Mina stopped quickly for coffee on the way to the office. It would be a busy morning trying to write up her scoping suggestions before the US headquarters (HQ) team came in for the day. The audit team had been given an unusual request, at least something Mina and her colleagues had not seen before. The project governance process and supporting software they would be reviewing had to be verified for inclusion. The new chief information officer (CIO) was intent on achieving better development outcomes based on greater participation. He believed some stakeholders opted out of participating in the project process, not because they thought it was outside of their job responsibilities, but because they felt like outsiders. He wanted an audit to uncover gaps in inclusion and discover factors that targeted certain participants while discouraging others. The CIO was convinced not only that technology could drive diversity in positive ways, but that the process itself could foster better collaboration from the team. Before scoping could begin, Mina felt there had to be a foundational understanding of diversity and inclusion, and that is where she wanted to provide input.
Why Diversity Takes Work to Achieve
The benefits of diversity have long been sought after by schools of management. Diverse styles produce a broad range of ideas and approaches, which can translate to a more cohesive work environment and create a competitive edge that impacts the bottom line. Diverse work teams with inclusive mindsets can bridge gaps in understanding that help avoid rework. The classic example is strong collaboration between IT and the business, where post-development user acceptance testing (UAT) produces a go-live outcome that satisfies users. Diverse teams also make it easier to reach a wider audience by creating products and services that are broadly appealing. Technology helps make these products and services more ubiquitous.
The CIO was convinced not only that technology could drive diversity in positive ways, but that the process itself could foster better collaboration from the team.
If diversity can bring such advantages, why is it so hard to achieve? The terms "unconscious bias," "the boys’ club," "cliques" and "the inner circle" suggest that work and social groups form around what is familiar. It is easier to work within a known framework, with people and styles that feel like part of the routine. Breaking away from the known and comfortable to include new approaches and different individuals can feel risky, as any change does for those accustomed to operating within established boundaries. As Mina’s situation shows, achieving the best outcome means not only understanding how diversity should be defined for a project, but also ensuring that the technology used captures the advantages of diversity at the go-live point and during the steady state.
Mina’s Ideas on Scoping
Mina really enjoyed her work, and she did not mind being a team member from the Europe, the Middle East and Africa (EMEA)-region in a US-based enterprise. Although there were times when she wished she was at the table when some of the key decisions were made, especially around the organization’s audit plan, she liked the quiet mornings when she could get thoughtful work done before the HQ team’s day during her afternoon time. In fact, inclusion of other regions was one of her proposals for scope evaluation and process planning for this specific project. She decided the best way to highlight her points was to start with a list of key attributes that should be objectives of the audit:
- The need is to define diversity and avoid total assimilation. A narrowly defined scope can ignore or discourage nontraditional ideation, threatening to exclude valuable information. Her point is to have the team define diversity up front at the time of scoping the audit project. To define diversity properly, the team must foster awareness and understanding and think out of the box regarding how the project and software can appeal to a broad group of users.
- The scope should include a review of controls to specifically detect potential bias. Mina thinks detecting bias is only part of the challenge. She proposes that at each milestone, the audit team should look for what is missing—perhaps region inclusion, culture inclusion, technologist inclusion, age inclusion or business inclusion. She has always been bothered by the half-hearted acceptance of IT audit results by business stakeholders, but she feels strongly that such reactions are due to a lack of collaboration and mutual understanding.
- One must code for change by exploring options with a broad audience. Mina believes technology and software development can explore and operationalize the kind of unique plans that only a broad and diverse set of individuals could create. Her proposal promotes adoption of a what-if monitoring philosophy throughout the Agile process with post go-live checkpoints.
- Real time, informative recommendations should be the final point. Mina is confident this will work well with the organization’s commitment to three lines of defense, leveraging technology-enabled human checkpoints while the information is fresh and relevant.
Where Do We Need Technology as a Diversity Catalyst?
