Governance frameworks for IT outsourcing

Areas of focus in IT governance

Strategic alignment and strategic governance are keys to ensuring that the company takes full advantage of opportunities and manages risks in a changing market. According to the IT Governance Institute, there are five focus areas:

Strategic coordination

Connecting business and IT so that they work well together. The lightning rod is typically the planning process, and true alignment occurs only when the business side communicates effectively with line-of-business (LOB) and IT leaders about costs and benefits.

Value delivery

Ensure that the IT department does what it takes to reap the benefits of an IT investment. The best practice is to develop processes that ensure target values grow and that activities which reduce value are eliminated.

Resource management

One way to manage resources more effectively is to organize staff efficiently, for example by skills rather than by industry. This allows for better staffing and demand management.

Risk management

Set up a formal risk framework that details how IT measures, accepts and manages risks, and reports on which risks are managed.

Performance measurements

Provide structure around measuring business performance. A popular method is to set up an IT Balanced Scorecard (BSC), which examines where IT contributes to achieving business objectives. It uses both qualitative and quantitative measurements.

Governance challenges in outsourcing

In 2004, a study by the IT Governance Institute (ITGI) found that the required levels of governance are not reliably extended to relationships when services are outsourced. What matters is no longer what an organization owns, but rather its ability to leverage and scale its outsourcing capabilities. The findings show that the benefits of outsourcing are not just about price, but rather about quality of service, risk management and freeing key personnel to focus on core value-added activities.

Chief Information Officers (CIOs) who want to outsource parts of the IT operation to outside agents abroad must carefully consider their own process maturity and organizational readiness. They also need to demonstrate the contributions of IT to business results. In addition, increased financial regulations, such as the Sarbanes-Oxley Act (SOX) and Basel II, force CIOs to take a closer look at the IT landscape. As a result, agents are also looking for third-party assurance to provide their clients with comfort over their internal control environment.

Many Indian service providers have implemented recommendations from NASSCOM, the leading organization representing the government and setting the tone for government policies for the Indian software industry. Most organizations are aware of potential problems that may arise from misuse of information security. Many Indian companies have taken strict measures to prevent misuse of information. NASSCOM encourages the Indian legislature to make changes to information technology laws to expand the areas of data protection concerns. “The customer has to do certain things and is responsible for certain things, and so do we,” said Ed Nalbandian, vice president of Avaya Operations Services, a global provider of business communications solutions.

We begin our discussion of frameworks with Statement on Auditing Standards (SAS) No. 70, the most widely used audit standard.

SAS 70

SAS No. 70 (SAS 70 for short), an audit standard developed by the American Institute of Certified Public Accountants (AICPA), recognizes that an audit was conducted by an “independent” auditor and that a service organization conducts an in-depth review of its audit objectives. This is critical because service organizations or suppliers must demonstrate adequate controls and security mechanisms, especially when hosting or processing customer data.


COBIT

Control Objectives for Information Technology (COBIT) is another popular process framework, created by the Information Systems Audit and Control Association (ISACA). COBIT is both an IT governance framework and a supporting toolset that allows managers to bridge gaps in the governance of the organization. This framework includes core activities and support processes. COBIT is a framework to be applied by the IT department as well as by the company as a whole.

Val IT

Complementing COBIT is ISACA’s Val IT governance framework that demonstrates business value derived from IT investments. It is a set of guiding principles, processes, best practices and management practices to help executive management demonstrate the value of IT at the company level. This framework goes beyond financials and includes Portfolio Management.

IT Infrastructure Library (ITIL)

Information Technology Infrastructure Library (ITIL) is a set of practices developed by the UK Office of Government Commerce (OGC) for IT Service Management (ITSM). ITIL version 3 (latest) aligns IT services with business strategy and provides a holistic perspective that spans the entire IT and support organizations.

Calder-Moir IT Governance Framework

The Calder-Moir IT Governance Framework is designed to take advantage of overlapping frameworks and standards. This framework is not another solution, but a way to organize IT governance issues. It offers tools that the board can use to evaluate, manage and monitor processes via a PDCA cycle (Plan, Do, Check, Act).


COSO

This model for evaluating internal controls comes from the Committee of Sponsoring Organizations of the Treadway Commission. It contains guidelines for many functions, including human resource management, inbound and outbound logistics, external resources, information technology, risk, legal, enterprise, marketing and sales, operations, all finance functions, purchasing and reporting. This is a more general business framework that is less IT specific than the others.


CMMI

Developed by a group from government, industry and Carnegie Mellon’s Software Engineering Institute, the Capability Maturity Model Integration (CMMI) method is a process improvement approach that spans 22 process areas. It is divided into assessment, evaluation and structure. CMMI is particularly suited to organizations that need help with application development, lifecycle issues, and improving product delivery throughout the lifecycle.

Framework selection

Choosing the best corporate governance framework for a company is a matter of striking the right balance in serving all of the company’s stakeholders. A good governance framework should be managed and monitored by an independent board of directors that oversees the implementation of a corporate vision. Directors are guided by a set of policies that govern business practices in all areas of business.

Today, most companies opt for COBIT or ITIL, but other frameworks are also suitable. ITIL is primarily a good framework for operational activity, while CMMI is suitable for application development and life cycle issues. COBIT is a great overarching framework for risk management.

While each framework has a unique value proposition, combining frameworks is a way to design a custom framework that fits an organization’s goals. A company can use COBIT as a general framework and ITIL for specific operations, CMMI for development and ISO frameworks for security. In fact, combining frameworks is quite common. A study by PricewaterhouseCoopers found that in 65 percent of cases, companies used COBIT and ITIL together or with lesser known frameworks.

Outsourcing governance is primarily a subset of IT governance, and its primary focus is on controlling the interface between the organization and its outsourced service provider. A critical consideration in outsourcing governance is the close interrelation between the internal and outsourced IT environments: a focus on IT outsourcing governance alone always proves insufficient. It should be viewed in the context of IT governance as a whole.

The most important thing is to use a framework that fits the corporate culture and that most stakeholders know.

Bring them together

To turn great ideas into great project results, strategic IT governance is mandatory. “If the IT governance framework is not properly implemented, it can directly affect how IT is experienced at a high level. The last thing you want is for IT to be viewed as a cost center with no real value,” said Marios Damianides, former International President of ISACA and the IT Governance Institute, and currently a partner at Ernst & Young.

Solid governance goes hand in hand with good execution. This means setting up a Project Management Office (PMO) and a Governance Board. For larger projects, a program manager must be chartered and held accountable for all issues and escalations. The PMO must regularly report progress to the Board of Directors.

In addition, the chosen governance framework should not be too complicated or difficult to manage. The structure must be simple and easy to understand; objectives should be clear and understandable to all stakeholders. In short, outsourcing governance frameworks must be effective, productive and in line with strategic business needs and requirements. It is important that the governance framework is revisited periodically to remain relevant to business objectives.


Source by Mithun Sridharan