Skip to Main Content

insightsarticles

Assessing organizational readiness for enterprise systems

05.25.17

We humans have a complex attitude toward change. In one sense, we like finding it. For instance: “Now I can buy something from the vending machine!” In reality, we try to avoid change as much as possible. Why? Because it’s frightening. Consider this quote from Mary Shelley’s Frankenstein: “Nothing is so painful to the human mind as a great and sudden change.”

The key word in that quote is “sudden.” Because the more we prepare for change, the less painful it becomes. One crucial way to prepare for change is to assess how ready we are for something new.

Which brings us to you. The fact you are reading a blog post with the words “Readiness for Enterprise Systems” in its title suggests that you have considered, or are considering, changing your institution’s Enterprise Resource Planning (ERP) system or other enterprise software, such as LMS, SIS, CRM, etc. This change is no minor adjustment.

Enterprise systems are complex, impacting institutional activities at many levels, from managing student records, finances, and human resources, to enabling student enrollment and registration. Is your institution prepared for transformation across the organization? To find out, assess your institution’s readiness for change. To help illustrate what an assessment might entail, I’ll outline BerryDunn’s method.

Step #1: Understanding Key Indicators for Readiness
When assisting a client to determine readiness, BerryDunn begins engaging stakeholders from across the institution (e.g., staff, faculty, and students) to understand the current environment. This allows us to address seven key indicators for change readiness:

  1. Stakeholder Buy-In. The key to success in changing an ERP platform is for users to understand the value that the change will bring. “Do stakeholders know how the new system will benefit them? Or, from their perspective, ‘What’s in it for me (aka, WIIFM)?’”
  2. Executive Sponsorship. In order to obtain stakeholder buy-in, leaders have to communicate effectively with various parties about change. They will be required to display strong and consistent leadership when stakeholders are faced with challenges with vendors, timing, scope creep, or other issues. “Are leaders prepared to lead the charge? Are they committed to change?”
     
  3. Vendor Ability. Each institution has specific operational needs and programmatic objectives. ERP vendors will highlight their strengths and may de-emphasize weaknesses that may exist in their products. “Are vendors actually able to meet the institution’s functional needs and align their software with strategic objectives?”
     
  4. Business Process Redesign. As mentioned above, it can be a struggle to align operational needs and programmatic objectives with vendor software. It’s even harder to achieve this while ensuring that, in implementing a new ERP system, an institution won’t lose valuable functionality that had been provided by the previous ERP. “Does the client fully understand the impact of a new ERP system on their processes?”
     
  5. Project Management. Proactive project management is critical when changing an ERP system. Project managers need to engage institutional stakeholders, project sponsors, and vendors to keep them apprised of progress. “Are project managers empowered to maintain strong communication with all stakeholders?”
     
  6. Data Governance. Another key indicator of ERP readiness is how well-defined data management is before implementation. ERP replacement projects are jeopardized when institutions don’t understand their data assets, or don’t know what level of data migration is necessary. “Is the institution prepared for data migration?”
     
  7. Software Change Management. As ERP vendors move their products to the cloud, the software they sell will become less customizable, but more configurable. In other words, customers won’t necessarily be able to modify the base software code, but they will have more options in regards to defined fields, workflow, and user interface. Although this sounds limiting, it is actually an opportunity to streamline operations, add discipline to software update timelines, and require organizations to consider how to best complete their administrative functions. It is critical that an institution adapt its software change management practices to meet this reality. “Do the institution’s software change management practices reflect how software is delivered by vendors today?”

Step #2: Establish Agreed-Upon Metrics
Based on our analysis from Step #1, we then score these indicators of readiness based on a maturity scale from 0 – 5, using the following parameters:

0  Non-existent
1  Aware, but not ready to change
2  Aware and open to change, but lack understanding of path forward
3  Accept that change is needed, but clear action plan is not in place
4  Accept that change is imminent and is being planned for
5  Readiness for change has broad understanding, is accepted, and is being executed 

Step #3: Score the Readiness of Your Organization
When you work with a consulting firm to assess your institution’s readiness for change, you should expect tangible takeaways that will inform stakeholders and provide a baseline metric. For example, we prepare a brief report that outlines a score for each of the seven maturity indicators of ERP readiness and provides supporting information for the basis of each score.

