With Basel II coming into effect at the end of 2006, Paddy Keenan highlights the need for companies to prioritise their IT governance.
In July, something really exciting happened in Switzerland. Well, to those in IT who have been tracking the bone-dry text of the publications of the Basel Committee, it was exciting.
Finally, what had been intimated for years was said plainly: for the first time, the management of IT operational risk is a board-level responsibility.
Under the Basel Committee Publications (sic) No 98, the board or, more accurately, an individual board member, will be held accountable for IT operational failures.
Since IT entered the business arena, boardrooms have viewed it as a "below stairs" operation - a costly, little-understood activity that frequently lets the company down. However, this is about to change.
IT governance is about developing processes and frameworks to manage risk, build audit trails and create value.
The regulatory and legal frameworks built around Higgs, Sarbanes-Oxley and Basel II have led most large financial organisations to appoint a compliance officer at an executive level.
There has also been a run on compliance software as banks, insurance companies and anyone else who handles money on their customers' behalf have been spurred into action at the thought of their executives going to jail or being fined into penury.
How does governance differ from compliance? Compliance is a cost and does not deliver any benefit to the business. Governance, on the other hand, delivers compliance and creates value for the business.
Another subtle difference is that the objective of compliance is to minimise risk, whereas governance manages risk.
When the sums are done, the operational risk (in Basel II terms) associated with IT is very high.
An approach that manages that risk rather than minimising it is the only viable way that value can be returned to the business.
At the heart of IT governance is a feedback loop that conducts the standards set by the board down through the setting of policy by management, to the implementation of those policies in the machine room and the return of a measurement of achievement back to the board.
For this loop to function and be auditable, an automated mechanism is required in which processes can be defined and artefacts, such as compliance statements, questionnaires, dispensations, can be managed and stored. Such a system is very different to a compliance system.
A recent survey by QA of IT management and professionals revealed a worryingly low interest in IT governance. This will change only when boards step up to their new responsibility and IT becomes visible.
Increasingly, regulators are being armed with powerful and personal sanctions. Let’s hope that it doesn’t take “a few people to be slapped about”, as one American commentator put it, for the message to get home.
In the meantime, there is nothing to stop IT management from laying down the mechanisms to govern their operations.
Much of the budget required for developing effective governance practices is already being spent on compliance. It takes just one more step to move from controlling expenditure and minimising risk to managing risk and creating value.
With Basel II coming into effect at the end of 2006, IT management needs to drive governance priorities now.
OK, so "exciting" is pushing it a bit, but let no one in IT management underestimate the significance of what happened in Switzerland in July.
Paddy Keenan is managing consultant of QA, a security solutions company for large organisations.
This was first published in September 2003