
ISO 27001: Navigating Regulatory Compliance and Global Business Growth

In international business, where regulatory landscapes shift as quickly as market trends, robust and internationally recognized security protocols are vital. For companies actively pursuing regulatory licensing in multiple countries, one certification stands out as a beacon of trust and compliance: ISO 27001.

ISO 27001 and Its Relevance to Regulatory Licensing

  1. Understanding ISO 27001: It is an international standard governing Information Security Management Systems (ISMS), providing a systematic approach to managing sensitive information.
  2. Regulatory Landscape: By expanding across different jurisdictions, businesses face the challenge of complying with various regulatory requirements related to privacy, consumer protection, and financial oversight, such as the European Union’s General Data Protection Regulation (GDPR).

Alignment with Regulatory Requirements

For businesses handling valuable digital assets and financial information, ISO 27001’s alignment with regulatory requirements is pivotal:

  1. Common Language Across Jurisdictions: This standard’s universal framework often corresponds with various regional financial regulations (e.g., Basel III in Europe), making compliance more consistent.
  2. Risk Management and Compliance: ISO 27001’s risk management approach is essential in an industry characterized by rapid changes. It promotes a culture of preemptive risk identification and mitigation.
  3. Data Protection and Privacy: The standard’s emphasis on data integrity aligns perfectly with global data privacy laws, ensuring that sensitive financial information is handled with utmost security.
  4. Audit Trail: ISO 27001’s requirement for detailed documentation and robust auditing practices aligns with regulatory demands for transparency in financial reporting.

Simplifying the Journey to Regulatory Licensing

Adopting the discipline and process required by ISO 27001 can significantly ease the path to global regulatory licensing:

  1. Holistic Approach: Rather than isolated compliance efforts, ISO 27001 fosters a unified, company-wide perspective, potentially cutting down time and expenses.
  2. Building Trust with Regulators: The certification can demonstrate a firm commitment to international best practices in information security, possibly expediting licensing procedures.
  3. Continuous Improvement: The refinement process ensures adaptability to ever-changing financial regulations and standards.

Conclusion

In a world where regulatory expectations and security needs are evolving, ISO 27001 certification is more than just a security measure. It aligns closely with the multifaceted demands of global regulatory compliance, particularly for businesses dealing with diversified portfolios and digital assets.

The integration of ISO 27001 can act as a cornerstone in global expansion, streamlining compliance, and building a resilient foundation for growth. It’s a pathway marked with clarity, efficiency, and trust that resonates with regulators, clients, and partners alike.

By embracing ISO 27001, businesses are empowered to traverse intricate regulatory terrains with assurance, utilizing globally recognized standards to forge a distinct advantage in the multifaceted and interconnected world of finance.

Stop the Madness!

Today, I want to address a common trend that I’m sure many of you can relate to—the barrage of connection requests from unknown individuals without so much as a simple introduction. You know the ones I’m talking about; the vague messages promising “synergies” and “mutually beneficial opportunities” without any natural substance or context. It is time to call out this practice for what it is—a time-wasting turnoff that rarely leads to meaningful connections.

The Cold Selling Conundrum

While I understand that LinkedIn is a platform for networking and business opportunities, it is essential to remember that authentic connections are the backbone of successful professional relationships. Cold selling and generic connection requests miss the mark, leaving a negative impression on the recipient. It’s like walking into a networking event and immediately shoving your business card in someone’s face without even saying “hello” – it is impersonal and off-putting.

Why It Doesn’t Work

Let’s be honest; does the “spray and pray” approach yield desirable results? Rarely. Recognizing that genuine business relationships are built on trust, mutual respect, and genuine interest is crucial. Sending a connection request with a thinly-veiled sales pitch rarely fosters those qualities. It can even damage your professional reputation and brand.

The “Business Development” Turn Off

A particular group seems more notorious for these cold selling tactics—individuals with “Business Development” or “Sales” in their job description. While I respect the role of business development professionals, the constant bombardment of generic connection requests without any effort to build a genuine connection is disheartening. It leaves us questioning whether they are genuinely interested in networking or merely in pursuit of meeting their sales targets.

The “New Kid on the Block” Ignore

Another aspect that’s an instant turnoff for many is the flood of connection requests from individuals who have recently joined a new company and are eager to sell us “the next best thing.” Don’t get me wrong; I’m sure that everyone appreciates innovation and exciting products or services. But when someone we barely know dives into a sales pitch about a service or product they’ve just started selling, it raises a red flag. It’s hard to trust that their recommendation is rooted in experience and understanding of the service or product’s value.

