In the past 10 years, interest in Corporate Governance has grown tremendously. Corporate scandals, environmental concerns and globalisation have played their part (Abdo & Fisher 2007). These explicit or noticeable events have focused attention on Corporate Governance. Business is changing, methods of conducting business are changing, businesses are increasingly relying on information technology (IT), and it is no longer sufficient for board-level executives to defer important IT decisions to IT professionals. This change in IT affects business gradually, possibly unnoticed. Now is the time to consider IT Governance, before the “next” IT scandal occurs. This article discusses IT Governance and highlights what needs to be considered when implementing good IT Governance practices.
What is IT Governance?
Information Technology (IT) governance is a subset discipline of Corporate Governance, which receives little exposure. Various definitions exist, with the underlying principle being to create a framework to direct, manage and control the use of IT by encouraging an ingrained pattern of worthwhile behaviour for administrators and users alike with regard to acceptable practices, which sustain and extend an organisation’s strategies and objectives, while also mitigating IT related risks. It focuses on the implementation of structures and processes in an IT system (Weill & Ross 2004a).
Why is an IT Governance framework important?
IT professionals implement control techniques to address business and control objectives. This results in a process or system. These control techniques depend on the context created by the environment, and can be automated or manual, either preventative, detective or remedial in nature, in order to reduce risk to an acceptable level. However, implementing these control techniques on their own is merely ad hoc, if not linked to a proper control framework (that provides insight into managing the system, its controls and risk, effectively) or model (that focuses on the design, implementation and maintenance controls). Control techniques are implemented by IT professionals, whereas management implements a control framework and models. This creates a problem, as management does not understand the control techniques and technology, whereas IT professionals understand neither the model nor the framework (commonly referred to as the IT-gap). It is this ad hoc implementation of control and gap in a frame of reference that creates weaknesses in any system. Risks and weaknesses are not introduced to a system because there are no policies and procedures or because no controls are implemented but rather exist because management and technical policies and procedures do not merge into one risk management unit (Lamprecht 2004).
Which IT Governance frameworks are available?
In implementing an IT Governance framework, it is not necessary to reinvent the wheel, as there are various supporting frameworks that can assist with the implementation of IT Governance. Two examples include:
- Control Objectives for Information and related Technology (COBIT): COBIT provides managers, auditors and IT users with a set of generally accepted best practices to assist them in developing appropriate IT Governance and controls in a company, linking IT to business requirements. It provides tools in the form of high-level objectives to assess and measure the performance of IT processes, covering four domains: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. For more information and the latest version of COBIT (v4.1) refer to www.ISACA.org.
- Information Technology Infrastructure Library (ITIL): ITIL is a collection of best practices for IT service management, focusing on providing a framework to structure IT-related activities and the interactions of IT personnel, customers and users. ITIL provides guidance on implementation in support of the business, defining the operational attributes that need to be in place for service support and service delivery management to be fully optimised.
For more information, please refer to
These and other available frameworks can be used individually or integrated with one another. COBIT provides guidelines on best practices (a benchmark) of what will ensure good IT Governance; however, it does not state how this should be achieved, nor provide details on how to implement these practices. COBIT is based on an established framework, focuses on goals and measures progress. It acts as an integrator at a high level, with a broad focus on high-level IT Governance. ITIL provides guidance on how to achieve the best practices detailed in COBIT, by providing a set of guidelines for the design, structure and operations of the IT function. It provides the details not provided by COBIT. For example, COBIT asks whether changes to the system have been tested; ITIL gives guidelines on what a change is. ITIL does not, however, cover all the areas covered by COBIT, focusing instead on service management with a narrower view.
Various resources are freely available online, outlining these and other governance frameworks. The IT Governance Institute in the United States has issued a mapping document which maps various IT guidance documents to COBIT and is available online at www.ISACA.org (Author unknown 2006). Governance frameworks are not limited to IT and service management. Other frameworks also exist, for example, for project management, such as Projects in Controlled Environments (better known as PRINCE2).
What needs to be put into place?
Now that the available frameworks have been touched on, and before a standardised policy is created, the following need to be considered and implemented:
- Goals and objectives: First, the goals and priorities for the computer system must be set out in writing, taking into account the long-term view of the organisation and the infrastructure required. These should align the IT and business strategies, and ensure that the organisation’s IT sustains and extends the organisation’s strategy and objectives. These goals and objectives must be clear and specific, and explain what the IT function is trying to achieve, and why, in the business, strategic and operational context in which the IT system operates. The governance principles must be driven from the top, but all stakeholders (Board, IT, finance, end-users) must give the necessary input and show commitment. These goals should be reviewed regularly; however, they should not be changed too frequently.
