Loading...
 

IT Governance


Opportunity and risk come in pairs

IT Governance

IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. IT demand governance (ITDG - what IT should work on) is the process by which organizations ensure the effective evaluation, selection, prioritization, and funding of competing IT investments; oversee their implementation; and extract (measurable) business benefits. ITDG is a business investment decision-making and oversight process, and it is a business management responsibility. IT supply-side governance (ITSG - how IT should do what it does) is concerned with ensuring that the IT organization operates in an effective, efficient and compliant fashion, and it is primarily a CIO responsibility.

Historically, board-level executives deferred key IT decisions to the company's IT management and business leaders. Short-term goals of those responsible for managing IT can be in conflict with the best interests of other stakeholders unless proper oversight is established. IT governance systematically involves everyone: board members, executive management, staff, customers, communities, investors and regulators. An IT Governance framework is used to identify, establish and link the mechanisms to oversee the use of information and related technology to create value and manage the risks associated with using information technology.

Organizations today are subject to many regulations governing the protection of confidential information, financial accountability, data retention and disaster recovery, among others. They're also under pressure from shareholders, stakeholders and customers.

To ensure they meet internal and external requirements, many organizations implement a formal IT governance program that provides a framework of best practices and controls. IT governance is merely a subset of enterprise regulation, which ensures that the organization's IT sustains strategies and objectives. The need to oversee technology investments is even more important, at a time when many high-ranking officials are blatantly violating set norms. Information security accountability is dependent only on effective management and adherence to legal and regulatory norms. The CXO challenge is not to understand every aspect of technology infrastructure, but understand its role as a strategic business driver.

The Importance of IT Governance
* Compliance with regulations
* Competitive Advantage
* Support of Enterprise Goals
* Growth and Innovation
* Increase in Tangible Assets
* Reduction of Risk

IT Governance

How does IT Governance create IT Value
IT governance has primarily been driven by the need for the transparency of enterprise risks and the protection of shareholder value. The overall objective of IT governance is to understand the issues and the strategic importance of IT, so that the firm can maintain its operations and implement strategies to enable the company to better compete now and in the future. Hence, IT governance aims at ensuring that expectations for IT are met and that IT risks are mitigated. IT governance exists within corporations to guide IT initiatives and to ensure that the performance of IT meets the following corporate objectives:
* Alignment of IT to support business operations and sustain advantages;
* Responsible use of IT resources;
* Appropriate identification and management of IT-related risks;
* Facilitation of IT's aid in exploiting opportunities and maximizing benefits.

A structured IT governance committee or policy along with corporate managers combine to ensure that IT is synchronized with the business and delivers value to the firm. IT governance also aids companies in instituting formal project approval processes and performance management plans. Firms typically make five types of IT decisions:
* IT principles decisions dictating the role of IT in the enterprise.
* IT architecture decisions on technical choices and directions.
* IT infrastructure decisions on the delivery of shared IT services.
* Business application requirements decisions for each project.
* IT investment and prioritization decisions.

IT governance exists to assist enterprise leaders in their responsibility to make IT successful in supporting the firm's goals and mission. IT governance helps firm executives to raise awareness and understanding among employees. Such governance also helps provide guidance and tools to boards of directors, executive managers, and CIOs to ensure that IT is appropriately aligned with corporate goals and policies and that IT meets and exceeds expectations of the firm.

How do you implement an IT governance program?
The easiest way is to start with a framework that's been created by industry experts and used by thousands of organizations. Many frameworks include implementation guides to help organizations phase in an IT governance program with fewer speedbumps.

The most commonly used frameworks are:
1. COBIT: Published by ISACA, COBIT is a comprehensive framework of "globally accepted practices, analytical tools and models" (PDF) designed for governance and management of enterprise IT. With its roots in IT auditing, ISACA expanded COBIT's scope over the years to fully support IT governance. The latest version is COBIT 5, which is widely used by organizations focused on risk management and mitigation.

IT Governance

2. ITIL: Formerly an acronym for Information Technology Infrastructure Library, ITIL focuses on IT service management. It aims to ensure that IT services support core processes of the business. ITIL comprises five sets of management best practices for service strategy, design, transition (such as change management), operation and continual service improvement.

IT Governance

3. COSO: This model for evaluating internal controls is from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO's focus is less IT-specific than the other frameworks, concentrating more on business aspects like enterprise risk management (ERM) and fraud deterrence.

IT Governance

4. CMMI: The Capability Maturity Model Integration method, developed by the Software Engineering Institute, is an approach to performance improvement. CMMI uses a scale of 1 to 5 to gauge an organization's performance, quality and profitability maturity level. This allows for mixed mode and objective measurements to be inserted is critical in measuring risks that are qualitative in nature.

5. FAIR: Factor Analysis of Information Risk (FAIR) is a relatively new model that helps organizations quantify risk. The focus is on cyber security and operational risk, with the goal of making more well-informed decisions. Although it's newer than other frameworks mentioned here,it's already gained a lot of traction with Fortune 500 companies.

How do I choose which framework to use? Most IT governance frameworks are designed to help you determine how your IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from its investments.

Where COBIT and COSO are used mainly for risk, ITIL helps to streamline service and operations. Although CMMI was originally intended for software engineering, it now involves processes in hardware development, service delivery and purchasing. As previously mentioned, FAIR is squarely for assessing operational and cyber security risks.

When reviewing frameworks, consider your corporate culture. Does a particular framework or model seem like a natural fit for your organization? Does it resonate with your stakeholders? That framework is probably the best choice.

But you don't have to choose only one framework. For example, COBIT and ITIL complement one another in that COBIT often explains why something is done or needed where ITIL provides the "how." Some organizations have used COBIT and COSO, along with the ISO 27001 standard (for managing information security).

How do you ensure a smooth implementation and positive results? One of the most important paths to success is with executive buy-in. Calatayud recommends forming a risk management committee with top-level sponsorships and business representation. "To ensure it's an effective program, it needs to be supported by a broad set of line of business leaders." He also recommends sharing results with the board or audit committee to "develop real attention when items begin to get ignored."

As with any significant project, you should always keep communication lines open between various parties, measure and monitor the progress of the implementation, and seek outside help if needed.

Our experts partner with clients on corporate planning, providing perspective not only on immediate value and impact, but on long-term implications. We work closely with management and other advisers to leverage and complement their knowledge and ensure maximum impact, and actively support implementation and skill building.

Featured Experts - IT Governance

Senior multi-disciplinary corporate and finance professionals with diverse geographic, sector and transaction focuses
Nav Kaplish
Nav is a seasoned business and technology executive with 18+ years of global corporate and entrepreneurial experience in building and managing digital teams and in leadership roles spanning Governance, Risk & Compliance, Audits and conceptualisation and delivery of Blockchain products.

Nav
Kaplish

Partner Digital, Blockchain & Risk
London


Preethi Hari
Preethi is a versatile senior-level corporate professional with 18+ years of experience in Risk Management, IT Governance, IT Security, Business Continuity, Audits, Compliance and Regulatory. She specialises in COBIT/ COSO framework, ITSM (ITIL), 6-Sigma, SOX etc in Banking, Insurance, Oil & Gas, Shipping, Mining, Logistics, Telecom and Commercial Real Estate.

Preethi
Hari

Partner Risk Management
London


Contact us
Print page