What is IT Governance?
Information technology governance is an element of corporate governance that is aimed at improving the overall management of IT and deriving improved value from investment in information and technology. Corporate governance, as defined by The Governance Institute, is:
“a toolkit that enables management and the board to deal more effectively with the challenges of running a company. Corporate governance ensures that businesses have appropriate decision-making processes and controls in place so that the interests of all stakeholders are balanced.”
Establishing a framework for corporate governance of information technology can help an organization comply with requirements of laws and regulations for business, such as the DPA (Data Protection Act) 2018 and the GDPR. IT governance planning in an organization will help you to define and maintain appropriate policies and procedures that will help you to meet these requirements for data security and privacy.
It can also help to maximize the return on your investment in IT. It does this by helping you to evaluate, prioritize, and select which investments are most likely to give you the best returns, and by ensuring that IT purchases and activities are aligned with overall business objectives.
Planning coupled with the proper structure can help to ensure that IT is operated in an effective, efficient, safe, and regulatory compliant way. Establishing a framework can also help with the management of IT-related risks, for example, through using IT security governance to manage the risks from cyber-attacks.
Technology governance as a part of IT governance can reduce the costs of IT support by encouraging the use of a standard set of technologies. Through the application of frameworks such as COBIT, it can also be used to standardize all IT-related processes, reducing costs and improving customer service. Other benefits include:
- Demonstrating measurable results arising from the use of IT.
- Assuring stakeholders that they can have confidence in your IT services.
- Facilitating increased returns on IT investment.
- Complying with any corporate governance requirements.
The History
The history of this discipline started a long time ago, at the dawn of computing. Ways were devised to control which developments would get funded and to ensure the quality of deliverables, but this early IT governance was not recognized as a separate discipline within IT. The formal history first emerged in 1993 as a derivative of corporate governance. This provided a focus on linking IT management with the organization’s strategic objectives and business goals, highlighting the importance of value creation and accountability for IT.
Following some high-profile governance failures involving corporate fraud and deception, in the 1990s, several countries decided to establish some formal codes and regulations for corporate governance. These include:
- Committee of Sponsoring Organizations of the Treadway Commission (USA).
- Cadbury Report (UK).
- King Report (South Africa).
- Gramm–Leach–Bliley Act (USA).
- Sarbanes-Oxley Act (USA).
These led to a realization that governance of IT systems and IT management was essential to support strong corporate governance, as IT underpinned the daily operations of most businesses. IT was seen as an enabler of corporate governance and a value creator that required stronger governance.
This led to the development of a standard, the AS8015 Corporate Governance of ICT, which was published in Australia in January 2005. In May 2008, this was used to fast-track the publication by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) of an international standard for IT Governance, ISO/IEC 38500. Publication of this standard was a milestone in the history of IT governance. It provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT.
IT Governance Objectives
For good IT governance, developing a successful strategy is crucial. IT strategy and governance must be tightly coupled, as following a technology-based strategy alone is unlikely to meet the organization’s business objectives.
Objectives should not sit in isolation; they should be a key part of the overall IT strategy that should be part of the organization’s corporate strategy. IT governance exists within organizations to guide IT initiatives and to ensure that the performance of IT meets the following corporate objectives:
- Align IT to support business operations and deliver value.
- Use IT resources responsibly.
- Identify and manage risks related to IT.
The goals and objectives for any organization should include the following aspects:
- Alignment: The governance must ensure that the IT services and developments are fully aligned with the organization’s business strategy. Lack of alignment between the IT strategy and the business strategy can cause adverse business issues.
- Value delivery: The governance must ensure that the maximum business value is obtained from the IT systems.
- Risk management: All IT-related risks must be sufficiently controlled or mitigated, including the risks of investments as well as operation.
- Resource management: The governance must ensure that the IT capabilities and resources are always sufficient to meet the current and future business objectives through appropriate sourcing of new and use of existing IT resources.
- Performance measurement: The contribution of IT to achieving the organization’s strategic objectives should be measured. This will demonstrate how IT governance adds value to the business.
Embracing these objectives will help to deliver optimized business value and facilitate gaining and maintaining the trust of key stakeholders.
