
March 7, 2024


Richard Stringham

Is the Board’s Security System Actually Working?

Am I the only one with security fatigue these days? I can’t access many of my online membership portals anymore with just a password. I enter my password, then the site sends me a text, emails me, or messages my authenticator app with a code I then need to enter to verify my identity and gain access. The other day I had to verify via both text and email! Still, I agree we need those security measures. I’m the type of person who thanks the teller at the bank when they ask to see my ID.

But I’m not content with just knowing that security procedures are in place. I have anti-malware software on my computer which should prevent viruses, trojans, and other nasties from gaining access to my data and equipment, but I still regularly run a scan to confirm my system is clean. In other words, although I have plenty of measures to protect my system, I need to know the protection actually works. Assuming all is well just because I have protection can lead to being blindsided.

I expect that most people sitting on boards have similar concerns about their computer systems. Why, then, do so many boards not apply that same rigor to the organizations they govern?

Consider a board that tells the CEO (and consequently, everyone under her authority) not to retaliate against staff for non-disruptive expressions of dissent. Instead of reviewing evidence that this has not happened, the board accepts a statement that there is an internal policy to that effect which applies to all staff. In other words, the standard operating procedure is offered as proof of compliance. But the board doesn’t know whether there has actually been any retaliation for non-disruptive expressions of dissent.

For that matter, the CEO also might not be aware if this has happened anywhere in the organization. Another example: the board directs the CEO not to write off receivables without first aggressively pursuing payment. If the CEO reports the standing operating procedure for those situations, does that assure the board that aggressive pursuit of receivables has actually taken place?

It’s smart for CEOs to establish standing operating procedures. It’s an efficient and consistent way of instructing staff.

However, standard operating procedures are insufficient to show that actual conditions align with the board’s policies, unless of course the board’s expectation is only to know that such standards are in place. The board should carefully consider: does it only want to know that malware protection is in place, or does it want to know that the protection actually works?

Whether you’re a board member or a CEO, if you want to learn how to move past reports on standard operating procedures to reports that show whether there is actual compliance with your policies, contact us.
