Nailing the basics of IT governance has been a key step in the development of every world class IT organisation (ITO), notes a recent Meta Group report. However, the analyst firm points out, for many organisations, governance is a "nebulous" term. "The typical ITO's view of governance is a tactical prioritisation committee incorrectly termed the 'IT steering committee'."
To yield benefits, it adds, "governance" must be concretely turned into "governing" and be a set of pragmatic tools that are part of best management practices. "Those tools exist, and good managers use them, though they often do not call them 'governance' and might not even think of them as tools."
During a recent seminar organised by BMC in Sydney, Meta Group Asia-Pacific managing director Mary Ann Maxwell points out the benefits for organisations that work on getting their IT governance right, and the formidable task of doing so. IT governance, says Maxwell, is an essential business alignment and performance tool. "If it is done well, and done pragmatically, you can actually save time by cutting debates short and save money by integrating your functional silos."
IT governance combines policies (such as privacy and security), processes (including problem management and service level management) and people. "I would say IT governance, done right, ensures the right people are in the right place at the right time, doing the right things for a right-enough cost by framing expected behaviour and creating a high productivity work climate."
IT governance is closely linked to corporate governance, as IT directors play a huge role in ensuring systems are able to meet compliance requirements that have cropped up following the corporate scandals of the past two years.
This compliance effort is a major challenge for enterprises. As Maxwell points out, "Ensuring consistency with regulatory requirements, particularly if you are a global enterprise, is often difficult if not impossible, and that's because there are so many compliance jurisdictions that may touch upon so many business areas."
While the focus per region differs - in the United States, for instance, it is Sarbanes-Oxley; in Europe, Basel II; and in the Asia-Pacific, privacy, critical infrastructure protection and cybercrime, among others - common themes arise.
One of them is security. "If data is not adequately protected, then officers, auditors and managers within the organisation can't reasonably attest to the completeness and accuracy of the information derived from that data."
Risk management is another. There should be an enterprise strategy for risk management, says Maxwell. She points out that one IT governance methodology, COBIT, links IT control practices to business processes and provides a framework for risk.
Architecture and enterprise portfolio management is a business imperative of current compliance efforts, says Maxwell. It will also provide the agility for enterprises to respond to future compliance requirements.
Records management may sound mundane, says Maxwell, but compliance requires an organisation and its audit firm to capture a wide range and fairly large volume of structured and unstructured records. The latter include electronic communications such as email and instant messaging, and business processes that are transitory and not necessarily stored in a records management environment. "You really have to have clear, secure, timely access to content throughout your organisation while still protecting the integrity of those records."
Asset management, she says, is another theme and refers to a combination of tools, processes and organisation interfaces that financially manage, optimise and dispose of primarily IT assets.
Carrot and stick
For an IT organisation, the "carrot" for compliance includes more effective controls, better governance and more efficient resource utilisation. The stick, on the other hand, is real, says Maxwell. "You can end up with protracted litigation, censure, fines, imprisonment or personal liability for CFOs and CIOs."
But how are these concepts applied in reality? IT executives interviewed by MIS reveal their different approaches to governing IT and working with the rest of the business units.
Steve Johansen, chief information officer, Port of Napier, says the enterprise combines concepts from two frameworks. "I have found that taking concepts from both ITIL and COBIT and using them sensibly, within the context of the organisation, and being able to explain what one is looking for with governance controls and the possible effects on our business if we did not have them, allows our technical people to understand why the control points are necessary. They do not just view them as an unnecessary overhead."
Johansen explains that the internal port quality management systems are laid out following the ITIL structure. The IT team develops procedures and standards in conjunction with the user departments. "I play the role of an external auditor as procedures are developed, measuring the resulting procedures to the COBIT standard and asking the questions an external auditor would, making sure that control points are built into procedures as they are developed." Internal and external auditors examine the IT procedures at least once a year.
Over at Livestock Improvement Corporation, service delivery manager Les Christopher says the enterprise has been actively using the COBIT methodology for internal audits. "This enables us to work effectively with our PWC external auditors." Over the past few years, he says, LIC has invested in a data warehouse extracting and centralising data from its many operational transaction-based information systems. These investments - which include high-end adaptive business reporting software from Actuate and an end-user static reporting tool from Hyperion's Brio - aid in LIC's corporate business reporting requirements.
"When the Sarbanes-Oxley requirements arrive in New Zealand, I'm sure we've chosen the best financial reporting suite to facilitate compliance."
Ed Saul, chief information officer of Tower Group, follows a different model. "We don't use those methodologies," he says. "We are clear on what we need to do, our steering groups have a clear mandate, we meet regularly and they appear to be achieving our objectives very effectively."
Tower has an IT strategy steering group in both New Zealand and Australia, with members drawn from business senior management teams and IT. Among the group's tasks are reviewing the IT strategy to ensure it lines up with the business strategy, and reviewing IT investment decisions and IT performance to gain a better understanding of the drivers and issues. It also has to ensure business priorities are recognised, provide feedback and direction for IT, and endorse the IT strategy as well as business cases. "This has only recently been implemented and appears to be working well," he states.
Saul understands why there could be various interpretations of how to go about IT governance - the concept is underpinned by different methodologies and practices.
"I think some enterprises struggle with the concept and for them it may be 'nebulous', whilst others are clear on the concept of governance but have difficulty implementing it in practice."
The IT manager's toolbox
Forrester says while there are a number of frameworks available that can be useful starting points in developing a governance model, there is no single, complete, off-the-shelf IT governance framework.
Most IT organisations today are "rolling their own" models while borrowing heavily from existing frameworks, says Forrester. Most of the existing frameworks are complementary, with strengths in different areas, so enterprises often take a mix-and-match approach.
Three of those frameworks are:
ITIL: The IT Infrastructure Library (ITIL), initially developed in the UK by the Office of Government Commerce (OGC), is gaining popularity in the global IT community. The library currently consists of seven books: service support, service delivery, security management, application management, ICT infrastructure management, the business perspective, and planning to implement service management. ITIL is focused on identifying best practices for managing IT service levels. Forrester says its strengths lie in its process orientation.
COBIT: Developed by the Information Systems Audit and Control Association (ISACA), Control Objectives for Information and related Technology (COBIT) is strong in controls and metrics. It breaks IT down into a set of 34 processes in four domains: Planning and organisation, acquisition and implementation, delivery and support, and monitoring. Each process has a number of high-level control objectives associated with it. In some respects, says Forrester, COBIT tells you what to do, while ITIL can be thought of as telling you how to do it.
ISO 17799: The International Organisation for Standardisation developed ISO 17799, titled "Information Technology - Code of Practice for Information Security Management." It was first released in December 2000 and is based on the British Standard 7799 finalised in 1999. The standard focuses on security and aids an organisation in creating an effective IT security plan.
Forrester points out that an IT governance model must be driven from the top down - beginning with the board of directors and the executive management team. It must also take an incremental approach. "Any governance is better than no governance, and an incremental approach can be the best way to start. It's not as important where you begin but that you do begin."