Till very recently, the IT department didn't have a say in how your business ran, and it didn't sit in meetings and make suggestions on how to move forward. Today, you have a CIO and a CTO who are part and parcel of the makeup of your company's vision. IT exists at every level in the organization and, perforce, needs to add value to your business. At the same time, your business needs to derive equivalent benefit from its IT investment. IT is now viewed as a tool for accruing business growth and value rather than being just an expense.
But what exactly is this whole business of governance and how does it benefit business? Why should you add more procedures and regulations to your work? We look at the answer to these in this article. Let's take the second question first. Think back to the Baazee scandal, the Enron scandal and a score of others from the recent past. Many of them, if not all, could have been averted with good IT governance policies. Regulations like the Sarb-Ox (viz Justice Naresh Chandra Committee Report) exist solely to inculcate this need by making it a mandatory compliance requirement. Doing so actually helps in control and auditing, and makes things transparent.
Key roles
The key roles IT governance plays are well defined. These are:
Framework management: Manage and streamline the IT framework within which the corporate business operates. Your business functions in a corporate framework, and your IT investment boxes it in for efficiency, efficiency being IT's primary goal. Management of this framework falls outside the ambit of the 'manager'; it is the role of the IT governance machinery to administer it.
Regulatory compliance: Ensure compliance with the various laws and regulations that the company must adhere to. Some information needs to be retained for a set period of time. Retention beyond this stated period has turned out to be a liability for some companies, as recent scandals bear out; so proper archival during the mandatory retention period, and efficient and permanent disposal at the end of it, are both required. Storage and erasure also dictate how transparent the process should be and how it needs to be documented and reported. All this must be adhered to as well.
Information security: Ensure the security and integrity of information proprietary to the organization. The corporate IT governance policy must keep in-house information safe from competitors and the outside world. Trade secrets, process and procedural information, data in workflows and other information must be preserved and served strictly on a need-to-know basis.
Control and audit: Institute control practices and audit mechanisms. Useful for pointing the finger when the need arises, control and audit trails also make it easy to pinpoint bottlenecks and troubleshoot. They also automatically generate reports and feedback on the entire process and on the IT deployed in the enterprise.
Continuous self-assessment: Assess and track the performance of the organization based on various parameters (see the box on 'Balanced Scorecards' for more information).
Not just about 'security'
IT governance is not just about security. But recent global events have forced a rethink on the security front, and a lot of the material out there on IT governance itself speaks much about security. So, what exactly is it that you should be looking at?
Framing of IT policies: This is a very important component of IT and corporate governance policies. Just as there are HR handbooks telling employees what they can and cannot do, and what their privileges are, there should be a clearly defined, formally published and publicly (within the organization, of course) accessible document that describes your IT policies. This can be done either as a printed booklet or, better yet, as a document on the corporate intranet.
Enforcement of policies: Some policies can be implemented automatically. For instance, if you require users to change passwords once a month, your OS or authentication server can be configured to force them to do that. Other policies must be enforced manually: keeping a watch on users printing out confidential documents, transferring files to personal storage (USB drives, CDs) and so on cannot be fully automated. They can be 'better enforced' with document-management systems in place.
Monitoring the implementation: Regular audits need to be conducted of which policies are in place, whether they are adequate and how well they are being followed. Other than legal requirements and 'best practices', if your company is ISO certified (or has similar other affiliations), you will need to enforce certain other policies as well.
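The two points above, automatic enforcement of a monthly password change and regular monitoring of whether the policy is actually followed, can be combined into a small compliance check. The following is an added example, not code from the article or from any product it mentions. It assumes a Unix-style /etc/shadow layout (user:hash:last-change-day:min:max:warn:inactive:expire:reserved, with the last-change field counted in days since 1970-01-01) and a 30-day policy; the shadow records below are constructed for illustration, not taken from a real system.

```python
"""Audit password-age compliance against a monthly-rotation policy.

Added example. The POLICY_MAX_DAYS value and the shadow records are
assumptions constructed for illustration, not data from any real host.
"""
from dataclasses import dataclass
from datetime import date, timedelta

POLICY_MAX_DAYS = 30  # assumed policy: passwords rotate at least monthly

# Constructed /etc/shadow-style records (hashes abbreviated on purpose).
SAMPLE_SHADOW = """\
root:$6$abc:20000:0:99999:7:::
alice:$6$def:20050:0:30:7:::
bob:$6$ghi:20010:0:30:7:::
svc_backup:!:19500:0:99999:7:::
carol:$6$jkl::0:30:7:::
"""


@dataclass
class Finding:
    user: str
    issue: str


def epoch_day(n: int) -> date:
    """Convert a shadow-style day count into a calendar date."""
    return date(1970, 1, 1) + timedelta(days=n)


def days_since_epoch(today: date) -> int:
    return (today - date(1970, 1, 1)).days


def parse_shadow(text: str):
    """Yield the colon-separated fields of each well-formed shadow line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 9:
            continue  # malformed record; skip rather than guess
        yield fields


def audit(shadow_text: str, today: date, max_days: int = POLICY_MAX_DAYS):
    """Return findings for accounts that violate the rotation policy.

    Two distinct checks are made per account:
    1. enforcement: the per-account max-days setting must not exceed policy,
       otherwise the OS will never force a change;
    2. monitoring: the password must actually have been changed recently.
    Locked accounts (hash starting with '!' or equal to '*') are skipped,
    since no password login is possible for them.
    """
    now = days_since_epoch(today)
    findings = []
    for fields in parse_shadow(shadow_text):
        user, pw_hash, lastchg, _min, maxd = fields[:5]
        if pw_hash == "*" or pw_hash.startswith("!"):
            continue
        if maxd == "" or int(maxd) > max_days:
            findings.append(Finding(
                user, f"max days {maxd or 'unset'} exceeds policy {max_days}"))
        if lastchg == "":
            findings.append(Finding(user, "last change date missing"))
        elif now - int(lastchg) > max_days:
            findings.append(Finding(
                user, f"password is {now - int(lastchg)} days old"))
    return findings


if __name__ == "__main__":
    # Use a fixed reference day so the report is reproducible.
    for f in audit(SAMPLE_SHADOW, epoch_day(20060)):
        print(f"{f.user}: {f.issue}")
```

Run against a real host the check would read /etc/shadow (root only) and use date.today(); the per-account max-days field is what a setting such as PASS_MAX_DAYS in login.defs or a directory password policy controls, so a finding on that field means enforcement was never configured, while a finding on password age means the control exists but is not being applied to that account.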
Certifications and standards
Now there are certifications available for corporate information technology governors. Two international exams, the CISA (Certified Information Systems Auditor) and, for the security-only stream, the CISM (Certified Information Security Manager), are administered by ISACA (Information Systems Audit and Control Association, USA, at isaca.org). A standard called CobiT (Control Objectives for Information and related Technology), issued by ISACA, is also widely adopted by companies and governments alike to implement better IT governance.
The IT Infrastructure Library (ITIL, itil.gov.uk) from the Central Computing and Telecommunications Agency, UK, is gaining popularity in the UK and the US as the definition of IT governance, since it draws information from public and private enterprises worldwide to define its content. Reports on the Web indicate that organizations that implemented these models have achieved better success and improved their ROI by reducing unwanted redundancy, besides cutting operational costs. However, that success comes at an implementation price. The keys to it are:
Starting from the biggest problem area: To implement all policies, IT departments need to start small. They need to identify the area of the largest problems and weaknesses, start the implementation there, and work their way outward. This may take a lot of time, but the results will be measurable and manageable.
Getting the IT workforce into the game: An intrinsic requirement for the success of any game plan is to get all the participants to buy into it. As Punjab National Bank found when it went in for computerized core banking systems, implementing software or hardware networks is the easiest part of IT. The tough part comes when people actually have to use it. Their support must come out of a willingness to implement, not the necessity to comply with a policy.
Implementing best practices available: There are many books on what to do and how to do IT. And then there are consultants. Both organizations, ITIL and ISACA, publish volumes that you can buy from their websites for roughly Rs 7000. Industry consultants such as IBM and HP, among others, also provide guidance and services to this end. DigitalGovernance.org is a website that caters to this need by also making public-domain knowledge and guidance available.
The traditional power-bearers in society have always realized the role of information in gaining control and have set up governance mechanisms. Good governance rests on the pillars of knowledge. Further, as the use of IT governance brings individuals within the organization into closer contact with decision-makers and officials in charge, the impact is immediate. On the whole, it puts greater access to, and control over, the governance mechanism into the hands of the participants, and in the process leads to a more transparent, accountable and efficient enterprise.
Sujay V Sarma