The Importance of IT Governance
Why is IT governance important? To start with, it underpins corporate governance. Why should corporate governance include the governance of IT? Because just about every organization today relies on IT systems in some form. The importance of IT relative to the activities of the organization will, of course, vary between different types and sizes of business, but it cannot be ignored. Corporate governance failures can result in fines and even the imprisonment of executives. Blaming IT is no defense. Hence, considering what corporate governance is and why IT must be included in its scope should help to persuade you of its importance.
IT governance provides an organization with a structure of relationships and processes that direct and control how IT is provided and operated. Using this type of governance helps the enterprise to achieve its goals by adding value from IT whilst balancing the risk versus reward of IT investments and processes. It provides the structure that links IT processes, IT resources, and information to enterprise strategies and objectives.
IT projects should also be in the scope of governance. The organization might have separate governance arrangements for projects, but where this is the case, there must be a strong link with the approach used to govern IT; otherwise, there is a risk that projects may be delivered on time but not align with the necessary requirements for governing IT. This is key when considering what project governance is and why it is important.
What are the Benefits?
The benefits will vary between different organizations. For those that are in highly regulated industries, such as healthcare or aerospace, the benefits of good governance are clear. Maintaining compliance with the governance requirements of these sectors is not just something that is nice to do; it is mandatory if the organization wants to stay in business.
As well as maintaining compliance, there are several other potential benefits. Many of these are shared with what can be achieved through applying corporate governance best practices and are not unique to IT. But they all should be considered as potential benefits when carrying out IT governance planning. The potential benefits include:
- Reduced risks: As governance includes risk management, the impact of IT-related risks is reduced or eliminated.
- IT alignment: ensuring that IT aligns with and actively supports the goals and strategy of the organization.
- Improved culture: IT culture is no longer seen as different from the culture of the organization.
- Compliance: The governance of IT supports compliance with governance requirements.
- Managed projects: Governance aids improved control over IT projects.
- Successful projects: Because IT projects are aligned with the organization’s strategic goals, they are more likely to be rated successful by the business.
- IT’s profile: IT’s profile in the rest of the business will improve as it demonstrates understanding of, and support for, the organization’s goals.
- Managed performance: The performance of IT’s contribution to the organization is measured.
- Managed resource capacity: IT resources are matched to business demand.
- Optimized operations: IT activities are optimized to deliver benefits to the organization.
- Improved information governance: Controls can help the organization to achieve the benefits of information governance.
IT Governance Process
There is no single process that can be used to govern IT. A number of different processes and practices are required, which should be used on an ongoing basis. It is not something that you do once or once a year. It has to become an inherent part of how you operate IT, using processes that are repeatable, scalable, and controllable. They should be regularly reviewed to ensure that they continue to deliver the expected value to both internal and external customers.
It is common practice to use several different but related processes, each focusing on a different area of IT. This integrated collection is often referred to as an IT governance landscape, the scope of which includes IT systems, architectures, services, developments, networks, infrastructure, and processes. As each of these has different characteristics, they are often subject to different governance approaches linked by a common strategy. Here are some examples of the process:
- IT architecture governance: This governs the development of IT architectures by establishing guidelines that new developments have to comply with. IT architecture governance can prevent an organization from using more technologies than they can support, ensuring that the use of any new technologies is carefully considered before use and optimizing support costs. Standard architectural models such as TOGAF are often used as part of IT architecture governance.
- IT process governance: This governs the processes that are used to develop, team, and support IT products. It can be used to standardize processes across the organization, removing the reliance on single individuals and supporting consistent outcomes. COBIT is a good example of an IT process governance framework.
- Enterprise IT governance: The term enterprise IT refers to hardware and software designed to meet the demands of large organizations. While it is easier to implement governance for these large-scale systems compared to collections of smaller systems, the processes for governance of enterprise IT have to be able to cope with the scale of use and complexity that often comes with enterprise IT systems.
- Product development governance: This is for organizations that develop their own IT products. It is a specific type of IT process governance that encompasses the software development lifecycle processes and the relationships between them, with an emphasis on governing development.
