IT Governance

IT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT

ALAN CALDER
WITH STEVE MOIR
Copyright Date: 2009
Published by: IT Governance Publishing
Pages: 209
https://www.jstor.org/stable/j.ctt5hh78j
    Book Description:

    Corporate governance increasingly provides the context within which twenty-first century organisations have to assess and deal with their investments. But what is corporate governance, and why is it important to the IT professional? Why is IT governance important to the company director, and what do directors of companies – both quoted and unquoted – need to know? Implementing Frameworks and Standards for the Corporate Governance of IT sets out for managers, executives and IT professionals the practical steps necessary to meet today’s corporate and IT governance requirements. It provides practical guidance on how board executives and IT professionals can navigate, integrate and deploy to best corporate and commercial advantage the most widely used of today’s IT management and IT governance frameworks and standards from around the world.

    eISBN: 978-1-905356-91-1
    Subjects: Technology, Business

Table of Contents

  1. Front Matter
    (pp. ii-iv)
  2. FOREWORD
    (pp. v-vi)

    Corporate governance increasingly provides the context within which twenty-first century organisations have to assess and deal with their investments in, and risks to, their corporate information assets and the Information and Communications Technology (ICT, or just IT) infrastructure within which those information assets are collected, manipulated, stored and deployed. But what is corporate governance, and why is it important to the IT professional? Why is IT governance important to the company director, and what do directors of companies – both quoted and unquoted – need to know?

    This book aims to do two things.

    The first is to set out for managers,...

  3. PREFACE
    (pp. vi-vi)
  4. ABOUT THE AUTHOR
    (pp. vii-viii)
  5. ACKNOWLEDGEMENTS
    (pp. viii-viii)
  6. Table of Contents
    (pp. ix-x)
  7. INTRODUCTION: CORPORATE GOVERNANCE CONTEXT
    (pp. 1-10)

    Corporate governance is a daily newspaper subject and, to one extent or another, all company directors – and the directors of public sector and quasi-autonomous governmental organisations (known in the UK as ‘quangos’) – want to know what corporate governance really means for them. What is good corporate governance practice? To whom does the UK’s Combined Code really apply? Is SOX⁴ important outside the US? Should the directors of privately-owned companies pay the same attention to corporate governance as those that are listed on public exchanges?

    In the twenty-first century, corporate governance has become critical for all medium-sized and large organisations. Those...

  8. CHAPTER 1: IT GOVERNANCE DEFINED
    (pp. 11-13)

    Governance, as explained in the Introduction, is distinct from management. Any governance framework – including an IT governance framework – must identify the role of an organisation’s governing body, and align that with the governing body’s role as described in the OECD Principles of Corporate Governance, as revised in 2004, and as originally described in the Cadbury Report on Corporate Governance of 1992.

    The UK’s revised Combined Code (2004) now explicitly states that all directors are required to ‘provide entrepreneurial leadership of the company within a framework of prudent and effective controls which enable risk to be assessed and managed’¹⁶. This...

  9. CHAPTER 2: INTELLECTUAL CAPITAL AND THE INFORMATION ECONOMY
    (pp. 14-17)

    The drivers for IT governance have to be understood in the context of the twenty-first century’s information, or knowledge, economy, because this economy is fundamentally different from the old manufacturing one. The globalisation of markets, products and resourcing has led to increasingly similar shopping streets selling very much the same products throughout the developed world – and to much of the world experiencing the same economic downturn.

    Over 70% of workers in developed economies are now knowledge, rather than manual, workers – including those factory and farm workers whose work depends on understanding and using information technology. Information, networking and telecommunications connectivity...

  10. CHAPTER 3: STRATEGY: THE SEARCH FOR COMPETITIVE ADVANTAGE
    (pp. 18-35)

    IT is neither low-cost nor low-impact. It is investment-intensive. Innovation in the IT sector is common; speed of innovation and deployment can be critical in developing and maintaining competitive advantage. An organisation must respond proactively to change within its market or see its competitive position eroded and ultimately destroyed. Schumpeter called this process ‘Creative Destruction’:

    [The] process of Creative Destruction is the essential fact about capitalism… every business strategy acquires its true significance only against the background of that process and with the situation created by it. It must be seen in its role in the perennial gale of creative...

  11. CHAPTER 4: GOVERNANCE AND RISK MANAGEMENT
    (pp. 36-39)

    Risk management has always been a key governance issue. The board’s job is strategy and, therefore, strategic risk has always been a board responsibility, and effective risk management has become a key competitive differentiator. The modern corporation’s fundamental goal is to create and add value to its business on a continual basis. This means that boards must find an appropriate balance between profit maximisation and risk reduction.

    Strategic risk can be described as the enterprise level risk of a negative impact on earnings or capital arising from an organisation’s failure to create and execute appropriate business plans and strategies, improper...

