Information Technology Governance

Transcription

1 Information Technology Governance -- Governance as a tool to effectively manage an organisation s information technology infrastructure Ramakrishna Prasad Kodali, MBA-Tech. Mngmt., CISA, PMP, ISO/IEC Auditor, Six Sigma Green Belt Director IT & Prepress, Pragati Offset Pvt Ltd 1.1 Governance We are all familiar with governance as such and relate governance with running a country, state, district and local body. We are also familiar with how organisations -- both non-profit and business organisations are being governed. Governance can be defined as the exercise of economic, political, and administrative authority to manage the nation s affairs at all levels. It comprises all the mechanisms, processes, and institutions through which the citizens and groups articulate their interests, exercise their legal rights and obligations and mediate their differences. Governance is not the sole domain of government but it transcends government to encompass the business sector and civil society. 1.2 Corporate Governance The concept of Corporate Governance came into prominance for the last few years and many large and top companies have already adopted this. Corporate governance came into limelight few years ago as a mantra to not only run businesses effectively, but also to take care of all strict legal & corporate law compliance, by following very tight and disciplined controls 1

2 internally and voluntarily. Corporate Governance has become one of the most important area to concentrate on for the Board of Directors. Corporate governance is about commitment to values and about ethical business conduct. It is about how an organisation is managed. This includes its corporate and other structures, its culture, policies and the manner in which it deals with various stakeholders. Accordingly, timely and accurate disclosure of information regarding the financial situation, performance, ownership and governance of the company is an important part of corporate governance. This improves public understanding of the structure, activities and policies of the organisation. Consequently, the organisation is able to attract investors, and to enhance the trust and confidence of the stakeholders. 1.3 Enterprise Governance Enterprise Governance is a very new term and is just coming up as a new concept for governing organisations. According to a report prepared by The Professional Accountants in Business Committee (PAIB) of IFAC, Enterprise Governance is defined as the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the organisation s resources are used responsibly. Enterprise governance constitutes the entire accountability framework of the organisation. There are two dimensions of enterprise governance conformance and performance, that need to be in balance. Conformance is also called corporate governance. It covers issues such as board structures and roles and executive remuneration. It has had significant coverage in recent years following the various corporate governance scandals. Codes and standards can generally address this dimension with compliance being subject to assurance/audit. There are also well-established oversight mechanisms for the board to use to ensure that good corporate governance processes are effective in an organisation, eg, audit committees. 2

3 The performance dimension focuses on strategy and value creation. The focus is on helping the board to: make strategic decisions; understand its appetite for risk and its key drivers of performance, and identify its key points of decisionmaking. This dimension does not lend itself easily to a regime of standards and audit. Instead, it is desirable to develop a range of best practice tools and techniques that can be applied intelligently within different types of organisation. Unlike the conformance dimension, there are, typically, no dedicated oversight mechanisms such as audit committees. At the heart of enterprise governance is the argument that good corporate governance on its own cannot make a company successful. Companies must balance conformance with performance. 1.4 IT Governance Information Technology has come a long way in the last 6 decades, initially with huge analog systems and then to powerful mainframes based on semi-conductor technology and later to micro-processor based desk top systems in early 80s to current network and grid computing. In the past, and even now in many cases, Information Technology is always seen as a luxury for a business. IT always worked as a support function separate and distinct from the business and is always seen primarily as a cost center. However, over the period of time, organisations began to realise the importance of IT in their business and the increasing reliance IT systems which drive their businesses. Evolving from a cost centre, IT is taking on the character, rigor and practices of a business within a business ie. IT organisation within an Organisation. 3

4 Like electricity, IT powers business, but unlike electricity, which enables the operation of equipment according to immutable physical laws, IT enables the operation of businesses through a highly complex and ever-changing dynamic involving priorities, processes, and people. With this realisation came the idea of managing IT the way we manage our businesses. IT governance as a concept is emerging for the last few years and will soon take centre-stage on everything we do related to IS/IT. Some of the new laws that are enacted in US and other countries made things much more complicated for organisations. Unless otherwise companies have a clear view and plan on how to manage and govern their Information Technology setup, it will not only be a tough task to efficiently manage IT operations but also very difficult to be fully compliant with the stringent Acts which require organisations to maintain data and transaction details for complete audit trail. IT is essential to manage transactions, information and knowledge necessary to initiate and sustain economic and social activities. These activities increasingly rely on globally cooperating entities to be successful. In many organizations, IT is fundamental to support, sustain and grow the business. While many organizations recognize the potential benefits that technology can yield, the successful ones also understand and manage the risks associated with implementing new technologies. Some of the enterprise's challenges and concerns are: Aligning IT strategy with the business strategy Cascading strategy and goals down into the enterprise Providing organizational structures that facilitate the implementation of strategy and goals Insisting that an IT control framework be adopted and implemented 4

