The Path of Accountability
The trap of the scapegoat occurs in many situations beyond compliance. It may be that ITIL "process owners" are tasked with implementing changes in the way the rest of the IT organization works. Or perhaps IT is asked to implement ERP and takes responsibility for changing clients' business processes.
The organizational principle that applies in all these situations is straightforward: Accountability and authority must flow down through the solid lines of the reporting hierarchy. It must never flow sideways such that someone is given accountability or authority for peers' behaviours.
Everybody in the organization must be accountable for their own behaviours, including for their own compliance. What this means is that everybody must balance operational objectives with compliance objectives. The degree to which operational objectives must be compromised to ensure compliance (or vice versa) is a decision that should be made by each manager for his or her own group (subject to review by his or her boss).
Idealists will claim that compliance helps achieve business results. That may or may not be true in the long run; but realists know that, at least in the near term, there's often a trade-off.
Consider the extreme cases. If implementing compliance means shutting down production, a manager may choose to take the risks inherent in waiting to implement the compliance measure and pray that nothing bad happens. Conversely, if the risks of non-compliance are huge, the manager may choose to shut down production to implement the change.
There's no one right answer for everybody. The degree of compliance is a trade-off made in the context of specific business imperatives. Each manager is in the best position to make these decisions for his or her own group and must answer for the consequences.
After I explained this to Allison, she objected, "What if one guy takes a risk and something bad happens? Then the whole organization suffers the consequences."
"Allison, would you advocate zero risk?" I asked.
"In public, I'd have to say yes. But I know that would be unrealistic. Zero risk would force us to shut down the business, at least for a while. We can't do that. And the costs would be astronomical."
"Right. So if you take a risk and something bad happens, the whole organization suffers the consequences, the same as if one of the managers had taken the risk. Whoever has the power to decide, the organization as a whole is at risk. The only question is who should make the decision on those trade-offs — you, or the managers running the business."
Allison honestly felt she was in the best position to make those decisions. She thought her peers were likely to sacrifice compliance for near-term business results. While she agreed that making the managers accountable for compliance would swing the balance somewhat, she still wasn't satisfied that they'd make the right decisions.
"You know there's a good chance you'll make the wrong decision too, Allison. Given your position, you'll opt for more compliance than they would and in doing so you might sacrifice critical business results — maybe without even knowing it since you're not in the trenches delivering IT services."
We agreed that the trade-off between compliance and business objectives had to be made with a full understanding of both points of view. Either she could study the business and make the decision, or she could teach others the risks and let them decide.
I reminded her of the golden rule of organizational design: Authority and accountability must match. If she's to make the decision, then she has to be held accountable not just for compliance but for everybody's business results. Otherwise, what's to stop her from deciding in favour of absolute compliance, sacrificing business results, and letting them take the blame when critical projects and services fail?
"I can't be held accountable for everything going on in IT!" she cried.
"Exactly," I said. "Therefore, you can't be the one making these decisions."