Wednesday 10 September 2014

Government ICT System Assurance Framework

I've just been browsing through the NZ Government ICT assurance site. The scope of the ICT assurance includes ACC, EQC, NZQA, NZTA, HNZC, NZTE, TEC and (of most interest to me) from July 2015 will include the District Health Boards.

I'm reading the ICT Operations Assurance Framework (pdf) as that most affects me in a support role.

 Some Notes & Quotes:

 ---
 The Chief Executive remains accountable for the successful delivery of their ICT Operations and for ensuring risks are managed and kept at an acceptable level.
Rob England would like this. Governors govern. The CIO might be responsible for getting stuff done - it's the CE that is accountable for ICT. The ISO standard for IT Governance is ISO38500 - it's actually titled "Governance of IT". Governance occurs outside of IT, and is done to IT; it is not something that IT does. The CE can't abdicate accountability, putting everything on the CIO, any more than they can dodge unsafe working areas, blaming the facilities manager.
---

Seems very much focused on risk identification ... negative risks only (haven't seen anything regarding positive risks)
---
There is a diagram titled "Risk Universe" which is really a list of ITIL processes - this is noted as such - seems a little strange to list the processes as the embodiment of risk areas. I guess it's one way of compartmentalizing where risks occur. A problem remains with areas that are not covered by ITIL - which is quite considerable (Rob England again).

---
One of the key objectives of the ICT Assurance framework is to improve system-wide ICT risk management and assurance through lifting capability
 I like that - managing risk through improving capability.
---

A risk maturity model is due in 2014 sometime - will include a maturity assessment tool. That'll be interesting too.
 ---

General

I like the direction this is going. Identifying risk then managing that risk by improving capability is a good approach - sure beats improving capability in areas that don't matter to the organization. I'll try to keep an eye on this. Will ask our auditor about it when he's here next year.

Tuesday 9 September 2014

Coaching - essential for staff development, and it's not about being a trainer.

Staff development is crucial. Sure we'd all like to hire the perfect staff, who were all able to do anything we needed, to perfection, every time. Instead we end up hiring humans, as imperfect as their manager.

Often development is seen as "training" - with staff being sent away somewhere to receive it, somehow. Sometimes this is almost a punishment (a last-ditch attempt to get someone up to speed before getting shown the door), often it's done as a reward or bonus - especially if the course is out of town.

Training is part of professional development, there's nothing wrong with it and it's essential for some things. It's a mistake to think that's the only way to develop staff though. Coaching can be very productive.


First let’s knock down one fear I've often heard - "I can't train my staff in all the things they need". Coaching isn't training. Say that again slowly - Coaching is not training. You don't have to be an expert in something to coach it. Think about elite athletes for a second. They all have excellent coaches - yet the athlete is more adept in their field than the coach. The coach guides - not by showing how excellent they themselves are - but by guiding the athlete in areas which will lead to improvement.

I'm a big fan of the Manager-Tools podcast. They have an excellent coaching model (Start here: Part 1 & Part 2).

The thing I like about the model is the amount of discussion between the manager / coach and the direct - and that it is short. There are only 4 steps:
1) Negotiate the goal
2) Negotiate the resources to be used
3) Negotiate the plan
4) Action the plan

I add a fifth - which is defined in the very first step of goal setting.
5) Validation/Verification

The goal should be something substantial with milestones set in the plan at roughly fortnightly intervals. Early milestones will be pretty firm - with vaguer ones in the distance. These get firmed up as the plan progresses. The goal should be measurable and time bound. Everyone needs to know what's defined as "achieving it" and the time-span. Without either of those - you don't have a goal, just a vague dream. Make it firm - an exact measurable achievement, by a point in time (there's a Manager-Tools cast for that too).

The first three steps are a discussion between manager & direct. Both need to have buy-in here. The staff member needs to participate, and be heard. Put yourself in their position - if you need to work on something that you're pressured into then you're not going to really put as much effort in compared to something that you really do want to work on. As a manager use that. There's probably a dozen things that staff need to work on. Hook into the ones that they recognize. It's a negotiation; if they don't buy into the area that's your focus - don't worry - by discussing that option, and maybe putting it off, it's been raised and is worth coming back to in a later cycle. If there's a serious performance issue going on then the rules change.

The fourth step is performed by the direct. The manager teaches absolutely nothing - it's all about guiding and holding the staff member to the plan they agreed on.

Then finally there's the validation. The end-point for the goal. Being able to show that you've achieved what you've set out to do by the time you set originally.

I've been doing this for quite a few years in various forms. From a management perspective it is remarkably effective and efficient. I have a weekly 30-minute catch-up with each staff member. The coaching part normally takes about 5 minutes. Checking where they're up to, what was achieved last week (if not, why not), what's coming next. It really is incredibly short.

Saturday 1 February 2014

Important IT Books



I've just listened to a Manager-Tools podcast on recommended books for everyone to (re)-read. It made me think about what I'd regard as the best IT books I've read over the last while.

Note: the links on the book titles take you to Amazon. Check out your local bricks & mortar bookstore first - you might be able to pick them up without the hassle of freight and waiting. And they need your support.

Frederick Brooks (1975+) The Mythical Man-Month: Essays on Software Engineering (MMM)

 

This is the classic book about working in IT. Few things date more quickly than a computing book. There is a reason that this book is still a best seller almost four decades later.

MMM is a series of short essays describing truths about IT and the activity of working with computers. An example from this book is the essay "No Silver Bullet", which was added to MMM in the anniversary edition.

Further details on this book, including a summary of each chapter, are at Wikipedia.

