
GRC - it's about implementation

By Joanne Carew, ITWeb Cape-based contributor.
Johannesburg, 07 Mar 2013

When it comes to governance, risk and compliance (GRC), repetitive assessments without any unique concrete implementation plans are futile.

So says Gary Hardy, leader of the IT Governance Centre of Excellence at Deloitte.

Speaking at ITWeb's GRC Conference this week, he described proper GRC implementation as a way to drive value from IT. "IT is for everybody," he said, describing IT as a transformative tool. "If we are going to transform this country's economy and the way we provide support to our citizens, all of those initiatives will probably revolve around IT, and if IT is not successful, the transformation initiatives will not be successful."

According to Hardy, it is important to get the fundamentals right - providing defined guidelines and principles, as well as stipulating the roles and responsibilities of all individuals. Stakeholder involvement is a key component of good IT governance, said Hardy. "If you unpack the cause of why things have gone wrong in the past, I'd say 99% of the time the issues can be traced back to a lack of ownership, a lack of accountability and a lack of stakeholder involvement.

"From a management perspective, decision-making and understanding the impact thereof is at the core of getting implementation right," he said, adding that, often, management is not properly equipped to make the right decisions. "A good IT governance approach is about enabling management to properly take ownership, driving a transformational programme of work."

And it is important for management to be involved, said Hardy, because without support from top-level executives, this kind of transformation cannot happen.

When talking about IT-related business risks, Hardy noted the importance of focusing on those that have the potential to negatively affect business value. "We don't want to spend valuable rands on meaningless business risks when we could be focusing on business improvements."

One of the main challenges to correct IT governance implementation is viewing IT and enterprise as separate entities, when in fact the two function together towards the same goal. "When talking about IT governance, it is not just an IT-driven thing, it is a business-driven thing that transforms how an enterprise handles its use of IT." He believes the trick is to go back to basics, by regarding IT as any other part of the business.

"If we are going to embark on implementation improvement but we don't start with a clear picture of what we are going to achieve, with guiding principles and policies, unfortunately that improvement activity could fall into the same trap as other failed IT projects of the past."
