By Jeffrey Morgan
This is a test. Which of the following are common occurrences during IT Management Audits?
1. Staff members quit.
2. Staff members break down in tears in front of the consultants.
3. Staff members fly into a screaming rage at the consultants.
4. Staff members lie to the consultants.
5. Staff members refuse to cooperate.
6. All of the above.
If you selected item 6, you get a gold star! There is no reason for any of these behaviors but they occur all too often, especially in organizations in which audits are not routine events. The consultants are there to identify problems and help improve operations. They wouldn’t have been hired if everything was peachy keen, but Information Technology management and staff members rarely see it from this perspective. Identifying the problem is the first step to recovery. All Information Technology organizations should be managed as if an audit is imminent. How would you fare if auditors walked in the door tomorrow morning?
Why are you being audited?
There are many reasons for conducting audits, but following are the four I encounter most often.
Regulatory compliance audits
In market sectors such as Financial, Behavioral Health, Medical, and Pharmaceutical, periodic audits are the norm and the guidelines are clear. In any given year, a Behavioral Health clinic in NY State, for instance may be required to undergo 4 separate audits including Medicaid, HIPAA, OMH (Office of Mental Health), and OASAS (Office of Alcohol and Substance Abuse Services). In many of these cases, the auditors show up unannounced or on very short notice.
Compliance audits aren’t technically management audits, but the scores on such audits are certainly a direct reflection of management’s performance. Would your policies, practices, procedures, and documentation measure up to the scrutiny to which a Behavioral Health clinic is subjected?
Performance audits or ‘What’s wrong with our IT operation?’
Often, members of the IT management and staff think they are doing a spectacular job but the customers and executive management disagree vehemently. In the worst cases, end users are preparing their pitchforks and torches in case the audit doesn’t bring about some positive performance outcomes. These audits are tough; the IT staff is defensive and they all assume that the consultants are there to fire them. Sometimes, the hostility reaches levels that make me feel like Patrick Swayze’s character, Dalton in the 1989 movie Road House. I have been accused of cherry-picking information, interrogation, and cross examination and I have been screamed at in front of a large audience. The truth is, I am simply researching a complex problem and I will work diligently to provide answers to the people who are paying me to do so.
During these audits, employees sometimes resign even before the final report is released. This is unfortunate because poor performance is a reflection of management rather than staff. At other times, excellent employees leave because they have had their fill of ineffective management. Frustrations become bitter tears dripping on the conference room table, even from managers.
Sometimes, incoming executives want an X-Ray of organizational performance and requesting an audit is an intelligent professional move. They want a clear distinction between the previous management’s practices and their own and they use the final report to establish a program of organizational change.
IT is too expensive
Occasionally, IT audits are conducted because executive management considers the IT operation too expensive. They want an independent audit and a strategic plan that shows all the viable options.
4 tips for a lower stress audit
If the auditors are coming next week, there probably isn’t much you can do to improve the outcome, but there is plenty you can do to make the process more comfortable for everyone involved.
Answer binary questions with binary answers
When questions requiring a Yes or No answer are met with lengthy explanations, it is a clear indication of a problem. When I ask if you have documentation of your daily security log validation, just say yes or no! If you don’t have the required documentation, no amount of explanation is going the help. Also, I am not really interested that you are going to begin implementing your security program next month. Good for you, but I only care about what your actual practices are at the time I ask.
Don’t lie, embellish, or bury information
I always walk into audits and assessments taking a neutral, objective stance and I appreciate clients who don’t try to pre-program me. I will selectively ask for evidence or documentation for every statement you make and false statements will certainly damage your credibility. When subjects provide evasive or ambiguous answers, my inner Columbo puts on his trench coat. Equivocation and rationalization drive me to keep searching until I get the answer. Just tell the truth.
Instruct your staff to cooperate politely
I recall one compliance audit where a staff member served up every document request with a plate full of anger and hostility. The odd thing about it was that all her ducks were in a row, which is pretty unusual. So, why the anger? Don’t unleash it on the consultants.
I remember several engagements where the IT staff tried to tell me that their IP addressing schemes and Visio diagrams were secret. Huh? As soon as I retrieved my jaw from the floor, I went over their heads and arranged for delivery of the requested information. These events created suspicion and hostility that weren’t required.
In two organizations I contracted with, staff members claimed their Security Policies were secret! How does that work? These sorts of behaviors are indicators of significant departmental and organizational problems.
