IT governance is about responsibilities and consequences. To ‘non-IT’ people, its value is often only highlighted when something goes wrong – when an IT governance failure has real and negative impacts on the organisation and those stakeholders.
IT governance is the responsibility of executives and the board of directors. It consists of leadership, organisational structures. It also requires processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.
Organisations are subject to regulations governing the protection of confidential information, financial accountability, data retention, disaster recovery and more. These organisations have customers, ratepayers and voters, and community expectations. They have commercial realities, such as the cost of security–appropriate insurance coverage for identified risks, such as cybersecurity.
The intersection of these vectors creates what we call the ‘scary’ obligations of information governance. They are scary because failures of IT governance have real world consequences both for organisations and the people with whom they interact – their stakeholders.
In a previous blog, we touched on some of these consequences in the context of cybersecurity. So, let’s work through a discrete example for local government.
It can be tempting for an organisation to believe that it needs IT support rather than information governance. An IT support mentality will attract limited skillsets and notions of outsourcing to the lowest cost. Contrastingly, information governance recognises the need for orchestrated delivery of technical competencies that align with requirements.
Let’s think of a hypothetical local government. The organisation has in place a Risk Management Government Framework. That Framework explicitly requires overarching information governance in the form of a maturity model.
There is a strong correlation between the maturity curve of IT governance and overall effectiveness of IT. In a capability maturity model, an organisation needs to assess where it sits on the maturity curve in terms of capability: initial/ad hoc, repeatable, defined, managed or optimised.
Our hypothetical local government is in luck: in Western Australia, a maturity-model based ICT strategic framework exists, provided by the Department as a resource for local governments to use to plan for, manage and review information and technology assets.
In addition, the WA Auditor General has oversight of records management in local government. The Auditor General has imposed a mutual requirement for an ICT maturity model.
So, our hypothetical local government has obligations imposed by its own governance frameworks, the Department and the Auditor General.
The capper is probably the local government’s insurance underwriters.
Like any responsible organisation, the local government has assessed the insurable risks to which it is exposed. It has engaged the services of insurance brokers to assist it to quantify those risks and assess coverage options and pricing in the underwriting market. The underwriters have advised that the premium costs will continue to increase subject to the implementation of assessed cyber security recommendations.
In addition, the local government has reviewed its policy wording for its cyber insurance. It has found that coverage may be declined where there is a failure to preserve the privacy of personal data.
And that’s all before one considers the impact of Notifiable Data Breach legislation on local government.
So, should there be a breach of personal data, there is the potential for massive and widespread consequences. For the ratepayers whose information has been compromised. For the local government, its executive and councillors. For the service providers to local government.