5 Measuring IT's performance Effective and timely measures aimed at addressing these top management concerns need to be promoted by the governance layer of an enterprise. Hence, boards and executive management need to extend governance, already exercised over the enterprise, to IT. Simply put, IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives. The definitions of IT Governance, according to ITGI, are: IT governance is the responsibility of the Board of Directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategy and objectives. IT governance is the organizational capacity exercised by the Board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT. Governance involves deciding what things to do and how to do them, while management involves actually getting them done. Many CIOs are beginning to see governance and management as an iterative, endless cycle of planning and execution within a framework built to keep IT aligned with the business. And they see both governance and management as encompassing all of IT s activities. 5

6 As IT budgets are getting extremely tighter in most companies, the only way additional resources can be generated or freed up is by reducing or freeing up resources that are used in unnecessary activities. Thus, both kinds of activities, strategic and routine, must be governed and managed effectively, in an integrated fashion, with common visibility and control for both. For example, effective governance requires that IT leaders be able to analyze the value from a proposed initiative, including hard and soft savings and how and when the savings will be measured. But it also requires leaders to be able to analyze how many requests are coming into IT, how much time is being spent on them, and by whom. It requires repeatable processes for provisioning new employees and managing application changes, and other routine but essential activities. 1.0 THE BENEFITS OF IT GOVERNANCE Effective IT Governance helps IT-heads handle the fast paced business and technology changes thrown-in by the new compliance requirements, large off-shoring/outsourcing, and increased complexity of the changes. New compliance requirements: Increased tighter controls and compliance requirements like Sarbanes-Oxley, etc. demand strict adherence to business policies, processes and procedures and the ability to give thorough & detailed audit trail. Outsourcing: Outsourcing and offshoring of IT activities has grown from a trickle to a huge wave in the past decade. The long-predicted death of distance has arrived with a vengeance. Offshoring without being prepared to govern properly and manage it will be suicidal for any organisation. When team members are separated by 10,000 miles instead of one inch of cubicle partition, the old ways of knowing who s doing what, and how effectively they re working, are every bit as dead as distance. IT organizations absolutely require comprehensive, real-time visibility to extract optimal value from their teams, 6

7 no matter where they work or who signs their paycheck. They must also have complete, auditable documentation of the work done on their behalf by contract employees and companies, or risk failing to meet those increasingly onerous compliance requirements. Increasing complexity and change: Not only do CIOs have to manage the greatly increased complexities of compliance and sourcing, they also face far more complicated applications, networks, and systems as well. These vital infrastructure elements are constantly changing to meet evolving business needs. If that change isn t planned effectively and executed on time, the business loses benefit. Worse, if it is bungled and takes down the system, millions of dollars can go down the drain within hours at many businesses. Effective IT governance meets the challenge of change, while forming an essential part of business technology optimization, which transforms IT into a business driver within your company and a differentiator against your company s competition. 2.1 IT change is long pending IT has changed the way we run business. Today, top management and finance departments take for granted the detailed real-time visibility and control into their financial performance provided by their Enterprise Resource Planning (ERP) systems. It s also the case that in many of the companies, top sales and marketing executives have the same information into customer issues through applications like Customer Relationship Management. So why is that the top management have not seen the same visibility and control within IT itself? If the finance department can close the books within 24 hours of quarter s end using technology, why can t the head of IT department report with certainty on the status of critical IT projects, the level of staff productivity, or IT budget compliance trends? Leading CIOs are intensely pursuing this critical goal of optimizing the value IT delivers to the business. They are seeking real-time visibility and control over IT initiatives and operations to drive out costs, increase 7

8 productivity, improve IT s alignment with business priorities. They are also focused on ensuring that IT is structured to support the imperatives of corporate governance. 2.2 Corporate Governance, IT Governance, and Compliance The controversy over the last few years on corporate governance standards is well known. However, the implications of that controversy for CIOs have not been fully understood in some quarters. Corporate governance is being significantly tightened from two directions: external regulation by governments and international bodies (exemplified by the Sarbanes-Oxley Act and Basel II), and internal controls to ensure compliance with management policies. Changes in regulations and policies normally require changes in process. Since 90 percent of mission-critical business processes have now been automated by enterprise applications, changes in business process almost always require changes to software. These changes must be managed, monitored, and maintained to ensure compliance with both externally imposed regulation and internal mandates. In the case of external regulation, the penalties for non-compliance can be severe. Assuring compliance is a key function of IT governance. Another key function of IT governance is providing the technology to deliver tighter alignment between shareholder interests and company interests. CEOs expect IT to help the business as a whole achieve a quality of corporate governance that yields improved transparency, compliance, and financial performance. Increasingly, they also expect IT itself to achieve this quality of governance, with similar, compatible processes. Overall, the clear trend is toward governing the business as a whole and IT in particular through consistent, enforceable processes. This is reflected not only in the growth of Six Sigma, CMMi, and other process-based business performance methodologies, but also in the recentralization of business operations. While business units retain profit and loss responsibility, in more and more companies they are losing the discretion to operate using self-selected enterprise applications and reporting systems that fall outside corporate standards. The need 8

