In the early years of Sarbanes-Oxley (SOX), I came across all kinds of bureaucratic absurdities committed in its name. Accountants said that SOX required a financial analyst to approve all purchase requisitions, the facilities staff insisted that all discarded documents be shredded, and the IT security staff demanded that a vice president approve every email account. I once joked that SOX probably required us all to park our cars facing south.

Fortunately, we have moved on from those days. Leading companies have progressed from restrictive and onerous controls over everything to focusing on the controls that really matter. Controls are audited only where there is a real risk of a material misstatement in the company's filings with the Securities and Exchange Commission, and a top-down, risk-based approach is used to identify those risks.

We have reduced the level of unnecessary bureaucracy from IT's SOX compliance activities, but can we do the same for all areas of governance? Before answering that question, we must address what is meant by the term "governance" and how it relates to IT governance. 

Curiously, there is no single, comprehensive, universally accepted definition of organizational governance. The Organization for Economic Co-operation and Development (OECD) developed a commonly used definition stating that organizational governance is a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set and the means of attaining those objectives and monitoring performance are determined. 

It is important to note that governance is not the same as compliance. While there has been a tremendous focus on compliance in the wake of SOX, governance is as much about achieving performance objectives (typically focused on strategy, value creation and resource creation) as it is about compliance objectives. 

IT governance necessarily flows from enterprise governance. As the IT Governance Institute states: 

Boards and executive management need to extend governance to IT and provide the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategies and objectives. IT governance is not an isolated discipline. It is an integral part of overall enterprise governance. The need to integrate IT governance with overall governance is similar to the need for IT to be an integral part of the enterprise rather than something practiced in remote corners or ivory towers.

In my years as an internal audit and risk management practitioner, I have seen many different charters for IT governance functions at different companies, ranging from responsibility for IT security (including contingency planning and the coordination of SOX compliance activities) to ownership of IT standards, performance reporting, risk management and regulatory compliance. So, just as there is no single, comprehensive, universally accepted definition of organizational governance, there is no commonly accepted definition of IT governance. For the purpose of the discussion in this article, I will use the following definition:

IT governance is the responsibility of the CIO and the organization's executive management team in partnership with other governance functions (such as the chief risk officer, compliance officer, etc.). It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the IT function sustains and extends the organization's strategies and objectives. An effective set of IT governance processes and systems will ensure achievement of the following objectives:

  • Cost-effective, timely and high quality delivery of the services and facilities required for the organization to achieve its strategies and objectives. This area would include the continuous delivery of good technology infrastructure, applications and other services, as well as the ability to monitor enterprise performance against objectives. 
  • Appropriate and effective management of risks to organizational objectives. Risks addressed within IT governance include direct risks specific to IT (e.g., data privacy) as well as indirect risks, where the business's response to a risk (e.g., noncompliance with environmental regulations) depends on IT services. For purposes of this discussion, noncompliance with laws and regulations is treated as a risk to be managed in the same way as operational risks.

How can these objectives be achieved with a minimum level of cost and bureaucracy? The trend among leading-edge governance, risk and compliance functions is to follow a top-down and risk-based approach: 

  1. Understand the enterprise strategies and objectives, and the extent of their reliance on IT.
  2. Determine where a failure within the IT function could negatively affect the achievement of the enterprise strategies and objectives.
  3. Assess the likelihood of these failures and the magnitude of the impact of a failure.
  4. Ensure that IT processes, systems and controls efficiently and effectively manage the risks.
  5. Take prompt action to correct any deficiency in IT processes, systems and controls.
  6. Question all activities that are not required to achieve enterprise strategies and objectives, including the management of related risks.
  7. Apply these steps both to management of the IT function as a whole and to management of individual projects and functions within IT.
  8. Continuously monitor and improve all of the above.

Step by Step  

The CIO and his team are generally involved with the rest of the executive management team in establishing the projects and organizational priorities to achieve the objectives approved by the board. Many of these rely either directly or indirectly on IT. For example, there may be an initiative to expand to a new geography that would require new currencies being supported by the financial applications. Sometimes, the full extent of reliance on IT is not immediately clear, so the IT management team has to ensure they partner effectively with the business owner to understand all the issues. It is possible, for example, that the business expansion just mentioned also requires additional IT support for the cash management and hedging programs that will be initiated to support the new geography. 