Here is an example of a Software Change Management section from a hypothetical ERP Readiness Report:

READINESS INDICATORS

BASIS FOR SCORE

SCORE (0 – 5)

Software Change Management

The University does have an effective software change management methodology, and a standard process for prioritizing requests to its current ERP system. This model may change significantly if a cloud system is chosen, and will require a new approach to configuration and asset management.

3


Finally, based on the weighted aggregate score of the report, BerryDunn determines the institution’s readiness for change, and provides recommendations on how to remediate low scores, and sustain higher scores.

Now for the good news. By setting a baseline early in your readiness planning, the scoring can be revisited over time to measure progress and provide project leadership with a simple, but effective, approach to tracking change management within the organization.

Next Steps
As you can see, implementing a new ERP doesn’t have to be a monstrous experience. You simply need to determine your ERP readiness, and follow a common-sense plan for change management. If you’d like to talk more about this process, send me an email: dhoule@berrydunn.com. I look forward to learning about the great changes your institution has planned.

Related Services

Consulting

Organizational and Governance

This spring, I published a blog about the importance of data governance in higher education institutions. In the summer, a second blog covered implementing baseline principles for data governance. With fall upon us, it is time to transition to discussing three critical steps to create a data governance culture. 

1.    Understand the people side of change.

The culture of any organization begins and ends with its people. As you know, people are notoriously finicky when it comes to change (especially change like data governance initiatives that may alter the way we have to understand or interact with institutional data). I recommend that any higher education institution apply a change management methodology (e.g., Prosci®, Lewin’s Change Management Model) in order to gauge the awareness of, the desire for, and the practical realities of this change. If you apply your chosen methodology in an effective and consistent manner, change management will help you increase buy-in and break down resistance. 

2.    Identify and empower the right people for the right roles.

Higher education institutions often focus on data governance processes and technologies. While this is necessary, you can’t overlook the people part of data governance. In fact, you can argue it is the most important part, because without people, there will be no one to follow the processes you create or use the technologies you implement. 

To find the right people, you need to identify and establish three specific roles for your institution: data trustees, data stewards, and data managers. Once you have organized these roles and responsibilities, data governance becomes easier to manage. Some definitions:

Data trustees (the sponsors) – senior leadership (or designees) who oversee data policy, planning, and management. Their responsibilities include: 

  • Promoting data governance 
  • Approving and updating data policies​​
  • Assigning and overseeing data stewards
  • Being responsible for data governance

Data stewards (the owners) – directors, managers, associate deans, or associate vice presidents who manage one or more data types. Their responsibilities include:

  • Applying and overseeing data governance policies in their functional areas
  • Following legal requirements pertaining to data in their functional areas
  • Classifying data and identifying data safeguards
  • Being accountable for data governance

Data managers (the caretakers) – data system managers, senior data analysts, or functional users (registrar, financial aid, human resources, etc.) who perform day-to-day data collection and management operations. Their responsibilities include:

  • Implementing data governance policies in their functional areas
  • Resolving data issues in their functional areas 
  • Provide training and appropriate documentation to data users
  • Being informed and consulted about data governance

3.    Be consistent and hold people accountable.

Ultimately, your data governance team needs accountability in order to thrive. Therefore, it is up to data trustees, data stewards, and data managers to hold regular meetings, take and distribute meeting notes, and identify and follow up on meeting action items. Without this follow through, data governance initiatives will likely stall or stop altogether. 

More information on data governance 

Are you still curious about additional guiding principles of data governance in higher education? Please contact the team
 

Article
People Power: Enacting Sustainable Data Governance

Read this if you are an Institutional Research (IR) Director, a Registrar, or are in the C-Suite.

In my last blog, I defined the what and the why of data governance, and outlined the value of data governance in higher education environments. I also asserted data isn’t the problem―the real culprit is our handling of the data (or rather, our deferral of data responsibility to others).

