SABPP IT GOVERNANCE COMMITTEE TERMS OF REFERENCE

Transcription

1 SABPP IT GOVERNANCE COMMITTEE TERMS OF REFERENCE PREAMBLE The purpose of the IT Governance Committee is to ensure that IT is effectively governed at SABPP in accordance with the King III Code of Governance and the business strategy of SABPP. In addition, the IT governance committee should focus on managing all IT risks, and to leverage opportunities for positioning IT in adding value to the overall business strategy of SABPP. The vast majority of all SABPP functions operate on IT systems, thus, IT governance is of utmost importance for all SABPP activities. SCOPE The IT Governance Committee oversees all aspects of information management and technology used at SABPP, and therefore covers the following key components of IT: Management Information System Hardware and software, including devices used by SABPP staff, committee and board members Electronic communication platforms such as and social media All IT equipment used All policies needed to govern IT and social media PRINCIPLES The following principles guide the SABPP IT Governance committee: The board should be responsible for IT governance, but the IT Governance Committee will provide guidance to the Board in making decisions about IT investments, governance and strategy; IT Governance should be aligned with the sustainability and performance objectives of SABPP; The board should delegate to the CEO and management team the responsibility for the implementation of an IT governance framework; The board should monitor and evaluate significant IT investments and expenditure; IT should form an integral part of SABPP s risk management; The board should ensure that information assets are managed effectively; Cost effectiveness; IT security is key to the success of SABPP; Fit for purpose and effective IT systems to enable the achievement of business targets. SABPP IT Governance Committee 1

2 Compliance with all IT and electronic laws, codes, rules and standards. IT Capacity building opportunities for all staff. STATUS OF THE COMMITTEE The IT Governance Committee is an official sub committee of the Board of SABPP. COMPOSITION OF THE COMMITTEE The composition of the Committee is as follows: Persons with appropriate background and experience, including but not limited to academics, thought leaders and HR practitioners, and IT practitioners or providers may join the committee; The IT Governance Committee will meet at least three times a year, or at more regular intervals where required; A Chairperson and Vice Chairperson will be elected on an annual basis. Additional members, or sub committee/working group members, may be co opted where required. FUNCTIONS OF THE IT GOVERNANCE COMMITTEE An IT governance committee is formed to guide the SABPP board on IT governance. The IT governance committee will fulfill the following functions: The IT governance committee will provide independent oversight over the IT strategy, systems, processes and controls of SABPP. The IT governance committee will ensure that the SABPP IT strategy is integrated with the strategic and business processes of SABPP. Hence, IT is seen to add value by enabling the improvement of the company s performance and sustainability. The alignment between IT and business processes involves: ensuring that business and IT plans are integrated: delivering, maintaining and validating the IT value proposition; and aligning IT operations with overall business operations. The IT alignment process is essential during the development of any business plans (whether at strategic, management or operational levels) and plays a key role in determining and executing the business arrangements supporting the strategic objectives of SABPP. The committee should ensure that there is a robust process in place to identify, and exploit where appropriate, opportunities to improve the performance and sustainability of SABPP in the triple and integrated reporting context through effective and efficient IT use and optimisation. The IT governance committee should ensure that IT outsourcing is managed effectively and that clear needs are communicated to IT service providers, and that service level agreements are appropriately managed. SABPP IT Governance Committee 2

3 The committee should exercise care and skill to design and develop appropriate IT strategies and systems, and advise the CEO on the implementation and maintenance of sustainable IT solutions to ensure the achievement of strategic objectives. ROLES AND RESPONSIBILITIES The board of SABPP should take responsibility for IT governance, including the following elements: IT is essential to manage the transactions, information and knowledge necessary to grow and sustain SABPP and is therefore an integral part of SABPP. The SABPP board takes responsibility to identify, understand and manage the risks, benefits and constraints of IT. Thus, the board understands the strategic importance of IT, assume responsibility for the governance of IT and place IT governance on the board agenda. IT governance can be considered a framework that supports effective and efficient management of IT resources to facilitate the achievement of SABPP s strategic objectives. Hence, IT governance is the responsibility of the board. The SABPP IT governance framework includes relevant structures, processes and mechanisms to enable IT to deliver value to SABPP and mitigate IT risk. The IT governance framework must be appropriate and applicable to the strategy and operations of SABPP. It should facilitate and enhance SABPP s ability to reach its objectives by making the most appropriate decisions about incorporating IT into its operations, programmes and services in a secure and sustainable basis. As part of the IT governance framework, the board should ensure that an IT governance charter and policies are established and implemented. This charter and policies should outline the decision making rights and accountability framework for IT governance that will enable the desirable culture in the use of IT within the company. The board should oversee the cultivation and promotion of an ethical IT governance and management culture and awareness (measured through levels of governance and management skills and competencies) and of a common IT language. The board should provide the required leadership and direction to ensure that SABPP s IT achieves, sustains and enhances the strategic objectives of the organisation. IT governance is therefore seen as an integral part of the overall governance of SABPP. IT governance should focus on the governance of the information as well as the governance of technology. The board should ensure that an IT internal control framework is adopted and implemented and that the board receives independent assurance on the effectiveness thereof. The board should take the necessary steps to ensure that there are processes in place to ensure complete, timely, relevant, accurate and accessible IT reporting, firstly from the CEO to the board, and secondly by the board in the integrated report. The Chair of the IT Governance Committee (with the support of a Vice chair) is responsible for the following aspects of IT Governance: SABPP IT Governance Committee 3

