
Ownership and decentralization of quality management

For years, the field of (financial) accountability, internal control, internal audit and compliance remained relatively stable. But management and senior management can no longer ignore an ever-changing world with major social challenges, endless technological possibilities and critical citizens. Available techniques such as data analysis, GRC software and continuous monitoring are taking off. In addition, information security and privacy legislation have a significant influence. How do you translate this smartly into the control and accountability function of the organization?

In part 3 of this series, we discuss the theme of decentralizing quality management and accountability for information security and privacy. The large amount of new legislation and regulation with which ministries and government organizations must comply means that these organizations are often busy resolving issues, collecting accountability information and dealing with the consequences of incidents on an ad hoc basis. This places heavy demands on the responsible officials, such as the Chief Information Security Officer for information security or the Data Protection Officer for privacy. That is why more and more organizations are looking at how they can place quality management and accountability for standards lower in the organization, closer to the people who do the work. These topics are only sustainable if the rest of the organization helps out and feels jointly responsible.

Involvement

Involving the line organization in quality management and accountability for, for example, information security standards is not only done for efficiency reasons. Greater involvement must also ensure that findings are actively followed up. In other words: arranging the processes optimally and ensuring that the errors and incidents that are found actually feed back into process improvement.

7 tips for decentralized quality management and accountability for information security and privacy

Quality management adds value by operating in collaboration and interaction with the organizations involved, supervisors, policy management, the line organization and society, each from its own responsibility.

That is why more and more organizations are choosing to decentralize quality management and accountability for information security and privacy. But how do you approach this?

  1. From hierarchical thinking to networking
    Involve the first line explicitly in the preparation, testing and periodic evaluation of results. This is not simply shifting and delegating work, but actively involving people and clearly informing them about the benefits and the necessity. Make sure everyone is aware of this from the start.
  2. Create support
    Everyone has to do their part. The topic is not popular everywhere, so it is important to create support among both the line organization and management.
  3. From digital sending to digital interactive
    Supporting tooling (GRC or ISMS software) that makes integral management possible is essential, and it must support the governance of the organization. In a decentralized setup, many different parties and officials contribute to the organization being in control. Central insight, the ability to adjust, the ability to assign activities decentrally and the ability to monitor progress are all essential.
  4. Think in chains
    You cannot do everything at once. Therefore, always take one topic that needs to be coordinated centrally and do it well. For example, first focus on demonstrably gaining control over information security by implementing the Baseline Information Security Government (BIO) or ISO 27001. Then determine who coordinates centrally and who in the line organization owns which standards and activities, and record this in a mapping of standards to owners. Also think carefully about how the independent review function is safeguarded in the organization.
  5. Focus on data-driven and continuous monitoring
    More and more data is available in applications and systems that shows whether an organization is in control. Use this data! It can significantly reduce the audit burden on the organization.
  6. Work on a risk-aware culture
    Making mistakes is allowed. As an organization, do not focus only on what went wrong in incidents and findings, but also report on the actions and improvements. Being in control must be seen as a development and a source of value, not as a verdict.
  7. Work on demonstrable and sound record-keeping
    Support the organization with a good COS610 workflow and ensure a visible audit trail, a review function, and record-keeping that is of good quality and proportional to the risk.

The number of subjects for which accountability must be rendered is so large that decentralizing quality management and accountability for information security and privacy is a must. A successful approach requires attention to ownership, interaction and commitment throughout the entire organization.

More information?

In this series, Edwin Lodder discusses the latest developments in this area at ministries and government organizations, which face the task of modernizing their accountability function. Based on a tour of the field, Edwin lists the six most important developments within this new dynamic. We are happy to help you take the first steps towards a modern accountability function. Let us know!
