Managing organisational maturity

If you are working with Corporate Governance, Risk Management, Compliance or Information Security, you may have wondered:

How do I get the organisation to do their part?

How do I help them to take responsibility and ownership?

If so, you are definitely on the right track, because without the organisation you will most likely drown in work. Unless you are self-employed or part of a very small company (i.e. four people or fewer), you will never succeed with Governance, Risk Management, Compliance or Information Security without getting your colleagues to do their part.

You will basically need to meddle with the organisation's culture, at least for a selected range of key roles. But how do you change a culture, and do you know which roles you need to create and address?

Personally I've been in this position and felt like drowning. There was, simply put, too much that needed to be done and far from enough people to do it. My main problem, as I now know, was prioritisation: simply what to do first and what to forget about until the organisation is mature enough.

It was only when I started looking into organisational maturity, and ended up with the rough framework of a tailored maturity model for Governance, Risk, Compliance (GRC) and Information Security, that I got it.

The path from immature to mature isn't linear. And in that respect I was effectively flying blind.

The first thing to do was to establish some way of measuring how mature the organisation was and plan accordingly. This gave me a powerful advantage: I would later be able to measure again and document whether our efforts created the effect we wanted.

Looking through the maturity perspective and the results of our first watermark, I found that the organisation was far less mature than I had thought.

We had to start off in a different direction than I expected. We had to start by side-tracking the few security experts already advocating security.

These few and good people often take on a big responsibility for security aspects within the organisation, with the sad side effect that no one else feels they can pick up this responsibility without standing in stark contrast to these heroes.

This hero issue, I have later learned, is not unique but actually a systematic issue that most low-maturity organisations face. A good Norwegian colleague of mine at the time nicely coined it the "Hero Organisation". Where this term originates I forgot to ask, but we are now using it as THE term for organisations at the lowest maturity level on the scale.

Identifying the key-roles

So the first step for a low-maturity organisation, as I found it, is to move the responsibilities away from the heroes and into the hands of the natural owners. These owners are of course distributed throughout the organisation and represent the key roles that you will need to focus on and build up. But how do you do that?

Well, to start with, Information Security is centred around information assets. Some of these are naturally anchored in IT, but most are actually not.

Taking the organisation apart and looking at it from a customer/supplier perspective, with the IT department as the supplier, you should be able to find the roles of both information owner and system owner among these customers. Looking closely, I find that we are looking for the managers responsible for either a process (e.g. HR, accounting, customer services) or a product (things sold or delivered by the organisation).

Typically both products and processes are part of a hierarchy. Related products are often aligned in product groups, and each product might be broken down into components and variations. We are not looking for the breakdown or grouping of the actual products, but for how the responsibility is broken down or grouped in the organisation.

For processes, you may start with the main activities like HR, finance, IT, operations, sales etc. Each of these will often have a set of separate sub-processes with different owners: HR might have different teams handling employment law, salary management, training and counselling, while sales might be broken down into incoming sales, key account management, lead management, sales planning etc.

The main activities are mostly generic, with a few differences between the public, private and NGO sectors. How these activities are split within the organisation may, however, differ considerably from company to company.

You need to find the responsible managers. In big organisations you might just want to start from the top and work your way down. In other words, you don't need to map it all; just identify the main products (e.g. business units) and the main activities (e.g. cost units).

The rest is easily mapped using a survey, which incidentally is also the most efficient way to measure maturity in big organisations.

Reversing the flow

Having found the natural governance structure of the organisation, you now know exactly whom to influence. But you will most likely find, as I have, that you would still be stretched thin and far from effective trying to influence these key roles on your own.

I have spent a lot of effort trying to push knowledge, methods, disciplines and tools into the hands of an unwilling organisation. It is by design a very ineffective approach. Instead I find that sharing knowledge, methods, disciplines and tools with people who are genuinely interested is a quite different experience. It will still take time, but the process feels more like rolling a snowball down a slope. It will pick up pace of its own accord.

The big question is of course: how is it possible to create pull from the organisation?

Creating the pull

Well, actually, I found that most people in the organisation did not have a clear picture of their responsibilities, if they had one at all, and once I helped them get a clear picture, they had no idea how to go about it.

But worst of all, most of the people I engaged wouldn't admit this without first having to answer some hard questions.

So I've built a way of guiding these colleagues through the few steps of realisation necessary, and later integrated this into the way we measured the organisation's maturity. One tool, multiple results. And it worked wonders.

This is now all part of the full organisational maturity survey. Running the survey is a 6 to 8 week process, covering everything from setup and execution to management reporting.

If you are interested in more information, please call our sales team on +44 8445 499 101, or simply have us contact you at your convenience by filling in the contact form below.

You may also be interested in our basic maturity assessment, which is simply a survey for you or another single individual with the right level of insight. By completing this survey, we will be able to assess your organisation and send you the result.

The resulting report includes:

  • a basic indication of where your organisation is on the maturity scale
  • a breakdown of the maturity for specific key disciplines in the organisation
  • recommendations of actions to take to improve
  • observations made and the risks related to these

The basic maturity assessment is simpler in its form, targeting a single expert only (you), with no intention of creating the kind of realisation described above.

As such, it is more of a starting point and a simple indicator, but just enough to let you gauge where on the maturity scale your organisation currently is, and how best to approach organisational maturity from there.

Get the basic maturity assessment report

I have priced the basic maturity assessment very low, to help you get started more easily on building your organisation's maturity. At a price of only €100, far less than I normally bill per hour, you get tens of hours' worth of value.

Best regards,

Nicolai Elberling,
Company founder