NJP

10/13 Ask the Experts: 3 Essential Questions for a Successful Compliance Communication Plan

Import · Oct 13, 2020 · video

...on for just one more minute. I still see attendees joining us today, so we're going to have a good crowd.

Yeah, let's see if they're lively on this Tuesday morning (afternoon) and post some questions. We've had some really, really lively ones lately, so I'm hopeful.

Right. All right, well, we have 15 attendees. I'm going to say let's go ahead and get started so we don't lose any time. So take it away, Teresa.

Great, thanks so much, and hello everyone, good morning, good afternoon or good evening depending on where and when you're joining us. I'm here today with Dorian Cougias, who is co-founder of Unified Compliance and the primary architect of the Unified Compliance Framework and its SaaS portal, the UCF Common Controls Hub. Dorian serves as an advisor or working group member to the Payment Card Industry Council, the Financial Technology Forum and other industry organizations. He served as an adjunct professor of technology, lecturing and serving on the board of advisors for the University of Delaware College of Human Services, Education and Public Policy. As an award-winning speaker and well-respected author of 12 books and two certification programs, he has extensive knowledge in all areas of information technology. Before I turn it over to him, I just want to talk a little bit about the newest enhancements to GRC that we've been talking a lot about. I can go to the next slide, Dorian. It's been helping you comply with regulations like NIST RMF using our Continuous Authorization and Monitoring application, or best practices through the CIS Controls accelerator. We've also got enhancements in November to help you keep pace with the ever-changing regulatory landscape using the new Regulatory Change application and the Thomson Reuters intelligence feed. So we've got a lot of things happening here in the Paris release, which is why we have this beautiful monument here. But before you can begin planning your compliance programs, you must understand your organization's structure and communication patterns.
So on the next slide we're going to kind of get into this. Without a clear understanding of organizational structure, you won't be able to identify the appropriate authority documents and understand which parts apply to your organization's situation and which don't. It will definitely influence the communication plan and your overall success strategy. If you're unsure of where to start, we have Dorian here to explain the answers to three essential questions designed to help you properly map your compliance strategy. Dorian, can you tell us a little bit about that?

