7 REVIEW OF PART A

This chapter presents a brief summary of the first half of the book. If you are a member of a governing body or a senior executive, I am hoping that you will have read the book this far. However, you might find this chapter a useful summary that you can share with your other board/executive team members by way of an introduction to the topic of the governance of IT and the benefits of implementing the international standard ISO/IEC 38500 in your organisation.

If you are an IT person and you are more interested in reading the second half of the book to get some hints, tips, tools and ideas for implementing IT governance, then you might find that reading this chapter gives you a good idea of where your governing body and senior executives are coming from and what they hope to achieve from the implementation of the 38500 standard in your organisation.

HISTORY

Contrary to popular belief, IT and information governance is not a recent topic, dreamt up in the 1990s to force the then maturing IT industry to grow up quickly. The principles around this subject area have been in play since the earliest days of civilisation.

Rulers, emperors, and other generally smart people have understood the need for access to reliable and accurate information to inform good decisions and they have understood the need for security to deter warring nations and other competitors. Even our early governing ancestors understood that survival and growth relied on putting the right people in the right roles and developing a strategic plan for using resources wisely. Having access to valuable information and having the intelligence to interpret it was a prerequisite for success as a leader. The same holds true today.

The advent of technology in the form of computers has made it possible to locate, store, process and disseminate great volumes of information. IT systems have quickly become a more and more critical part of all business, engineering and design systems. However, having more information and more technical systems and solutions at your disposal does not necessarily make you smarter or more effective and efficient at what you do. A group of us (with representatives from around the world) came to the conclusion, whilst sitting in a standards meeting in Bari, southern Italy, in 2005, that some guidance was required to help people make the best of their information and IT systems. We were in the process of fast-tracking the excellent UK guidance on IT service management to become an international standard, but we realised that putting in good process and practice for operational IT was only addressing part of the problem. My ISO study group on IT governance put forward the Australian IT governance standard for fast track in 2006, and the first international IT governance standard was published in 2008. The standard lists six principles to guide the setting up of an IT governance framework and decision-making model that will put you back in charge of your organisational information and supporting technology. And, like the ancient rulers, you will be in a good place to fight off your competitors and any other warring factions.

Since 2008, we have been working on a portfolio of IT governance standards covering related areas of particular relevance to world markets. We have draft standards to assist with the governance of IT audit, the creation of a digital forensics risk framework and the application of the governance principles to interoperability, thereby creating organisational guidelines for the bring-your-own-device era. As a market need for guidance emerges, we apply ourselves to creating relevant material in as short a time as possible. The international representation and the consensus-led ISO process together have ensured that our output has been generally applicable internationally.

THE STANDARD – 38500

In the sections on the IT governance standard we looked at the 38500 standard in detail and from the viewpoint of a governing body intending to introduce a governance framework within an organisation. The standard is short and succinct and designed for a busy, intelligent audience. The principles listed below form the backbone of the standard and the basis for any organisational governance framework:

  • responsibility;
  • strategy;
  • acquisition;
  • performance;
  • conformance;
  • human behaviour.

The evaluate-direct-monitor governance activities described in this section provide the basis for a continual improvement mechanism for ensuring that good governance practices are in place and that they meet the needs of the organisation.

The IT governance standard 38500 provides excellent guidance for the development of an IT governance framework for an organisation, irrespective of type or size. Where there is an existing framework and strategic planning documents, the standard can be used as a checklist to ensure that all appropriate governance activities are in place. Unlike other IT governance systems, methodologies and frameworks, such as COBIT (Control OBjectives for Information and Related Technology, a framework created by ISACA), the standard is set in the context of corporate governance and board responsibility and is descriptive rather than prescriptive.

For the directors of an organisation, the standard provides a useful set of questions to determine how well IT systems are managed. For IT managers, the standard sets an expectation of risk mitigation and best practice reporting.

Ongoing ISO work in the area of the corporate governance of IT will see the development of a series of related governance standards covering different areas of IT. Associated research by the academic members of the ISO IT governance working groups will help determine which of the six key factors identified in the 38500 standard are critical to the development of excellent IT governance practices. Already we are seeing that the sixth principle, human behaviour, seems to be the most important of the set. So, despite our focus and reliance on technology, we remain fully dependent on the humans who develop the technology and the humans who operate it.

BENEFITS

In the section on benefits, we looked not only at the positive outcomes from implementing the IT governance standards in your organisation, but also at the negative outcomes that have been observed across organisations with no formal IT governance structures in place. We listed the positive outcomes as follows:

  • cost reduction;
  • performance improvement;
  • ability to react quickly to market changes;
  • increased customer satisfaction;
  • increased revenue per dollar cost;
  • general workplace benefits for your board, management and staff.

