Where networking and knowledge intersect.
T. van der Walt, A. D. Coetsee and S. H. von Solms
For South Africa, a developing country, social, economic, political and cultural transformation is very high on its agenda. Information and communication technology (ICT) is a key enabler to achieve these developmental goals and to position South Africa for sustainable growth. But without appropriate governance, the value of ICT cannot be unlocked.
The King Report on Corporate Governance updated in 2009 (King III), issued by the King Committee on Corporate Governance, explains good governance in the context of effective leadership, as the responsibility of strategic leadership to define strategy, provide direction and ensure sustainability of performance.1
Corporate governance of ICT (CGICT), as a subset of corporate governance, is subject to strategic leadership in an organisation. When this leadership is either lacking or poorly executed, it negatively impacts the performance of the organisation.
The successful implementation of CGICT in an organisation is dependent on the implementation of effective governance and management systems on three levels: the governing body, organisational management, and ICT management and operations. (The last item is not the subject of and, thus, will not be addressed in this article.)
Internationally, much research, literature, best practice and standards are available on CGICT. However, research and case studies on CGICT in the governments of developing countries are lacking. For the purpose of this article, the authors identified the following as international best practices in the field of CGICT:
The article will further discuss how the Department of Public Service and Administration (DPSA)’s CGICT Policy Framework (CGICTPF)5 was influenced by these international best practices. The scope of this article is the South African Public Service, which is constituted of two levels of government, namely the national and provincial government, excluding local governments.6 Reference to departments includes national and provincial departments and provincial administrations.
The CGICTPF facilitates the institutionalisation of CGICT as an integral part of corporate governance within the South African Public Service in a uniform and coordinated manner.7 It follows a layered approach making provision for Public Service-wide political direction and oversight from Parliament and Cabinet, involving policy and monitoring departments and forums. On a departmental level, it provides an accountability structure for the executive authority, head of department and executive management through a set of principles and practices, and provides a governance model and an implementation approach.8
Guided by the CGICTPF, departments are expected to further develop and implement their own framework to suit their individual environments. The CGICTPF requires departments to follow a three-phased implementation approach:
It is acknowledged that there are many related good practices and frameworks in the field of CGICT. However, the Governance Task Team found ISO/IEC 38500, King III and COBIT 5 to be the most relevant to inform the development of the CGICTPF because they discuss the practices and principles required to implement CGICT. In this context, a principle is expressed as a preferred behaviour to guide decision making, and a practice is the activities through which the principles are implemented.9
ISO/IEC 38500 StandardThis advisory standard provides a top-down approach and is comprised of definitions, principles, practices required to implement the principles, and a model for the governance of ICT and its related activities.10 The model describes the tasks of evaluating, directing and monitoring and is used to apply the principles. The principles primarily guide governing bodies, which can, in turn, direct that certain actions be taken by management. ISO/IEC 38500 explains the increasing importance of ICT, as a functional business tool, to the current and future business plans of organisations and the related significant ICT expenditure. It assists governing bodies and management to understand their responsibility for ICT within the organisation.
King III The King III report dedicates a chapter (Chapter 5) to the governance of ICT. It also follows a top-down approach to address the accountability of the governing body and management regarding “leadership, sustainability and corporate citizenship” responsibilities for corporate governance, fully integrating ICT into an organisation.11 It alludes to the ever-increasing reliance of organisations on ICT as an enabler of business and the resultant escalation in organisational risk. King III creates awareness about the responsibility of the governing body and management for the effective and efficient governance of ICT to ensure that they support the strategic objectives of the organisation. In support of the creation of awareness, King III provides specific principles and practices that should be achieved and executed within a “comply or explain” regime12 by the governing body and management.
COBIT 5COBIT 5 is a comprehensive business framework that follows a holistic (top-down and bottom-up) approach to assist organisations in achieving their objectives for GEIT.13 It focuses on the pervasiveness of ICT, the increasingly important role ICT plays in improving quality of information and generating value from ICT expenditure. The governing body and executive management need to embrace ICT as they would any other asset/resource of business.
