What is IT Governance?

For corporates considering a new IT governance programme, the first requirement is to agree upon what it means, what it involves and who is responsible for its implementation and oversight. This includes ensuring that external IT services are also following accepted IT governance guidelines, so that best practice is maintained throughout the IT environment, whether in-house or outsourced.

Inadequate IT governance is not the exception, especially in mid-sized enterprises, but perhaps more surprisingly it is also a condition common to many large enterprises.

One of the root causes of these challenges is that the people responsible for the success of IT initiatives often use the term “governance” loosely, without sharing a common understanding of it and without completely comprehending what it actually involves. In these cases the first imperative in implementing a coherent corporate governance environment is to define what the term “governance” actually means.

The next step is to identify the key distinctions between good and poor governance and, having done so, to determine the path from poor to good governance over a pre-determined and realistic period of time.

What is governance?

A good place to start in our quest for a clear definition is the World Bank, which has described a common understanding of governance. It is defined as: ‘The rule of the rulers typically with a given set of rules’.

Or more simply put, governance is the process by which authority is conferred on rulers, by which they make the rules and by which those rules are enforced and modified.

How does the World Bank concept of governance translate to enterprises?

Corporate governance (the rules) refers to the formation and steering of the rules and processes of an organisation by which businesses are operated, regulated and controlled for effective achievement of corporate goals. Corporate governance structures (the rulers) are those bodies or councils which are specifically concerned with governance, while the Board of Directors is ultimately accountable for the application of good governance. Typically, the board carries out its governance duties via committees that oversee critical areas such as audit, compensation, acquisitions and so on.

To complicate matters, different corporate governance guidelines and regulations are used in different countries. One of the most commonly referenced is the OECD Principles of Corporate Governance. Another is the Sarbanes-Oxley Act, a United States federal law on accounting reform. There are also industry-specific regulations such as Basel III for banking, HIPAA for health insurance, and so on.

The importance of IT governance

Since organisations are increasingly dependent on IT for their operations and profitability, the need for better accountability of technology-related decisions has become a key part of corporate governance, making IT governance a highly strategic subset of the overall enterprise governance.

In the case of IT, governance – or the rules – links IT strategies to the overall enterprise goals and strategies. It also institutionalises best practices for planning, acquiring, implementing and monitoring IT performance; it manages the risks that IT poses to business and it ensures accountability of IT costs.

The IT governance structure

An organisation’s IT strategy committee, or the equivalent, is typically composed of board and non-board members who together form the governance structure that oversees IT governance. They are the rulers, who may in turn have sub-committees or groups responsible for specific areas of IT governance.

Over the years multiple industry-standard IT governance and control frameworks have evolved and are available for enterprises to adopt. The most commonly referenced are ISO/IEC 38500:2008, Corporate governance of information technology, and the Control Objectives for Information and Related Technology (COBIT).

In addition to these there are many other related frameworks and methodologies which help enterprises to address specific aspects of their IT governance. Fortunately the Calder-Moir IT Governance Framework has drawn upon and integrated the wide range of management frameworks, standards and methodologies that exist today – some of which overlap and compete – into a conceptual approach that provides an effective visualisation of IT governance.

Where does IT outsourcing governance fit?

Most enterprises today outsource at least some, and in many cases all, of their IT or IT-enabled business services to third parties. Because IT is now such a prominent driver of business success and efficiency, it has become vitally important for organisations to accept that while they may outsource their IT service delivery, they remain accountable for the service delivered to the business. Organisations need to know that their third-party service providers are following the accepted principles of good governance, to ensure they are in a position to effectively manage the risks and continue to deliver value to their corporate customers.

This specific focus, called ‘outsourcing governance’, is essentially a sub-set of IT governance, and its primary concern is regulating the interface between the enterprise and the outsourced service provider. One crucial point when considering outsourcing governance is that, given the close interrelationship between the in-house and outsourced IT environments, focusing on IT outsourcing governance in isolation invariably proves inadequate – it must be considered within the context of IT governance as a whole.

by Paul Michaels, CEO of ImprovIT, and Navin Anand, Managing Partner & Sudha Iyer, Consultant at WhiteBox Business Solutions 

IT risks—a director’s perspective

(Extracted from PWC’s ‘To the Point’ series – Spring 2011)

Some directors may be uncomfortable with the subject of information technology. Given how complex companies’ enterprise systems are, directors may be unclear about the questions they should be asking or the answers they should expect. But for some companies, where IT enables the company’s operations, it represents a major risk that boards should oversee.

How does a director know whether to step up the level of IT oversight? Much depends on the company and its complexity. Greater director oversight of IT is likely warranted if your company:

  • has a high volume of transactions; for example, a financial services company
  • collects and stores sensitive data about third parties (customers, patients)
  • has an open access network or open databases, allowing entry to the system by outsiders
  • maintains proprietary know-how, processes, procedures, or other intellectual property
  • has a multi-national scope

Even if your company doesn’t have these environmental factors, you should consider the need to increase director oversight when the level of IT risk increases, such as when:

  • major IT projects are underway—new systems, technologies or platforms
  • integrating programs from more than one platform—using “best of breed” products from different providers that require “bridging” programs to pass data from one platform to another
  • integrating an acquired business—especially one on a different IT platform
  • technology is enabling a new corporate strategy

So, how can boards be comfortable they are in a position to oversee IT risks that are important to the company? By

  • having someone on the board with reasonable technology skills,
  • asking the right questions and applying skepticism when considering the answers, for example, by asking follow-up questions and seeking corroboration through other sources, possibly an independent board advisor,
  • understanding the full cost of technology, including the consulting fees to install the systems, as well as the licensing fees, equipment, training, maintenance, etc., and assessing the implications of any cost variability,
  • getting regular updates on project status and understanding the factors that would signal when a project is in trouble

IT oversight often falls to the audit committee, though strategically significant technologies might be overseen by the full board. And it’s important to realize technology oversight doesn’t end with major systems as we’ve discussed here. Directors should be aware of and comfortable with the company’s web presence, as well as its use of social media and its policies governing such use (see also To the Point, “Social Media: What Directors Need to Know,” Summer 2010).