Governance Risk & Compliance (GRC): People, Skills & Competencies

People, Skills & Competencies in Governance, Risk & Compliance

What direction is being given regarding people, skills and competencies?

All business objectives have a dependency on people, no matter how clever we are with the technology.

Do we have the skills and competencies that we need to perform each role and achieve business objectives? It’s normal to have gaps, but these should be identified as risks, with clear decisions on priority: which risks will be accepted, which ones we will try to mitigate, and how this will be managed.

We need two data sets to carry out the risk assessment, so we can compare the ‘skills we have’ with the ‘skills we need’.

Many organizations are required to achieve and maintain compliance with international standards. What do the auditors expect to see? What do we need to show them when it comes to skills and competencies?

Whether you are aligning to, or being audited against, any international standards, most are built on the principles of the ISO 9001 quality management standard. Even if you’re not trying for certification, these principles represent accepted good practice, and will help protect your organization. The quality management system describes how you operate your business, covering all processes of the organization. These principles are reflected in other standards covering specific disciplines. To consider capabilities, you need to assess what they currently are – whether they are internal or external capabilities, resources or people.

Role profiles and job descriptions, and any other requirement, whether that’s projects, sprints or tasks, have to describe the required competence: the knowledge and the skills, including education, training and experience. Individuals have to be assessed to determine their current competencies – a skills profile for each person – so that you can compare these with the required competencies and see any gaps. Development action plans are required, stating the required competence and evaluating the effectiveness of the action.

Auditors will expect to see some documentation to support this – skill profiles for each person, role profiles / job descriptions, plus development action plans, as well as certificates and other evidence.

Qualification isn’t just theoretical knowledge – it has to include the application of the knowledge and skills, with suitable experience as well as education and training. It is not enough to have a list of technologies or training certificates. We need to recognize ‘knowledge’, but also move beyond it to capture ‘Skill Proficiency’ and ‘Professional Competency’ – what we do, not just what we know.

A common language and agreed set of definitions for skills and competencies is vital, so that everyone understands clearly and each skill and competency is identified consistently.

What skills do we have now? Would an auditor accept that you don’t know which services you provide and what assets you have? Your people and their skills and competencies are critical assets to success. You must document which skills you need, and keep it up to date as your skills change. With these two sets of data, ‘what you have’ and ‘what you need’, gap analysis can be performed, decisions can be made and prioritized, and reflected in development action plans – at individual level, team, department, and whole organization.

Accurate skills data is needed to support informed decision making. So you need to know ‘what skills you have’ and ‘what skills you need’, and compare them to decide whether you: build skills in your existing resources; mobilize skills that are within your organization but perhaps not in the right place; buy them in through recruitment; or borrow them from third-party suppliers, vendors, service providers, contractors or contingent workers.

Level 4 is the minimum level organizations should aim for to meet these governance, risk and compliance needs. You need to know the skills you have and the skills you need, identify the gaps and the risks that you have, make some decisions, and be shown to be taking action. The path to the required level of maturity is often shorter and easier than many people think. There’s support available to do the heavy lifting, lots of automation, and job/role templates.

We need to get the message across to the people who are going to be involved: why we’re assessing their skills, and what we’re going to do with that data. Build skill profiles for each person, and therefore a skills inventory for the organization. We can also have a level of review, approval, and independent assessment. We need to define the skill requirements, do the analysis, make some decisions, and put some actions in place. This can be achieved in less than two months with most organizations.

A great place to start for any organization is to invest the 10 to 15 minutes it takes to carry out a quick Digital Skills Management Maturity assessment, so you know where your organization is on the maturity scale. The report that you get also gives you some comparison, other data, and advice and guidance on how to get from where you are now to where you need to be. The document can be great in supporting your internal business case, but it’s also evidence for the auditor that you’re taking this area seriously, and that you’ve started taking some action.