MAY 19, 2009 12:30pm ET

Governance without Bureaucracy

In the early years of Sarbanes-Oxley, I came across all kinds of bureaucratic absurdities committed in its name. Accountants said that SOX required a financial analyst to approve all purchase requisitions, the facilities staff insisted that all discarded documents be shredded, and the IT security staff demanded that a vice president approve email accounts. I once joked that SOX probably required that we all park our cars facing south.

Fortunately, we moved on from those crazy days. Leading companies have progressed from restrictive and onerous controls over everything to focusing on the constraints that really matter. Controls are only audited where there is a real risk of a material misstatement of the company's filings with the Securities and Exchange Commission. A top-down and risk-based approach is used to identify those risks.

We have reduced the level of unnecessary bureaucracy from IT's SOX compliance activities, but can we do the same for all areas of governance? Before answering that question, we must address what is meant by the term "governance" and how it relates to IT governance. 

Curiously, there is no single, comprehensive, universally accepted definition of organizational governance. The Organization for Economic Co-operation and Development (OECD) developed a commonly used definition stating that organizational governance is a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set and the means of attaining those objectives and monitoring performance are determined. 

It is important to note that governance is not the same as compliance. While there has been a tremendous focus on compliance in the wake of SOX, governance is as much about achieving performance objectives (typically focused on strategy, value creation and resource creation) as it is about compliance objectives. 

IT governance necessarily flows from enterprise governance. As the IT Governance Institute states: 

Boards and executive management need to extend governance to IT and provide the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategies and objectives. IT governance is not an isolated discipline. It is an integral part of overall enterprise governance. The need to integrate IT governance with overall governance is similar to the need for IT to be an integral part of the enterprise rather than something practiced in remote corners or ivory towers.

In my years as an internal audit and risk management practitioner, I have seen many different charters for IT governance functions at different companies, ranging from responsibility for IT security (including contingency planning and the coordination of SOX compliance activities) to ownership of IT standards, performance reporting, risk management and regulatory compliance. So, just as there is no single, comprehensive, universally accepted definition of organizational governance, there is no commonly accepted definition of IT governance. For the purpose of the discussion in this article, I will use the following definition:

IT governance is the responsibility of the CIO and the organization's executive management team in partnership with other governance functions (such as the chief risk officer, compliance officer, etc.). It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the IT function sustains and extends the organization's strategies and objectives.

An effective set of IT governance processes and systems will ensure achievement of the following objectives: 

  • Cost-effective, timely and high-quality delivery of the services and facilities required for the organization to achieve its strategies and objectives. This area would include the continuous delivery of good technology infrastructure, applications and other services, as well as the ability to monitor enterprise performance against objectives.
  • Appropriate and effective management of risks to organizational objectives. Risks addressed within IT governance include direct risks specific to IT (e.g., data privacy) as well as indirect risks, where the business's response to a risk (e.g., noncompliance with environmental regulations) depends on IT services. For purposes of this discussion, noncompliance with laws and regulations is considered a risk that needs to be managed in much the same way as operational risks are managed.

How can these objectives be achieved with a minimum level of cost and bureaucracy? The trend among leading-edge governance, risk and compliance functions is to follow a top-down and risk-based approach: 

  1. Understand the enterprise strategies and objectives, and the extent of their reliance on IT.
  2. Determine where a failure within the IT function could negatively affect the achievement of the enterprise strategies and objectives.
  3. Assess the likelihood of these failures and the magnitude of the impact of a failure.
  4. Ensure that IT processes, systems and controls efficiently and effectively manage the risks.
  5. Take prompt action to correct any deficiency in IT processes, systems and controls.
  6. Question all activities that are not required to achieve enterprise strategies and objectives, including the management of related risks.
  7. Apply these steps both to management of the IT function as a whole and to management of individual projects and functions within IT.
  8. Continuously monitor and improve all of the above.

Step by Step

The CIO and his team are generally involved with the rest of the executive management team in establishing the projects and organizational priorities needed to achieve the objectives approved by the board. Many of these rely either directly or indirectly on IT. For example, an initiative to expand into a new geography would require the financial applications to support new currencies. Sometimes the full extent of the reliance on IT is not immediately clear, so the IT management team has to partner effectively with the business owner to understand all the issues. It is possible, for example, that the business expansion just mentioned also requires additional IT support for the cash management and hedging programs that will be initiated to support the new geography.

Filed under:
GRC
