More than ever, the modern IT department needs to demonstrate its value to all stakeholders – proving IT’s place as an enabler, rather than a cost centre. A well-developed IT governance framework is one of the best tools to highlight this value.
IT governance is about responsibilities and consequences.
To ‘non-IT’ people, its value is often only highlighted when something goes wrong – when an IT governance failure has real and negative impacts on the organisation and those stakeholders. And it does go wrong: you’ve no doubt seen the reports from auditors, underwriters and others summarising the sheer volume of threats and attacks occurring.
IT governance is the responsibility of executives and the board of directors. It consists of leadership and organisational structures. It also requires processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.
The key word is “responsibility”, which lies with the executive and board/Council, rather than the IT department. Organisations, from the board down, must make IT governance a top-order concern. To quote WA’s Auditor General:
“When government outsources any ICT function, or buys cloud hosted applications, it remains responsible for identifying risks and ensuring appropriate functionality, security and availability controls are in place. Proper due diligence processes must be undertaken, when designing the contract and throughout the term of the contract, to ensure government gets the service it needs and the community expects.”
These concepts of organisational need and community expectation are central to the Office of the Auditor General’s annual Information Systems Audit Report. The report assesses whether controls in government entities “effectively support the confidentiality, integrity, and availability of information systems”.
Without effective IT governance, your organisation will not be able to support that confidentiality, integrity and availability.
In devising and implementing a quality IT governance framework, it is vital to demonstrate the value of IT governance.
Being able to demonstrate that value to key stakeholders – the executive, the board or the Council – is obviously preferable to suffering through the pain and consequences of a failure: a breach of ratepayer data, a critical system shutdown impacting service delivery and so on.
You need to highlight Fear, Uncertainty and Doubt.
The leaders of the organisation need to understand that the consequences of poor IT governance are real, far-reaching and can impact every aspect of what you do. What’s more, those consequences sheet home to the leadership level: these are obligations that they retain regardless of how IT governance is managed or what suppliers are used.
We will talk next week about how to demonstrate the value of IT governance and some great tools that you can use in the process.
Until then, stay safe.