ICT GOVERNANCE
Corporate Governance and ICT Governance
Definition
From relative obscurity a few years ago, several factors have come together to make formal ICT governance a good idea for virtually every company, both public and private. Key motivators include the need to comply with a growing list of regulations related to financial and technological accountability, and pressure from shareholders and customers. Here's a quick primer on the basics of ICT governance:
What is ICT Governance?
Simply put, it's putting structure around how organizations align ICT strategy with business strategy (normally known as corporate governance), ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure ICT's performance. It makes sure that all stakeholders' interests are taken into account and that processes provide measurable results. An ICT governance framework should answer some key questions, such as how the ICT department is functioning overall, what key metrics management needs, and what return ICT is giving back to the business from the investment it's making.
Is It Something Every Organization Needs?
Every organization, large and small, public and private, needs a way to ensure that the IT function sustains the organization's strategies and objectives. The level of sophistication you apply to ICT governance, however, may vary according to size, industry or applicable regulations. In general, the larger and more regulated the organization, the more detailed the ICT governance structure should be.
Drivers That Motivate Organizations to Implement ICT Governance Infrastructures
Organizations today are subject to many regulations governing data retention, confidential information, financial accountability and recovery from disasters. While none of these regulations requires an ICT governance framework, many organizations have found it to be an excellent way to ensure regulatory compliance. By implementing ICT governance, you'll have the internal controls you need to meet the core guidelines of many of these regulations.
What Are the Major Focus Areas That Make Up ICT Governance?
According to the bodies that set IT governance standards, there are five areas of focus:
- Strategic alignment: Linking business and IT so they work well together. Typically, the lightning rod is the planning process, and true alignment can occur only when the corporate side of the business communicates effectively with line-of-business leaders and IT leaders about costs, reporting and impacts.
- Value delivery: Making sure that the IT department does what's necessary to deliver the benefits promised at the beginning of a project or investment. The best way to get a handle on everything is by developing a process to ensure that certain functions are accelerated when the value proposition is growing, and eliminated when the value decreases.
- Resource management: One way to manage resources more effectively is to organize your staff more efficiently, for example by skills instead of by line of business. This allows organizations to deploy employees to various lines of business on a demand basis.
- Risk management: Instituting a formal risk framework that puts some rigor around how IT measures, accepts and manages risk, as well as reporting on what IT is managing in terms of risk.
- Performance measures: Putting structure around measuring business performance. One popular method involves instituting an IT Balanced Scorecard, which examines where IT makes a contribution in terms of achieving business goals, being a responsible user of resources and developing people. It uses both qualitative and quantitative measures to get those answers.
Monitoring of Controls and Risks
Overview
A growing regulatory environment, higher business complexity and an increased focus on accountability have led enterprises to pursue a broad range of ICT governance, risk and compliance initiatives across the organization. However, these initiatives are uncoordinated in an era when risks are interdependent and controls are shared. As a result, these initiatives get planned and managed in silos, which potentially increases the overall business risk for the organization. In addition, parallel compliance and risk initiatives lead to duplication of effort and cause costs to spiral out of control. An ICT governance, risk and controls process, through control definition, enforcement and monitoring, has the ability to coordinate and integrate these initiatives.
The span of an ICT governance, risk and controls process includes three elements:
- ICT governance is the oversight role and the process by which companies manage and mitigate business risks.
- Risk management enables an organization to evaluate all relevant business and regulatory risks and controls and to monitor mitigation actions in a structured manner.
- Controls ensure that an organization has the processes and internal controls to meet the requirements imposed by governmental bodies, regulators, industry mandates or internal policies.
ICT governance: With an increase in activism among shareholders and increased scrutiny from regulatory bodies, corporate boards and executive teams are more focused on governance-related issues than ever before. The governance process within an organization includes elements such as definition and communication of corporate control, key policies, enterprise risk management, regulatory and compliance management and oversight (e.g., compliance with ethics and options compliance, as well as overall oversight of regulatory issues), and evaluating business performance through balanced scorecards, risk scorecards and operational dashboards. A governance process integrates all these elements into a coherent process to drive corporate governance.
Risk Management: With the recent jump in regulatory mandates and increasingly activist shareholders, many organizations have become sensitized to identifying and managing areas of risk in their business, whether it is financial, operational, IT, brand or reputation-related risk. These risks are no longer considered the sole responsibility of specialists; executives and boards demand visibility into exposure and status so they can effectively manage the organization's long-term strategies. As a result, companies are looking to systematically identify, measure, prioritize and respond to all types of risk in the business, and then manage any exposure accordingly. A risk management process provides companies of all sizes in all geographies with a strategic orientation and a formal process to identify, measure and manage risk.
Controls: An initiative to comply with a regulation typically begins as a project, as companies race to meet deadlines to comply with that regulation. These projects consume significant resources, as meeting the deadline becomes the most important objective. However, compliance is not a one-time event; organizations realize that they need to make it into a repeatable process, so that they can continue to sustain compliance with that regulation at a lower cost than for the first deadline. When an organization is dealing with multiple regulations at the same time, a streamlined process for managing compliance with each of these initiatives is critical; otherwise costs can spiral out of control and the risk of non-compliance increases. The compliance process enables organizations to make compliance repeatable and hence to sustain it on an ongoing basis at a lower cost.
