There have been many attempts to better manage information and technology (IT) with a range of different models over the past three decades. Management by Objectives (MBO), Total Quality Management (TQM), ISO 9001, Six Sigma and LEAN are some of the approaches used by companies seeking to improve effectiveness and drive efficiencies. Now it is the turn of «IT Governance».
Two Awards for the ISACA Switzerland Chapter
2011 was an outstanding year for the Swiss Chapter. We were honoured to receive the K. Wayne Snipes Award in recognition of the best very large chapter in Europe/Africa. At the same time, in the same category, we received an award for the highest membership «renewal rate» (87.3%). We are delighted about this and hope for continued active participation on the board and among the members. More information can be found at
www.isaca.ch under «Über uns» (About us).
What is IT Governance?
IT Governance is about the stewardship of information and technology resources by a company’s board of directors on behalf of all stakeholders. As with any other strategic resource, a company’s board must ensure that the stakeholders receive the expected benefit from the investment in and use of information technology. While the board is accountable for the corporate governance of information and technology (IT), the board delegates responsibility to executive management to implement an IT governance framework and deliver value.
What is an IT Governance Framework?
An IT governance framework provides the conceptual structure for establishing accountability for the management processes and decisions that affect the success of IT, supporting the effective and efficient management of IT resources to facilitate the achievement of an organisation's strategic objectives. It creates clarity about who has what decision-making authority regarding the use of IT, and it enables the board to hold those with decision-making authority accountable for using IT to achieve the organisation's strategic objectives. An IT governance framework comprises three levels of decision-making authority and accountability for the efficient and effective management of IT resources.
At level 1 (strategic), the Board (or a sub-committee of the board, such as an IT Steering Committee) governs IT by:
- Evaluating – the current and future use of IT by examining strategies, proposals and supply arrangements for IT (internal, external, or both).
- Directing – the assignment of responsibility and priority for preparing and implementing a management system of plans, policies and processes, so that the use of IT supports business objectives and the achievement of agreed strategic outcomes (via an IT governance charter).
- Monitoring – receiving reports about:
› the current and future use of IT,
› progress towards delivering the performance expected from IT, measured against agreed plans and business objectives, and
› whether the use of IT conforms with internal policies and external obligations (regulatory, legislative, common law and contractual).
Also at level 1, the Audit committee (another sub-committee of the board) governs IT by:
- Evaluating, directing and monitoring the management of risks associated with the use of IT as they relate to financial reporting;
and the Risk committee governs IT by:
- Evaluating, directing and monitoring the management of risks associated with the use of IT as they relate to achieving strategic, operational and compliance objectives, but excluding those related to financial reporting (unless the Audit committee and Risk committee are combined).
At level 2 (management), one or more oversight authorities govern by overseeing the management lifecycle:
- Plan – design efficient and effective processes, implementation plans and governance mechanisms to achieve the desired outcomes,
- Implement – organise and lead the implementation of the organisational structures, processes and working practices; configure, customise and maintain process artefacts,
- Operate – execute the tasks and respond to issues affecting the desired outcomes; analyse the efficiency and effectiveness of the processes and practices deployed,
- Act – correct deviations in performance that will impact the desired outcomes.
At level 3 (operational), IT management delivers by:
- Tracking – the activities being executed with the aim of achieving stated goals,
- Supervising – organising and re-organising IT activities so that there is increased reliability in achieving the stated objectives,
- Checking – analysing performance and risk management across IT,
- Controlling – detecting and correcting inefficiencies and poor performance and remediating risks found within IT.
The Accountability Framework
Governance occurs at the strategic, management and operational levels through the assignment of decision-making responsibilities and authority to encourage desirable behaviour in the use and provisioning of IT. While the CIO has overall accountability for the use and provisioning of IT, individual IT managers are responsible for rendering reports about their specific areas of responsibility.
The primary purpose of the Accountability Framework is to communicate to IT and business managers who has which responsibilities to render reports about what has been achieved from the work performed. Because there is overlap within and between IT and business processes, there is always the risk that two managers have the same accountability, that no manager is allocated accountability to render reports, or that a manager is assigned accountability for areas and actions over which he or she has no responsibility. Typically, a process reference model (e.g. CobiT or ITIL) is used to identify and clarify responsibilities for information and related technologies.
