Data protection often ends up spread across the organisation. Customer service teams often assume the public interface; Legal often own contracts and regulatory liaison; risk and governance can be Internal Audit’s challenge; and technical controls often live under IT. Far too frequently these live in silos with minimal communication across verticals, with separate and often conflicting policies and processes.
Spontaneous, individual and improvised.
Isolated, uncommunicative and incompatible.
Some genres of jazz like bebop give musicians within a band incredible freedom to achieve their shared goal with independence.
External perception from listeners would be a song performed with capability and professionalism.
Musicians need to be aware of their bandmates’ actions and respond accordingly. With experience and trust, this succeeds. Without, there’s often conflict (“It’s time for //my// solo now!”) or feeling out of control. Failure to resolve that leads to one thing: poor performance.
The classical approach
Compare the jazz band to an orchestra – coordinated, precise, efficient. All the musicians are provided with clear instructions (the score) and a conductor ensures the musicians remain coordinated. The improvisation of a jazz band is replaced by more subtle interpretation within the confines of strict control.
Again, listeners are treated to an excellent performance.
Rather than reacting to their peers and the general vibe, the musicians can only perform a predefined and well-practised part. With structure and order comes the loss of independence.
Isn’t this a post about compliance?
What’s the relevance? Organisations that grow organically into their compliance responsibilities are playing jazz. Everyone knows they should be doing it, and have a vague idea of what it should feel like. They generally give their best, but some may not recognise the value and become an active or passive hindrance, as I’ve touched on elsewhere in this blog.
Friction grows at internal and external interfaces. Incompatible policies, processes and procedures cause delay and frustration, and staff have to ignore good practice simply to get their job done: non-compliant behaviours which leads to loss of control and potentially a significant incident.
Without central vision and oversight, budgets are harder to rationalise. Isolated policies, processes and procedures may encourage different solutions to similar problems – implementing multiple products or services for tactical solutions when better structure and communication could have led to a more strategic solution.
An orchestral organisation champions compliance from the top down. With visible and enthusiastic support from senior management, expectations are clear and there’ll be support to tackle difficult problems. With vision and strategy defined and communicated, fewer opportunities for friction exist. An aligned and optimised approach to data protection drives financial savings.
So which model is best?
If only it was that simple. Every organisation is different, and are rarely in a position to build their GRC, security and data protection capabilities from scratch.
Pragmatically, successful organisations have grown organically over time responding to a range of internal and external drivers, with a unique culture that may not have embraced their compliance responsibilities. People, culture, technology and management all present resistance.
Given there’s a little bit of jazz in every performance, here’s a few steps that can energise your transformation programme:
- Nominate a conductor - Find someone that has an innate ability to lead, give them freedom to own the podium and the baton, and let their actions demonstrate their capability.
- Give everyone a copy of the score - If you want everyone to play the same tune, they need to know the score: clear vision and strategy, easily understandable policies and processes, and tailored messaging so they know their role.
- Communicate success - When everyone makes it through those tricky few bars (or that huge CRM upgrade), let them know they did a great job and what it means in the context of the overall strategy.
- Fewer solos - With more people playing from the score, and rewards for the right behaviours, most won’t improvise. Reduce opportunities to improvise by designing your processes and procedures to detect and prevent it.
- Practice - No musician becomes an expert overnight, and you can’t expect a band, orchestra or workforce to perform well without rehearsal. Give plenty of coaching and feedback, and guide them to proficiency. Mistakes will happen; it’s how we recover from them that helps us learn.
I can’t guarantee you’ll play a symphony overnight, but your jazz band may be a little less unruly.