
2005

Get with the lingo

By Luke Silcock, of PA Consulting Group

MIS Magazine, 01 May 2005

Addressing IT governance is a project that's often buried deep down in CIOs' to-do lists. But, says Luke Silcock, incorporating governance into all your projects will provide a better overall IT framework for the company.

Your boss asks you casually about your interest in IT governance. Bosses can be good at laying traps and you walk straight into this one. Thinking at first that IT governance might be code for "promotion", you start nodding knowledgeably. Soon the air is thick with acronyms and buzzwords. All you can do is mutter unintelligibly as you are handed the task of writing an IT governance paper for your company's next board meeting. 

You already have more than enough pressing issues to deal with. Getting the business team to release the people promised for UAT. Working out how to "refresh" and test your disaster recovery plan without any money. Deciding how to apply Oracle's database security patches. Renegotiating a key supplier contract. Forcing your top architect to write something down that other people can understand before leaving for England. 

Is IT governance merely a distraction from these and similar pressing issues? 

You should think of an IT governance framework as the spec for how your company should operate its IT management and delivery processes. Now is your chance to develop a system rather than live in a chaotic world of ad hoc work-arounds. 

And if you have ever written a system spec, you already know how to develop an IT governance framework. You just need to get with the lingo. 

The director's chair 

Shareholders and other external stakeholders expect and require the board of directors to take accountability for overall performance of the company. The board is responsible for protecting shareholders' interests and needs to ensure that, for all risks the business takes - including IT - there are rewards available that are worth achieving. 

Recently released Australian Standard 8015 on the Corporate Governance of Information and Communication Technology conveys the accountability of directors in line with general principles spanning both projects and operations. Unsurprisingly, directors should direct, evaluate and monitor IT according to this standard. 

Directors seek to be assured about IT, not just better informed about the trouble spots. If raising an issue to director level, you must also present proposed solutions. 

Think of directors as the 'power users' of the IT governance framework: their requirements are probably the most simple to express but most demanding to meet. 

The money machine 

The providers of money for IT will be seeking an optimum balance of risk and return from their investments. Key words for the investor include: total cost of ownership (TCO), funding hurdles, payback, IT asset management and project portfolios. 

You'll need to understand the IT money machine. Where does money come from and where does it go? How much of next year's money is already committed to 'must do' activities and how will the leftover be allocated to discretionary initiatives? 

Think of investment performance as one of the service levels that IT is expected to meet. 

IT rules OK 

Ensuring the right rules are defined and then applied in IT requires an understanding of externally imposed legislative and regulatory obligations and awareness of generally accepted standards of practice. 

But understanding and awareness aren't enough. For the management of information assets, do you aspire to reach full compliance with ISO 17799? For IT service management, do you seek simply to be 'aligned' with ITIL, or do you want to be measured independently against Australian Standard 8018? Is the Carnegie Mellon Software Engineering Institute's Capability Maturity Model applicable to your development functions or those of your IT suppliers and, if so, on what level of maturity will you set your sights?

Increasingly, business compliance issues - such as Sarbanes-Oxley, privacy and anti-money laundering - come with a heavy IT sting in the tail. Contemporary business compliance is founded on assumptions of compliant IT. 

Think of compliance as the set of IT governance requirements that can be tested and for which a body of evidence is required. 

Risky business 

An IT risk is something that can go wrong with IT and cause a negative impact on the business. In what ways might your company be most severely impacted by IT failure? 

In banking there is a commonly accepted demarcation of three categories of enterprise risk: market, credit and operational risk. IT is directly and indirectly implicated in each of these categories: as a potential cause of unwanted events, a part of the control environment acting to mitigate and contain risks, and providing tools that support risk identification, monitoring and reporting. However, even in banks IT risk management is rarely fully developed and in recent history Australian banks have suffered more than their fair share of IT snafus. 

While banks may have 'special need' status when it comes to IT risk, in all industries it is important for IT managers to be able to articulate the probability and impact of various unwanted and unwelcome IT events in enterprise-wide terms: financial, reputational, regulatory/legal, customer and competitive impacts and losses. 

You can win friends in the business risk community by understanding and being able to compute IT risk probabilities and outcomes, frequency and annualised loss expectancy. 
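The annualised loss expectancy calculation mentioned above, as an added worked example written for this page in Python (not code from the article or from PA Consulting Group). It applies the standard quantitative risk formulas, single loss expectancy SLE = asset value × exposure factor and annualised loss expectancy ALE = SLE × annual rate of occurrence, to a constructed risk register. The register's entries, dollar figures, the patching control and its cost are all hypothetical placeholders chosen to echo the article's own pressing issues.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One entry in a constructed IT risk register (hypothetical values)."""
    name: str
    asset_value: float      # AV: value of what the event puts at risk, in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence (0.0 to 1.0)
    annual_rate: float      # ARO: expected number of occurrences per year


def single_loss_expectancy(risk: Risk) -> float:
    """SLE = AV * EF: the cost of one occurrence of the unwanted event."""
    return risk.asset_value * risk.exposure_factor


def annualised_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE * ARO: the expected loss per year, the figure the business risk community works in."""
    return single_loss_expectancy(risk) * risk.annual_rate


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Order the register by expected annual loss, largest first."""
    return sorted(risks, key=annualised_loss_expectancy, reverse=True)


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual value of a control: the ALE it removes minus what it costs to run.

    A positive result means the control pays for itself; a negative one means
    the business would spend more on mitigation than the risk is worth.
    """
    return (annualised_loss_expectancy(before)
            - annualised_loss_expectancy(after)
            - annual_control_cost)


# Constructed register echoing the pressing issues in the article. The figures
# are illustrative placeholders, not estimates for any real organisation.
DB_BREACH = Risk("Breach via unpatched database server", 2_000_000, 0.25, 0.2)
DR_OUTAGE = Risk("Data centre outage with untested DR plan", 5_000_000, 0.10, 0.5)
SUPPLIER = Risk("Key supplier fails to deliver", 1_000_000, 0.30, 0.1)
REGISTER = [DB_BREACH, DR_OUTAGE, SUPPLIER]

# Hypothetical control: a managed patching programme that cuts the breach
# frequency from once in five years to once in twenty, at a fixed annual cost.
DB_BREACH_PATCHED = replace(DB_BREACH, annual_rate=0.05)
PATCH_PROGRAMME_COST = 40_000


def register_summary(risks: list[Risk]) -> list[tuple[str, float, float]]:
    """(name, SLE, ALE) rows in ALE order, the shape a board paper would tabulate."""
    return [(r.name, single_loss_expectancy(r), annualised_loss_expectancy(r))
            for r in rank_by_ale(risks)]


if __name__ == "__main__":
    for name, sle, ale in register_summary(REGISTER):
        print(f"{name:<45} SLE ${sle:>12,.0f}  ALE ${ale:>12,.0f}")
    net = control_value(DB_BREACH, DB_BREACH_PATCHED, PATCH_PROGRAMME_COST)
    print(f"Patching programme net annual value: ${net:,.0f}")
```

Ranking by ALE rather than by single-event cost is the point: in this register the database breach and the data centre outage cost the same per occurrence, but the outage's higher expected frequency puts it at the top of the list, and the control calculation shows whether a proposed mitigation is worth its running cost in the same annual terms.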

Think of the IT governance framework and enterprise-wide risk regime as two major systems that require an integration plan. 

In technology we trust 

Can IT be relied upon? Manager attestation via self-assessment is necessary but not sufficient when it comes to critical systems and their management. Independent auditors seek to ensure that controls are in place to cover likely faults and flaws and that coverage is complete. When venturing into the IT field, auditors may reach for the IT Governance Institute's Control Objectives for IT framework (COBIT). Stay one step ahead by receiving this IT governance gospel first.

Think of the auditors' role in IT governance like a white hat hacking team. Their job is to find the weaknesses before the bad guy - or bad luck - does. 

Driven to distractions 

When the director, investor, compliance, risk and audit perspectives are all understood and you have got the lingo under control, it is time to develop the IT governance spec. 

The best way to develop a spec is to talk to the users. The IT governance user group includes your normal contacts on both the business and delivery side of IT. These people will also think IT governance is a distraction from the pressing issues that were your first concern, and you may not possess the artful persuasive skills of your boss. 

IT governance will simply have to earn its keep. Seeing benefits from an IT governance system in action will build champions and support for future releases and a wider rollout. Iterative development is the way to go, so seize the pressing issues and move ahead like this: 

  • Develop principles for IT and business engagement while escalating the lack of representative user input during UAT to the key business sponsor or project steering group. 
  • Rather than scoping a DRP test as simply failing over a system or two on a weekend when no users are around, build links with enterprise risk managers and a better understanding of operational risks by proposing regular business continuity / disaster recovery rehearsals.
  • Bring your IT security camp and ITIL champions together by requesting a jointly endorsed recommendation on the application of Oracle's security patches to the Change Advisory Board.
  • Establish and ratify guiding principles for supplier negotiations prior to stepping into the ring. 

And as for your top architect who is leaving for England? Maybe this is an issue your boss can help you with.
