Protect and Secure Business Assets with IT Governance

IT governance is a strategic initiative that ensures IT assets and processes increase overall business value. ITG is an important subset of an overall corporate governance structure. As such, it calls for clear top-down mandates that, according to Gartner, provide “The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.”  IT governance directives realize greater business value through the development of definitions and objectives that drive processes and management. ITG provides the framework or creates the “how” value by being transparent and accountable to all involved. However, many would expand that definition to include elements devoted to risk management and compliance (GRC). Governance mandates also impact IT areas like IT service management, regulatory compliance, risk management, business continuity, disaster recovery, and data or information protection processes that have their own structures (such as those of Information or Data Governance). 

ITG originated in the early 1990s as a practice to better integrate IT assets to support the organization. Primarily used as a framework to control the costs versus value derived, corporate and its IT governance subset are now used to protect the organization’s shareholders and stakeholders from the regulatory consequences of fraud and other unethical corporate behaviors. The financial losses of the early part of the 20th century created an environment that demanded government intervention and enactment of laws and regulations to foster accountability and public trust. Today, organizations must provide transparency and comply with laws such as Sarbanes-Oxley Act (SOX), which regulates accounting practices. Other regulation of note are the financial institution mandates within the Gramm-Leach-Bliley Act (GLBA). Because many of these new regulations can punish individual C-level executives and boards with hefty fines or prison sentences, the need for transparency and ethical conduct in corporate governance is clear. And, IT’s role in governance is a primary supporting function for mitigating risk and proving compliance.

Several non-U.S. countries have their own separately established IT governance guides in response to corporate failures that occurred in the 1980s, including the Cadbury Report (UK) and the King Report (South Africa).

Why Do Organizations Implement IT Governance Initiatives?
IT governance, as a subset of corporate governance, originated in the early 1990s to identify ways to connect the management of IT growth with the overall strategic goals of an organization. Eliminating or mitigating conflicts of interest and creating accountability in decision making were instituted to clarify what IT projects to fund. However, IT governance is also used to provide mechanisms to prove regulatory accountability. Unethical practices in the early 2000s led to spectacular business failures of companies such as WorldCom and Enron, which created a heightened regulatory environment. Organizations are now subject to regulations that protect information and demonstrate financial accountability. Add to the new regulatory realities the growth of capabilities and expense of an IT initiative, and the need for business value alignment becomes clear. 

Organizations that institute ITG rely upon the accountability elements and measurements that aid in critical decisions that leverage organizational objectives. These mandates also provide protection and accountability in the new regulatory environment. Another reality is that IT’s reach into an entire organization continues to grow as the demand for enhanced technology services increases. IT governance also provides a mechanism for decision making, such as determining what resources are appropriate to fulfill organizational goals. 

An IT governance framework provides conceptual support and structure that not only defines the IT mandates, but also provides support mechanisms to measure achievement. Some of the most prominent frameworks use these ideals to articulate a logical method for achieving objectives. ISO/IEC 38500 is called the official IT governance standard: It provides a strong framework to specifically assist corporate board members in developing policies relating to legal, regulatory, and accountability. Updated in 2015, this international standard presents general guidance, terminology, and definitions. The six principles embedded in the model are:

1. Responsibility
2. Strategy
3. Acquisition
4. Performance
5. Conformance
6. Human behavior 

ITIL (Information Technology Infrastructure Library), first published in 1989, is also a vendor-neutral framework. It was one of the first frameworks to focus on how IT initiatives can add value to the overall organization, which is a key focus of IT governance. Like other frameworks, it derives value from numerous subset activities of IT management and focuses on those that align with overall organizational goals. The ISO/IEC 27002, which was revised in 2013, provides an ancillary standard that’s widely used to support information security management.

Another vendor-neutral framework is Control Objectives for Information and related Technology (COBIT). This framework, which is in widespread use, combines the dual objectives of strong IT governance with comprehensive IT management mechanisms. COBIT began primarily as an IT audit management framework, but governance and risk management were added with the introduction of ISO/IEC 38500. The COBIT framework addresses how the IT department can align with organization goals through performance objectives and measurements.

Since effective governance demands both the articulation of a mandate as well as a process, choosing the right framework depends on how an organization views and implements governance. There are numerous frameworks that provide a strong foundational element for governance process provision and management. For example, COBIT is among the most used frameworks. As such, it has been systematically updated from its original function as an audit tool to support both risk and governance. 

ITIL provides a process model that supports IT service management functions in an effort to integrate with organizational strategy and goals. And, COBIT and ITIL can work individually or be combined with other standards to provide a useful and instructive governance structure. Adding other standards - such as those found in ISO/IEC 27002, which focuses on information security - can create a more robust risk management. 

