Learning from Conway’s Law for Internal Audit

Any organization that designs a system will produce a design whose structure is a copy of the organization’s communication structure. — Melvin Conway

This is known as “Conway’s Law", basically Conway noticed that organisations with very hierarchical and complex communication structures would produce IT systems that were reflective of this with complex design and integration structures. Conversely a more simple organisation with clearer communication will produce a technology system reflective of this.

This law is often discussed and many examples are used to explain it. A simple way of thinking about it would be an organisation with two large separate IT development teams is more likely to build a system that consists of two large separate applications.

“Organisations often produce web sites with a content and structure which mirrors the internal concerns of the organisation rather than the needs of the users of the site.” –Nigel Bevan

The Inverse Conway

As the concept has become more well known people have suggested that something called the “Inverse Conway” might be possible.

The ‘Inverse Conway Maneuver’ recommends evolving your team and organizational structure to promote your desired technology architecture.

This correlation between organisational structure and communication and technology design reminds me of how internal audit teams can be very reflective of the organisation they serve. Despite the independent status of IA, we often can’t help but develop organisationally and culturally as a mirror of our organisation.

Some examples…

• IA teams split into silos reflecting business divisions or business units without understanding the wider organisational context.
• IA work prioritised in isolation between teams, similar to lack of strategic coordination in the wider organisation.
• An IA function that mirrors the deliver-at-pace focus of the wider organisation and becomes overly focused on output of work items (audits etc.) rather than outcomes.
• An organisation is very bureaucratic, with very slow moving decision making, so the IA function mirrors this with lack of empowerment and decision paralysis.

If the aim of the IA function is to make positive change in an organisation (and it should be) perhaps a look inwards at how we work can help us identify how we embody some of the challenges our stakeholders face.

Would a conscious effort to transform the organisation of an audit function help us to reflect a positive culture into our organisation. Removing bureaucracy, empowering teams, and thinking strategically are all activities that will help our teams provide more valuable insight to our stakeholders and model effective organisational practices. Conway suggests that the decisions we make in setting up a design team implicitly impact the design we will get. I would argue that this is try of audit, decisions we make in setting up an audit organisation implicitly impact the type of assurance we can give.

“the very act of organizing an design (assurance) team means that certain design (assurance) decisions have already been made, explicitly or otherwise” — Melvin Conway

One of the really cool things about IA as a small (in relative terms) independent function is the ability we have to organise ourselves in the way we want. No other area in an organisation has the same freedom to develop culture and working practices outside of the existing culture and processes.

How can an Internal Audit team “Inverse Conway” their organisation.

• Internal Auditors who are organised and operating in a manner linked to the long term strategic success of the organisation can better provide insight into the likelihood of the organisation achieving the strategy. This mindset will come through in our work and will help the wider organisation to think strategically.
• IA teams that focus on implementing impactful communication methods that are focused on the needs of the users (Exec’s / Board etc.) will develop a mindset of focusing on user needs. They will then be better able to provide insight into the alignment between the wider organisation and customer needs.
• IA teams that break down silos internally will understand organisational context better and in turn be able to communicate in a strategic context with stakeholders and break down silos within the organisation.
• IA teams that focus on being lean and removing bureaucracy internally will develop the appropriate mindset to see the risks of bureaucracy in our organisations and suggest solutions to benefit other areas.

What you do is who you are.

Ben Horowitz’s Book “What you do is who you are: How to create Your Business Culture”, clearly explains the key to culture is action, the things we do are the things that create our culture. Talking about our values is not where near as powerful as living them. Internal Audit, with our enterprise wide focus has the ability to do vs tell across the whole organisation so we should consider how what we do impacts the culture positively or negatively

When you think about it the concept is pretty obvious it’s the old adage of “be the change you want to see” but thinking about the very real correlation between organisation structure and system structure can really help to illustrate how the way we work within our IA function can have a real impact on the organisation as a whole.