IT Governance Models
IT governance models define a set of rules, regulations, and policies that define and ensure the effective, controlled, and valuable operation of an IT function. They also provide methods to identify and evaluate the performance of IT and how it supports the business. Many organizations define their own model; some widely-used models can be adopted then tailored to suit the needs of the specific organization. This is very similar to the approach used by many organizations for IT security governance, which takes the ISO/IEC 27001 information security standard model, then selects which governance controls are relevant to their circumstances.
Which of the models is most appropriate for you depends on what type of business you are. For example, an IT organization that specializes in managing the delivery of IT projects would be best suited to an IT project governance model, such as PRINCE or PMBoK. An organization that encompasses every discipline in IT might be better suited to an IT governance model based on the COBIT framework, possibly enhanced by the ISO/IEC 20000 standard for IT service management.
ISACA, a leading global provider specializing in governance, has developed some useful guidance that separates IT governance models into 5 separate domains. No organization is mandated to use all of these domains – but they are advised to consider all of the recommendations, standards, and best practices associated with the domains against their needs, compliance requirements, and capabilities.
The 5 domains are:
1. Framework for the governance of enterprise IT: Organizations need to implement an IT governance framework that stays in continuous alignment with enterprise governance and the key drivers (both internal and external) directing the company’s strategic planning, goals, and objectives. This framework should, wherever possible, attempt to utilize industry standards and best practices (COBIT, ITIL, ISO, etc.) in accordance with the explicit needs and requirements of the business.
2. Strategic Management: To be effective in enabling and supporting the achievement of business objectives, the business strategy must drive IT strategy. As such, the strategy of the business and IT are intrinsically linked. Efficient and effective business operation and growth rely on the proper alignment of the two. Some of the most effective methods for achieving this alignment are the implementation of an enterprise architecture methodology, portfolio management, and balanced scorecards.
3. Benefits Realization: IT governance helps the business to realize optimized business benefits through the effective management of IT-enabled investments. It aims to ensure the delivery of IT benefits through the implementation of value management practices, benefits realization planning, and performance monitoring and response. Portfolio management can be used to help govern IT-enabled investments, as well as the design and use of appropriate performance management methods. A culture focused on continuous improvement can also help to ensure that benefits are continually achieved.
4. Risk Optimization: The identification, assessment, mitigation, management, communication, and monitoring of IT-related business risks is an integral component of any enterprise’s governance activities. While the specific risk management activities for IT will vary widely based on the organization’s size and maturity and the industry in which it operates, it is important to develop a robust risk management framework that can effectively demonstrate good governance to stakeholders and customers.
5. Resource Optimization: Good models ensure that IT can provide the resources necessary to meet business demands, including people, information, infrastructure, and applications. The models should also ensure that IT has sufficient resources available to meet current and future strategic objectives. This requires a focus on identifying the most appropriate methods for resource procurement and management, monitoring of external suppliers, service level management, knowledge management, and staff training and development programs.
About us:
We are Timus Consulting Services, a fast-growing, premium Governance, Risk, and Compliance (GRC) consulting firm, with a specialization in GRC implementation, customization, and support.
Our team has consolidated experience of more than 15 years working with financial majors across the globe. Our team comprises experienced GRC and technology professionals with an average of 10 years of experience. Our services include:
- GRC implementation, enhancement, customization, Development / Delivery
- GRC Training
- GRC maintenance, and Support
- GRC staff augmentation
Our team:
Our team (consultants in their previous roles) has worked on some of the major OpenPages projects for Fortune 500 clients across the globe. Over the past year, we have experienced rapid growth, and as of now we have a team of 15+ experienced and fully certified OpenPages consultants, OpenPages QA staff, and OpenPages leads/architects at all experience levels.
Our key strengths:
Our expertise lies in covering the length and breadth of the IBM OpenPages GRC platform. We specialize in:
- Expert business consulting in the GRC domain, including use cases such as Operational Risk Management, Internal Audit Management, Third-Party Risk Management, and IT Governance, amongst others
- OpenPages GRC platform customization and third-party integration
- Building custom business solutions on OpenPages GRC platform
Connect with us:
Feel free to reach out to us for any of your GRC requirements.
Email: [email protected]
Phone: +91 9665833224
WhatsApp: +44 7424222412
Website: www.Timusconsulting.com