You’re an IT manager. It is very likely that your awareness of the importance of IT governance is not be matched by the board and senior executives within your organisation.
IT governance is about responsibilities and consequences. To ‘non-IT’ people, its value is often only highlighted when something goes wrong – when an IT governance failure has real and negative impacts on the organisation and those stakeholders.
IT governance is a whole of organisation initiative. It requires buy in from the very top of the organisation. How do you get that buy in?
To quote WA’s Auditor General:
“IT governance is the responsibility of executives and the board of directors. It consists of leadership, organisational structures. It also requires processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives”.
Ineffective IT governance means an organisation’s strategies and objectives are at risk. Very often boards and executives lack awareness of the problems generated by a lack of IT governance. In this environment, it is near impossible to bring priority to an IT governance implementation initiative.
A starting point is education. Provide the appropriate educational resources for your board and senior executives. This might include inviting an industry expert to present on IT governance to the board and executive. Provide them with the Auditor General’s annual information systems audit report. The report highlights and recommends solutions to common system weaknesses. Those weaknesses threaten information security and, in turn, IT governance. Provide other relevant publications on the benefits of governance generally and IT governance in particular.
Next, raise the priority and visibility of IT governance. Start asking questions at all levels of the organisation. These questions might include:
- How often is the board briefed on the IT risks to which their organisation is exposed?
- Is IT a regular item on the agenda of the board?
- Is IT addressed in a structured manner at board meetings?
- Is the board clearly articulating the business objective to facilitate alignment with IT for those objectives?
- Does the board understand the risk/return dynamics of major IT investments?
- Does the board obtain regular progress reports on major IT projects?
- Is the board getting independent assurance on the achievement of IT objectives and the containment of IT risks?
- How does the board perform its oversight of IT?
- What are the controls and reporting for IT?
- What are IT’s performance indicators?
- Who is tasked with championing and driving IT governance?
You can also highlight how appropriate structures at board level provide specific accountabilities. And how this, in turn, facilitates both IT governance and supports initiatives within IT. These structures can include:
- Improving director competency by appointing new directors with appropriate IT skills and expertise
- Improving that competence via education of existing directors
- Making explicit the responsibilities of board committees (for example, audit and risk) to specifically include IT governance
- A further step (adopted by board with high reliance on IT capabilities) is establishing an additional committee or advisory group with a particular IT governance focus
- Reviewing assurance arrangements, including the role and scope of internal/external audit arrangements in respect of IT governance
- Assessing the delegations established by the board and formalising responsibility and accountability for IT management.
This is not an exhaustive check list. However, it provides a commencement point to bring IT governance to prominence within your organisation.
In coming weeks, we will discuss some of the other tools to enhance the prominence and understanding of IT governance and information security. These all build towards making IT an effective enabler of the remainder of the organisation. It makes IT closely aligned to business objectives and drives an effective IT culture across the organisation.
Until then, stay safe.