Governing IT through Strategic Alignment
Many businesses find themselves stuck in the technology gap: what company boards expect from IT governance is often far removed from what IT departments comprehend as the business’s needs. Boards cannot rely on IT to understand their business needs and to bridge the technology gap, but must use business strategy as the platform upon which to develop IT strategies.
The road to here
Information technology (IT) systems and processes have traditionally been a mystery to boards of directors. For decades internal control procedures have been methodically designed to control IT input, while IT output was meticulously analysed, reviewed and checked. The inner workings of IT have typically, however, been left to the company’s IT professionals to manage.
Boards are often guilty of ‘business as usual’, and while the game of commerce remains essentially the same, its rules have changed somewhat. With the rapid advances in IT and its increasing pervasiveness in business operations and strategies, good corporate governance can only be achieved by explicitly addressing IT as a cornerstone of successful business, and not merely as a stand-alone component.
Chapter 5 of the King Code of Governance for South Africa, 2009 (King III) addresses IT governance for the first time in South Africa, recommending that IT governance features on board agendas. Governing IT practices in companies means establishing an IT charter, implementing effective IT policies and procedures, as well as an IT internal control framework. Another IT governance principle introduced by King III is that IT needs to be aligned to the performance and sustainability objectives of the company. Getting IT aligned is prompting a shift away from the traditional approach of boards to IT governance. Instead of creating policies and procedures for the sake of ticking boxes, focus should shift to creating value for the company.
As part of a theoretical governance checklist, phrases such as ‘IT policies and procedures’ and ‘IT control framework’ are meaningless. IT governance will only add value once practical and understandable solutions are attached to its principles. The objective of this article is to simplify the concept of business/IT alignment and IT governance by illustrating the process the board can follow to achieve alignment and obtain real value from IT investments, while creating an environment of good corporate governance.
Business/IT alignment is achieved when IT investments and the delivery of IT services are driven by business strategies, as influenced by a genuine understanding of IT capabilities and limitations. Alignment is the degree of integration between business strategy, IT strategy, business infrastructure and IT infrastructure. This understanding of alignment introduces the idea that decisions regarding IT investment and management that traditionally were taken by IT practitioners should now be decided more strategically for corporate spending to enhance business value, growth and competitiveness. This definition also highlights that those charged with governance can no longer steer a business successfully without a clear understanding of the IT implications of strategic decisions. While the necessity of IT governance cannot be disputed, boards face the predicament of practical implementation.
Alignment remains theoretical until value-adding and understandable IT technologies are linked to business strategies. Once clear business strategies and imperatives are defined, these can be integrated into IT strategies encapsulated within functional IT design to achieve alignment and prevent inefficiently deployed IT investments. With new IT trends and technologies surfacing almost daily, directors have been randomly grabbing at fashionable technologies in an attempt to keep businesses up to date. The resulting risk and internal control nightmares have created more problems than solutions.
By following the three-step process below, boards will essentially focus on investing in technologies that add value in terms of business strategies.
1. Define business imperatives (the core of the business strategy).
2. Formulate how these imperatives affect the IT investment.
3. Consider the IT architectures that are essential in achieving the business strategy.
The first step to aligning business and IT is defining the company’s business imperatives. Business imperatives are differentiated from basic business assumptions, which are generic objectives that support operational sustainability. Generic objectives include profitability, cash flow management, business continuity plans, internal control, information management and regulatory compliance.
Business imperatives, on the other hand, are set at a strategic level and drive the business to excel in its relevant industry and environment. These are the non-negotiable, essential success factors that will allow the business to achieve competitive advantage within its industry and deliver successfully on vital performance indicators.
Business imperatives are not generic across all industries, and every business, even within a similar industry, will have a unique set of imperatives. Examples of business imperatives include innovation, high profitability, diversity of products and services, reliability, mobility, productivity, minimum staff complement, collaboration and high performance teams. These imperatives should be identified on the basis that they provide the business with a definite competitive advantage within its industry.
The value in identifying business imperatives lies in the fact that it allows boards to redefine and formulate their strategy. It is these redefined strategies that will ensure that IT investments directly relate to the needs of the business and are manageable and understandable.
The core message is that boards need to ‘get their hands dirty’ in terms of IT investment and management. This does not mean creating a mountain of checklists and paperwork, but a structured and practical approach to ensure that IT strategies and investments echo business objectives. Boards need to eliminate IT investments that do not add value to the business and focus on streamlining IT in order to maximise value. This is the key to good IT governance.
The topic covered by this article is addressed in the Masters in Commerce (Computer auditing) at Stellenbosch University, as presented by Prof WH Boshoff.
Authors: Lize-Marie Sahd CA(SA), BAcc(Hons), and Riaan Rudman CA(SA), BBusSc(Hons), PGDA, MBusSc, MAcc, are both lecturers in the Department of Accounting at Stellenbosch University.
Intellectual Property Theft is Growing
Theft of intellectual property (IP) is increasing to the extent that it now exceeds physical crimes in the USA.
