Board Involvement in Digital Strategy and Oversight

In light of digital transformation, boards of directors (BoD) often recognize the need for more engagement in digital strategy and oversight. At the same time, many of them are seeking advice on how to realize this type of involvement. Our goal is to enable board members to learn from their peers and translate best practices of other organizations to their own context. To inspire them, we discuss the board IT governance mechanisms that were established at the University of Antwerp (Belgium).

The University of Antwerp: The Context
Like many organizations, the University of Antwerp has become increasingly dependent on IT. No central business forum existed to decide which projects would be executed and which would not, swamping the IT department with many requests it could not deliver against. This situation often led to frustration on the business side, a tension that was also reported to and known by some board members. Furthermore, in 2016, a new rector became head of the University of Antwerp. The newly appointed rector strongly believes it is the task of the BoD to create a long-term vision, also regarding IT-related issues.

Two New Governing Structures
A widely acknowledged strategy to increase the involvement of the BoD in IT-related decision-making and control is to enhance its IT expertise. Yet the various board members of the university are elected by different university entities. As a result, little room exists to thoughtfully compose the board on the basis of the university’s needs and to increase its IT expertise. Therefore, the university chose an alternative path, creating 2 committees that assist the board in IT-related decision-making and control (figure 1).

Figure 1—Committees Assisting the Board of Directors

  1. The IT governance committee is responsible for short-term decisions and portfolio management of IT-enabled investments. Its main goal is to manage the IT-enabled investment portfolio more effectively and transparently and make sure it is in line with the overall organizational strategy. However, the aim of the committee is not to go into the technical details, but to discuss the investments from a business perspective. The IT governance committee includes representatives of all university entities, including 4 directors. All other directors are always welcome to join.
  2. The digital strategy think tank’s task is to keep an eye on the impact of technological developments on the university and consider how societal and market challenges could be addressed leveraging technology. The BoD is represented in this committee; that is, the rector and one other board member are included.

Our recent Journal article shows how BoDs can actively engage in the IT debate, even those boards with a limited amount of IT expertise.

Read Steven De Haes, Laura Caluwe, Anant Joshi and Tim Huygh’s recent Journal article:

“How Boards Engage in Digital Strategy and Oversight: The Case of the University of Antwerp,” ISACA Journal, volume 5, 2018.

If Digital Transformation Is Hard, Your Board May Be Lacking Key Skills and Experiences

Digital innovation and transformation is difficult when there is little in the way of clear and decisive senior leadership direction for it. However, not only may senior leadership lack the qualifications and experience necessary to guide enterprise digital transformation, they may also lack the frameworks required to oversee those innovations. So it is no surprise that digital transformation is difficult; there can be no suitable support given poor strategic direction. 

What Is Digital Transformation?

Merely deploying digital technology does not mean that an organization is digital, e.g. digitizing paper forms is just that—the digitization of paper forms. It does not suddenly make the organization digital. A digital organization would mean that every stakeholder interacting with those forms does so digitally, simultaneously increasingly satisfying various stakeholder expectations. Without the latter, why would anyone actually bother? Indeed, this is what makes up the digital business case.

Done well, there would be no further need for processes involving paper forms, and there would be no more paper forms. In other words, the fundamental processes for managing these data flows would change dramatically. Moreover, fundamental changes to these processes would fundamentally impact almost every other process in the business.

Digital transformation demands senior direction and support because it is so much more than just about the old IT promise of process automation. Truly digital organizations are no longer bound by analog concepts such as opening hours and geographical location because digital is a key enabler of anywhere, anytime convenience; a key attraction of a digital business. This level of corporate transformation and innovation succeeds for few, but there are steps that can be taken to improve the chances of success. (See my ISACA® Journal, volume 2, 2018, article, “Minimizing the High Risk of Failure of Corporate Innovation.”)

Bold Board Leadership: A Key Facilitator of Successful Digital Transformation

Some businesses maintain the status quo until profitability suffers, a case of, “why spend money if you do not have to spend?” These reactive organizations are the most likely to require digital transformation to survive. It is very risky at this point, but it becomes a matter of there being no choice. There is, however, such a thing as being too late.

Other businesses—possibly more long-sighted or without legacy baggage—proactively look to digital to realize competitive advantage. For these organizations, the inevitability of full digital transformation is less risky if they are not already digital by design.  

In either case, a task of the board is to approve strategy, one that ensures organizational sustainability. A key driver of sustainability, at least for tertiary industries, is digitization. If the board is unable to articulate or validate the need for digitization within the organization’s strategy, then the risk profile of the entire organization increases because sustainability is compromised. Read my volume 5, 2018, article, “Digital Transformation? Boards Are Not Ready for It!” to learn why boards may be lacking both the qualifications and experience necessary to facilitate enterprise digital transformation.

