A strategic plan should deliver more than just a document that sits on a desk collecting dust – it should deliver a strategy that drives real action and real change. It’s about bringing stakeholders – management, staff, vendors and customers – together in more efficient and effective ways. It’s about delivering better, more innovative tools and technologies that better serve stakeholders. Strategic planning is about much more than a planning document – it’s about strategic change and action.
At Smartpro Solusi Asia Consulting, we use our methodology for strategic planning and execution. It serves as a framework to help organizations create strategic plans that lead to action. Below is an image of our framework.
The five steps of strategic planning, shown in the framework above, usually take eight weeks to 12 months to be carried out. The timing depends on the complexity of the organization and the number of stakeholders to be involved. Below is a brief summary of the five steps:
- External Assessment – focuses on gathering information on outside factors that impact the organization. This step includes identifying relevant trends, improvement opportunities and potential threats that will shape the organization’s ability in fulfilling its mission.
- Internal Assessment – focuses on gathering information about the internal processes and capabilities that enable the organization to provide products/services to its customers. Strategic plans are more likely to be implemented successfully when the internal organization is well-positioned to support it.
- SWOT Analysis – data gathered during the previous two steps will be used as input into the SWOT analysis. The SWOT is a simple and practical framework for analyzing an organization’s strengths and weaknesses as well as the opportunities and threats it faces. It will help the organization focus on its strengths, minimize threats, and take the greatest possible advantage of opportunities available. The SWOT will also be used as the basis for the next step, Strategy Development.
- Strategy Development – focuses on clarifying and building consensus on the purpose of the organization, where the organization wants to be in the future and how it is going to get there. The key outputs from this step are the organization’s mission, vision, values, strategic issues, parameters, goals & objectives and organization-wide strategies.
- Action Planning – is the last step of the strategic planning process and is an important link to strategy execution. This last step is critical to ensuring the organization’s newly developed strategy is implemented and measured. Innovation workshops can provide the necessary platform for new, divergent thinking on how the organization can implement organization-wide strategies that were identified during the previous step.
The five playbooks of strategy execution are used in following months and years to execute the newly developed strategy. Our strategy execution is centered on change management best practices that are integral to executing strategy and transformational changes. The playbooks are:
- Visible Sponsorship – focuses on identifying and preparing highly influential stakeholders to take an active role in visibly (and effectively) sponsoring the strategy at various levels of the organization.
- Proactive Communication – aligns the strategy with the project phases and key milestones to ensure that the right messages are delivered to the right people at the right time using the most appropriate method.
- Distributed Learning – utilizes on-demand, distributed learning strategies to ensure that all stakeholders impacted by change have anytime, anywhere access to the requisite knowledge and information they will need in order to adapt and perform in their new environment.
- Supportive Culture – defines the cultural implications of the strategy and provides solutions to align the organization’s needs with the future-state design.
- Meaningful Measurement – provides processes and tools to measure and track the strategy change progress.
It is important to remember that strategy execution is fluid – plans can be and are often modified to fit new and changing environments, but it’s important to keep focus and not loss momentum. Organizations spend a tremendous amount of time creating and fine-tuning strategic plans so it’s critical that they include well-laid action plans to ensure real change occurs.
GRC (Governance, risk and compliance) is an on-going process requiring continued monitoring of your network security posture. Today’s typical mishmash of siloed technologies and processes leads to inefficiency, increased costs and higher risks to the organization. Security managers, risk managers, and CISOs are asked to deal with ever-increasing and multifaceted threats, but are at the same time challenged to provide increased capabilities and support increased agility to the businesses. These business imperatives, together with increased regulatory pressure and customer demands are forcing many CIOs and CISOs to adopt a unified, structured, enterprise-wide approach to align various governance, risk management, and compliance initiatives. Governance, Risk Management, and Compliance (GRC) is an integrated approach to several overlapping and related activities within an organization, e.g. internal audit, compliance programs like Sarbanes Oxley (SOX), enterprise risk management (ERM), operational risk, incident management, etc.
Achieving a position of control in a world of increasing regulatory and legal compliance can be a tough job that is further complicated by an organisation’s need to maintain effective policies and procedures, and disseminate information through awareness programmes. Connet recognizes that decision makers find it challenging to take time out from business priorities to understand complex compliance changes and how this impacts technology, people, processes and premises. Our compliance and security services are designed to help organisations quickly achieve and maintain compliance. For many years the team at Connet have been successfully enabling customers to meet their regulatory compliance responsibilities and manage their information risks. Typical compliance activities supported by our GRC service include:
- IT and information security assessments
- Policy exception management
- Sarbanes-Oxley reviews
- IT and InfoSec audits
- PCI DSS reviews
- Physical security reviews
- Vulnerability analyses and penetration testing
- Awareness training
Whether it’s guiding you through your compliance programme or managing specific areas of security infrastructure, we can provide you with advice, knowledge and recommendations for best practice. Our portfolio of carefully selected latest security solutions enables us to deliver the technology, processes and education that you need to remain secure and compliant.
