You’re a CEO. Your organisation has multiple objectives, broad responsibilities and competing priorities.
Governance is a key requirement for every organisation. It is likely that your board and executive do not have a developed awareness of the importance of IT governance.
IT governance is about responsibilities and consequences. To ‘non-IT’ people, its value is often only highlighted when something goes wrong – when an IT governance failure has real and negative impacts on the organisation and its stakeholders.
IT governance is a whole-of-organisation initiative. How do you get buy-in across your organisation?
To quote WA’s Auditor General:
“IT governance is the responsibility of executives and the board of directors. It consists of leadership, organisational structures. It also requires processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives”.
Ineffective IT governance means an organisation’s strategies and objectives are at risk. Very often boards and executives lack awareness of the problems generated by a lack of IT governance.
A starting point is education. Ensure that your IT department is providing the appropriate educational resources for your board and senior executives. This might include inviting an industry expert to present on IT governance to the board and executive. Make sure that they read and understand the Auditor General’s annual information systems audit report. The report highlights and recommends solutions to common system weaknesses. Those weaknesses threaten information security and, in turn, IT governance. Make sure IT is providing other relevant publications on the benefits of governance generally and IT governance in particular.
Next, raise the priority and visibility of IT governance. Are these questions being asked at all levels of the organisation?
- How often is the board briefed on the IT risks to which their organisation is exposed?
- Is IT a regular item on the agenda of the board?
- Is IT addressed in a structured manner at board meetings?
- Is the board clearly articulating the business objectives so that IT can be aligned with them?
- Does the board understand the risk/return dynamics of major IT investments?
- Does the board obtain regular progress reports on major IT projects?
- Is the board getting independent assurance on the achievement of IT objectives and the containment of IT risks?
- How does the board perform its oversight of IT?
- What are the controls and reporting for IT?
- What are IT’s performance indicators?
- Who is tasked with championing and driving IT governance?
You should consider how appropriate structures at board level provide specific accountabilities, and how this, in turn, both facilitates IT governance and supports initiatives within IT. These structures can include:
- Improving director competency by appointing new directors with appropriate IT skills and expertise
- Improving that competence via education of existing directors
- Making explicit the responsibilities of board committees (for example, audit and risk) to specifically include IT governance
- A further step (adopted by boards with a high reliance on IT capabilities) is establishing an additional committee or advisory group with a particular IT governance focus
- Reviewing assurance arrangements, including the role and scope of internal/external audit arrangements in respect of IT governance
- Assessing the delegations established by the board and formalising responsibility and accountability for IT management.
In coming weeks, we will discuss some of the other tools to enhance the prominence and understanding of IT governance and information security. These all build towards making IT an effective enabler of the rest of the organisation. This aligns IT closely with business objectives and drives an effective IT culture across the organisation.