At the time of writing this blog, TalkTalk experienced a massive DDoS attack. It was one of many exposures this week. Getting security right is key, but knowing where to invest requires more than security expertise: it requires good IT governance to “improve performance with a balanced framework for creating value and reducing risk.”
This is what all firms aim to do, yet why do they often fail to secure themselves or minimise adverse impacts? Because collectively we underestimate the impact of risk crystallization whilst believing that investment in security and controls is expensive. This is typical in firms that have three elements missing from the assurance framework:
1. IT governance integrated within corporate governance,
2. an appropriate enterprise assurance tool, and
3. carrying out risk assessment and assurance properly.
Corporate governance is key. Official definitions of corporate governance are long (for one of a number of good choices see the Applied Corporate Governance website). Mine is “doing the right thing in the right way with equitable treatment of all stakeholders”. Within that is the strategic and risk management element, “identifying the intended outputs and outcomes, and how to achieve them”, and the assurance element, “checking that these are being achieved without detrimental impact”.
Good governance is a strategic priority in its own right, needing to combine technical excellence – those skills and experiences required to produce the right outputs and outcomes – with institutional excellence – having capability to direct individual behaviours in a way that many (from chairman to doorman) act as one (the firm). COBIT 5 is the framework that addresses all the italicised aspects.
We need to dispel some myths:
• COBIT 5 is not just for IT or auditors. It is a comprehensive framework to assess governance and identify enhancements.
• COBIT 5 is not a prescriptive tool that you can implement. The framework guides business leaders through the governance process.
• Good governance is not a one-time fix. It is ongoing and must evolve as the business and its environment evolve.
• Achieving good governance takes time and effort. It is the ultimate business control and cannot be skimped. Just look at Volkswagen and remember BP, Enron and Arthur Andersen.
Understand the reality, too:
• Every organization is now an IT firm as well as producing goods and services.
• Each organization needs two, inter-dependent strategies covering business and IT.
• COBIT 5 provides a sound framework, focusing primarily but not exclusively on the IT elements. As IT underpins everything we do, by default it addresses many corporate governance issues too.
• Do not be put off by terminology that appears to exclude business issues. The read-across to a broader business approach is easy because IT will be the key tool for performing each aspect of the business.
Have a look at COBIT 5. ISACA members get full access but you can get temporary access.
There are five principles that cover the institutional aspects:
1. Meeting stakeholder needs.
2. Covering the enterprise end-to-end.
3. Applying a single, integrated framework.
4. Enabling a holistic approach.
5. Separating governance from management.
Looking at each of the aspects, technical excellence can be achieved by understanding the needs of stakeholders (Principle 1): customers, clients, staff, management, the board, the supply chain, the regulators and legislature. Anything that is mandatory can be seamlessly incorporated within business needs, for example collecting management information that is of use both to the board in determining progress, profit, risk and strategy, and to the regulator as demonstrable evidence that the firm is compliant.
The right outputs and outcomes become more likely if there is a clearer separation between governance and management (Principle 5) and if both are applied consistently across the organization (Principle 3).
There is no hard dividing line between governance and management. They are two halves of the same coin. Governance sets the firm’s strategic priorities and risk appetite, enabling boards to direct managers in achieving strategic and business objectives. Management implements the strategy through plans and operations, and by monitoring performance and results. Management is accountable to the board, the board to all stakeholders. The same people can do both so long as both are done. If the governance aspects are interpreted as an opportunity cost – too much ‘thinking’, not enough ‘doing’ – then crucial stepping stones to success are missed, such as clearly communicated business priorities, the level of risk the company is willing to accept, and the necessary contingencies to minimise risk impacts.
The COBIT 5 framework helps firms achieve institutional excellence by providing a holistic approach to good governance (Principle 4). Institutional excellence, as opposed to technical excellence, relies on the firm’s moral tone – the desire to add value to society – by providing goods and services as promised. So, no deceiving customers or regulators as per Volkswagen. No applying inequitable treatment to stakeholders, as per FIFA. The holistic approach checks that these extremes do not occur by examining the firm’s own principles and practices.
As all firms are ‘IT shops’ too, fragmentation between IT and corporate governance must be avoided. This has to be led from the top, else governance and management over business and IT will be as good as the most senior person interested in doing both well. The lower down the hierarchy this occurs, the greater the fragmentation. COBIT 5’s guidance on end-to-end governance covering both IT and the organization (Principle 2) helps solve these problems by encouraging the whole organization to be part of the solution.
An objective assessment of the firm, using COBIT 5, really helps firms achieve good governance for the whole enterprise, covering both IT and non-IT. The five principles will enable firms to optimise individuals’ strengths and reduce individuals’ weaknesses so that many can act as one.
For more information on COBIT 5 please refer to www.apmg-cyber.com/products/cobit5.
Author Sue Milton – originally published October 28, 2015