Business is now irreversibly dependent on information technology to manage transactions, information and knowledge. This calls for improved and proactive governance of IT to:
- ensure alignment to the strategic direction of the business
- achieve the chosen objectives
- make sure IT-related opportunities are properly understood
- determine and mitigate risks
- verify that resources are used responsibly.
All these strategies are focused on adding long-term, sustainable value to the enterprise. Few now doubt that the use of IT will be a major driver of economic wealth in the 21st century. Leveraging it successfully to transform the enterprise and create value-added products and services has become vital for most businesses.
IT is fundamental to enterprise resource management; it is indispensable for customer relationship management; it enables increasingly global and de-materialised transactions; and it is key for recording and dissemination of business knowledge.
Accordingly, a formal approach to IT governance will be an essential component of long-term business success. Senior management will need to fully understand - and proactively manage - IT value drivers and risks. But too many boards of directors discuss IT only as a cost at the annual budgeting round. IT is rarely a matter for open discussion at board level, unless problems have arisen or costs are perceived to be excessive.
- Are directors aware of the latest developments in IT from a business perspective?
- Is IT a regular item on the agenda of board meetings and is it addressed in a structured manner?
- Does the board articulate and communicate the business direction to which IT should be aligned?
- Does the board have a view on how much the enterprise invests in IT compared to its competitors?
- Is the reporting level of the most senior IT manager commensurate with the importance of IT to the enterprise?
- Does the board have a clear view of the major IT investments from a risk and reward perspective?
- Does the board obtain regular progress reports on major IT projects?
- What assurance does the board get (for example, independent reporting) that these progress reports are complete and reliable?
- Does the board obtain IT performance reports illustrating the value of IT from a business driver perspective (for example, customer service, cost, agility and quality)?
- Is the board regularly briefed on IT risks to which the enterprise is exposed, including legal and compliance risks?
- Does the board obtain assurance of the fact that suitable IT resources, infrastructures and skills are available to meet the required enterprise strategic objectives?
If directors cannot answer "Yes" to most of these questions, any real success achieved by IT in adding value to the enterprise is down to luck rather than the result of good planning.
However, it is encouraging that IT governance has become a more prominent management issue over the last year or so. More and more articles and conference presentations are dedicated to the subject, and in my work at Arthur Andersen I find more unprompted discussion of the issue among my clients. Particularly encouragingly, there are more organisations with a formalised IT governance function within their structures.
IT governance activities need to focus on aligning IT activities with the enterprise's overall business goals and initiatives. To illustrate this concept, let's take a look at how one organisation seamlessly wove IT governance together with its executive-level programmes.
Case study: Philips passes the initiative test
Royal Philips Electronics is a global electronics company with a multinational workforce of more than 225,000 offering sales and service in 150 countries. Established in 1891 and headquartered in Amsterdam, Philips took forward-thinking steps to organise and support its IT governance process and improve its IT-related control framework.
Pieter Kock, vice-president, corporate information technology, says that Philips utilised the open standard COBIT (Control Objectives for Information and related Technology) framework - downloadable from www.isaca.org - to implement two company-wide senior management initiatives. These projects were endorsed and led by the Philips Supervisory Board:
First, the BEST (Business Excellence through Speed and Teamwork) quality improvement programme has strong, visible support from senior management. As part of this programme, Philips developed a Process Survey Tool for IT, based on the COBIT 3rd Edition model.
Next, under the Statement on Business Controls programme, a formal statement is issued by each organisational unit within Philips. These statements are consolidated into the annual report's internal control statement and therefore have the complete support of senior management. The IT section of the Statement on Business Controls was based on control objectives outlined throughout COBIT.
Philips' corporate IT operation developed the BEST programme's Process Survey Tool during the second and third quarters of 2000. After undergoing testing in ten pilot workshops, the Process Survey Tool was released with two implementation paths:
- Product division - where one contact person for each division and/or business group is responsible for roll-out
- Region (ie, Asia Pacific, East and West Europe, Latin America and North America) - where roll-out will be facilitated country by country
Corporate IT or trained representatives facilitated group discussions during roll-out and scored all the pertinent processes. Then control objectives and maturity levels set out in the COBIT framework were used to define improvement actions.
For the second executive-level project implementation, a formal approach was used to develop the Statement on Business Controls. Statement questionnaires were distributed throughout the financial controllers network early in the year to allow time to submit the internal control statement by its January deadline. The IT department completed its portion of the document, based on COBIT guidance.
Philips used COBIT to establish organisational capabilities on a maturity level basis, giving a clear indication of where improvement is possible and how to effect improvement.
To maintain its proactive approach to IT, Philips continues to focus on:
- Assessing actual outcomes of the process (based on key goal indicators and maturity levels)
- Identifying problem areas (for IT processes with low maturity scores)
- Defining best practices ('defined process' maturity level and higher)
- Improving management processes and actions
- Benchmarking scores
The two programmes make up a ground-breaking initiative by Philips as they allow business functions to become directly involved in the IT governance debate. The initiative also enables the business and IT to work together more effectively to ensure that business processes and controls are subject to continuous improvement.
All of this can only lead to better value being obtained from the group's IT investments.
If you want to know more, Pieter Kock will discuss details of Royal Philips Electronics' initiatives as part of the first IT Governance Forum to be held in Paris in June 2001. More information about the Forum is available at www.isaca.org.
Paul Williams, FCA, MBCS is international president of the Information Systems Audit and Control Association (www.isaca.org) and a partner with Arthur Andersen's financial markets division in London.