A joint effort

IT governance takes the co-operation of IT and business, and while it is universally agreed that IT governance should leverage and enable business decisions and processes, it is clear that one size does not fit all.
By Kaunda Chama, ITWeb features editor
Johannesburg, 06 Jun 2005

Meshing IT governance with business governance sometimes increases the difficulty of designing appropriate arrangements for decision-making. Those arrangements embrace the styles and mechanisms most appropriate for the IT decision domain and the enterprise's business orientation. Done well, they support more effective business governance.

More to it

A major challenge in designing IT governance and business governance is resolving boundaries between the enterprise and its business units.

A recent Gartner report states that enterprises can be divided into three major business orientations: synergistic, agile (able to work with others) and autonomous. One orientation generally predominates. The key to effective IT governance is to use business orientation to design IT governance styles and mechanisms.

Today, most IT departments face a series of challenges created by changes in the economy, in regulation and in IT products and services, and are subject to increasing pressure as a result.

According to the report, the good news is that the world economy is improving, encouraging executives to focus on growth again. In most sectors, continuing competition maintains the downward pressure on costs. IT systems can, by automating business processes, enable the company to do more while spending less.

Governance framework

There is no one absolute way of formulating an IT governance framework. However, the rule of thumb is to define governance needs in terms of the following, at least:

* Application acquisition/development
* Application management
* Software licensing
* Change control (environment and applications)
* Logical and physical security
* Backup and restoration
* Systems availability.

The increased automation of the servers and networks that comprise the IT infrastructure enables the IT organisation to become more efficient. The prospect of economic growth provides new money for IT investment and opportunities for the IT organisation, the Gartner report says.

Gartner adds that paradoxically, a further opportunity comes from the increasing burden of regulations. Government regulations such as Basel II and Sarbanes-Oxley set non-negotiable requirements for transparency and new processes, many of which must be met using IT. This means more work for the IT organisation, much of it focused on business processes.

However, the bad news is that in most enterprises, the bulk of IT spending is devoted to operations and user support. Although in-house IT departments can provide these services, top executives are increasingly aware that offshore service providers offer exceptional value and often a more disciplined approach to customer service.

They've begun to ask why they shouldn't outsource all routine IT activities. The negative effects of complying with new regulations will only add emphasis to this question.

In addition, since e-business gained ground, top executives have accepted the strategic importance of IT. Their expectations of IT have increased, but many believe the IT department is unable to meet those expectations. These executives believe the IT organisation is able to deliver everyday services, such as user support, data centre operations and applications development, but is unable to take the business forward by contributing to strategy or leading innovation.

Gartner predicts that these feelings may be exacerbated by the work supporting regulation. Because of the time it takes to change IT systems, it is expected that the proportion of deficiencies in compliance attributed to the IT organisation will have doubled by 2008.

Good business

Unlike constantly upgraded or new applications with funky interfaces and marketing campaigns, IT governance is a decidedly boring subject, but one IT managers and non-IT executives need to be intimately involved with.

"Governance is all about documented, auditable processes being performed consistently by trained people," says Allan Wattrus, practice director of Global Infrastructure Services at Unisys Africa. "And regulatory compliance with good corporate governance practice is not going away, but is going to become more of an issue for non-compliant companies in the coming years."

To demonstrate good governance, companies need to prove they employ a consistent process for delivery and in order to achieve this, they need to map or document their processes. It is important to understand two measures related to these processes: the process maturity and the relative importance of the process, he adds.

Maturity is typically rated from zero, where there is no discernible process, to the highest level, where there is a clearly defined and documented process that can be considered a global best practice. The processes also need to be rated in terms of their importance to the organisation, to assist with prioritisation of effort and spend.

Wattrus explains that once this has been achieved, companies will have taken care of the three primary concerns for businesses at the moment:

* Aligning the IT and business strategies
* Dealing with governance
* Service-level delivery

"It is this process of becoming compliant that gives companies the opportunity to drive down the cost of IT and therefore the organisation around it," Wattrus adds. "The best drivers of this system of performance management and enhancement are found in frameworks such as ITIL and Cobit."