Even if you are not fully persuaded by the positive outcomes, I hope that the risk of the negative outcomes will encourage you to look into this subject further. These negative outcomes can include combinations of the following:

  • security breach;
  • financial loss;
  • nasty surprises;
  • general reputation loss;
  • loss of business.

In the last few years, since we started work on the standard, I have seen organisations with poor IT governance models in place fail to the point of ceasing to trade and I have seen directors and other members of governing bodies face dismissal and other more serious consequences for negligence in IT matters.

In summary, the benefits of having a good IT governance framework in place are ‘no nasty surprises’ and efficient and reliable, safe and secure IT services and systems. Bear in mind that it is not always obvious with IT systems when things are not going well, and the bad activities can stay invisible for a surprisingly long time.


A business in my home town of Wellington, New Zealand, employed an administrator who continually syphoned off a portion of the larger financial transactions that they were handling by overcharging the unsuspecting customers and robbing their employer. Good IT governance would have enforced peer review for large transactions, audit and security management processes and numerous other checks and balances that would have at least identified the fraudulent activity early on, and at best (and most likely) would have prevented such activity. As it was, the deception carried on for a number of years. As a potential customer, I am encouraged that the staff member lost their job and was identified publicly. However, I would not even consider using the service until the organisation changes its processes and introduces good IT governance around the handling of financial transactions.

If you are a director or on the governing body of an organisation that relies on IT and technologically administered information assets, then taking on the advice in this book could be a turning point for your organisation.

WHERE TO GO FROM HERE?

You have reached the end of the first part of the book. So far, we have talked about the history of IT governance, the benefits of implementing the 38500 standard and the dire things that can happen without an IT governance framework in place. We have introduced the principles of the standard and explained the important contribution that each one can make to the health, success and happiness of your organisation. We have looked at the director’s IT governance activities – evaluating internal needs and external business pressures, directing IT activity and monitoring output and outcomes from IT systems and solutions.

To proceed from here, the governing body needs to adopt the principles, tailoring them to the organisation in a way that will be meaningful for the management team who will have the task of implementing the governance framework. Tailoring will involve using terminology that is familiar to the organisation, and elaborating the principles to help the management team focus on areas of particular importance to the governing body. Some thought also needs to be given to how the governance activities of evaluate, direct and monitor will be carried out in a consistent way by the governing body.

One final task of the governing body is to set up a steering committee that will guide you through your governance implementation. The set-up and structure of this steering committee should follow the same pattern as the set-up and structure of the groups that steer your other organisational governance initiatives. The key aim for developing the framework is to ensure that the governing body is supplied with the information in the format and to the quality required to make excellent decisions around the adoption and use of IT and information across the organisation. Therefore, to set up a steering group without representation from the governing body is nonsense. On the other hand, you do not want your entire governing body to be preoccupied by the programme of work or too hands-on in providing advice to the CIO and the executive team. They will be filled with excellent ideas for the development of the framework. However, it is essential to have one or more members of the governing body at the helm of the group to ensure that long-term governing body organisational objectives are held front of mind at all times.

There is a fine balance, and I am sure that if you look back through the history of your organisation, you will find records of a structure set up for a similar programme that ended well. My advice is to copy it.

If you are a director or a member of a governing body, I expect that you will be ‘leaving us now’. Please take a moment to speed-read the second part of the book, Part B, before placing the book firmly in the hands of your CIO, your IT managers or key IT team, and telling them to ‘make it so’. Think through carefully how you are going to assign the task ahead, and how you are going to act as mentor, sponsor and management-board conduit when a board decision is required. Are you going to hire the services of an independent consultant to assist and guide the internal IT team? Your CIO or equivalent will be able to own and manage most of the framework development process, but you will need somebody outside of the team to run the initial gap analysis. The only helpful advice I can give you is to choose that external person very carefully.

I hope this book will help you towards clearer interactions with your IT team, as they understand where you are coming from, the risks that you are working to address, and the overall business delivery goals that you want to see achieved; and you understand the challenges they face in their attempt to deliver highly available, secure and safe systems in a constantly evolving field, where technology and professional practice are still on a fast growth curve.

The de-jargonised review of Part B in the final chapter is designed to be a useful resource for you to print out for your fellow directors. If your IT team are particularly technology- rather than business-oriented, then, hopefully, this book will open up some new meaningful conversations for the eternal benefit of your business.

Part B covers the full implementation of the standard from developing a plan through to execution. We then cover managing the IT governance framework on a day-to-day basis and keeping it current. Then we discuss the optimisation of the IT governance system and how your team can develop and adopt a mindset of continual improvement. Finally, the section ends with a list of resources – tools, templates and other useful artefacts that I have used or seen when implementing the 38500 standard at client sites, and a list of references for those of you eager to find out more about the concepts and topics covered in this book.
