Regulation, governance, information technology. These three terms have created whole industries within organisations. Why is this, and can firms cope? In 11 steps, this article explains the relationship among the three and offers actions and guidance on how to make sure they contribute to sound governance and genuine compliance in ways that support the business, rather than dominate it.
1. Understand the origins
Among the 30 articles of the United Nations Universal Declaration of Human Rights are “the right to freedom of thought…” and the right to freedom of “…opinion and expression”. These magnificent rights create problems when turned into actions: how can we honour one person’s freedom of thought and expression without dishonouring that of others?
The answer is that we cannot, at least not completely. Instead, laws and customs have evolved over time, shaping behaviour that society accepts as appropriate: this is where regulation and governance begin. New technologies empower society, but can also be used to exploit it, and IT is today’s “empowerer”.
2. Understand the relationship between governance and regulation
The starting point is governance. Governance is all about behaviours and relationships.
If we all had the same high expectations, ambitions and experiences, good governance would happen naturally. But we are not the same, so inevitably there will be ethical dilemmas that can only be addressed through consensus of what is equitable and just.
Hence the development of formal regulation, codes of corporate governance, ethical policies, and frameworks such as COBIT that codify how we should behave and set expectations on the benefits to society as a result of that behaviour.
3. Understand the power and pitfalls of IT
IT has revolutionised the way we live. Technology has empowered people in rich and poor nations to degrees not even dreamed of 30 years ago. Let’s look at two aspects – the web and business systems – to understand the power and pitfalls.
The web has brought millions of people together, but it also makes it difficult to validate with whom we are communicating, and why. This has made individuals and nations think about how appropriate an ungoverned worldwide web is. Each of us is looking for the right level of governance for our web, from “no restrictions” to varying degrees of restriction. We all want technology that benefits us without harming us, but interpreting “benefit” and “harm” is problematic at national, cultural and personal levels. What do we mean by “harm”, for example? The web’s pitfall is that no one can govern it as a whole, although local legislation does set national boundaries of acceptable use and behaviour.
Business systems, whether offering client services or purely for internal use, have their own governance issues. The benefits of fast data analysis and high-volume transactions using straight-through processing are enormous. Automation removes human error, but it also removes human knowledge of why the process works as it does.
Underlying assumptions and dependencies are forgotten over time, so enhancing one area of a system can have unintended consequences for other parts. Think how often new releases of software have introduced new bugs. Stating that there was insufficient testing is too simplistic: to know what to test, you must first know how all aspects of system and service delivery will react to the changes.
4. Focus on business and IT design integration
Applications are becoming more intuitive to use, so we need an equally intuitive approach to building systems and applications, one in which business and IT understand each other. Business should still lead and IT should serve, but as a meeting of equals, coming together regularly and frequently to increase mutual understanding.
There is a lot of governance-related regulation and guidance in the UK. Corporate responsibility is covered by the Companies Act 2006 and the Higgs Report. See also the application of the Turnbull guidance on internal control, the Stewardship Code, the Guidance on Board Effectiveness and the UK Corporate Governance Code.
5. Understand what shapes governance in your organisation
All businesses are subject to legislation covering how firms are run. Many corporates will also have to follow corporate governance codes, and individual sectors will have their own specific regulation. On governance alone, the list is vast.
You need a general awareness of what influences governance in your firm, and access to the experts in your organisation, typically the legal and compliance teams, to check points of detail.
Changes to IT work both ways: a process change needs to be checked against regulatory requirements, and changes in regulatory requirements must be assessed against IT processes.
6. Know who the key stakeholders and decision-makers are
There may be competing requirements among the people who operate the service (supportability), the users of the service (usability), risk managers (security and controls) and compliance managers (conformance).
For example, more security may make the system more difficult to use, or compliance requirements may demand more information than the business actually needs.
7. Check alignment to strategic or business objectives
Test the proof of concept against strategy and objectives. It makes sense to check that changes meet top management’s objectives before applying them. Too often, the strategy set at board level and what actually happens in the operational areas differ.
8. Get access to your business people
If you cannot get access to the business experts, your project is at risk of not delivering business benefits. The worst case is that your organisation can no longer demonstrate compliance and loses its licence.
9. Ensure the basics of good IT governance are applied
Good documentation covering the original design, including the names of all the people involved, their positions and departments, and the date, is extremely important because it provides the context in which decisions were made.
Documentation must be kept up to date and should be tested for its relevance as often and as thoroughly as the system itself is tested. That way, the loss of knowledge is reduced and the documentation becomes a useful asset connecting business requirements with IT solutions.
Have clear roles, responsibilities and reporting lines. Clarify the level of autonomy to make decisions.
10. Widen your risk assessment
Governance failures are often failures in judgement because the risks are assessed too narrowly, typically at a business unit level. In IT, many risk assessments just focus on the project process.
Extend the assessment beyond the project – assess corporate, business, project and product risks for all IT developments – so that there is a clearer picture of cause and effect on the whole business.
Governance frameworks such as COBIT can lead you on the right path.
11. Look to your data management
This area is often overlooked, as the discussion on big data has highlighted: managing data is time-consuming. Data is the lifeblood of business. If data is underused, there is no return on the investment in collecting and storing it. Data protection regulation, while focused on personal data, contains sound principles, such as keeping data accurate, keeping it no longer than necessary and keeping it secure, that apply to all data.
Information technology empowers organisations and individuals. Data provides the information and knowledge. Together, under the stewardship of business and IT professionals, they provide the automated systems and processes that produce goods and services, and also the proof that these have been provided in ways appropriate to the sector.
To ensure suppliers, customers and society are treated equitably, our organisations must work within a culture of good governance and demonstrate that governance through compliance with regulations.
Sue Milton is ISACA London Chapter president