9 for CEOs and CFOs to have everyone on the same page and be able to read that page clearly and immediately is simply too important. Meeting the expectations of CEOs, CFOs, and business unit leaders requires CIOs to gain real-time visibility and control over their initiatives and operations, and be able to run IT like a business. These expectations are not dampened when parts of IT are outsourced. Indeed, many business-side leaders have discovered that major offshore outsourcing firms routinely operate at much higher CMMi levels than their in-house IT operations. These new demands and increasing complexities require a new approach to IT governance, because for most companies, the old ways aren t working and the path is only getting steeper. 2.3 For CIOs, it s all about Business For a chief information officer, mastering technology is no longer enough to succeed. Highly effective CIOs are completely business-oriented. They recognize that they cannot govern IT in a vacuum, so they concentrate on running it as a business within a business. When IT governance is properly structured and executed, executives recognize its importance. This in turn increases the CIO s importance within the company as other executives better appreciate IT s contributions to business success. IT governance must become both more coordinated and more transparent. This is especially important because in many companies business units are gaining more control over IT spending, requiring CIOs to focus more effort on explaining and selling their technology vision to business-side leadership. IT governance must reflect and incorporate business language, priorities, and processes to gain buy-in from business-side leadership, and it must include an engaging, meaningful, and transparent way for business-side leaders to participate. Otherwise, it will have little value and only add to the perception of IT as a black box. 2.0 What are the IT Governance frameworks? 9

10 Over the years, a number of frameworks have emerged, each with their own strengths and weaknesses, but also, each with their own focus and purpose. The major frameworks are currently: ISO/IEC focusing upon IT service management ITIL - a lower level framework again for ITSM ISO / ISO focusing upon information and information security Six Sigma - focusing upon operational performance and defect identification COBIT - framework for information IT management risks Balanced Scorecard - a framework for measuring a company's activities in terms of its vision and strategies Prince2 - a project management method Two of the leading thinkers on IT Governance, PeterWeill and Richard Woodham of MIT s Sloan School of Management, are clear in noting that one size doesn t fit all. Effective IT governance requires the harmonization of business objectives, IT governance style, and business performance goals. Most popular frameworks being used are: COBIT, ITIL & ISO/IEC

11 COBIT as IT governance framework Successful organizations understand the benefits of information technology (IT) and use this knowledge to drive their shareholders value. They recognize the critical dependence of many business processes on IT, the need to comply with increasing regulatory compliance demands and the benefits of managing risk effectively. To aid organizations in successfully meeting today s business challenges, the IT Governance Institute (ITGI) has published version 4.0 of Control Objectives for Information and related Technology (COBIT ). COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework. It does not invalidate work done based on earlier versions of COBIT but instead can be used to enhance work already done based upon those earlier versions. When major activities are planned for IT governance initiatives, or when an overhaul of the enterprise control framework is anticipated, it is recommended to start fresh with COBIT 4.0. COBIT 4.0 presents activities in a more streamlined and practical manner so continuous improvement in IT governance is easier than ever to achieve. COBIT supports IT governance by providing a framework to ensure that: IT is aligned with the business IT enables the business and maximizes benefits IT resources are used responsibly IT risks are managed appropriately Benefits of Implementing COBIT Implementing COBIT allows for: Better alignment based upon a business focus 11

12 An understandable view of IT for management Clear ownership and responsibilities General acceptability with third parties and regulators Shared understanding among all stakeholders based on a common language Fulfillment of the COSO requirements for the IT control environment COBIT has become the integrator for IT best practices and the umbrella framework for IT governance because it is harmonized with other standards and continuously kept up to date. The process structure of COBIT, in conjunction with its high-level, business-oriented approach, provides an end-to-end view of IT that aids organizations in getting the most value possible from their IT investments. COBIT comprises six documents: Management Guidelines Implementation ToolSet Executive Summary Framework Control Objectives Audit Guidelines It has also been broadly mapped against a number of other methods and standards, including COSO, ITIL, ISO 17799, and ISO

