Excerpt: IT Governance Roundtable: Brisbane September 2008

ITGI

What is IT governance? And what has it meant to your organisations and other organisations you’ve worked with during your career?

SM: I’m in a capital-intensive business. From an ENERGEX perspective, one of the issues with any investment and capital infrastructure is that whoever goes up for the dollar has to fight with everybody else. For some time we’ve had a conversation with our senior executives that it is better to put in a substation or spend $100 million on some IT system, and have the necessary benefit discussion. So the dollar that you actually spend, which does something real and is visible to the customer, is obviously very important, but in some cases that’s somewhat short-sighted and actually gets you only a part of the way. If you can invest in an IT system, you then provide something that has longevity and adds even more value. It’s during a benefits comparison of one investment to the other that you have to take into consideration the risks and all those other sorts of things that go along with the project governance, which is encapsulated by IT governance. The big issue in our organisation is that we’re trying to look at IT governance in regards to our overall business perspective. We’re trying to manage all of our investments at a portfolio level. It’s also an education session for the senior executives—you need to take them along for the ride as well. …

JT: If we were to use the term ‘governance’ 20 years ago, we would have drawn blank stares. By and large, I think it’s emerged and I think it’s evolving. I personally don’t like the term, IT governance, or ‘information and communication technology (ICT) governance’ because I think it’s just part of enterprise governance. I think every time we label something ICT, it’s shot over to the ICT group, when, in many cases, it’s a business issue. We’ve seen an evolution. The first thing we focused on was to get the factory sorted out. And we’re still trying to do that. Then we had to start getting projects sorted out. And we’re still trying to do that. But now we need to move on to the value piece—how do we get value from this? And that very much changes the dimension because getting value is not a technology issue; it’s a business issue.

AG: I think governance is a terrible term. I didn’t know what it meant. I guess one of my concerns is that at a corporate level, a board level, we’ve seen a lot of business relating to governance in recent years. And most boards in Australia would acknowledge that there’s too much focus on governance, to the exclusion of performance. And the problem with governance is that it tends to be process-oriented—you check the boxes, (answering questions) such as ‘Have you done this? Do you have a management strategy? Do you have a business plan? Do you have an internal committee?’ All of this doesn’t produce performance. All it does is produce checks in boxes. I’m a bit concerned that ICT governance may well develop along the same lines, where you’ll get a lot of checklists. And at the same time you lose $90 million on a project that doesn’t deliver—it isn’t finished on time and it doesn’t meet the client’s needs. So, as a business person, I have a concern about process vs. outcomes. Governance tends to emphasise the process rather than the outcomes. I think this is something you have to be very careful of. In my career, both in IT and as a CEO, I’ve always said that the important thing about IT is the ‘I’, not the ‘T’. It’s the information that’s important. That’s what’s driving your management—there’s too much focus on the technology and too many IT people are technologists. As a CEO, I always insisted that the people who ran IT were business people, not IT people.

MA: What’s interesting is that I don’t know if anyone likes this term, IT governance—no one seems to put their hand up about it. And I’ve got the same issue. When I speak to people at the board level, the senior level, they vaguely know what governance is as a concept. They never really thought of IT governance as something they needed to put in a separate bucket. What’s even more interesting is that, for those organisations, often IT governance is everything—they just don’t know it. They don’t realise that the reason they’re getting poor IT governance or poor IT outcomes is because they’re not providing direction to anyone. I sometimes think, from a business side, they actually like that because, if something goes wrong with IT, they can point the finger at IT and say they didn’t do it right—whatever it may very well happen to be. ‘Whatever it is, it isn’t what I wanted’. But IT governance usually is centered around a budget rather than a strategic plan, even when they think there is a strategic plan. They’re not getting better outcomes because they haven’t thought about it seriously. But one of the fun things is this cultural difference between an accountant, such as myself, and the IT people. We’re taught in accounting school how to say no—you can’t have more budget; you can’t spend more money; I will not sign that check. IT people are very good at saying yes. They’ll say yes to a project because it’s something interesting or something they want to do—I’ll build you a web content management system even though we could buy one. This actually happened at a client with a 24-year-old webmaster who wrote a web content management system from scratch.

TH: In the last decade or so there have been some international events around Enron and the legislation concerning the Sarbanes-Oxley Act in the United States. Global markets and companies have to reach across the world, and there have been extra things put into the process of governing organisations that we never thought of 15 or 20 years ago. There would be some folks who work in the IT (or other) industry who would think that this governance is just getting in the way. Some CIOs have said to me that they could cut loose as they have a good relationship with the CEO. They got their dollars each year and everything was sweet. Now, all these extra things have come to play and it’s constraining their style. …

DM: … I think governance is made up of two things—doing the right thing and doing the things you do right. I think process is very important in order to ensure that what you do is properly executed, because there are good ways and bad ways of delivering projects, delivering IT outcomes. I think what is missing is the performance bit—why are we doing this at all? Is it something we should be doing?

Editor's Note

Look for additional comments and responses in the full IT Governance Roundtable: Defining IT Governance, available for download at www.itgi.org.

Thank you to the IT Governance Institute (ITGI) for providing this content for reprint. The full publication, of which this is an excerpt, IT Governance Roundtable: Defining IT Governance, is available for free download at www.itgi.org. This content is the result of the discussions that took place in September 2008, in Brisbane, Queensland, Australia. This and planned future roundtables are intended as opportunities to learn more about the real-life situations professionals are facing in regard to IT governance.

The participants at the September event included:

Moderator, Tony Hayes, FCPA, executive director of the Public Service Commission, Queensland Government, Australia
Micheal Axelsen, FCPA, director, Applied Insight Pty Ltd., Australia
Ashley Goldsworthy, AO, OBE, FTSE, FCIE, FCPA, professor, Australia
Duncan Martin, CISA, ACA, CIA, CPA, chief financial officer, The Rock Building Society Ltd., Australia
Glen McMurtrie, CISA, CBM, CFE, principal internal auditor, Department of Communities, Australia
Simon Middap, group manager, ICT and projects, ENERGEX Ltd., Australia
John Thorp, CMC, I.S.P., The Thorp Network Inc., Canada

ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors, employers or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

Subscription Rates:
US: one year (6 issues) $75.00
All international orders: one year (6 issues) $90.00
Remittance must be made in US funds.


What is CISA	What is CISM	What is CGEIT	What is CRISC
Benefits of CISA	Benefits of CISM	Benefits of CGEIT	Benefits of CRISC
How to Become Certified	How to Become Certified	How to Become Certified	How to Become Certified
Register for the Exam	Register for the Exam	Register for the Exam	Register for the Exam
Prepare for the Exam	Prepare for the Exam	Prepare for the Exam	Prepare for the Exam
Taking the Exam	Taking the Exam	Taking the Exam	Taking the Exam
Apply for Certification	Apply for Certification	Apply for Certification	Apply for Certification
Maintain Your CISA	Maintain Your CISM	Maintain Your CGEIT	Maintain Your CRISC


COBIT 5 Home
Product Family
Education and Training
News
Recognition
Join the Conversation
Looking for COBIT 4.1?