CHAPTER 5:
WHAT IS IN AN IT GOVERNANCE FRAMEWORK?

An IT governance framework consists, essentially, of a set of principles, a decision-making hierarchy and a tailor-made suite of reporting and monitoring processes.

There are eight key decision areas for designing an IT governance framework:

1. IT governance principles and decision-making hierarchy. There are two types of principle in this context:

a. governance principles, to do with how IT is to be managed in the enterprise, and

b. implementation principles, to do with how IT is to be used to achieve the business strategy.

2. The information strategy (which must be derived from the business strategy):

a. What information do we need, where does it come from and what are we going to do with it?

b. Out of the information strategy comes the ICT strategy, which is made up of:

i. application,

ii. architecture, and

iii. infrastructure/technology strategies.

3. IT risk management – within the context of the organization’s overall risk management framework, risk to information and ICT needs to be treated in line with organization-wide criteria. These criteria should be reflected in the controls developed as part of the IT governance framework and the reporting and monitoring processes.

4. Software applications – how business applications are specified, developed, authorized, acquired and managed.

5. ICT architecture – including the integration and standardization requirements – that will meet the requirements of the information and applications strategy.

6. ICT infrastructure/technology:

a. How are IT services (including hardware and communications protocols) specified, developed, authorized, acquired and managed?

b. What services should be outsourced, how, why and to whom?

7. ICT investment and project governance – given the ICT strategy,

a. which IT initiatives (including outsourcing initiatives) should be implemented?

b. how should they be prioritized?

c. how should they be project managed?

d. what returns should be expected?

e. how should the portfolio of projects be managed?

f. how should any resultant business change be managed?

8. Information compliance and security:

a. What are the criteria for securing information?

b. How do we demonstrate legal/regulatory compliance?

c. How should this be measured and demonstrated?

d. How is IP protected?

e. What audits are required?

IT steering committee

IT governance is as much about IT leadership as anything else. The board needs to create a mechanism through which it can provide the business with technology leadership. Technology or IT leadership requires a specific mechanism, in a way that, for instance, neither HR (Human Resources) nor Sales do, for two reasons:

1. HR, sales, marketing, etc, are usually already dealt with effectively as part of the existing board agenda; most board members already understand the issues around sales and marketing and the people involved in making sales happen already get a great deal of informed attention. The organization almost certainly already has well-developed governance frameworks for these key activities. No additional benefits would accrue to the organization through the creation of additional leadership mechanisms for these activities.

2. IT, in contrast, is not as well understood at board level and there are usually no established IT governance frameworks inside organizations. It is not well understood, but it is critical: on average, investment in IT represents more than 50% of every organization’s annual capital investment and, typically, more than 30% of its cost base is in IT – for most businesses, the direct cost of IT operations is now second only to staffing as an expense item. There is, in other words, a gap between the importance of IT and the understanding of IT: an IT governance framework closes that gap, providing all those with a limited understanding of IT in the enterprise with a framework within which they can improve their understanding to a level appropriate for this critical contributor to their competitive position.

The board-level IT steering or strategy committee has a number of functions, some of which (depending on the size, structure and complexity of the organization) may be dealt with through subcommittees.

This committee takes the lead in dealing with IT governance principles (including the decision-making hierarchy), strategy and risk treatment criteria. The board also has a key monitoring and oversight role across the whole of IT, and particularly in respect of project governance. This monitoring component means that the board IT committee has similarities to the audit committee and, given the extent to which IT governance issues impinge on audit issues (particularly around internal control, eg, Sarbanes-Oxley) there is some sense in having a number of members of each committee in common.

They are not the same committees though. In some organizations the monitoring component of the IT governance framework will be included in the agenda of the audit committee, in order to ensure a clear segregation between those responsible for determining the ICT strategy of the organization and approving investment, and those responsible for monitoring and overseeing the appropriateness and effectiveness of those decisions.

Composition of the IT steering committee

The composition of the board steering committee should be straightforward. The chair should be selected on exactly the same basis, following the same rules, as the chair of the audit committee. There should be a majority of outside directors on the committee, and key executives should be invited to attend: the CEO, the CFO and the CIO (or equivalent) would be included as a minimum. In some organizations, it would be appropriate to include the CCO (Chief Compliance Officer) as well.

The other key business heads in the organization (whether production, procurement, retail, sales, marketing, etc, depends on the sector, the organization and the existing management structure) – the ones who would be included in any business strategy committee – should be included in the IT steering committee.

The CIO’s position and level of accountability should be clear. The CIO should be on the same level, and have the same status, as the CFO and the other functional heads (eg, sales, marketing, etc), with direct responsibility for managing the IT operations and personal accountability for the success of organizational IT activity.

