
Emerging Issues in IT Governance

Paul Williams
IT Governance Adviser
Protiviti UK

paul.williams@protiviti.co.uk
Agenda
• Corporate and IT governance – what is it, and why is it a
current issue for Boards, auditors and other risk
management professionals?
• Current drivers and inhibitors
• How should the Board address its IT governance
responsibilities?
• An emergent new profession?
• How can auditors and risk managers help?
Why is Corporate (and IT) Governance
Necessary?
The concept dates back at least as far as Adam Smith
(1776):
“when ownership and control of corporations are not fully
coincident, there is potential for conflicts of interest
between owners and controllers.”

Equally in today’s business world there often is a separation between those within the enterprise who provide funds to invest in IT related business activities and those whose responsibility it is to manage that investment.
Stakeholders with an interest
include….
• Shareholders
• Other suppliers of capital
• Market analysts
• The media
• Employees
• Trading partners
• Governments
• Society at large
The Bad News

MFI Share Price


More Bad News

Sainsbury Share Price


Enterprise & IT Governance

• Enterprise Governance
– The rules and processes through which business opportunities and risks are recognised and managed to ensure enhanced and sustainable stakeholder value.
• IT Governance
– The structure, oversight and management processes which ensure the delivery of the expected benefits of IT in a controlled way to help enhance the long term sustainable success of the enterprise.
MIT DEFINITION OF IT GOVERNANCE

We define IT governance as:


‘specifying the decision rights and accountability framework to
encourage desirable behaviours in the use of IT’
‘Governance is not about what decisions get made – that is
management – but it is about who makes the decisions and
how they are made.’

Peter Weill, Director MIT Center for Information Systems Research
According to MIT Research enterprises with the most effective governance achieve 40% better returns from their IT investments through…….

• Clarification of business strategies and the role of IT in achieving them
• Measuring and managing the amount spent on, and the
value received from, IT
• Assigning accountability for the organisational changes
required to benefit from new IT capabilities
• Learning from each implementation and becoming more
adept at sharing and re-using IT assets

IT Governance, Peter Weill and Jeanne Ross 2004


What is IT Governance?
1. Strategic Alignment
aligning with the business and providing collaborative solutions
2. Value Delivery
focus on IT expenses and proof of value
3. Resource Management
knowledge, infrastructure and partners
4. Risk Management
safeguarding assets and disaster recovery
5. Performance Measurement
IT Scorecards

[Diagram: IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Performance Measurement, Resource Management]

2005 Doing something about it

2003 Not doing something about it


Current IT Governance Issues and Drivers
• IT is central to business success
• The need to understand and manage all IT related
risks
• The need to optimise returns on IT related business
investments
• The need to deliver value from IT expenditure
• Ensuring that business maximises opportunities for
use of IT including new technologies
• The need to enhance understanding between IT
function and the business
• Ensuring appropriate IT capabilities
• Achieving legal and regulatory compliance
• …….and providing transparency and assurance that
all this is being achieved
Business Risk Model

The CEO and the Board need to identify and manage opportunity and risk across a wide spectrum of disciplines and functions – but information technology usually underpins and enables everything. Thus it is fundamental to business success and requires Board level direction and governance

© Protiviti
http://www.computerweekly.com/Articles/2006/07/04/216675/Banish+bafflement+in+the+boardroom.htm
(IT governance)….. must become dynamic and
sensitive to change. It too must have tolerance for
uncertainty and a commitment to continuous learning.
Those who implement decisions and deliver results
must be part of the decision-making process.

Extract from letter in Computer Weekly 20 June 2006




A role for non-executives?

Yes, but………..
‘This (IT knowledge) is an area where few, if any, of
our sample would have personal expertise to bring to
bear.’

Ernst & Young Non-Executive Director Survey 2006
