{"id":227,"date":"2009-04-30T12:28:01","date_gmt":"2009-04-30T06:58:01","guid":{"rendered":"https:\/\/www.qadit.com\/blog\/?p=227"},"modified":"2009-04-30T12:29:52","modified_gmt":"2009-04-30T06:59:52","slug":"essential-it-governance-concepts","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/essential-it-governance-concepts\/","title":{"rendered":"Essential IT Governance Concepts"},"content":{"rendered":"<p>To build a successful GRC solution it is absolutely critical to get Management support for the GRC project. To achieve this, you must be able to demonstrate the value that GRC projects add to the business. In this post we look at some essential IT governance concepts.<br \/>\n<!--more--><br \/>\n<strong>a.\u00a0\u00a0\u00a0 What assertions should IT Governance make?<\/strong><\/p>\n<p>\u2022\u00a0\u00a0\u00a0 With strong IT Governance, Management will be able to manage IT more effectively and understand its VALUE for the company\u2019s business processes.<br \/>\n\u2022\u00a0\u00a0\u00a0 IT Governance serves as a foundation for building out other GRC components such as Risk Management and Compliance.<br \/>\n\u2022\u00a0\u00a0\u00a0 Measurements of how IT Governance adds VALUE support building a stronger GRC solution, provided we also define the right metrics to measure the effectiveness of IT Governance. 
Good reporting of IT Governance performance is therefore essential to ensure that results are communicated to Management.<\/p>\n<p><strong>b.\u00a0\u00a0\u00a0 What are the key IT Governance Goals?<\/strong><\/p>\n<p>\u2022\u00a0\u00a0\u00a0 IT must help the organization\u2019s business: it must ensure that IT goals and strategy support the business goals and strategy.<\/p>\n<p>\u2022\u00a0\u00a0\u00a0 Manage, assess and mitigate IT risk: processes must make the organization accountable for risk.<\/p>\n<p><strong>c.\u00a0\u00a0\u00a0 What is the starting place for IT Governance implementation?<\/strong><\/p>\n<p>GRC frameworks such as COBIT and ISO 27001 are a good starting point that provide guidance on the components that need to be developed. They also give Management assurance that tested methodologies are being adopted. While the frameworks are a good starting point, it is essential that they are customized to meet the individual organization\u2019s requirements and business requirements.<br \/>\n<strong><br \/>\nd.\u00a0\u00a0\u00a0 How do you implement IT Governance?<\/strong><\/p>\n<p>\u2022\u00a0\u00a0\u00a0 Set up one or more committees, task forces or teams involving representatives from across the company. Typically we should ensure that there is adequate representation from the Board and Management, IT and the business units so that responsibilities are shared. Examples are an IT Strategy Committee, a Steering Committee, etc.<br \/>\n\u2022\u00a0\u00a0\u00a0 Adequate documentation to support the functioning of these committees; typically this would be part of the IT Policy, which provides direction on the scope of activities of these committees. It is important to know which committee(s) can make decisions. 