Read Guy Pearce’s recent Journal article:
“Digital Transformation? Boards Are Not Ready for It!,” ISACA Journal, volume 5, 2018.

Managing Technology Innovation Efficacy

Technological innovation has significant governance dynamics. Linked to the governance dynamics are offensive and defensive innovation strategies. Offensive strategies encompass reconfiguration, redefinition and pure spending. Reconfiguration occurs when the challenger performs an activity innovation in the value chain or the configuration of the entire business. Redefinition arises when a challenger redefines the competitive scope compared to the market leader. Pure spending transpires when the challenger buys a market position through superior resources utilization or greater willingness to invest.

Conversely, a defensive strategy focuses on lowering the probability of competition from new entrants pursuing innovation monetarization or from established competitors seeking to reposition a line of business. Defensive strategies encompass technology licensing, selective retaliation, entry deterrence and forming coalitions. The principal objective of implementing a defensive plan is to influence new entrants or established competitors to conclude that market participation is an unattractive organizational commitment.

An enterprise’s strategy converges on managing the envisioned destiny and achieving the articulated objectives. Michael Porter’s updated 5 Forces paradigm aids in studying market competitiveness through assessing the power of buyers, the power of suppliers, availability of substitutes, threats of new entrants and industry rivalry. These 5 forces assist in determining if an opportunity exists to enhance the organizational state, based on what is occurring in the marketplace and anticipated potential threats. Nonetheless, of importance are dynamic capabilities, viewed as strategic options that give firms a choice to pursue new directions when opportunities arise.

Technological innovation efficacy depends on usage within a value chain. Offensive or defensive strategies can affect short-term profitability, depending on the available resources and the macro environment in which the enterprise operates. Thus, to achieve effective technical innovation, manager-leaders should govern technological innovation considering complex adaptive system theory to ensure strategic viability. Proper management regulates participating parties in a collaborative relationship through governance mechanisms reflecting technology innovation dynamics. My Journal article presents how to manage technical innovation-related risk and obtain support for technological innovation projects based on an offensive or defensive strategy decision.

Read Robert E. Davis’ recent Journal article:
“Technology Innovation Dynamics: Innovation Governance,” ISACA Journal, volume 4, 2018.

Security of Currencies

Recently, the world has seen more leaders win elections based on promises to fight against corruption in their countries. This shows how eager people are to weed out corruption, terror funding, illegal transactions and to bring transparency to every sphere of human life. People want reform and, if given an opportunity by the government to participate in the process of governance of currencies, both the people and the government will benefit.

The 3 main components in the implementation of the e-governance of currencies are encrypted Quick Response (QR) code printing on currencies, endpoint devices handling currencies and the backend system of the central bank.

Fiat currencies are printed using a sophisticated technology on a very special material that supports ultraviolet, infrared and magnetic sensors for their security features. Having the QR code printed with encrypted data in it, using the double-layered encoding, might not be that difficult.

Currency counting machines, e.g., automated teller machines (ATMs) and cash deposit machines (CDMs), used at bank counters, by cashiers and by cash handling systems, would need 2 additional changes. First, they need network connectivity for mutual authentication of the devices with the central bank. Second, they require additional or use of existing circuitry to scan the encrypted QR code. In the case of a smartphone, a valid mobile number, camera and an application (app) from the central bank to connect online should be enough to do mutual authentication and to scan.

The backend system needs a database; encryption; decryption; app support; mutual authentication and a set of features for tracking, tagging and recording information from the devices, which are primarily carried out by the central bank.

The use of QR codes is an additional security feature and will only add value to the existing system and process, and its integration does not mandate a strict timeline or specific environment. Its implementation is very flexible and can be carried out on an ongoing basis, without any enforcements or disruption of existing services.

Read Vijayavanitha Sankarapandian’s recent Journal article:
“E-Governance of Currencies,” ISACA Journal, volume 2, 2018.

IT Innovation Governance: From International Policy to Company Oversight

“Governance” and “innovation” are terms of such global importance today that an innovation governance event billed as “the first global leadership roundtable centered on issues at the intersection of [artificial intelligence] innovation and governance” was hosted in Belgium in March. No less than the country’s deputy prime minister cohosted the event.

Few can forget Elon Musk’s comments at the Massachusetts Institute of Technology (Massachusetts, USA) as quoted by The Guardian on 27 October 2014:  “I’m increasingly inclined to think that there should be some regulatory oversight, maybe at the national and international level, just to make sure that we don’t do something very foolish.” USA Today reported cosmologist Stephen Hawking saying that artificial intelligence (AI) could prove to be “the worst event in the history of civilization” on 2 January 2018. The source reminds us that Facebook’s Mark Zuckerberg poo-pooed these warnings. The summit’s participants, however, recognize that there is a potential issue and, therefore, aim to begin the conversation of AI innovation governance at a global policy level.

