IT governance 'not GRC'
IT governance entails a great deal more than GRC - and it's a lot more important, says Mike Jarvis, former FNB CIO and founder of governance consultancy, Oversight Solutions.
Jarvis says IT governance involves compliance, security, risk and sustainability, providing a context for the goal of driving growth and delivering business value.
The organisation, strategy, operation and control, and maturity and performance measurement components of the OverSight Solutions Framework are all key aspects of overall IT governance.
"This is very different from GRC, which is seen as a 'grudge purchase' or 'cost imposition'. Risk and compliance are just parts of what IT governance should be," he says.
Jarvis says at the heart of IT governance is the value IT delivers to business. "Often, it is difficult to quantify the baseline value of IT," he explains.
"But if you consider the value drivers of IT, including business alignment, sustainability, productivity, agility and customer service, as well as cost, then the importance of maximising the value of IT through effective governance becomes apparent."
GRC, on the other hand, has been born out of a need to audit and comply. It does little to ensure IT delivers on business objectives, says Jarvis.
In SA, many companies still feel the need to simply tick boxes and comply, he adds.
"They go so far as asking how they should comply with King III. Since King III is a set of guiding principles, not a set of laws, they cannot comply with them. They need to consider which are applicable to them, and apply these. Any company attempting to comply is batting on the wrong wicket," he says.
"The current 'tick box' approach doesn't add value," he notes.
Jarvis, back in SA from the UK for the past 18 months, actively promotes the need to develop IT governance strategies and act on them to deliver business value. "IT governance principles, practices and processes need to be built into the day-to-day operations involving IT," he says.
Achieving IT governance
This is not easily accomplished in an environment where business and IT tend to be worlds apart, and 'speak different languages'. Very few CIOs have a business mindset, although every company needs one who has, says Jarvis, and very few board members understand IT.
Jarvis suggests enterprises start "growing their own" business CIOs by identifying potential future CIOs and posting them to various business-focused departments of the enterprise over the course of their careers, thereby exposing them to the needs and goals of the business - not just IT. This, he says, enables them to give the right answers to the board.
"Often, CIOs are their own worst enemies as they can't articulate the value of IT," says Jarvis. Exposure to business language and priorities helps them to do so.
In turn, boards should appoint non-executive directors who have knowledge of IT. This would enable the board to ask the right questions, grasp the impact of IT on business, and have a better understanding of the business value of IT.
To ensure effective IT governance, IT has to be considered as part of the greater enterprise-wide governance picture.
"Doing this requires a change in mindset, for one thing," Jarvis says.
When deciding where to start, organisations can focus on the pain/gain areas, adds Jarvis. "Start where there's the most pain and the most potential gain."
The steps to take entail creating the necessary governance structures; establishing responsibilities and accountabilities; determining the key principles and value drivers; agreeing on the practical priorities; planning, developing and implementing solutions; tracking and monitoring the benefits; and reporting the results.
Jarvis will address the ITWeb Governance, Risk and Compliance conference, at The Forum, in Bryanston, from 5 to 6 March.