Haris Hamidovic, CIA
The presence of an effective corporate governance system, within an individual company and across an economy as a whole, helps to provide a degree of confidence that is necessary for the proper function of a market economy.1
Governance is a process by which a board of directors, through management, guides an institution in fulfilling its corporate mission and protects the institution’s assets. Effective governance occurs when a board provides proper guidance to management regarding the strategic direction for the institution and oversees management’s efforts to move in this direction.2
Over the years, IT has become the backbone of businesses to the point where it would be impossible for many to function without it. IT is no longer separate from the enterprise; it is an essential element of it. While, in the past, business executives could delegate, ignore or avoid IT decisions, this is now impossible in most sectors and industries.3
A lack of board oversight for IT activities is dangerous; it puts the enterprise at risk in the same way that failing to audit its books would.4 In fact, the Bank for International Settlements (BIS) has pointed out that board members in financial institutions should address IT as they would any other strategic board agenda item.5
Critical dependency on information technology calls for a specific focus on IT governance to ensure that the investments in IT will generate the required business value and that risks associated with IT are mitigated.6
The main objective of this article is to provide an introduction to the key elements of IT governance, to key industry frameworks used by organizations, and to guiding principles for directors of organizations on the effective, efficient and acceptable use of IT within their organizations based on ISO/IEC 38500:2008.7 It should assist board members in starting to fulfill obligations in respect to their organizations’ use of IT.
The IT Governance Institute® (ITGI®) states that, fundamentally, the governance of IT is concerned about two things: IT’s delivery of value to the business and the mitigation of IT risks. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise. Both need to be supported by adequate resources and measured to ensure that the results are obtained.
This leads to the five main focus areas for IT governance, all driven by stakeholder value. Two of them are outcomes: value delivery and risk management. Three of them are drivers: strategic alignment, resource management (which overlays them all) and performance measurement. IT governance is also a continuous life cycle.8
IT governance is distinct from IT management. Governance determines who makes the decisions. Management is the process of making and implementing the decisions.9
IT governance is about who is entitled to make major decisions, who has input and who is accountable for implementing those decisions. It is not synonymous with IT management. IT governance is about decision rights, whereas IT management is about making and implementing specific IT decisions.10
A number of experts suggest frameworks that are detailed and intended for implementation by middle managers. These are known as IT governance “frameworks.” Some of the frequently cited frameworks are COBIT,12 ITIL13 and ISO/IEC 27001.14
Although these frameworks are characterized as “IT governance frameworks,” some of them are in fact management frameworks.15
These frameworks are not alternative treatments of the same issues.
COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.16
ITIL is essentially a series of documents that are used to aid the implementation of a framework for IT service management. This customizable framework defines how service management is applied within an organization. Although ITIL was originally created by the Central Computer and Telecommunications Agency (CCTA), a UK government agency, it is now adopted and used across the world as the de facto standard for best practice in the provision of IT services. Although ITIL covers a number of areas, its main focus is on IT service management.17
ISO/IEC 27001:2005 is a standard that sets out the requirements for an information security management system. It helps identify, manage and minimize the range of threats to which information is regularly subjected. The standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties, including an organization’s customers.18
As an example of the growing importance of IT governance, ISO released in 2008 a new worldwide standard, the objective of which is to provide a framework of principles for directors to use when evaluating, directing and monitoring the use of IT in their organizations. In this standard, ISO puts forward six principles for governance of IT:19
Enterprises implement their governance arrangements through a set of governance mechanisms: structures, processes and communications.20 Well-designed, well-understood and transparent governance mechanisms promote desirable IT behaviors. Conversely, if mechanisms are poorly implemented, then governance arrangements will fail to yield desirable results.
Effective governance deploys three different types of mechanisms: structures, processes and communications.
The Australian Computer Society president, Richard Hogg, said:
Just as [information and communication technologies (ICT)] managers are having to broaden their skills to better understand the business structure and processes they are required to support, so must boards enhance their awareness of the various issues associated with IT. Corporate boards must learn what questions to ask about ICT governance… It is poor corporate governance to push ICT governance down to the IT manager level. ICT is an integral part of their business and ICT governance is an integral part of corporate governance.21
Asking tough questions is an effective way to get started in implementing IT governance. Of course, those responsible for governance want good answers to these questions. Then they want action. Then they need follow-up. It is essential to determine not just the action, but also who is responsible to deliver what by when.22
The Canadian Institute of Chartered Accountants (CICA) released a brochure called “20 Questions Directors Should Ask About IT” to assist corporate directors in the discharge of their responsibilities. The document is also intended to be helpful to audit and IT steering committees.23 The questions make it clear that the prime responsibility rests with management to implement the necessary procedures. The board members need to determine that management has done so—that the procedures are in place.
