
In a research note on IT management and globalisation, analyst firm Gartner
defines governance as, "The organisational style and process for making
decisions about business technology and resources." A busy IT manager might
think Gartner is being extremely vague, and wonder why the research group is
paid so much money.
On the other hand, a good way to illuminate the importance of governance is to
look to where it is absent. When IT projects fail, when valuable data goes
missing, when systems crash, someone will come along and ask, "What process
did you use to make the decisions you made?"
In a post-Enron world, corporate governance has become paramount. It is not
enough to make the right decision; a company must have an explicit process for
making those decisions.
The march of globalisation
The march of globalisation makes the need for effective IT
governance even more pressing. Self-awareness in management is
crucial in complex global organisations. As Gartner put it in
another paper, "As IT-related decision-making becomes more
distributed among IT leaders, business leaders and even end users,
governance will become even more critical."
But here Gartner offers no prescription for choosing the process
by which you make decisions. "There is no one-size-fits-all model
for IT governance. Rather, governance flows from the overall
structure and strategy of the organisation, and the role of IT in
the business. Therefore, as business models evolve, so too does IT
governance. As business becomes more global, dynamic and
competitive, IT governance must adapt."
Although governance may seem a lofty notion that is only of interest to senior
management or board-level players, its effects can trickle down to the most
mundane IT tasks.
Managing security patches is a burdensome IT headache. Global businesses are
finding that effective governance is the best approach to spending appropriate
resources on a problem that could be never-ending.
Getting on top of risk
For a global organisation such as Standard Chartered Bank,
risk-awareness is essential in security patching. John Meakin,
group head of information security at Standard Chartered Bank,
says, "The stakes are very high indeed. With our many large and
complex interconnections to the outside world, it's vital to carry
out effective patch management. Our aim is to achieve the right
level of security through implementing an appropriate risk-based
strategy. This cannot be achieved without a clear and accurate
understanding of what needs patching and ensuring that it remains
reliably patched."
The bank needed a clear picture of where the risks lay in software patching.
Using vulnerability management software from Qualys, Standard Chartered gained
a consistent, worldwide view of its exposure, measured against common
standards, and used it to prioritise remediation.
Before the introduction of enterprise vulnerability management, Standard
Chartered's network topology and system configurations were not reliably
known. Local teams used software tools to scan systems only occasionally. Spot
audits were made through penetration testing, and there was no rigorous method
to assess exposure and take corrective action.
Employing comprehensive vulnerability management software also
helped the bank meet strict financial compliance requirements,
Meakin says. Monthly patch management reports to the bank's
operational risk committee have enabled Standard Chartered to
improve its risk management and address regulatory requirements
that impact financial institutions.
Regional variations
Here, globalisation makes the task more complex because of
different laws in different countries and economic regions.
Standard Chartered has a network of more than 1,400 branches in
more than 50 countries across the Asia Pacific Region, South Asia,
the Middle East, Africa, Europe and the Americas.
"Regulatory pressures and increased exposure are driving more
complex requirements for managing security risks. With this
integration, we gain the ability to view and act upon security risk
as it pertains to our organisation's assets," says Meakin. "In
addition, being able to report on remediation and response plans
has helped us meet strict financial compliance requirements."
Governance's role in outsourcing
Another area where the global bank found improved governance valuable was in
IT outsourcing. In 1996, Standard Chartered Bank outsourced the management of
its major datacentres to Schlumberger's IT subsidiary, Sema Group, as part of
a seven-year IT outsourcing deal. Near the end of the contract in early 2003,
Standard Chartered decided to take the opportunity to consider competitive
bids before renewal.
Outsourcing advisory firm EquaTerra, incorporating Morgan Chambers, helped
build the new contract, but also worked closely with the project sponsor to
create a governance model for the bank's IT services.
The EquaTerra team created a structured financial model defining
the specific costs associated with each of the domains and
countries being considered for outsourcing.
After Atos Origin bought Sema, it offered the bank savings of
about 32% of IT costs from day one of a renewed contract, which
clinched the renewal deal.
EquaTerra helped the bank to choose its IT service supplier in a
controlled and auditable manner, applying the industry's best
practices to deliver value for money and alignment with business
strategy. It also helped design and implement appropriate
governance mechanisms to ensure continued business alignment,
measurement, accountability and value for money. This created a new
footing on which to make decisions in the future.
John Tilley, managing director of IT outsourcing for Europe at EquaTerra, says
the process should leave the firm with a deeper understanding of its IT
sourcing, which it can apply to new contracts and relationships as they come
along worldwide. "Many companies outsource for cost reduction and other
short-term reasons, but an ongoing sourcing strategy is more important. This
is how you are going to manage multi-sourcing in the long term and it gives
you a platform for making future decisions."
The potential for failure
IT leaders have increased their emphasis on governance as they have sought to
understand failures in IT outsourcing projects, Tilley says. Globalisation,
which encourages sourcing IT services from a location other than the one
where they are used, has created a greater need for effective governance
because the risks escalate without it.
"Within a country, if you have no effective governance, you can still solve
contract or technical problems with 'fire-fighting', although it is not
ideal. But with global sourcing, with multiple suppliers in different time
zones, that will not work. Your problems are exacerbated."
Governance is even helping to enhance the value of IT in a
global economy. As firms have sought to reach new markets around
the world, there has been a boom in mergers and acquisitions,
during which effective IT governance becomes essential.
In September 2006, the German global industrial conglomerate Linde took over
UK-based gas firm BOC in a deal worth £8.2bn. However, the model of IT
governance developed by the UK firm prevailed in the newly merged company.
Jon Fundrey, BOC's finance director of global functions, says
that before the merger, Linde's business model had been regional,
but it was now adopting a hybrid model that retained some regional
aspects but had a global IT function.
The value of BOC's global IT operation was benchmarked by
Gartner and, more recently, by UK IT performance measurement
company H2Index. This measurement highlighted the performance of
BOC's UK-based datacentre, which supports SAP applications in more
than 30 countries.
"We have been global [in IT] for a number of years, but Linde is at the start
of a learning curve in terms of how to manage a global IT operation," Fundrey
says. "We will be sharing best practice."
Easing mergers and acquisitions
Strong governance can markedly improve the position of IT during
mergers and acquisitions, according to Ben Booth, chief technology
officer at Ipsos, which bought British market research firm Mori in
2005. "If you are being bought, good governance means the value is
greater and the risk is less, which establishes the worth of the IT
department from the start.
"Some IT departments would have been dispersed within the
acquiring business, but if it is well managed through good
governance, you may find it carries on and have the model
approached by the acquiring business."
Ipsos was 10 times the size of Mori when it bought the firm. Although Booth
had previously been CIO at Mori, he quickly moved to become CTO of the much
larger, newly merged firm. The strong governance of Mori's IT department was
vital to that transition, he says.
Globalisation has created several drivers for better governance in IT. These
include the increased complexity of sourcing IT and international rules
determining how data must be managed. But globalisation can also change the
shape of the IT department itself, and hence its governance.
As businesses are required to respond to their customers in a
globally consistent fashion, the need for global governance becomes
greater, Booth says. "Our business started off with many individual
acquisitions. Now we are moving to a global model, because our
clients expect global services."
So if a client expects a particular level of service and security in one
country, they will expect it throughout the world, regardless of the internal
business operation on the ground or the company's history, says Booth, who is
also a fellow of the British Computer Society. "If you agreed to do something
for a client worldwide, it requires a worldwide approach to governance."
But bringing disparate IT departments in line with a global governance model
can be a challenge, he says, because of their differing histories and
cultures. "They start off by mostly doing things professionally, but that may
not fit with the overall situation. They can be doing something that is not
best practice."
Training and education can help to align these disparate elements with the
overall governance model, Booth says, as can programmes to encourage them to
feel part of a global team. "But ultimately there has to be a degree of
compulsion," he says. This can be achieved through budgetary control and even
by forcing spending on particular activities, he says.
The very shape of an IT department will be determined by its governance model
and should reflect the overall structure of the business, according to Booth.
Far from being an esoteric management concept, governance
determines everything from the structure of your IT department to
which security patch you apply first. And the continuing push for
business globalisation is amplifying its importance.
Case study: Novartis
International pharmaceutical giant Novartis is addressing the challenge of IT
security, governance and globalisation with the help of vulnerability
measurement software from Qualys. It is now measuring the vulnerability of
more than 10,000 PCs, thousands of in-house servers, backbone services,
outsourced service lines and numerous extranet services.
In a highly regulated industry, Novartis must be explicit about the risks it
takes and be aware of the legislation that applies to the firm. Chief security
officer Andreas Wuchner says geopolitical factors combine with business
factors to create an overall model of risk. "A system that is fine in London
would be handled differently in the third world, because the political
situation and stability are all factors."
Using the Qualys system, Novartis ensures its global information technology
systems and corporate data are maintained within Novartis' security policy
and security baselines, as well as in compliance with government regulations.
For globalised businesses, different regulations with implications for IT
security apply in different regions. For example, Sarbanes-Oxley comes out of
the US, while the Basel II capital accord was drawn up by the international
Basel Committee on Banking Supervision and reached European firms through EU
legislation.
Before the implementation of its global vulnerability management
software, Novartis had no easy way to globally manage its security
and compliance risks.
Wuchner says key to applying a governance model to IT security
is the ability to measure security threats, which the firm does
with tools from Qualys. "If you cannot measure the risk, you cannot
manage it," he says.
Before this approach, each region had been responsible for
maintaining the security and compliance of its own systems. Some
geographical regions did a better job of maintaining compliance,
while others focused on securing their systems from
vulnerabilities.
The new IT security governance model, which uses software tools, comes out of
a cross-management group that builds in factors such as the importance of
data to the business, for example the relative importance of protecting
financial data compared with protecting intellectual property. These are
combined with legislative compliance and local variation in security threats.
This approach allows security measures that are not fixed to a particular
product or project, but can evolve. A project-management life-cycle process
is required for every new business process that involves IT. This ensures
that Novartis' security policies are well established and maintained.
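Both case studies describe the same mechanism without showing it: Standard Chartered ranks remediation by risk and rolls the results up to a monthly regional report, and Novartis folds the business importance of data, regulatory scope and local threat variation into one score. The following is an added example of such a risk-based prioritisation routine, written for this article; it is not Standard Chartered's, Novartis' or Qualys' code. The weights, SLA bands, region multipliers, asset inventory and findings are all constructed assumptions (the vulnerability identifiers are placeholders, not real advisories), chosen so that the ranking differs from plain severity ordering.

```python
"""Risk-based patch prioritisation across a global estate (added example).

All weights, SLAs, asset records and findings below are constructed assumptions
to show the mechanics; a real deployment tunes them to its own risk model.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed business importance of the data an asset holds (0-1).
DATA_CLASS_WEIGHT = {"financial": 1.0, "intellectual_property": 0.9,
                     "internal": 0.5, "public": 0.2}
# Assumed multiplier for the local threat environment; unknown regions get 1.0.
REGION_THREAT = {"London": 1.0, "Basel": 1.0, "Mumbai": 1.1, "Lagos": 1.3}


@dataclass(frozen=True)
class Asset:
    name: str
    region: str
    data_class: str
    regulations: Tuple[str, ...]   # regimes in scope, e.g. ("SOX", "BaselII")
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    asset: str          # must match an inventory entry
    vuln_id: str        # scanner's identifier (placeholder values here)
    cvss: float         # base severity, 0-10
    exploit_public: bool
    days_open: int


def sla_days(cvss: float) -> int:
    """Assumed remediation deadline by severity band."""
    if cvss >= 9.0:
        return 7
    if cvss >= 7.0:
        return 30
    if cvss >= 4.0:
        return 90
    return 180


def days_overdue(f: Finding) -> int:
    return max(0, f.days_open - sla_days(f.cvss))


def risk_score(f: Finding, a: Asset) -> float:
    """Severity scaled by what the asset holds, where it sits and how exposed it is."""
    score = f.cvss / 10.0
    score *= DATA_CLASS_WEIGHT[a.data_class]
    score *= REGION_THREAT.get(a.region, 1.0)
    if a.internet_facing:
        score *= 1.5
    if f.exploit_public:
        score *= 1.3
    # Regulatory scope adds a fixed uplift per regime, capped so it cannot dominate.
    score += min(0.3, 0.1 * len(a.regulations))
    # Findings past their SLA keep climbing until fixed, capped at +0.5.
    score += min(0.5, 0.05 * days_overdue(f))
    return score


def unmapped(findings: List[Finding], inventory: Dict[str, Asset]) -> set:
    """Hosts the scanner saw but the inventory does not know: a gap, not a low-risk host."""
    return {f.asset for f in findings if f.asset not in inventory}


def prioritise(findings: List[Finding], inventory: Dict[str, Asset]) -> List[Tuple[Finding, float]]:
    """Rank findings by risk; refuse to score silently when the inventory is incomplete."""
    missing = unmapped(findings, inventory)
    if missing:
        raise ValueError("findings on assets missing from inventory: %s" % sorted(missing))
    ranked = [(f, risk_score(f, inventory[f.asset])) for f in findings]
    ranked.sort(key=lambda fs: fs[1], reverse=True)
    return ranked


def region_report(findings: List[Finding], inventory: Dict[str, Asset]) -> Dict[str, Tuple[int, int]]:
    """Per-region (open, overdue) counts, the roll-up a risk committee sees monthly."""
    report: Dict[str, Tuple[int, int]] = {}
    for f in findings:
        region = inventory[f.asset].region
        open_count, late = report.get(region, (0, 0))
        report[region] = (open_count + 1, late + (1 if days_overdue(f) > 0 else 0))
    return report


# Constructed sample inventory and scan output.
ASSETS = {a.name: a for a in [
    Asset("swift-gw-ldn", "London", "financial", ("SOX", "BaselII"), True),
    Asset("rnd-share-bsl", "Basel", "intellectual_property", (), False),
    Asset("branch-kiosk-lag", "Lagos", "internal", (), True),
    Asset("intranet-wiki-mum", "Mumbai", "public", (), False),
]}
FINDINGS = [
    Finding("swift-gw-ldn", "VULN-0001", 7.5, True, 20),
    Finding("rnd-share-bsl", "VULN-0002", 9.8, False, 12),
    Finding("branch-kiosk-lag", "VULN-0003", 6.0, True, 40),
    Finding("intranet-wiki-mum", "VULN-0002", 9.8, False, 10),
]

if __name__ == "__main__":
    for f, s in prioritise(FINDINGS, ASSETS):
        print("%-18s %-9s cvss=%.1f overdue=%2dd risk=%.3f"
              % (f.asset, f.vuln_id, f.cvss, days_overdue(f), s))
    print(region_report(FINDINGS, ASSETS))
```

Two things the output makes visible that a severity-only list hides: the same placeholder finding (VULN-0002, CVSS 9.8) lands at the top for the research share holding intellectual property and near the bottom for a public intranet wiki, and a lower-severity flaw on the regulated, internet-facing payments gateway outranks both. The inventory check is deliberate: the article's "before" state was unknown topology, and a finding on a host nobody can map to an owner, region or data class should surface as an inventory defect rather than be scored with defaults.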
Gartner's guide to IT governance in global firms
Global structure: centralised
Style of IT governance: direct and uniform. Strong architecture and standards
drive compliance.
Global structure: federated
Style of IT governance: enabling within corporate vision, led by corporate
CIO, using corporate architecture and standards designed for flexibility and
agility.
Global structure: multi-local (decentralised)
Style of IT governance: dispersed and probably not standardised, limited
opportunity for corporate leadership, minimal central standards.