For too many boards of directors, IT is still seen as simply a
cost, rather than a a way to make the most of business
opportunities. But forward-looking companies like electronics giant
Philips are now moving IT benefits up the corporate agenda.
Business is now irreversibly dependent on information technology to
manage transactions, information and knowledge. This calls for
improved and proactive governance of IT to:
- ensure alignment to the strategic direction of the
business
- achieve the chosen objectives
- make sure IT-related opportunities are properly understood
- determine and mitigate risks
- verify that resources are used responsibly.
All these strategies are focused on adding long-term, sustainable
value to the enterprise. Few now doubt that the use of IT will be a
major driver of economic wealth in the 21st century. Leveraging it
successfully to transform the enterprise and create value-added
products and services has become vital for most businesses.
IT is fundamental to enterprise resource management; it is
indispensable for customer relationship management; it enables
increasingly global and de-materialised transactions; and it is key
for recording and dissemination of business knowledge.
Accordingly, a formal approach to IT governance will be an
essential component of long-term business success. Senior
management will need to fully undertand - and proactively manage -
IT value drivers and risks. But too many boards of directors
discuss IT only as a cost at the annual budgeting round. IT is
rarely a matter for open discussion at board level, unless problems
have arisen or costs are perceived to be excessive.
IT
 | | "IT governance can be effective
only if directors are properly educated in the opportunities and
the risks presented by the technology." | | | | | |
| | Paul Williams | | |
|
|
governance can be effective only if directors are properly educated
in the opportunities and the risks presented by IT. Boards could
usefully ask themselves the following questions:
- Are directors aware of the latest developments in IT from a
business perspective?
- Is IT a regular item on the agenda of board meetings and is it
addressed in a structured manner?
- Does the board articulate and communicate the business
direction to which IT should be aligned?
- Is
| | "There are now more organisations
with a formalized IT governance function within their
structures." | | | | | |
|  | Paul Williams | | |
|
|
the board aware of potential conflicts (for example, over
priorities) between enterprise divisions and IT?
- Does the board have a view on how much the enterprise invests
in IT compared to its competitors?
- Is the reporting level of the most senior IT manager
commensurate with the importance of IT to the enterprise?
- Does the board have a clear view of the major IT investments
from a risk and reward perspective?
- Does the board obtain regular progress reports on major IT
projects?
- What assurance does the board get (for example, independent
reporting) that these progress reports are complete and
reliable?
- Does the board obtain IT performance reports illustrating the
value of IT from a business driver perspective (for example,
customer service, cost, agility and quality)?
- Is the board regularly briefed on IT risks to which the
enterprise is exposed, including legal and compliance risks?
- Does the board obtain assurance of the fact that suitable IT
resources, infrastructures and skills are available to meet the
required enterprise strategic objectives?
If directors cannot answer "Yes" tomost of these questions, any
real success achieved by IT in adding value to the enterprise is
down to luck rather than the result of good planning.
However, it is encouraging that IT governance has become a more
prominent management issue over the last year or so. More and more
articles and conference presentations are dedicated to the subject,
and in my work at Arthur Andersen I find more unprompted discussion
of the issue among my clients. Particularly encouragingly, there
are more organisations with a formalised IT governance function
within their structures.
IT governance activities need to focus on aligning IT activities
with the enterprise's overall business goals and initiatives. To
illustrate this concept, let's take look at how one organisation
seamlessly wove IT governance together with its executive-level
programmes.
Case study: Philips passes the initiative test
Royal
Philips Electronics is a global electronics company with a
multinational workforce of more than 225,000 offering sales and
service in 150 countries. Established in 1891 and headquartered in
Amsterdam, Philips took forward-thinking steps to organise and
support its IT governance process and improve its IT-related
control framework.
Pieter Kock, vice-president, corporate information technology, says
that Philips utilised the open standard COBIT (Control Objectives
for Information and related Technology) framework - downloadable
from
www.isaca.org - to
implement two company-wide senior management initiatives. These
projects were endorsed and led by the Philips Supervisory
Board:
First, The BEST (Business Excellence through Speed and Teamwork)
quality improvement programme has strong, visible support from
senior management. As part of this programme, Philips developed a
Process Survey Tool for IT, based on the COBIT 3rd Edition
model.
Next, under the Statement on Business Controls programme a formal
statement is issued by each organisational unit within Philips.
These are consolidated into the annual report's internal control
statement and therefore has complete support of senior management.
The IT section of the Statement on Business Controls was based on
control objectives outlined throughout COBIT.
Philips' corporate IT operation developed the BEST programme's
Process Survey Tool during the second and third quarters of 2000.
After undergoing testing in ten pilot workshops, the Process Survey
Tool was released with two implementation paths:
- Product division - where one contact person for each division
and/or business group is responsible for roll-out
- Region (ie, Asia Pacific, East and West Europe, Latin America
and North America) - where roll-out will be facilitated country by
country
Corporate IT or trained representatives facilitated group
discussions during roll-out and scored all the pertinent processes.
Then control objectives and maturity levels set out in the COBIT
framework were used to define improvement actions.
For the second executive-level project implementation, a formal
approach was used to develop the Statement on Business Controls.
Statement questionnaires were distributed throughout the financial
controllers network early in the year to allow time to submit the
internal control statement by its January deadline. The IT
department completed its portion of the document, based on COBIT
guidance.
Philips used COBIT to establish organisational capabilities on a
maturity level basis, giving a clear indication of
where
improvement is possible and
how to effect improvement.
To maintain its proactive approach to IT, Philips continues to
focus on:
- Assessing actual outcomes of the process (based on key goal
indicators and maturity levels)
- Identifying problem areas (for IT processes with low maturity
scores)
- Defining best practices ('defined process' maturity level and
higher)
- Improving management processes and actions
- Benchmarking scores
The two programmes make up a ground-breaking initiative by Philips
as they allow business functions to become directly involved in the
IT governance debate. The intitiative also enables the business and
IT to work together more effectively to ensure that business
processes and controls are subject to continuous improvement
All of this can only lead to better value being obtained from the
group's IT investments.
If you want to know more, Pieter Kock will discuss details of Royal
Philips Electronics' initiatives as part of the first IT Governance
Forum to be held in Paris in June 2001. More information about the
Forum at
www.isaca.org
.
Paul Williams, FCA, MBCS is international president of the
Information Systems Audit and Control Association (www.isaca.org)
and a partner with Arthur Andersen's financial markets division in
London.