
IT governance 'must be enterprise-wide'

By Martin Czernowalow, Contributor.
Johannesburg, 30 Jun 2005

Enterprise-wide risk management (EWRM) and controls are needed to achieve IT governance as part of an organisation's overall corporate governance process, delegates at the IT Governance 2005 conference in Midrand heard yesterday.

Cura Software Solutions CEO Avi Eyal explained that corporate governance is an organisation-wide process, which dictates the manner in which a company conducts business, and includes ethics, culture, processes and sustainability.

"The only way to ensure proper governance is through compliance and risk management. Controls based on standards and best practice are key," Eyal said.

He noted that corporate governance should seek to address what the board of an organisation wants and what the CIOs, IT managers and IT/IS departments want, and how to bridge the divide.

In terms of corporate governance standards, Eyal said these may be applied through processes such as BS 7799, Cobit and COSO, and are applied to an organisation in the form of information security, continuity, project risk management and IT auditing.

In the past five years, companies have started applying an enterprise-wide model to corporate governance, Eyal said, in an attempt to integrate controls such as design, assessment, management, review and assurance. This model can be applied to any business unit, including IT, within an organisation.

"Every requirement can be fulfilled within a business through this model. It is a consistent way of managing information," he said.

To successfully apply this model to IT governance, Eyal said an organisation's IT unit needs to follow a five-step process.

Firstly, it needs to understand how it fits into the corporate goal of EWRM/compliance/governance and what assets or processes it needs to manage, he said.

IT managers or CIOs then need to collect and define information necessary to set common management or measurement and set up a common library or language.

"Thirdly, involve other business units through workshop to collect information, educate and obtain buy-in from other units."

The fourth step in the process involves putting into place a repeatable process that starts at the workshop and is linked to KPIs, Eyal explained.

Lastly, it is important to define concise and effective reporting, he said.
