The following summarizes the discussion carried on among the panelists and the 40-plus attendees:
Paul Williams initiated the discussion by noting the interplay between enterprise governance and the New Economy:
- "Weightlessness" – less correlation between an enterprise's tangible assets and market value
- Technology – advances bring both opportunity and risk
- Sector meltdown – changes in traditional industry classifications
- Stakeholder expectation – greater environmental, ethical and social responsibility
- Litigation – increased product and commercial liability risk
- Increased globalization – differing regulatory environments
Enterprise governance is the rules and processes through which business opportunities and risks are recognized and managed to ensure enhanced and sustainable stakeholder value (employees, their families, community, clients, suppliers, product safety and retirement). IT governance is the management process which ensures delivery of the expected benefits of IT in a controlled way to enhance the long-term, sustainable success of the enterprise. There is a growing set of responsibilities for the audit committee under enterprise governance.
Vernon Poole noted that corporate governance looks to the past, while IT governance looks to the future. It is critical for enterprises to get their governing boards involved and excited about IT governance.
Per Ronald Saull, the CIO is a business manager, managing a very complex business. The IT governance framework is a way to organize key elements of that environment.
Archie Watt stated his opinion that IT governance is as important as enterprise governance, due to the growing reliance of businesses on IT. Enterprise governance cannot exist without IT governance. IT governance helps CIOs introduce a controls framework into their enterprises.
I felt this was a great opportunity and pointed out the need to assemble allies in the effort to promote IT governance within enterprises. IT governance will receive attention from senior management if it is possible to prove a return on investment. With the fallout from Y2K and questions about the large amounts of money invested in Y2K preparatory measures ("unnecessarily", according to some), this might not be the best time to promote another new IT-related concept. However, once accepted and adopted within enterprises, IT governance might help IT management reach the level of respect merited rather than, as is all too often the case, merely being an 'appendage' to the finance director. After all, that is where our own profession originated in many companies, and, unfortunately, still is in some. Put another way, the IT director belongs on the bridge, not confined to the obscurity of the engine room.
What is the difference between governance and management? Everyone plays a role in governance, because governance is aimed at reaching the organization's goals. It is recognized that directors have a responsibility to introduce a control environment within their enterprises. Governance equals "direct" and "control," while management equals "plan," "organize," "direct" and "control." Governance is responsible for making sure the management framework is in place -- not for executing it.
Why is IT governance needed? Enterprise governance has specific areas of focus; IT is "our" (the IT Governance Institute's) domain. E-business was identified as one of the best vehicles through which IT can be recognized: IT is no longer just a facilitator of the business, especially when it comes to e-commerce, it is an integral factor contributing to the success of the business.
IT governance is policies, procedures, standards -- and a great deal more. There is considerable debate about how "big" it is and what it includes, but it certainly includes, in addition to the aforementioned items, a concept of stewardship and responsibility.
The issue of IT governance must be discussed at the governing board level: how does IT reach its potential in moving an organization to its objective? It was noted that IT governance is not second nature in dot.com enterprises, yet that is where it is needed most desperately. However, most dot.coms are focused on cost-cutting rather than on implementing controls. All too often, "weightlessness" can therefore easily become synonymous with "control-less." As long as companies are succeeding, controls are the last thing on their minds; once their success starts flattening out, cost management and controls start taking a more important role in their activities.
The discussion then centered on use of COBIT (Control Objectives for Information and related Technology, published by ISACF), and whether use of such a formalized, standardized framework is an advantage over using an enterprise's own, personalized reference model. The consensus was that, in this era of constant mergers and takeovers, a standardized framework helps the integration of two enterprises proceed more smoothly. Moreover, the adoption of an objective, third-party framework helps the enterprises involved avoid the "winner/loser" tensions that might develop if the proprietary framework of one is adopted over that of the other. Finally, use of a mutually adopted standard such as COBIT helps auditors express their skills in business terms to business people.
It was noted that the 3rd Edition of COBIT, slated for availability in late July 2000, will be published under the auspices of the IT Governance Institute. This will help confer upon it a level of credibility above and beyond the traditional audit realm.
As an important ally, I saw another independent body that is constantly raising the profile of IT within enterprises: the Information Security Forum.1 Bringing together the knowledge and experience of over 220 of the world's leading organizations, the Information Security Forum is dedicated to meeting the ever-increasing demand for business-based solutions to information security problems and to using its influence to further developments in the field. Amongst ISF's many valuable publications, its Standard of Good Practice is an ideal complement to COBIT.
"Governance" as a term is just beginning to earn acceptance. It fits well into the strategic view of enterprises. As business cycles get shorter and it becomes increasingly hard to plan ahead, governance concepts, carefully applied, help an organization become nimble and flexible, and know when to take legitimate risks.
The IT steering committee in enterprises (it may be called different things in different organizations) is a good starting point from which to begin spreading governance principles. Governance is not just about generating policies; the ability and the authority to measure against such policies are vital.
IT governance is a way to help auditors overcome the traditional auditor role of coming in after the fact with their unappreciated hindsight and evaluating actions already taken. Instead, IT governance provides a tool by which auditors can enter the scene from the beginning, making sure proper controls and procedures are in place before the process takes place and while it is being implemented.
Special note: The Information Systems Control Journal is grateful to Hugh Penri-Williams for interjecting first-hand comments into this summary.
Hugh Penri-Williams, B.Sc.Econ.(Wales), CIA, CISA, PIIA
is Senior Audit Manager of Information Systems worldwide for Alcatel Group Audit Services based in Paris, France. Formerly in security management and audit at S.W.I.F.T., Belgium, he gained extensive audit and information systems experience in insurance and banking. Hugh is very active in the IT audit and security community. His contributions to the profession include membership on the ISACA Global Conferences Committee, receipt of the John Kuyers Award, service as 1995-97 Vice President of the ISACA International Board of Directors, and service as 1993/94 Council Chairman of the Information Security Forum. Hugh helped organize several audit conferences throughout Europe and has given presentations from Oslo to Cape Town. His audiences have ranged from IT professionals to insurance underwriters and police officers. He has also appeared on IS audit best practices and security videos. In his free time, Hugh's hobbies include railways (particularly steam engines) and British humor.
Endnotes
1 www.securityforum.org
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2000 ISACA. All rights reserved.