While I remain convinced that data isn’t the problem, recent experiences in the field have confirmed the fact that data governance is problematic. So much, in fact, that I believe data governance defies a “solid,” point-in-time solution. Discouraged? Don’t be. Just recalibrate your expectations, and pursue an adaptive strategy.

This starts with developing data governance guiding principles, with three initial points to consider: 

  1. Key stakeholders should develop your institution’s guiding principles. The team should include representatives from areas such as the office of the Registrar, Human Resources, Institutional Research, and other significant producers and consumers of institutional data. 
  2. The focus of your guiding principles must be on the strategic outcomes your institution is trying to achieve, and the information needed for data-driven decision-making.
  3. Specific guiding principles will vary from institution to institution; effective data governance requires both structure and flexibility.

Here are some baseline principles your institution may want to adopt and modify to suit your particular needs.

  • Data governance entails iterative processes, attention to measures and metrics, and ongoing effort. The institution’s governance framework should be transparent, practical, and agile. This ensures that governance is seen as beneficial to data management and not an impediment.
  • Governance is an enabler. The institution’s work should help accomplish objectives and solve problems aligned with strategic priorities.
  • Work with the big picture in mind. Start from the vantage point that data is an institutional asset. Without an institutional asset mentality it’s difficult to break down the silos that make data valuable to the organization.
  • The institution should identify data trustees and stewards that will lead the data governance efforts at your institution
    • Data trustees should have responsibility over data, and have the highest level of responsibility for custodianship of data.
    • Data stewards should act on behalf of data trustees, and be accountable for managing and maintaining data.
  • Data quality needs to be baked into the governance process. The institution should build data quality into every step of capture and entry. This will increase user confidence that there is data integrity. The institution should develop working agreements for sharing and accessing data across organizational lines. The institution should strive for processes and documentation that is consistent, manageable, and effective. This helps projects run smoothly, with consistent results every time.
  • The institution should pay attention to building security into the data usage cycle. An institution’s security measures and practices need to be inherent in the day-to-day management of data, and balanced with the working agreements mentioned above. This keeps data secure and protected for the entire organization.
  •  Agreed upon rules and guidelines should be developed to support a data governance structure and decision-making. The institution should define and use pragmatic approaches and practical plans that reward sustainability and collaboration, building a successful roadmap for the future. 

Next Steps

Are you curious about additional guiding principles? Contact me. In the meantime, keep your eyes peeled for a future blog that digs deeper into the roles of data trustees and stewards.
 

Article
Governance: It's good for your data

“The world is one big data problem,” says MIT scientist and visionary Andrew McAfee.

That’s a daunting (though hardly surprising) quote for many in data-rich sectors, including higher education. Yet blaming data is like blaming air for a malfunctioning wind turbine. Data is a valuable asset that can make your institution move.

To many of us, however, data remains a four-letter word. The real culprit behind the perceived data problem is our handling and perception of data and the role it can play in our success—that is, the relegating of data to a select, responsible few, who are usually separated into hardened silos. For example, a common assumption in higher education is that the IT team can handle it. Not so. Data needs to be viewed as an institutional asset, consumed by many and used by the institution for the strategic purposes of student success, scholarship, and more.

The first step in addressing your “big” data problem? Data governance.

What is data governance?

There are various definitions, but the one we use with our clients is “the ongoing and evolutionary process driven by leaders to establish principles, policies, business rules, and metrics for data sharing.”

Please note that the phrase “IT” does not appear anywhere in this definition.

Why is data governance necessary? For many reasons, including:

  1. Data governance enables analytics. Without data governance, it’s difficult to gain value from analytics initiatives which will produce inconsistent results. A critical first step in any data analytics initiative is to make sure that definitions are widely accepted and standards have been established. This step allows decision makers to have confidence in the data being analyzed to describe, predict, and improve operations.
     
  2. Data governance strengthens privacy, security, and compliance. Compliance requirements for both public and private institutions constantly evolve. The more data-reliant your world becomes, the more protected your data needs to be. If an organization does not implement security practices as part of its data governance framework, it becomes easier to fall out of compliance. 
     
