Nurturing accountability
Have you ever wondered how accountability can be useful from the perspective of compliance as well as productivity?
Your organization consists of thousands of activities performed by multiple teams. So, your organization becomes compliant when each activity becomes compliant. However, there can be non-conformities (NCs) in activities. And every time you fix an NC, you become more compliant. How do you ensure that, when an NC is fixed in one activity, similar activities in your company don't make the same mistake?
For example, Zylker considers coding as an “activity” in the company. There are 25 teams performing this activity, with hundreds of software developers. A developer from one team wrote some code containing a security misconfiguration that resulted in a bug. This issue, an NC under OWASP, was later resolved. This particular team learned the lesson to be wary of security misconfigurations every time they code—but what about the other 25 teams and their code?
There is a good chance that:
How can you ensure that the number of NCs decreases? How do you ensure that each developer is wary of this NC and does not make the same mistake in their code?
The answer lies in accountability. If the accountable person for each activity is known and recorded, they will be obliged to ensure that the activity is compliant.
Once the NC is identified, the SPA team at Zylker sends an email to all accountable people telling them about this NC, including steps they should take to ensure this NC isn't repeated in their activities.
This is the first leg of the 3P framework, where you map People and Processes together.
How do you do that?
You invoke one of the most powerful tools for compliance: documents.
Documents: Your primary instruments
What is the simplest, most logical way to start putting the 3P approach to work? To put it on paper. But first, keep in mind that many employees have these preconceived notions about documentation:
- "It is added work, something that will reduce my productivity."
- "It serves no real purpose as I am just repeating what I know."
However, documenting is the first step towards clarity. Whatever you know about your work is only in your head. Only when it comes out on paper will you actually know what you know and what you do not.
Until you confidently document what you do, it is almost impossible to ascertain the areas where you can do better.
An institution without proper documentation is looked down upon by regulators and law enforcement agencies.
The GDPR's accountability principle, which indirectly hints at comprehensive documentation, is as important as its legal agenda. Article 30 of the GDPR emphasizes the need to create a “record of processing activities” and deems that organizations need to demonstrate “Data protection by design and by default,” which implies that you must identify and fix problems at the initial stage of processing.
We’ll show how you can document the following:
- Your activities that are part of work (activity register, RACI Matrix)
- Details of the products, services, or deliverables (information asset register)
- The potential dangers associated with these processes, and how you would handle them (risk assessment)
The above is essentially what every international standard asks of you. Having this kind of documentation makes obtaining certifications like ISO and SOC simpler, as your documents are the primary and most trusted source of communication with external auditors.
Activity register
An activity register is the most straightforward adaptation of Art. 30 of the GDPR. You simply list all the activities in your company. Even if it isn’t used for compliance, an activity register is a good thing to have.
Each activity is a building block of your organization. Your company will have a strong, unassailable compliance structure only when each block is accountable, compliant, and robust.
To bring accountability to your organization’s activities, you also need to mention who is accountable for that activity—in simpler words, who will be questioned if the activity goes haywire.
There are multiple ways to go about this:
- Method 1:
  - Ask every person in your company to record what they do as part of their job.
  - Gather all such activities and make a register.
  - Tag the accountable person and their team with each activity.
- Method 2:
  - Assign managers for this project.
  - Ask them to list each activity happening in their team.
  - Ask managers to tag an accountable person in their team for each activity.
- Method 3:
  - Have the SPA team create a list of activities for the company based on functions.
  - Ask managers to use this list as a base and make modifications to suit their team.
  - Have managers tag the accountable people for each activity.
  - Require the accountable people to verify the list.
Depending on the size of your organization, the nature and experience of your SPA team, and your organization’s culture, you can choose the method that’s best for you.
Activity tree
An activity tree solves the managerial problems that occur when you add your activities into a spreadsheet and they pile up into hundreds of rows, making it difficult to search and extract data. To sort this out, you can use an activity tree:
This way, you can choose which level of the activity tree you are interested in.
When it comes to listing activities, it is common to be stuck at a few questions:
- What type of activities should not be mentioned in the register?
  For operational activities like recruitment and support, instances of activities need not be mentioned. Let’s assume Zylker recruits new college graduates every year. Recruiting college grads is an activity headed by John Taylor of Zylker HR, and it must be in the register. However, hiring for the year 2020 for a particular team from a specific college is an instance of recruitment, so it should not be mentioned, as John repeats that activity many times. John handles such instances using project management tools like Zoho Projects.
- How fine-grained must you be while listing out the activities?
  It depends on the person that’s accountable. If you can't find a unique accountable person for, say, subactivity 2(a1) in the above illustration, then you should stop with subactivity 2(a).
  For example, Zylker's sysadmin team, headed by Graham Peterson, is structured in such a way that Michael Smith handles all onboarding activities for new employees, while the exit process is taken care of by Brendon Drake. Michael handles all onboarding activities like assigning laptops, creating accounts, ensuring encryption, and providing gadgets and software. Brendon recovers all gadgets and updates the asset registry during the exit process, but it is Martin Groove's job to remove email aliases and shut down access to critical environments like data centers.
  Here, the activity tree stops at “Onboarding,” while “Exit process” branches out into “Recovery of gadgets and update of asset register” and “Removal of email aliases and shut down of access to critical environments.”
- Should mundane actions, like logging in to an account or accessing a server, be mentioned?
  This level of detail is not necessary, as this information can be added as the procedure for the subactivity that cannot be further branched.
- How should development/production activities be mentioned?
  Developers are often in charge of a feature or module in the product or service they are working on. Development itself can be an activity with subactivities, but the feature or module a developer is working on should be listed alongside the developer’s name in the activity register.
  For example, Zylker is developing an education platform, Think, for enterprises to help educate and evaluate their users' knowledge regarding any subject. This project is headed by Dwayne Charles. In this platform, Julie Ann is developing the content module for storing and distributing educational materials, while Lisa Bingel is in charge of the evaluating module that asks users questions. Although they are both doing the same activity, development, it makes more sense to include the modules they are developing in the activity register for better accountability.
- What is the actual role of an accountable person?
  An accountable person will ensure that their activity is compliant. They will be provided with tools and education through the SPA team.
| Parent activity | Activity | Accountable |
|---|---|---|
| Zylker Operations | Sysadmin | Graham Peterson |
| Sysadmin | Onboarding | Michael Smith |
| Sysadmin | Exit process | Brendon Drake |
| Exit process | Recovery of gadgets and update of asset register | Brendon Drake |
| Exit process | Removal of email aliases and shut down of access to critical environments | Brendon Drake |
| Zylker - Think | Development | Dwayne Charles |
| Development - Think | Content module | Julie Ann |
| Development - Think | Evaluation module | Lisa Bingel |
The RACI magic
An activity involves more than just the person who is accountable for it.
For example, 2020's campus recruitment drive at Zylker involves more than just John. Dwayne, manager of project Think, decides how many developers he needs. Lisa evaluates candidates and gives appropriate input to the HR team. John then asks his team to conduct the final interview. Graham the sysadmin must know about the recruitment drive, as he must raise the request for assets and procure them before the recruits join. Likewise, the finance and admin teams must also be notified of the hiring event.
Although John is tagged as the person that’s accountable for the activity, it involves other roles as well.
Here are those four crucial roles:
- Accountable: The one who takes charge of the activity and is ultimately answerable for it. This has to be one individual, as having more than one person be accountable leads to conflicts of interest and confusion. In the above example, only John is held accountable.
- Responsible: The people who actually perform the activity. This can be a person, a team, or an ad hoc group. They answer to the accountable person. In our earlier example, the five-person recruitment team under John will be tagged as responsible.
- Consulted: The people who offer opinions. They are typically subject matter experts who must be consulted before a decision is made. This can be a person or a team. In terms of Zylker’s recruitment drive, the project team Zylker - Think led by Dwayne, who assess the candidates' technical ability, will be consulted before any hiring decisions are made.
- Informed: The people who must be kept in the loop about how the activity is progressing. This can be a person, a team, or a group of individuals. In our example above, Graham of the sysadmin team, along with the finance and admin teams, will be kept informed of this activity.
For every activity you’ve listed in your activity register, identify four groups that are responsible, accountable, consulted, and informed (or RACI for short). Once you’ve done that, your activity is owned appropriately. And why did we call this magic earlier? Because it solves real-life problems that you did not even know were there:
- Uncertainty regarding who makes decisions
- Creation of and engaging in non-essential work to fill time
- Questions over who does what
- A reactive work environment rather than a proactive one
- A “not so sure, so take no action” attitude
- Blaming others for not getting work done
The first step of your compliance framework
Here's what Zylker’s activity register would look like after the RACI touch:
| Parent activity | Subactivity | Accountable | Responsible | Consulted | Informed |
|---|---|---|---|---|---|
| HR | Recruitment | john.taylor | Recruitment team (D) | Zylker - Think (D) | graham.peterson, finance (D), admin (D) |
| Zylker Operations | System administration | graham.peterson | michael.smith, brendon.drake | - | Top management (D) |
| Sysadmin | Onboarding | michael.smith | michael.smith | - | Project owner |
| Sysadmin | Exit process | brendon.drake | brendon.drake, martin.groove | Project owner | |
| Exit process | Recovery of gadgets and update of asset register | brendon.drake | brendon.drake | Manager | |
| Exit process | Removal of email aliases and shut down of access to critical environments | martin.groove | martin.groove | Manager | Project owner |
So, now you know what you do and who exactly does it.
Useful tips
- It is preferable to denote people with unique IDs to eliminate confusion. This could be their email address (michael.smith@zylker.com) or employee ID (Zylker-1234). In the above example, we’ve listed each employee’s email address but left off the domain name.
- This also makes it easier to link the activity register to your employee portal.
- It is also advisable to add a mark next to departments or teams [like “(D)” in our example] so they can be located and linked to the employee portal.
- The Consulted and Informed columns need not always be filled. For high-level parent activities like system administration, they are often left empty.
- The accountable person will often also be responsible for carrying out the task.
- The project owner and manager will change with projects. So, instead of mentioning so many names in the columns, “Project owner” will suffice.
The SPA touch: The SPA team must create an environment where the entire organization can be open about the roles of any individual. Here's how it can happen:
- They must create a central repository where all such activity lists, with RACI details, are maintained. It can be as simple as a spreadsheet.
- They must make the spreadsheet accessible to the entire organization, and they must give the respective managers the option to edit it whenever necessary.
- The changes to this RACI repository should be governed by the SPA team. Any change in an activity should be shared with the parties under the Consulted and Informed columns so they will be prepared.
- If you have a module or portal for managing your workforce, where each employee gets a profile, you can integrate this module with the RACI matrix. Every time someone logs in, they can find the list of activities they are responsible and accountable for, or simply consulted and informed about. Features to search for employees, activities, and responsible teams can also be included.
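One way to keep such a repository consistent with the rules above (one individual accountable per activity, teams marked “(D)”, Consulted and Informed optional) and to answer the per-employee lookup the portal integration describes: an added Python example, not Zylker's or Zoho's code, run over a constructed copy of a few rows of the register above.

```python
# Added example (not Zylker's or Zoho's code): checks a RACI register against the
# page's rules and answers the per-employee lookup the portal integration describes.
import csv
from io import StringIO
# Constructed sample of a few rows of the register above; domain dropped from IDs.
RACI_CSV = """\
parent;activity;accountable;responsible;consulted;informed
HR;Recruitment;john.taylor;Recruitment team (D);Zylker - Think (D);graham.peterson, finance (D), admin (D)
Sysadmin;Onboarding;michael.smith;michael.smith;-;Project owner
Sysadmin;Exit process;brendon.drake;brendon.drake, martin.groove;Project owner;
Exit process;Removal of email aliases and shut down of access to critical environments;martin.groove;martin.groove;Manager;Project owner
"""

def split_cell(cell):
    """Split a comma-separated cell; '-' or an empty cell means nobody."""
    cell = cell.strip()
    return [] if cell in ("", "-") else [p.strip() for p in cell.split(",") if p.strip()]

def load_register(text):
    return list(csv.DictReader(StringIO(text), delimiter=";"))

def validate(rows):
    """Findings against the page's rules; an empty list means the register is clean."""
    findings = []
    for row in rows:
        label = f"{row['parent']} / {row['activity']}"
        acc = split_cell(row["accountable"])
        if len(acc) != 1:  # exactly one person answers for each activity
            findings.append(f"{label}: exactly one accountable person required, got {acc}")
        elif acc[0].endswith("(D)"):  # '(D)' marks a team; a team cannot be accountable
            findings.append(f"{label}: accountable must be an individual, not {acc[0]}")
        if not split_cell(row["responsible"]):  # Consulted/Informed may be empty, this may not
            findings.append(f"{label}: nobody is responsible for performing it")
    return findings

def activities_for(rows, person):
    """What the employee portal would show on login: activities per RACI role for one ID."""
    result = {"accountable": [], "responsible": [], "consulted": [], "informed": []}
    for row in rows:
        for role in result:
            if person in split_cell(row[role]):
                result[role].append(row["activity"])
    return result

def change_audience(rows, activity):
    """Parties the SPA team must notify when an activity changes (Consulted plus Informed)."""
    for row in rows:
        if row["activity"] == activity:
            return split_cell(row["consulted"]) + split_cell(row["informed"])
    return []
```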
ZOHO STORY
Zoho and the RACI magic: With hundreds of product teams, using a RACI matrix was by far the obvious solution to get the most clarity about our organization. Looking at RACI changed the way we look at processes.
- People have a better sense of ownership about what they are doing. Once we created and implemented a RACI matrix, the number of excuses for not getting things done started declining.
- Determining the RACI for each activity has helped us communicate much better. Group chats are less active since people know exactly who to communicate with.
- Meetings for small incidents, internal feature audits, etc. require fewer people since we know who is accountable for what.
- External audits are smoother, as the auditors are able to easily point out the accountable person they want to question.
Compliance truly becomes a shared responsibility only when you’ve built a RACI matrix for your organization’s processes.