In a research note on IT management and globalisation, analyst firm Gartner defines governance as, "The organisational style and process for making decisions about business technology and resources." A busy IT manager might think Gartner is being extremely vague, and wonder why the research group is paid so much money.
On the other hand, a good way to illuminate the importance of governance is to look to where it is absent. When IT projects fail, when valuable data goes missing, when systems crash, someone will come along and ask, "What process did you use to make the decisions you made?"
In a post-Enron world, corporate governance has become paramount. It is not enough to make the right decision; a company must have an explicit process for making those decisions.
The march of globalisation
The march of globalisation makes the need for effective IT governance even more pressing. Self-awareness in management is crucial in complex global organisations. As Gartner put it in another paper, "As IT-related decision-making becomes more distributed among IT leaders, business leaders and even end users, governance will become even more critical."
But here Gartner offers no prescription for choosing the process by which you make decisions. "There is no one-size-fits-all model for IT governance. Rather, governance flows from the overall structure and strategy of the organisation, and the role of IT in the business. Therefore, as business models evolve, so too does IT governance. As business becomes more global, dynamic and competitive, IT governance must adapt."
Although governance may seem a lofty notion that is only of interest to senior management or board-level players, its effects can trickle down to the most mundane IT tasks.
Managing security patches is a burdensome IT headache. Global businesses are finding that effective governance is the best approach to spending appropriate resources on a problem that could be never-ending.
Getting on top of risk
For a global organisation such as Standard Chartered Bank, risk-awareness is essential in security patching. John Meakin, group head of information security at Standard Chartered Bank, says, "The stakes are very high indeed. With our many large and complex interconnections to the outside world, it's vital to carry out effective patch management. Our aim is to achieve the right level of security through implementing an appropriate risk-based strategy. This cannot be achieved without a clear and accurate understanding of what needs patching and ensuring that it remains reliably patched."
The bank needed a clear picture of where the risks lay in software patching. Using vulnerability management software from Qualys, Standard Chartered gained a clear picture of its exposure to risk with common standards worldwide and prioritised remediation.
Before the introduction of enterprise vulnerability management, Standard Chartered's network topology and system configurations were unknown. Local teams used software tools to scan systems only occasionally. Spot audits were made through penetration testing and there was no rigorous method to assess exposure and take corrective action.
Employing comprehensive vulnerability management software also helped the bank meet strict financial compliance requirements, Meakin says. Monthly patch management reports to the bank's operational risk committee have enabled Standard Chartered to improve its risk management and address regulatory requirements that impact financial institutions.
Here, globalisation makes the task more complex because of different laws in different countries and economic regions. Standard Chartered has a network of more than 1,400 branches in more than 50 countries across the Asia Pacific Region, South Asia, the Middle East, Africa, Europe and the Americas.
"Regulatory pressures and increased exposure are driving more complex requirements for managing security risks. With this integration, we gain the ability to view and act upon security risk as it pertains to our organisation's assets," says Meakin. "In addition, being able to report on remediation and response plans has helped us meet strict financial compliance requirements."
Governance's role in outsourcing
Another area where the global bank found improved governance valuable was in IT outsourcing. In 1996, Standard Chartered Bank outsourced the management of its major datacentres to Schlumberger's IT subsidiary, Sema Group, as a part of a seven-year IT outsourcing deal. Near the end of the contract in early 2003, Standard Chartered decided to take the opportunity to consider competitive bids before renewal.
Outsourcing advisory firm EquaTerra, incorporating Morgan Chambers, helped build the new contract, but also worked closely with the project sponsor to create a governance model for the bank's IT services.
The EquaTerra team created a structured financial model defining the specific costs associated with each of the domains and countries being considered for outsourcing.
After Atos Origin bought Sema, it offered the bank savings of about 32% of IT costs from day one of a renewed contract, which clinched the renewal deal.
EquaTerra helped the bank to choose its IT service supplier in a controlled and auditable manner, applying the industry's best practices to deliver value for money and alignment with business strategy. It also helped design and implement appropriate governance mechanisms to ensure continued business alignment, measurement, accountability and value for money. This created a new footing on which to make decisions in the future.
John Tilley, managing director of IT outsourcing for Europe at EquaTerra, says the process should leave the firm with a deeper understanding of its IT sourcing, which it can apply to new contracts and relationships as they come along worldwide. "Many companies outsource for cost reduction and other short-term reasons, but an ongoing sourcing strategy is more important. This is how you are going to manage multi-sourcing in the long term and it gives you a platform for making future decisions."
The potential for failure
IT leaders have increased their emphasis on governance as they have sought to understand failures in IT outsourcing projects, Tilley says. Globalisation, which encourages sourcing IT services from a location other than the one where they are used, has created a greater need for effective governance because the risks escalate without it.
"Within a country, if you have no effective governance, you can still solve contract or technical problems with 'fire-fighting', although it is not ideal. But with global sourcing, with multiple suppliers in different time zones, that will not work. Your problems are exacerbated."
Governance is even helping to enhance the value of IT in a global economy. As firms have sought to reach new markets around the world, there has been a boom in mergers and acquisitions, during which effective IT governance becomes essential.
In September 2006, the German global industrial conglomerate Linde took over UK-based gas firm BOC in a deal worth £8.2bn. However, the model of IT governance developed by the UK firm prevailed in the newly merged company.
Jon Fundrey, BOC's finance director of global functions, says that before the merger, Linde's business model had been regional, but it was now adopting a hybrid model that retained some regional aspects but had a global IT function.
The value of BOC's global IT operation was benchmarked by Gartner and, more recently, by UK IT performance measurement company H2Index. This measurement highlighted the performance of BOC's UK-based datacentre, which supports SAP applications in more than 30 countries.
"We have been global [in IT] for a number of years, but Linde is at the start of a learning curve in terms of how to manage a global IT operation," Fundrey says. "We will be sharing best practice."
Easing mergers and acquisitions
Strong governance can markedly improve the position of IT during mergers and acquisitions, according to Ben Booth, chief technology officer at Ipsos, which bought British market research firm Mori in 2005. "If you are being bought, good governance means the value is greater and the risk is less, which establishes the worth of the IT department from the start.
"Some IT departments would have been dispersed within the acquiring business, but if it is well managed through good governance, you may find it carries on and have the model approached by the acquiring business."
Ipsos was 10 times the size of Mori when it bought the firm. Although Booth had previously been CIO at Mori, he quickly moved to become CTO of the much larger, newly merged firm. The strong governance of Mori's IT department was vital to that transition, he says.
Globalisation has created several drivers for better governance in IT. These include the increased complexity of sourcing IT and international rules determining how data must be managed. But globalisation can also change the shape of the IT department itself, and hence its governance.
As businesses are required to respond to their customers in a globally consistent fashion, the need for global governance becomes greater, Booth says. "Our business started off with many individual acquisitions. Now we are moving to a global model, because our clients expect global services."
So if a client expects a particular level of service and security in one country, they will expect it throughout the world, regardless of the internal business operation on the ground or the company's history, says Booth, who is also a fellow of the British Computer Society. "If you agreed to do something for a client worldwide, it requires a worldwide approach to governance."
But bringing disparate IT departments in line with a global governance model can be a challenge, he says, because of their differing histories and cultures. "They start off by mostly doing things professionally, but that may not fit with the overall situation. They can be doing something that is not best practice."
Training and education can help to align these disparate elements with the overall governance model, Booth says, as can programmes to encourage them to feel part of a global team. "But ultimately there has to be a degree of compulsion," he says.
This can be achieved through budgetary control and even forcing spending on particular activities, he says.
The very shape of an IT department will be determined by its governance model and should reflect the overall structure of the business, according to Booth.
Far from being an esoteric management concept, governance determines everything from the structure of your IT department to which security patch you apply first. And the continuing push for business globalisation is amplifying its importance.
Case study: Novartis
International pharmaceutical giant Novartis is addressing the challenge of IT security, governance and globalisation with the help of vulnerability measurement software from Qualys. It is now measuring the vulnerability of more than 10,000 PCs, thousands of in-house servers, backbone services, outsourced service lines and numerous extranet services.
In a highly regulated industry, Novartis must be explicit about the risks it takes and be aware of the legislation that applies to the firm. Chief security officer Andreas Wuchner says geopolitical factors combine with its business factors to create an overall model of risk. "A system that is fine in London would be handled differently in the third world because the political situation and stability are all factors."
Using the Qualys system, Novartis ensures its global information technology systems and corporate data are maintained within Novartis' security policy and security baselines as well as in compliance with government regulations. For globalised businesses, different regulations with implications for IT security apply in different regions. For example, Sarbanes-Oxley comes out of the US, while the Basel II accord is a European initiative.
Before the implementation of its global vulnerability management software, Novartis had no easy way to globally manage its security and compliance risks.
Wuchner says key to applying a governance model to IT security is the ability to measure security threats, which the firm does with tools from Qualys. "If you cannot measure the risk, you cannot manage it," he says.
Before this approach, each region had been responsible for maintaining the security and compliance of its own systems. Some geographical regions did a better job of maintaining compliance, while others focused on securing their systems from vulnerabilities.
The new IT security governance model, which uses software tools, comes out of a cross-management group that builds in factors such as the importance of data to the business, for example the relative importance of protecting financial data compared with protecting intellectual property. These are combined with legislative compliance and local variation in security threats.
This approach allows security measures that are not fixed to a particular product or project, but can evolve. A project-management life-cycle process is required for every new business process that involves IT. This ensures that Novartis' security policies are well established and maintained.
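The following is an added example, not code from the article, from Qualys, or from Novartis or Standard Chartered. It shows in Python what the risk-based patch prioritisation described for both banks and the pharmaceutical firm looks like in practice: each scanner finding is weighted by the importance of the data on the asset, by regulatory scope, by a regional threat factor and by how long it has gone unpatched, then ranked and summarised per region for the kind of monthly report a risk committee receives. All weights, host names, regions and findings are constructed assumptions.

```python
"""Risk-based patch prioritisation: an added, illustrative scoring model.

Hypothetical weights and constructed findings; this is not the scoring used by
Qualys, Novartis or Standard Chartered. It combines the factors the article
lists: finding severity, importance of the data on the asset, regulatory
scope, regional variation in threat, and how long a finding has been open.
"""
from dataclasses import dataclass
from typing import Dict, List

# Relative importance of the data on the affected asset (hypothetical weights).
DATA_WEIGHT = {"public": 1.0, "internal": 1.5, "financial": 2.5, "ip": 3.0}
# Regional threat weighting; unknown regions get a cautious default (hypothetical).
REGION_WEIGHT = {"london": 1.0, "frankfurt": 1.0, "region-x": 1.6}
DEFAULT_REGION_WEIGHT = 1.2
# Multiplier for assets inside a compliance regime such as SOX (hypothetical).
REGULATED_MULTIPLIER = 1.25
# Findings open longer than this are reported as overdue (hypothetical SLA).
SLA_DAYS = 30


@dataclass(frozen=True)
class Finding:
    host: str
    region: str
    data_class: str   # key into DATA_WEIGHT
    severity: float   # 0-10, CVSS-style base score from the scanner
    regulated: bool   # asset in scope of a compliance regime
    days_open: int    # days since the finding was first reported


def risk_score(f: Finding) -> float:
    """Severity scaled by data importance, region, regulation and age."""
    score = f.severity * DATA_WEIGHT[f.data_class]
    score *= REGION_WEIGHT.get(f.region, DEFAULT_REGION_WEIGHT)
    if f.regulated:
        score *= REGULATED_MULTIPLIER
    # Age penalty: up to +50% for findings left open 60 days or longer.
    score *= 1.0 + min(f.days_open, 60) / 120
    return score


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Patch order: highest risk first; ties broken by host name for stable output."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host))


def region_report(findings: List[Finding]) -> Dict[str, Dict[str, float]]:
    """Per-region summary of the kind a monthly risk-committee report needs."""
    summary: Dict[str, Dict[str, float]] = {}
    for f in findings:
        row = summary.setdefault(f.region, {"open": 0, "overdue": 0, "top_score": 0.0})
        row["open"] += 1
        if f.days_open > SLA_DAYS:
            row["overdue"] += 1
        row["top_score"] = max(row["top_score"], risk_score(f))
    return summary


# Constructed sample findings (not real hosts or scan results).
SAMPLE_FINDINGS = [
    Finding("fin-db-01", "london", "financial", 8.0, True, 12),
    Finding("web-kiosk-07", "region-x", "public", 9.8, False, 3),
    Finding("rd-share-02", "frankfurt", "ip", 5.0, False, 90),
    Finding("hr-app-04", "london", "internal", 4.3, True, 6),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.2f}  {f.host:14} {f.region:10} sev={f.severity}")
    for region, row in region_report(SAMPLE_FINDINGS).items():
        print(region, row)
```

Running it shows why a governance-led model differs from patching by raw scanner severity: the 9.8-rated finding on a public-facing kiosk ranks below a 5.0 on an intellectual-property share that has been open for 90 days, because data importance and age both count, and the per-region summary yields the overdue count a risk committee would act on.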
Gartner's guide to IT governance in global firms
Global structure: centralised
Style of IT governance: direct and uniform. Strong architecture and standards drive compliance.
Global structure: federated
Style of IT governance: enabling within corporate vision, led by corporate CIO, using corporate architecture and standards designed for flexibility and agility.
Style of IT governance: dispersed and probably not standardised, limited opportunity for corporate leadership, minimal central standards.