As processes describe a structured set of activities organised to achieve specific purposes, process descriptions provide a useful reference for determining which managers are responsible for which outcomes, and which activities within these processes are important to delivering these outcomes. Consequently, the Accountability Framework summarises the key roles within the organisation and the respective responsibilities of the managers who hold these roles.
Role and Job Descriptions for IT Personnel
Role and job descriptions are a cornerstone of governance. They usually provide the detailed descriptions of individual responsibilities, working relationships and performance measures. Mapping role descriptions to a process reference model gives the CIO assurance that responsibilities for key process-level activities are assigned, gaps are identified and duplications are removed. This ensures that individual performance measures are tied to the specific process responsibilities and outcomes necessary for the process to achieve its purpose. Senior managers are typically responsible for a number of processes, whilst managers have specific responsibilities within individual processes. Senior managers are primarily responsible for the process outcomes achieved, whilst managers have responsibility for specific process and sub-process areas. Senior managers are accountable for their processes (i.e. they are required to render reports regarding their success), whilst managers are responsible for the execution of the process and the key activities within it.
An Accountability Framework assists in identifying gaps, duplication and work overload in the assignment of responsibilities. Issues are resolved by adjusting the individual role descriptions and the assignment of individuals to roles. New role descriptions are determined from an analysis of each process, and the level of responsibility (i.e. «senior manager» = process owner, «manager» = process manager and «supervisor» = team leader) is clarified.
Performance measures are derived directly from either the process outcomes or the responsibilities assigned to the specific role (i.e. owner, manager, team leader). Consequently, managing individual performance drives the achievement of process, IT, business and strategic objectives.
The Management System
The objective of a management system is to continually improve the operational processes whilst operating and executing the daily activities of each process. ISO 9001 and ISO 27001 are examples of management systems for quality and information security respectively. Each is built on Deming's lifecycle approach (i.e. Plan, Do, Check and Act).
On a regular basis, issues arise in each process that need management attention. Some relate to the work being performed, some to the configuration of the process being used, and others to problems that arise. A management plan is used to record the acceptance or rejection of the issues that arise and to maintain an order of priority. This management plan feeds an implementation plan, which is monitored in the medium term and has scheduled review points. The implementation plan for each issue addresses the resources, tasks and responsibilities for introducing, developing and executing the work required to resolve the issue. When designing and executing the implementation plan, managers:
- determine the sequence of implementation,
- document roles and responsibilities,
- determine the target dates for implementation, and
- decide on the frequency and format of reporting against milestones.
The challenge for managers is to coordinate work that needs to be planned and executed across a number of processes and functional units. Within a manager's own area of authority, the manager is able to redesign processes and practices and re-assign work priorities. Under an established accountability framework, however, each manager is empowered with specific responsibilities and entrusted with defined decision-making authority, and no more. To succeed, managers need to collaborate and coordinate their actions across these boundaries.
Actionable Tasks for better Governance
Frameworks like CobiT and ITIL provide important guidance about the tasks that make up generally accepted best practice for IT processes, and about the actual process of implementing or modifying the recommended practices. Companies often struggle to define and implement the processes, triggers, controls and governance mechanisms recommended, and frequently there is considerable upfront investment simply in understanding the requirements of the selected frameworks, with little real value actually created or governance established.
What companies require is a management system and streamlined processes with clearly defined accountability for actionable tasks that, if followed, manage the risks, deliver the results expected and support regulatory compliance obligations.
A management system should facilitate cross-divisional co-operation and teamwork, and promote compliance and continuous improvement. A management system will include:
- assessing, planning and executing the processes and their continuous improvement,
- tracking that processes are capable of delivering against enterprise, governance, management and control objectives, and
- making use of the available implementation guidance:
› sources of good practice
› emerging standards
› compliance requirements
› automation opportunities
› productivity improvements.
Implementing the levels of a governance framework establishes effective governance of information and technology resources. The board is able to direct, managers continuously improve, and staff deliver the performance expected.
The Author
Peter Hill (CISA, CISM, CGEIT) is an IT Governance specialist with over fifteen years of related experience. He is currently a director of the IT Governance Network, a company specialising in IT Governance, CobiT, ISO 38500, ISO 27001, management systems and training. The IT Governance Network also provides integrated CobiT and ITIL process, risk management and compliance solutions, as well as management systems on the mobile platform.