To build a successful GRC solution it is absolutely critical to get Management support for the GRC project. To achieve this, however, you must be able to demonstrate the value that GRC projects can add to the business. In this post we look at some essential governance concepts.
a. What assertions should IT Governance make?
• With strong IT Governance, Management will be able to manage IT more effectively and understand its VALUE for the company’s business processes.
• IT Governance serves as a foundation for building out other GRC components such as Risk Management and Compliance.
• Measuring how IT Governance adds VALUE, and providing the right metrics to measure its effectiveness, will support building a stronger GRC solution. Good reporting of IT governance performance is therefore essential to ensure that results are communicated to Management.
b. What are the key IT Governance Goals?
• IT must support the organization's business: it must ensure that IT goals and strategy support the business goals and strategy.
• Manage, assess and mitigate IT risk: processes must make the organization accountable for risk.
c. What is the starting place for IT Governance implementation?
GRC frameworks such as COBIT and ISO 27001 are a good starting point that provides guidance on the components that need to be developed. They also provide Management with assurance that tested methodologies are being adopted. While the frameworks are a good starting point, it is essential that they are customized to meet the individual organization's requirements and business requirements.
d. How do you implement IT Governance?
• Set up one or more committees, task forces or teams involving representatives from across the company. Typically we should ensure that there is adequate representation from the Board and Management, IT and business units, so that responsibilities are shared. Examples are the IT Strategy Committee, the Steering Committee, etc.
• Provide adequate documentation to support the functioning of these committees. Typically this would be part of the IT Policy, which provides direction on the scope of activities of these committees. It is important to know which committee(s) can make decisions. The document would provide answers to questions such as:
i. Who can decide on the IT projects that will be executed?
ii. How will these projects be funded?
iii. Who will monitor progress of projects?
iv. How are conflicts of interest resolved?
• Develop reporting on the functioning of these committees. Reports need to be defined with the intended audience in mind and should provide information on the outcomes of the various activities of each committee. For example, ISACA recommends the Balanced Scorecard.
e. What else do you need to do to implement IT Governance projects?
• Market a case for strong IT governance with statistics and metrics:
i. Metrics for loss event costs
ii. Metrics for project failure costs
iii. Quotes from Gartner, Forrester and internet sources on governance benefits.
• Show direct value to business processes:
i. IT Governance will fund the right initiatives and allow business managers to improve efficiency.
ii. IT Governance will involve executives in funding decisions.
• Enlist support and cooperation from other areas:
i. Internal Audit can be a source of support. Internal Audit support can build a strong case for Risk Management initiatives.
ii. Leverage an external auditor to give assurance and feedback on initial plans to build out IT Governance.
• Sell IT Governance to other managers:
i. A new trend is to have business process owners own the controls and the responsibility for managing them. Governance helps achieve this goal.
ii. Demonstrate the link that strong IT Governance helps with Compliance and SOX requirements.
f. What IT Governance Metrics are required?
• Project Metrics
i. The list of projects currently in progress and their status.
ii. Results of completed projects, indicating project successes and budget overages/savings.
iii. How projects were funded.
These metrics help you take stock of the situation and also provide a baseline against which to measure the effectiveness of the IT Governance initiatives that were implemented.
• Process Metrics
Sample process metrics include:
i. Identify Key Risk Indicators
ii. Losses from System outages
iii. Losses from Supply Chain Failure
Process metrics will help bolster the argument for GRC initiatives, as they lead to an argument for better procedures, increased training and maybe even a change in organizational structure.
• Risk Metrics (Financial & Technical)
Sample Financial Metrics include:
i. Profit and Loss from operations
ii. Losses from events/threats
iii. Losses from Frauds
Sample Technical Metrics include:
i. Hardware availability
ii. Network Uptime
iii. Data Volume