Communicating the Value of IT Governance

Author: Sunil Sheen, CRISC, CGEIT, AWS Solutions Architect, PMP
Date Published: 22 April 2020

A network patch management tool that is to be procured is often seen mainly as an expense by the finance department, and is therefore queried subjectively or even rejected. This is arguably a counterintuitive posture toward a strategic procurement under the Risk Treatment Plan, one that should be mitigated, and it can be considered one of the most significant risks facing the organization. The loss to the organization can be substantial if this negative posture gains currency and prevails.

In this context, the presence or absence of proper IT governance may yield one of two differing pitches:

“We need to purchase a tool that scans our network for threats, quickly identifies vulnerabilities, and proposes mitigation steps.”

Or:

“We want to allow your IT department to do what it thinks is needed, based on the guidance of your Board of Directors (BoD), on where we as a company are moving toward, and on how the IT department can enable this journey.”

Which statement do you think gets the C-suite executive to sit down and listen?

Well, the research seems to suggest that, on most occasions, the latter one gets their attention. This brings us to the symptoms of poor IT governance, which are easily discernible. They manifest as follows:

  1. Executive management distancing themselves or not taking responsibility for IT issues or investments
  2. IT as a topic is absent from the BoD agenda
  3. IT professionals complaining about why approvals for critical IT asset purchases are not given
  4. High IT staff turnovers and significant gaps in IT training budgets or competency requirements
  5. Significantly, the most notable symptom is IT personnel not being sure about the business objectives or what the business wants to achieve – to put it succinctly, a “void understanding of business strategy.”

Therefore, an integral element of the value of good IT governance is the absence of these symptoms.

The overarching principle that most simply encapsulates the value of IT governance is alignment: the ability to align IT objectives with strategic business goals. Once this is achieved, it is easier for the C-suite to understand and appreciate the process accordingly. The value of IT governance is not well understood because it is often complicated by varying and imprecise definitions, difficulties encountered in implementation, and miscommunication during the process.

I will define IT governance as the overarching directive borne out of leadership to steer the critical alignment between IT assets and business strategy. The formula below summarizes this:

Leadership × (Framework + Directive + Value Optimization) = IT Governance

The important question is, how did we arrive at this formula? COBIT 2019 demarcates 40 processes: 35 processes for management and five processes for governance. The five governance processes, labeled Evaluate, Direct and Monitor (EDM01 - EDM05), are shown in the diagram below.

Figure 1- IT Governance Formula derived from COBIT 2019

CGEIT ideally covers all five of these governance topics as of the CGEIT Review Manual 7th Edition. However, it is noteworthy that the CGEIT community is composed mostly of IT professionals. Therefore, although the content is invaluable, we need a mechanism to get it into the board room, where we have executive managers, board members, lawyers, accountants and C-suite executives. Accordingly, I have added leadership as an area of focus for us, as IT professionals, to use our leadership skills to create condensed versions of IT governance and management topics and deliver them as a short learning exercise to the BoD and C-suite executives.

The reason I highlighted leadership is that leadership has a profound effect on IT governance. In this context, regardless of your role and title in a company, getting your executives to see the value of IT governance requires you to speak their language. Richard L. Routh, in The Power of Role, provided an excellent breakdown of C-suite roles and their focus and expectations. He asserts that if you understand the role, you will have considerably more influence and more significant political clout in the corporate world. This also applies to explaining or proposing IT governance.

Governments, like businesses, are seldom devoid of bureaucratic and governance mechanisms, all of which arose from various periods of misallocation or were enforced by external pressure to ensure transparency and accountability. However, ICT is hardly considered in the same light as requiring rigorous mechanisms for governance and management. This is true for one reason alone: we have not yet experienced a local or worldwide catastrophe that bucks the trend and forces the accounting arm of businesses, governments, and international standards bodies to unilaterally enforce IT governance. Yet this is not to say that some entities have not begun to accept international guidelines and rules, or have not seen tremendous benefits from IT governance. We all know that the shift to the International Financial Reporting Standards and Sarbanes-Oxley was triggered by scandals at Enron and other corporations. Why wait for major incidents to trigger the adoption of good practices? IT governance is a necessity. Our job as IT professionals is to explain this to the right people, at the right time, and in the right way.