Absolutely, and good morning, good afternoon and good evening, everybody. I'm Dorian Cougias, as she said, and we're going to really talk about three things today. This isn't about our software or about any other software, because before you can put any software into place, before you can put any compliance program into place, you have to understand that when we say "we are complying," "we" means you. It means your organization, and as a compliance professional you have to move your compliance plan through your organization. Now, you notice I've got three URLs down here on the bottom of this. There's a course based around this, a free course that you can take; that's the top URL. The middle URL is an organizational structures questionnaire that we're going to show you in the middle of this to help you create your compliance plan. Absolutely free, both of those. And on the bottom of this there's a document called Framework from GRC Schema that we're sharing, which has this in an online ebook format along with what I call a master's course in understanding organizational structures and organizational communication. So I wanted to put those three things up front for you. So let's begin. This is a very, very simplified version of a compliance awareness plan. You've got to have one. You've got to understand how to communicate compliance to your organization. You've got to have a plan to say, hey, look, this is how we're going to move this
forward, because if you don't have a plan, you're going to fail. So how do you put one of those things together? Well, you've got to answer three questions. The first one begins with: what are the most common organizational structures? Okay, so you might or might not have seen this. This is what's called a circle, or circular, organizational structure. While it might appear drastically different from other organizational structures you've seen, the circular structure still relies on a hierarchy, with the higher-level employees occupying the inner rings of the circle and lower-level employees occupying the outer rings. Then there's the customer- or market-focused. Okay, certain industries will organize by customer type. This is done in an effort to ensure specific customer expectations are met by a customized service approach. Then there's the divisional focus, the one that most of us have seen. Larger organizations that operate across horizontal objectives will sometimes use this organizational structure. Under this structure, each division essentially operates as its own company, controlling its own resources and how much money it spends on certain projects or aspects of the division. Then there's divisional geography-focused, where within this structure divisions can also be created by geography, you know, with the company having divisions in Freedonia, Upper Slobovia, Lower Slobovia. By the way, if anybody's never seen the Marx Brothers, that's where Freedonia and Slobovia come from, an old Marx Brothers movie which I love. One of the things I want to say going through this, guys and gals: if you have questions, I'm not the type of presenter who wants them all held at the end. As we're going through this, if you have a question, ask the questions to them, have them interrupt me, because I want to get your questions answered as we're going. I want this to be a give and take between us. So we've got the geography focus. There's also the
market-focused. Okay, it's another variety of divisionally organized structures. It's the market-based structure, where the divisions of an organization are based around markets, industries or customer types. Then there's divisional product-focused. Okay, this is another common structure, where each product falls within the reporting structure of an executive, and that person oversees everything related to their product line. I don't know if you've ever seen this one before, but it's what's called a flatarchy. Okay, this is a blending of a functional structure and a flat structure, which allows for more decision making among the levels of the organization and overall flattens out the vertical appearance of the hierarchy. Funny enough, this flatarchy is how our company, Unified Compliance, works. Then there's the functional. Functional structures are based on organizations being divided up into smaller groups with specific tasks or roles. Common departments such as human resources, accounting and purchasing are organized by separating each of these areas and then managing them independently of the others. Then there's the matrix. Matrix is a blend of a functional organizational structure and a productized or projectized organizational structure. In the matrix structure, employees may report to two or more bosses depending on the situation of the project. A matrix structure... Paul has raised his hand, so somebody might want to take a look at that. Okay, a matrix structure provides for reporting levels both horizontally as well as vertically. Employees may be part of a functional group, i.e. engineering, but then they serve on teams that support new product development, i.e. a new album. This kind of structure may have members of different groups working together to develop a product line. Then there's network-based. A network structure is often created when one organization works with another to share resources, or if one organization has multiple locations with different functions and
leadership. You might also use this structure to explain workflows if much of the staffing or services is outsourced to freelancers or multiple other businesses. And funny, this is how we also work with folks like ServiceNow, because together we and ServiceNow get together on how the UCF is going to integrate with their product, so we have sort of a network-based hierarchy between us. And then finally there's process-based. Whoops, wow, I did not want to scroll that up there. [Laughter] Process-based organizational structures are designed around end-to-end workflow, different processes such as customer acquisition and order fulfillment. So in your organization, okay, you actually have to understand the type or types of structures that are in place. Now, what I'm showing here is a worksheet online. In those URLs I gave you a URL to get to that kind of worksheet, and we're going to see in a few minutes what you're going to do with a questionnaire for that as well. So this is one of the things you really need to have on hand, to say, hey, look, when I'm working with these different departments and they need to implement different types of authority documents and different types of control plans, what kind of structure do they have? Because that structure is going to affect how you talk to them and how they implement compliance. All right, that's structures. Within structures there are leadership styles that we have to understand, all right, and that's what we're going to go through next. So groups are made up of people, okay? People need to communicate with each other, and within every group there is some type of leadership structure that exists. We're going to go through the six common elements of leadership and communication found in most organizations. All right: lines of authority. A line of authority, or chain of command, is that thing that defines who reports to whom within the organizational structure. This is the bedrock element of all organizational