4 Chair IT Governance Committee meetings and task teams. Advise the CEO regarding the implementation of the IT governance framework and strategy. Provide independent oversight over IT decision making, policy, governance and strategy. Ensure that frequent IT needs analysis is done and appropriate recommendations made. Inform the Board and Audit & Risk Committee of any IT risks facing SABPP. The CEO is responsible for the following aspects: The implementation of all the structures, processes and mechanisms to execute the IT governance framework. Effective IT frameworks and policies, as well as the processes, procedures and standards implemented with the view to minimise IT risk, deliver value, ensure business continuity, and assist SABPP to manage its IT resources efficiently and effectively. Inform the board about whether SABPP s IT function is on track to achieve its objectives, resilient and agile enough to adapt to strategic needs, adequately protected from the risks it faces, and such that opportunities can be pro actively recognised and acted on. Delegate operational IT tasks to heads of departments and other staff members. DECISION MAKING Decisions are made according to the following governance mechanisms: A quorum of three members must be present for decision making at the meeting. For daily matters, the Chair, Vice chair and CEO constitute the Executive Committee of the It Governance Committee. Once a clear strategy is in place, the CEO in consultation with heads of departments will make operational decisions about IT. For matters impacting on the overall strategy of SABPP, the SABPP Board Exco consisting of the SABPP Chair and Vice chair together with the CEO will make the relevant decisions. GOVERNANCE REQUIREMENTS The following governance requirements will be met by the committee: Ensuring that the IT interests and needs of SABPP are advanced through rigorous IT due diligence and decision making. Ensuring that IT strategy is aligned with the overall business strategy of SABPP. Adherence to the SABPP Ethical Code and other governance requirement such as the IT governance policy of SABPP. Proper governance, record keeping and follow up in terms of minutes, proposals and reports. Monitoring of the programme and reporting back to the Board. SABPP IT Governance Committee 4

5 INFORMATION ASSETS Information management initiatives are often driven by external regulations, requirements and concerns about data privacy, information security and legal compliance. To achieve compliance with external regulations and customer follow up and satisfaction, formal processes should be in place to record enquiries by means of tracking systems, establish databases and information systems and to manage information. Information management encompasses the protection of information (information security), the management of information (information management), and the protection of personal information processes by SABPP (information privacy). Information management Information records are the most important information assets as they are evidence of business activities. The board should ensure that there are systems in place for the management of information assets and the performance of data functions including the following: Ensuring the availability of information and information systems in a timely manner; Implementing a suitable information security management programme; Ensuring that all sensitive information is identified, classified and assigned appropriate handling criteria. Sensitivity includes all references to information which is personal, private, confidential, secret or unable to be disclosed. Many of the laws provide for offences and penalties where there has not been compliance with sensitivity requirements; The management of risks associated with information and information systems; Establishing processes to ensure continuous monitoring of all the aspects of information; Establishing processes to ensure the maintenance and monitoring of quality data; and Establishing business continuity programme addressing SABPP s information and recovery requirements, and ensuring the programme is aligned with the successful execution of business activities. Data integrity management is essential as the foundation for converting data to information, knowledge and business intelligence for appropriate IT and business strategy alignment, as well as consolidated reporting to the board, board committees and other key stakeholders. Information privacy The board should ensure that there are systems in place for personal information to be treated by SABPP as an important business asset and that all personal information that is processes by SABPP is identified. Personal information should be processed according to applicable laws. SABPP IT Governance Committee 5

6 Information security The board should ensure that an information security management system is developed, implemented and recorded in an appropriate and applicable information security (ISMS) framework. The board should oversee the information security strategy and delegate and empower management to implement the strategy. The CEO is responsible for the implementation of the ISMS. The ISMS should include the following high level information security principles: Ensuring the confidentiality of information; Ensuring the integrity of information; Ensuring the availability of information and information systems in a timely manner. REPORTING The IT Governance Committee will generate reports based on an analysis of IT needs and risks to be approved by the Board of SABPP. The CEO will report back to the IT Governance Committee and the Board of SABPP regarding the effectiveness of the IT strategy and systems. MONITORING AND EVALUATION The IT governance committee should ensure that SABPP acquires and uses the appropriate information, technology, processes and people to support its business and governance requirements in a timely manner and accurately. The board should oversee the proper value delivery of IT and should ensure that the expected return on investment from significant IT investments and projects is delivered and that the information and intellectual property contained in the information systems are protected. This can be achieved by clarifying the business strategies and the role of IT in achieving them; measuring and managing the amount spent on and the value received from IT; assigning accountability for organisational changes required to benefit IT capabilities; and learning from each implementation and becoming more adept at sharing and re using IT assets. Good governance principles should apply to all parties in the supply chain or channel for the acquisition and disposal of IT goods and services. Where the responsibility for the provision of IT goods or services has been delegated to another party, all parties (including the board) remain accountable for enforcing and monitoring effective IT governance. SABPP should obtain independent assurance on the IT governance and controls supporting outsourced IT services. This assurance should be aligned to SABPP s normal assurance activities under the auspices of the risk and audit committee. SABPP IT Governance Committee 6

7 The IT governance committee and CEO should ensure that all the basic elements of appropriate project management principles are applied to all IT projects. Effective review processes by independent experts are recommended. All IT risks will be identified and managed in accordance with sound risk management principles and practices. When considering SABPP s compliance with applicable laws, rules, codes and standards, the board should ensure that IT related laws, rules, codes and standards are considered. SABPP must comply with applicable IT laws and consider adherence to applicable IT laws, rules, codes and standards, guidelines and leading practices where relevant. The board should consider how IT could be used to aid SABPP in its managing of risk and its compliance with laws, rules, codes and standards. The IT governance policy will be monitored on an ongoing basis and proposed amendments will be considered by the board on recommendation by the IT governance committee. SABPP IT Governance Committee 7