IT Governance

Definitions
- Governance -gov·er·nance noun (ˈgə-vər-nən(t)s) : the way that a city, company, etc., is controlled by the
people who run it

- Corporate governance: The structure and the relationships which determine corporate direction and
performance.

o The board of directors is typically central to corporate governance – accountable to shareholders

o Participants include: management, employees, customers, suppliers, and creditors
o Depends on the legal, regulatory, and culture of the community

Information technology governance (ITG):

“The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its
goals.” © 2010 Gartner, Inc.

“A decision-making framework for IT investments that is designed to maximize the return of benefits while
managing risk to acceptable levels.” © 2010 Forrester Research, Inc.

“The system by which the current and future use of IT is directed and controlled. Corporate governance of
IT involves evaluating and directing the use of IT to support the organization and monitoring this use to
achieve plans. It includes the strategy and policies for using IT within an organization.” © International
Organizations for Standardization (ISO).

“Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced,
agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making;
and monitoring performance and compliance against agreed-on direction and objectives.” © ISACA
(COBIT5®).

IT Governance Institute – more definitions

1998 Definition: The responsibility of executives and the board of directors, and consists of the leadership,
organizational structures and processes that ensure that the enterprise’s IT sustains and extends the
organization’s strategies and objectives. © IT Governance Institute.

Today’s Definition: A governance system enables multiple stakeholders in an enterprise to have an

organized say in evaluating conditions and options, setting direction and monitoring performance against

1
enterprise objectives. Setting and maintaining the appropriate governance approach is the responsibility of
the board of directors or equivalent body. © IT Governance Institute.

IT Governance & IT Management Issues

IT governance and corporate governance are interrelated; IT governance is an integral part of corporate
governance. For this reason, many issues and concepts discussed in corporate governance are also
involved in IT governance. These include

 IT risk management.
 The establishment of a governance framework.
 A sense of teamwork and of enterprise.
 Value delivery through IT.
 A more activist information security department and board of directors.
 Cloud computing.
 Continuous auditing and assurance.

i) IT Risk management

Successful organizations that manage to derive business value out of IT investments also understand the
importance of IT control environment and manage the associated risks, such as increasing regulatory
compliance and critical dependence of many business processes on IT. This in particular means that they
manage the risks associated with growing IT opportunities. The risks associated with business processes
conducted through IT support are not only anymore marginal or ‘technical’ problems and become more and
more a key ‘business problem’.

IT risks are risks associated with intensive use of IT to support and improve business processes and business
as a whole. They are related to threats and dangers that the intensive use of IT may cause undesired or
unexpected damages, misuses and losses in whole business model and its environment. Conscience about
the systematic IT risk management should be present at all managerial level in organizations whose business
is in any way related to the functioning of modern information systems (IS), no matter if they are used only
for the purpose of business automation, or some vital business process are performed electronically. Since
the efficiency, effectiveness and in a great deal the successfulness of all business activities depend on the
functioning of the IT and IS, a sound risk management process should not only include technical or
operational issues but also executive management’ frameworks such as IT Governance and IT Audit.

IT Risks represent the likelihood that in certain circumstances a given threat-source can exercise a particular
potential vulnerability and negatively impacts the IT assets (data, software, hardware), IT services, key
business processes or the whole organization.

2
 IT Risks = F (asset, threat, vulnerability)

Quantitative risk assessment draws upon methodologies used by financial institutions and insurance
companies. By assigning values to information, systems, business processes, recovery costs, etc., impact,
and therefore risk, can be measured in terms of direct and indirect costs. Mathematically, quantitative risk
can be expressed as Annualized Loss Expectancy (ALE). ALE is the expected monetary loss that can be
expected for an asset due to a risk being realized over a one-year period

ALE = SLE * ARO

where:

SLE (Single Loss Expectancy) is the value of a single loss of the asset. This may or may not be the entire
asset. This is the impact of the loss. ARO (Annualized Rate of Occurrence) is how often the loss occurs.
This is the likelihood or the number of occurrences of the undesired event.

ii) IT Governance framework

All organizations need to make a decision on the IT governance framework to adopt. These include:

- CobiT (Control Objectives of Information and related Technology),

- ISO 38500:2015
- ITIL (IT Infrastructure Library)

The main objective of all frameworks is to align IT to the organization, create value and control.

iii) Sense of teamwork and of enterprise

- an organization with a cultural focus on results and teamwork tends to implement simple
structures of IT governance and simple decision-making processes, uses more efficiently their IT
resources and integrates better its organizational knowledge
- In organizations that value individual work, there is less teamwork, the structures are more
complex and the decision-making will be more difficult, slow and bureaucratic. This type of culture
causes less participation of business executives in the IT governance model, less interaction
between areas and different resources and therefore less optimized IT resource management
- worker participation, supervision, feedback, rewards, formalization and work rules have an
impact on IT governance resource planning

