See things clearly

Governance, OBASHI, and the UK CNC

The Civil Nuclear Constabulary (CNC) is a specialist armed police force, which looks after all of the UK's nuclear assets and resources, both nationally and internationally. 


Recently, I asked Paul Stone, Deputy CIO at CNC, why he, and his colleague Mark Verrier (CIO), had decided to become OBASHI accredited, and use the OBASHI Methodology, and software.


Paul’s reply is,

“OBASHI is a straightforward methodology with simple diagrams and simple rules. That means everyone ‘gets it’ first time.  It lays bare the dependencies of infrastructure, not in a Haynes manual way, but in a simple diagrammatic form.”

One of CNC’s reasons for using OBASHI is to help with Governance. 


Governance is something that I read about, and hear discussed, with increasing regularity. 


Events in finance, like the flash crash and the MF Global scandal, have led to increasing interest in the subject, in both the business and general media.  In my conversations with leaders in IT, it is clear that the topic is moving up the agenda in many organisations, not least because of concerns surrounding issues like fiscal husbandry, regulatory compliance and cybersecurity.


In my latest blog, “OBASHI and Data Governance” I mentioned that

“Fundamentally, good governance…relies on managing the underlying policies controlling risk.”

In this post, I’m going to further explore, some of the aspects of governance.


I like to think of governance in two ways.


Firstly, as a set of rules and policies which form the framework in which a group of people operate, that allows for consistency, resolution of conflicts, and people working together to achieve a shared goal or objective while minimising risk.


Secondly, as the processes by which we ensure those rules and policies are being adhered to, and not broken.


In a business environment, the rules and policies are there to regulate how operations are performed, and how decisions are made, to maximize business effectiveness and to minimise the risk to the business of bad practice. 


But without a practical implementation of the process of governance - those checks and balances to ensure the rules and policies are being adhered to – there is no way to guarantee that they are not being bypassed somewhere in the organization.


By way of an example, a recent event took place in the finance industry where David Higgs, who worked as a managing director in the investment banking division of Credit Suisse, pled guilty in a New York court to falsifying bank records, by inflating the value of mortgage securities. The overstatement forced Credit Suisse to announce a $2.65bn write-down.


Obviously, Credit Suisse had policies and rules in place stating that traders shouldn’t act in this way.  What appears to have been missing was an effective means of highlighting the situation that was developing as Higgs falsified records in order to hide losses.


It is difficult to imagine that Credit Suisse hadn’t performed a prior risk assessment of the way the trading operation worked - identifying threats and vulnerabilities, analyzing and assessing the risks involved - before creating their rules and regulations on how traders should act. 


It should be clear then, that in this case it was the process of governance that failed, despite the policies being in place to prevent this risk occurring to the bank.


As companies increasingly rely on IT in order to operate, IT Governance has become increasingly important. 


The adoption of best practice methods, such as ITIL, help ensure that IT departments operate in a standard and transparent way.  Checks and balances can be employed to ensure that the department is achieving the required level of service to the business, and that day to day operations are working effectively.   Governable processes can be put in place to ensure things are being dealt with properly from an operational perspective.


That’s all well and good, but IT Governance needs to be more all encompassing than simply making sure the department works smoothly.


As I mentioned last time, managing the underlying policies controlling risk is fundamental to good governance.  Trying to understand the risks to the business surrounding any IT portfolio is a complex undertaking.  To illustrate, I’ll scratch the surface of one of the aspects of IT Governance, that of Data Governance – which covers data quality, data management, data policies and risk management of data.


In this example, the data we’ll look at is the humble name and address, through the prism of data quality. 


One of the common ways used to assess data quality is by asking the question “Is the data we are holding ‘fit for purpose’?”


The answer is subjective.


If we are considering it from a CRM system perspective, we might say that if the data for the fields is present, then the system can operate.  Without the data, there would be an error and the system would fail.  In order to keep the system running, any name and any address is fit for purpose, so long as it’s filled in.


But what if the address doesn’t physically exist, because of an error in data entry? That might cause a secondary system to fail, one that relies on accurate information – in that case, the address is not fit for purpose.


What if the house or apartment number is incorrect? If the marketing department is using the data for direct mailing, we can see that it is clearly not fit for purpose.  If the same marketing department is using addresses to build a demographic profile of customers by region, the house number is not relevant – in which case it would be fit for purpose.


However, if the customer has moved house without informing us, even an accurate address would be incorrect, and would therefore be not fit for purpose.


Unless we understand how data is used by the business, we can’t assess the impact of risk, should that data fail in some way.


And the same is true of the IT assets that allow the data to flow around an organization.  Unless we understand how the IT assets are used in a business context, we will never be able to effectively perform the risk assessment which forms the backbone of good IT Governance.


There is an International Standard (ISO27001) which covers IT Governance, and in particular Information Security.  Part of ISO 27001 covers the risk assessments which should be made in order for IT Governance to operate effectively.  The standard is very clear that decisions regarding risk should be taken not by the IT department, but by the business.


A major stumbling block in achieving this shift to the business from IT, is that without knowing which IT equipment supports which business processes, and without clarity on how data flows around the organization, it is impossible for the business to best assess the risk of a system failure, let alone a component failure.


OBASHI provides that practical clear picture, which is something Mark Verrier and Paul Stone identified as being very useful when they investigated how OBASHI could help at The Civil Nuclear Constabulary.  


By mapping out how IT assets link to business processes, using OBASHI B&IT diagrams, everyone can understand what is required to keep any part of the business working, providing the business context needed for a true risk assessment. 


OBASHI Dataflow Analysis Views lets us see how data, such as that described above in the CRM system, is used by the business.  Again, this is vital contextual information needed if the best business decisions are to be made on policy and regulation.


CNC plans to use the OBASHI Methodology and software to,

“allow the full scope of processes to be seen by all departments involved (and their reliance on each other and the infrastructure).”

Good governance is more likely when we have the simple ‘big picture’ that everyone can understand.




Views: 193

Add a Comment

You need to be a member of OBASHI Think to add comments!

Join OBASHI Think

© 2018   Created by Fergus Cloughley.   Powered by

Badges  |  Report an Issue  |  Terms of Service