The following steps should be considered when implementing an IT governance framework.
- Determine IT governance objectives as well as the business, strategic and operational context.
- Obtain a full understanding of the IT governance framework(s) available.
- Assess usefulness of the framework(s).
- Understand the environment in which the governance framework is to be implemented at a process, operational, application and infrastructure level.
- If various governance frameworks are to be integrated, determine the relationships and interaction between them.
- Set simplified attainable outcomes.
- Evaluate the appropriateness of the proposed governance framework in terms of common sense.
- Implement the IT governance framework in the same manner as any project with full stakeholder participation.
- Evaluate the framework against the stated objectives.
- Assess the complexity around the implementation of the framework and if necessary re-evaluate the process.
- Risk management: A formal risk framework should be created that puts some rigor around how IT measures, accepts and manages risk around the IT system, as well as reporting on what IT is managing in terms of risk. An allowance should, however, be made for exceptions and the reporting process around these exceptions.
- Communication: IT professionals and end-users should be directed to create a pattern of worthwhile behaviour in order to achieve control. The goals around the IT system (and its use) should be well communicated to all stakeholders and create buy-in from all, and should be fully transparent. More frequent communication should be encouraged, allowing users and stakeholders to evaluate the running of the IT system, risks and weaknesses.
- Training: The culture and social change of the organisation must be taken into account in managing the IT system. Staff should be trained in (i) the administration of the network, (ii) the facilities available, (iii) acceptable habits and security practices, (iv) acceptable devices, et cetera, and leadership training should also be provided to all managers, in order to change user behaviour and security practices.
- Accountability: The policies should foster joint accountability between IT personnel and functional managers and users. This can be achieved by limiting the number of decision-making structures within the two business areas and forming collective structures. However, there is a need for well-defined roles and responsibilities within this structure. All parties should understand the relationship between IT and business processes. It should, however, be noted that when holding staff accountable, the appropriate frameworks and benchmarks must be agreed to by all stakeholders, with their acceptance and commitment.
- Monitoring and reporting: The operations of the IT system must be monitored continuously, and progress should be reported to all stakeholders. Both IT professionals and end-users should be held accountable, for example, by publishing successes and failures to make staff aware of shortfalls and to reward good practices. Performance should be tracked and compared to the agreed benchmarks, standards and original goals. Staff should be allocated functions with measurable, attainable goals to facilitate responsibility, and the decision rights and accountability framework should be specified to encourage the desired behaviour in the use of the IT system.
IT Governance, like Corporate Governance, is crucial, but it should be approached correctly, so that it does not become just another document or policy. All stakeholders should work together towards a collective common goal. If all members of staff are given responsibility, are involved in the process and understand the objectives and risks, they can be held accountable.
It is not a surprise that companies that use IT strategically demonstrate stronger financial performance (Ross & Weill 2004b). How a company makes and manages its IT investment differs between companies. Strategic use of IT is only possible when companies design and communicate IT decisions, parameters and mechanisms.
At a minimum, this helps to identify areas of importance. A thorough framework, once in place, not only ensures that IT is more focused on the business, but that this focus advances the business goals.
- Abdo, A. & Fisher, G. 2007. Good Corporate Governance vs. Shareholder value. Accountancy SA, May 2007, pp. 18-19.
- Author unknown. 2006. COBIT mapping: Overview of international IT guidance. 2nd edition, IT Governance Institute. Available at: http://www.isaca.org. Accessed on: 14 December 2007.
- Boshoff, W. 2007. IT Governance: IT Governance frameworks and their integration. Masters in Accounting (Computer Auditing) lecture slides. Stellenbosch University. September 2007.
- Lamprecht, C. 2004. Hacker risk in e-commerce systems with specific reference to the disclosure of confidential information. South African Journal of Information Management, Vol 6(4): Dec 2004.
- Ross, J. & Weill, P. 2004a. IT Governance: How top performers manage IT decision rights for superior results. Harvard Business School Press, Boston.
- Ross, J. & Weill, P. 2004b. Recipe for good governance. CIO. 15 June 2004. Available at: www.cio.com/article/print/29162. Accessed on: 18 October 2007.
Riaan Rudman CA(SA), BBusSc (Hon), PGDA, MBusSc (Fin), is a lecturer in the Department of Accounting at the University of Stellenbosch.