I have outlined some of the hazards inherent to an initiative to improve internal processes at a technology service provider for the purposes of a service audit (e.g. SOC-2). This diagram shows a process flow annotated with some of the risks involved.
After leading one service organization through such an initiative, and studying the way that six other firms approached similar initiatives, I found the above process to be fairly consistently deployed, despite the risks. I then began to search for an approach that can correct for those risks. I also wanted to know if there was a better way of obtaining more of the strategic benefits from such an undertaking. These are the impacts I referred to in the previous post: the lasting competitive advantages to be had by positioning the organization’s service more in line with regulated clients’ core needs; the improvements to brand that result from improved quality and consistency; and the improved differentiation of the firm against competitors or new entrants to the business.
I’ve found clues in the literature, and am proposing an alternative approach as a sort of request for comment. This approach draws on the concepts of strategic planning and the management of strategic execution. The following diagram shows this improved flow.
A good deal of work remains in the “Initiative to overhaul operations”. But there are more inputs at the outset, and certainly more benefits baked in. It is by using a more informed decision-making process at the outset that a firm can better understand the range of potential outcomes inherent in such an initiative. This shifts the focus of the initiative from one of revising a grab-bag of seemingly peripheral IT and operational practices and recasts it as a fundamental mission of innovation: to construct a better-built firm that is more focused, capable, and profitable.
Of the many steps in the new flow, the review of strategy at the outset is crucial. This is an evaluation of the opportunity to undertake service audits in light of changing market realities and the firm’s place in that market.
The strategy review stage has two internal inputs: the firm’s existing value chain, and an enterprise-wide risk assessment. It also has two external sources: an analysis of its regulated clients, and the published standards for operations and governance.
Evaluating the existing value chain in light of these inputs allows the company to produce a new value chain model (as in Andrew Spanyi’s Operational Leadership). The model I’m proposing here is not only shaped to meet the “audit requirements”, but is designed in a way that refines the company’s consistency of service and distinguishes the firm from its competition.
Assessing risk across the enterprise falls out of understanding the value chain. Once the core processes by which the company adds value are understood and mapped out on paper, risks can be identified by simply asking ‘what can go wrong’ for each step in every process, and then understanding the impacts (asking ‘so what’).
Evaluating the company’s service portfolio against the needs of regulated clients allows the firm to understand the types of services the regulated clients need, and the degree of risk management competency with which they must be delivered. One excellent source of material here is the clients’ regulators. I’ve had the pleasure of writing an outsourcing process manual for use by financial firms, based on regulatory guidance. I’ve also taken the outsourcing requirements of regulated clients as guidance when at a service provider. These sources are vital to understanding how a service organization fits its regulated clients’ needs. Moreover, client personnel should be polled for input at every opportunity. For instance, if a service organization is delivering software, what does the client expect in its user acceptance testing?
For a technology service provider, the operations and governance sources should include ITIL, COBIT 5 (and possibly COSO), as well as the criteria for the SOC-2 audit, the AICPA/CPAC Trust Services Principles. It’s likely that any firm undergoing a service audit is already using these sources. But the CPAC offers the “Twenty Questions” publications, available free of charge, that list “twenty questions a board should ask” on a variety of subjects. These documents will prompt detailed thinking to help shape one’s understanding.
Pulling these sources together, the strategy review process should deduce a clear picture of the needed changes to the value chain. This is the time to evaluate how changes to the consistency and fit of its core activities will impact the competencies and character of the company, and understand how the emerging firm will be changed. Lastly, the strategy review should understand any changes in the expense of and restrictions on delivering its service, and how these will cause the firm to evaluate the profitability and suitability of different groups of clients.
Matching the firm’s overhauled capabilities with the identified market opportunities allows the company to understand whether it wants to pursue the undertaking before it embarks on its initiative to overhaul its activities. The questions should be:
Armed with such understanding, the firm can then make the decision to proceed with a planned project to improve its processes (and activities) with a clear sense of mission. The firm will also understand any required changes to its portfolio of services, and better realize its alignment with its regulated market.
These things, in turn, improve brand cachet within that market and, by Michael Porter’s definition, improve competitive advantage. Through the adoption of measures of financial and operational performance (e.g. as outlined in COBIT 5), the firm can demonstrate and monitor these effects.
I believe that the differences in outcomes between the usual process used at service organizations today and my proposed methodology are so significant that no service organization should consider undertaking a service audit without a rigorous look at the strategic implications.
Parts of what I'm proposing here are things I haven't done quite this way (though I intend to). I'd love to hear from those who have tried something similar.
Undertaking an annual third-party audit may feel like a dreary and endless burden, especially to those who've seen a SOX implementation go awry. But it can be a clear advantage.