1. The IT steering committee needs at least one outside director who has the right mix of business and IT experience and sufficient gravitas to lead the board’s IT governance efforts.

2. All the other directors should be prepared and determined to question every aspect of IT planning and activity.

3. The executive – particularly the CIO and the IT management – should be banned from using IT jargon, and forced to express everything they have to say about IT in a format that focuses on comprehensible (to the non-IT specialist) opportunities, issues, risks or plans.

4. Employ outside experts (strategic IT consultants) as board advisers with the specific brief of confirming that what the board has been told is accurate, complete and true and, if not, what has been left out.

Enterprise IT architecture committee

A critical component of a useful IT governance framework is the enterprise IT architecture. The determination of this architecture can only take place in the context of the business and information strategies, in line with the key IT implementation principles and taking the security, compliance and risk treatment criteria into account.

The enterprise IT architecture is a set of organizing principles that determine the way in which the organization’s information and communications technology will interact with its operating systems, applications and data.

The architecture should (for instance, if the key principles adopted allow it) ensure technical integration, minimising inter-system hand-offs (which is where significant cost and risk reside) and allowing the IT organization to respond cost-effectively to business needs.

The ongoing role of this committee is to ensure that all ICT deployments (including outsourcing proposals) are in line with it, fiercely warding off attempts to deploy non-standard hardware or systems – unless the architecture itself is adapted, taking into account the ramifications for existing installations, future upgrades and current projects.

This committee might, in larger organizations, be led by a Chief Architect, who would also be responsible for the formalization and communication across the organization of the architecture.

Key members of the committee, alongside business delegates who understand the organizational architecture, would include senior managers with expertise in systems, data, security and infrastructure. The organizational risk manager should also be involved with this committee.

IT audit

The second area in which most organizations are inadequate, where IT is concerned, is oversight. ‘Oversight’ must include oversight by the board and must cover more than internal financial controls. Every board needs to empower either the IT Committee or the Audit Committee to deal with IT oversight.

An IT audit plan needs, just like a financial audit plan, to reflect the organization’s key risk areas. It must review regulatory compliance, information security, IT project progress and technical implementation, as well as the skills and competences of the specialized staff employed in the organization.

Its objective is to provide the outside directors with real, technical assurance that the IT implementation principles and the governance framework are being applied, and to identify any areas of non-conformance that need to be drawn to the attention of directors.

Use qualified IT auditors for this work, and insist that they work within your organization’s risk and IT governance framework. Pay no attention to non-conformance reports that are based on anything other than your own framework.

Third-party standards

There are a number[15] of information- and IT-related external management standards that an organization may choose, be required or be mandated to deploy. The best known and most widely used are:

• CoBIT (Control Objectives for Information and Related Technology), which is ‘increasingly internationally accepted as good practice for control over information, IT and related risks. Its guidance enables an enterprise to implement effective governance over IT’.[16]

• AS 8015-2005, the Australian standard for the corporate governance of information and communication technology.

• COSO (Committee of Sponsoring Organizations of the Treadway Commission) – an integrated framework for internal control.

• GAISP (Generally Accepted Information Security Principles) – a failed attempt to unify and harmonize information security principles and to measure their success.

• ISO 17799:2005 (the international code of best practice for information security) and ISO 27001:2005 (against which an organization’s information security management system can be certified as conforming).

• ITIL (IT Infrastructure Library) – an integrated set of best practice recommendations for IT management. ISO 20000 is the international standard for IT service management and is heavily based on ITIL.

[15] See, in this Pocket Book series, IT Governance Frameworks, and Information Security Frameworks.

[16] www.isaca.org.

Each of these management systems is sponsored by a different organization and, while there is substantial overlap, each has a slightly different objective and none provides a complete IT governance framework. CoBIT or COSO, for instance, are important for Sarbanes-Oxley compliance but may be more than organizations in many other jurisdictions require immediately.

ISO 27001 is increasingly important for organizations seeking to win outsourcing contracts, particularly those to do with call centres and other activities dealing with personal information. In many jurisdictions, the fact of conformity with a management system such as ISO 27001 will be taken as evidence that the board has properly discharged its responsibilities in respect of information security and data protection.

External systems are all useful, if you identify those that you actually need and you ensure they are effectively integrated. Other systems and standards – such as CMMI and six sigma – are also important, and individual industry sectors (eg, healthcare, financial services) sometimes have their own specific requirements around information security and internal control.

The IT governance framework has to be designed in such a way that, where more than one of these systems is required, they are successfully and – to the greatest extent possible – seamlessly integrated.