Closer to home, ISACA’s CGEIT Review Manual reminds us of John C. Henderson and N. Venkatraman’s strategic IT-business alignment model, published in the IBM Systems Journal back in 1999, titled “Strategic Alignment:  Leveraging Information Technology for Transforming Organizations.” While the model provides a “competitive potential alignment” perspective, the question of the governance of that transformation is unanswered. For 1999, this was forgivable, as innovation governance was likely nowhere near top-of-mind. Today, forgiveness is increasingly less likely.

Pragmatically, the call for global policy-led AI innovation governance is at an extreme end of the IT innovation governance spectrum. For corporations, innovation governance matters because organizational resources are involved and because it is a governance imperative to ensure that those resources are appropriately directed toward fulfilling the organization’s strategy. While some may be familiar with the risk and compliance aspects of innovation, fewer might be familiar with the corporate governance imperatives associated with corporate innovation. My Journal article aims to create awareness of the need for improved corporate innovation governance in the interest of good corporate governance.

A follow-up AI innovation governance summit is already planned for the United States this year. If its future impact results in various government policies being established, regional regulations are sure to follow. And where there are more regulations, governance oversight and compliance management are imperatives, which ensures that innovation governance becomes increasingly topical at the board level.

Read Guy Pearce’s recent Journal article:
“Minimizing the High Risk of Failure of Corporate Innovation,” ISACA Journal, volume 2, 2018.

Innovating Innovation Governance

Almost every enterprise aspires to use technology for integrating information, achieving process efficiencies and transforming service delivery into a paragon of effectiveness. Organizational leaders should manage innovation by creating processes that sustain or increase business performance and growth. If properly integrated, among other benefits, information technology can provide a competitive advantage for innovative products and services. Nonetheless, there is a need for innovation governance to ensure IT is achieving management’s objectives.

Governance of an enterprise usually occurs at different organizational strata. As a result, procedures are operationally tailored, with processes linking to systems, and systems interfacing with various programs receiving objectives from the firm’s oversight committee through established reporting lines. Consistent with corporate governance, IT governance and information security governance definitions, innovation governance represents combined people, processes and technologies deployed by the organization’s highest-level oversight committee and executive management to inform, direct, manage and monitor creativity toward objectives achievement.

Implicit in the aligned definition, effective innovation governance is innovation management’s fiduciary relationship with stakeholders, executive management and the organization’s customers. However, there are few available frameworks for implementing innovation governance within an enterprise. I address this gap in my Journal article by defining the structure for organizational knowledge sharing through applying a supply chain platform framework that can assist management in governing innovations.

Business manager-leaders face constant pressure to achieve and sustain a competitive advantage. Therefore, manager-leaders need to address the pros and cons of innovation strategies in their markets. Using strengths, weaknesses, opportunities and threat analysis enables the creation and defining of objectives tailored to the firm’s environment after assessing current capabilities. Subsequently, an enterprise’s innovation strategy converges on managing the envisioned destiny and achieving the articulated objectives. My Journal article integrates business and IT platform strategies as a means to generate appropriate innovation governance then relate various competitive strategies to IT platforms for achieving the selected business objectives.

Read Robert Davis’ recent Journal article:
“Applying a Technological Integration Decision Framework to Innovation Governance,” ISACA® Journal, volume 2, 2018.

Updating the COBIT Process Assessment Model

Determining the level of process maturity for a given set of IT-related processes allows organizations to determine which processes are essentially under control and which represent potential “pain points.” Process maturity has been a core component of COBIT for more than a decade; however, in COBIT 5, there was a change from the Maturity Model used in COBIT 4.1 to a Process Capability Model.

Currently, the COBIT 5 Process Assessment Model (PAM) is based on International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 15504, which is a global reference for conducting process capability assessments. Meanwhile, a new standard, namely the ISO/IEC 330xx family, replaced and extended the ISO/IEC 15504 family. Since the ISO/IEC 15504 family is now withdrawn and was replaced by the ISO/IEC 330xx family, an update of the ISACA publication COBIT Process Assessment Model (PAM):  Using COBIT 5 should be considered.

The new ISO/IEC 330xx family of standards presents a more detailed and well-defined process assessment model than the older ISO/IEC 15504 family. The gaps regarding rating methods and aggregation methods perceived in the older standard have now been solved with clear and standardized guidance on how to perform it. Also, the definitions of some process attributes, outcomes and base practices are now more consistent. Therefore, for all these reasons, updating COBIT 5 PAM to this new standard is not only a necessity, but also an opportunity to improve the assessment of COBIT 5 processes.