structures. The line of authority can be short, i.e. like the flatarchy, the shortest of all of course, or it can be pretty lengthy, such as within the large divisional and geographic structures. So the first thing you need to understand is what's the line of authority and how deep that line of authority is within each of the groups you're working with. Then there's span of control. You need to understand the span of control, or the ratio of subordinates to superiors. The higher the ratio of subordinates to superiors, the wider the span of control that you're going to have to deal with. Span of control: is it going to be centralized or decentralized? Okay, in centralized, decision-making power is concentrated in one person; in the organizational structure, you know, this person here. Decentralized, meaning it's spread out, means that other people, not just the person at the center up here, make the decisions, but people down below can actually make decisions. When I say make decisions, I mean make decisions with authority. Specialization. High specialization, or division of labor, can be beneficial for organizations because it allows authorities to become masters in specific areas, increasing their productivity as a result. However, low specialization... gosh darn it, let's go back here. Low specialization allows for more flexibility, as employees can more easily tackle a broader array of tasks, as opposed to being specialized. Specialization comes into play especially when you're talking about complex compliance. You know, we have CMMC these days, we have a bunch of other types of compliance where you have to look at log analysis, you have to look at configuration analysis, you have to look at SaaS analysis, you have to look at all that stuff. How is the specialization going to affect the organization, whether it's low or high? Formality. Okay, a formal organization structure seeks to separate the individual from the role or the position, as the role or position stays the
same regardless of who's holding it. So in a formal structure you're dealing with a role, not a person. An informal structure, on the other hand, places more value on the person and not the role. It allows for the evolution of a role or position based on an individual's preferences and skill sets, and it places less importance on what team or department that individual is a part of. I'm going to go back to this one for just a second. Okay, roles versus individuals doing them. When you look at compliance, especially if you look at NIST, you see a lot of these things talking about who has to do what. When they talk about who, they don't mean Sue or Joe; sometimes they're talking about the role that's out there. So when you're dealing with a compliance plan, are you going to be assigning it to a role, or are you going to be assigning it to Joe, knowing that Joe plays a bunch of roles and that Joe or Sue or Sandy are going to be able to carry it through? And if you're assigning it to a role, are you ensuring that the role itself, the person in that role, is trained for that role? Departmentalization. Okay, if an organization has rigid departmentalization, each department or team is highly autonomous; there's little or no interaction between the different teams. In contrast, loose departmentalization entails the teams having more freedom to interact and collaborate: the siloed versus non-siloed approach. When talking about compliance, when bringing your compliance plan out to your organization, I've seen programs where you go to talk to support and you need support from both sides, and so you, as the compliance person, think, great, I need to go and deal with the support person on both sides of these things. The problem is, in a formalized department organization, you have to traverse all the way to the top to be able to talk from one side to the other. In a loose departmentalization, you can actually deal with people in different
groups. You have to know that, because what you don't want to do is start teeing off people before you begin, and I've seen it happen both ways. So you've got to understand in your environment, okay, how is this playing out? There's that second sheet in a workbook that we have for you that you need to have on hand as you're going through, when you're talking with your organization and you're marrying up the first part, what kind of structure you have, with how they communicate within those structures. Now I'm going to get to tying all this stuff together; we're not going to leave you hanging. All right, so in your organization, with your structures, what do you do? You have to then ask, hey, look, how do we do this? How do we put this together? This is where we're going to jump out and put this together, right here, by clicking this. All right, I just clicked a live URL. Now look at this: there's nothing to sign in to; we're not selling anything here. I gave a lecture at a university the other day and somebody said, oh, you're trying to sell something. No, we're not. Look, and your privacy is important to us. So when you're going through, take the short survey. What are you? I'm going to say my organization is a flatarchy. All right, organizational lines of authority and communication: you use this to slide what you know, narrow or broad. We're fairly narrow; we don't have much span of control. Decision making is very, very decentralized overall in our organization. We have a modicum of specialization. We have, I'm just going to say, a little bit of formal communication, and we're going to slide that all the way down to almost no departmentalization, because everybody does everything. And then what you want to do is understand the different groups. Okay, now I'm going to go back to this, because when you're looking at this and you're putting a plan together, that plan that I was talking