BPM is a way of looking at and then controlling the processes that are present in an organization. It is an effective methodology to use in times of crisis to make certain that the processes are efficient and effective, as this will result in a better and more cost efficient organization.
BPM is best thought of as a business practice, encompassing techniques and structured methods. It is about formalizing and institutionalizing better ways for work to get done.
Successfully employing BPM usually involves the following:
- Organizing around outcomes not tasks to ensure the proper focus is maintained
- Correcting and improving processes before (potentially) automating them; otherwise all you’ve done is make the mess run faster
- Establishing processes and assigning ownership lest the work and improvements simply drift away – and they will, as human nature takes over and the momentum peters out
- Standardizing processes across the enterprise so they can be more readily understood and managed, errors reduced, and risks mitigated
- Enabling continuous change so the improvements can be extended and propagated over time
- Improving existing processes, rather than building radically new or “perfect” ones, because that can take so long as to erode or negate any gains achieved.
BPM should not be a one-time exercise. It should involve a continuous evaluation of the processes and include taking actions to improve the total flow of processes. This all leads to a continuous cycle of evaluating and improving the organization.
An IT risk management strategy may sound boring, but managing risks is basically what data security is all about. You can spend an endless amount of money buying hardware and software. However, you will only get the benefit from them if the shopping list meets the set goals. The goals must match both the business strategy and the IT strategy.
IT risk management is part of the company’s operational risk management, focusing in particular on IT, IT infrastructure and software development. IT risk management requires knowledge of technical architecture as well as understanding of different hardware environments and system recovery. By understanding and managing IT risks, we strive to ensure the continuity of the company’s IT operations – and hence, often the continuity of the company’s entire operations.
If your business operations produce value, an interruption of the operations means that this value will be interrupted. It is vital to know at what level the company’s contingency planning is and where it should be. All related sub-components must be in balance, or else you may be paying for seeming continuity that does not really help your business. It is important to have a contingency plan that is verified and that continuity training is carried out. If the worst happens, you must know how to recover. Continuity (and continuity planning) is often divided into three distinct subareas:
- contingency planning,
- continuity planning and
- disaster recovery.
It is important to understand the differences between different terms when starting to make a comprehensive continuity plan. Contingency planning is preparing for large-scale crisis in the society, such as critical power grid or water supply problems. The purpose of contingency planning is to identify the factors affecting the business continuity of a company and to define the business priorities of a company when a disaster occurs. Disaster recovery planning includes operational instructions for maintenance, how to minimize damage during the disaster and how return to normal operation. All three sub-areas can be approached with scenario-based planning.
IT risk management helps to understand what things can go wrong. Continuity planning helps to ensure that there are clear operational models for disasters, that recovery from disasters is as smooth as possible, and that as few operational risks as possible materialize.
Our experts have extensive experience of different architectural solutions and implementation methods, as well as risk management measures and standards. For example, we produce documents that conduct IT risk management and continuity management as well as risk mapping to help our customers create a risk register. We approach continuity planning by conducting workshops with our customers so that the plan serves their business environment as efficiently as possible.
The scenarios for continuity planning can be built using threat modelling. The scenarios can utilize risks that have already been identified and, on the other hand, new risks can be identified in scenario planning.
Customer needs and challenges to be solved
IT risk management aims at identifying risks that are connected to the management of environments such as outsourcing or the company’s own server room, as well as to the chosen technologies such as cloud services, purchased systems or in-house systems development. The risks are identified, analyzed, classified and handled regularly, as in any other operational risk management. To get the best benefit out of the IT risk management and continuity planning functions, they should primarily be integrated into existing practices in the company. Thus, the work is often started by making a small survey of the current status. From there, we continue to independent document writing or workshop work with the customer.
The first tasks may include a survey of the company’s operational risk management needs, a gap analysis of existing processes, or an interview study of how well the different parts of the organization understand the concept of operational risk. We customize a road map and the contents of the delivery according to the customer’s needs, because risk management should primarily be integrated into the company’s existing practices in order to get the best benefit out of it.
More details about our methods and tools
A comprehensive IT risk management system can utilize the RISK-IT (ISACA) framework and lean on ISO27001 and ISO31000 standards. In addition to these, other standards can be utilized as needed. Standards and models can also be applied partly so that a suitable level is chosen for the company.
When a customer needs a risk management tool, we begin by presenting either an Excel template or a risk registry tool provided by Mint Security. If the customer so wishes, we also compare other tools.