@ISACA Volume 16, 12 August 2015

Tips for Effectively Implementing Job Rotation

For how long should an organization keep an individual in the same job? Some former colleagues and I got into a discussion recently about major policy changes coming from the organization for which we worked. They complained about the impact of the changes on their personal lives. (I also got the feeling some of them wanted to blame me for the changes.)

The changes require individuals to rotate jobs every 5 years. As I listened quietly, it was explained how the organization is only hurting itself and that the brain drain imposes a negative impact on the organization’s performance. Part of the argument against rotation is training time in the new position, extending the time it takes to execute required business processes.

I was amazed as I sat listening to the displeasure such a simple, but fundamental concept could create. Then I realized that this process is a classic example of how policy directly impacts people’s lives.

That impact raises the question: is the impact on individuals a more important factor than the organization’s need for people to move to different jobs? Many examples of fraud and other crimes, attributable directly to people who were in a job for too many years, suggest the organization can suffer. Case studies indicate the organization performs better by moving people around.

Employees also benefit greatly as a whole from job rotation. It provides an opportunity for them to grow and discover previously unknown talent.

From a corporate perspective, potential managers can be identified while developing greater production capability among a cross-trained workforce. The payoff can be enormous, often immediate, when such a rotation is implemented strategically.

Another point that is often missed when implementing job rotation is the need to address job rotation from both a local and headquarters’ perspective. The intent of job rotation requirements at the local level could be slightly different from the intent at the headquarters level.

This article focuses on the differences in the amount of time an individual can remain in a job. Organization leaders should seriously consider the following not-so-obvious points:

  1. Even the simplest of policy changes need to be reviewed to ensure employees feel involved in the process with the organization to the extent of recognizing the need for such change.
  2. Job rotation should be exercised reasonably across the organization. It should include both management and labor positions.
  3. How long an individual remains in the same position within a work group should be defined and maintained consistently, relative to the importance the organization places on the position.
  4. Where employees rotate to different work groups, similar factors apply, but management’s risk tolerance for “upsetting the apple cart” also has a significant role and rotation schedules should be identified accordingly.
  5. The positions that will be subject to the job rotation policy should be identified using both organization and employee need-based criteria.
  6. Positions involved in the job rotation must require the employee to completely document the business processes needed to accomplish the tasks.
  7. The individual in the position and the organization must maintain updated contact information for the people, internal and external to the organization, who also contribute to task accomplishment.
  8. The perceived and actual impact on the employees should never be underestimated.

Ultimately, many management studies have shown that job rotation benefits employees and organizations. Further, these studies show advantages to the organization that far outweigh the impact on select individuals.

Still, job rotation comes with risk to the organization. A successful implementation must deliver a winning environment for both the organization and its employees.

Bruce R. Wilkins, CISA, CISM, CGEIT, CRISC, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


ISACA Webinar: Cybersecurity in the Era of Cloud
Cloud applications pose unique security challenges for organizations that use the cloud. To help organizations remain safe in the cloud, ISACA has partnered with Adallom Labs to bring you the “Cybersecurity in the Era of Cloud” webinar. This webinar will take place on 18 August at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

This webinar will examine the anatomy of attacks in cloud applications and will allow attendees to look at real-world usage reports and understand the kinds of high-risk behaviors that need to be mitigated. Yonatan Most, head of Adallom Labs, and Danelle Au, vice president of strategy at Adallom Labs, will lead the webinar. Attendees will better understand the tools and techniques attackers use in the cloud, the risk that cloud applications pose, and why heuristics and an intelligence-based approach are important for cybersecurity in the cloud.

To learn more about this webinar or to register for it, visit the Cybersecurity in the Era of Cloud page of the ISACA web site.


Annual Audit of 2014 CPE Hours
The annual continuing professional education (CPE) audit is in full swing. The deadline to provide audit documentation for those who were selected for an audit of their 2014 CPE hours is 30 August. Those who were selected for the audit were notified via email and hard-copy letter. The email notification also included detailed information on the CPE hours that were audited. If you were selected and have not already submitted your documentation, be sure to submit it prior to the deadline.

This audit takes place yearly as dictated in the CPE policy, which states that “A random sample of Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) or Certified in Risk and Information Systems Control (CRISC) certified individuals is selected each year for audit. Those CISA/CISM/CGEIT/CRISCs chosen must provide written evidence of previously reported activities that meet the criteria described in the Qualifying Professional Education Activities. Please send copies of supporting documentation since documents will not be returned. The respective certification committee will determine the acceptance of hours for specific professional educational activities.” Those individuals who do not comply with the audit will have their certification revoked.

Once the documentation is reviewed, a hard-copy letter confirming compliance with the audit is sent. Questions? Contact CISAaudit@isaca.org, CISMaudit@isaca.org, CGEITaudit@isaca.org or CRISCaudit@isaca.org.


Book Review: IT Savvy, What Top Executives Must Know to Go from Pain to Gain

Reviewed by Upesh Parekh, CISA

IT savviness is a characteristic of firms and their managers reflected in their ability to use IT to consistently elevate firm performance, as explained in IT Savvy, What Top Executives Must Know to Go from Pain to Gain. In today’s digitized economy, the gap between success and failure is often a firm’s ability to leverage IT. There are new-age companies, such as Amazon and Facebook, that have business models driven by IT and its effective use. There are also traditional brick-and-mortar companies that have differentiated themselves from their competitors with an intelligent use of IT. The success stories of many such companies are shared in IT Savvy, What Top Executives Must Know to Go from Pain to Gain.

The authors of this book state that if IT is not turned into a strategic asset, it will turn into a liability. This is an undeniable fact, as many companies have increased IT spending on “keeping the lights on.” But IT-savvy companies are different. As the book outlines, IT-savvy companies are not necessarily high-tech firms.

So what differentiates IT-savvy companies? One of the most striking differentiators is a digitalized platform. The book explains that a digitalized platform is an integrated set of electronic business processes and the technologies, applications and data supporting those processes. A digitalized platform is not an off-the-shelf product or technology thrown at the existing process. Building a digitalized platform involves evolving the most suitable business model for the firm and then weaving technology around the business model. IT-savvy companies have invested time, money and energy in building a digitalized platform for the firm.

The journey to IT-savvy status is described in this compact book, written by well-known authors Peter Weill and Jeanne Ross. This book contains many real-life case studies and anecdotes, and it draws heavily on the authors’ research on firms making effective use of IT. The journey to becoming IT savvy is described through 7 chapters in the book. The journey starts with 2 chapters on fixing what is broken in IT today, which the authors identify as finalizing the operating model and the funding model. The next 2 chapters focus on how to build the digitalized platform, which is at the core of the IT-savvy firm, and the last few chapters focus on how to make the most out of the digitalized platform to derive better performance.

The book is written in simple business language, and senior management, chief executive officers (CEOs) and chief information officers (CIOs) would enjoy this book as it will help them begin the journey toward becoming an IT-savvy firm.

IT Savvy: What Top Executives Must Know to Go from Pain to Gain is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Upesh Parekh, CISA, is a risk and governance professional with more than 10 years of experience in the banking and finance industry. He is based in Pune, India.