Prepare documentation in advance
All documentation including policies, procedures, infrastructure documentation, logs, hardware and software inventories, PSA system reports, etc. should be readily available for the consultants. They will ask to see it. I generally ask for all this information before I go on site for the first time and I am always appalled by the number of organizations that have none of the documents that are generally accepted to be components of a solid Information Technology Governance program. Sometimes these data dumps include reams of irrelevant information in the hope that I won’t find the smoking gun.
Auditing for organizational culture
I include a frank assessment of departmental and organizational culture in my reports and it is sometimes less than flattering. Delivering this information to executives and managers generally creates a tense silence while they try to chew and swallow that particularly tough piece of meat. They rarely argue because they know it’s true, but few have dared to state the obvious out loud. A realistic and objective assessment of company culture is required to address the root causes of problems. Bad management, inefficiency, malfeasance and incompetence have often been enabled for years before an audit is finally initiated. Interdepartmental politics, turf wars, jealousy, meddling and backstabbing all contribute to the problems at hand and managers throughout the organization are responsible.
In many cases, executives and managers have worked in large, bureaucratic organizations for their entire careers and they can’t see the signs of broken company culture. They think bad behavior and dysfunction are the norm.
The final report
If the final report is not a testimonial of glowing praise for your IT operation, I urge you to sit back and reflect carefully before lashing out. The report is a mixture of data, facts, and input from your coworkers and end users. I always base part of my conclusions on both formal and informal interviews with end users and managers from every department in an organization. What ends up in the report is a reflection of what your colleagues really think about your operation. My career started with a four-year stint in army intelligence and I actually do cross examine and interrogate. The natural inclination of some IT Directors is to argue and pick apart every statement and conclusion in the report, but this is definitely the wrong approach.
A nearby local government entity with which I am familiar recently received a failing audit from a state regulatory agency. It wasn’t a first-time fail and the endemic problems have been simmering for decades. Several executives from this entity made statements to the press that the audit “was a gotcha audit. It’s all about paperwork and there is nothing real here. We’re providing excellent services.” Talk about denial! I believe they will come to regret those statements since the infractions were extremely serious and they will likely have to return millions of dollars to Medicaid. They may call a missing signature “a gotcha,” but Medicaid calls it fraud. Their culture is so broken that they really need a turnaround expert and complete replacement of the management, but they haven’t reached rock bottom yet, apparently.
The correct response to a failing audit is to contemplate the report carefully and develop a proactive remediation plan immediately. Humility may save your job, but you can’t step off onto the recovery road until you admit you have a problem.
Ask for help. Operations that have been dysfunctional for years can’t be turned around overnight. Organizational culture may inhibit a turnaround and objective, external assistance may be required.
Listen to what your colleagues and objective auditors had to say and take it seriously. Don’t go swimmin’ in denial.
If you would like to discuss an audit for your organization’s IT operation, e-mail me at firstname.lastname@example.org.
This article was first published on CIO.COM at: http://www.cio.com/article/3082124/leadership-management/surviving-a-management-audit.html
© Copyright Jeffrey Morgan, 2016
The Ultimate Manager
By Jeffrey Morgan
My English Shepherd, Birdie is the ultimate manager. Now that lawn and garden season has finally arrived, he is always barking at the crack of dawn. “Up and Adam! Time to get working in the garden. Hop to it!” As soon as we are hard at work, Birdie digs a hole so he can snooze in the shade while we work up a sweat. That could be you! Birdie knows that each season brings different projects on which we have to focus. Our activities change quarterly and our short-term goals and objectives must change with them.
Are your employees and managers coming to work every day with a fire in their belly to produce results? Do they have a daily action plan to propel them to achieve ambitious goals by the end of the quarter?
If Birdie was a manager in your organization, he would insist that you abolish your ineffective Annual Performance Reviews and switch to Quarterly Goals and Objectives, also known as OKRs (Objectives and Key Results). I worked for a Fortune 500 company while I was in graduate school and the company was using them to drive productivity and achieve results as part of their Total Quality Management (TQM) program. They are an incredibly effective management tool!
“Jeffrey,” you say, “Hold the phone! That’s crazy talk! I don’t have time to meet quarterly with all my managers to establish goals and objectives.” Frankly, you don’t have time not to. Consider it a small investment of time that will reap huge rewards for your county or municipal organization.
Annual Performance Reviews in Many Government Organizations
Maybe your organization is different, but from what I have seen during 23 years in state and local government consulting, annual performance reviews are treated as a nuisance that everyone tolerates. No one has any idea what their goals were from their last performance review. In some organizations, almost everyone gets a gold star every year. Even the poorest performers get stellar reviews and you have no case at all if their employment eventually needs to be terminated. After the review, the document is buried in a folder and remains there until next year.
