So what does it all mean?  What do we do in practice?  Here’s an example.

A client recently engaged us to conduct a review of their risk framework for two key purposes.  Firstly, to ensure that what they had in place was robust, broad enough in its scope, fully integrated within the organisation’s wider strategy and would stand up to the scrutiny of a GFSC PRISM review.  Secondly, to ensure that they had independent oversight of their preparations for the implementation of the local GDPR legislation in May 2018.

Our CISSP and GDPR Practitioner qualified team conducted a detailed audit of their GDPR readiness over three days, producing a RAG-rated report indicating the areas where the greatest compliance gaps occurred, and recommending remediation actions.  The organisation then had the option to undertake this prioritised ‘GDPR Readiness Project’ themselves, or utilise our skills and resources to assist on a work package basis.

We also reviewed the Business Risk Assessment (BRA) document, Risk Register and any available general strategic output from their regular strategy meetings, in advance of a scheduled PRISM visit.  Although the BRA and Risk Register were well maintained, they didn’t cover the full spectrum of risk prescribed within the PRISM framework, and it was clear that risk had developed as a silo function within the organisation, rather than being fully integrated into the organisation’s strategic objectives.

Our recommended solution was to review their organisational risks in light of the PRISM framework, broaden the scope of their risk awareness where necessary, design and implement any measures and controls not already in place, and use a technology tool to track their KRIs in a more intuitive, visually appealing and meaningful way.

We also recommended the client undertake a full strategic review, as it was clear that they lacked a consistent strategic approach, and that supposedly strategic discussions were rarely held or successfully propagated.  As a simple validation of the organisation’s perceived lack of strategic maturity, we conducted an EFQM Quick Assessment, a short process designed to benchmark the performance of an organisation by looking at its approach to a number of strategically important variables such as Leadership, People and Processes.  This led to the recognition of a number of strategic hotspots within the organisation.

We conducted a PESTLE and SWOT analysis, widely recognised as best-practice tools for the scanning of internal and external environments to help inform the development and implementation of strategy.  Using the output from these tools we were then able to work with the organisation to create a Group level organisational Strategy Map.  This highlighted, in a clear and concise way, not only the aims of the organisation as a whole, but also the strategic priorities required for achieving them.  The cause and effect nature of the strategy, from continuous improvement actions within the organisation, through to the strategic objectives designed to achieve the client expectations that lead to the financial results, and ultimately achievement of the vision, can be easily demonstrated in this manner.

Supporting this was a Balanced Scorecard, identifying the KPIs that need to be tracked in order to demonstrate progress towards the strategic priorities, and a number of strategic initiatives with clear ownership assigned, outlining what needs to be done, and by whom, to achieve the strategic objectives.

Finally, this was migrated into a simple-to-use technology solution that allows the ongoing visualisation, tracking and management of the organisation’s strategy, risk, and performance management frameworks.

The benefits of undertaking this process were clearly visible from the outset, and this led to us conducting a similar process for each of the organisation’s overseas jurisdictions.  In doing so we have created a clear strategy cascade from Group level, across each of the jurisdictions, ensuring that the organisation as a whole is entirely aligned in its strategic goals.