What should management meetings cover? What if you don’t have a Board of Directors?
The best practice library says you should have operational management meetings for individual teams, Senior (exec) management meetings for org-wide review across all teams, and a Board of Directors for independent oversight. Company-wide meetings are like an exec management meeting that includes the broader employees and may be one-way (communicating to employees) or two-way (also seeking feedback and open discussion).
This library or cookie-cutter approach can differ for organisations of different sizes. At the smaller end, the Exec team may be the operational management, the senior management team, AND playing the role of the Board. In larger organisations there can be various committees, sub-groups and “management” meetings all over the place. Whichever structure fits your business is best. Too many meetings can undermine the effectiveness of each one, and not enough can leave the governance lacking in your organisation (see our Best Practices: Governance).
- What’s the purpose of each meeting?
- What should be covered?
- Which approach is best for your company?
Operational management meetings
From an InfoSec perspective, it’s the security, development and operations teams that are the most important operational teams. The management meetings serve the purpose of checking that the team is aligned; that any vulnerabilities, incidents and development priorities are addressed appropriately; and that the practices continue to be revised and improved to evolve with the growing company and the challenges faced in operation. Without these meetings it’s common to see things slip through the cracks. An agenda is worthwhile, but more important are the “minutes” or actions that arise out of the meeting, so that they can be followed through in the subsequent meeting. That adds a cadence for checking back on past actions, confirming resolutions and outcomes, or identifying any blockers that need attention.
Senior management meetings
Often called the Senior Leadership or Executive Management meeting, this is a critical function for aligning the individual teams’ activities to the company-level goals and strategy. Without the teams talking at this highest level, the business operates in silos and things fall apart. That’s not to say this meeting is the only way to work effectively together. But it’s a catch-all forum to monitor the teams’ performance, identify areas of improvement, set objectives and align the teams to them, plan operational resourcing requirements, perform risk assessments, troubleshoot control or process failures and handle various other matters that arise in the usual course of business. Keeping a record of agreed actions is important for accountability, for a trail to look back on retrospectively as needed, and for ensuring everyone is on the same page with what was actually discussed and agreed in the meetings.
The Board of Directors
The purpose of a Board of Directors is to apply independent oversight of the business. In many earlier-stage businesses, it doesn’t make sense or isn’t viable to have a fully formed board of Exec and Non-Exec Directors. But the principles are the same whatever the size of the company. The Board should review the senior management roles, responsibilities and performance to ensure there’s accountability at all levels. They should monitor company performance and in particular the integrity and ethical values of the business, to ensure the long-term goals and obligations to the public are being adhered to. Beyond that, each Board can have a varying scope on the level of detail they look at. Some Boards review the risk management outputs and internal control effectiveness, with outputs from internal audit functions and external audits conducted (like SOC 2 and ISO 27001). They can get into approval of company objectives, resourcing requirements and plans, budgets, and various other more operational matters.
Company-wide meetings can be a powerful governance tool as well. They act like a bridge between the management meetings for governance and the general operational practices of the business. They help all employees understand where they fit into the broader company and how they support its goals. They reinforce expectations and raise awareness of the company goals, processes, operating changes, risks, and the vision and values of the company. This makes them a great "catch-all" forum for various processes and updates.
The SOC 2 Perspective
These management meetings form an important part of the control environment, and support the internal communications criteria. Depending on their design and scope they can also play a role in the risk assessment, monitoring of controls, control activities, system security, operations and change management sections of the SOC 2 criteria. They can be very broad "catch-all" control activities that support your InfoSec assurance in various ways, if designed to be used in that way.
COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
AssuranceLab's Best Practices Series
AssuranceLab's best practices series is about highlighting the "real operational benefits" that come from effective control practices. At best, they support your company culture, provide structure and clarity, and enable scalable growth. At worst, they tick the box of what your customers expect, reduce the reactive "firefighting" and time-wasting, and help you demonstrate your compliance with leading standards like SOC 1, SOC 2 and ISO 27001.