  12. CHAPTER 5: IT REGULATORY COMPLIANCE
    (pp. 40-45)

    Information is increasingly subject to legislation. Customers, staff, suppliers, tribunals and law courts all expect organisations to comply with this legislation in a proactive manner. Legislation and regulation exist on national, international, and industry-specific levels. Most OECD countries have some form of data protection and privacy legislation. National regulations often overlap and are sometimes contradictory, and almost all of them lack implementation guidance or adequate precision. Copyright, digital rights, computer misuse and electronic trading legislation are changing rapidly, and legislation on money laundering, proceeds of crime, human rights and freedom of information all add to the confusion.

    Organisations also have...

  13. CHAPTER 6: INFORMATION AND CONTINUITY RISK
    (pp. 46-51)

    Organisational information is an asset and therefore, by definition, someone outside the organisation will want it; if no-one wanted it, it wouldn’t be an asset. If it is to be useful to an organisation, information must:

      • be available (to those who need to use it)
      • be confidential (so that competitors can’t use it)
      • have its integrity guaranteed (so that it can be relied upon).

    Information risk arises from the threats – both external and internal – to the availability, confidentiality and integrity of the organisation’s information assets. Organisations must address direct risks to the availability, confidentiality and integrity of their information; they...

  14. CHAPTER 7: INTERNAL CONTROL FRAMEWORKS
    (pp. 52-58)

    Internal control frameworks have traditionally been designed to deal primarily with financial risk: the risk that errors or dishonesty could lead to loss of corporate money. From a corporate governance perspective, it is now increasingly understood that internal controls must respond to the much wider range of risks identified within the organisation’s enterprise risk management (ERM) framework.

    UK-based companies look primarily to the Turnbull Guidance on internal control and, while the work done on internal control frameworks by the international Treadway Commission and the US Public Company Accounting Oversight Board (PCAOB)⁵⁵ is more directly relevant to US-listed companies, they are...

  15. CHAPTER 8: PROJECT GOVERNANCE
    (pp. 59-68)

    The fast-changing information economy drives organisations to continuous information innovation. This, combined with relentless cost pressure, drives them on to attempt continuous system and process improvement. Increasingly, organisations ‘bet the farm’ on the successful development and deployment of new systems, in a business environment that can change so fast that the original assumptions on which a project’s rationale were based can become fatally undermined before the project has been completed.

    These projects have ceased to be IT projects; they are complex ‘whole business’ projects, with varied impacts across the business as a whole, requiring input and resource from many areas...

  16. CHAPTER 9: COMPONENTS OF IT GOVERNANCE
    (pp. 69-72)

    An IT governance framework consists, essentially, of a set of principles, a decision-making hierarchy and an appropriate suite of reporting and monitoring processes. While all IT governance frameworks will have common elements, few frameworks are likely to replicate one another; each organisation has a unique business model and a unique risk environment, and its IT governance framework should reflect that.

    There are, in fact, seven components for the corporate governance of IT that should be considered when designing an IT governance framework:

    There are two types of principle in this context:

    Governance principles (how IT is to be managed in...

  17. CHAPTER 10: ISO/IEC 38500
    (pp. 73-86)

    This chapter describes the scope, application and objectives of ISO/IEC 38500. It also sets out some of the benefits of using the standard, in terms of the conformance and performance of the organisation. Finally, it provides a set of useful definitions, some of which are drawn from ISO Guide 73:2002 (Risk Management – Vocabulary – Guidelines for Use in Standards).

    As might be expected, the scope of ISO/IEC 38500 is ‘the governance of management processes (and decisions) relating to the information and communications processes used by an organization’⁶⁸. The standard recognises that these processes could be controlled by one or more of...

  18. CHAPTER 11: IT GOVERNANCE FRAMEWORKS AND STANDARDS
    (pp. 87-96)

    ISO/IEC 38500 is an overarching framework of principles and guidance for the directors of an organisation. It deals with the governance of IT, not its management.

    A number of frameworks and standards have evolved over the last 20 years that do provide detailed guidance and support for specific areas of IT activity for which the board is responsible. Each of these frameworks has its own strengths and weaknesses, and each is capable of being used on its own or in conjunction with one or more of the other frameworks. All can be used within an ISO/IEC 38500 IT governance framework....

  19. CHAPTER 12: THE CALDER-MOIR FRAMEWORK
    (pp. 97-106)

    The Calder-Moir IT Governance Framework⁸⁸ is a meta-model for co-ordinating frameworks and organising IT governance. It helps organisations to implement ISO/IEC 38500, the first international standard to provide guidelines for corporate governance of IT, while simultaneously drawing intelligently on all other available frameworks and standards.

    IT governance is a broad subject that involves many disciplines: information technology, risk management, strategy, intellectual property, business design, project management, compliance, and so on. There are IT governance solutions and tools associated with most of these disciplines, but most of them are very detailed and have narrow scopes. No single standard, discipline or tool...

  20. CHAPTER 13: IMPLEMENTING IT GOVERNANCE
    (pp. 107-122)

    Implementation of an IT governance framework using the Calder-Moir Framework or any other approach is, conceptually, quite straightforward; it does, however, require substantial planning and detailed follow-through if it is to be effective. This chapter looks first at the concept of maturity models, which provide a useful context for considering how an IT governance framework may be developed and matured over time, then goes on to provide an overview of the key steps involved in implementing an IT governance framework, and finally looks at the initial issues whose resolution is essential to a successful implementation.