Peter Drucker (1967) The Effective Executive


If you thought I was pushing the age of books for IT with the Mythical Man Month then this might have you really shaking your head. This is a book about working in the modern IT world which was written before IT, as we know it, even existed. Drucker coined the phrase "knowledge worker". To him an "executive" isn't a manager of people or enterprises, executives are
 “those knowledge workers, managers, or individual professionals who are expected by virtue of their position or their knowledge to make decisions in the normal course of their work that have significant impact on the performance and the results of the whole.”
 That pretty much describes IT to me. Drucker emphasizes five practices that are essential if you're going to be effective:
  • Managing time
  • Choosing what to contribute to the organization
  • Knowing where and how to mobilize strength for best effect
  • Setting the right priorities
  • Knitting all of them together with effective decision-making
My copy has been read several times, and each time I pick up tips for working more effectively. I swear Drucker was channeling some IT worker from his future.

Kevin Poulsen (2011) Kingpin



From two ancient books to something very recent. For many years I would have listed Cliff Stoll's "Cuckoo's Egg" in my favorites list. But it is quite dated today (still a great book) and I haven't mentioned it to anyone for ages. But we now have a modern, true, cyber-criminal book. Poulsen's story of an ace credit-card fraudster and hacker reads like a novel but is a well researched and referenced coverage of a very real threat. This is one of the best books I've read in a very very long time.

Eli Pariser (2011) Filter Bubble

This book stems from a TED talk that Eli gave in 2009. The book fleshes out the details he glossed over in his nine minute talk. The main point is that sites like YouTube, Facebook and Google all try to use "smarts" to customize our searches to us individually. This means that as they learn more about us, they are able to give us more of what we are interested in. Sounds good?

The down side is that the more these sites learn about us, the more we see of things that we've already seen. We get exposed to more of the stuff that we already agree with. That's not healthy if taken to the extreme. We start living in a bubble which we create for ourselves, unaware of the rich tapestry of life and views that we either don't really like or haven't been aware of. And as the bubble becomes more entrenched - we are less likely to be aware of it.

This is one of the reasons I love Twitter. I follow people because I find them interesting - and purposely follow a number of people who I disagree with when I can see that they are sincere and thoughtful. I use Twitter quite deliberately to be exposed to things outside of the bubble I create. An analysis of those I follow would show that I'm not very successful ... but I do try :-)

Saturday 11 January 2014

Value Center? Yeah ... naaa

At the end of the day - an IT department is a Cost Center.

There! I said it. Begin the stoning.

But don't get too excited about cutting IT costs - almost all of the rest of the business is also a Cost Center.

The idea of a "cost center" was proposed by Drucker to differentiate the parts of the business that earned revenue (Profit Center) from those that don't directly earn new money, but instead support those that do. He regretted that distinction and later said that "The only profit center is a customer whose check has not bounced" (1). But now the idea has been adopted in general language.

Assuming that you're not working in an area of IT which contracts out to other businesses, and earns an income for your organization, then you're working in a Cost Center. Regardless of how vital your work is to the organization, if you are not bringing new money into the organization, you're in a Cost Center.

A while ago Kaplan pronounced the end of Cost & Profit Centers (3) by reviewing the wide range of other "centers" that had grown up, partly because people don't like to think of themselves as being just a cost to the business. There were Investment centers, Discretionary Expense centers, Revenue centers, and others.

Within IT, we don't like to think of ourselves as being a cost to the organization either. We're special, not like HR, Payroll or Facilities Management, or (heaven forbid) Marketing. We provide value to our business. We do really cool things that allow the business to do more with less, open up new markets, allow our front-line people to provide better value to our business's customers. Yeah IT departments are important, we're not just a cost center!

The only problem is that this is the view of all areas of the business. HR try to make sure that people are working well - thus providing value to the business, Marketing people are pushing to earn money from customers (2), facilities management people take pride in ensuring that buildings etc are working as best they can for the staff and customers. And let's get real here - in a brick & mortar business, the customers are more likely to notice bad performance in facilities management before they notice poor IT - they definitely do provide value to the organization.

So how is IT more important than that - how do we show that we provide more value to the organization than those other support functions? If that's at the back of your mind - get over yourself. All areas of the business provide value - otherwise why does the business put up with them? Trying to compete with other areas of the business is harmful to the business (aside - check out this competition between the brain and the rectum as to who is most important).

It's more useful to consider how we provide value to the organization. IT acts as a lever to the organization. Investment in IT should allow other areas to work more effectively, more efficiently, and open new opportunities that were not otherwise available.

Sometimes an organization treats IT as a cost center and then takes the view that all costs should be minimized. But reducing the investment means minimizing the benefits that IT can provide to the organization. This happens, but often to the detriment of the organization.

However, it's silly to say that we're not a cost center, because - by definition - we are. We don't directly bring new money into the organization. Or to say that we are a "value center" - all functions provide value, the term is meaningless.

If you want a term to make you feel special about IT, then claiming that we are an "investment center" might be useful. By investing in IT (and not being dumb about it), the organization should see benefits which would not otherwise be realized. But let's not pretend that we're something we're not.

References


(1) Managing in a Time of Great Change

(2) Marketing Should Be a Profit Center, Not a Cost Center

(3) The Demise of Cost and Profit Centers

Saturday 13 August 2011

Moving in

Moving onto Blogger after having a (mostly neglected) blog on ToolBox.com. I ended up getting fed up with people having problems commenting on my blog entries. It is also a bit dated in its look & feel.
The down side of moving – I’ve got to get my head around sorting out this blog. I’m sure it’s simple, but I really don’t have the time