Nice to see you again. This week we will be talking about Governance, the first pillar of the GRC process. Governance is the foundation stone of GRC. To use an analogy, building Risk and Compliance without Governance is like trying to put a roof and ceiling on a house without first building the walls. You need a governance framework in your company before you can implement a risk framework, and you cannot demonstrate compliance without defined governance of your IT processes.
IT Governance can be described as the discipline that allows companies to align IT objectives with enterprise objectives, measure that alignment, and improve it based on those measurements.
We need to understand that Governance is not a committee, nor a one-off process carried out at a single point in time.
Governance means that alignment with corporate objectives must permeate the organization as a whole and persist throughout its existence. Setting up a governance department without proper executive sponsorship and the resources to reach every level of the organization is close to useless. It is a corporate effort, and everyone needs to be in the same boat, rowing in the same direction.
Two concepts closely related to Governance are ownership and responsibility. Ownership of the company objectives belongs not only to the shareholders but to all stakeholders of the company: the supply chain, collaborators, and of course the customers. Responsibility, on the other hand, is management's obligation to make critical decisions in accordance with the interests of all stakeholders.
Several domains make up IT Governance:
Framework: This is the link that ties IT objectives to corporate objectives, and it serves as the base for the company's IT strategy. Frameworks like ITIL®, COBIT®, and ISO/IEC 38500:2015 give IT departments standards and practices to follow. Beyond adopting a framework, organizations need an IT governance model in which roles, responsibilities, and accountability are clearly defined and enforced.
Strategic management: To fulfill company objectives, the IT strategy must follow the business objectives. Strategic planning is a vital tool for CIOs around the world; it includes defining metrics that track progress toward IT objectives and, through them, enterprise objectives. Balanced scorecards, together with an architecture model and project-based delivery, are strongly recommended.
Value: Nowadays, everything is about the value IT adds to the company. Cost reduction, internal rate of return, effectiveness, and continuous improvement are the measures that keep stakeholders interested in the value the IT function delivers to the organization.
Risk optimization: One of the main areas where IT governance exerts its influence is risk optimization. This means steering the organization to use technology not only securely but also in a way that lets the company achieve its strategic objectives by taking risks within its risk appetite. The goal is optimization, not elimination: refusing every risk also refuses the value IT could deliver.
Resource efficiency: To be efficient, IT requires the right resources (people, budget, infrastructure, and information) at the right time, managed in a way that allows IT to deliver value to the organization.
In next week's column, we will talk about ITIL® and how this framework can help organizations achieve successful and valuable results. Don't forget to comment with your impressions of this column and let us know your questions and feedback.