The New Best Practices Framework "Duo" That's Changing Our World of Business

Many of our members, who rely on one or more "best practices frameworks" as helpful resources for their Governance Risk Compliance (GRC) or Work Excellence (WE) functions and roles, need to take note of a major change to what we have long perceived to be the leading framework duo. In early January 2017, that change reshaped our world of best (or good) practice frameworks. Here's the scoop:

For more than ten years, the leading framework duo has been the COSO Enterprise Risk Management (ERM) framework, which is highly complemented by, and often coupled with, the COBIT best practices framework for managing Information Technology (IT) controls, processes, systems and overall management operations.

COSO ERM was developed by The Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO is a joint initiative of five private sector organizations dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. They are as follows:

1. The American Accounting Association (AAA)

2. The American Institute of CPAs (AICPA)

3. Financial Executives International (FEI)

4. The Association of Accountants and Financial Professionals in Business (IMA)

5. The Institute of Internal Auditors (IIA)

COBIT (Control Objectives for Information and Related Technologies) is another good-practice framework, created by the international professional association ISACA for information technology (IT) management and IT governance. While COSO focuses primarily on Enterprise Risk Management for business professionals, COBIT focuses on the technical side of the business. The two frameworks, collectively, represent what we refer to as a "framework duo". By a duo, or (informal) coupling of good practice frameworks, we mean that the combination takes on a level of communications, control, coordination and collaboration across enterprise functions that provides significantly more Strategic Shareholder Value than either one can produce on its own. In essence, they work together, in lockstep fashion, not only to protect shareholder value and corporate assets, but also to improve the resilience of the business and provide a platform for growing the business in a way that would be tough, if not impossible, without them.

COSO and COBIT have sat at the top echelon of all good practice frameworks globally because of their significant importance to running a corporation in today's tough business environment. The duo is not going away, by any means. But we have a sense that they have now been superseded by a newer framework duo that has been developed, owned, managed and sustained by The National Institute of Standards and Technology (NIST).

NIST offers the combination of the Cybersecurity Framework (NIST CSF), which is the good practices framework for dealing with the scourge of the Internet: cyber crime, cyber fraud and other malicious types of electronic attacks. In addition, its Malcolm Baldrige Business Performance Excellence framework guides businesses on work excellence for a number of industry verticals and for general business performance, no matter what industry your organization competes in.

The Baldrige Performance Excellence Program and the associated award were established by the Malcolm Baldrige National Quality Improvement Act of 1987 (Public Law 100–107). The program and award were named for Malcolm Baldrige, who served as United States Secretary of Commerce during the Reagan administration, from 1981 until Baldrige’s 1987 death in a rodeo accident. In 2010, the program's name was changed to the Baldrige Performance Excellence Program to reflect the evolution of the field of quality from a focus on product, service, and customer quality to a broader, strategic focus on overall organizational quality—called performance excellence.

The award promotes awareness of performance excellence as an important element in competitiveness. It also promotes the sharing of successful performance strategies and the benefits derived from using these strategies. To receive a Baldrige Award, an organization must have a role-model organizational management system that ensures continuous improvement in delivering products and/or services, demonstrate efficient and effective operations, and provide a way of engaging and responding to customers and other stakeholders. The award is not given for specific products or services.

More recently, NIST established the Cybersecurity Framework (NIST CSF for short) in 2014. The most recent update to NIST CSF took place in January of 2017 with the release of DRAFT Version 1.1. In the short period that this framework has been in existence it has taken off in popularity. The Gartner Group recently said, "NIST CSF is currently used by 30% of all US companies. This % will rise to 59% by 2020." (Gartner Group 10/20/16 quote). This projection represents astounding growth!

When you realize that all countries around the world are in the fight of their lives to protect their country-based businesses from cyber crime, you realize that this is not a fight at all; it's a war. Every day more and more businesses are losing massive amounts of time and money fighting cyber crime. That level of loss is compounded by the losses of private individuals in all walks of life who have no advanced cyber security knowledge, tools or know-how. What strikes us is how little real support businesses and individuals have in dealing with the war against cyber crime. But that thought is fodder for another BLOG post. Let's get to the meat of the matter.

In any case, here is the gravity of this framework duo topic. The NIST CSF, when coupled with the NIST Baldrige Performance Excellence Framework, offers a new level of strategic shareholder value that topples (i.e. supersedes in importance) the COSO/COBIT duo. Why? Because cyber crime prevention now overshadows all other business imperatives. What is most important is that this imperative affects all employees, from the Board of Directors, through executive management, and down to every level, function and role of employee. Even third parties such as customers, trading partners, contractors and all other business constituencies must be brought under this imperative. Urgency is of significant importance, as is resource allocation, for getting the good practice framework requirements met in record time. THIS IS NOT A TECHIES-ONLY IMPERATIVE!

The NIST CSF, which is a very technical framework for very technical professionals, is now being positioned as the #1 framework for corporate board members to put in place before the business incurs any more losses. Time is of the essence! Get CSF in place, NOW! Make sure the corporation is putting all urgency and resource allocations behind CSF. The NIST CSF must ripple from the top of the business to the bottom. All employees are a part of the enterprise-wide initiative. Then, once the NIST CSF framework is in place and functioning well, use the Malcolm Baldrige performance excellence framework to grow and guide the journey to business performance excellence going forward.

There's a lot more that we can tell you about the new NIST framework duo. But what you need to walk away with from this post is that there is now a mission-critical business correlation between the CSF and Strategic Shareholder Value. The GRC Sphere is leading this charge with a new era of collaborative tools to ensure that all organizations can measure their organizational performance using what we auditors call a "closed-loop control architecture". That's a fancy phrase for the practice of industry benchmarking.

GRC Sphere's new era of collaborative tools addresses the need for closed-loop controls by promoting the use of collaborative tools that can help your organization institutionalize the good practices of industry-driven crowdsourcing and benchmarking. These practices are the proven approaches towards the institutionalization of "fast learning". The tools that we are building to address the NIST framework duo are groundbreaking, and we want your organization to get involved. So, now, we not only have the NIST duo to implement, but also the COSO and COBIT framework duo.

Thus, the bottom line is that we now have a quadruple set of good practice frameworks to help our companies move forward with a level of internal controls and oversight that has been missing heretofore.

NOTE: If you'd like to get access to our 3 foundation papers on the topics of industry-driven crowdsourcing and benchmarking, along with our collaborative set of tools, please register for FREE and we will walk you through our mission objectives for our Executive Think Tanks, Industry Clusters and Special Interest Groups (SIGs). We will also introduce you to our Analytical Model Repository and the 12 categories of models, templates and other content that we, as members, can share across our GRC and Work Excellence roles and functions to collaborate in totally new ways as "industry peers".