  3. Data governance supports agility. How many times have reports for basic information (part-time faculty or student FTEs per semester, for example) been requested, reviewed, and returned for further clarification or correction? And that’s just within your department! Now add multiple requests from the perspective of different departments, and you’re surely going through multiple iterations to create that report. That takes time and effort. By strengthening your data governance framework, you can streamline reporting processes by increasing the level of trust you have in the information you are seeking. Understanding the value of data governance is the easy part/ The real trick is implementing a sustainable data governance framework that recognizes that data is an institutional asset and not just a four-letter word.

Stay tuned for part two of this blog series: The how of data governance in higher education. In the meantime, reach out to me if you would like to discuss additional data governance benefits for your institution.

Article
Data is a four-letter word. Governance is not.

As a new year is upon us, many people think about “out with the old and in with the new”. For those of us who think about technology, and in particular, blockchain technology, the new year brings with it the realization that blockchain is here to stay (at least in some form). Therefore, higher education leaders need to familiarize themselves with some of the technology’s possible uses, even if they don’t need to grasp the day-to-day operational requirements. Here’s a high-level perspective of blockchain to help you answer some basic questions.

Are blockchain and bitcoin interchangeable terms?

No they aren’t. Bitcoin is an electronic currency that uses blockchain technology, (first developed circa 2008 to record bitcoin transactions). Since 2008, many companies and organizations utilize blockchain technology for a multitude of purposes.

What is a blockchain?

In its simplest terms, a blockchain is a decentralized, digital list (“chain”) of timestamped records (“blocks”) that are connected, secured by cryptography, and updated by participant consensus.

What is cryptography?

Cryptography refers to converting unencrypted information into encrypted information—and vice versa—to both protect data and authenticate users.

What are the pros of using blockchain?

Because blockchain technology is inherently decentralized, you can reduce the need for “middleman” entities (e.g., financial institutions or student clearinghouses). This, in turn, can lower transactional costs and other expenses, and cybersecurity risks—as hackers often like to target large, info-rich, centralized databases.

Decentralization removes central points of failure. In addition, blockchain transactions are generally more secure than other types of transactions, irreversible, and verifiable by the participants. These transaction qualities help prevent fraud, malware attacks, and other risks and issues prevalent today.

What are the cons of using blockchain technology?

Each blockchain transaction requires signature verification and processing, which can be resource-intensive. Furthermore, blockchain technology currently faces strong opposition from certain financial institutions for a variety of reasons. Finally, although blockchains offer a secure platform, they are not impervious to cyberattacks. Blockchain does not guarantee a hacker-proof environment.

How can blockchain benefit higher education institutions?

Blockchain technology can provide higher education institutions with a more secure way of making and recording financial transactions. You can use blockchains to verify and transfer academic credits and certifications, protect student personal identifiable information (PII) while simultaneously allowing students to access and transport their PII, decentralize academic content, and customize learning experiences. At its core, blockchain provides a fresh alternative to traditional methods of identity verification, an ongoing challenge for higher education administration.

As blockchain becomes less of a buzzword and begins to expand beyond the realm of digital currency, colleges and universities need to consider it for common challenges such as identity management, application processing, and student credentialing. If you’d like to discuss the potential benefits blockchain technology provides, please contact me.

Article
Higher education and blockchain 101: It's not just for bitcoin anymore

The late science fiction writer (and college professor) Isaac Asimov once said: “I do not fear computers. I fear the lack of them.” Had Asimov worked in higher ed IT management, he might have added: “but above all else, I fear the lack of computer staff.”

Indeed, it can be a challenge for higher education institutions to recruit and retain IT professionals. Private companies often pay more in a good economy, and in certain areas of the nation, open IT positions at colleges and universities outnumber available, qualified IT workers. According to one study from 2016, almost half of higher education IT workers are at risk of leaving the institutions they serve, largely for better opportunities and more supportive workplaces. Understandably, IT leadership fears an uncertain future of vacant roles—yet there are simple tactics that can help you improve the chances of filling open positions.

Emphasize the whole package

You need to leverage your institution’s strengths when recruiting IT talent. A focus on innovation, project leadership, and responsibility for supporting the mission of the institution are important attributes to promote when recruiting. Your institution should sell quality of life, which can be much more attractive than corporate culture. Many candidates are attracted to the energy and activity of college campuses, in addition to the numerous social and recreational outlets colleges provide.

