Alan Calder on IT Governance, information security & ISO 27001

It is interesting to note that the “spin-free” new administration of Gordon Brown may be making moves to sweep the NHS IT reform programme under the carpet. The recent resignation of the forthright Richard Granger at Connecting for Health has removed a lightning rod for the project and it is now reported that two of its most vocal government supporters have been moved to other roles.
Here is the striking thing: OGC (Office of Government Commerce) is the developer and owner of two world-recognised best practice frameworks: Prince2, for managing IT programmes and IT projects, and ITIL, for IT Service Management. Prince2 was developed to help government IT projects come in on time, to budget and on specification. ITIL focuses on the need to understand customer (i.e. user requirements) and to develop and deliver services that align with business needs. Both are part of a normal IT governance framework, and both have quite signally failed in the NHS Connecting for Health programme.

We’ve seen Grainger go, and others moved on, but we haven’t seen any overt attempt to rectify the governance failures that led to the current parlous situation in which a national project is behind timetable, over budget and not meeting specification. A delivery-focused government would start off by overhauling the governance framework put in place for this framework, not just on changing faces – maybe Brown and his ministers need a lesson – from one of their own departments – on how these things should be done.

IT Governance, as Jason Cole points out, is more than project management, more than regulatory compliance, more than CobiT or ITIL or ISO 27001.

It’s also somewhat more than his article suggests. There are three books that tackle this subject, a Weill and Ross book (How Top Performers Manage IT for Superior Results) from Harvard Business Press, a compact and concise guide for Directors (IT Governance: Guidelines for Directors) and IT Governance Today: a Practitioner’s Handbook.

Even more usefully, there is a new framework that pulls together all components of IT governance (the Calder-Moir IT Governance Framework) and the related IT Governance Framework – Toolkit that is designed to help organizations of all sizes make a start with tackling IT governance at their own pace and in their own way – and at a cost somewhat less than is likely to be extracted by a substantial consultancy provider.

With all these resources so easily available, there’s no need for anyone to wonder what IT governance actually is, or to work out how to get started with realising the real business benefits of implementing an IT governance framework.

Getting the best out of Information Technology is rightly spoken of as one of the most pressing responsibilities facing boards in the next five years. However, few organisations currently have the knowledge or skills to develop an appropriate IT governance response – instead, they often become unnecessarily reliant on (costly) outside advice.

Therefore, to help companies and their boards tackle this challenge, we have launched an IT Governance Framework Toolkit, which provides everything a business needs to create a best practice IT Governance regime. Companies will be able manage the entire process in-house and at less cost than a single day’s consultancy.

The Toolkit, which simplifies and accelerates the development of an IT Governance framework, has been created jointly by Steve Moir – a highly experienced IT governance consultant – and me, drawing upon my books ‘IT Governance: Guidelines for Directors’ and ‘IT Governance Today: a Practitioner’s Handbook’.

On a single CD-ROM, the Toolkit provides the full means to understand, organise, adopt and monitor IT Governance practice. Its 98 separate documents include templates, guidelines, checklists, questionnaires, slide presentations, assessments and planning tools, all of which have been specifically designed for the purpose. In addition, each Toolkit includes electronic copies of both of the above books, which offer plain-English guidance on all key aspects of the process.

The toolkit is priced at only £995.00/$1,810.90/€1,442.75, which includes a full online support service covering all aspects of the implementation process. To learn more or place an order click here.

The FSA Full Handbook quite clearly sets out the requirement for its 29,000 regulated firms to implement an IT governance framework. I quote:

SYSC 3A.7.5
IT systems
IT systems include the computer systems and infrastructure required for the automation of processes, such as application and operating system software; network infrastructure; and desktop, server, and mainframe hardware. Automation may reduce a firm’s exposure to some ‘people risks’ (including by reducing human errors or controlling access rights to enable segregation of duties), but will increase its dependency on the reliability of its IT systems.
SYSC 3A.7.6
A firm should establish and maintain appropriate systems and controls for the management of its IT system risks, having regard to:
(1) its organisation and reporting structure for technology operations (including the adequacy of senior management oversight);
(2) the extent to which technology requirements are addressed in its business strategy;
(3) the appropriateness of its systems acquisition, development and maintenance activities (including the allocation of responsibilities between IT development and operational areas, processes for embedding security requirements into systems); and
(4) the appropriateness of its activities supporting the operation of IT systems (including the allocation of responsibilities between business and technology areas).