Guiding the process

ITIL and IT governance

Some feel ITIL (IT Infrastructure Library) provides the formula for successful compliance.

As IT governance continues to be the system that facilitates the steering and control of IT within an organisation, more organisations are turning to service management techniques to manage their IT environments and to meet the requirements of IT governance initiatives.

Many are using best practice ITIL as a starting point, says Charles Osburn, a director of Quintica, the local representative of Marval and the Marval Service Management application based on ITIL.

He says ITIL has evolved from a recommended best practice to a global industry "given" for aligning IT services with business requirements. The key to this is the delegation of responsibilities and authorities to different players within an organisation - such as the board of directors, business and IT managers.

"ITIL is able to create a framework within which IT objectives can be predetermined and IT governance techniques are applied to ensure long-term success. ITIL also facilitates the monitoring of the results and the fine-tuning of strategies along the way."

Osburn maintains that one of the reasons so few companies (less than 10%) have effective IT governance initiatives in place is that many service and asset management tool vendors lack the infrastructure and training abilities to help customers act upon the delivery and execution of ITIL tasks from an IT governance perspective.

"Creating a strong alignment between IT and business - as is required by IT governance initiatives - will also help companies to do more with less, reduce budgets, cut costs and increase IT resource productivity," he adds.

The IT Infrastructure Library (ITIL) is a consistent and comprehensive documentation of best practice for IT service management. Cobit, issued by the IT Governance Institute, is a generally accepted and applicable standard for good IT security and control practices that provides a reference framework for management, users and information system audit, control and security practitioners.

"It is important to realise that we are not reinventing the wheel here," Wattrus explains. "IT governance, as guided by ITIL and Cobit, does not mean throwing out the blueprints and starting again, but should be considered as part of the normal process of business."

IT governance should be seen as a continual progression. Each phase of the programme must deliver additional benefits to the company, either in the form of performance increases, cost decreases or improved transparency - or a combination of these. To achieve this, short-, medium- and long-term benefits should be established upfront, according to specific company needs.

IT governance is not something IT people can learn as they go. It requires formal training and the appropriate tools if corporations are to successfully manage their technical performance.

"The training companies will need to put their executives and staff through is not an MCSE-type course where one size fits all," states Wattrus. "It must be client-specific, include Cobit training, the required tools and a dedicated consultant working with the team. The consultant should ideally move from the classroom into the customer's workspace to ensure the practices are embedded."

While all the recommendations of reports such as King II have not yet evolved into legislation, companies that are becoming compliant stand to benefit from the savings that compliant systems and best practice processes offer.

According to André Zitzke, solutions specialist at SAS SA, there will probably never be a single, globally accepted model of good corporate governance while regulatory pressures like Sarbanes-Oxley, Basel II, King II and the numerous accounting standards that are all aimed at good corporate governance are treated with a silo approach to compliance.

Recent high-profile corporate collapses have turned the world's focus to good corporate governance, of which financial transparency, accountability, predictability and participation with, and by, stakeholders are among the major requirements.

"Companies of all sizes are under increasing pressure to meet these requirements, in addition to complying with the various pieces of regulatory legislation," says Zitzke. "Within organisations, this is forcing a convergence of functions, from financial operations and risk analysis to corporate performance management, auditing and compliance."

From a management and control point of view it makes sense to integrate them and the only way an enterprise can bring it all together is through the use of technology.

Ken van Sweeden, director of underwriting, Camargue Underwriting Managers, says in the last 20 years, IT has also been identified as an operational risk of growing concern, able to profoundly affect a company`s operations.

Should these systems fail, all who rely on IT systems for their daily operations face serious consequences. There are various options open to business owners who face this risk, depending on whether their IT functions will be outsourced or run in-house.

To outsource or not?