3
 - three dimensions of organizational culture called strategy, coordination and leadership, have a
strong relationship with governance in the business IT alignment maturity. Likewise, aspects of
organizational culture like innovation, risk taking, team orientation, and change readiness have a
significant impact on the strategic alignment components
iv) Value delivery

Growing need for assurance about the value of IT, the management of IT-related risks and increased
requirements for control over information are now understood as key elements of enterprise governance.
Value, risk and control constitute the core of IT governance.

v) Information security department and board of directors

From IT Governance, IT Audit and IT Security perspective, IT risk management is the process of
understanding and responding to factors that may lead to a failure in the authenticity, non-repudiation,
confidentiality, integrity or availability of an information system. Attainment of security needs to be one of
the targets set by the board of directors. It can be attained by implementation of ISO 27000:2013

vi) Cloud computing.

vii) Continuous auditing and assurance

Periodic internal or external IT audits are needed to detect the level of compliance with standards and
regulatory frameworks. Performing IT audits are necessary in order to detect the priority risk areas, to
identify specific IT controls needed, to constantly measure the level of their efficiency and to calculate IT
risk level on regular basis

4
IT Governance Frameworks/Authorities
IT Governance Frameworks/Authorities include

 International Standards Organization/ International Electrotechnical Commission (ISO/IEC)

 Information Systems Audit and Control Association (ISACA)
a) The ISO/IEC IT Governance Standard

ISO/IEC 38500 is a high level, principles based advisory standard. In addition to providing broad guidance
on the role of a governing body, it encourages organizations to use appropriate standards to underpin their
governance of IT.

(ISO 38500 definition: - The system by which the current and future use of IT is directed and controlled.
Corporate governance of IT involves evaluating and directing the use of IT to support the organization and
monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization.

The objective of their standard is to provide a framework of principles for Directors to use when evaluating,
directing and monitoring the use of information technology (IT) in their organizations.

5
The ‘other’ objectives of ISO/IEC 38500

Proper corporate governance of IT may assist directors in assuring conformance with obligations
(regulatory, legislation, common law, contractual) concerning the acceptable use of IT.

Inadequate IT systems can expose the directors to the risk of not complying with legislation. For example,
in some jurisdictions, directors could be held personally accountable if an inadequate accounting system
results in tax not being paid.

ISO/IEC 38500A is a standard rooted in risk aversion. Processes dealing with IT incorporate specific risks
must be appropriately addressed. For example, directors could be held accountable for breaches of:

o security standards
o privacy legislation
o spam legislation
o trade practices legislation
o intellectual property rights
o record keeping requirements
o environmental legislation and regulations
o health and safety legislation
o accessibility legislation
o social responsibility standards

ISO/IEC 38500 is based on meeting six principles

o Responsibility – Individuals and groups within the organization understand and accept their
responsibilities in respect of both supply of, and demand for IT. Those with responsibility for
actions also have the authority to perform those actions.
o Strategy –The organization’s business strategy takes into account the current and future capabilities
of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization’s business
strategy.
o Acquisition – IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing
analysis, with clear and transparent decision making. There is appropriate balance between benefits,
opportunities, costs, and risks, in both the short term and the long term.
o Performance – IT is fit for purpose in supporting the organization, providing the services, levels of
service and service quality required to meet current and future business requirements.

6
 o Conformance – IT complies with all mandatory legislation and regulations. Policies and practices
are clearly defined, implemented and enforced.
o Human Behavior – IT policies, practices and decisions demonstrate respect for Human Behavior,
including the current and evolving needs of all the ‘people in the process’.

ISO/IEC 38500 Governance Model

IT is governed through 3 main tasks

o Evaluate the current and future use of IT.

o Direct preparation and implementation of plans and policies to ensure that use of IT meets business
objectives.
o Monitor conformance to policies, and performance against the plans

“In ISO’s view, governance is distinct from management, and for the avoidance of confusion, the two
concepts are clearly defined in their standard.”

b) Control Objectives for Information and Related Technology (COBIT) Framework

COBIT® 2012 – An ISACA framework

o COBIT®5 is a foundational enterprise IT Governance framework, providing a basis to effectively

integrate other complimentary frameworks, standards, and practices.
o As a single overarching framework it serves as a consistent and integrated source of guidance in a
non-technical, technology-agnostic, common language.

Scope of COBIT®5

o COBIT®5 addresses the governance and management of information and related technology from
an enterprise-wide, end-to-end perspective, including the activities and responsibilities of both the
IT function and non-IT business functions.
o The end-to-end aspect is further supported by COBIT®5 coverage of all critical business elements,
e.g. processes, organizational structures, principles & policies, culture, skills, information, service
capabilities.

