grc-me.org: The International Standard for IT Governance places the responsibility to evaluate, monitor and direct IT Governance with the Directors. However, we don’t see too many Directors taking such an active interest in IT to the point of evaluating, monitoring and directing it. Is it a maturity level the organizations need to achieve? Your views.
Marghanita da Cruz: In my experience, it is quite the opposite. The members at the highest levels of organisations do take an interest in IT. They are well aware of the high level of risk associated with IT but also recognise that this risk reflects both opportunities for delivering significant value and threats to their business. What is also now well known is that many IT Projects simply run their course, with little chance of delivering any benefits, until the money runs out.
It is worth noting that in Australia, listed companies are required to keep their shareholders informed under a continuous disclosure framework. Annual Reports inform stakeholders about major projects and activities that may affect the value of the company; this may include the risks to their current business from developments in IT or a major IT-driven initiative being undertaken. Investors are aware of the significant opportunities and threats associated with IT and want to be kept informed.
grc-me.org: What could be some of the ways that CIOs can make Board members think and work along the lines of IT Governance?
Marghanita da Cruz: Only the directors or those with a whole picture of the organisation and its business are able to make informed decisions on where to direct resources. This direction may be to or away from particular IT projects or activities. In the past, too often IT projects have not been stopped or refocused early enough.
The International Governance Standard and its progenitor, the Australian Standard, aren't just aimed at the Directors of an Organisation. The Australian Standard for Governance of ICT is part of a series of Australian Corporate Governance Standards. These standards seek to assist those providing advice to understand the scope of their role. That is to keep the directors apprised and informed about the risks, uncertainty, opportunities and threats as they emerge, as well as options for dealing with these.
grc-me.org: In practice, the decision rights on key IT governance decisions such as IT Financial Investment decisions are not necessarily common across organizations, such as with a CFO or a Board, or steering committee etc. Do you think that for key IT Governance Decisions, there should be a standard model for decision rights?
Marghanita da Cruz: While financial decisions are easily understood, IT decisions have a wider impact than financial decisions and greater uncertainty. Good Decisions can only be made at the right levels.
Any Model needs to provide the flexibility as well as the capability to enable informed and timely decision making. There is also a need for good judgement about the impact of a decision and the level at which it should be made. For example, to ensure interoperability and inter-organisation exchange of information, decisions may need to be made at a country, industry or international level. Too much or too little investment can both be detrimental.
grc-me.org: What are your views on adopting COBIT as a guideline in adapting IT Governance?
Marghanita da Cruz: COBIT provides a decision and auditing model. As such it provides a basis for the operation of an organisation. Conformance with COBIT, ITIL (ISO 20000), ISO 27000, ISO 9000 or their equivalents should be a given.
However, the Corporate Governance of IT, as with finance and human resources, requires Performance as well as Conformance.
grc-me.org: We have heard from CIOs that adapting COBIT for IT Governance has been challenging because it is too detailed and they find it hard to attract the interest of the Board or Directors. What other measures or frameworks do you think they can adopt to establish appropriate IT Governance?
Marghanita da Cruz: COBIT, ITIL (ISO 20000), ISO 9000, Six Sigma and, to some degree, AS4360 (the Australian Risk Management Standard) were well established at the time the Australian Standard for Corporate Governance of ICT was being drafted. These management standards are useful, as once these types of quality systems are in place, organisations and boards can move away from the routine and focus on strategic issues that affect the viability and performance of the organisation.
grc-me.org: IT Governance was more or less a function of the leadership capabilities of the CIOs or a few CEOs / Directors for a long time before the practices and standards came on the scene. How important do you think the leadership factor is now?
Marghanita da Cruz: Leadership is still critical to the success of IT. Best practices and standards can only provide compliance and a solid base to work from. However, those championing IT projects need to negotiate opposition to change from within the organisation and design systems that will work in a global marketplace.
grc-me.org: How do we know what methodology or model of Governance suits an Organization?
Marghanita da Cruz: An interesting question. Organisations go through cycles. So, different governance models are required at different times.
It should also be noted that IT is a change agent, which produces paradigm shifts. Quality and incremental improvement methodologies such as ISO 9000, ISO 20000 and Six Sigma are more relevant after a new technology has been introduced, not so much in the identification, evaluation and implementation of new technologies.
The introduction of a new technology is a new business venture which requires good risk management and agility to succeed. By the time IT becomes routine it may well be obsolete.