How CobiT faces IT governance challenges
Information and the technology that supports it represent companies' most valuable assets. What is even more important is that today's competitive and rapidly changing business environment requires increased quality, functionality and ease of use from organisations' IT systems.
Peter Hill, managing director of Info Sec Africa, looks at the increasing importance of IT governance and how CobiT can simplify companies' transition to an organisational structure that seamlessly integrates the business objectives with IT.
Many believe that IT will be the major driver for economic wealth in the 21st century.
While this is open to debate - particularly when looking at the South African scenario - it is already clear that most enterprises rely on IT for their competitive advantage and cannot afford to devote any less attention to it than to, for example, financial supervision or general corporate governance.
Therefore, the time has come for company board members to create committees that proactively take charge of IT governance.
As Alan Greenspan, chairman of the US Federal Reserve Board, put it: "A firm is inherently fragile if its value-added emanates more from conceptual as distinct from physical assets. Trust and reputation can vanish overnight. A factory cannot."
Why IT governance?
At its core, IT governance has two responsibilities: it must drive and enable business value, and mitigate risks.
However, it is important to remember that IT governance is not a "unique" discipline - it is essentially a component of corporate governance.
By applying the principles of corporate governance, IT governance can, for example, focus on the alignment of IT and business strategies, thoroughly review potential IT investments and measure performance.
The key responsibility in realising IT governance, however, lies with the company's board members.
This doesn't necessarily mean that they must become technology buffs overnight. What it boils down to is that these members must equip themselves with a high-level understanding of their changing roles regarding IT and should consider attracting more IT-related business skills to the boardroom.
According to recent predictions by leading analyst groups such as Giga, Gartner and Compass, there has already been a recent shift towards the following IT governance responsibilities:
* Strategic alignment - focused on aligning IT with business and collaborative solutions;
* Value delivery - concentrating on optimising expenses and proving the real value of IT;
* IT asset management - focusing on knowledge and infrastructure; and
* Risk management - safeguarding IT assets and implementing a disaster recovery strategy.
In theory, IT governance might seem like just another important agenda point, but in practice a great many challenges lie ahead for many companies.
And this brings us to Control Objectives for Information and related Technology (CobiT).
First published by the Information Systems Audit and Control foundation (ISACA) in 1996, CobiT - now in its third edition - is supported by the likes of the IT Governance Institute, Meta Group and Gartner.
CobiT aims to bridge the gap between business risks, control needs and technical issues - presenting IT activities in a manageable and logical structure.
One of the greatest strengths of CobiT is its ability to provide clear management guidelines.
According to CobiT, managers need to understand the status of their IT systems and decide what security and control they should provide. What this essentially means is that there is a need for continuous improvement in IT security and control - deciding how much, however, is the challenge.
By implementing CobiT Management Guidelines, companies can, for example, benchmark and measure their processes against peers and enterprise strategy, achieving a competitive level of IT security and control.
CobiT also focuses on performance management by utilising the principles of the Balanced Business Scorecard. Through tools such as Key Goal Indicators and Key Performance Indicators, organisations can measure the outcome of their processes and assess how well they are performing.
CobiT answers the perpetual question: "What is the right level of IT control in order for it to support enterprise objectives?"
CobiT in the real world
Theory is one thing, but putting it into practice is another. Currently, CobiT is utilised by a number of well-known local and international organisations.
Phillips International uses CobiT as part of a company-wide quality improvement programme and has, for example, developed a scoring process that uses the framework's maturity models to reflect its own organisational and process needs.
Brussels-based global messaging services and interface software developer, SWIFT, introduced CobiT as part of the development process for a new systems planning group - all to implement sound mission objectives.
Lastly, research authority Meta Group recently commented that 30% to 40% of Global 2000 companies deploying new technologies and entering new markets with e-products in 2003 will adopt a CobiT-like risk assessment and balanced risk/reward reporting process.