Benefits of Taking a Monitoring of Controls and Risk Approach
- Many organizations find themselves managing their ICT governance, risk and controls initiatives with each initiative managed separately, even if reporting needs overlap. Even though each of these initiatives individually follows the ICT governance, risk and controls process outlined above, when they deployed software solutions to enable these processes, the selections were made in a very tactical manner, without a thought for a broader set of requirements. As a result, organizations have ended up with dozens of such systems to manage individual ICT governance, risk and controls compliance initiatives, each operating in its own field.
- Organizations are quickly finding that as the multiple risk and compliance initiatives become more intertwined from regulatory and organizational perspectives, multiple systems cause confusion due to duplicative and contradictory processes and documentation. In addition, the redundancy of work, as well as the sheer expense of maintaining multiple point software solutions, causes the cost of compliance to spiral out of control.
- By taking an integrated controls and risk process approach and deploying a single system to manage the multiple governance, risk and compliance initiatives across the organization, the issues listed above can be easily addressed. Such an approach can:
  - Have a dramatic positive impact on organizational effectiveness by providing a clear, unambiguous process and a single point of reference for the organization
  - Eliminate all redundant work in various initiatives
  - Eliminate duplicative software, hardware, training and rollout costs, as multiple governance, risk and compliance initiatives can be managed with one software solution
  - Provide a "single version of the truth" available to employees, management, auditors and regulatory bodies
Capabilities of the Monitoring and Controls Solution include:
a) Governance
b) Enterprise risk management and assessment
c) Board compliance capabilities such as options policy compliance, ethics and policy compliance, etc.
d) Business performance reporting such as balanced scorecards, risk scorecards, operational controls dashboards, etc.
e) Policy management, documentation and communication
f) Risk management
g) Risk assessment
h) Risk analysis and prioritization
i) Root cause analysis of issues and mitigation
j) Risk analytics and trend analysis
k) Compliance
l) Flexible controls hierarchy
m) Assessments and audits
n) Issue tracking and remediation
o) Analytics
The solution supports complex organization models with the ability to roll up at various organizational levels, while retaining the ability to cost-effectively deploy the solution within a single department to enable a tactical compliance or risk initiative.
Policies and Procedures of ICT Governance
ICT Policies and Procedures
Definition
Policies and procedures are critical governance tools in every enterprise. Where policies dictate the rules, procedures explain how these same rules are practically applied in real life. Taken as a collective, policies and procedures set expectations for behaviors and activities, as well as providing mechanisms to enforce these expectations.
Given the importance and relative "permanence" of policy and procedure documents, they should be carefully and conscientiously crafted in order to withstand both time and scrutiny. The goal of this Policies and Procedures Definition program is to provide the tools and guidance necessary to construct these governing documents.
This program includes three key steps:
1. Inventory Policies and Procedures
2. Create Policies and Procedures
3. Gain Policy and Procedure Approval
Process Management
Every enterprise has processes, whether they are formally documented or not. In fact, the
fundamental building blocks of any organization are its processes and the people who put them into
practice.
Identifying and mapping processes is the first step in defining meaningful policies and procedures.
Understanding processes gives clarity to how an enterprise actually works, which in turn dictates the
business rules that are encapsulated in policies. Knowledge of processes also drives all procedural
efforts in that processes define the sequence, transitions, and decision points of the workflow that
underlie all detailed procedures.
The goal of the Process Management program is to help you identify, assess, document and manage
processes in IT and the business as a whole. This approach includes four key steps:
1. Understand Process Frameworks
2. Capture Processes
3. Define Processes
4. Manage Process Portfolio
ICT Policies and Procedures Enforcement
Once policies and procedures have been identified and documented, it is imperative to communicate
their presence and purpose to the organization. The fact is that policies and procedures are useless if
they are not enforced.
Implementing and enforcing documented policies and procedures should be a continuous process. All policies and procedures must be maintained, and immediate action must be taken when a violation has been identified. Commitment to the review and revision of policies and procedures will ensure they are kept current and relevant against the organization's mandates and objectives.
The goal of the Policy and Procedure Enforcement program is to help you implement, enforce, and
review the performance of policies and procedures in IT and the business as a whole. This approach
includes three key steps:
1. Implement the Policy or Procedure
2. Monitor and Manage Policy and Procedure Adherence
3. Review Policy and Procedure Performance
ICT Management Practices
The following are globally accepted best management practices:
1. To develop academic and business plans that address organization objectives as well as
changing economic, industry, and regulatory environments.
2. To clearly define areas of responsibility. Assign responsibility and delegated authority to deal
appropriately with the organization's goals, objectives, operating functions, and regulatory
requirements.
3. To establish performance objectives and provide regular appraisals to all employees. Specify
the level of competence needed for particular jobs in requisite skills and knowledge
requirements. Communicate clearly to all personnel the responsibilities and expectations for
the unit's activities.
4. To establish open communication channels to facilitate the flow of information across all
activities and to those who need the information. Consult with individuals who have the
expertise to make informed decisions.
5. To provide the appropriate training, cross-training, and resources to help personnel perform
their duties successfully. Assign duties to individuals who have been properly trained, can
make sound judgments, do not have conflicting duties, and fully understand what is expected.
6. To protect the organization's assets by establishing procedures that properly dispose of and secure sensitive and/or private information. Document key controls that provide evidence that the various reconciliation and tracking functions are being adequately performed on a regular and periodic basis.
Impact of ICT Compliance on Professional Standards and Codes
ICT and professional standards are intertwined due to the threats that technology brings.
1. ICT compliance improves professionalism if used adequately.
2. ICT compliance improves competency, since resources for further research are found over the internet.
3. ICT compliance improves leadership, since tech-wise organizations nowadays use telecommunications to address certain issues.