Why is it important to take note of specific risks associated with outsourcing IT? Firstly, because recent case studies into global practices show a rising trend of associated expenditure. E-business makes great demands on companies, and managers will often conclude that the only way to meet deadlines for new technology projects is to contract specialist services.

According to a paper by Lesley Willcocks and Chris Sauer from Templeton College, University of Oxford, "High risk and hidden costs in IT outsourcing", global outsourcing revenues amounted to $100 billion in 1998 and were projected to rise to $150 billion by last year.

According to the paper, an average of 30% to 35% of corporations` IT budgets are outsourced. Having a third of their IT under external control makes it essential for managers and business owners to have a clear understanding of the inherent risks involved with this practice and how to manage them.

A relevant example, referred to by Willcocks and Sauer, is a case study of the UK branch of US retailer, Sears. In 1996, it outsourced most of its IT on a 10-year "no-tender" basis to a single supplier. Within 17 months, coupled with the resignation of the chief executive, the board could no longer see sufficient business advantage coming from this arrangement. The cost to Sears for implementing the deal and then terminating it was $55 million. Although this is an extreme example, it illustrates the point that a project that goes wrong can and will cost a company money.

Willcocks and Sauer`s research suggests that most companies take the selective outsourcing route of outsourcing 15% to 30% of their IT budget. The trend is also to use different suppliers to fulfil specific needs. The paper further shows that selective and in-house sourcing had success rates of between 76% and 77%. Only 35% of total outsourcing deals were successful, while 27% had "mixed" results. The research also showed that a quarter of organisations encountered serious problems in total outsourcing. Moreover, hidden costs, followed by the credibility of vendors, continue to be the most prominent associated risks.

The how of IT governance

Four factors

Thomas Smedinghoff, information and communications lawyer, identifies a number of factors driving the development of new IT legislation:

* Heavy dependence on technology by most organisations.
* Concerns relating to the protection of confidential information and personal information.
* Identity theft.
* Ensuring accountability for financial information.

Nowadays, IT is at the heart of supporting and sustaining the growth of many organisations. While the majority recognise the potential benefits that technology can yield, successful companies also understand and manage the risks associated with implementing new technologies.

"Governance of IT is about more than just protecting your company's data against malicious attacks from within or without the organisation. It is an integral part of corporate governance and should be underpinned by good leadership and processes, which ensure the organisation's IT sustains and extends the business' strategies and objectives," says Mike Sewell, group executive of outsourcing at Business Connexion.

"If not properly governed, IT can increase the risk profile of the organisation. Regardless of whether the company is responsible for its IT systems or not, as in the case of outsourcing, there still needs to be a comprehensive IT governance strategy in place that communicates what can and can't happen," he adds.

The IT governance documents typically consist of a collection of policies, procedures and standards, and should regulate the behaviour of all parties involved in, for example, a new implementation.

In the case of lengthy outsource contracts, the processes need to be defined and levels of authority established. Issues such as delegation of authority and management of performance need to be considered and defined in advance.

"The contracting arena is a veritable minefield and it is important for companies to have processes addressing this. Good governance protects all parties concerned. It protects business partners in a known environment, because there are clear rules, while employees also know what is wrong or right if there are rules in place," he says.

Essentially, IT governance assists management in obtaining the right IT solutions at the right price. It also contributes to a high level of service provision as well as uniformity and standardisation of IT systems across the enterprise.

"In SA, IT governance is not taken as seriously as it is in the US, for instance, where auditors are employed to test and check performance of systems and report on them. However, it will not be too long before local firms follow global trends," Sewell comments.

Getting legal

Legal drivers

It is helpful to examine some of the drivers of ICT governance and their legal significance.

* Self-regulation
* Legislation and sector regulation
* Globalisation
* Intellectual capital
* Proliferation of threats to information and information systems
* Privacy
* Outsourcing
* Electronic supply chain

A question directors and senior management often ask in the IT context is: "What must we do to comply with the law?" The answer frequently given by self-styled "cyber-lawyers" is restricted to simplistic references to legislation and compliance.