Dwight Koop, Co-Founder and the CFO/COO of Cohesive Networks, a member of the Secret Services’ Chicago Electronic Crimes Task Force, and Treasurer for the Chicago FBI Infragard group, provides an overview of the National Institute of Standards and Technology Cybersecurity Framework (NIST): 

The NIST Framework was created for critical infrastructure — banking, aviation, defense — but all organizations can apply the principles to improve security. Traditional audit-focused standards value checklists, while NIST’s risk-based approach focuses on business results and infrastructure security. Because it is an iterative guide created from collective industry knowledge, the Framework has huge value for any organization looking to improve cybersecurity. Unlike the millions of other standards out there, the NIST Cybersecurity Framework combines the best of existing rules, assessments, regulations, and guidelines into a unifying cybersecurity reference guide. As more organizations consider and move to the cloud, IT teams need a guide to cybersecurity that works to both secure critical systems and pass industry standards. The NIST Framework can help teams get started. All organizations deserve to have clear guidelines and advisors who value a practical and honest approach to security.

The framework(s) that work best for an organization will depend on corporate culture, industry regulations, stakeholder and leadership requirements, and the expectations of IT from the business. 

IT governance as a practice is still a fairly new initiative in most organizations and as such is subject to growing pains. Frameworks to support IT management are being updated to include effective governance strategies and to address growing concerns about risk and compliance management. ISACA, an international professional association focused on IT governance, defines five key goals of an IT governance initiative.

• Business/IT Goal Alignment: Provides overall strategic direction to the organization. It prioritizes projects and services as a function of overall corporate or organizational effectiveness.
• Value Delivery: Measurements that confirm value assessment from IT implementations and address ROI opportunities.
• Risk Management: Assessment and implementation of controls and management to protect the organization and stakeholders.
• Resource Management: Addresses issues of capacity and availability, capital, personnel, and infrastructure to meet business requirements.
• Performance Management: Ascertains the contribution of IT to the total business and verifies compliance.

As the need for enhanced IT capabilities grows, there are few exceptions when evaluating a need for IT governance. Since a main feature of ITG is deriving maximum value from the integration of technology, the practice is useful for organizations of any size in the public or private sector. Individuals involved in IT governance are both internal and external to the organization and can include:

• Investors: Those who are financially tied to outcomes, as well as the board of directors, C-level executives, senior management of IT services, business partners, and external investors.
• Providers: Those that provide business and IT management, including support teams, suppliers, and ancillary departments such as HR, legal, and facilities.
• Independent Controllers: Internal and external auditors, financial auditors, and compliance and risk managers.

The scope of involvement in IT governance is tied to the entire corporation. And while IT governance looks for value alignments that drive success, it also can leverage needed organizational trust when choosing and implementing IT initiatives. 

The healthcare industry, for example, is subject to extensive data security measures and must comply with regulations to reduce risk and protect patient data. Apps that provide remote data access are in high demand by patients and practitioners. These apps add an additional layer of complexity to governance for this industry vertical. According to a BMC Medicine article, Do Smartphone Applications in Healthcare Require a Governance and Legal Framework? It Depends on the Application!: 

One solution to safe access to patient-level data through mobile devices is for organizations to have clear security and governance rules in place. These may include the provision of devices or registering of all mobile devices used within the organization; registration of individual users; the use of virtual secure networks; and utilization of apps designed to prevent data being stored locally on the device. For those apps that provide patient-level decision support, mechanisms to maintain a decision-making audit trail must be developed.  

There are numerous benefits to implementing an IT governance initiative. The first is in aligning IT projects and assets with the overall business objectives. ISACA has reported the following five beneficial outcomes derived from a strong IT governance structure:

• Improved transparency and accountability that facilitates optimum decision making.
• Identifying stakeholder value and areas for greater ROI.
• Enhanced value opportunities, partnerships, and joint ventures.
• Benchmarked performance improvements that measure business value.
• Reduced risk and improved external compliance controls.

Implementing a new process, especially one as large and complex as IT governance, comes with challenges. In some cases, the challenges may appear to outweigh the benefits and prevent an organization from implementing IT governance at all. Some of the most common challenges include the following:

• Biting Off More than You Can Chew: IT governance can cover many facets of information, infrastructure, and equipment. Start out with a subset of your overall initiative in order to avoid overwhelming the IT and governance team members.
• Lack of Data Control: IT governance initiatives require knowledge and understanding of the data and information in the organization. Without this knowledge, the implementation of an IT governance initiative will be daunting. 
• Poor Communication: Communication between leadership, stakeholders, and the implementation team is essential or improper expectations may be set, which heightens the risk of failure. 
• Lack of Continual Improvement: IT governance initiatives are not ‘set-it-and-forget-it.’ They require ongoing management, measurement, and improvement to continually add value to the organization.

