Corporate governance and, more particularly, IT governance is more than just the latest IT management fad – it’s a comprehensive approach to solving many of the problems that have, for a long time, been plaguing companies’ infrastructure management efforts.
Indeed, from IT analysts like Gartner Group and Forrester Research to specialised communities such as the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), there is a strong drive towards the stricter application of an overall governing framework for IT.
“IT governance frameworks provide companies with a strong and workable foundation from which to align their IT and business objectives,” says Johan Botha, principal consultant at Quintica.
“However, often we find that organisations are implementing best practice for the sake of best practice without understanding how prolifically it will impact their business on the long run.”
Well-known IT governance framework CobiT (Control Objectives for Information and related Technology) takes it one step further. “IT governance is a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”
Frameworks like Val IT complement CobiT by analysing the strategic and business value of every IT investment and insisting that each project demonstrate ROI that aligns directly with companies’ organisational objectives.
Furthermore, IT governance and the resultant frameworks aren’t only applicable to listed companies, but can be implemented within every organisation as the benefits far outweigh the initial implementation process.
A strong foundation
That said, where do companies start? CobiT provides a strong and comprehensive foundation to work from, with other frameworks such as ITIL and ISO/IEC20000 filling in the gaps.
Together CobiT, ITIL and ISO/IEC20000 work in harmony to provide tangible business outcomes.
Winston Hayden, director of the South African chapter of ISACA, adds: “The latest version of the framework CobiT 4.0 features a section that was particularly authored to align business goals with that of IT.
“What this essentially means is that CobiT offers companies a strong business perspective while at the same time enabling practitioners to deliver on the promised value.
“It is also important to get to grips with the realities around your business – other portions of CobiT will enable you to do just that.
“CobiT enables you to, for example, do a quick scan of the maturity of your business as well as implement scorecard-based processes – this all offers a strong starting point,” he says.
Frameworks like ITIL and ISO/IEC20000 provide strong complementary processes, particularly in light of audit compliance.
However, says Botha, “what people need to realise is that when you are facing operational issues within your organisation, particularly with controls and processes, ITIL is an awesome tool.”
The importance of re-strategising
Implementing an effective IT governance strategy requires a lot of commitment, according to both Botha and Hayden.
“We still find that internal IT departments and even IT organisations shy away from IT governance,” says Botha
“They suffer from what we call the ‘hero syndrome’ and would rather continue to operate in a reactive environment, their comfort zone, than taking the IT governance route.
“Our biggest challenge is to educate business executives, emphasising how important it is to drive IT governance which, in turn, plays an integral part of their corporate governance efforts.”
Already the South African chapter of ISACA has made enormous inroads; however, Hayden adds that it takes a lot work to convince shareholders, particularly when the ROI is not that immediate.
“What companies don’t realise is that IT governance does not have to be implemented all at once. It can be done in a series of small projects in order to demonstrate what they set to gain.
“Furthermore, it’s not an inflexible process; if one process is not working it can be changed with minimal impact to the rest of implementation.”