Organisations should develop a life cycle approach to IT to ensure that IT governance, risk, and compliance (GRC) objectives are established in collaboration with key stakeholders, and that measurable targets are set and monitored.
This is according to Gary Hardy, director of risk management company IT Winners, who spoke at the ITWeb IT Governance, Risk and Compliance conference this week.
He suggested that organisations start with the business needs, then set targets, and monitor their initiatives. “This will help them in understanding how IT governance fits into corporate governance, and how it applies to their business environment,” he said. By doing this, it will also be easier for organisations to align their IT GRC strategy with the strategic objectives.
Identify and map
“Organisations should identify their needs and look for current burning issues and external drivers,” advised Hardy. In addition, they should get input from management, audit, and risk and compliance, as well as agreement from executive management, he added.
“When everything is clearer, an organisation can easily put together a convincing business case for IT governance,” Hardy argued. “They should document the business cases, stakeholders, and roles and responsibilities, as well as drivers that need to be communicated, all the time.”
When these elements have been achieved, they should then strive to understand the root causes behind any issues. He said businesses should get up to speed with external factors like King III. “In the process, they should not forget to identify potential team members and champions.”
After this, he suggested that organisations assess their current state of governance and identify the gaps. “They should also identify what is most important to the enterprise - IT goals and processes, current risk position, or maturity of existing governance and IT processes.”
According to Hardy, an organisation should set targets to define a high-level view of what it wants to achieve in a reasonable timeframe. Businesses should also assess how much change will be required and how to manage the transition, he added.
After all this has been done, the organisation can now check whether benefits are being realised and embed new practices and organisational structures. “At this stage, a business should monitor metrics and measure achievements.”
Hardy concluded by advising organisations to always communicate positives and negatives during the process.