While this is often the answer that management wishes to hear, the true answer goes well beyond legal compliance and includes the obligation to act reasonably.

According to Mark Heyink, information attorney, the implementation of ICT has brought enormous benefits to many organisations. Yet, he says, few will argue that to unlock the true benefit of the technologies deployed, the organisation needs to make significant changes to the way it conducts business within itself. It is axiomatic that significant change increases risk profiles exponentially.

He explains that the management of these risks may vary from organisation to organisation. Standards and methodologies have been developed that offer excellent guidance in this task. Directors and executive management should be aware of these standards and champion their use. Appropriate implementation of information security practices is the key to avoiding, or founding, legal liability relating to the use of modern ICT.

Thomas Smedinghoff, one of the pre-eminent jurists in information and communications law globally, in a recent article entitled "Trends in the law of information security" observes three principal trends developing in this sphere:

* An increasing recognition that providing information security is a corporate legal obligation.
* Emergence of legal standards against which compliance will be measured.
* A duty to disclose breaches in information security.

In dealing with the emergence of legal standards, Smedinghoff points out that new legislation does not seek to establish specific security measures. Rather, in a dynamic and continuous process of risk assessment, it seeks to ensure the effective implementation of appropriate security measures, which are responsive to identified risks.

He indicates that increasingly there is a duty on organisations to disclose material information security failures. It has been a feature of the majority of information security breaches to date that they are hushed up for fear of potential reputational damage. However, this silence also holds the danger of further damage being suffered by investors and those parties whose information may be compromised.

Heyink comments that the elements of care that should be exercised by the reasonable person are echoed in this approach. "For many years, my advice to clients has been to look to emerging information security practice as a guide to fulfilling the legal obligations incumbent on them."

This approach allows proactive action, measurable against accepted standards. Unfortunately, in many instances this advice has been disregarded, sometimes to the cost of the client.

The law will probably lag behind commercial reality. This makes the role of lawyers all the more important in advising how corporates may apply technology. To do so, lawyers will have to understand both the existing law and those elements of the new environment that are likely to have an impact on the way the law is applied.

In the context of IT governance, information security will remain key to leaders` endeavours.

Smedinghoff observes: "Many businesses recognise that information security is a key technical and business issue, but it is important to recognise it is also a legal issue."

IT governance is no longer a "nice to have". It has become a vital element of corporate governance and is gaining recognition as a legal obligation. Within the context of IT governance there are imperatives that leaders will need to observe, many with significant legal implications.

The compliance challenge

Jan Dry, sector manager for public sector and financial services at Sun Microsystems for sub-Saharan Africa, says compliance is the new red flag in corporate IT these days. Everyone is talking about it, but it seems as though few are doing much about it.

"The reason for this is that compliance has not been clearly defined," he comments. "We all know our businesses have to comply. The question is - comply with what, and how? And what does this have to do with IT?"

Let's start by considering what is meant when one sets out to meet compliance requirements.

Perhaps it's somewhat unfair to place the blame for the intense compliance spotlight at the door of the errant directors of the Enrons, WorldComs and Parmalats - and closer to home, the MacMeds, Leisurenets, Regals, Saambous and their ilk.

Many would suggest they have spawned a whole new industry: the industry that has grown up around "corporate governance" and all the elements required to comply with the myriad regulations and legislation that impact this business imperative.

With corporate governance requirements having been elevated from a cursory, obligatory mention in annual reports to a core concern of regulators, lenders, investors, directors, employees and virtually any stakeholder in any business enterprise, companies have to ensure they are able to comply with all the elements that constitute corporate governance.

Corporate governance and compliance are two sides of the same coin. Without an effective and efficient IT system, this compliance - and indeed, corporate governance - would simply not be possible.

At its most basic, corporate governance is the system by which businesses are run, including the director's duty to ensure the business is properly and honestly managed.