Compliance and risk
Governance authors are concerned with compliance and risk – not only in the narrow sense of regulatory compliance (although that’s part of it) but in ensuring that your organization meets its obligations and commitments, without unexpected, unplanned risk.
Governance documents govern what your organization does and how it does it. Some examples are: regulations; business policies; contracts; leases; product & service specifications; terms & conditions of supply; service level agreements; advertisements; customer help-desk scripts.
They also define or imply some risks to your business. Risks ought to be planned and managed. Unplanned, unexpected risks cause problems. For example:
- Misleading advertisements cause disappointment and anger. An offending organization will lose customers and may be fined.
- Inaccurate or ambiguous product/service specifications give rise to disputes and, perhaps, lawsuits.
- Failure to comply with regulations incurs penalties – in extreme cases, closure of the business and/or prison sentences.
These kinds of problem are usually caused by ambiguity, omission, inconsistency, contradiction or misunderstanding (or deliberate misrepresentation – which we shall not address here).
Governance authors are the people in an organization who have responsibility for its governance documents, in two contexts:
- Documents that originate within the organization, such as: business policies; employment contracts; the organization’s own product & service specifications and terms & conditions of supply; advertisements.
- Documents that originate outside the organization, such as: industry good practice guides; suppliers’ product & service specifications and terms & conditions of supply; regulations.
Governance authors need to:
- Interpret the governance documents and provide internal advice and guidance on compliance with them.
- For governance documents from outside the organization, define traceability from the received documents to the business working practice, to support the organization’s position in case of dispute.
They have to ensure that:
- The documents themselves are not a source of unplanned risks. This often requires governance authors to challenge the documents and negotiate changes that resolve the problems.
- Misinterpretation of the policies, rules and advice about compliance does not cause unplanned risks. People in the organization need sound advice and guidance.
Policies, rules and advice
“How an organization does what it does” is governed by business policies, rules and advice.
A major risk is that policies, rules and advice look well-formed and unambiguous, but are based on definitions that are ambiguous, inconsistent, informal – or exist only in the minds of the beholders. For example, how many meanings for ‘customer’ might a business have? And how well is consistency of meaning managed when ‘customer’ is used in policies and rules?
To develop and manage high-quality governance documents, governance authors need business vocabularies that:
- are usable by authors to produce content that people in their organization can confidently use – in the language of the business;
- are sufficiently formal to be the basis of specifications for information systems that will support working practice.
Some useful vocabularies are available, but many are focused on information system specification – they would define ‘customer’ as the data to be kept about customers, rather than defining the real-world relationship with a person who buys things from the business. When you write the rules for, say, how to close a sale, or how to resolve a dispute with a customer, you mean the rules for dealing with the person, not the data.