3.2 Lifecycle for Accountability

The Conceptual Framework introduces the Organisational Lifecycle and the Functional Elements of Accountability, which together provide the reference model for this discussion.

Figure 11: Accountability lifecycle.

This lifecycle (shown in Figure 11) is organised around five phases which provide a structure for solution development, operation, and maintenance. Specific to the Corporate Accountability scope, we introduce a sixth element, the Program Office, which provides operational support to the governance body. Note that the first two elements (Govern and Program Office) are strongly associated with organisational accountability, while the next three lifecycle elements (Analyse and Design, Operate, Handle Exceptions) describe the lifecycle for building and operating an accountable solution. The last element (Audit and Validate) applies to both domains, as assessments can focus either on the organisation as a whole or on a particular solution or business service.

  1. Govern - This corresponds to the executive roles in the organisation establishing and maintaining a framework and supporting management structure and processes, as well as accepting and providing assignment of responsibility, to meet the obligations of the organisation in an accountable manner.
  2. Program Office - This is the operational body which supports the governance body in meeting its responsibilities, e.g. by drafting guidelines, policies and procedures, defining the operational programs and infrastructure, and providing oversight and support for the implementation of the decisions of the governance body. This program office is typically in charge both of organisational accountability and of the domain for which the organisation is accountable (e.g. the privacy program office or the security program office); it can be either an organisational or a logical structure.
  3. Analyse and Design - This corresponds to the analysis and design phases related to the engineering of a solution. The work performed in this phase clearly separates identification of risks (based on business impact, not just technology), identification of controls, design of control implementation, and implementation of controls through technology and processes.
  4. Operate - This corresponds to the operational (production) phase of the solution, and includes all the associated management processes.
  5. Handle Exceptions - This set of activities, which could be considered an integral part of operations, has been singled out due to its specific nature and high relevance to accountability. It includes all processes for the handling of complaints and breaches related to accountability obligations.
  6. Audit and Validate - This corresponds to the assessment of the effectiveness of the controls which have been deployed, the necessary reporting, and paves the way to the tuning (adaptation) of the measures deployed to ensure the obligations are being met.

Section 3.4 describes the content of each of these phases in more detail. Beyond a general discussion and framing of the scope, we want to provide practical guidelines for implementing accountability. We provide a series of recommendations which can be used as a checklist. We do not claim this describes a specific methodology; it provides a general guideline on integrating accountability within an organisation.

These lists are not comprehensive, and each of the points must be evaluated with regard to the size and structure of the organisation. The full list of recommendations may, in general, not be applicable to smaller groups such as SMEs. We acknowledge there are many common points between the recommendations identified below and the actions identified as required for topics like data protection, business continuity, disaster recovery, information security management, and trustworthy accounting. However, our recommendations below are not intended to be a substitute for those lists of actions; an organisation must address all of them in order to have comprehensive coverage and meet its obligations. The analysis focuses on the processes to be deployed by the accountor rather than those of the accountee.