Moreover, if the directors are to perform an effective oversight role with regard to management, they would be remiss to rely simply on the representations of management, no matter how honest and reliable management might be. Therefore, some corroborating evidence would be essential. Directors must determine that procedures are in place, that the procedures are appropriate, and they must obtain corroborating evidence.24
Maturity of the governance of key assets varies significantly in most enterprises today. Financial and physical assets are typically the best governed, and information assets are among the worst governed. However, IT governance should be an integral part of corporate governance. Asking proper questions is an effective way to get started in implementing IT governance. Board members must learn what questions to ask about IT governance. Then, they need good answers to these questions and they must require action. The next step is to implement governance arrangements through a set of governance mechanisms—structures, processes and communications.
1 Organisation for Economic Co-operation and Development (OECD), OECD Principles of Corporate Governance, France, 2004
2 Rock, Rachel; Maria Otero; Sonia Saltzman; Principles and Practices of Microfinance Governance, ACCION International, USA, August 1998
3 Van Grembergen, Wim; Steven DeHaes; Implementing Information Technology Governance: Models, Practices and Cases, IGI Publishing, USA, 2008
4 Nolan, Richard; F. Warren McFarlan; “Information Technology and the Board of Directors,” Harvard Business Review, 1 October 2005
5 Bank for International Settlements (BIS), “Enhancing Corporate Governance in Banking Organisations,” September 1999, referenced in IT Governance Institute (ITGI), Unlocking Value: An Executive Primer on the Critical Role of IT Governance, USA, 2008
6 Op cit, Van Grembergen and DeHaes, 2008
7 International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), ISO/IEC 38500:2008, Corporate governance of information technology, 2008, www.iso.org/iso/catalogue_detail.htm?csnumber=51639
8 ITGI, Board Briefing on IT Governance, 2nd Edition, USA, 2003
9 Weill, Peter; Jeanne Ross; IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business Press, USA, 2004
10 Broadbent, Marianne; “Understanding IT Governance,” CIO Canada, 1 April 2003
11 Musson, David; “IT Governance: A Critical Review of the Literature,” Information Technology Governance and Service Management: Frameworks and Adaptations, Ed. Aileen Cater-Steel, Information Science Reference, USA, 2009
12 ITGI, COBIT, 1996-2007, www.isaca.org/cobit
13 Office of Government Commerce, IT Infrastructure Library (ITIL) V3, UK, 2009
14 ISO and IEC, ISO/IEC 27001, Information technology—Security techniques—Information security management systems—Requirements, 2005, www.iso.org/iso/catalogue_detail?csnumber=42103
15 Van Bon, Jan; Arjen de Jong; Axel Kolthof; Mike Pieper; Ruby Tjassing; Annelies van der Veen; Tieneke Verheijen; Foundations of IT Service Management Based on ITIL® V3, Van Haren Publishing, The Netherlands, 2007
16 ISACA, www.isaca.org/cobit
17 IT Service Management Zone, www.itil.org.uk
18 BSI Management Systems, www.bsi-emea.com
19 Op cit, ISO/IEC 38500:2008
20 Op cit, Weill and Ross
21 Australian Computer Society (ACS), “ACS Stresses Need for Better ICT Governance,” media release, 5 March 2002
22 Op cit, ITGI, 2003
23 Canadian Institute of Chartered Accountants (CICA), “20 Questions Directors Should Ask About IT,” Canada, 2004
24 Trites, Gerald; “Director Responsibility for IT Governance,” International Journal of Accounting Information Systems, vol. 5, issue 2, July 2004
Haris Hamidovic, CIA, is chief information security officer at Microcredit Foundation EKI Sarajevo, Bosnia and Herzegovina. Prior to his current assignment, Hamidovic served as IT specialist in the North Atlantic Treaty Organization (NATO)-led Stabilization Force (SFOR) in Bosnia and Herzegovina. He is the author of four books and more than 60 articles for business and IT-related publications. Hamidovic is a certified information technology expert appointed by the Federal Ministry of Justice of Bosnia and Herzegovina.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2010 ISACA. All rights reserved.