May 2009 Archives

Is it Governance or is it Management?

Welcome to the Infonomics IT Governance Letter

Useful piece from Mark Toomey in the latest edition of his Infonomics Newsletter on the distinction between governance and management (http://www.infonomics.com.au/Web%20Content/Documents/The_Infonomics_Letter_May_2009.pdf).

In my experience there still exists a significant lack of clarity between the usage of the two terms, particularly when applied to the management and governance of IT. Mark's article helpfully states that 'in effect, the management systems provide the "machinery of governance", in that they are controlled by, and give effect to the policies determined by the governing body, and provide the necessary visibility to enable the governing body to fulfil its duties in monitoring conformance and performance with respect to the organisation's use of IT'. This supports the view that governance is all about setting policy, direction and decision rights together with appropriate monitoring and oversight to provide assurance that the right outcomes are being achieved. In most enterprises this is the responsibility of the Board of Directors under the leadership of the CEO and Chairman.

I agree with Mark that many of the existing frameworks such as Cobit, Val IT, ISO 27000 and ITIL, whilst being essential for the delivery of proper business outcomes and for the enablement of governance, are not in themselves stand-alone governance frameworks. Whilst many would argue that CobiT and Val IT in particular provide both management and governance guidance and tools, the inclusion of both perhaps does little to provide clarity on what is management and what is governance. To a great extent the new ISO/IEC 38500 standard provides a very high level framework for the achievement of IT governance, particularly when it is used alongside Cobit, Val IT, ITIL and others. To help enable this ISACA has provided a guide called 'ITGI enables ISO38500 Adoption' (http://www.isaca.org/AMTemplate.cfm?Section=Deliverables&Template=/ContentManagement/ContentDisplay.cfm&ContentID=47865) which sets out how CobiT, Val IT and other frameworks can work alongside ISO38500 to help achieve enterprise governance of IT.

Another helpful quote from Mark's article is 'While the governing body may not directly engage with every discipline........... it is nonetheless important that the design of the system provides a level of integration that assures proper transmission of the governing body's policy and other requirements throughout the system, and also provides appropriate levels of visibility and transparency.' A full read of the Infonomics article will provide excellent input to the governance versus management debate.

Age of Enlightenment?

Great comment from cj on my last blog. He asks whether or not the assurance over delivery of value from IT investment is currently the preserve of only the larger, more mature enterprises. My experience is that this is indeed the case although very few of even the largest enterprises really seem to be taking this seriously or methodically. There is always something more pressing on the agenda (which normally means it is just regarded as too difficult). cj asks whether we have entered the age of enlightenment on value management. Well perhaps we have just opened the doors onto the new age but there is still a very long way to go before value management is fully understood and adopted. It needs more than a set of processes, and certainly it needs more than a whizzy and oversold software solution. It needs culture change, and this is always the biggest hurdle to overcome. It needs leadership and commitment, both commodities sadly also in short supply. cj also asks where do we start? This is a question we will be addressing in future blogs. Reader experiences will be very welcome.

Governance is not the endgame

I was in Chicago last week as a guest speaker at a Gartner Risk Management and Compliance event. The event was well attended albeit somewhat down on numbers from previous years. However it is clear that interest in this topic remains high. One subject which came up for regular debate was the use, and the meaning, of the frequently used acronym GRC (governance, risk, and compliance). I touched on this in my first blog a few weeks ago. As discussed in this earlier blog, the term itself is misleading as many regard the management of risk and the achievement of compliance as part of governance and not separate entities. Similarly where does the achievement of value sit within the GRC acronym? Gartner itself seems to be moving away from the acronym with some of their analysts supporting my view that the term has been hijacked by certain elements of the software vendor market to pigeonhole certain of their products. Hence, arguably, the term has not only become confused but also cheapened as a result. There is equal confusion over the meaning of governance, although this debate sometimes misses the point. In my view governance is the structure and processes through which enterprises gain assurance that IT achieves value, mitigates risk and achieves relevant compliance. The whole enterprise plays its part in this, including the CEO and the Boardroom, IT management, security and assurance specialists, business management and finance. Governance itself is not the endgame. What it should help to provide is trust in information systems and value creation from IT. That is the endgame not the process itself.

The Meaning of Value

An interesting new survey from ISACA (www.isaca.org) on the governance of IT related business investments. Amongst the findings from more than 500 enterprises surveyed was the astonishing (to me anyway) absence of a common understanding of what constitutes value to the enterprise. Only 34% of respondents indicated that there was a common understanding of value across different business departments, including IT, whilst 38% admitted no common understanding along with 28% who were unsure. Perhaps this makes it hardly surprising that so few of the enterprises surveyed (just 29%) consistently measured the value arising from investment in IT. In the current recessionary times it is perhaps more important than ever to measure value. Unless this is done, any attempt to reduce IT costs, including project based investments, will be unfocused and arbitrary, whilst future investments are likely to be selected based upon a less than informed analysis.

The same survey indicated also that in almost 50% of the respondent enterprises it is the CIO who has responsibility for ensuring that stakeholder returns on IT related investments are optimized. Whilst undoubtedly the CIO has a significant role to play in optimizing value surely this has to be the prime responsibility of the business? After all the technology itself cannot deliver value. It is the way in which the business uses the technology to reduce cost or enhance revenues that will lead to value creation. Whilst ambiguities remain over the meaning of value, and whose responsibility it is to deliver it, it is probable that value destruction rather than value creation will be the end result.


About this Archive

This page is an archive of entries from May 2009 listed from newest to oldest.