The document would provide answers to questions such as:<\/p>\n<p>i.\u00a0\u00a0\u00a0 Who can decide on the IT projects that will be executed?<br \/>\nii.\u00a0\u00a0\u00a0 How will these projects be funded?<br \/>\niii.\u00a0\u00a0\u00a0 Who will monitor the progress of projects?<br \/>\niv.\u00a0\u00a0\u00a0 How are conflicts of interest resolved?<\/p>\n<p>\u2022 Develop reporting on the functioning of these committees. Reports need to be defined with the intended audience in mind.\u00a0 Reports should provide information on the outcomes of the various activities of each committee. For example, ISACA recommends the Balanced Scorecard.<\/p>\n<p><strong>e.\u00a0\u00a0\u00a0 What else do you need to do to implement IT Governance projects?<\/strong><\/p>\n<p>\u2022\u00a0\u00a0\u00a0 <strong>Market a case for strong IT governance with statistics\/metrics<\/strong><\/p>\n<p>i.\u00a0\u00a0\u00a0 Metrics for loss event costs<br \/>\nii.\u00a0\u00a0\u00a0 Metrics for project failure costs<br \/>\niii.\u00a0\u00a0\u00a0 Quotes from Gartner, Forrester and other published sources on governance benefits<\/p>\n<p>\u2022\u00a0\u00a0\u00a0 <strong>Show direct value to business processes<\/strong><\/p>\n<p>i.\u00a0\u00a0\u00a0 IT Governance will fund the right initiatives and allow business managers to improve efficiency<br \/>\nii.\u00a0\u00a0\u00a0 IT Governance will involve executives in funding decisions<\/p>\n<p>\u2022\u00a0\u00a0\u00a0 <strong>Enlist support and cooperation from other areas<\/strong><\/p>\n<p>i.\u00a0\u00a0\u00a0 Internal Audit can be a source of support. Internal Audit support can build a strong case for Risk Management initiatives<br \/>\nii.\u00a0\u00a0\u00a0 Leverage an external auditor to give assurance and feedback on initial plans to build out IT Governance<\/p>\n<p>\u2022\u00a0\u00a0\u00a0 <strong>Sell IT Governance to other managers<\/strong><\/p>\n<p>i.\u00a0\u00a0\u00a0 The new trend is for business process owners to own the controls and take responsibility for managing them. 
Governance helps achieve this goal.<br \/>\nii.\u00a0\u00a0\u00a0 Demonstrate the link that strong IT Governance helps with Compliance and SOX requirements<\/p>\n<p><strong>f.\u00a0\u00a0\u00a0 What IT Governance Metrics are required?<\/strong><\/p>\n<p>\u2022\u00a0\u00a0\u00a0 Project Metrics<\/p>\n<p>i.\u00a0\u00a0\u00a0 The list of projects currently in progress and their status<br \/>\nii.\u00a0\u00a0\u00a0 Results of completed projects, indicating project successes and budget overages or savings<br \/>\niii.\u00a0\u00a0\u00a0 How projects were funded<\/p>\n<p>These metrics help you take stock of the situation and also provide a baseline against which to measure the effectiveness of the IT Governance initiatives that were implemented.<\/p>\n<p>\u2022\u00a0\u00a0\u00a0 Process Metrics<\/p>\n<p>Sample process metrics include:<\/p>\n<p>i.\u00a0\u00a0\u00a0 Key Risk Indicators<br \/>\nii.\u00a0\u00a0\u00a0 Losses from system outages<br \/>\niii.\u00a0\u00a0\u00a0 Losses from supply chain failure<\/p>\n<p>Process metrics help bolster the argument for GRC initiatives, as they lead to a case for better procedures, increased training and perhaps even a change in organization structure.<\/p>\n<p>\u2022\u00a0\u00a0\u00a0 Risk Metrics (Financial &amp; Technical)<\/p>\n<p>Sample financial metrics include:<\/p>\n<p>i.\u00a0\u00a0\u00a0 Profit and loss from operations<br \/>\nii.\u00a0\u00a0\u00a0 Losses from events\/threats<br \/>\niii.\u00a0\u00a0\u00a0 Losses from frauds<\/p>\n<p>Sample technical metrics include:<\/p>\n<p>i.\u00a0\u00a0\u00a0 Hardware availability<br \/>\nii.\u00a0\u00a0\u00a0 Network uptime<br \/>\niii.\u00a0\u00a0\u00a0 Data volume<\/p>\n","protected":false},"excerpt":{"rendered":"<p>To build a successful GRC solution it is absolutely critical to get Management support for the GRC project. To achieve this, you must be able to demonstrate the value that GRC projects add to the business. 
In this post we look at some essential IT governance concepts.<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[24],"tags":[],"class_list":["post-227","post","type-post","status-publish","format-standard","hentry","category-grc"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-3F","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=227"}],"version-history":[{"count":0,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/227\/revisions"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}