Comprising five principles and seven enablers, COBIT 5 creates awareness of the importance of implementing CGICT in support of strategic goals at all levels of an organisation. It provides a comprehensive and adaptable framework of governance and management processes, allocating responsible, accountable, consulted and informed (RACI) roles as well as a facilitative implementation guide.
COBIT 5 also supports the adoption of ISO/IEC 38500’s principles and implementation approach.14
King III and ISO/IEE 38500 provide primarily top-down approaches for the implementation of CGICT. COBIT 5, on the other hand, follows a combined approach. A combination of these best practices guided the holistic approach followed in the CGICTPF.
Layered Governance ModelAlthough generic, the best practices for CGICT focus primarily on the private sector. They refer to governing bodies as the board of directors and organisational management, implying a two-layer approach. King III, ISO/IEC 38500 and COBIT 5 agree that the ultimate accountability for corporate governance of ICT lies with the board. The equivalent of this had to be defined in the South African Public Service context.
On a Public Service-wide, holistic level, Parliament and Cabinet fulfil the role of the governing body, whilst within the individual departments, each with its own mandates and governance structures, the executive authority (minister) provides political leadership and the head of department and executive management (heads of branches within departments) provide the strategic leadership. This complexity required a three-layer approach in the CGICTPF:
Currently, most departments treat the ICT function as a technical entity15 and do not govern it as an asset to add value to service delivery. Its governance is not embedded in the corporate governance systems within the three levels. The CGICTPF facilitates the institutionalisation of CGICT on these three levels.
Governance and Management ModelISO/IEC 38500 establishes a model for the governance of ICT, which describes the evaluating, directing and monitoring tasks of the governing body.16 This model was adapted to reflect CGICT from an external, Public Service-wide political, prescriptive and oversight environment to a departmental, internal context, depicting the total value chain.
Accountability FrameworkDue to the history of the apparent disconnect between political and strategic leadership and the ICT function in departments, it was concluded that King III should comply with or explain the system of governance with no significant results in departments. King III, however, alludes to the allocation of accountability and responsibility to both the board and organisational management. The required results in the South African Public Service can be achieved only in a compulsory compliance regime within the ambit of the Public Service Act and Regulation;17 therefore, an accountability framework was created that allocates specific principles, with their related practices, to the political and strategic leadership of departments.
Principles and PracticesISO/IEC 38500, King III and COBIT 5 demonstrate the concept of governance principles to achieve a specific outcome. ISO/IEC 38500 provides principles and describes practices as necessary for successful implementation of CGICT,18 whilst King III allocates specific accountability to the board through specific principles and related practices.19
COBIT 5 is based on principles and incorporating enablers, and also provides comprehensive governance and management processes and related practices, which provide guidance for the implementation of CGICT. The CGICTPF principles and practices were derived from these best practices, with the political and strategic leadership of a department being accountable for their implementation.
The principles address political and strategic mandate, CGICT, business and ICT strategic alignment, ICT expenditure, risk management and assurance, and organisational behaviour. The practices provide for the execution of the principles by allocating specific accountability, roles and responsibilities to the political and strategic management. The practices also allude to vertical sector mandates in which the mandate of executive authorities transcends into relevant business, provincial and local government.
Governance and Management SystemsISO/IEC 38500 and principle five of COBIT 5 require separate governance and management systems for CGICT.20 The CGICTPF is a governance framework and does not create context for a management system. The latter will be addressed in the pursuant implementation guideline, which will be derived from the COBIT 5 management processes.
Implementation ApproachThe generic implementation guidance of ISO/IEC 3850021 and COBIT 522 confirmed the importance of developing an implementation guideline for the CGICTPF. Therefore, the CGICTPF provides specific implementation guidance on how departments should create an enabling environment through a CGICT policy and charter, developing and implementing related policies and coordinating governance functions. Departments are further expected to perform business and ICT strategic alignment and achieve continuous improvement. The CGICTPF contains specific timelines within which each of these must be achieved.
No other case studies could be found where these international best practices were collectively and selectively adapted to a public service/federal government context. Thus, the DPSA had to develop a tailor-made CGICTPF. However the CGICTPF does not re-invent the wheel. Where applicable, it draws on the strengths of each of the leading international best practices. It spells out what should happen, how, when and by whom, thus providing specific guidance.
