How to Set Up an IAM Steering Committee (Scope)
Are you about to embark on a journey in the world of Identity? Or are you looking to atone for past IAM or IAG sins? If so, once you have an IAM Roadmap in place, one of the first steps we recommend our customers think through thoroughly is IAM Roles & Responsibilities. In general, there are 5 bodies a good identity program will assemble: an IAM Advisory Committee, IAM Project Team, IAM Core Team, Business Stakeholders and IAM Operations.
In this article, we are going to focus our attention on the IAM Advisory Committee, sometimes referred to as an IAM Steering Committee or IAM Program Committee.
Here at Identropy, we’ve been helping organizations deliver on IAM programs for over 10 years. Throughout that process, we have been fortunate enough to work with hundreds of organizations from beginning to end. One of the key insights that we've picked up along the way: IAM Programs are rarely successfully delivered without an IAM Program Committee.
Document In-Scope Topics (What is in scope for committee decision making?)
The raison d'être of an IAM Program Committee is top-down decision making and program governance. Oftentimes, IAM Programs can become plagued with indecision and disagreements, especially where business process changes are concerned, since multiple business units may be affected by the decision. When this happens, it's handy to have a committee in place to settle disputes.
But that’s not the only area of concern for an IAM Program Committee. IAM Program Committees also:
- Approve updates to the IAM Roadmap: Typically, IAM Programs are multi-year endeavors and corporate priorities can and do change. The committee should regularly review corporate goals and review if IAM Roadmap changes are warranted.
- Communicate Upstream: Bi-directional communication with company executives, typically the CIO (if the CIO is not part of the committee)
- Review metrics: IAM Program metrics are absolutely critical to track to ensure that the program is having the intended impact on the organization. (Here is a list of IAM Metrics to track).
- Provide Financial Oversight: IAM Programs have large budgets, and it’s important for an oversight committee to keep track to ensure projects stay within budget.
Also Document Out-of-Scope Items
In addition to documenting in-scope topics, it is important to explicitly document topics that are out of scope. In order to prevent IAM Steering Committee overreach, day-to-day tactical decisions should be made at the IAM Project Team level (see the middle tier of the diagram above). Here are a few examples of topics that should be out of scope:
- Technical architecture: The steering committee may require, as part of IT best practices, that the enterprise architecture group approve the IAM design document. While this is acceptable, it’s a tell-tale sign that your IAM Steering Committee has gone too far.
- Line-Item Project Plan Reviews: The steering committee should avoid spending time poring over each line of a project plan. Their focus should be at the Roadmap level (for example, deprovisioning for these 10 applications is expected to go live by end of Q1, etc.) rather than the level of project plan line-items (for example, the connector for AD is set to be completed in DEV by February 12th).
Documenting both in-scope and out-of-scope topics for IAM Steering Committees is a relatively painless task that can provide invaluable guidance that maximizes your committee’s efficiency and limited time. So why not block off a few hours this week to write your IAM Steering Committee Scope Document?