What I Know It’s About Experience

8 Nov 08

The concept of Accountability

A cornerstone of Risk Management in an enterprise is 'Accountability'. Maybe you have heard the term spread around like butter on a slice of bread. What does this mean? Well, depending on who you talk to, it means different things to different people, similar to 'different strokes for different folks'. In my experience the understanding depends on how high you are in the food chain. Yep, it all comes down to where you are on the corporate ladder.

If you are a system administrator, your manager holds you 'accountable' for the availability of the system you are 'responsible' for. His/her manager holds him/her 'accountable' for your performance, and so on up the food chain. This is where it gets interesting: how is it possible to be 'accountable' if you are only 'responsible' for the system? What about 'Ownership' and 'Authority'? Surely these two play a major role in the 'Accountability' framework. Yes, they do: how can you be accountable for the availability if you do not have the 'authority' to purchase new hardware or the 'ownership/authority' to tell people what they may or may not do on the system? Again, my experience has taught me that while management expects 'accountability', they are hesitant to give 'ownership' and 'authority' due to potential 'political' repercussions, one of them being financial.

Another matter is the expectation that a document, whether it be a Policy, Process, Procedure, Control or Standard, enforces 'accountability'; this is again up for debate. A legal policy does, provided there are certain controls in place to ensure or at least measure awareness and conformance. However, I have found that a policy that governs the administration of a system does not deliver 'accountability', as there are too many reasons why something was not done, unless it is written in a Standard. The standard is, however, based on the 'business' requirements accepted by management.

In a nutshell, 'ACCOUNTABILITY' can only be enforced if there is associated documented proof of 'OWNERSHIP', 'RESPONSIBILITY' and 'AUTHORITY'. In other words, the explicit, not the implicit, ownership and authority usually found in job descriptions.