7
IT governance according to COBIT®

Governance

• Ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions, and
options

• Sets direction through prioritization and decision making

• Monitors performance, compliance, and progress against the agreed upon direction and objectives

Management

• Plans, builds, runs, & monitors activities in alignment with the direction set by the governance
body to achieve the enterprise objectives

COBIT®5 (GEIT) principles COBIT

8
COBIT and ISO/IEC standards have dissimilar IT governance principles

COBIT 5 ISO 38500

• Responsibility

• Strategy

• Acquisition

• Performance

• Conformance

• Human Behavior

Governance & management processes

9
Principle 5: Separating governance & mgt.

Process reference model: Divides governance and management processes into two primary domains:

• Governance (1 Domain, 5 Processes)

o Within each process, evaluate, direct, and monitor practices are defined.

• Management (4 Domains, 32 Processes)

o In line with responsibility areas of plan, build, run, and monitor, provide an end‐to‐end coverage
of IT Management. The processes cover the full spectrum of business and IT activities related to
governance and management of enterprise IT thus making the process model truly enterprise wide

COBIT® Process reference model

COBIT Governance Processes

Governance Domain – evaluate, direct, and monitor
1. EDM01: Ensure governance framework setting and maintenance
2. EDM02: Ensure benefits delivery
3. EDM03: Ensure risk optimization

10
4. EDM04: Ensure resource optimization
5. EDM05: Ensure stakeholder transparency COBIT Governance Processes

11
12
Principle 2: Covering enterprise end-to-end
• Governance Enablers (Principle 4)
• Frameworks, principles, structures, processes, practices
• Governance Scope - definable
• Enterprise, entity, or tangible asset
• Roles, activities and relationships

13
Corporate Governance of IT
Obstacles to IT Governance

• Widely misunderstood

• Negative connotation and pervasive negative opinion

• Past IT governance failures

• Lack of process and process management proficiency (resulting in bureaucracy, increased cycle-
time and costs, over-process vs. optimized process)

• Philosophically and intellectually vs. business-case driven

• Managers don’t like to be governed

• Not business-sponsored or driven

IT Governance Drivers

Increased IT Governance Awareness

• Audit Influence

• ISACA/IT Governance Institute

• Audit Issues

• Risk and Compliance

• Regulatory Requirements

• Legal Requirements

• Security Requirements

• Investment Decision-making - PPM

• IT-Business Alignment

• IT Accountability to the Business

14
 Who drives IT governance?
From the definition of Governance: the way that a city, company, etc., is controlled by the people who run
it — this involves every aspect of the company, including information technology (IT)

ITG is a function of the board of directors

The Board is responsible for ensuring…

• IT is aligned with business strategy

• IT brings value to the business

• IT manages risk

• IT manages resources

• IT manages performance

 Every decision is “governed”

Many organizations mistakenly believe, “We don’t have IT governance.”

• This view fails to recognize the omnipresence of governance – something is governing all decisions, it is
simply a matter of whether those “governance mechanisms” are formally defined and managed

• Formal governance – laws, regulations, rules, boards, committees, policies, standards, processes, data
(metrics), “authorized intuition”

15
• Informal governance – culture, beliefs, values, ethics, attitude, emotion, genetics, data (metrics), etc.

 Every organization has governance

The fact is, all managers (and all decisions) are ‘governed’ – even when there are no “governors”

• The purpose of governance is to enable and ensure reasoned and rational decision-making…

• …so formal governance mechanisms are only necessary when informal governance mechanisms
don’t enable and ensure reasoned and rational decision-making

 Integration of governance and management

Distinction between Governance & Management often misunderstood

• Effective integration of these two elements is critical for successful IT governance in any
enterprise or organization

• IT governance is NOT responsible for “rendering” IT infrastructure

• IT governance IS responsible for “oversight of the management processes” that render IT

infrastructure

Governance defined “Governance is the system by which organizations are directed and controlled. It is
essentially about leadership and involves overseeing the preparation of plans, overseeing the delivery of
business change, overseeing operations, and overseeing the realization of benefits.” Basil Wood, New
Zealand @bazpractice

 IT governance simplified

A simplified definition would be: The processes and relationships that lead to reasoned decision-making in
the use of information technology

However, 3 Key Questions arise:

• What information technology decisions need to be formally governed?

• Who will be assigned accountability for governing those decisions?

• How will those decisions be governed? E.g.

