Establishing IT Governance
The key question for formal IT governance is how to make it transparent and ready for unexpected security risks and operational needs.
Professional accountants know that understanding technology is now critical to their performance on the job. New and emerging technologies such as artificial intelligence, blockchain, predictive analytics, and automation are entering the processes of accounting, changing the work and role of accountants. Technology changes in the organization lead to a substantial reevaluation of existing IT systems and processes. Any such change should be undertaken through the lens of IT governance.
The primary goals are increasing the value of your business services through automation (effectiveness) and reducing cost (efficiency) while also addressing risks and ensuring the outcome is in alignment with the overall strategic direction of the organization. Delivering value to your customers and shareholders needs to be the outcome. Of course you need to consider return on investment. You certainly aren’t going to be making these choices on your own. Making them requires a set of processes, responsibilities, roles, relationships, and a disciplined IT governance framework.
WHAT IS IT GOVERNANCE?
ITIL’s IT service management processes and the IT governance association ISACA are both committed to providing a guidance hierarchy. They both define IT governance as IT that benefits the whole organization. It’s IT that should move the organization toward its strategic goals, and that’s realized through technology enablement. This is where technology aligns with the business and vice versa. At its core, IT governance is designed to help achieve strategy by providing a set of checks and balances that help identify the right priorities, evaluate risks, ensure compliance, and measure performance (balanced scorecard). Governance in an organization requires an acceptance of responsibility or accountability, communication, empowerment, and monitoring. IT governance isn’t any different.
RESPONSIBILITY OR ACCOUNTABILITY
Company leadership, often the board, is responsible for setting the strategy and identifying the risk tolerance of the organization. The CEO then implements policies and standards and executes the strategy. This is inclusive of developing an investment IT project portfolio and increasing knowledge management. The CIO ensures that projects are timely and meet expected outcomes and costs through robust project management disciplines, ensures standardization of IT architecture, and implements an IT control framework.
Moving forward with a technology project is an organizational strategic business decision, and all departments should have a voice. They should express their IT needs—be it for projects, software, or other technologies—to meet their organization’s goals. If all parts of the organization feel they have a voice, the governance of IT becomes orderly—the IT team knows how to spend its limited resources.
The IT department must also have a place at the table. It will consider the strategy for the project while assessing the infrastructure impact, such as mainframes, servers, networks, security, and data storage, as well as disaster recovery and business continuity. In many cases, the IT department is also tasked with software licensing, software and hardware life cycle, computers, and wireless communications and devices. Decisions to upgrade or adopt new technologies will have ramifications in all of these areas.
Each party should come to the table prepared to explain what it needs in technology and why. It needs to present how this IT procurement enables the organization to meet its strategic goals. The presentation must include ROI, NPV, or some other acceptable financial measure for the entire life cycle of the project. Part of the costs should include disposition, upgrade, or replacement costs. It also requires a full evaluation of the risks associated with the project. Preliminary data about the project management needs, plans for implementation, and IT infrastructure requirements should be made available.
Some companies will ask members of the board to attend the presentations to provide guidance and act as a neutral party to minimize the “political” aspects of a decision. The official approval of the project depends on the organization. Generally it’s a combination of the executive team, the board of directors, and, depending on the organization, stakeholders. If the board or committees aren’t involved directly, then communication should be provided to them. At that point, the board should approve the funding or budget for the project. Both the board and executives should provide oversight to make sure that the project stays on track to completion or stops, if necessary.
Certain decisions should be left to the IT department. Many believe that determining how to secure software is the most important decision. The IT department should decide whether to develop or procure software, set it up as Platform as a Service (PaaS), or have it be managed in the cloud or as part of a hybrid setup. These are all considerations where IT should drive the decision.
Should an individual department be allowed to choose and manage its own software? A good IT governance framework would have the IT department involved to evaluate the quality of the security of the software and determine if it’s an acceptable risk. The IT department also understands the network and bandwidth requirements needed for that software to operate efficiently. It should manage the technology as it’s in the best position to know and understand what would be best for the organization.
It’s important to establish metrics in order to ensure continuous improvements in the business activities, IT activities, and IT processes. A number of organizations provide information on IT governance. Each of these has its own point of emphasis in terms of governance.
- The ITIL framework is a set of best-practice publications intended to align business needs with software asset management, service support, service delivery, security management, and application management.
- Control Objectives for Information and Related Technology (COBIT) was initially developed by ISACA and is now issued and maintained by the IT Governance Institute (ITGI). COBIT has 34 high-level control objectives grouped into four domains of planning and organization, acquisition and implementation, delivery and support, and monitoring. There are different levels of maturity within each of these objectives.
- ISO 17799 provides governance for the practice of IT security. With the focus on security, it generally isn’t used as a source for an IT governance framework.
IT governance provides organizations with the structure to effectively manage IT business and technology projects. It’s vital for an organization to have processes that bring everyone to the table to discuss their technology needs and how they fit within the organization’s strategic goals. The process should be defined, transparent, and repeatable with consideration of factors such as risk, organization security, and operational impact. The more formal the process, the better and more cost-effective the results will be.