In Information Systems Control Journal, volume 3, 2002, this author wrote an article on IT governance titled, "Make Sure Management and IT Are on the Same Page: Implementing an IT Governance Framework." The article provided insights into how to recognise the practical IT issues that regularly concern top management, so when the governance process is being implemented, the organisation can ensure it provides answers to the kinds of questions increasingly being put forth at senior management meetings.
This article takes some of those thoughts a step further—if these are the issues most companies need to address in IT governance, then what is the best vehicle for coordinating the discussion and ensuring action is taken? The IT Governance Institute (ITGI) last year published a booklet titled IT Strategy Committees [1] which states:
"As IT becomes increasingly critical for enterprise survival as well as enabling growth, IT Strategy Committees need to broaden their scope. In addition to providing counsel on strategy when advising the board on its IT governance responsibilities, they need to focus on IT value, risks and performance."
The booklet provides excellent guidance on how the role of the IT strategy committee could be better structured to support IT governance.
If organized properly and composed of the right mix of senior decision makers, a committee such as this focused on IT governance can act as the coordinating team for all the key issues and decisions affecting the use of IT across the enterprise, providing, for example:
- Guidance on strategic goals
- Alignment of IT and business objectives
- Direction and control of IT activities
- Consideration of risk exposures and monitoring of risk management
- A communication path between the board/executive and middle management
- Resolution of cross-function or intercompany issues
- IT funding and monitoring of financial objectives and performance
- Assessment of IT capability and adequacy of the IT infrastructure
- Drive for best practice, standardisation and interoperability internally and externally
- Coordination of contractual and functional IT aspects of e-business partnerships
- Consideration and monitoring of external outsourced IT services
- Sponsorship of IT improvement projects (e.g., technology, skills, process enhancements, etc.)
- Advice regarding technology trends and the potential to use IT for business advantage
Although it is usual for such a governance committee to be formed from an existing IT strategy committee, the composition of the committee will be broader, and so too will its remit. The ITGI booklet states:
"IT Strategy Committees often limit their scope to providing direction to ensure that IT is aligned with current and future business strategies. However, the IT Strategy Committee is well placed to assist the board on all aspects of IT governance, notably the monitoring of the successful implementation of the strategic plans."
The name "IT strategy committee" may therefore be inappropriate; the committee could instead be called the IT governance committee, or whatever name carries the most support and political acceptance within the organisation.
Composition of the committee should be drawn from those management groups with the most interest in IT-related issues, and the most to contribute to the direction of successful outcomes.
Who Should Be Interested in Top Management IT Issues?
The primary stakeholders who ultimately have an interest in IT performance and require effective IT governance will be the board, executives, shareholders and customers. The stakeholders rely on the management of the business to manage IT-related risks and deliver the value needed from IT investments.
While the CIO or equivalent has direct responsibility for directing and managing IT resources and safeguarding IT assets, the creation of successful IT outcomes relies on all of the organisation's management working together in harmony to achieve common goals.
Using the COBIT Framework [2] to summarise typical top management concerns by COBIT's IT domains [3], figure 1 lists the management groups that should have a primary interest in these issues.
Who Should Participate?
Recognising the need for a collective approach, a key success factor is that membership should represent business and IT interests (see figure 1). The members of the committee will, therefore, have diverse backgrounds with representation from all key areas. One of the likely outcomes of this approach is that IT will have a minority role, but it will gain by having the support and commitment from others, sharing responsibility and accountability.
An example of a typical committee membership is shown in figure 2, taken from ABSA [4], a major financial institution in South Africa, which has been developing an approach to IT governance leadership since 2000.
ABSA chose not to include a representative from internal and/or external audit. Inclusion of this function in an advisory capacity can be beneficial—not just because independent input can be provided on IT risk and compliance matters, but also because the auditors will benefit from greater insight and awareness of top-level business-related IT issues.
Leadership and authority are key. According to the ITGI IT strategy committee briefing, "The chairman should be a board member and it is important that at least two board members remain active in the committee so the board is adequately represented." In addition, objective input can be very helpful, as well as the provision of external expertise, especially in a smaller enterprise. "To ensure that there is enough technical expertise in the committee, the board may choose to select IT experts to serve as external advisors." The briefing also advises that "the members should be selected on the basis of their knowledge and expertise in understanding the business impacts of information and related technology."
ABSA realised that for the committee to fulfill its functions, members must have certain attributes which are outlined in figure 3.
At this year's ISACA EuroCACS Conference, an excellent keynote presentation [5] was given by Alexander Rinnooy Kan, main board director responsible for IT policy at ING, a large worldwide financial institution headquartered in the Netherlands. ING recently was profiled in a Gartner report on "Effective Governance by Design." Figure 4 shows how ING structures its IT decision-making.
Kan explained that "ING has implemented a global IT governance structure that meshes with its overall corporate governance structure which helps it to ensure the strategic alignment of IT with the business. This structure is intended not only to improve the quality of the IT function but also to speed up decision-making." ING has a strategy committee, known as the IT policy board, which is chaired by Kan. Two additional main board directors sit on this committee, thus ensuring proper interest and accountability for IT at the board level. The policy board also includes the OPS/IT portfolio keepers of the four executive centres (divisions) and the director of the corporate IT staff department. There is also an IT leadership council, consisting primarily of business CIOs, which advises the policy board. To demonstrate the seriousness applied to information security, the company also has a separate information security steering committee, which reports directly to the IT policy board. The IT leadership council has three subgroups, dealing with IT standards, IT architecture and IT infrastructure.
"A key feature of our governance structure is the existence of corporate IT, one of our group staff departments responsible for policy preparation, the provision of IT advice to the businesses and monitoring the IT activity within the entire organisation. This latter activity is carried out by a small subgroup within CIT, the IT performance and investment management team. In addition, there are application forums within the executive centres (divisions) to provide a mechanism for standardising functional application areas (for example CRM) across the businesses. The approach is to bring the demand (from the business) and supply (from IT) together to determine the optimum way forward," according to Kan.
What Is IT Governance Best Practice for IT Strategy Committees?
Figure 5 summarises some of the views of leading analysts regarding the purpose and functions of a committee charged with IT governance.
The IT Governance Institute has analysed the various elements of IT governance, considered the views of analysts and other experts, and concluded that IT governance consists of five main dimensions:
- Strategic alignment—With focus on aligning with the business and collaborative solutions
- Value delivery—Concentrating on optimising expenses and proving the value of IT
- IT resource management—Focussing on knowledge and IT infrastructure
- Risk management—Addressing the safeguarding of IT assets and disaster recovery
- Performance measurement—Tracking project delivery and monitoring IT services
These five dimensions provide a complete view of what IT governance covers. Figure 6 summarises the committee's key responsibilities for each of the five dimensions, and how the committee can achieve positive results.
[1] IT Strategy Committees, ITGI, 2002, www.itgi.org/resources.html
[2] COBIT 3rd Edition, Framework, ITGI, 2000
[3] Information Systems Control Journal, volume 3, 2002
[4] Presentation on IT Governance by Dr. D.C. Le Roux, head of IT Strategy, Infosec Africa, July 2002
[5] EuroCACS 2003, Amsterdam, The Netherlands, 24 March 2003
is director of IT Winners Ltd., an independent consultancy based in the UK that specialises in IT risk management and performance improvement. Hardy has been a member of ISACA since 1981 and has held several leadership positions, including board member. He is a founding, and continuing, member of the COBIT Steering Committee, and a contributor to ISACA's and ITGI's work on IT governance. Hardy has been involved in IT, IT audit and IT risk consulting for more than 25 years in industry, internal audit, external audit and consulting.