Benefit packages are another strong asset for recruiting top talent. Schools need to ensure potential candidates know the amount of paid leave, retirement, and educational assistance for employees and employee family members. These added perks will pique the interest of many candidates who might otherwise have only looked at salary during the process.

Use the right job title

Some current school vacancies have very specific job titles, such as “Portal Administrator” or “Learning Multimedia Developer.” However, this specificity can limit visibility on popular job posting sites, reducing the number of qualified applicants. Job titles, such as “Web Developer” and “Java Developer,” can yield better search results. Furthermore, some current vacancies include a number or level after the job title (e.g., “System Administrator 2”), which also limits visibility on these sites. By removing these indicators, you can significantly increase the applicant pool.

Focus on service, not just technology

Each year, institutions deploy an increasing number of Software as a Service (SaaS) and hosted applications. As higher education institutions invest more in these applications, they need fewer personnel for day-to-day technology maintenance support. In turn, this allows IT organizations to focus limited resources on services that identify and analyze technology solutions, provide guidance to optimize technology investments, and manage vendor relationships. IT staff with soft skills will become even more valuable to your institution as they engage in more people- and process-centric efforts.

Fill in the future

It may seem like science fiction, but by revising your recruiting and retention tactics, your higher education institution can improve its chances of filling IT positions in a competitive job market. In a future blog, I’ll provide ideas for cultivating staff from your institution via student workers and upcoming graduates. If you’d like to discuss additional staffing tactics, send me an email.

Article
No science fiction: Tactics for recruiting and retaining higher education IT positions

Read this if you are a police executive, city/county administrator, or elected government official responsible for a law enforcement agency. 

Who you gonna call? 

Law enforcement agencies provide essential services to our communities vital to maintaining order and public safety. These critical organizations always answer the call, and they are prepared for every type of disaster imaginable: floods, hurricanes, tornadoes, blizzards, train derailments, and even... a pandemic?

Police agencies plan, prepare, and train for disasters, and are particularly adept and agile in their response to them. As an industry, law enforcement agencies are also very good at helping one another in times of need. When there is a major disaster in your community, your agency can always count on neighboring departments sending you some much needed resources―that is, unless everyone has the same problem. Then what do you do?

Although law enforcement agencies are very capable, their strength is in sprinting, not running marathons. Even the best and most-qualified police agencies struggle with the strain of long-lasting disasters, particularly when there are no other resources to help. That is when having the right patrol-schedule design can be critical. If your patrol schedule is inefficient in the first place, managing a lengthy disaster or critical event will magnify those inefficiencies, exhausting your personnel and fiscal resources at the same time.

Flaws in patrol schedule design = reduced efficiency

Flaws in the patrol schedule design often contribute to reduced efficiency and suboptimal performance, and design issues may work against your ability to maintain operational staffing during critical times of need. So, how do you know if your patrol schedule is serving you well? 

To help agencies evaluate their patrol schedules, BerryDunn has developed at free tool. Click here to measure your patrol schedule against key design components and considerations. If your agency scores low in this self-assessment, it may be time to consider making some adjustments. 

The path to resolving inefficiencies in your patrol work schedule and optimizing the effective deployment of patrol personnel requires thoughtful consideration of several overarching goals:

  • Reducing or eliminating predictable overtime
  • Eliminating peaks and valleys in staffing due to scheduled leave
  • Ensuring appropriate staffing levels in all patrol zones or beats
  • Providing sufficient staff to manage multiple and priority Calls for Service  in patrol zones or beats
  • Satisfying both operational and staff needs, including helping to ensure a proper work/life balance and equitable workloads for patrol staff

Accomplishing these goals requires an intentional approach, customized to your agency’s characteristics (e.g., staffing levels, geographic factors, crime rates, zone/beat design, contract/labor rules). BerryDunn can help your agency assess the patrol schedule, and if necessary, provide guidance and assistance on implementation of a more effective model. 