13 Although it has existed for a long time, CobIT's global presense has not expanded as quickly as many might expect, especially as it is fundamentally a free publication. Possibly, this may be related to ISACA's approach to market forces and third parties. It is undeniable, however, that the Sarbanes-Oxley Act has given the framework a substantial lift in popularity, as it is the favored approach by many auditors. Whether this growth is sustained remains to be seen. ITIL as IT governance framework This framework is now relatively mature, having been developed originally during the 1980's by the United Kingdom government, initially for their own use. In recent years it has been adopted widely, and internationally, and is arguably the most widely used IT management framework. ITIL covers the organizational structure and skill requirements for an IT organisation/area by presenting a comprehensive set of management procedures. These are intended to be supplier independent and apply to all aspects of IT infrastructure The IT Insrastructure Library is fundamentally a collection of eight books, the contents of which are referred to as 'sets'. These 'sets' are sub-divided into what are termed 'disciplines', each of which defines a specific subject. The current ITIL sets are: Service Delivery Service Support Planning to Implement Service Management 13

14 ICT Infrastructure Management Software Asset Management The Business Perspective Security Management Application Management Of these eight, the most widely used are the first two: Service Delivery and Service Support ITIL s Service Delivery & Service Support best practices were adopted by ISO and the new standard ISO/IEC is gaining importance in IT service management. Which way to go? Each company sets its own business objectives and seeks to enact them through a set of desirable organizational behaviors that reflect the company s culture. Companies exhibit individual IT governance styles based on how IT relates to the business units, how the units relate to the corporate structure, and how broadly decision-making authority is shared within and among the organizations. IT governance mechanisms such as committees, service level agreements, charge-backs, and the like provide the means by which the IT governance style delivers substantive results. Among successful companies, there is generally a tight focus on particular business performance goals, documented by relevant metrics. These high-performing companies harmonized all these elements to achieve superior results in line with their performance goals. For example, top performers as measured by ROA [return 14

15 on assets] were heavy users of IT councils, capital investments processes, service-level agreements, chargeback practices, and process teams. All these mechanisms were used to maximize the value derived from the firm s assets by reuse, standardization, clear agreements, and financial disciplines. Harmonizing these factors is key to implementing effective IT governance. Experience tells us that effective IT Governance must reflect individual companies structures, goals, and styles. What is common to all, though, is the need to align IT investments with business priorities, execute as efficiently as possible, and attain full visibility and control over initiatives and operations. In today s increasingly complex environment, this is extremely difficult to do with patchwork solutions of point tools. Just as financial management has evolved from an array of manual accounting systems to standardized ERP applications, effective IT governance is most effectively implemented through a single transaction systemof-record that digitizes the workflow. GE has been a leader in digitizing business processes. Instead of the old, slow processes of decisionmaking and implementation that involve redundant meetings, phone calls, and Post-It requests stuck on people s computers, GE has methodically made these processes digital, placing them into automated workflows governed by business rules. When GE s then-ceo, JackWelch, launched the program, he described it as the biggest opportunity for leveraging technology to create business value. GE s subsequent assessments have proven him correct. A comprehensive transaction system for digitizing IT processes. Digitizing IT governance not only executes the work far more efficiently, it also captures data that leaders can view in real time through browser-based dashboards or cockpits, giving them instant visibility into initiatives and operations. This enables them to control schedule and budget far more effectively than previously possible. 15

16 This IT governance transition is best made incrementally. No one wants to repeat the horror stories of disastrous all-or-nothing ERP implementations during the 1990s. The realities of daily operations make it exceedingly difficult to hot switch from current IT governance and management practices to an entirely new methodology. 3.1 Risks in implementing IT Governance: Implementing IT Governance is not a easy task and require enormous resources in terms of effort, money, etc. Some of the pitfalls we should avoid while attempting to implement IT governance: Not enough participation by Senior Management: IT managers must present a strong case for IT governance by demonstrating its link to improved business performance, or senior business management will likely regard IT governance as an IT activity and deny it the priority and support it needs. Lack of clear goals: Without clear goals, some parties involved in the IT governance process will question their participation, wonder What s in it for me? and fail to embrace IT governance as a means to achieve business goals. Governance processes not defined properly: There must be clear, practical IT Governance processes that recognize the decision-making style, culture, and practices of the enterprise and identify action steps, roles, responsibilities, and final and intermediate deliverables. For some IT organizations, this may seem daunting. But there is a straightforward path to effective IT governance that unfolds once you make the decision to get started. Conclusion Every year, information technology becomes more tightly woven into daily business operations and IT heads are responding by using effective IT governance to run IT like a business. As they align IT activities tightly to 16

17 company priorities and deliver more value to the business, one can prove to all stakeholders, that IT, governed well, not only matters, but can be the change that moves the business forward. References: 1. COBIT 2. IT Governance Journal 3. Other journals, web sites 17