A Better Way to Connect

Before we get disheartened by the countless generic connection requests we’ve received, let’s shift our focus to a more meaningful approach to networking on LinkedIn. Let’s embrace authenticity and genuine engagement as the driving forces behind our connections.

Personalize Your Invitations: When you reach out to someone on LinkedIn, take a few moments to craft a personalized message. Introduce yourself, explain why you’re interested in connecting, and find common ground. It shows that you’ve done your homework and are genuinely interested in building a relationship.

Add Value First: Instead of diving straight into your pitch, focus on providing value to your connections. Share valuable content, offer insights, and engage in discussions. People are more likely to respond positively when they see you’re here to contribute, not just sell.

Respect Boundaries: Not everyone will be open to connecting, and that’s okay. Please respect their decision and move on. Building a network is about quality, not quantity.

Engage in Meaningful Conversations: Once you’ve made a connection, nurture it with genuine interactions. Engage in thoughtful conversations, offer support, and be a resource to others. This paves the way for meaningful collaboration in the future.

Let’s Create a Better LinkedIn Experience

LinkedIn is a platform that connects professionals from all walks of life. Let’s harness its power for authentic networking, knowledge sharing, and uplifting each other.

So, the next time you hit that “Connect” button, remember the power of genuine engagement. Let’s replace the “hope” of selling with the certainty of building lasting professional relationships that make a difference.

Please feel free to share your thoughts on this topic in the comments below.

Software Testing


Delivering good news is easy

However, people who test software for a living need to do one thing really well – and that is:

have the uncompromising ability to deliver bad news.

And there are lots of really dedicated folks out there who do just that. But there are also some who often mean well, but bend to real (or perceived) management pressure and compromise. A deadline, after all, is a deadline!

By “managing the message” – i.e. avoiding red RAG status events – Quality Assurance Managers often lull stakeholders into a false sense of security. This can result in different types of unsavory scenarios; it does wonders for lowering overall team morale (the team, more often than not, knows the real story) and it wastes time and money.

How often have we seen elaborate test strategies degenerate into last-minute scrambling as integration and acceptance-testing cycles shrink and are pushed out to the right due to dirty data, broken functionality and environment issues? It’s a cycle that’s tough to break – but it needs to be broken.

Use The Force

Testing needs to be given the attention and recognition it deserves.  Just because it appears at the end of the food chain doesn’t mean that it’s not vitally important.

Tollgates that restrict movement of functionality from Development to System Integration Testing (SIT) through to Functional and User Acceptance Testing (UAT) and final implementation need to be strictly observed and deadlines that inevitably shorten cycle times need to be flexible enough to accommodate doing what is right, not just what is allowed.  On paper it’s all very simple, but in practice it requires conviction, courage and resolve.

Releasing untested code into UAT – or worse into Production – should be avoided. “Conditional Sign-offs” at the end of the day mean very little (as everybody ultimately forgets the conditions and only remembers the sign-off). Once bad code is implemented, operational “workarounds” are inevitable and extra work to plug the holes often prevails. Succeeding releases are delayed while bugs from the earlier release are being rectified and the vicious cycle deepens.

Over time, these workarounds are often baked in to normal day-to-day operations and are accepted as common practice. They linger, sometimes for years; users work longer hours and overall cost increases.

Nomenclature

Once your company has adopted an agreed testing approach and standard terminology, changing the language to suit the level of tested code only leads to confusion. Where I worked, there was no such thing as “Pre-UAT” – the correct terminology was “SIT”. “Functional Acceptance Testing” may as well have been called “Failure Acceptance Testing” because that’s all that was really happening.  Don’t allow any re-branding – this only serves to mask the real issue.

So the next time you see a quantum shift in the project RAG status – have a word with the testing team; check the Traceability Matrix to make sure that all requirements bases are covered and make sure the users are happy with all testing results.  It can save you a lot of money in the long run.

For those interested in the complexities of Software Testing – you should check out the wiki page.

Photo: Courtesy of Google Images

Post Implementation Reviews


Note: This post was originally published (by me) on May 22 2014 on LinkedIn. You can navigate to the original post by clicking here.