The advantages of technology are twofold. First, as Mina’s CIO believes, technology can be an enabler that enhances exposure to new ideas, allows for unique ways of viewing a problem, and improves consideration of factors that impact outcomes. Diversity starts with an integrated risk/audit approach and strives to take advantage of every idea available. Second, technology enables many to participate instead of few, through collaborative workspace programs and network technology. Even the most basic aspect of video collaboration builds better bonds between all participants, stakeholders and clients.
A narrowly defined scope can ignore or discourage nontraditional ideation, threatening to exclude valuable information.
Technology that enhances ideation and project breadth, enables full team collaboration and even strengthens relationship building can be used across a variety of industries and disciplines as a diversity catalyst. Consider the following as food for thought:
- Technology-enabled diversity in the workplace means not only considering all possibilities and advantages, but also noting and encouraging participation through the use of network conferencing.
- Technology improves education by making resources more accessible and helps technologists meet users and students of all ages and backgrounds where they are.
- Technology in government helps establish operational frameworks, despite large amounts of data. It offers controls against cybercrimes and enables the correlation of vast amounts of data as countries and municipalities seek to support their citizens.
- Technology in healthcare serves two key purposes: safeguarding privacy while recognizing and evaluating diverse populations for potential illnesses and cures. The key is to define "diverse" so that no one is left out and anonymity is secured, thereby encouraging research participation that can lead to treatments that accurately serve a variety of populations.
- Technology is blamed for unduly influencing consumer opinions and buying decisions, but this risk can be mitigated. It is critical that oversight and governance be firmly established to avoid such undue influence. When governance is in place and monitoring is undertaken with due diligence, informed consumers gain access to a breadth of products and points of view through proper use of social media and web services in general.
Ultimately, diversity and inclusion are important because of this potential to improve everyone’s quality of life.
Ultimately, diversity and inclusion are important because of this potential to improve everyone’s quality of life. There will always be inequities, especially at inflection points where the definition of diversity needs to be updated. Keeping technology as a diversity enabler is exactly where the ISACA® professional adds value. What are some of the advantages of technology in enabling diversity? These areas would benefit from professional contributions:
- Recognize areas in which inequity is seeping. Include discovery points in risk assessments and audit evaluations.
- Avoid assimilating all data. Instead, favor a framework and scope that allows ideas to flourish. Engage more participants and stakeholders early on to achieve that creative objective.
- Practice inclusion. Be the bridge between development, the business and other stakeholders. Risk and audit professionals can leverage their objective roles to operationalize requests for inclusion. Start practicing inclusion in your own department by speaking up.
- Communicate widely, with timely feedback. Consider the broader audience when communicating by using media that appeals to different groups and meets people where they are. Ensure that sure your message is not lost in translation by soliciting feedback. Test during project milestones and evaluate whether early recommendations have been used, and if not, examine communications methods to see if they need improvement.
You Have to Do It to Get Good at It
It is important for experts in the field of risk management and audit best practices, to use technology themselves to set an example for others. It might be as basic as holding virtual meetings at multiregion-friendly times with a video-on requirement. Or it might be communicating the means by which you used technology to validate the diversity accuracy for the work scope. Consistent action by audit professionals increases diverse outcomes and fulfills the promise of technology as a diversity enabler, no matter the project and no matter the final objective. More ideas faster, with accurate proof of concept, enhances digital trust and yields better outcomes.
CINDY BAXTER | CISA, ITIL FOUNDATION
Is director at What’s the Risk, LLC. Her practice focuses on integrated risk control and process assessments for cybersecurity, privacy and business continuity/disaster recovery. She views risk management and control assessment as opportunities to learn the nuts and bolts of a business and help her clients worry less because gaps have been uncovered and a stronger operating model can be built. Baxter draws upon her experience in banking, insurance, healthcare and technology after holding compliance and management roles at State Street Corporation, American International Group (AIG), Johnson & Johnson and AT&T. When she is not doing risk and audit work, she enjoys volunteering on climate and environmental issues that impact her community.