The best way to begin an IT governance initiative is to define a proven framework that will work for your organization. This will provide a starting point and guidelines throughout the process. A successful IT governance initiative requires detailed planning and begins at the top with a clear mandate and direction for IT management responsibilities. This allows for the proper implementation of processes and controls that focus on measurable costs and benefits. Governance also works toward the development of organizational trust when initiating IT projects, especially those that are cross-departmental. When governance fails, it can impact more than the bottom line. Best practices protect shareholders and stakeholders from financial or regulatory harm, as well as provide protections to mitigate the undefined costs of a lost reputation or public trust.

Lee Barrett, Executive Director of the not-for-profit Electronic Healthcare Accreditation Commission (EHNAC) and national speaker on security, privacy, ransomware, and cybersecurity risk and mitigation strategies, tactics, and best practices, suggests the following when implementing a successful information governance framework:

The push to address security needs to be instituted at the highest level of the organization, consider three lines of defense:

1. Defense at the business unit level. How are sponsors and risk managers managing third parties and subcontractors? 
2. Evaluate security from the standpoint of governance, compliance, and oversight. How sourcing is handled and how the various relationships with business partners are being handled? 
3. Internal auditing to independently test internal controls. What safeguards do we have in place? 

For many organizations, the best way to mitigate risk is to contractually mandate that any vendor your organization partners with has secured third-party accreditation or certification. Often, these steps can be evaluated and confirmed by quantifiable metrics.

Yuri Shtivelman is the COO at mezocliq, a data governance software vendor. “The best approach to IT governance starts with taking control of your data,” he says.

“Most corporations run on a web of hundreds, if not thousands, of best-of-breed applications with data spread in a myriad of databases. The same data is available in multiple places, but is represented in different data models and is very rarely consistent across various systems. Cleaning and integrating this data is a resource-consuming task for any organization, and it is an impediment to providing accurate and timely information to business stakeholders. A major part of IT governance should be developing strategies for reducing the number of applications and databases by replacing legacy systems with innovative solutions, and keeping tight control over existing data.” 

Implementing any new process can be challenging, but adhering to best practice advice, demonstrating quick-wins to gain organizational support, following a chosen framework or frameworks, and then measuring the success of the initiative will put your organization in a position for success.

The IT department does not exclusively measure IT governance success. Instead, it can be decentralized to factor in the competing interests of investors, those who manage or control processes and infrastructure, and those who deliver or provide the services. You can enhance decision-making mechanisms through effective communication plans and meaningful measurements or “scorecards” that define what success looks like to the board, stakeholders, and external organizations. 

Some key elements include measuring against stated objectives, gaps between current and desired state of IT, cost reductions, customer satisfaction, using data that is easily collected and understood, problem reduction and prevention, and comparisons that provide meaningful guidance and information to stakeholders. 

As with most IT functions such as management, audit, and compliance, governance is gaining momentum as a certified practice. Certifications that specialize in the intricacies of ITG include those focused on ITIL and proprietary certifications through ISACA. Generally, those looking to work on IT governance mandates first need relevant work experience in numerous IT practices. 

Some of the most popular certifications include:

• Certified in the Governance of Enterprise IT (CGEIT) – Issued by ISACA
• IT Infrastructure Library (ITIL) – Issued by various organizations and at various levels
• Certified in IT Governance, Risk, and Compliance (CGRC – IT)) – Issued by The GRC Group
• Certified in Risk and Information Systems Control (CRISC) – Issued by ISACA

IT governance has become an important mandate for meeting today’s regulatory obligations, especially those involving information and data security. These templates can help you start identifying areas in your organization where IT governance can make a difference.

Project Risk Template

The key to successful project management is to identify hidden risks early in the project, before they affect cost and deadlines. The project risk tracker organizes all potential risks in one location and is beneficial to anyone managing a medium-to-large project. 

Download Project Risk Template

Excel | Smartsheet

Risk Assessment Matrix

Use this simple matrix template to aid the assessment process. It provides a quick view of the relationship between the likelihood of occurrence and the severity of impact, as well as the number of risks that fall into each category. The color scheme makes it easy to distinguish among the different ratings, so you can get an overview of the levels of risk that need to be addressed.

Download Risk Assessment Matrix

Excel | Word | PDF | Smartsheet

Risk Management Matrix

This risk assessment matrix is a good tool for getting an overview of risk ratings. Use the included management matrix for identifying and assessing risks, describing mitigation strategies, and monitoring control efforts.

Download Risk Management Matrix

Excel | Word | PDF | Smartsheet

Harnessing the opportunities provided through the judicious and effective use of technology has become an important driver for corporate success or failure. An IT governance framework can add the needed structure to assess the real value and opportunities of IT to an organization. By adding strong mandates for IT governance, those in charge are better equipped to address the real costs and assess those costs to value for the organization. And finally, the elements that foster accountability and transparency aid in developing or maintaining trust for an organization's numerous stakeholders and their external partners. 

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.