Negotiate or not?
The negotiation process can be stifling and it can be invigorating at the same time. I sometimes find I am negotiating with the people that work for me. It's not that they don't take direction well, but rather that they need to be "pulled" into the process rather than "pushed". I want to have them feel like it is a win/win.
Unfortunately, when it is something that they do not really have a choice in doing, such as the current SAS 70 audit we are participating in, then negotiating isn't the best process. (SAS 70 is the services industry process comparable to SOX. I believe it comes from SOX 404.) We have a few legacy systems for which I am responsible. These systems were developed long ago and are still maintained by the programmers. Even the controlling database tables that enable the system to function properly are updateable by the programmers. As with a lot of legacy systems, this kind of "tinkering" by the programmer was an acceptable practice. We moved away from the days when the programmers were not able to have access to production systems.
With this audit we now have to change the way in which we support the system. The process will require additional work from the teams and will also add a degree of complexity that they have never had to deal with in the support of these applications.
While it is my wish to have them want to willingly engage in doing the necessary tasks, they feel it is a cumbersome process and that it will now take them double the time to complete the simplest tasks. It behooves me to explain to them that the process is there to protect ourselves from ourselves, and that we are doing this to alleviate the problems that Enron and MCI's leaders foisted upon the entire business community. I tell them it makes us accountable. It makes us "compliant". They agree with me, but there is seemingly no win in it for them.
I tell them the bottom line is that we need to document the access to the production systems. I lose this negotiation because, first, it may not have been wise for me to take that tack and, second, it simply was not a negotiable item. There was no best case scenario. There was no settlement range. No negotiable targets that could be hit.
I simply had to explain the "position" as best I could and tell them that this was non-negotiable. As I say, all too often these days, "It is what it is." Meaning that we must come to terms with the reality of this problem and deal with it as best we can. We cannot ignore it. We cannot avoid it. Rather, we need to own the problem (or its symptoms) and find the right solution to the root problem.
In our case, we need to change the applications so that the system does not require the programmers to have update access to "fix" the things that the business should be able to do themselves.