Today, IT faces a number of unprecedented challenges as it is expected to harness technology to deliver strategic value to the business. For most companies, IT investments are the key to remaining nimble and competitive in an environment of continual change. In an ideal world the CIO would like to lock down the ‘working’ IT infrastructure to ensure maximum service availability. However, the business must deal with the changes and demands placed on it to take advantage of new opportunities and stay competitive. It is a difficult balancing act, and the management of change, together with a clear audit trail, thus becomes an imperative.
Two key factors create the need for effective change control – compliance with the ever-growing raft of regulations and the drive for operational excellence. Legislation such as Sarbanes-Oxley and the myriad data protection regulations in effect throughout the world make compliance a difficult and potentially resource-intensive process. My personal view is that an approach using ITIL to deliver operational excellence and service availability is to be preferred, as compliance comes largely as a by-product. A compliance-led approach can be costly and doesn’t necessarily lead to operational excellence.
Recently, governance and compliance issues have been well covered in the media. Many organisations are now focusing on good governance to manage business opportunities and risks more efficiently and effectively. Unfortunately the catalyst for such focus is often a high-profile incident of non-compliance, or evolving legal requirements following new government legislation. Failure to comply with new legislation can lead to fines and damage corporate and personal reputations, which in turn erodes trust and can lead to loss of revenue.
Successful IT management is thus more about the business and less about the technology, which is the primary reason why an IT governance framework must link directly to a company’s goals and objectives.
It is therefore interesting to note that whilst, on the surface, IT governance and compliance appear to be popular, very few IT professionals are able to state clearly and succinctly what IT governance solutions and procedures they have in place in their organisation and how they link to business operations and business goals. This calls into question just how closely IT governance solutions and IT compliance are really aligned with the business – if at all. In reality, IT governance and compliance must be championed from the top of the organisation – in other words, this is where the ‘tone’ is set.
Essentially, having an IT governance framework is not really that different from having other governance processes in place such as risk management.
Governance as a broad concept is about the processes that must be followed in a successful business or project. In the case of IT governance this is the administration of IT resources using the processes of strategic planning, prioritisation, decision-making, and performance measurement to ensure that IT resources and assets support the business properly in achieving its goals.
Clear policies and procedures are necessary, but in today’s world I wonder if there is a tendency to hide behind the statement that “procedures have been followed” or “I haven’t broken any rules” despite the obvious and quite apparent failings of the system. There are numerous examples where simply following procedure has produced a less than acceptable outcome. As a small aside, just look at the debacle unfolding over MPs’ expenses. Most of the things that the average taxpayer would consider unacceptable are quoted by MPs as being “within the rules”. What is interesting is that I have not heard one politician say “I did nothing morally wrong”. Why? Because they know they have. Reputations and public trust are in tatters. Policies are meaningless unless they are enforced and there is an audit trail. Therefore, auditors should identify whether the organisation has a system in place that enforces policy, detects breaches of it and defines the consequences for such transgressions.
Of course, the challenge is that the more compliance you put in place, the more likely it is that controversy will occur, because it takes away the innate sense of personal responsibility and engenders a culture of ticking the box and just following the process or interpreting the rules.
On a broader front, there is an increasing recognition of the wider business benefits of good governance. A recent survey by PricewaterhouseCoopers found that an integrated approach to governance, regulation and compliance can enhance the value of an organisation’s reputation by 23%, improve employee retention by 10% and increase revenue by 8%.
Clearly such a potential impact is worthy of serious consideration. A robust and effective governance and compliance framework is no longer a nice-to-have; it is essential.
Any feedback and comments are always welcome!!