Where I now work (and in several places past), a Post-Implementation Review (or PIR) is routinely performed by the Program or Project Manager, assisted by PMO, after every reasonably-sized project has been implemented – and then the “Lessons Learned” from that effort are meticulously applied to benefit subsequent projects. At least, that’s the theory…

The PIR process – which is rarely a trivial exercise – typically seeks to identify, document and highlight several things:

  1. Determine “Lessons Learned” – how can future projects benefit from mistakes made or new “best practices” that have been identified as part of the current effort?
  2. Determine whether or not the project was “effectively managed” and was run according to pre-agreed standards (these tend to vary, but invariably follow the same set of precepts).
  3. Determine whether or not project objectives were met and anticipated benefits were ultimately delivered.

“All good stuff” you might think. And it is. But this is where the fun begins.

When the next project is kicked off, we expect everyone will automatically be familiar with the updated list of “Lessons Learned”, that people will actually fine-tune their future behavior to incorporate the findings, and we also assume that the larger problems identified in the PIR will have been addressed as a matter of course.

We are often disappointed.

Groundhog Day

The problem is, some of the bigger problems identified such as:

  • Data Ownership / Data Issues
  • Language/Taxonomy Issues
  • Environment Availability/Setup Issues
  • Configuration Management
  • Production Support

are, if deemed inadequate, more than likely large enough to warrant their own remediation projects. These remedial projects rarely happen given the already full “book of work”, and so the same problems tend to persist. They wreak the same havoc on project after project – time and money are invariably wasted.

Additionally, recommended behavioral modifications with regard to (for example):

  • Inadequate Planning
  • Discipline regarding Requirements Traceability

which would normally dictate additional training, are often overlooked. A major false economy, in my opinion.

Benefits are also sometimes difficult to gauge when only a 90% solution has been delivered. Hidden work – and hidden costs – plus antiquated systems persisting past their life expectancy – along with tactical workarounds (some manual, some automated) make an accurate benefits assessment subjective at best. Constant flux provides the real challenge.

Are Lessons Really Learned?

From my point of view, collating the “Lessons Learned” is often one of the only objectives that is ever effectively realized and this is where it gets really tragic (and interesting).

Companies spend vast amounts acquiring tremendously powerful knowledge and – despite the recommendations of every Project Management framework – then ignore it when it’s time to actually leverage that knowledge.

Would you, using some extreme examples, attempt to walk/run across the Sahara or swim the Channel without intense preparation, research and training? Not likely. So why do so many Project Managers ignore this crucial first step of discovery?

So – how do we become more effective? How do we really incorporate “Lessons Learned” and break the vicious cycle?

At a minimum, scouring the Firm’s knowledge-base or PIR Repository (assuming you have one) should be the first order of business when embarking upon any new project. If you know what you’re up against, you then at least have a fighting chance. Bake this discipline into your Project Initiation schedule and promise yourself never to short-change the effort.

What do you think? What happens where you work? Please feel free to comment.

Photos: Courtesy of Google Images

CEAVOP


I first heard about CEAVOP a year or so ago.

After he had looked through a presentation the team had prepared, my previous manager, an accountant by trade, gave us insight into how he thinks by explaining and then challenging each dimension of the presentation per his CEAVOP ‘method’. I left the meeting having learned something new – always a bonus!

I have been working in Financial Services for many years and as far as I can remember, I had never heard the term up to that point. I was intrigued – so I Googled it and was really surprised to find a relatively small number of results (the search yielded 1110 results at the time of writing this article, with most results not really being that applicable).

In a nutshell, “CEAVOP is an acronym used to represent assertions of a control in financial auditing”. It stands for:

  • Completeness
  • Existence
  • Accuracy
  • Valuation
  • Ownership
  • Presentation

If you think about it, it is not a bad system to apply to most pieces of work. From my point of view, its value is not just limited to audits. For example: It can also be applied to pretty much any document/specification or even a Project Plan:

  • Is the specification/plan Complete?
  • Are all requirements/tasks represented (Existence)?
  • Are all requirements/tasks Accurate?
  • What Value will the initiative add?
  • Has Ownership been determined for all work, risks, issues, dependencies and any next steps?
  • Has everything been adequately and clearly Presented in the specification/plan?

Try it out on your project – think flexibly when using it. Chances are, after challenging your efforts by applying even some of these assertions, you will have created a greater quality product.

Photo: Courtesy of Google Images

Note: This post was originally published (by me) on March 24 2014 on LinkedIn. You can navigate to the original post by clicking here.