Read Joao Souza Neto, Rafael Almeida, Pedro Linares Pinto and Miguel Mira da Silva’s recent Journal article:
“A COBIT 5 PAM Update Compliant with ISO/IEC 330xx Family,” ISACA Journal, volume 1, 2018.

Governance and City Development

Most of us live in cities. We are always busy, so we only see the impact and benefit of IT when it is not there, e.g., during failures, service unavailability, loss of physical devices, natural disasters and so on.

The definition of “city” has evolved, and IT has been an enabler for that evolution, transforming cities to become smart or smart sustainable. All types of disruptive or cognitive technology used in this transformation have benefits and risk, but if they are well governed, the probability of value delivery increases.

In my recent Journal article, I present how an IT governance framework can be implemented to help cities get value from the use of IT, following the structure proposed by ISACA’s publication Getting Started With GEIT: A Primer for Implementing Governance of Enterprise IT.

A city’s board and executive managers need to evaluate the requirements of all of the city’s stakeholders, considering cultural aspects, transparency, accountability for investments and use of the community’s financial resources.

IT must have direction, and there must be clear definition of the city’s IT-related and enabler goals. Finally, monitoring activities have to be undertaken to demonstrate that value has been delivered; benefits realization and risk and resource optimization should be measured and compared with expectations.

Read Graciela Braga’s recent Journal article:
“Smart Sustainable Cities Need Well-governed Disruptive IT, Not Just IT,” ISACA Journal, volume 1, 2017.

The Decision to Adopt Machine Learning for Telemedicine

Telemedicine is fast-growing as a mobile health care information system (HIS) in most parts of the world. Fast Internet, smart phones and increased comfort of physicians in using electronic communication are also helping telemedicine become more widely adopted. Telemedicine consultation can contribute to reducing cost, lessening the stress of patients and improving accessibility to specialized consultations. However, it is difficult to schedule correct telemedicine sessions without a deep understanding of the health care needs of the region. The use of machine learning for decision making and better treatment has been a highly researched topic. Machine learning is also used to monitor patients remotely. However, this technique is not currently used to monitor telemedicine session broadcasting. In our recent Journal article, we present the case of an Indian health care organization that broadcasts telemedicine sessions to associated hospitals in remote locations. For the purpose of telemedicine governance, we suggest the following steps while using machine learning techniques through the department-session-organization (DSO) model proposed in our article:

  • Understand the specific IT governance problem using organization mission and vision to determine the purpose of the prediction model.
  • Past data collection, data cleaning to remove incomplete data and analysis of the data are required.
  • Perform data transformation for simplification and improved decision making if needed. For example, we simplified our model by clustering hospitals based on regions and identified teaching and nonteaching hospitals for better distinction and prediction.
  • Based on the data set, the organization needs to determine the kind of machine learning technique suitable for its decision making. In our study, as the variables were categorical and best suited for a classification model, we tested multiple classification techniques. Based on the results, we observed that a classification tree provided us the best prediction accuracy.

It is also important to balance the cost of information retrieval and resulting profit out of the prediction technique. While determining the return on the additional investment, we accounted for the risk associated with misclassification by the telemedicine decision support system (TDSS). A clear understanding of the risk and return on investment will help the hospital to understand the pros and cons of going forward with such a prediction technique.

Read Shounak Pal and Arunabha Mukhopadhyay’s recent Journal article:
“A Machine Learning Approach for Telemedicine Governance,” ISACA Journal, volume 1, 2017.

The Wall and Boundaries—Mild Spoiler Warning
Giuliano Pozza
Jon Snow, a character in the book and TV series Game of Thrones, realized that it was nonsense to have a wall dividing 2 cultural groups, with 1 group living south of the wall and 1 relegated to the north side. They were so different and yet so similar because of a shared goal: to survive the common enemy.

I believe in IT, we are in a similar situation. Now more than ever, diverse groups who share common goals but have different backgrounds, languages and cultures are required to cooperate. Unfortunately, our efforts to improve the specialization and competence of IT professionals are building a frustrating wall.
This way of operating cannot work. If we as IT professionals continue to deepen our technical and methodological skills without finding ways of effective communication and cooperation with other social groups, we are doomed to fail both in governance of enterprise IT (GEIT) and in value creation for the enterprise and society.

How can we change the status quo? This problem, of course, is not new. Social scientists studying similar situations have come up with an interesting concept called boundary objects. Boundary objects examine how different communities use information in different ways. Boundary work and boundary objects are only a part of the solution. Other basic ingredients of the recipe for effective collaboration are a shared governance framework, business and IT eLeadership, and effective communication.
Read Giuliano Pozza’s recent JournalOnline article:
“A Social Approach to IT Governance,” ISACA Journal, volume 4, 2014.