Moving towards information technology governance

Is your organization dependent on information technology (IT)? Does your IT support your business or enterprise goals? Is your IT strategy aligned with your overall strategy? How judicious are you in managing your IT resources and risks? Are you appropriately recognizing IT opportunities and acting upon them to gain competitive edge? Are you getting maximum benefits from or optimizing your IT-enabled investments? Are you measuring, benchmarking, monitoring and reporting IT’s capability and performance? Is there clear ownership and responsibilities over IT goals, risks, and processes or controls? Do you have an IT governance framework to organize IT strategy, objectives, processes, programs, projects, activities, and practices, and link them to business requirements? Has IT become a regular agenda during board or executive committee meeting?

Answers to these questions give clues on whether senior management and the board of directors are managing their IT resources well to ensure enterprise objectives are met and undesired events are prevented or the adverse impact mitigated in order to drive, sustain, and preserve their stakeholders’ value. Ensuring good corporate governance requires an effective, more extensive or mature IT governance implementation.

What IT governance is and is not?

The IT Governance Institute (ITGI) describes IT governance as “the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.”

IT governance is an integral element of good corporate governance to deliver value, manage performance, and mitigate risks.

Another definition of IT governance is the decision framework, rights, responsibilities and accountability to ensure desired behavior in the use of information and technology in support of the organization’s business goals.

Without good IT governance, a business heavily dependent on IT cannot have good corporate governance. Research organization Governance Metrics International’s 2003 study on 1,600 companies indicated that businesses with strong governance outperform those with weak ones in terms of shareholder return.

It is important to note that IT governance is not a compliance project; rather it is a continuous management program to ensure business solutions are delivered on time and within budget.

Neither is IT governance just a technology issue. It is also about leadership, people, policies, standards, processes, metrics, and goals to get the most value from IT (from cost to value creation center or strategic end) and to achieve the right balance between value, risk, and cost-effective IT performance.

Almost 90 percent of the participants in the ITGI survey IT Governance Global Status Report -2006, said that “IT is more critical to business than ever”. Majority of the respondents (i.e., about 65 percent) also reported that IT has become a regular board agenda.

KPMG study on IT governance

According to a material published by KPMG International entitled “Creating Stakeholder Value in the Information Age: The Case for Information Systems Governance Recent”, “for many organizations, governing IT and integrating it with the company’s overall corporate governance has become a confusing and daunting duty for senior executives and board members. Discussions on the subject often are disjointed, laced with lingo and muddled by unclear messages, which only serves to bewilder the very people who need to understand how to govern IT.”

Consequently, the desired value supposedly created with a well governed IT function that is aligned with overall business goals remains elusive and unfulfilled. Not a few IT heads (or chief information officers or CIOs) stand to lose their credibility with the members of senior management, especially with the view that IT has become a bottomless pit into which funds are sucked into and with a not so few failures in a number of IT-related projects.

Based on the same material, “the influence of many CIOs at the board level has declined and they often find themselves marginalized. Part of the fault for their marginalization often lies with CIOs themselves. They slip into techno-speak in discussions with non-technical CEOs and board members, when simple declarative sentences about costs, progress, and projects would do.”

Practical approach to IT governance

The KPMG paper mentioned above “stresses the importance of balancing the new requirements of controls and compliance with those of value and risk in order to assist in achieving sustainable growth. The paper concludes with some practical steps that can be undertaken by the organization to improve its IS governance as follows.

Obtain the necessary sponsorship. Creating a board-level IT oversight committee, much like the audit, risk management, and compensation committees already in place on many boards, might be the first step towards a strong IT governance. This move would elevate the importance of IT governance by sending a message to the organization, its investors, and other stakeholders that the business is aligning IT strategies, goals, projects and programs with the company’s business strategies and goals.

Understand the current IT governance environment by determining the following:

the IT governance mechanisms

business context in which IT operates

decision process on IT spending

risk management programs

level of customer satisfaction (internal and external)

rigorous and consistent processes and responsibilities for running IT, developing and improving applications, ensuring business continuity, purchasing, staff management, budgeting, business values, alignment of IT strategies with business strategies

differences between the current state or “as is” and the future state or “should be”, otherwise known as gaps. The future state may adopt the suggested processes and controls by various IT governance framework and related best practices in IT such as ITGI’s COBIT 4.1 (Control Objectives for Information and related Technologies), Institute of Internal Auditors’ SAC (System and Auditability Control), ISO 27001 (Information Security Management System), UK Office of Government Commerce’s ITIL (IT Infrastructure Library) and PRINCE 2, Project Management Institute’s PMBOK (Project Management Book of Knowledge), National Institute of Standards and Technology’s Generally Accepted Systems Security Principles (NIST-GASSP), and/or Carnegie Mellon Software Engineering Institute’s Capability Maturity Model (SEI-CMM). It is important that the practices and controls be adopted only after assessment of the significant risks that the controls would address and considering its applicability, propriety and relevance to the enterprise.

Create a design for moving to where you want to be with IT governance

Agreement on what business value is expected and how it should be measured

A list of short-, medium-, and long-term projects to improve IT governance over time

A way to increase the maturity of application development process

Ways to ensure buy-in from all levels of the organization

A schedule to meet with all the different departments and agree on how and where decisions are made for IT investments

A review of the customer feedback

A schedule to update and communicate the IT policies and procedures”

4. Perform a regular IT governance review (either through self-assessment, an internal auditor or third-party service provider) to assess and report the conditions and maturity level of IT governance and identify measures to further improve it. This undertaking can best be performed when benchmarked with IT governance framework and related best practices in IT.

Getting good at or better at IT governance takes time, persistence, and a methodical plan that starts with the recognition and acceptance that good governance is still critical for building and sustaining a great organization. While IT governance is not something that will happen overnight, nevertheless, it should continue to evolve using best practices or frameworks and be vigorously pursued if IT is to contribute strategically and deliver value for its stakeholders, while effectively keeping costs at bay and managing its attendant risks.

(The concepts, principles and approach to IT governance discussed in this article are derived from KPMG International’s thought leadership paper entitled “Creating Stakeholder Value in the Information Age The Case for Information Systems Governance and ITGI’s COBIT 4.1).

(Reginald C. Nery is a Partner in the Risk Advisory Services of Manabat Sanagustin & Co., CPAs, a member firm of KPMG International, a Swiss Cooperative. This article is of general information only and is not intended to be, nor is it a substitute for informed professional advice.  While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances. For comments or inquiries, please email [email protected] or [email protected])