How can I implement effective IT controls and still encourage innovation and creativity in the IT solutions development process?
Any organization that has undertaken an information technology (IT) initiative with the aim of reducing the cost of doing business, increasing revenue or creating a strategic, lasting competitive advantage faces one daunting question: Have we complied with all corporate governance controls and still developed the most pragmatic IT solution for the job? The answer to this question is frequently: “We hope so.” In fact, there is a way you can leverage IT governance to answer the above question with confidence.
The need for IT governance
In recent years, IT controls have become integral to the effective governance of the modern enterprise. IT governance is driven, in part, both by the need to ensure that internal risk management controls comply with external regulations and by the need to ensure that scarce IT resources are aligned to meet business objectives.
The regulatory compliance requirements are mandated by OECD’s Principles of Corporate Governance, Basel II, Sarbanes-Oxley and New York Stock Exchange guidelines. The rationale for these regulations is to make sure that there is a verifiable process to manage corporate risks and instill a corporate environment of respect for all stakeholders.
As corporate IT groups recognized the inherent value of corporate and IT governance, the notion of business and IT alignment was born. It is a continuous process, ensuring that the consumption of all IT resources (human, hardware, software, vendors/partners etc.) is clearly linked to the company’s business goals.
Governance itself, though, is essentially about ensuring that business is conducted properly. It is less about overpowering controls and strict adherence to rules and more about guidance for effective and equitable usage of resources. For a control practice to be effective, it must have context, which defines the drivers; processes that are defined and accepted by all stakeholders; resulting content that describes the process for value generation; and a mechanism to provide flow control and feedback for continuous improvement.
Not all IT governance initiatives need to adhere to identical mandates. You can undertake one governance initiative to meet regulatory requirements, another to implement a formal process to manage enterprise risks, and still another to create a continuous improvement environment. For example, there are many organizations that have simply adopted ISO 9000:2000 quality management systems to become compliant and forgone the opportunity to create a continuous improvement environment. (However, they have failed to realize the total business value from the formal control practice.) Similarly, an IT organization could adopt IT governance simply to become compliant with external regulations. Or it could use it as a strategic tool.
The process outlined here describes how IT governance could be used to deliver IT projects more effectively, so you can better leverage your IT assets. This framework outlines the context, typical processes, the content generated by these processes, measures of enterprise value, as well as mechanisms for process flow control and document repository. It can also be used to monitor the maturity of the internal IT governance process.
How to implement IT governance
As your corporate colleagues in the lines of business might have realized when implementing the ISO 9000:2000 Quality Management System or gaining Workwell Health and Safety compliance, these systems require a balanced integration of people, processes and technologies.
Based on my experience, the typical budget allocation for a governance system should be broken down into this ratio: 50 per cent for staff development, 35 per cent for development of processes and 15 per cent for supporting information technologies.
Staff development: The corporate staff in your lines of business and in IT must recognize their roles in the enterprise value-generation process; they must also have certain skills and an aptitude for assuming leadership. This cannot be learned in the classroom alone. There must be a concerted effort made to provide mentoring, coaching and an environment for learning by trial and error.
Process development: The processes must be developed holistically, and with a focus on the total value to the enterprise. One must resist the urge to optimize for the needs of individual professions in the value chain. For example, I have seen solution delivery lifecycle processes that are developed in isolation by stakeholders such as project management or corporate audit and risk that are so cumbersome it takes more than 90 per cent of the initiative’s budget to become compliant — and in these cases, the original intent to deliver enterprise value via the initiative has been relegated to being simply a byproduct.
Supporting technologies: The technologies exist to support the above-defined business processes. Although technology solutions are required to make processes efficient, they do not ensure the processes’ effectiveness. Only an educated, trained and principled staff following processes in context can make a process effective.
To implement IT governance cost-effectively and without disturbing the entire enterprise, consider the following major business processes:
- Enterprise architecture and portfolio management
- Solution delivery lifecycle
- Post-implementation support and asset retirement
The governance model must control these processes yet at the same time allow creativity and innovation. Industry-defined processes provide an effective and efficient mechanism for staff and process development: the Open Group Architecture Development Methods for enterprise architecture, PMI-defined project management processes and the Rational Unified Process for solution development, and Information Technology Infrastructure Library (ITIL)-defined processes for post-implementation support.
As the internal processes mature, adopt supporting IT solutions on an as-required basis to provide necessary automation. There are a multitude of vendors in each area. One should look to a single integrated solution that provides services as an application solution provider (ASP), look to gain the ability to procure services as required and/or find a vendor that provides source code to extend the solutions to meet your specific business and cultural needs.
IT governance maturity
In order to ensure continuous improvement and guard against the governance process becoming too bureaucratic, one must instill a monitoring process that also provides guidelines for corrective actions. Control Objectives for Information and related Technologies (COBIT) provides good practice across multiple domains and a process framework in a logical and manageable structure. The main focus areas of COBIT are strategic alignment, value delivery, resource management, risk management and performance management. It defines supporting processes for each domain and the ability to monitor process maturity from level 0 (nonexistent) to level 5 (optimized).
Remember: IT governance is not about controls and overpowering rules; it is about providing guidance to ensure long-term sustainability.
Jason Uppal is a chief architect of QRS and is a Certified Master IT Architect by The Open Group. QRS provides education, training, mentoring and off-the-shelf software solutions. He can be reached at firstname.lastname@example.org.