I was a member of an innovation team because of my expertise in servers, Active Directory and general information security practices. However, I also brought my audit background. Because of this, I entered the team with trepidation. I wondered how the innovation effort would honor the processes and controls we had in place to protect the organization. As an auditor, I realized that people operating outside of their domains could lack the knowledge of necessary safeguards and, due to the intended rapid pace of prototyping and development, they would not think about them.
I started thinking about what an auditor should bring to the team. What I quickly realized is that we already have guidance on how to handle an innovation situation. Effectively, we are performing the same function as we do for projects, but at a greater-than-normal speed. In reality, this is no different from working on an emergency project. As an IT industry, we have had a number of global efforts of this type, whether we are talking Y2K or figuring out how to achieve EU General Data Protection Regulation (GDPR) compliance. Individually, most of us have been on those types of projects specific to our industry or our organization.
Practically speaking, just like on those types of projects, communication is key for innovation. It is easy to sit back and wait for people to come to us. However, given the rapid pace of innovation, they will not. To be effective, we must be proactive. Reaching out, especially by methods other than email, is crucial to being an active part of the team. The more we communicate, the more trust we build. The more trust we build, the more weight our fellow teammates are going to give to what we share. Therefore, we have to pour more energy and effort into innovation than our standard practice if we want to ensure that critical controls are met and ensure that proper controls are built into whatever is new. At the end of the day, innovation is like any other project initiative: It is about people.
Read K. Brian Kelley’s recent Journal article:
“Innovation Governance: Innovation and the Auditor,” ISACA Journal, volume 3, 2019.
It was 150 years ago that Sir Edward Tylor first referenced culture (in an anthropological sense) in his book Primitive Culture. Then, 80 years later, Elliott Jaques, Ph.D., published The Changing Culture of a Factory, introducing organizational culture as the “… customary and traditional way of thinking and doing of things…and which new members must learn, and at least partially accept, in order to be accepted into service in the firm.”1 Today, another 70 years later, organizational culture is recognized as the most significant of all IT governance critical success factors.
This last finding implies that if we ignore the impact of culture on IT governance, then almost anything we do from an IT governance perspective may very well be doomed in spite of our best efforts. This state of affairs is amplified in digital transformation and in the governance of emerging technology, given the pressing need for today’s organizations to increasingly adopt digital—to maintain their competitiveness or, better, to enhance it—and for these activities to create the diverse kinds of value expected of them.
In a digital transformation context, the issue has become much less about having transformational efforts fit into an existing culture, as Jaques proposed, and much more about what changes in an organization’s norms and behaviors may be required for digital transformation and emerging technology initiatives to succeed in the interests of the sustainability of the organization.
In my recent Journal article “The Sheer Gravity of Underestimating Culture as an IT Governance Risk,” I explore the impact of culture on effective IT governance in quite some depth, concluding that corporate culture is instrumental in effective enterprise IT governance, and that it is entirely as significant a stream of work as is the actual implementation effort. For example, if the norms and behaviors of the organization are contrary to the norms and behaviors required for the effective deployment of the technology, then a cultural change will be required for the technology to be successful. The art is ultimately in how to articulate the existing corporate culture, how to articulate the desired culture and how to close the gap between these two points.
In his book Transforming IT Culture, Frank Wander notes that, “We are unable to break free of a cultural model that embraces process warmly while coldly treating people, thus perpetuating a cycle of project failure in this human-centric, emotional endeavor.”2 Whether we are talking about traditional IT initiatives or digitally transformational IT initiatives, we should take note that as much attention should be paid to the process of implementing the technology as should be paid to ensuring that people—incidentally, the very mechanism expected to drive value from those IT initiatives—are warmly and appropriately integrated into the otherwise cold IT initiative or digital transformation program.
Read Guy Pearce’s recent Journal article:
“The Sheer Gravity of Underestimating Culture as an IT Governance Risk,” ISACA Journal, volume 3, 2019.
1 Jaques, E.; The Changing Culture of a Factory, Tavistock Publications Ltd., UK, 1951
2 Wander, F.; Transforming IT Culture, John Wiley & Sons Inc., USA, 2013
In light of digital transformation, boards of directors (BoD) often recognize the need for more engagement in digital strategy and oversight. At the same time, many of them are seeking advice on how to realize this type of involvement. Our goal is to enable board members to learn from their peers and translate best practices of other organizations to their own context. To inspire them, we discuss the board IT governance mechanisms that were established at the University of Antwerp (Belgium).
The University of Antwerp: The Context
Like many organizations, the University of Antwerp has become increasingly dependent on IT. No central business forum existed to decide which projects would be executed and which would not, swamping the IT department with many requests it could not deliver against. This situation often led to frustration on the business side, a tension that was also reported to and known by some board members. Furthermore, in 2016, a new rector took office at the University of Antwerp. The newly appointed rector strongly believes it is the task of the BoD to create a long-term vision, including on IT-related issues.
Two New Governing Structures
A widely acknowledged strategy to increase the involvement of the BoD in IT-related decision-making and control is to enhance its IT expertise. Yet the various board members of the university are elected by different university entities. As a result, little room exists to thoughtfully compose the board on the basis of the university’s needs and to increase its IT expertise. Therefore, the university chose an alternative path, creating 2 committees that assist the board in IT-related decision-making and control (figure 1).
Figure 1—Committees Assisting the Board of Directors
- The IT governance committee is responsible for short-term decisions and portfolio management of IT-enabled investments. Its main goal is to manage the IT-enabled investment portfolio more effectively and transparently and make sure it is in line with the overall organizational strategy. However, the aim of the committee is not to go into the technical details, but to discuss the investments from a business perspective. The IT governance committee includes representatives of all university entities, including 4 directors. All other directors are always welcome to join.
- The digital strategy think tank’s task is to keep an eye on the impact of technological developments on the university and consider how societal and market challenges could be addressed leveraging technology. The BoD is represented in this committee; that is, the rector and one other board member are included.
Our recent Journal article shows how BoDs can actively engage in the IT debate, even those boards with a limited amount of IT expertise.
Read Steven De Haes, Laura Caluwe, Anant Joshi and Tim Huygh’s recent Journal article:
“How Boards Engage in Digital Strategy and Oversight: The Case of the University of Antwerp,” ISACA Journal, volume 5, 2018.
Digital innovation and transformation is difficult when there is little in the way of clear and decisive senior leadership direction for it. However, not only may senior leadership lack the qualifications and experience necessary to guide enterprise digital transformation, they may also lack the frameworks required to oversee those innovations. So it is no surprise that digital transformation is difficult; there can be no suitable support given poor strategic direction.
What Is Digital Transformation?
Merely deploying digital technology does not mean that an organization is digital, e.g., digitizing paper forms is just that—the digitization of paper forms. It does not suddenly make the organization digital. A digital organization would mean that every stakeholder interacting with those forms does so digitally, while simultaneously and increasingly satisfying various stakeholder expectations. Without the latter, why would anyone actually bother? Indeed, this is what makes up the digital business case.
Done well, there would be no further need for processes involving paper forms, and there would be no more paper forms. In other words, the fundamental processes for managing these data flows would change dramatically. Moreover, fundamental changes to these processes would fundamentally impact almost every other process in the business.
Digital transformation demands senior direction and support because it is so much more than the old IT promise of process automation. Truly digital organizations are no longer bound by analog concepts such as opening hours and geographical location because digital is a key enabler of anywhere, anytime convenience, a key attraction of a digital business. This level of corporate transformation and innovation succeeds for few, but there are steps that can be taken to improve the chances of success. (See my ISACA® Journal, volume 2, 2018, article, “Minimizing the High Risk of Failure of Corporate Innovation.”)
Bold Board Leadership: A Key Facilitator of Successful Digital Transformation
Some businesses maintain the status quo until profitability suffers, a case of, “why spend money if you do not have to?” These reactive organizations are the most likely to require digital transformation to survive. It is very risky at this point, but it becomes a matter of there being no choice. There is, however, such a thing as being too late.
Other businesses—possibly more long-sighted or without legacy baggage—proactively look to digital to realize competitive advantage. For these organizations, the inevitability of full digital transformation is less risky if they are not already digital by design.
In either case, a task of the board is to approve strategy, one that ensures organizational sustainability. A key driver of sustainability, at least for tertiary industries, is digitization. If the board is unable to articulate or validate the need for digitization within the organization’s strategy, then the risk profile of the entire organization increases because sustainability is compromised. Read my volume 5, 2018, article, “Digital Transformation? Boards Are Not Ready for It!” to learn why boards may be lacking both the qualifications and experience necessary to facilitate enterprise digital transformation.
Read Guy Pearce’s recent Journal article:
“Digital Transformation? Boards Are Not Ready for It!,” ISACA Journal, volume 5, 2018.
Technological innovation has significant governance dynamics. Linked to the governance dynamics are offensive and defensive innovation strategies. Offensive strategies encompass reconfiguration, redefinition and pure spending. Reconfiguration occurs when the challenger performs an activity innovation in the value chain or the configuration of the entire business. Redefinition arises when a challenger redefines the competitive scope compared to the market leader. Pure spending transpires when the challenger buys a market position through superior resource utilization or a greater willingness to invest.
Conversely, a defensive strategy focuses on lowering the probability of competition from new entrants pursuing innovation monetization or from established competitors seeking to reposition a line of business. Defensive strategies encompass technology licensing, selective retaliation, entry deterrence and forming coalitions. The principal objective of implementing a defensive plan is to influence new entrants or established competitors to conclude that market participation is an unattractive organizational commitment.
An enterprise’s strategy converges on managing the envisioned destiny and achieving the articulated objectives. Michael Porter’s updated 5 Forces paradigm aids in studying market competitiveness through assessing the power of buyers, the power of suppliers, availability of substitutes, threats of new entrants and industry rivalry. These 5 forces assist in determining if an opportunity exists to enhance the organizational state, based on what is occurring in the marketplace and anticipated potential threats. Nonetheless, dynamic capabilities are also important; they can be viewed as strategic options that give firms the choice to pursue new directions when opportunities arise.
Technological innovation efficacy depends on usage within a value chain. Offensive or defensive strategies can affect short-term profitability, depending on the available resources and the macro environment in which the enterprise operates. Thus, to achieve effective technical innovation, manager-leaders should govern technological innovation considering complex adaptive system theory to ensure strategic viability. Proper management regulates participating parties in a collaborative relationship through governance mechanisms reflecting technology innovation dynamics. My Journal article presents how to manage technical innovation-related risk and obtain support for technological innovation projects based on an offensive or defensive strategy decision.
Read Robert E. Davis’ recent Journal article:
“Technology Innovation Dynamics: Innovation Governance,” ISACA Journal, volume 4, 2018.
Recently, the world has seen more leaders win elections based on promises to fight against corruption in their countries. This shows how eager people are to weed out corruption, terror funding and illegal transactions, and to bring transparency to every sphere of human life. People want reform and, if given an opportunity by the government to participate in the process of governance of currencies, both the people and the government will benefit.
The 3 main components in the implementation of the e-governance of currencies are encrypted Quick Response (QR) code printing on currencies, endpoint devices handling currencies and the backend system of the central bank.
Fiat currencies are printed using a sophisticated technology on a very special material that supports ultraviolet, infrared and magnetic sensors for their security features. Having the QR code printed with encrypted data in it, using the double-layered encoding, might not be that difficult.
Currency counting machines, e.g., automated teller machines (ATMs) and cash deposit machines (CDMs), used at bank counters, by cashiers and by cash handling systems, would need 2 additional changes. First, they need network connectivity for mutual authentication of the devices with the central bank. Second, they require additional circuitry, or use of existing circuitry, to scan the encrypted QR code. In the case of a smartphone, a valid mobile number, a camera and an application (app) from the central bank to connect online should be enough to do mutual authentication and to scan.
The backend system needs a database, encryption and decryption, app support, mutual authentication, and a set of features for tracking, tagging and recording information from the devices; these functions are primarily carried out by the central bank.
The use of QR codes is an additional security feature and will only add value to the existing system and process, and its integration does not mandate a strict timeline or specific environment. Its implementation is very flexible and can be carried out on an ongoing basis, without any enforcements or disruption of existing services.
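The three components above (an encrypted QR tag on the note, endpoint devices that mutually authenticate with the central bank, and a backend that decodes scans against its database and records them) can be sketched end to end in code. The following is an added example written for this page, not code from the article or from any central bank. Everything in it is constructed for the demo: the master key, the device key, the serial numbers and the `CentralBank`/`device_authenticate` names. The article’s “double-layered encoding” is interpreted here as an inner encrypt-then-MAC layer under an outer base64 layer, and the cipher is a toy SHA-256 counter-mode keystream so the block runs with the standard library only; a real deployment would use a vetted AEAD such as AES-GCM and a hardware-backed key store.

```python
import base64
import hashlib
import hmac
import json
import secrets

CENTRAL_BANK_KEY = b"demo-central-bank-master-key-32b"  # constructed demo key, not a real one

def _mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def _keystream_xor(key, nonce, data):
    """Toy counter-mode cipher: XOR data with SHA-256(key||nonce||counter) blocks.
    Stands in for a vetted AEAD such as AES-GCM so the demo stays stdlib-only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

def encode_note_tag(master, serial, denomination):
    """Inner layer: encrypt-then-MAC the note record under separately derived keys;
    outer layer: URL-safe base64, which is what gets printed into the QR code."""
    plaintext = json.dumps({"serial": serial, "denom": denomination}).encode()
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(_mac(master, b"enc"), nonce, plaintext)
    return base64.urlsafe_b64encode(nonce + ct + _mac(_mac(master, b"mac"), nonce, ct)[:16]).decode()

def decode_note_tag(master, payload):
    """Verify the MAC before decrypting; a forged or corrupted tag yields None."""
    try:
        raw = base64.urlsafe_b64decode(payload.encode())
    except ValueError:
        return None
    if len(raw) < 28:  # nonce (12) + tag (16) at minimum
        return None
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    if not hmac.compare_digest(tag, _mac(_mac(master, b"mac"), nonce, ct)[:16]):
        return None
    return json.loads(_keystream_xor(_mac(master, b"enc"), nonce, ct))

class CentralBank:
    """Backend: note database, device registry, mutual authentication and scan log."""
    def __init__(self, master):
        self.master = master
        self.notes = {}         # serial -> record (stands in for the database)
        self.devices = {}       # device_id -> key shared with that device
        self.scan_log = []      # (device_id, serial, result): tracking and tagging
        self._pending = {}      # device_id -> challenge issued to it
        self._sessions = set()  # device_ids that completed mutual authentication

    def issue_note(self, serial, denomination):
        self.notes[serial] = {"denom": denomination, "status": "in_circulation"}
        return encode_note_tag(self.master, serial, denomination)

    def start_auth(self, device_id):
        self._pending[device_id] = secrets.token_bytes(16)
        return self._pending[device_id]

    def finish_auth(self, device_id, dev_challenge, dev_proof):
        """Check the device's proof over our challenge, then prove ourselves over its."""
        key = self.devices.get(device_id)
        bank_challenge = self._pending.pop(device_id, None)
        if key is None or bank_challenge is None:
            return None
        if not hmac.compare_digest(_mac(key, b"device", bank_challenge, dev_challenge), dev_proof):
            return None
        self._sessions.add(device_id)
        return _mac(key, b"bank", dev_challenge, bank_challenge)

    def report_scan(self, device_id, payload):
        """Decode a scanned tag, check it against the database and record the event."""
        if device_id not in self._sessions:
            return "unauthenticated device"
        rec = decode_note_tag(self.master, payload)
        if rec is None:
            result, serial = "invalid tag", None
        elif rec["serial"] not in self.notes:
            result, serial = "unknown serial", rec["serial"]
        elif self.notes[rec["serial"]]["denom"] != rec["denom"]:
            result, serial = "denomination mismatch", rec["serial"]
        else:
            result, serial = "ok", rec["serial"]
        self.scan_log.append((device_id, serial, result))
        return result

def device_authenticate(bank, device_id, key):
    """Endpoint side (ATM, CDM or central-bank app) of the challenge-response handshake."""
    bank_challenge = bank.start_auth(device_id)
    my_challenge = secrets.token_bytes(16)
    bank_proof = bank.finish_auth(device_id, my_challenge, _mac(key, b"device", bank_challenge, my_challenge))
    expected = _mac(key, b"bank", my_challenge, bank_challenge)
    return bank_proof is not None and hmac.compare_digest(bank_proof, expected)
```

The design choices worth noticing are the ones the article’s components imply: the device is refused until the two-way handshake completes, so a scan report from an unregistered or wrongly keyed device never reaches the note database; the MAC is checked before anything is decrypted, so a forged or damaged QR code is rejected as “invalid tag” without leaking anything about the plaintext; and every accepted or rejected scan is appended to the backend’s log with the device identity, which is the raw material for the tracking and tagging the article describes.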
Read Vijayavanitha Sankarapandian’s recent Journal article:
“E-Governance of Currencies,” ISACA Journal, volume 2, 2018.
“Governance” and “innovation” are terms of such global importance today that an innovation governance event billed as “the first global leadership roundtable centered on issues at the intersection of [artificial intelligence] innovation and governance” was hosted in Belgium in March. No less than the country’s deputy prime minister cohosted the event.
Few can forget Elon Musk’s comments at the Massachusetts Institute of Technology (Massachusetts, USA) as quoted by The Guardian on 27 October 2014: “I’m increasingly inclined to think that there should be some regulatory oversight, maybe at the national and international level, just to make sure that we don’t do something very foolish.” USA Today reported cosmologist Stephen Hawking saying that artificial intelligence (AI) could prove to be “the worst event in the history of civilization” on 2 January 2018. The source reminds us that Facebook’s Mark Zuckerberg pooh-poohed these warnings. The summit’s participants, however, recognize that there is a potential issue and, therefore, aim to begin the conversation of AI innovation governance at a global policy level.
Closer to home, ISACA’s CGEIT Review Manual reminds us of John C. Henderson and N. Venkatraman’s strategic IT-business alignment model, published in the IBM Systems Journal back in 1999, titled “Strategic Alignment: Leveraging Information Technology for Transforming Organizations.” While the model provides a “competitive potential alignment” perspective, the question of the governance of that transformation is unanswered. For 1999, this was forgivable, as innovation governance was likely nowhere near top-of-mind. Today, forgiveness is increasingly less likely.
Pragmatically, the call for global policy-led AI innovation governance is at an extreme end of the IT innovation governance spectrum. For corporations, innovation governance matters because organizational resources are involved and because it is a governance imperative to ensure that those resources are appropriately directed toward fulfilling the organization’s strategy. While some may be familiar with the risk and compliance aspects of innovation, fewer might be familiar with the corporate governance imperatives associated with corporate innovation. My Journal article aims to create awareness of the need for improved corporate innovation governance in the interest of good corporate governance.
A follow-up AI innovation governance summit is already planned for the United States this year. If its future impact results in various government policies being established, regional regulations are sure to follow. And where there are more regulations, governance oversight and compliance management are imperatives, which ensures that innovation governance becomes increasingly topical at the board level.
Read Guy Pearce’s recent Journal article:
“Minimizing the High Risk of Failure of Corporate Innovation,” ISACA Journal, volume 2, 2018.
Almost every enterprise aspires to use technology for integrating information, achieving process efficiencies and transforming service delivery into a paragon of effectiveness. Organizational leaders should manage innovation by creating processes that sustain or increase business performance and growth. If properly integrated, among other benefits, information technology can provide a competitive advantage for innovative products and services. Nonetheless, there is a need for innovation governance to ensure IT is achieving management’s objectives.
Governance of an enterprise usually occurs at different organizational strata. As a result, procedures are operationally tailored, with processes linking to systems, and systems interfacing with various programs receiving objectives from the firm’s oversight committee through established reporting lines. Consistent with corporate governance, IT governance and information security governance definitions, innovation governance represents combined people, processes and technologies deployed by the organization’s highest-level oversight committee and executive management to inform, direct, manage and monitor creativity toward objectives achievement.
Implicit in the aligned definition, effective innovation governance is innovation management’s fiduciary relationship with stakeholders, executive management and the organization’s customers. However, there are few available frameworks for implementing innovation governance within an enterprise. I address this gap in my Journal article by defining the structure for organizational knowledge sharing through applying a supply chain platform framework that can assist management in governing innovations.
Business manager-leaders face constant pressure to achieve and sustain a competitive advantage. Therefore, manager-leaders need to address the pros and cons of innovation strategies in their markets. Using strengths, weaknesses, opportunities and threats (SWOT) analysis enables the creation and definition of objectives tailored to the firm’s environment after assessing current capabilities. Subsequently, an enterprise’s innovation strategy converges on managing the envisioned destiny and achieving the articulated objectives. My Journal article integrates business and IT platform strategies as a means to generate appropriate innovation governance and then relates various competitive strategies to IT platforms for achieving the selected business objectives.
Read Robert Davis’ recent Journal article:
“Applying a Technological Integration Decision Framework to Innovation Governance,” ISACA® Journal, volume 2, 2018.
Determining the level of process maturity for a given set of IT-related processes allows organizations to determine which processes are essentially under control and which represent potential “pain points.” Process maturity has been a core component of COBIT for more than a decade; however, in COBIT 5, there was a change from the Maturity Model used in COBIT 4.1 to a Process Capability Model.
Currently, the COBIT 5 Process Assessment Model (PAM) is based on International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 15504, which has been the global reference for conducting process capability assessments. Meanwhile, a new standard, the ISO/IEC 330xx family, has replaced and extended the ISO/IEC 15504 family. Since the ISO/IEC 15504 family is now withdrawn, an update of the ISACA publication COBIT Process Assessment Model (PAM): Using COBIT 5 should be considered.
The new ISO/IEC 330xx family of standards presents a more detailed and well-defined process assessment model than the older ISO/IEC 15504 family. The gaps regarding rating methods and aggregation methods perceived in the older standard have now been closed with clear and standardized guidance on how to perform them. Also, the definitions of some process attributes, outcomes and base practices are now more consistent. Therefore, for all these reasons, updating COBIT 5 PAM to this new standard is not only a necessity, but also an opportunity to improve the assessment of COBIT 5 processes.
Read Joao Souza Neto, Rafael Almeida, Pedro Linares Pinto and Miguel Mira da Silva’s recent Journal article:
“A COBIT 5 PAM Update Compliant with ISO/IEC 330xx Family,” ISACA Journal, volume 1, 2018.
Most of us live in cities. We are always busy, so we only see the impact and benefit of IT when it is not there, e.g., during failures, service unavailability, loss of physical devices, natural disasters and so on.
The definition of “city” has evolved, and IT has been an enabler for that evolution, transforming cities to become smart or smart sustainable. All types of disruptive or cognitive technology used in this transformation have benefits and risk, but if they are well governed, the probability of value delivery increases.
In my recent Journal article, I present how an IT governance framework can be implemented to help cities get value from the use of IT, following the structure proposed by ISACA’s publication Getting Started With GEIT: A Primer for Implementing Governance of Enterprise IT.
A city’s board and executive managers need to evaluate the requirements of all of the city’s stakeholders, considering cultural aspects, transparency, accountability for investments and use of the community’s financial resources.
IT must have direction, and there must be clear definition of the city’s IT-related and enabler goals. Finally, monitoring activities have to be undertaken to demonstrate that value has been delivered; benefits realization and risk and resource optimization should be measured and compared with expectations.
Read Graciela Braga’s recent Journal article:
“Smart Sustainable Cities Need Well-governed Disruptive IT, Not Just IT,” ISACA Journal, volume 1, 2017.