educate and empower your internal audit teams on all of these regulatory control requirements, information security controls, and quality management system requirements. It is recommended that audit assessments for all certifications be conducted at the same time, thereby decreasing time and effort without compromising the exhaustiveness and effectiveness of the audit process.
Best Practice #9: Understand Audit Findings One Level Deep
The ISO 9001:2000 baseline QMS is based on the philosophy that every issue discovered during audit evaluations presents an opportunity to improve.
A cross-functional team of senior leaders and managers from across the organization can be asked to examine the findings of internal and external audits and lend their support when change is indicated. A candid discussion of the non-conformance issues brings out significant innovation opportunities.
Best Practice #10: Create the Culture and Institutionalize the Framework for Improvement
Creating a process mindset is perhaps the biggest challenge of the integrated process management framework. Some of the approaches that we adopted are:
- Forming an internal audit team with representation from across functional areas
- Creating a learning culture and promoting internal audit certifications
- Linking career advancement opportunities to internal audit performance
- Capturing findings through online/automated tools
- Encouraging transparent discussions of non-conformity issues
- Conducting all audits simultaneously, and publishing the internal and external audit dates in advance
- Involving senior leadership and leading by example to create an institutional practice
The authors are Manish Jain, Sr. Manager - Marketing, Sales, and Communication, and Srinivas Sripada, Leader - Quality, Perot Systems Insurance and Business Process Solutions group, India. The authors can be reached at Manish.Jain@ps.net and Srinivas.Sripada@ps.net.