CHAPTER 9: INTEGRATING FRAMEWORKS

Over the years, the word ‘holistic’ has become associated with a wide range of causes and concepts, often ecological ones, and more recently it has begun to filter through into the business world, as organisations are encouraged to take a more rounded view of their place in the world and their contribution to it.

Yet, for all the opprobrium it receives – occasionally justified – the notion that all aspects of the organisation are interconnected, and that the success (or failure) of one aspect in turn influences others, is surely common sense. All organisations must account for and appropriately integrate their various operating frameworks into a coherent and comprehensible whole if they are to succeed.

Integrating those frameworks is perhaps one of the greatest challenges of effective governance. All too often, frameworks become fiefdoms, operating as silos with little awareness of their impact across the organisation. This can lead to competing and contradictory goals, factional infighting and increased risk to critical projects, as practitioners struggle to demonstrate the supremacy of their particular framework while playing down the achievements of others. Governing bodies are then given inadequate, biased information on which to base their decisions, ultimately subjecting the whole organisation to increased operational risk. Effective integration is the first line of defence against these risks, and should be a primary concern when considering adoption of any new framework or standard.

Of the commonly encountered frameworks, management system standards published by ISO/IEC most lend themselves to effective integration. A common underlying structure gives ISO/IEC management system standards shared ground on which to build an integrated framework, allowing, for example, ISO/IEC 27001 to coexist with and complement other standards such as ISO 9001, ISO 22301, and so on.

These standards share principles and terminology, easing understanding for practitioners. Meanwhile, common management system requirements such as audit and management review allow newly adopted standards to merge effectively with existing systems – all that is required, in many cases, is additional training or a minor increase in headcount to resolve relevant skills gaps. In some cases, third-party audits of ISO/IEC standards can be combined to reduce disruption to operations.

This is not to say that frameworks such as COBIT, ITIL, and the like cannot also be effectively integrated. COBIT, for example, describes an ‘evaluate, direct, monitor’ approach to governance similar to ISO/IEC 38500. As a detailed governance and control framework, it can be used to implement the principles of ISO/IEC 38500, in conjunction with a continual improvement model to ensure ongoing effectiveness, and supporting ongoing audit and review functions.

Even where frameworks appear to bear little relation to one another, close examination often identifies areas of interaction and dependency that are not apparent at first glance. Such examination can also shed useful light on areas of the organisation that many governing bodies traditionally consider opaque.

The key to all such integration lies in recognising the interdependence of all aspects of the organisation, and accepting that changes in one area will inevitably impact others. Once this concept takes root within the governing body’s thinking and begins to cascade down to operational management, integrating apparently disparate frameworks and standards becomes less of a challenge and more of an opportunity.
