A Picture Is Worth a Thousand Words

Every single thing we do each day is defined as a process. When you get up in the morning until you go to sleep at night, each thing you do is a process. The routine you go through getting ready for the day: dropping the kids off at school, dialing the phone, typing an email, preparing for a meeting, analyzing risk... each and every one of these activities encompasses one or more processes. How well each step of a process is executed determines the effectiveness of the outcome.

Most organizations have done little to truly define and map their processes. Enterprises expect new hires and existing staff to learn “how we do things here.” They expect compliance with policies and procedures without ever providing a true picture of what to do, when to do it, with whom you are expected to coordinate, or the issues that arise if the policy is not followed.

Yes, written proses in most organizations establish policies and procedures for the enterprise. Yet the frequent lack of compliance and violation of policy indicates that no one really reads them. Most just sit on the shelf and gather dust or, if they are online, few ever click on them. If they are read, many times they aren’t understood or worst case, they are simply ignored. Ask yourself: How often and how thoroughly have you read every policy and procedure that affects your enterprise and department, those with which you are expected to comply or that you are tasked with enforcing? Do you thoroughly understand your responsibilities, the expectations of each policy and procedure, or the consequences you, your department or the enterprise face for non-compliance?

The best solution to gaining control of an enterprise’s processes and ensuring broad compliance to the greatest extent possible is to map each process. Like the old saying goes: “A picture is worth a thousand words.” Process mapping produces defined process flow charts and yes-no decision trees. It not only simplifies educating personnel on what is expected, but enhances compliance with how an enterprise wants or must have things done. It also assists in readily identifying where processes can be enhanced or streamlined. When things do go wrong, it also makes it much easier to identify at what point someone deviated from the process or where it failed and to implement necessary changes as part of a root-cause analysis process.

One of the best examples of the value of process mapping and yes-no decision trees can be found in use with guard force procedures. At most enterprises, general instructions alone for the guard force are typically volumes long. On top of that there are numerous post-specific instructions for each location a guard or receptionist is assigned. The first time I deployed process mapping and yes-no decision trees to replace post orders for guards was in the late 1980s, and I was astonished with the results. We went from frequent complaints on the guards failing to do their job to a high number of compliments. We witnessed nearly a 99.9-percent accuracy level on the guards completing their tasks and doing so according to the defined process. We also found that training of new guards was dramatically enhanced, job satisfaction soared and complaints nearly vanished.

If you have a “best practice” or a method you have deployed that was particularly effective, I would appreciate it if you would share it with me. I am looking to potentially highlight them as part of the SECURITY 500 events that I emcee in the Spring on the West Coast and the Fall in Washington D.C.

Lynn Mattice is Managing Director of Mattice & Associates, a top-tier management consulting firm focused primarily at assisting enterprises with ERM, cyber, intelligence, security and information asset protection programs. He can be reached at: matticeandassociates@gmail.com

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.