Every business process has an owner, whether the owner knows they own it or not.
There are critical business processes that cut across multiple disciplines. This complexity often makes ownership and roles unclear. Securing a business process means finding the person who can own decisions and keep the process on track and off the rocks.
A RACI-V (responsibility, accountability, coordination, informed, verifies) matrix can help clarify and decipher this ownership. This post will focus on the “R” and the “A” as they apply to business process ownership. We’ll discuss the advantages of broader usage of these types of RACI-V matrices in future posts.
What’s the difference between “responsible” and “accountable” in the context of a RACI-V?
Responsible: The responsible group or individual (“party”) is the prime mover for the business process and owns execution of the business process.
Accountable: The accountable party owns the definition of success and the business process outcome or results. The accountable party is always the business process owner.
The most common errors related to “R” and “A” on RACI-Vs are the following:
More than One Responsible Party: Only one party can be responsible or accountable for anything. Multiple owners are a good indicator that the business process is not defined in a granular enough way.
Cutting/Pasting: There seems to be a common assumption that the responsible party and the accountable party are the same. They are not always the same.
The employee on-boarding process is a good demonstrative example of the difference between a responsible party and the accountable owner. In a typical organization, the responsibility for employee on-boarding lies with the IAM team. They own the tools and serve as the prime mover for on-boarding processes. That said, the accountable party, or the business process owner, would be Human Resources. HR would own the definitions, metrics, and outcomes for employee on-boarding.
Key rule of thumb: Responsibility can be delegated, but accountability cannot be delegated.
As a cyber professional trying to secure business processes, you’ll need to identify and work with the business process owners, as well as unravel and work with any of their delegates. Perhaps business analysts have already completed this work for you, perhaps not.
The business process owners are the linchpins of true enterprise cyber security.
A RACI-V can help unravel, decipher, and formalize ownership and accountability.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.