- committees

16
 - policy / standard

- process

- “authorized intuition”

Assuring and Sustaining IT Governance

 Benefits of sustainable IT governance
IT Functions as a Business Partner Enabling Competitive Advantage such as:
• Executive leadership freed from day-to-day execution
• IT freed from proving value
• Exploring avenues to leverage IT for competitive advantage
• Focused on the future vision
• Driving business innovation
 Obstacles to IT-driven business innovation
From various research studies
• IT’s contribution to efficiency is deemed more important than its innovative value.
• 42% of IT orgs said that they reported to the CFO, and 53% of CFOs said that they would like to move
to this reporting arrangement.
• Only 25% of respondents said the CIO’s primary role in innovation is to drive new business value. Only
55% viewed the lead IT executive as both a business and IT leader.
 ITG processes require process management
Changing from a function-centric to a process-centric Organization
• Process design
• Process implementation
• Process management lifecycle
• Process governance
• Institutionalize processes
IT governance principle metrics

17
Strategic Alignment
Focus on aligning with the business and collaborative solutions such as
• How IT supports the Enterprise Strategy
• How IT Operations are aligned with current Enterprise Operations
Also, how IT:
• Delivers against the strategy
• Adds value to products and services
• Improves customer satisfaction and customer retention
• Assists in competitive positioning
• Balances investments between systems that support the enterprise as is, and transforms
the enterprise to create an infrastructure that enables the business to grow
• Contains costs and improves administrative efficiency
• Increases managerial effectiveness
(Read Appendix A)

18
Value delivery
Optimizing expenses and proving the value of IT
• How IT delivers appropriate quality on-time and within budget
• How actual cost and ROI is managed
Also, how IT:
• Is fit for purpose, meeting business requirements
• Flexible to adopt to future requirements
• Provides required throughput and response times
• Enables ease of use, resiliency and security
• Provides integrity, accuracy and currency of information
Risk Management
Addressing the safeguard of IT assets, disaster recovery and continuity of operations such as:
• Risk Controls
• Transferring risk
• Risk Acceptance
Also, how IT:
• Mitigates risk by implementing controls (e.g. Risk Management Systems, Audit
controls, acquiring and deploying security technology to protect the infrastructure,
Business Continuity Planning, Disaster Recovery, etc.)
• Transfers risk by sharing risk with partners or transfers risk to insurance coverage
• Accepts risk by formally acknowledging that the risk exists and it is being monitored
Resource management
Optimizing knowledge and IT infrastructure
• How IT optimizes the infrastructure
• How IT optimizes human resources
Also, how IT:
• Manages system procurement
• Benefits from service procurement
• Manages the lifecycle of hardware, software licenses and services contracts
• Applies appropriate methods and adequate skills to manage and support IT Projects and
Systems

19
 • Improves workforce planning, recruiting and workforce retention
• Provides IT education and development
Performance management
Tracking project delivery and monitoring IT services e.g.
• How IT measures performance (balanced scorecard, KPIs, etc.)
• Use of automated systems providing performance data and information
Also, how IT:
• Establishes and measures financial objectives
• Maps financial objectives to customer requirements and needs
• Measures process performance, effectiveness, efficiency and criticality to the business
• Addresses innovation requirements and future needs
• Determines how business executives and users view the IT department
(Read Appendix B)
Symptoms of poor IT Governance
Symptoms include
• When Senior executives can’t describe your IT Governance
• Decisions take too long
• There is little accountability for decisions
• Senior management less than happy (IT Governance performance self-assessment is poor or
varies widely by respondent)
• There is ineffective IT Portfolio Management – duplication, too many applications, low
percentage spend on new initiatives
• IT Governance seen as overhead and “red-tape”

Maturing IT Governance requires…

• Acknowledging that governance is both decision-making and accountability (should be
empowering, not bureaucratic)
• Linking the firm’s other key assets and incentives to governance
• Recognizing the link to financial performance (firms with superior IT Governance also had
more than 20% higher profits)
• Determining what should be shared at enterprise, sector and BU levels and govern at that level

20
 • Relying on a few IT governance mechanisms (utilizing non-IT governance mechanisms e.g.,
exec committee, CapEx process, etc.)
• Focusing on how each project and service contributes to a reusable digitized platform
• Centralizing for cost focus – decentralizing for innovation and growth and blended governance
to achieve both
• Simplification, removing bureaucracy and fostering more communication

Best practice in addressing IT governance

• Ensure IT Governance is driven by business problems and opportunities – not Governance for
its own sake
• Transparency is the most critical aspect of IT Governance
• Design deliberately at enterprise and BU levels
• No one-size-fits all – find the right flavor
• Redesign and constantly strike the balance – not too much, not too little
• Governance processes can be sophisticated and complex, or incredibly simple and should
quickly address and respond to exceptions
• Assign ownerships that continually educates, engages, incentivizes, and proves the value of IT
Governance –The three M’s: metrics, measures and marketing
IT governance critical success factors
• Absolutely requires Executive sponsorship and leadership – vision and enablement
• Absolutely requires Business participation – IT facilitates but the business must be a partner, if
not the leader in the effort
• Business process initiative –This requires skills in process management, design, implementation
– and organizational change
• Decisions require fact-based information –This requires a systematic approach to collect,
integrate, analyze and provide meaningful data

21