Enterprise IT Governance: What? Why? How?

2014 has been called the year of the breach, with organizations from Home Depot to Sony experiencing attacks.

Information technology failures are serious—to the point that companies can lose customers and market share.

Now the question is: what measures should be taken to encounter severe threats? After having a lot of experience through years of working with diverse people from multinational financial institutes, I conclude that only having effective and efficient IT governance in place can fulfill the expectations of stakeholders.
Why do we need governance?
Stakeholders expect:

• Business is secure and creates value
• The organization is responsive to changing business paragons.

What do we get from governing?
The board and executives have a better understanding of IT and have a clear picture of its performance as every opportunity and mishap are totally based on decision making. This enables them to make effective decisions regarding the investment and also assures the required IT objectives. “Effective governance” leads management toward better execution of strategies to achieve a desired behavior. “Transparency in governance” develops stakeholder confidence in responsibility and accountability, provides a competitive edge to the enterprise, and is helpful in improving the customer satisfaction level.
Enterprise IT governance provides balanced operations, which means IT can respond to the business needs and at the same time maintain and improve the stability and quality of services in a cost-effective manner. Outsourced services can be directed and controlled clearly as this approach enables effective, efficient and adaptable relationships.

Effective governance (improved return on investment and value on investment) helps to minimize failures, optimize productivity, enhance efficiency, and provide a compliance with rules and regulations by eliminating redundancy, overlap and lack of clarity.

How do we implement enterprise governance of IT?
Companies based on matured IT strategic plans that enable the business tend to be the most successful, having an established and fully integrated operating environment. With these best practices they are securing their information assets in terms of their confidentiality (reveal to authorized individuals only), integrity (confidence in data and assets) and availability (accessible when required).

So, taking all these benefits into account, how do we get started in generating, transforming and sustaining IT governance? First and foremost, one thing we must keep in mind is that we cannot adopt IT governance using a one-size-fits-all approach. Each organization is distinctive, with unique needs and priorities, so it should adapt or form its own governance model based on the nature of its business. Organizations that have no IT governance at all should take a slow start (perhaps with an advisory body, external consultant with strategic planning, standards making, and project prioritization) and add more functions to the governing body as the organization matures. Those organizations that are employing some variety of IT governance may wish to widen their body further into decision-making and performance management.

Best practices for information system governance can be evaluated within the perspective of industry-wide accepted standards, such as processes like information workflow, application and infrastructure development and maintenance, and support services (both operational in-house and external). These need to be gauged and then should be benchmarked with similar industry leaders and peer organizations of a similar size and IT infrastructure. After benchmarking, performance advancement activities can be started using industry standards and/or frameworks such as ITIL. I personally prefer and recommend ISACA’s COBIT 5 as a framework for effective governance and management of enterprise IT.

COBIT 5 has integrated all industry best practices into one framework, and this single integrated framework makes the point that to achieve alignment of best practices to business requirements COBIT 5 can be used at the highest as well as lowest level. This provides a framework for overall control based on a model of IT processes that should generically suit most organizations regardless of industry and whether private or public.

Security breaches? Their proactive/reactive defensive approaches? Strategic alignment? Value delivery? Risk and resource management? Performance measurement? The only answer to all these questions is to have effective and efficient enterprise governance of IT in place.

Organizations with highly effective IT governance prioritize and communicate the structure and essential changes across the organization. Involving both IT and business leaders and bringing them together at the upper management level is vital for ensuring how closely IT is related to business performance. Effective IT governance is a journey, but success can be realized by those who understand the path and the best IT governance practices that keep them on course.

Ali Nouman, CISA
Information Security at The Bank of Punjab, Pakistan

COBIT 5 and related documents are available for free download at www.isaca.org/cobit and http://cobitonline.isaca.org.

[ISACA]