In 1982, W.E. Deming called for the eradication of the Annual Performance Review in his book, Out of the Crisis. In his words, “the annual performance review sneaked in and became popular because it does not require anyone to face the problems of people.” He goes on to say, “A leader, instead of being a judge, will be a colleague, counseling and leading his people on a day-to-day basis, learning from them and with them.” Here we are, 34 years later and many government organizations are still using ineffective 1950’s management practices.
If you want to drive performance, you should have three sets of Goals and Objectives:
- Organizational Goals and Objectives
- Department Goals and Objectives
- Individual Goals and Objectives
There are numerous Internet resources and tools available for assistance with developing OKR’s. According to Emily Bonnie from Wrike (@Emily_TeamWrike), OKR’s must be “Ambitious, Measurable, Public, Graded, and at least sixty percent of goals should be “bottom up.”” I have previously written about the need for bottom-up and inside-out management of software projects here.
Follow Birdie’s advice: Fire your Annual Performance Review and adopt a more effective management tool that will drive your team to productivity.
If you would like to discuss performance in your organization, please e-mail me at email@example.com. Let’s talk!
This article first appeared on Careers in Government at https://www.careersingovernment.com/tools/gov-talk/career-advice/on-the-job/fire-annual-performance-review/
By Jeffrey Morgan
Paper, Like Comets
Pink sheet, Blue Sheets, One Sheet, Two Sheets. No, it is not Dr. Seuss. It is your dysfunctional business forms, practices and processes. The forms are often launched by employees who have done the same job for the last 40 years and last cracked a smile when Jimmy Carter was President. Paper drifts around the universe of your office like comets through the solar system and no one knows what purpose it serves. Boxes must be checked and initials applied. It absolutely must be done and every box must be checked, you see.
Sometimes the forms contain sensitive information like social security numbers and there is no privacy or security policy in existence. The document is stuffed in an inter-office envelope and launched to the next planet for more signatures and boxes to be checked. If someone goes on a two week cruise, the form sits on their desk until they return and get through the backlog of paper because only one person has the authority to sign. There are no delegates. Then the massively important piece of paper goes in a file where it remains undisturbed for decades.
We’ve just always done it this way. If I’m lucky, that statement will be followed up by my favorite punch line: I’ve been doing this since you were wearing diapers. I don’t need you to come in here and tell me how to do it.
Is my assessment harsh? Maybe. Is it true? Probably. Be honest. Does this sound like operations your organization?
We don’t take partial payments!
My father was in the bar and restaurant business. By the time I graduated from high school, I had done every job in those establishments. When I was tending bar, my father taught me to always take the money. If someone slapped a $20 on the bar, I rang up the tab and gave him change right away and provided it in denominations that provided a convenient opportunity for a tip. This is smart business, right? Take the money.
On several occasions, I have seen utility customers standing at a window (ironically labelled Customer Service) trying to pay their utility bill. They scrounged all their change from the crack in the sofa and from under their car seat and came in to pay their bill but they’re $1.49 short. We don’t take partial payments. You have to come back when you have the full amount. You don’t take partial payments because your system either can’t handle it or because your staff isn’t trained on the new feature that does allow partial payments.
You’ll Have to Come Back Another Day
Here’s another example I recently encountered. Standing in front of me at the reception desk in a government facility is a gentleman with his daughter.
I’m here for my daughter’s appointment.
You’re not in the system. We have no record of an appointment for today.
But, here is the stamped appointment card you gave me on our last visit.
You’re not in the system. You’re not on the calendar. You’ll have to make another appointment and come back.
But, I took the day off of work to bring my daughter to this appointment. It may be months before I can get another day off of work.
You’re not on the calendar. You’ll have to come back. Next Person Please!
If any of these examples describe your business operations, you have several issues to address. You need to work on your business processes as well as customer service. Poor customer service and inefficient business processes cost money. You can fix them and save money by doing so and you can read about it here. Improving quality of service lowers costs.
If you would like to discuss your business processes and ways to automate and improve them in your organization, feel free to send me an e-mail at firstname.lastname@example.org. You can read more about business processes and other Information Technology issues on IT Governance for Executives.
By Jeffrey Morgan
There’s nothing worse than that gut wrenching feeling of buyer’s remorse. You have been anxiously awaiting the arrival of your expensive, shiny new gadget and have high expectations. You open the box and find that it is beautifully wrapped. You unpack it, plug it in, and . . .
Nothing. It’s a dud!
If you bought it from Amazon, you can just send it back for a refund. If it’s your IT Director, there’s no return shipping label enclosed.
