2013.07.01
I believe that service organizations selling to regulated industries such as finance, insurance, health, energy, and the private sector don't really have a choice but to work the way their clients do: in regular, predictable ways that come without surprises. It's not a simple matter of "having the piece of paper". If regulated organizations seem like Kafkaesque bureaucracies, it's because they have to be. I'm in no way recommending mindless bureaucracy, but instead learning the best of what these organizations were trying to achieve—consistent quality and attention to detail.
Without this, and without all of the things that come with it (internal controls, process manuals, etc.), you won't sell to the regulated clients, and you'll have a harder time keeping them happy. You'll also, I predict, suffer more internal chaos and higher staff turnover due to the many frustrations that come with more ad-hoc ways of running a business.
Besides, your clients are demanding it. And some of your competitors are already doing it.
Without the sort of demonstrable excellence that's behind an audit report, a sales journey within a regulated firm can include a series of gatekeepers similar to that in the image below.
A service organization armed with an audit that’s backed by genuine internal excellence and a unified vision can bypass the gatekeepers and engage the client's decision-makers in the sort of conversation that really matters.
But meeting a client’s needs at every level earns and keeps a client's trust and builds "brand" with every interaction. A focus on the customer is the most powerful way of winning and keeping that customer. This sounds like a marketing talk on purpose; marketing experts understand the importance of a consistent message of excellent results. And what is an audit but proof of consistency?
Here’s how I believe it works. Initially, a process improvement initiative exposes the differences in expectations, assumptions, and interpretations behind existing processes. Eliminating those differences allows the firm to adopt a unified way of thinking and a unified level of consistent behavior. It allows the firm to adopt a culture of excellence, and allows the firm to find a competitive advantage based on processes that are not merely improved but (in the words of business strategist Michael Porter) that “fit” one another and are hard for a rival to copy. In this way, the conversation is no longer about “audit” but about lasting strategic advantage.
If a service organization approaches this like it's a millstone around their neck, that's what it will become. I think this is why one hears such stories arising from the banks in particular—they didn't want all of the overhead, and it shows in their approach and the results. Instead, I believe that this is a chance to excel, to differentiate your business, and even to land new clients. The key is not to say, "let's do this for audit", but to take on an initiative to improve processes in preparation for serving regulated clients. Call it risk-centric, call it 'continuous improvement', call it 'client-focused'. But take it to heart, because it's coming one way or another. (I'll talk more about this at length in the 'how' section.)
These are the direct benefits of adopting such an initiative toward sustainable process improvement that you need to pass an audit every year:
This is probably the single most important step, and the most tangible outcome of this entire process. It's a big deal to achieve consensus around objectives, the activities to reach those objectives, and the standards by which we deem those objectives met. In fact, I believe that this is the real battle. Once these are in place, they define "business as usual"; momentum is on the side of new consensus, and the rest becomes ways of finding solutions for specific process glitches—everyday improvement. This spans not only the organization but its dealings with providers, its clients, and even prospective hires.
It sounds like meaningless consultant talk, but once people understand the aims of an organization's activities, they suddenly grasp how the activities themselves can be improved. This benefits the personnel themselves, but it pays enormous dividends for clients who reap the benefits of every improvement.
Once people start working in a consistent way, it's amazing how so many of the blow-ups disappear. Gone are a lot of the:
There suddenly comes a time, in an environment that's organized itself, when staff are making predictable decisions rather than running to their management for decisions. This means that executives are focusing on what they should be: defining the firm's goals, shaping its strategies, and guiding the execution of the firm's tactical initiatives.
It cannot be overstated how much risk-centric process retrofit can improve your ability to sell your service to heavily regulated financial or health or government behemoths. They have vast volumes of regulations to stay ahead of, and so you must share that burden as their suitor. Armed with your audit report and all of the good things it represents, you can bypass the gatekeepers and engage the client's decision-makers in the sort of conversation you really want to be having. Years of RFIs and review meetings can vanish.
More consultant speak. But the staff in a functional environment know what the company is, they know what to do, and they know how their energy and ideas contribute.
This is a lot of heady stuff. But these directly applicable outcomes are, to me, the entire point. It's not about the theoretical 'risks' being controlled, and it's certainly not about the piece of paper.
Undergoing risk-centric process improvements towards annual audits that verify operational excellence is about being the sort of firm that has the capability to consistently excel; it's about building your 'story' as a firm; it's about your identity.
There's no such thing as an audit of service excellence or an audit of fit for process, but the auditor still sets the bar for performance which your firm must attain. The key lies in the auditor's adoption of recognized standards for measuring operations performance, his stolid consistency, and his demands for proof that it's always done right (every time). With the auditor holding the bar, your firm has no choice but to go forward.
An auditor isn't prescriptive; I don't think it's widely recognized, but if you've been tasked with managing an external audit process, an audit is your opportunity to take the initiative, to build what needs building (at last!), and then to explain how your firm's found its path. Your challenge, in turn, is that you mold his requirements, build that consensus, and build that lasting competitive advantage.
A technology service provider that undertakes a SOC-2 audit runs a curious risk; the company that emerges might be a different company.