Your organization is an ecosystem of interworking parts; a vast collection of automated and manual agents, ideally pointed in a direction with the intent of improving your chances for success or optimizing market value. Healthy organizations spend an immense amount of time documenting their inner workings though training both verbal and written. But how do we determine if your activities are contributing to positive change?

Obviously, policy plays an important role. SOC2 addresses many of the key points required to operationalize your workflow. It codifies board involvement, hiring, operational flow and security just to name a few. Even with all its strengths, an organization cannot realize the full benefit without oversight.

Oversight

Mature organizations understand the benefits of meaningful oversight. The connotations of oversight range depending on one’s perspective. It’s understandable for an employee to feel mistrusted if their work is always scrutinized by a third-party. As a leader, it’s important to focus on organization excellence and how oversight can unearth meaningful data to inform decisions leading to better outcomes.

At this point, it’s important to visualize an example of oversight applicable to your organization. Let’s assume that your organization conducts background checks on individuals and maintains standards related to the results of those investigations. We can break this down and follow the path through, control, policy, procedure and evidence.

• Control. SOC2 CC1.4.2 contains relevant language related to an employee’s background. While this control isn’t completely prescriptive, it makes that point that you, as an organization, make every effort to hire individuals who have the skills needed to perform their intended job function.

• Policy. If we look to your Workforce Onboarding and Clearance policy, we are likely to find an article related to the Scope of Background Investigations. This article must state the organizational requirements; in this case, that a background check must be performed, reviewed, and stored.

• Procedure. This is where the substantive language begins. The procedure outlines specific steps, vendor names, individual or roles and, properly written, allows for little to no room for interpretation.

• Evidence. (also known as control tests) Evidence captures procedural activity demonstrating that procedures are followed as written. Referring to our example, this might be a list of current employees cross referenced to a list of background checks. Do we have a 1–1 match? If we have standards for rejection based on the background check findings, did we follow those standards?

The steps above are all critical to your compliance effort, but getting to finish line requires several more important steps.

Accountability

Let’s focus on the last step, evidence. I’m going to make a case here for the importance of separation of duties for automated and manual evidence gathering. It’s great when we use API’s to automate gathering routine evidence month after month. For information we cannot gather automatically, we must gather manually.

Automation breaks. Who holds accountable the programmer responsible for the script when it stops functioning as expected or when the returned data is not longer relevant?

Manual processes become outdated. Who reviews manual evidence and compares it to the procedural language to ensure that it satisfies the spirit of the connected procedures, policy and controls?

The answer to both questions points to an independent review process. This means that the person or process gathering evidence must not also bear the responsibly for verifying accuracy. This distinction lays the groundwork for how Management Action Plans can transform your organization.

Self Improvement

Athletes don’t excel by being complacent. It’s a daily routine of self critique, analysis, and a will to improve. Organizations are no different. Oversight highlights weak processes by shedding light on procedural shortfalls, but awareness is only the first step. Next, we must devise a plan to remediate.

Management Action Plans do exactly this. They set into motion a chain of custody between the reviewer and the procedural stakeholder ensuring that steps will be taken according to mutually agreed upon timelines, to resolve failed control tests.

Let’s look at our previous example to see how a Management Action Plan might be used to resolve a failed control test.

• Assignee submits the results of employee background checks monthly.

• Reviewer views each background check and finds that there are 3 employees on the new hire list without a background check on file.

• Reviewer fails the period and sets in motion a Management Action Plan. At this stage, the reviewer (1) crafts a narrative explaining the nature of the failure; (2) assigns a plan Author with the necessary skills to write the plan and; (3) sets a due date for the written plan. “I’m seeing 3 employee background checks missing from February. Please explain why and how you expect to resolve this in the future.”

• The Author is now required to submit their plan by the prescribed date. The Author must also provide an estimated plan completion date. This plan is not considered approved until the initial reviewer accepts the plan. “We changed to a new vendor in mid February and our new vendor isn’t sending the to us. I will notify the vendor to get the missing three background checks and will ask them to setup and automated process to place these in the correct location upon completion.”

• Once the plan is complete, the Author is again responsible for explaining the details of the completion, and this too, is subject to reviewer approval. “Our new vendor was able to provide the past reports and they have agreed, and I have verified that reports are going to the correct location.”

The example above represents a straightforward use case. Management Action Plans can be very complex involving months or years of planning to remediate. It’s plausible that an organization might consider modifying policy or procedures in order to accommodate limitations around evidence gathering activities.

I hope this article has helped you better understand how Management Action Plans can help you and your team think critically and use that information to continually aim for excellence. Reach out to us to learn more.

How Do Management Action Plans Lead to Organizational Excellence? was originally published in PolicyCo on Medium, where people are continuing the conversation by highlighting and responding to this story.