
IT Governance & Compliance

To make improvements, we first need baseline information about the state of the company: what the current state
of the various IT domains is and how they are managed. Based on that information we can design and create
roadmaps to improve and strengthen our current IT governance & compliance. Those steps can be summarized in the
following graph:

Identification
•Identify short and long-term goals
•Identify company's risk appetite
•Identify applicable regulations & standards

Analyse
•Evaluate current IT state and gather documents and evidence
•Perform gap analysis

Design
•Create roadmaps to achieve goals
•Adjust roadmap according to company's Risk Appetite & Goals

Implementation
•Implement roadmap according to timeline and prioritization

Monitoring
•Continuous monitoring
•Evaluate implementation to identify potential improvement points

1.1 Phase 1 - Identification

In this phase we identify basic information about the company. First we need to understand the business goals
of the company, both long-term and short-term. This is important because our IT governance goals will be driven
by them, and our goals should enable the business to reach theirs.

This phase is also where we need to understand what the company's risk appetite is: how far do the company's
goals go in terms of IT governance? Are we aiming to be the best in the industry in terms of IT governance?
Naturally, the more mature a company is, the more the risks it faces are minimized. On the other hand, getting
to a high maturity level costs money and manpower, since the company may be required to implement many
measures to achieve it.

Identifying regulations and standards is also conducted in this phase, since those regulations and standards
will be used to measure the company's current IT governance state. Applicable regulations and standards can be
identified from a data inventory or from the company's services. For example, GDPR for personal information,
HIPAA for health information, and PCI-DSS for credit card information. The types of services offered can also
affect which government regulations apply. With all those standards gathered we can create a toolkit with which
to measure the company's maturity in achieving its goals.

1.2 Phase 2 - Analyze

In this stage we have the toolkit to assess, and now it is time to fully assess the state of IT in the company.
There are many domains that need to be assessed. Using the toolkit we can identify weak points and strong
points, and gaps when compared to best practices and industry standards. If required, documents and other
evidence can be used to confirm current IT practices; this can also reveal further weak points in the current
IT governance.

In this phase we can also identify risks based on the state assessment. A risk can be a lack of process or a
missing inventory of important information; it can also be a missing control or a missing technical
requirement. Each of these carries its own risk and will need to be registered. Depending on its risk level
(Critical, High, Medium or Low), some risks might have to be addressed immediately.

1.3 Phase 3 - Design

After identifying all the gaps and weak points, this is where we create a roadmap to achieve our goals in
support of the business. The roadmap will contain the timeline and milestones that we want to achieve. It is
important to discuss the roadmap with all stakeholders to have proper design, implementation and support.

The goals that we want to achieve will also be adjusted according to the company's risk appetite: how far the
company wants to go and when it wants to get there. We can easily benchmark against other companies in
Indonesia, Asia, or even globally through market research firms such as Gartner and Forrester. By benchmarking
we can compare ourselves with other companies and set our goals based on that.

1.4 Phase 4 - Implementation

During this phase, we start to implement the roadmap that has been designed. Each milestone will be broken down
into smaller timeframes and executed according to the timeline. Each change implemented shall be documented for
future review. All implemented changes will be communicated to all stakeholders and awareness sessions will be
conducted. Changes will be broadcast through multiple channels to ensure total coverage of stakeholders and
users.

1.5 Phase 5 - Monitoring

After changes are implemented, we need to monitor them. Feedback is important in order to see whether what we
implemented has benefited the company or has created more issues for it. Gathering feedback from the
stakeholders is the important part of this.

Continuous monitoring is also important to check whether all the policies, processes, or controls that we
implemented are being properly executed and followed by all users and stakeholders.

All risks that were identified in phase 2 will also need to be monitored, and risk action plans need to be
executed accordingly, whether to remediate or to mitigate.

All these 5 steps can be applied to strengthen the company's IT in terms of management, governance &
compliance. This process can also be repeated yearly to track the progress of maturity improvements in the
company, so that the company can reach its target according to the determined timeline.