    The capability maturity model (CMM)...

  21. CHAPTER 14: DECISION MAKING AND THE IT ORGANISATION
    (pp. 123-141)

    The two executive roles that are critical to the effective implementation of an IT governance framework are those of the CEO and the CIO. Both roles have existed for some time, and the relationship between the two is not always a successful one. We think that any IT governance initiative will fail if the organisation does not appoint a CIO to a role that has adequate authority and scope for effective IT management. It will also fail if it does not have the complete support of the board and the CEO.

    There are a number of other roles – such as...

  22. CHAPTER 15: IT STEERING COMMITTEE AND EXECUTIVE COMMITTEE
    (pp. 142-145)

    The two key layers of any IT governance framework are a board-level IT steering or strategy committee and a management-level executive committee. This chapter explores both types of committee.

    The board needs to create a mechanism – the IT steering committee – through which it can provide the business with strategic technology leadership. Technology/IT leadership requires a specific mechanism, in a way that HR, Sales or Marketing, for example, do not. These other divisions are usually already effectively dealt with as part of the existing board agenda; most board members already understand the issues around sales and marketing, and the people...

  23. CHAPTER 16: ENTERPRISE IT ARCHITECTURE COMMITTEE
    (pp. 146-157)

    In IT Governance: Guidelines for Directors¹⁰¹ we discussed the hierarchy of IT decision-making, the importance of an enterprise IT architecture, and the relationship between the enterprise architecture committee and the technology committee. This chapter looks in more detail at the role and work of the enterprise architecture committee.

    A key architectural debate that all organisations must resolve is the extent to which IT – as an infrastructure and as a functional department (or organisation) – is centralised or decentralised. The question as to whether or not IT (or parts of it) should be outsourced is entirely subsidiary to this key strategic issue,...

  24. CHAPTER 17: IT AUDIT
    (pp. 158-159)

    Companies have become more and more dependent on technology to support financial reporting and almost all aspects of business operations, and to manage critical information assets. Continuous changes in technology and legislation create new exposures and requirements for all organisations. This emphasises the need for competence and experience in the proper evaluation of risks related to information technology, and the adequacy of an organisation’s technology control structure. Information technology is fundamental both to the work of financial auditors and to the financial audit process. It is therefore essential that auditors have a thorough understanding of the risks in IT systems...

  25. CHAPTER 18: THE ITIL/COBIT/ISO27002 JOINT FRAMEWORK
    (pp. 160-164)

    Fines, reputation and brand damage and, in some circumstances, jail time for directors are outcomes that every business wants to avoid. The growing attractiveness of IT governance is due, at least in part, to the idea that a joined-up, coherent approach to the management of IT and compliance risk will bring the organisation identifiable benefits. Organisations also want to reduce the cost and disruption of multiple compliance initiatives, and to minimise the impact of their compliance activity on customer-focused business operations. Some organisations want to go further than this, and look to get positive business returns from their investment in...

  26. CHAPTER 19: THE IT MANAGEMENT SYSTEM OF TOMORROW
    (pp. 165-183)

    The Calder-Moir Framework describes the relationships between a multitude of frameworks and standards. Implementation of an integrated IT governance framework requires integration, at many levels, of a diversity of standards and requirements. One approach is that set out in the ITGI/OGC Joint Framework discussed in Chapter 18: The ITIL/COBIT/ISO27002 Joint Framework. Another is to integrate IT management system specifications.

    There are a number of elements common to the ISO/IEC 27001 and ISO/IEC 20000-1 specifications. Organisations that wish to benefit from the guidance of both standards will not necessarily – for reasons of cost and complexity – wish to implement two separate and...

  27. CHAPTER 20: CALDER-MOIR IMPLEMENTATION – A 15-STEP PROCESS
    (pp. 184-192)

    Implementation of the Calder-Moir Framework follows a 15-step process, and this process draws on all the steps described in this book.

    You can design and implement an IT governance framework that draws on the guidance in this book, combined with the input of an experienced IT governance practitioner, and the commitment and drive of a senior sponsoring board director. You can simplify your design and implementation process by using a toolkit such as the one available from IT Governance Ltd¹¹⁹; you will also need copies of standards¹²⁰ such as ISO/IEC 38500.

    This chapter describes the 15 steps for implementing the...

  28. CHAPTER 21: MAKING THE BUSINESS CASE FOR IT GOVERNANCE
    (pp. 193-194)

    It can be surprisingly difficult to make the business case for IT governance. While 93% of business leaders think IT is important for delivering the strategy, 62% say IT is not always on their board agenda¹²³.

    In other words, the business case for IT governance still has to be made in each and every organisation. A starting point is the case for corporate governance as more than just a box-ticking exercise: as long ago as 1996, McKinsey and Company found that two-thirds of the companies in a survey would pay an 11% premium for the stock of a company with...

  29. ITG RESOURCES
    (pp. 195-196)