
Can corporate governance rein IT in?

By Carel Alberts, ITWeb contributor
Johannesburg, 19 Jan 2004

In reality, IT governance and corporate governance are often managed separately, admitted Ben Pentz, an information risk consultant with First Rand Bank, on the first day of the IT Risk Management Symposium in Sandton today.

Pentz said IT governance is a subset of enterprise (or corporate) governance, and the two areas "drive and set" each other, but this ideal is often not followed in practice. "We must keep at it," he urged. "IT is a young industry, and we haven't had centuries to refine its governance. It will come."

How it should be done

Pentz said organisations must decide on an IT governance framework, such as the IT Infrastructure Library (ITIL), Cobit, the framework of the Universities of California and San Francisco, SPORT and others, and adapt it to the enterprise's needs.

"ITIL, for instance, has a lot of documentation, but it is highly regarded," he said. "The main thing is that corporate and IT governance must operate together."

Pentz commented that the board, which bears responsibility for governance, must view IT as an enabler of business and a creator of new business. "They must increase focus on IT's alignment with business, its value delivery, risk management and performance measurement."

Pentz added that governance issues were more important than the framework eventually chosen. "To ensure non-IT staff and the board understand their responsibilities, IT staff must discuss issues in business language," he said. "For the board to determine the risk appetite and tolerance of the organisation, the language of IT risk must be demystified.

"For instance, you'll get a blank look from any senior executive if you talk about 'RAS-ing into the server'. And I'm not sure that executive will care much either [unless you explain it]."

Pentz concluded by saying a successful IT governance framework, part of which depends on its alignment with business, is flexible, employs central IT staff, defines reporting to central management, provides operating infrastructure support and delivery of applications, and is project-managed as a portfolio. "Standards are enforced in such a scenario," he said.
