What are the top issues for IT governance?
Larry Marks (no relation) has had an article published by ISACA on “top IT governance issues of 2011”. He has a great surname, but I am not persuaded that his points and priorities are so great.
Like Larry, I am a fan of the ISACA/ITGI guidance on IT governance, and his summary of it is excellent – highly recommended (although I even more strongly recommend checking out the complete guidance, available at http://www.itgi.org/).
He has these as the IT governance issues of 2011:
- IT risk management
- The establishment of a governance framework
- A sense of teamwork and of enterprise
- Value delivery through IT
- A more activist information security department and board of directors
- Cloud computing
- Continuous auditing and assurance
To pick on a couple: Larry does not (IMHO) emphasize sufficiently the need for risk management within IT to be integrated with, and supportive of, enterprise or corporate risk management. As Risk IT (which he references) says, what is important is the effect that IT-related activities may have on business risks. There are no “IT risks” per se.
Then, why is selection and establishment of a governance framework so critical? I am more interested in results, and here are my top IT governance priorities:
- Ensure that IT-related activities enable, not merely support, enterprise strategies and goals. Be part of, if not lead, strategy-setting
- Provide leadership as technology enables new corporate strategies and initiatives. In these days of mobile computing, cloud, and ‘big data’, IT should be taking the lead in explaining to management what is possible, rather than waiting to meet their (uninformed) requirements
- Integrate IT risk activities into the enterprise risk management process, and (if necessary and appropriate) take the lead to ensure effective ERM
- Ensure that decisions are made on reliable, current, timely, and available (where it is needed, when it is needed) information. Move from managing on the basis of old, inconsistent, and fragmented data to current information that is reliable
- Simplify the IT infrastructure, eliminating duplicative or redundant applications and data repositories, to not only contain cost but build the platform for the future
- Support all the compliance requirements, preferably through a strategy that relies on a single set of solutions rather than an incompatible rag-bag
Which Marks is right? Or are we both wrong?
I’m a big advocate of not seeing IT anythings – risks, governance issues, etc – as isolated from the rest of the organisation. But, can you make your priorities snappier, Marks N?
Norman, you are right on “marks!” IT projects seem to be driven by the newest and the greatest in the field, but find that most initiatives are cost-prohibitive and not supported by Senior Management. When the marketing or sales staff influences IT priorities, some companies may find that the market is just not mature enough to influence current sales. The ideas are implemented “before their time.” As a result, frustration sets in and these priority projects get shelved or placed on hold until the market takes hold, which may be too late to position itself for growth. (techies keep development soaring, possibly making the creative idea obsolete within a year) IT loses some of its credibility in the process.
The struggle between IT and the Business Areas is real because of the lack of technical knowledge as you imply. IT needs to look at the “Big Picture” and make sure the infrastructure is able to handle the strategic growth initiatives. As you indicate, it is a coordinated risk management process that should address the more critical issues. Automated IT solutions, continuous auditing, and business analytics is a start in the right direction, but I agree with you that IT’s “voice” about trends in the industry must be heard loud and clear by Senior Management and the Board.
There is a natural difference in the point of view of IT and business people perceiving the IT risks. I classify them as pure IT risks (the impacts can be assessed by IT only; business can and may not have much knowledge about the root causes and mitigation methods) and hybrid risks (the impacts can be assessed by business only, but the mitigating controls can be applied by IT; IT cannot know the impact on the business processes), and I call the hybrid risks threats (root causes) of business risks. Both types of risks (and threats) should be included in the ERM process so that the alignment between IT and the business lines can be established. The alignment is my priority.
Norman, both you and Larry hold respective views on the basis of your own experience and knowledge, hence I would not comment on who is right or what is right in this case. However, when it comes to the talk of IT Governance and Corporate Governance, what I fail to understand is “Why are we talking about two different Governance models, and why is IT being talked about separately from Business?” Ain’t IT supposed to be an enabling function for the various business processes?
If an organization has a Corporate Governance model, shouldn’t IT Governance be part of it, just like Financial Governance or Workplace Ethics and Employee Governance? I have faced numerous situations where it takes a lot to make clients understand the importance of integrating both as one, as they are required to act as a single wheel.
With respect to Risk Assessment and Management, what surprises me is the treatment of IT Risk as a separate domain as compared to the other Business Risks. I, for that matter, find that IT Risks are an integral part of the Operational Risks that any organization would have to deal with.
I guess this treatment of IT Risk in silos and on the basis of various compliance requirements has created more chaos than it has actually helped any organization. Even if the non-IT people can’t understand the IT Risks the way an IT guy would understand them, I am sure that we can make the non-IT people understand, at a minimum, the Impact IT Risks would / might have on the Business Process Functioning.
One more point that we need to understand with respect to IT Risks is that the IT team itself has two factions: the first makes up the IT Delivery Organization and the second makes up the IT Security Organization. And in my experience, people from the IT Delivery Organization do not have any better understanding of the IT Risks than the other Business Functions. So there is another Catch-22 situation for the Governance structures mentioned in Larry’s article as well as in your question above.
Looking at these comments, I am on the side of Jackie and Mayank: what matters is optimizing the business as a whole. IT is a leader and enabler, but is not and should not be a silo. If a so-called IT risk (sorry Alpaslan) can only be assessed by IT and not in terms of its impact on the business, how do we know it really matters?
That is why I said:
“the need for risk management within IT to be integrated with and supportive of enterprise or corporate risk management. As Risk IT says (which he references), what is important is the effect that IT-related activities may have on business risks. There are no “IT risks” per se.”
I think it is the maturity of the organization that matters. In order to establish a nicely flowing ERM process, initially you need to have IT aligned to business objectives. When you look at it from the ERM perspective, every IT Risk is actually a Business Risk. But as I said, to overcome the difficulty of siloing, it really takes time to have the business take the leading role and convince IT that it is a business enabler. I have encountered many situations where both the IT and business sides made risk analyses separately and came out with very different risk matrices. I have seen cases where even 80% of the risks from each side do not match each other.