If you are interested in a patrol work-schedule assessment or redesign or a patrol staffing study, our dedicated Justice & Public Safety consultants are available to discuss your organization’s needs.

Article
Continuity of patrol operations in a COVID-19 environment

Editor’s note: Please read this if you are a not-for-profit board member, CFO, or any other decision maker within a not-for-profit.

In a time where not-for-profit (NFP) organizations struggle with limited resources and a small back office, it is important not to overlook internal audit procedures. Over the years, internal audit departments have been one of the first to be cut when budgets are tight. However, limited resources make these procedures all the more important in safeguarding the organization’s assets. Taking the time to perform strategic internal audit procedures can identify fraud, promote ethical behavior, help to monitor compliance, and identify inefficiencies. All of these lead to a more sustainable, ethical, and efficient organization. 

Internal audit approaches

The internal audit function can take on many different forms, depending on the size of the organization. There are options between the dedicated internal audit department and doing nothing whatsoever. For example:

  • A hybrid approach, where specific procedures are performed by an internal team, with other procedures outsourced. 
  • An ad hoc approach, where the board or management directs the work of a staff member.

The hybrid approach will allow the organization to hire specialists for more technical tasks, such as an in-depth financial analysis or IT risk assessment. It also recognizes internal staff may be best suited to handle certain internal audit functions within their scope of work or breadth of knowledge. This may add costs but allows you to perform these functions otherwise outside of your capacity without adding significant burden to staff. 

The ad hoc approach allows you to begin the work of internal audit, even on a small scale, without the startup time required in outsourcing the work. This approach utilizes internal staff for all functions directed by the board or management. This leads to the ad-hoc approach being more budget friendly as external consultants don’t need to be hired, though you will have to be wary of over burdening your staff.

With proper objectivity and oversight, you can perform these functions internally. To bring the process to your organization, first find a champion for the project (CFO, controller, compliance officer, etc.) to free up staff time and resources in order to perform these tasks and to see the work through to the end. Other steps to take include:

  1. Get the audit/finance committee on board to help communicate the value of the internal audit and review results of the work
  2. Identify specific times of year when these processes are less intrusive and won’t tax staff 
  3. Get involved in the risk management process to help identify where internal audit can best address the most significant risks at the organization
  4. Leverage others who have had success with these processes to improve process and implementation
  5. Create a timeline and maintain accountability for reporting and follow up of corrective actions

Once you have taken these steps, the next thing to look at (for your internal audit process) is a thoughtful and thorough risk assessment. This is key, as the risk assessment will help guide and focus the internal audit work of the organization in regard to what functions to prioritize. Even a targeted risk assessment can help, and an organization of any size can walk through a few transaction cycles (gift receipts or payroll, for example) and identify a step or two in the process that can be strengthened to prevent fraud, waste, and abuse.  

Here are a few examples of internal audit projects we have helped clients with:

  • Payroll analysis—in-depth process mapping of the payroll cycle to identify areas for improvement
  • Health and education facilities performance audit—analysis of various program policies and procedures to optimize for compliance
  • Agreed upon procedures engagement—contract and invoice/timesheet information review to ensure proper contractor selection and compliant billing and invoicing procedures 

Internal audits for companies of all sizes

Regardless of size, your organization can benefit from internal audit functions. Embracing internal audit will help increase organizational resilience and the ability to adapt to change, whether your organization performs internal audit functions internally, outsources them, or a combination of the two. For more information about how your company can benefit from an internal audit, or if you have questions, contact us

Article
Internal audit potential for not-for-profit organizations

Read this if you are a police executive, city/county administrator, or elected government official, responsible for a law enforcement agency. 

“We need more cops!”  

Do your patrol officers complain about being short-staffed or too busy, or that they are constantly running from call to call? Does your agency struggle with backed-up calls for service (CFS) or lengthy response times? Do patrol staff regularly find themselves responding to another patrol area to handle a CFS because the assigned officer is busy on another call? Are patrol officers denied leave time or training opportunities because of staffing issues? Does the agency routinely use overtime to cover predictable shift vacancies for vacations, holidays, or training? 

