Techscope 2003: IT Governance
Enterprise IT governance - The obvious step

Technology is so embedded in internal functions and in the external value propositions of most modern organizations, that it has assumed a strategic role. When we recognize that IT is getting an equal level of importance as any other business process, the need to 'govern' IT becomes obvious. by MSV Rao

Moore's law will continue to outdo itself; Arun Netravali's (former president of Bell Labs) predictions that, intelligent devices worldwide will 'talk' to each other and bandwidth will be a commodity free like air, may soon prove to be true. Such unbounded explosion of technology involving major transformation of the Internet into a mega High-IQ net will influence the very nature by which IT is used in many enterprises.

In recent years the world has been witnessing a phenomenal change in the way IT is used in enterprises. It has graduated at a fast pace, from a mere supportive role to an enabling role, and in some business areas, to a critical success factor interwoven with the other business processes of the enterprise. Technology has become so embedded in the internal functions and the external value propositions of a modern organization, at least in some sectors, that it has assumed a strategic role. Many organizations have begun to use IT-based processes like Intranets, Extranets, ERP, and SCM. IT has thus become truly all-pervasive. The moment we recognize that IT is getting an equal level of importance as any other business process, the need to 'govern' IT becomes obvious.

Enterprise governance
Effective enterprise governance focuses individual and group expertise and experience in specific areas where its benefits can be felt the most. The governance initiative can then measure performance and provide assurance to the critical issues.

The importance of enterprise governance is being accorded the deserved significance. Worldwide, investors are willing to pay up to 20 percent premium on the shares of companies that have a corporate governance framework in place. In India too, companies have begun to subject themselves to a rating process on corporate governance abilities.

The Investment and Credit Rating Agency (ICRA) has developed a product called Corporate Governance Ratings (CGR). The CGR can provide a relative index of corporate governance abilities of an enterprise. The index can essentially indicate the company's adherence to good practices and code of ethics in corporate governance. The CGR tends to focus on the statutory requirements of the regulators and the financial interests of the stakeholders. One can soon expect to hear of enterprises achieving level 1 CGR or level 2 CGR ratings, just like the CMM levels of software organizations.

Strategic alignment
Since IT plays a critical role by interlinking various business processes, the act of strategic alignment between IT and the enterprise objectives becomes a Critical Success Factor (CSF). Effective IT governance should help achieve this CSF.

ISACA
According to Information Systems Audit and Control Association (ISACA), IT governance is an inclusive term which encompasses information systems, technology and connectivity, business, legal and other issues, all concerned stakeholders, directors, senior management, process owners, IT suppliers, users, and auditors. Once enterprises recognize that it relies on IT significantly and also relies on the IT processes which are interwoven with the business processes, the enterprise has to provide the same level of commitment it devotes to financial supervision and overall enterprise governance.

Information is power
The dependence of enterprises on IT has naturally made information an indispensable asset. Information is created and maintained by IT. It has often been said that information is power. However the actual value of information has been largely underestimated. In the opinion of some consultants, only 15 percent of the market value of an enterprise resides in its tangible assets. And the larger part of the remaining 85 percent is in its information base. This establishes the need to develop standards for recording intangible assets—Information Systems Auditing.

Impact of IT governance

IT governance, control and assurance can impact an enterprise's effectiveness by:

• Addressing business issues like e-commerce and ERP
• Assuring security, reliability, and integrity of strategic information
• Protecting the enterprise's investments in IT including systems and network
• Ensuring appropriate management of the enterprise's information assets

The four questions
IT governance can be illustrated with the help of four questions:

1. Is the enterprise doing the right things?
2. Is it doing the right way?
3. Is the use of IT efficient?
4. Are the desired goals achieved?

These concerns about IT governance have to be addressed naturally at the highest level or the board level. IT deployment is very capital-intensive and logically involves high risks. At the same time, IT can present enormous opportunities and benefits to the enterprise in terms of reduced costs, increased revenues, and more importantly, improved customer services. In view of this the board should take active interest and assert that IT is delivering the benefits after being deployed with a complete understanding of the costs and risks.

The management needs to react to the board's requirements by aligning the IT strategy and goals to the enterprise's business strategy and goals. They must ensure cooperative cross-departmental responsibility for the success of IT and undertake an appropriate risk analysis, identifying vulnerabilities, and reviewing regularly the performance of IT assets.

Critical function
IT functions have increasingly assumed a critical status in many enterprises. Businesses like telecom companies, banks, mass media, and airlines cannot exist without IT. Businesses like travel agencies depend on IT for their SCM initiative. Some may have to deploy IT due to guidelines from regulatory bodies.

Some industries like the health sector invest in IT more than the industry average. However, the attention to IT in some of these enterprises is still confined to the IT department. The main reasons are:

• a. IT continues to be treated as an entity separate from the business
• b. The complexity of IT is increasing with the advent of networks and the Internet
• c. Not many boards have members with extensive IT knowledge

IS audits and COBIT
IS audit can play an important role in bringing out the need for IT governance. IS auditors can achieve this by first understanding IT governance, convince the board and the management to focus on relevant issues, recommend a suitable control frame work, and measure the performance regularly.

Control Objectives for Information and related Technologies (COBIT) is perhaps the most widely adopted and accepted framework for IT governance. Its adoption in the US and other countries with a very high degree of IT usage is quite widespread. Indian organizations also have begun to appreciate the comprehensive nature of the model and have started adopting it.

The basic premise of COBIT is that IT is required to create, process, and deliver the information that the enterprise needs to achieve its goals. COBIT divides IT into four domains namely planning, acquisition and implementing, delivery and support, and monitoring. These basically cover the important phases of an IT process.

A total number of 34 processes are defined and grouped under the above four domains. Each process has a high-level control objective associated with the process, and several detailed lower-level control procedures. The COBIT model allows the business process owner to define its information process requirements through information criteria needed by him.

There are seven such criteria: effectiveness, efficiency, availability, integrity, confidentiality, and compliance. In order to provide the required information, the IT management approaches the framework by looking at the resources to be considered for the control. The resources are data, application systems, technology, facilities, and people. COBIT provides a very effective tool to all levels of management to achieve good IT governance leading to good corporate governance.

Readers can visit www.isaca.org and www.ITgovernance.org for a detailed insight.

The writer is Director, Department of IT, Air-India.