Hiring is always a risk, but there are several qualities you can look for to improve your probability of success. Your new, amazing IT Director will have the following six qualities:
Fluency in the Language of Business
There is no such thing as an IT project; there are only business projects. In the interview, your potential IT Director should want to discuss Executive Goals and Objectives, Return on Investment, Total Cost of Ownership, Vendor Management, Service Level Agreements and Key Performance Indicators rather than speaking in technical jargon. He or she must possess expert knowledge of the business processes that drive your organization in addition to having a solid understanding of the required underlying technology. You can contract outstanding technical skills, but someone with the vision to make it all work together for the good of the business is a rare gem.
Passionate about Customer Service and Productivity
There is no longer a place in the industry for IT operations that don’t deliver outstanding, high value customer service. Your new IT Director must know how to make that a reality with leadership, service level agreements, metrics and measurable goals. Look for a history of customer facing experience. Making angry customers happy is a more important skill for an IT Director than writing brilliant code in a locked office.
Obsessed with Quality
Improving quality of services always lowers costs and your new IT Director understands this. He or she will strive to perfect the delivery of services across your organization and understands a continuous cycle of improvement.
Collaborates Rather Than Dictates
Your new IT Director should be listening 90% of the time and talking very little. County & Municipal organizations are complex operations that may have 2 dozen or more independent Line of Business operations, each with its own regulatory compliance issues and special requirements. In order to provide effective solutions, your new IT must be able to hear what his or her customers are saying and translate that information into solutions that meet the customers’ business criteria. Your departments, business processes and requirements will drive your IT Director.
Your new IT Director must be open to achieving business goals and objectives by exploring all available solutions, processes and technologies rather than throwing the same tired and ineffective products at every new business problem.
Love’s Industry Standards, Policies, and Procedures
Industry Standards and organizational policies and procedures are fascinating and glamorous; or so your new IT Director should think. There are numerous, proven standards, methodologies, and best practices available and your new IT Director will take advantage of this huge body of knowledge. There is no need to reinvent the wheel. He or she should be comfortable discussing standards like ANSI/TIA/EIA-568, ISO27001, HIPAA, ITIL, and others. Failure to understand and follow proven standards and methodologies is expensive. Your new Director should also be ready to collaborate with your HR and Legal Teams to ensure that appropriate policies and procedures are in place.
If your IT Director has the appropriate combination of all these skills, you are all set for a productive relationship in the years to come.
This was first published on Carreers in Government at:
Municipal IT Director: 6 Must Have Qualities
Copyright © Jeffrey Morgan 2016
By Jeffrey Morgan
At my first permanent duty station in the Army, I was assigned the task of putting on a training session for the large Military Intelligence Company I was assigned to. My platoon sergeant suggested I check out a training film for the event and I followed his advice.
I was all set. I had everything ready, did a short introduction, and started the film. A few minutes into the training, the film burned up in the projector and I was standing there like a doofus without a Plan B. I was counting on the film to take care of the training session and the technology let me down.
It was a humiliating experience that shaped the way I have approached work and life ever since. I was jeered and taunted by my colleagues for weeks – until some other unfortunate soul screwed up publicly and had to bear the brunt of everyone’s ridicule. The army isn’t a touchy feely environment and humiliation is a standard component of the training and behavior modification process.
My first inclination was to blame my platoon sergeant for not mentoring me on how to do the training, but I quickly came to the realization that I owned it.
Here’s what I learned from that experience and four years in the Army:
- Always have contingency plans; Plan A, Plan B, and Plan C. The more the better. Things rarely work out the way you expect them to so be prepared for Plan A to fail so you can jump right into Plan B.
- Accomplish the mission. Do whatever it takes to get the job done.
- Take ownership. If you screw up, fess up. Immediately. Don’t blame anyone but yourself for your failure. Blame is never productive; finding solutions is.
- Always do the best possible work you can whether the work is mopping the floor, cleaning your weapon, or developing plans for a major operation.
- Make your boots sparkle, keep your uniform pressed, and keep your hair cut short. Appearance matters.
The next time I was tasked with a training presentation, I sat down and read the Army Field Manual on training. Yes – the army has a manual for everything. I spent several evenings putting together the presentation, making flip charts, studying the material, and practicing my presentation. Instead of jeers, I got compliments and questions on how I did such a great job.
Jeffrey Morgan is President of e-volve Information Technology Services, LLC and has provided transformational business and technology services to County and Municipal Governments, Small to Large Businesses, and Non-Profits since 1993.
Copyright © Jeffrey Morgan 2016