If one or more of these concerns sound familiar, you may need additional patrol resources, as staffing levels are often a key factor in personnel deployment challenges. Flaws in the patrol schedule design may also be responsible, as they commonly contribute to reduced efficiency and optimal performance, and design issues may be partially responsible for some of these challenges, regardless of authorized staffing levels.
 
With community expectations at an all-time high, and resource allocations remaining relatively flat, many agencies have growing concerns about managing increasing service volumes while controlling quality and building/maintaining public trust and confidence. Amid these concerns, agencies struggle with designing work schedules that efficiently and optimally deploy available patrol resources, as patrol staff become increasingly frustrated at what they consider a lack of staff.

The path to resolving inefficiencies in your patrol work schedule and optimizing the effective deployment of patrol personnel requires thoughtful consideration of several overarching goals:

  • Reducing or eliminating predictable overtime
  • Eliminating peaks and valleys in staffing due to scheduled leave
  • Ensuring appropriate staffing levels in all patrol zones or beats
  • Providing sufficient staff to manage multiple and priority CFS in patrol zones or beats
  • Satisfying both operational and staff needs, including helping to ensure a proper work/life balance and equitable workloads for patrol staff

Scheduling alternatives

One common design issue that presents an ongoing challenge for agencies is the continued use of traditional, balanced work schedules, which spread officer work hours equally over the year. Balanced schedules rely on over-scheduling and overtime to manage personnel allocation and leave needs and, by design, are very rigid. Balanced work schedules have been used for a very long time, not because they’re most efficient, but because they’re common, familiar, and easily understood―and because patrol staff are comfortable with them (and typically reluctant to change). However, short schedules offer a proven alternative to balanced patrol work schedules, and when presented with the benefits of an alternative work schedule design (e.g., increased access to back-up, ease of receiving time off or training, consistency in staffing, less mandatory overtime), many patrol staff are eager to change.

Short schedules

Short schedules involve a more contemporary design that includes a flexible approach that focuses on a more adaptive process of allocating personnel where and when they are needed. They are significantly more efficient than balanced schedules and, when functioning properly, they can dramatically improve personnel deployments, bring continuity to daily staffing, and reduce overtime, among other operational benefits. Given the current climate, most agencies are unlikely to receive substantial increases in personnel allocations. If that is true of your agency, it may be time to explore the benefits of alternative patrol work schedules.

A tool you can use

Finding scheduling strategies that work in this climate requires an intentional approach, customized to your agency’s characteristics (e.g., staffing levels, geographic factors, crime rates, zone/beat design, contract/labor rules). To help guide you through this process, BerryDunn has developed a free tool for evaluating patrol schedules. Click here to measure your patrol schedule against key design components and considerations.

If you are curious about alternative patrol work schedules, our dedicated justice and public Safety consultants are available to discuss your organization’s needs.

Article
Efficient police patrol work schedules―By design

Good Practices Are Not Enough

When it comes to IT security, more than one CEO running a small organization has told me they have really good people taking care of “all that.” These CEOs choose to believe their people perform good practices. That may be true, but who defines good practices and how they administer them? And when? If “security is everyone’s job,” then nobody is responsible for getting specific things done. Good practices require consistency, and consistency requires structure.

From an audit perspective, a control not written down does not exist. Why? Because it can’t be tested, measured, or validated. An IT Auditor can’t assess controls if they were never defined. Verbal instruction carries by far the most risk. “I told him to do that,” doesn’t pass the smell test in court.

Why Does it Matter?

Because it’s not IT’s job to write policies. Their job is to implement IT decisions made by management. They’re not at the right level to make decisions that impact the entire organization. Why should small organizations concern themselves with developing policies and procedures? Here are two very good reasons:

1. Regulatory Requirements
2. Lawsuits

No matter how small your organization, if you have a corporate network (even cloud-based) and you store credit card transactions, personal health information, client financial information or valuable intellectual property, being aware of state and federal regulatory requirements for protecting that information is vital. It is the responsibility of management to research and develop a management framework for addressing risk.

Lawsuits happen when information is stolen and/or employees are terminated for inappropriate activities. If you have no policies that mandate what is and isn’t acceptable, and what the penalties are for violations, your terminated employee has grounds for a wrongful termination lawsuit: policy should not be written by the IT Department.

