is so embedded in internal functions and in the external
value propositions of most modern organizations, that
it has assumed a strategic role. When we recognize that
IT is getting an equal level of importance as any other
business process, the need to 'govern' IT becomes obvious.
by MSV Rao
law will continue to outdo itself; the predictions of Arun Netravali
(former president of Bell Labs) that intelligent
devices worldwide will 'talk' to each other and that bandwidth
will be a commodity as free as air may soon prove to
be true. Such an unbounded explosion of technology, involving
a major transformation of the Internet into a mega High-IQ
net, will influence the very way in which IT is used
in many enterprises.
In recent years the world has been witnessing a phenomenal
change in the way IT is used in enterprises. It has
graduated at a fast pace, from a mere supportive role
to an enabling role, and in some business areas, to
a critical success factor interwoven with the other
business processes of the enterprise. Technology has
become so embedded in the internal functions and the
external value propositions of a modern organization,
at least in some sectors, that it has assumed a strategic
role. Many organizations have begun to use IT-based
processes like Intranets, Extranets, ERP, and SCM. IT
has thus become truly all-pervasive. The moment we recognize
that IT is getting an equal level of importance as any
other business process, the need to 'govern' IT becomes obvious.
Effective enterprise governance focuses individual and
group expertise and experience in specific areas where
its benefits can be felt the most. The governance initiative
can then measure performance and provide assurance on
the critical issues.
Enterprise governance is now being accorded
the significance it deserves. Worldwide, investors are
willing to pay a premium of up to 20 percent on the shares
of companies that have a corporate governance framework
in place. In India too, companies have begun to subject
themselves to a rating process on corporate governance.
The Investment and Credit Rating Agency (ICRA) has developed
a product called Corporate Governance Ratings (CGR).
The CGR can provide a relative index of corporate governance
abilities of an enterprise. The index can essentially
indicate the company's adherence to good practices and
code of ethics in corporate governance. The CGR tends
to focus on the statutory requirements of the regulators
and the financial interests of the stakeholders. One
can soon expect to hear of enterprises achieving level
1 CGR or level 2 CGR ratings, just like the CMM levels
of software organizations.
Since IT plays a critical role by interlinking various
business processes, the act of strategic alignment between
IT and the enterprise objectives becomes a Critical
Success Factor (CSF). Effective IT governance should
help achieve this CSF.
According to Information Systems Audit and Control Association
(ISACA), IT governance is an inclusive term which encompasses
information systems, technology and connectivity, business,
legal and other issues, all concerned stakeholders,
directors, senior management, process owners, IT suppliers,
users, and auditors. Once an enterprise recognizes that
it relies significantly on IT, and on the
IT processes that are interwoven with its business
processes, it has to provide the same level
of commitment it devotes to financial supervision and
overall enterprise governance.
Information is power
The dependence of enterprises on IT has naturally made
information an indispensable asset. Information is created
and maintained by IT. It has often been said that information
is power. However, the actual value of information has
been largely underestimated. In the opinion of some
consultants, only 15 percent of the market value of
an enterprise resides in its tangible assets. And the
larger part of the remaining 85 percent is in its information
base. This establishes the need to develop standards
for recording intangible assets. Information Systems
Impact of IT governance
IT governance, control and assurance can impact an enterprise's
Addressing business issues like e-commerce and ERP
Assuring security, reliability, and integrity of strategic
Protecting the enterprise's investments in IT including
systems and network
Ensuring appropriate management of the enterprise's
IT governance can be illustrated with the help of four
Is the enterprise doing the right things?
Is it doing them the right way?
Is the use of IT efficient?
Are the desired goals achieved?
These concerns about IT governance naturally have to be
addressed at the highest level, or the board level. IT
deployment is very capital-intensive and logically involves
high risks. At the same time, IT can present enormous
opportunities and benefits to the enterprise in terms
of reduced costs, increased revenues, and more importantly,
improved customer services. In view of this, the board
should take an active interest and assert that IT is delivering
the benefits after being deployed with a complete understanding
of the costs and risks.
The management needs to react to the board's requirements
by aligning the IT strategy and goals to the enterprise's
business strategy and goals. It must ensure cooperative
cross-departmental responsibility for the success of
IT, undertake an appropriate risk analysis, identify
vulnerabilities, and regularly review the performance
of IT assets.
IT functions have increasingly assumed a critical status
in many enterprises. Businesses like telecom companies,
banks, mass media, and airlines cannot exist without
IT. Businesses like travel agencies depend on IT for
their SCM initiative. Some may have to deploy IT due
to guidelines from regulatory bodies.
Some industries like the health sector invest in IT
more than the industry average. However, the attention
to IT in some of these enterprises is still confined
to the IT department. The main reasons are:
a. IT continues to be treated as an entity separate
from the business
b. The complexity of IT is increasing with the advent
of networks and the Internet
c. Not many boards have members with extensive IT
audits and COBIT
IS audit can play an important role in bringing out
the need for IT governance. IS auditors can achieve
this by first understanding IT governance, convincing
the board and the management to focus on relevant issues,
recommending a suitable control framework, and measuring
the performance regularly.
Control Objectives for Information and related Technologies
(COBIT) is perhaps the most widely adopted and accepted
framework for IT governance. Its adoption in the US
and other countries with a very high degree of IT usage
is quite widespread. Indian organizations have also
begun to appreciate the comprehensive nature of the
model and have started adopting it.
The basic premise of COBIT is that IT is required to
create, process, and deliver the information that the
enterprise needs to achieve its goals. COBIT divides
IT into four domains, namely planning, acquisition and
implementation, delivery and support, and monitoring.
These basically cover the important phases of an IT
A total of 34 processes are defined and grouped
under the above four domains. Each process has a high-level
control objective associated with the process, and several
detailed lower-level control procedures. The COBIT model
allows the business process owner to define its information
process requirements through information criteria needed
There are seven such criteria: effectiveness, efficiency,
availability, integrity, confidentiality, and compliance.
In order to provide the required information, the IT
management approaches the framework by looking at the
resources to be considered for the control. The resources
are data, application systems, technology, facilities,
and people. COBIT provides a very effective tool to
all levels of management to achieve good IT governance
leading to good corporate governance.
Readers can visit www.isaca.org and www.ITgovernance.org
for a detailed insight.
The writer is Director, Department of