In 2010 some 8.7 million companies in the United States reported intellectual property (IP) theft – a higher total than instances of physical theft in that country. This is significantly higher than the 5.5 million companies lodging complaints in 2009, noted patent attorney Howard Cohn. Although similar statistics are not available in South Africa, the UBS Governance Rank, which measures corporate governance perceptions in 44 global emerging markets, recently dropped South Africa from its top slot due to poor scores in our ‘perception of corruption’ index. The South African government’s determination to tackle fraud and corruption was emphasised in this year’s State of the Nation address, but companies are also duty bound to take measures to mitigate the potential for white collar crime.
Accounting firms are seeing a definite increase in clients becoming concerned about safeguarding their IP. This expressed concern, and requests from companies in South Africa to help reduce the potential of IP theft, are both strong indicators that the threat of IP theft is a reality and is increasing.
Due to the current lack of local best practice, clients are advised to adopt internationally deployed measures to protect their IP. The most common requests we receive are to conduct employee fraud awareness sessions and to perform penetration testing, both of which are globally used practices.
Fraud awareness sessions take the format of workshops in which employee fraud detection skills are developed through interactive participation.
A penetration test is a method of evaluating the organisation’s computer security by simulating attacks from malicious outsiders to identify vulnerabilities and make recommendations for improving the system.
To assist in preventing IP theft, the following preventative checklist, which provides examples of best practices, has been developed:
Develop a programme for safeguarding proprietary information. This programme should include an internal policy, establish what information should be protected, and make an internal team responsible for the implementation and monitoring of the protection procedures. Other measures are:
• Conduct internal employee security awareness sessions in which employees are educated on the importance of proprietary information and the common pitfalls to look out for.
• Non-disclosure agreements should be standard practice when it comes to employment and sub-contractor agreements. Creating a culture of confidentiality and ownership within the organisation will outweigh the legal value of such agreements in the long term.
• Commission periodic penetration testing of the organisation’s systems to identify vulnerabilities and provide recommendations.
• All visitors should be closely monitored, recorded in a logbook and not allowed to move about freely on the premises of the organisation.
• Offices containing sensitive information should be kept locked to discourage unauthorised entry.
• Security safeguards and policies should be implemented on tablets, smart phones and other portable devices to ensure proprietary information remains protected in the event of theft or loss.
• Sensitive emails and file attachments should be encrypted for external and internal transmission, or at the very least password protected.
• All content should be reviewed before public presentation, and employees attending trade shows and exhibits should be instructed not to say anything that competitors shouldn’t hear.
• Meeting rooms should remain locked when not in use, and non-essential wiring and devices should be removed from these rooms to guard against eavesdropping.
Author: Pierre Kilian CA(SA), Certified Fraud Examiner, is Manager in the forensics department at BDO SA.
Safeguarding your Intellectual Property
Losing your company’s intellectual property (IP) to competitors can be hugely damaging, as Microsoft discovered when Apple launched its iPad.
Companies are being urged to take stock of how much they risk losing through the theft of their intellectual property (IP).
This is becoming increasingly relevant in a business environment where – through something as simple as careless talk overheard in a staff canteen or coffee bar – years of meticulous IP research and development can be washed down the drain and cause major losses.
In today’s highly competitive trading environment, employees need to be aware of the possible consequences of disclosing sensitive information to potential competitors, whether at work or while socialising.
An organisation’s value is no longer limited to the value of its tangible property, but includes the value of its IP such as patents, trademarks, copyrights, proprietary ideas, concepts, process improvements, new methodologies and potential for generating revenue.
As the value and extent of IP continues to rise, more and more companies will struggle to accurately determine the value of their IP. Another major challenge is how to protect their IP from competitors. Most organisations will only realise the extent of their loss when a competitor has successfully piggy-backed on their original idea or prototype – and implemented it.
Companies risk losing their IP – even in unexpected and seemingly innocuous circumstances – when company employees unwittingly give valuable information away in unguarded moments. This is typified by the now legendary story of how the iPad concept came to be born, which serves as a timely reminder of the potential worth of IP – and how easily an original concept can be lost to a competitor.
According to well-documented reports, Apple’s co-founder Steve Jobs embraced the iPad idea – with some crucial technical amendments – after listening to a Microsoft employee boasting over dinner about a Windows tablet developed by Microsoft founder, Bill Gates. Apple stole a march on Microsoft by running with the idea, and making the iPad concept a reality.
Since its April 2010 launch the iPad has become one of the IT world’s hottest new intellectual properties, with global iPad shipments reaching the 70-million mark by the end of 2012 and a further 100 million expected to be shipped in 2013 alone.
To be successful in ever-evolving markets, organisations must be aware of how they can lose their IP. Some of the most common ways of losing IP are:
• Lack of information security
• Accidental disclosures
• Poor controls and policies
• Commercial spying
• Deception techniques
• Physical penetration of the organisation
• Penetration of their computer systems.
It is vitally important to make employees aware of IP value and that it must be safeguarded. This is particularly relevant given that employees are not only an organisation’s first line of defence, but they are also responsible for most accidental IP losses.
Author: Pierre Kilian CA(SA), Certified Fraud Examiner, is Manager in the forensics department at BDO SA.