IT Governance
To make improvements, we first need baseline information about the state of the company: what the current state of each IT domain is and how it is managed. From that information we can design roadmaps to improve and strengthen the company's IT governance and compliance. The steps can be summarized in the following graph:
Phase 1: Identify
•Identify short- and long-term goals
•Identify the company's risk appetite
•Identify applicable regulations and standards
Phase 2: Evaluate
•Evaluate the current IT state and gather documents and evidence
•Perform gap analysis
Phase 3: Plan
•Create roadmaps to achieve the goals
•Adjust the roadmap according to the company's risk appetite and goals
Phase 4: Implement
•Implement the roadmap according to the timeline and prioritization
Phase 5: Monitor
•Continuous monitoring
•Evaluate the implementation to identify potential improvement points
Phase 1 is where we identify basic information about the company. First we need to understand the company's business goals, both long-term and short-term. This matters because our IT governance goals will be driven by the business goals and should enable the business to reach them.
This phase is also where we need to understand the company's risk appetite, which determines how far the company wants to go in terms of IT governance. Are we aiming to be the best in the industry? Naturally, the more mature a company's governance is, the lower the residual risk it faces. On the other hand, reaching a high maturity level costs money and manpower, since the company may need to implement many measures to get there, so the target maturity has to be balanced against the risk the company is willing to accept.
Applicable regulations and standards are also identified in this phase, since they are the yardstick against which the company's current IT governance state will be measured. Which ones apply can be determined from a data inventory and an inventory of the company's services. For example, GDPR applies to personal data of EU residents, HIPAA to protected health information, and PCI DSS (an industry standard rather than a law) to payment card data. The type of service offered can also determine which government regulations apply. With all of these standards gathered, we can build a toolkit for measuring the company's maturity against its goals.
The goals we set will also be adjusted to the company's risk appetite: how far the company wants to go and by when. We can benchmark against other companies in Indonesia, in Asia, or globally through market research firms such as Gartner and Forrester. Benchmarking gives us a comparison with peers and a realistic basis for setting our own goals.
Continuous monitoring is also important, to verify that every policy, process, and control we implement is actually executed and followed by all users and stakeholders.
All risks identified in phase 2 also need to be monitored, and their risk action plans need to be executed accordingly, whether the plan is to remediate the risk or to mitigate it.
These five steps can be applied to strengthen the company's IT in terms of management, governance, and compliance. The process can be repeated yearly to track the company's progress in maturity so that it reaches its target according to the determined timeline.