There’s no need for wrong turns on the road to achieving
effective IT governance. Frameworks can offer a clear path to
better risk management and value.
Within many organisations IT governance is up there with
military intelligence and rap music as one of the great oxymorons
of our time.
To more enlightened organisations, however, IT governance is a
central component of their business culture, leading to enhanced
management of risk and the delivery of measurable and sustainable
stakeholder value from IT-related investments.
A KPMG study on IT governance from 2004 contained references
from a number of CIOs of major UK companies with quotes such as
“the potential benefits of governance include the significant
elimination of waste and improved strategic focus”, and “improved
communication is one of the most important achievements of
governance”.
Studies such as this are not short of ringing endorsements for
the value that a positive approach to IT governance can bring. Few
such studies, however, concentrate on the difficulties that many
organisations experience in developing, implementing, maintaining
and monitoring effective IT governance structures and
processes.
Many organisations embarking on the road of IT governance seek
assistance from other, perhaps more mature, organisations among
their peers or from external advisers. Such help can be invaluable
in helping to avoid the pitfalls and in enhancing their ability to
achieve success in the shortest time.
However, external help will never be low cost, and peer group
assistance will always be inhibited by competitive pressures.
Equally, a fully independent approach can be a lonely and
unpredictable course, prone to blind alleys, self-doubt and
frustration.
Set against this background, therefore, it is surprising that
relatively few organisations to date have started to use existing
IT governance frameworks to help them in their endeavours.
Indeed, the same KPMG study identified that fewer than 20% of
organisations were using frameworks such as the Control Objectives
for Information and Related Technology (Cobit), the Capability
Maturity Model (CMM), ISO 17799 and the IT Infrastructure Library
(ITIL) to assist with their IT governance implementation. Why is
this?
Of course, with the possible exception of Cobit, there is no
non-proprietary framework that comprehensively covers the total
spectrum of structures and processes relevant to IT governance.
And Cobit itself is often in danger of being regarded as the
“all-purpose miracle cleaner” of IT governance frameworks in the
way it has been promoted as an IT governance, process and
management control and IT audit tool.
The existence of these (and other) standards has often caused
some confusion among IT and business managers, who often ask which of
these they should use, or which is the most appropriate for their
environment.
Of course it is not a simple matter of selecting the right one
for your organisation. The fact is that all of these frameworks are
potentially useful and, depending on your specific needs, they may
be used collectively but in a practical and selective way.
Given this confusion, the recently published management briefing
from the IT Governance Institute (ITGI), which is responsible for
Cobit, and the UK Office of Government Commerce (OGC), the sponsor
of ITIL, is to be welcomed. The IT Service Management Forum
(itSMF) has also endorsed its content.
This joint briefing paper makes the point that to achieve
alignment of best practices to business requirements, Cobit should
be used at the highest level. This will provide an overall control
framework based on an IT process model that should generically suit
most organisations, regardless of industry or whether private or
public sector.
Specific practices and standards such as ITIL and ISO 17799
cover discrete areas and can be mapped up to the Cobit framework,
thus providing a hierarchy of guidance materials.
Cobit has the major advantages of being globally accepted and
promoted as an open standard which is available to be used by any
organisation for their own IT governance and related purposes at no
cost. If used intelligently, it has the flexibility to be totally
adaptable to the needs of each different organisation.
A 2005 survey carried out by PricewaterhouseCoopers on behalf of
the ITGI has indicated that, of those entities currently using
Cobit, 75% found it either very useful or somewhat useful, with 15%
undecided and less than 10% showing a negative response. The main
negative issue identified by the respondents was the perceived
complexity of the framework.
Most users recognise that to cover the comprehensive ground that
it does, a degree of complexity is unavoidable, but this can be
overcome by an initially selective implementation leading towards
full implementation over a sensible period of time.
To help with this there is a “lite” version of Cobit called
Cobit Quickstart which, although originally designed for
small-to-medium-sized enterprises, can be used to support an
initial implementation of Cobit in larger enterprises.
However, whichever framework is selected, if IT governance is
going to be successful and deliver real value within your
organisation, it is essential that there is a proper balance
between the IT function’s ability to operate in an entrepreneurial
way, and seeking to comply with a set of rules and appropriate
behaviours.
This is a key reason why the implementation of IT governance
using a supporting framework has to be done using intelligence and
discretion.
The solution has to be appropriate to the need, thus it requires
a proper understanding of the business, its value drivers, its
appetite for risk, the relevant regulatory framework and the
corporate culture.
However, with the aid of such an understanding the use of a
governance framework can significantly reduce the pain and effort
required to ultimately reap the benefits of IT governance.
What is Cobit?
The Control Objectives for Information and Related Technology
(Cobit) is an IT governance framework and supporting toolset that
allows IT managers to bridge the gap between control requirements,
technical issues and business risks.
Created by the Information Systems Audit and Control Association
(ISACA), and the IT Governance Institute (ITGI) in 1992, Cobit
enables clear policy development and good practice for IT control
throughout organisations.
Cobit provides IT managers, auditors and IT users with a set of
generally accepted measures, indicators, processes and best
practices to assist them in maximising the benefits derived from IT
and developing appropriate IT governance and control in a
company.
Paul Williams is an independent consultant specialising in
IT governance, and a past international president of the IT
Governance Institute