about was based on individual groups, all the way back where we were. You're going to want to roll this out to one group at a time. So this is just an online form. If you have 50 groups, just do me a favor: go take this stupid thing enough times. Somebody said, why can't I have 10 groups? Well, dude, if you're trying to talk to 10 groups at once, you're going to fail. So pick the number of groups you want to start to attack. Give them a name. All right, I'm going to call mine "developers." And who's in charge of this group? I'm going to say Sean is in charge of our development group. How many additional people would we need to contact? Well, you know what, in this group, because it's Sean's, I don't need to talk to anybody else. And so I'm going to say that the line of authority for this specific group is really shallow, span of control is pretty narrow for him, group decision making is going to be very centralized because it's one guy, group specialization actually is pretty mellow there, group departmentalization... "From within the groups you specified, which group do you feel is easiest?" Because I said one, I'm going to say it's developers, because I only have one group. And when I say submit, it's then going to email me, it's going to send me at my email address a plan, and it's going to say: this is what you picked, this is how you put this together, this is where everybody is on this. Okay, this is the basics of a plan, and it's going to send you something like this, with the document here filled out. This is what you need to have as the beginning of a compliance plan. Okay, this is a very, very, very basic beginning. Why do we care about any of this? The thing you're seeing here... oh, I love this. When I did some editing, my picture decided to move off the screen; I was supposed to be pointing at it. These are the elements of compliance. Okay, this thing you're looking at underneath, if you looked at the
data structure of ServiceNow, if you looked at the data structure of the Unified Compliance Framework, you have all of these data silos. In the top left here, the things that kind of look like little water drops, we're going to look at that in a second, because that's what we're talking about today, that cornerstone. But then beyond that, how the groups interact with authority documents, how those authority documents then have citations and common controls and then go out, tied to assets, working or compliance documents, or roles, or events, or audit questions, or organizational functions, or records. All of that ties together, and it begins here, because every account in ServiceNow has individual groups, and those groups have users. Users, of course, belong to an account, and users, of course, belong to groups. You've got to understand how you're going to communicate compliance to those groups, and those groups are made of these structures with these lines of communication. Okay, it's that combination that's the very, very basics that you have to understand, that you're then going to roll out, because you see those groups, and you will create authority document lists from those authority documents, and how you're going to communicate those authority documents to those groups is based upon your understanding of how compliance plays through all of that. That's the authority document lists to the authority documents part. What you don't want to do is get the wrong authority document lists to the wrong groups. You don't want to communicate compliance to your organization in a way that they're going to reel from it. You want to communicate it in a way that they're going to want to accept it and move forward with it. I'm going to jump into... so online there is a course that you can go through, the basics of all this. Online also is an ebook about organizational structures. Here's where we've been talking about all of this stuff. Here it is online for you guys to go through. This
is the basics. Okay, this is the very, very basics and fundamentals of what you need to know, and the basics and fundamentals of communication that you need to know, and how you can put this together into your own... There's a worksheet; there's the worksheet doc I was talking to you about. If that's the basics, one of the things you need to know beyond that is how your organization has evolved over time and how those structures and those communication plans then fit in. You have to do organizational structures 101. If you don't understand organizational structures 101 and you don't have a plan to match your compliance program with how you're going to communicate to everybody in your organization, you're going to fail, I guarantee it. You don't have to understand it at what I call the 401 level. If anybody's been to college, we know the difference between the 101 and 401 level. Okay, the 401 level takes you all the way through all of these different stages: the early adopter stage, the chasm, the early majority, the late majority, the laggards, all of that stuff. Because believe it or not, your organization, I don't know if you've ever heard about it, but your organization actually has a thing called an organizational character index. If any of you have ever heard of Myers-Briggs, we've worked with a great group of people and we've adopted the organizational character index score, so you can go through and you can then audit yourself. And I'm going to open this one up in a new tab. You can take a Myers-Briggs indicator test about your organization. This one's long; this one's about 40 questions. And when you submit that, that will then help you really go on in and say, hey, look, here's how it breaks down, here's all the different cases, and here's how to apply all of that to each of your organizational... your Myers-Briggs. Okay, if your organization is an ENFJ, this is then how you communicate, how they respond. Are they extroverted, intuitive, feeling,
judging? Then you have to take those plans, and here it is at the very bottom: how to put it into context, how to get to the point, how to communicate to them. You can't do any of this, you can't get to that master's level of communicating your compliance plan, if you don't start here and understand the lines of authority and understand the organizational structures, and that's what this is about. The folks at ServiceNow are here to help you do this. We're here to help you do this. If I can ask anything of you, it's: understand your organization, understand who you're communicating with, understand how they want to be communicated with, before you start running around saying this is what we need to comply with, because you have to tailor that message to each of those people. And with that, I'd really love to answer some questions.

