What is your current maturity level and your future ambition level?
We need to know where we are in order to determine where we want to go. A baseline helps us to determine where we stand (the maturity level) and where we want to go (the ambition level). You could say that a baseline turns qualitative positions and goals into something objective and measurable.
There is a whole range of baselines. Sometimes baselines are so well established that we regard them as standards (e.g. number series, units or, more practically, container dimensions or track gauge). Legislators increasingly oblige companies to account for how they organize compliance with legal requirements, for example by taking appropriate and effective control measures aimed at protecting data. Companies in turn impose such requirements contractually on their information service providers.
What counts as appropriate and effective controls within business processes supported by IT systems? With the help of baselines, a company makes the requirements for its business processes objective and verifiable.
How can we help you?
Do you have questions about organising, implementing or expanding your compliance operations? Our service owner, Caroline Willemse AA RE RFG or her colleagues, would be happy to discuss your specific case.
Embrace standards and baselines
Baselines are created within all kinds of forums. Sometimes it is standardization institutes (e.g. ISO, W3C, OASIS, NIST, NEN or many other organizations) that develop and maintain generic standards and baselines. Embracing standards and baselines makes it easier to organize business activities, collaborate with other companies and exchange data meaningfully. It is wise for management to consider each year which standards and baselines the company should use for organizing its activities.
Applying standards, and in particular baselines, is a group process with the aim of determining the maturity and ambition level. Using this information, employees build step by step towards the ambition level using a “plan – do – check – act” cycle.
Managing and maintaining the standards and baselines could be an activity of the business compliance function.
Drawing up and managing (company-specific) baselines
Depending on its business activities, company management chooses the standards and baselines. The legislator can require the company to apply standards, customers can require the use of standards and baselines from their supplier(s), and the organization of business activities can be more effective and cost-efficient with standards and baselines.
We can identify baselines when organizing business activities. Some examples:
- Organizing the information infrastructure: The information infrastructure often consists of a network, databases and systems with which a company’s employees communicate with each other and with the outside world. Companies increasingly use cloud suppliers to organize their information infrastructure. This does not alter the fact that the company must manage these infrastructures, or have them managed. Baselines are available to make purchasing and managing these infrastructures easier; think of ISO, NEN or NOREA models.
- Organizing IT systems to support business processes: Management sets functional and non-functional requirements for IT systems that support business processes, including the control measures built into them. When IT systems are developed, the requirements are reflected in user stories; when a package is selected, they are reflected in a baseline used for the package selection.
- Making agreements: Baselines are practical and effective for making agreements. During a request for information the baselines grow, and during a request for a quote they form a practical testing framework. During contract management, the baselines help to manage mutual expectations.
Baselines give confidence that no essential functionality has been forgotten and avoid agreeing on duplicate functionality. Baselines are not static, because laws and regulations, contractual agreements and policies can change them.
Companies use baselines when managing changes in the organization of their business activities.
Before we can start, we need an overview of the responsibility and liability domain, and insight into the business activities of organizational units.
- Compiling company-specific baselines and, if desired, managing them: Based on the current picture of applicable laws and regulations, contractual agreements and policy, we compile company-specific baselines in collaboration with employees. In doing so, we use available and proven sector- and segment-specific baselines as much as possible. A baseline can relate to the technical information infrastructure or to functional and non-functional requirements for IT systems. A baseline can also relate to a theme, for example the processing of personal data.
- Applying baselines: We use baselines in change and selection processes. We use a baseline to “measure” where we are (the maturity level) and where the organization wants to go (the ambition level). The chance of a successful change process increases if the employees’ capacity for change is in line with the change steps towards maturity. The IT systems selected to support the business processes must be appropriate for the change process to be undertaken.
- Maintaining the baselines: Changing business activities, legislation and IT systems require maintenance of the baselines. By working with general baselines as much as possible, maintenance can be limited.
It is natural for the business compliance function to manage the agreed standards and baselines and to help the functional departments apply them effectively.
It sometimes happens that a company hires external professionals to manage parts of the standards and to apply the standards and baselines. An example is MYOBI’s TTP policy, which includes the code of conduct aimed at protecting personal data and information security. The maturity levels are reflected in the Accountability Seal.
The engagement consists of:
- Based on the research, determining which steps must be taken to be (demonstrably) compliant with the baselines; and
- Documenting the justification for an outcome in order to demonstrate compliance.
We use a methodology for compliance with baselines. The results of this methodology are a report of findings and other reports, on the basis of which operational improvements can be initiated.