If confidential data you are responsible for is stolen and clients sue you, standing up in court and saying “We don’t have any written policies or procedures,” is a sure way to have both significant financial losses and a negative impact on your reputation. For a small organization, that could mean going out of business.

Even if data is stolen from a third-party vendor who stores your data, your organization owns the data and is responsible for ensuring the data is secure with the vendor and meets organizational requirements. Do you have a vendor management policy? If you work with vendors, you need one.

Consider, too, that every organization expects to grow its business. The longer management doesn’t pay attention to policies and procedures, the more difficult it becomes to develop and implement them.

Medium and Large Organizations Need to Pay Attention, too

A policy document provides a framework for defining activities and decision-making by everyone in the organization. A policy contains standards for the organization, and outlines penalties for non-performance. The organization’s management team or board of directors must drive their creation.
Policies also maintain accountability in the eyes of internal and external stakeholders. Even the smallest organization wants their customers and employees to have confidence the organization is protecting important information. By defining the necessary controls for running business operations that address risk and compliance requirements (and reviewing them annually), your management team demonstrates a commitment to good practices.

Procedures are the “How”

Procedures don’t belong in a policy. Departments need to be able to design their own procedures to meet policy requirements and definitions. HR will have procedures for employee privacy and financial information, finance must manage credit card, student, banking or client financial documentation, and IT will need to develop specific technical procedures to document their compliance with policy.

If all those procedures are in a policy, it makes for unwieldy policy documents that management must review and approve. Departments need to change and update their procedures quickly in order to remain effective. For example, a policy may mandate the minimum number of characters in a password, but IT needs to develop the procedures to implement that requirement on many platforms and devices.

What is a “Plan” Used For?

Consider that organizations commonly have a Business Continuity Plan as well as an Incident Response Plan. How is a “plan” different from a policy or procedure?

A plan (for example, an Information Security Plan, or Privacy Plan, etc.) is a collection of related procedures with a specific focus. I have seen these collections called “programs,” but most organizations use “plan” (plus, the Federal government uses that term). The term “program” implies a beginning and an end, as well as tending to be a little too generic (think “School Lunch Program”).

Three Ways Not to Develop Policies, Procedures and Plans

1.

Getting templates from the Internet. Doing a Google search delivers an overwhelming number of approaches, examples and material. Policy templates found online may not be applicable to your organization’s purpose, or require so much editing they defeat the template’s purpose. 

2.

Alternatively, going to organizational peers can endlessly replicate one poorly developed approach to documentation.

3.

Writing policies and procedures totally focused on meeting one regulatory requirement frequently necessitates a total re-write as soon as the next regulation comes along.

Consider the Unique Aspects of Your Organization

What electronic information does your organization consider valuable? During an assessment with a state university, we discovered that the farm research the agriculture school was performing was extremely valuable. While we started out with questions about student health and financial information, the university realized the research data was equally critical. The information might not have federal or state regulations attached to it, but if it is valuable to your organization, you need to protect it. By not taking a one-size fits all approach to our assessment, we were able to meet their specific needs.

Multiple Departments or Locations? Standardize.

Whether your organization is a university, non-profit organization, government agency, medical center or business, you frequently have sub-entities. Each sub-entity or location may have different terms for different functions. For example, at a recent engagement for another university, Information Security “Programs,” “Plans” and “Policies” meant different things on different campuses. This caused confusion on the part of all stakeholders. It also showed a lack of cohesion in the approach to security of the university as a whole. Standardizing language is one of the best ways to have everyone in the organization on the same page, even if the documents are unique to a location, agency or site. This makes planning, implementation, and system upgrade projects run more effectively.

Demonstrate Competence

No matter what terms your organization chooses, using consistent terms is a good way to demonstrate a thoughtful approach. Everyone needs to be talking the same language. Having documents that specify management decisions provides assurance to internal and external stakeholders. Good policies, procedures and plans can mean the difference between a manageable crisis and a business failure.

To receive IT security updates, please sign up here.

Article
Policies, procedures, and plans—defining the language of your organization