Once reliance on IT to achieve objectives is understood, a risk assessment process is performed to understand how a failure by IT might affect achievement. The risk assessment should be sufficiently detailed to identify all the functions and services involved, so that ownership of risk management activities can be assigned. This includes not only tasks and projects such as the addition of a currency to the financial applications, but also the continuing processes, systems and controls that address the risk areas such as information security and data privacy. Continuing with the business expansion example, ownership would be assigned to the IT managers responsible for the financial applications (including the hedging program), the network and phone services for a new international office, any related business intelligence platforms, and related information security and continuity concerns. The level of resources dedicated to addressing potential service failures should be determined by the likelihood and potential impact of a failure.

The owners of the IT services, projects and processes required to address these risks should verify that their procedures and controls are sufficient. If not, prompt action is required. All actions should be clearly assigned and their completion monitored. 

Some organizations will assign monitoring and overall management of the steps above to a single individual or team, which could be an IT governance function. While the CIO needs assurance that these activities are properly performed, each organization should determine whether it needs such a function or can rely on the team of responsible managers.

Questioning (Step 6) is critical to limiting the level of bureaucracy. Every organization and every IT function continues to perform tasks after the initial need has disappeared. Years ago, a financial services company that I worked for decided to test whether the (literally) pallet of reports it shipped to the finance department was necessary by stopping delivery. Nobody complained. The information was more readily available to the accountants online, and the hard-copy reports were no longer necessary.

Every project and every activity in normal IT processes should be examined to confirm its necessity to achieving an enterprise objective. This is especially important for compliance-related activities. For example, every employee at a large software company (including executives up to and including senior vice presidents) has to complete weekly time reports. The justification is that this is "required by SOX," but a re-examination would show that the activity (and maintenance of the related application) is not necessary. 

This top-down and risk-based approach should be applied across the IT organization as a whole and to each IT project. Limiting employee and management focus to activities that really matter will result in a reduction of unnecessary red tape and bureaucracy. 

The IT governance program needs to be monitored continuously and upgraded as objectives and priorities change. New or improved technologies can also improve the ability both to deliver required IT services and manage IT-related risks. This technology may apply to the whole enterprise's governance and risk management processes or to a specific IT activity. 

Governance, risk and compliance (GRC) technologies, along with business intelligence (BI) solutions, have progressed over the last year and can be used to improve both the efficiency and the effectiveness of enterprise and IT governance activities. Some are:

  • Strategy management applications help organizations manage objectives in a consistent fashion across the enterprise. They link objectives to related initiatives and provide performance metrics so that resources can be prioritized. 
  • Business intelligence solutions enable progress to be monitored. Leading products integrate with strategy management applications, enabling the performance metrics defined there to be derived directly from enterprise data. In addition, BI can be used to improve the efficiency of management's monitoring and control practices across the enterprise. For example, the enterprise's BI can be used by finance for monthly and quarterly management reporting; by sales to monitor the pipeline by product, region or sales executive; and by IT to monitor the level of aged application change requests.
  • Risk management products link to strategy management solutions in best-of-breed cases. They enable identification, assessment and monitoring of risks to enterprise objectives. This includes the management of responses to risks, such as IT and business managers' actions to improve processes and controls.
  • Control automation software can be used to drive efficiencies in the organization's system of internal control, including controls performed within IT. For example, the software can be used to monitor enterprise resource planning configuration changes and provide reports to appropriate IT management. The same software can be used by management and auditors (internal and external) to test controls already established. 
  • Access control products supplement the security provisioning capabilities supplied with the organization's ERP. They can deliver significant improvements in the ability to manage the risk of inappropriate access to, change to, or theft of enterprise information assets. User provisioning is not only better controlled, but the process is more efficient (less bureaucracy), with a swift ROI.

While it is necessary and important to have effective governance processes across the organization, including within IT, the critical objective of running the business efficiently will not be achieved if governance is excessive. The bureaucratic red tape can entangle important business activities, adding cost, delay and diverting scarce resources. That red tape can be cut if governance activities are focused on what really matters, derived from a top-down and risk-based process, and enabled by today's technology.