Extensive knowledge of the organisational environment is required for the development of a framework of this magnitude. In the South African Public Service, this knowledge base was available internally.
The CGICTPF is a flexible, holistic approach and creates a governance regime that spans all three levels of governance of ICT required in the South African Public Service. The CGICTPF follows a top-down approach from Cabinet and Parliament, the political governance of ICT, to political and executive leadership, at which point the executive authority for a department is accountable.
A principle-based accountability structure according to which the political and strategic leadership of departments must integrate the CGICT into their unique governance systems is provided. Furthermore, the policy framework provides practices to cascade the implementation of the governance principles, a timeline for their implementation, as well as context for a standard against which conformance and performance are measured.
As research/case studies on the CGICT in the governance regimes of governments of developing countries are lacking, it is anticipated that South Africa is the first public service to implement holistic CGICT. The CGICTPF could easily be adapted for governments of other developing countries.
Political support of the CGICTPF has not been tested as it is not yet approved by Cabinet. A lack of political will and drive would seriously impact the Public Service-wide implementation of CGICT.
The acceptance of and commitment to the implementation of the CGICTPF at the political and strategic leadership level in a department may place obstacles in the department’s road to conformance.
The political and strategic awareness of and buy-in to the CGICTPF and its related change management may delay the implementation process and may cause departments to miss implementation timelines.
The CGICTPF does not contain governance and management processes for implementation. It does, however, indicate that the implementation guideline provides guidance to the departments on the minimum set of COBIT 5 processes that should be implemented. The implementation guideline is still in development, thus the processes to be focused on have yet to be finalized.
CGICT is not a new subject and is addressed by international best practices such as King III, ISO/IEC 38500 and COBIT 5.
Individually these best practices did not sufficiently address the context of CGICT for the South African Public Service; however, collectively they provided a holistic approach and strong foundation for the development of the CGICTPF. The CGICTPF creates Public Service-wide and departmental context for the political and strategic leadership of ICT through principles, practices, a governance model and an implementation approach.
1 Institute of Directors Southern Africa, King Report on Governance for South Africa, South Africa, 1 September 20092 International Organization for Standardization, ISO/IEC 38500:2008, Corporate Governance of Information Technology, June 2008, Switzerland3 Op cit, Institute of Directors Southern Africa, 20094 ISACA, COBIT 5, USA, 2012, www.isaca.org/cobit55 Department of Public Service and Administration (DPSA), Draft Public Service Corporate Governance of Information and Communication Technology Policy Framework, internal document, South Africa, 1 March 20126 Department of Public Service and Administration, Public Service Act 103 of 1994, South Africa, 19947 The DPSA is the policy department for inter alia ICT in the South African Public Service (all national/provincial departments). 8 Op cit, DPSA, 20129 Op cit, International Organization for Standardization, 200810 Ibid.11 Op cit, Institute of Directors Southern Africa, 200912 Ibid.13 Op cit, ISACA, COBIT 514 Ibid. 15 The Auditor General of South Africa, ‘Status of the governance of information technology in government’, Letter from the Auditor General to the Department of Public Service and Administration regarding the information systems review of the governance of information technology in government, unpublished, 28 May 201016 Op cit, International Organization for Standardization, 200817 Department of Public Service and Administration, Electronic Government Regulations (as amended), South Africa, 5 January 200118 Op cit, International Organization for Standardization, 200819 Op cit, Institute of Directors Southern Africa, 200920 ISACA, COBIT 5: Enabling Processes, USA, 2012, www.isaca.org/cobit521 Op cit, International Organization for Standardization, 2008, p. 922 ISACA, COBIT 5: Implementation, USA, 2012, p. 10
T. van der Walt is a director in the Department of Public Service and Administration (DPSA), South African Public Service. She is coauthor and responsible for the development of the CGICT Policy Framework.
A. D. Coetsee is a deputy director in the DPSA and coauthor of the CGICT Policy Framework.
S. H. von Solms is the director of the Centre for Cyber Security, Academy for Computer Science and Software Engineering at the University of Johannesburg.
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2013 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.