IT too needs proper governance
13 Jul, 2011
Does the IT department in the workplace need rules, or is its role relegated to the basement as portrayed in the UK sitcom, "The IT Crowd"?
Dixon Karani, a consultant who also trains on IT governance frameworks, says that IT should be treated the same way as the rest of the organisation. There is a need for governance at every level of life, starting with societal governance and going all the way down to corporate governance. He says that organisations have been slowly rolling out governance, which has resulted in boards of directors as well as other cadres of management undergoing training and workshops on the subject.
The term "corporate governance" refers to the way an organisation is managed and directed. "An owner investing in a new company would like to set up a structure so that their objectives are achieved," says Karani.
One of the objectives of corporate governance is accountability in an organisation in the use of assets, for example people and trucks. Corporate governance will also enable the organisation to comply with legislation and regulations such as the Kenya Communications Amendment Act (2008) and the UK Data Protection Act. The organisation also needs to manage its risks; it should not just consist of ambitious plans that do not address any risks that may arise. The business needs to plan for disasters such as IT failures, theft and hacking.
An organisation also needs strategic planning to act as a guide. Karani says that the IT department is not an enterprise in itself but a corporate organ; it therefore also needs a governance plan. Enter IT governance frameworks: "If a corporation has weak or immature governance, any objectives to achieve this will fail," he says.
IT governance determines how IT is managed and directed. "Corporate governance must be done in conjunction with IT. Without it, [there is a lack of] clear authority and accountability in the firm, coupled with asset and task duplication," he adds.
Setting up IT governance
The first step in IT governance is setting up an IT governance framework. This includes defining a strategic plan that defines the organisation's identity. The IT strategy must be aligned with the corporate strategy.
Policy plans, standards and procedures need to be defined since they guide people's conduct on a daily basis. For example, no major project should start without a bail-out or rollback plan.
Roles and responsibilities also come into play during setup of a governance framework. Their purpose is to define an accountability framework: when servers are down, it should be known when they went down, how and why. System changes should also come with detailed explanations, rather than a simple "it was a computer error."
Activities in IT governance
The second step in IT governance comprises the various activities that result in IT governance. This includes strategy making and alignment. Karani says that most organisations are run in a 'juakali' (ad hoc) manner where people just turn up and work. An organisation must define where it currently is and its future targets. IT should also be aligned with the business.
"Management is usually frustrated with IT because IT normally operates in its own 'cocoon'," says Karani. Another activity is the management of resources such as infrastructure, servers, software and licences.
Asset management is an activity that deals with financial concepts, which is important given that organisations spend significant amounts of money on IT. Asset management includes tracking and keeping an inventory of IT assets from a financial perspective. This will also include operational expenditure, as well as hidden costs such as depreciation and the increased cost of electricity incurred by running more IT equipment. Accountability should give an idea of who is responsible for assets such as a laptop when it is upgraded or repaired.
Performance measurements are activities for defining metrics that measure business plan adherence. "If you cannot measure it, you cannot manage it," says Karani. Targets also help people meet organisational objectives, and these should be business metrics rather than IT metrics. The organisation should define what its customers get from IT services, the customer being the business. These can be defined as key performance indicators and critical success factors, amongst other definitions. Karani says such metrics offer visibility on how things are being done, but more importantly they highlight variances and enable their correction.
To determine the value that customers get in the end, value delivery activities are put in place. Metrics here should document business requirements and needs. Karani states that value delivery is a major challenge, with most departments struggling to come up with a suitable definition.
The business also needs to protect itself from legal exposure by putting in place compliance activities. This ensures that the business is able to comply with IT-specific regulations and contractual obligations.
"IT governance is too important to be left to IT alone, it should be a corporate responsibility," advises Karani. It should serve the business and help achieve the corporate objectives. Its implementation affects decision-making rights and responsibilities.
Implementation of IT governance
"In practice," Karani says, "there should be several levels of governance." This may start with an IT management team within the IT department which is then overseen by an IT steering committee - a body that he maintains is the most important organ in IT decision making. The steering committee should consist of both IT and non-IT business representatives, the latter to stand in for the customer. The best practice is that senior business representatives such as the chief marketing officer, the chief finance officer and the head of procurement should all be part of the committee and should constitute a majority over IT representatives.
At the highest level of IT decision making is the board, since its members own or represent the organisation's owners. The board makes IT decisions that have huge implications for the business, such as those requiring significant capital investments.
The IT department should have a top-down structure. This structure should provide guidance on how work is done in IT, with documented processes to act as a guide. It should include formal processes, defined roles and responsibilities, and metric guides.
IT governance best practices can be obtained from industry guides such as the IT Infrastructure Library (ITIL), Control Objectives for Information and related Technology (COBIT) and the Committee of Sponsoring Organizations (COSO). COSO is a general-purpose corporate governance standard, but in this case it also applies specifically to IT. COSO was formed in response to the UK corporate scandals of the 1980s, when several organisations formed a committee led by Sir Cadbury of Cadbury Chocolate. The committee's report summarises that governance should begin from the top and has to be managed.
Karani advises that an organisation should carry out regular IT audits to determine its IT governance levels and whether structures are working. The audits can be carried out by either internal or external auditors.
Benefits of proper IT governance
Proper IT governance ensures that the business is in compliance with laws such as the various data protection acts, for instance the Health Insurance Portability and Accountability Act (HIPAA) in the USA. Regulatory bodies might also demand certain accountability procedures and processes from the business, and IT governance will help in complying with these.
By putting proper policies in place, the organisation is able to convince customers and other businesses of its high level of trustworthiness. The business saves money since it operates in a controlled environment where there is minimal resource misuse and better risk management.
There is a high likelihood of IT projects being successful when they are properly governed. Staff satisfaction is also high since individuals have clear roles and responsibilities and are aware of what they are accountable for. This can also result in low staff turnover. Most importantly, value delivery for the business is achieved since customers' expectations are known and met.
Furthermore, the IT department clearly knows its roles and the expectations placed on it, which reduces the chances of its services being outsourced due to non-performance or poor value delivery.