Following the launch of our end-to-end IT Governance Framework, here’s a news item that underlines why it is necessary. Mercury Interactive, which develops governance packages, has done research that shows that only 2 percent of businesses are rolling out IT governance across the organisation. OK – good statistic, and doubtless the budgetary constraints that Mercury complains of are factors here. However, I don’t agree that the answer is necessarily just to shovel more of the IT budget into the open pockets of ‘catch-all’ vendors.

The reality is the IT governance is too complex and multifaceted for one or even a couple of smart vendors to be able to solve, no matter how much cash you give them. Instead, companies should look to understand how the various best practice tools already out there can be made to work more in synch with each other and with corporate strategy. That is what our IT Governance Framework is there for – and it’s free.

IT governance is a broad topic involving multiple disciplines, including information technology, risk management, project management, strategy, intellectual property, business design and compliance. Pity the poor IT governance professional trying to draw together the various responsibilities and tools relating to each area. Up to this point no single tool has provided a full picture of IT governance. In fact, collectively, existing tools have often given a confusing impression that actually hinders the purpose of IT governance: to equip boards with information and levers for directing, evaluating and monitoring how well IT supports their core businesses.

To address this problem we have just launched a new IT Governance Framework. It isn’t yet another tool – there are more than enough of those. Instead, it sets out an end-to-end process for integrating the IT governance roles and tools that apply to an organisation’s boardroom, executive and IT department functions. To our knowledge this is the first framework of its type in the world and should significantly help IT governance practitioners communicate to their colleagues what has to be done. Being generous souls we are making this available free of charge.

The IT Governance Framework is based upon our popular management book ‘IT Governance Today – A Practitioner’s Handbook’. It provides the basis for the forthcoming IT Governance Toolkit, which will provide a comprehensive suite of policies, procedures and task sheets to enable organisations to implement a comprehensive IT governance system that genuinely aligns IT with corporate strategy. We plan to release this in Q2 2006 so watch this space.

What is IT governance? What does it include or exclude? Who is responsible for it? These questions are frequently asked in the Blogosphere and elsewhere. Right now it’s the subject of some interesting discussion at Andrew Clifford’s IT Toolbox blog, which includes a good post by Andrew and some quality observations from others. However, the answers are less elusive than some debate suggests.

IT governance does have a formal definition: “IT governance is a framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensure that the organization’s IT supports and enables the achievement of its strategies and objectives.” (IT Governance: Guidelines for Directors, p20.)

Because it deals with all aspects of governance of IT, it includes system governance. Andrew is absolutely correct in identifying that there are significant systems issues – and I would argue that these issues exist primarily because of an absence of IT governance, in the sense that the organizational governance framework has failed to consider what information and, therefore, what systems requirements the organization will have.

IT governance should be owned by the board. It’s not an IT management responsibility any more than financial governance is a financial functional responsibility. Governance is the board’s job. The board is quite capable of governing IT, if it would only put its mind to it. There are a number of respectable IT governance frameworks that reflect this fundamental principle, including CobiT, the Australian Standard AS 8015:2005 and the IT Governance framework identified in ‘IT Governance Today: a Practitioner’s Handbook’.

The recently launched ‘Aligning Cobit, ITIL and ISO 17799 for Business Benefit‘ is a welcome step toward making IT governance more usable for most organizations. There has long been confusion over which of these three frameworks is really an IT governance framework; for an equal length of time, the answer has been that each is a component of such a framework, as I proposed in IT Governance Today: a Practitioner’s Handbook earlier this year.

While I’m delighed at this progress, there is (as I’ve already argued) further still to go in integrating and simplifying IT governance frameworks, and I will be taking this further in the 2nd edition of the Practitioner’s Handbook when it is published early next year.

Tony Lock writes interestingly about the Niku Corporation’s recent survey: 6 out of10 major European companies plan to deploy information governance and management solutions over the next two years.

It’s good news that such organizations want to effectively manage and measure IT performance; ensure that IT projects are prioritised in line with business needs; and that IT service delivery should be aligned with business requirements.

But it’s also old news: organizations have wanted to do that since the advent of computing as a key business tool.

The emergence of IT governance is to do with the “who” and the “how” of IT is governed – and at the heart of IT governance is the notion that the board should recognise its accountability around IT and structure itself so that it is able to properly discharge that accountability. And this most emphatically does not require the deployment of IT governance “solutions” – “solutions” have a long history of expensive (albeit fashionable) failure, and IT governance is about moving away from IT industry inspired “solutions” to a goverance framework that provides real IT leadership inside the organization.

Organizations that deploy “IT governance and management solutions” without having first created a board-led IT governance framework and environment will rue the day they allowed it to happen.