In a similar vein, if people outside the IT organization (like regulators) ask for information or impose an audit, she can coordinate the organization's response. But every manager must be held accountable for his or her own piece of that response.
She also can coordinate planning. At one level, she can teach individual managers how to put together their own plans. Beyond that, her coordinating services include consolidating all their plans into an organizational plan, and bringing people together to work out the integration of the various pieces. Again, this is a service. Everybody must be accountable for planning; Allison is there to help them satisfy this requirement.
The same roles apply to testing the plan, as in the case of business continuity. Allison can coordinate the test, while everybody remains accountable for their own groups' responses.
Throughout this service-oriented role, Allison can teach her peers the regulatory requirements, the risks of non-compliance, and the kinds of changes required to mitigate those risks. Educating others puts them in a position to decide the trade-offs. In the spirit of education, Allison may offer a risk assessment service, if her peers are willing to "buy" it from her.
"One final concern," Allison said. "What if they just don't do anything about compliance? Who's to catch them? Their bosses may not know enough about the regulations to know that they've got a problem."
There may be a need for auditing, I granted. But here too, a service approach works best.
"Remember," I replied, "the real auditors are outside the organization — the regulators, hackers (in the case of security), or Mother Nature (in the case of business continuity). If you are seen as an auditor, doors will close as you approach and you won't be able to implement meaningful change. But you can sell 'compliance assessment studies' to managers which help them get ready for the real, external audit."
The difference between an audit and an assessment is this: An audit is imposed, and the results are reported to people other than those being inspected. An assessment is voluntary (if not requested by the manager, then by his or her boss), and the results are reported back to those who were inspected.
"Describing it this way keeps the accountability where it belongs, and keeps you on their side of the table — there to help them, not judge them. You've got to maintain good relationships to implement meaningful change."