I don't see anything in the chat right now, but this was incredibly educational. I actually put the document that you sent along in the community post out on our GRC community, which I put the link to in the chat window here. But this was just fabulous.

So then I'm going to ask you guys in the audience that are here, and I want anybody to jump in on chat or questions: has anybody out there yet actually thought about going through and saying, hey, look, what kind of organization do we have, and how are the communication structures formed in our organizations? Just raise your hand. How many people? Because we could do a hand-raise thing, right? Is there a way people can let us know yes and no?

Yeah, they can just put it into the chat. I don't think on the webinar version of Zoom we have the hand raising.

Oh, okay. So I'll tell you what, then: go into chat and answer me this, the folks who are still here, how many of you say yes or no in chat, and make sure it's to all... I don't know if you can do it to all participants or all panelists. Okay, all
panelists, and we'll do a count. So I've got one yes that's gone through, somebody's gone through and said, yes, I'm marrying, or I understand how my organization is structured and I understand the communications flows. One yes and one no so far. Wow, lots of options. There's a few questions. Well, that's good. Outstanding. So from you yeses, I'm going to ask you for a second, as you're communicating: for those of you who have gone through and understood, has understanding the communication structure allowed you to tailor your presentation of compliance to your organization? Yes. "You sound like talking to my dad." Looks like it has. Okay, it helps, it absolutely helps. Have any of you, and here's another question, have any of you tried to put a compliance plan through your organization without understanding your organizational structure, and then all of a sudden got shot down by the people you're talking to simply because you got the audience wrong? "Indeed, but I have a chance of being an external advisor, so I always have to learn the company, customer and its organization first." Yeah, absolutely, and reading that from the chat, absolutely. You know, I'm also an external advisor. As I started doing compliance, I had gotten out of a different organization, left the military, got out of a different organization and started doing it as an advisor, and I've got to tell you, the first massive failure I ever encountered was down at Honeywell. And I'll own up to it. I went down to Honeywell, and boy, I thought I knew what I was doing. I was a senior officer in the military; Honeywell was very structured; I figured this is going to work great. I went in there in my very structured approach and sat down with their CIO council and said, this is the way we need to do things, and this is the way we... And they
looked at me and they said, okay, that would work if we were a divisional organization, but even though we're a divisional organization on the outside to everybody, we're not. We're a functional organization that has cross-communication between everybody, so why don't you just chill the heck out and give us a compliance plan that's based on how we work? And, you know, we have these centers of excellence here where these people will work across the board in Fram and the NASA side, the JPL side of Honeywell, on configuration; these people will work on how schemas get rolled out for data; these people will work on information flow. And I started laughing at myself and said, yeah, screwed that one up, didn't I? And went back that night, licked my wounds, drank a bottle of whiskey, went back the next day and said, hi everybody, how are you, my name is Dorian Cougias, let's start again. How many functional people do we have in here? And so, yeah. And so I got in chat: "It's not full science, so yeah, we fail, but we learn from it and we fail less." Absolutely. "And those who go forward without understanding the organization, the sponsors and the breakers, they're going to fail even more." And that is absolutely the truth. You know, I'd love to say that rolling out a compliance plan is science. It's social science at best. It's understanding people and how to communicate with people, in a very legal way, in a very technical way at times, but it still has to be a communication with people. And it's funny, I'm going to go down to this part. If you took a look at this Myers-Briggs indicator test and you went through this and answered it honestly, it will tell you the personality of your organization, and then you can marry that personality of your organization with all of the ways to roll this stuff out. And then what you have to do, I'm going to go back to my deck here, is you've got to make sure that you have the right groups in that organizational structure
and the right users in that organizational structure in your ServiceNow product, so that you're communicating the right authority document lists to them, and as you're communicating it, you're taking what you have in ServiceNow and those groups and marrying it with that communication plan, because all of them come down to maybe a five- or six-point communication plan. People are simple. They want to be communicated with in a simple way, and if you can boil down how to talk to them, saying, look, you know, these guys want real data; some people want fluff, some people don't want fluff; some people want numbers and they want plans and they want to know who's gunning, and all those other things; and then others just want time for listening to the perspectives of the team. That's what rolling out compliance is about. You have to marry it to the groups, the authority document lists that you're going to communicate. Do we have any other... I don't see any other questions.

Okay. Again, I think this was really amazing, extremely good information, and if you scroll up in the chat for all the participants there, you'll see the link to the community page that has the document on it. So Dorian, thank you so very much for being here, for talking to us. We really appreciate it. Again, learned a lot, and this will be up on the Ask the Experts YouTube channel so that people can continue to watch it and you can pass it along to your co-workers. Thank you, everybody, and thank you for your time.

Awesome, thank you all so much.

https://www.youtube.com/watch?v=Mra_pPXeA1o