8/20/2019 A Thorogood Special Briefing IT Governance
1/114
IT GOVERNANCE: Managing Information Technology for Business
David Norfolk
A Thorogood Special Briefing
2nd edition
Thorogood Publishing Ltd
10-12 Rivington Street
London EC2A 3DU
t: 020 7749 4748
f: 020 7729 6110
w: www.thorogoodpublishing.co.uk
© David Norfolk 2011
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying, recording or otherwise, without the prior permission of the publisher.
This Special Briefing is sold subject to the condition that it shall not, by way of trade or otherwise, be lent, re-sold, hired out or otherwise circulated without the publisher’s prior consent in any form of binding or cover other than that in which it is published and without a similar condition including this condition being imposed upon the subsequent purchaser.
No responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication can be accepted by the author or publisher.
A CIP catalogue record for this Special Briefing is available from the British Library.
ISBN: 1-854187-45-7 (ISBN-13: 978-185418745-1)
Printed in Great Britain by Marston Digital
Other Titles from Thorogood Publishing
• IT Contracts: Effective Negotiating and Drafting – Rachel Burnett
• Managing In-house Legal Services – Mark Prebble
• Retention of Title – Susan Singleton
• Strategy Implementation Through Project Management – Tony Grundy
• Legal Protection of Databases – Simon Chalton
• Software Contract Agreements – Robert Bond
• Implementing E-procurement – Eric Evans and Maureen Reason
• Email – Legal Issues – Susan Singleton
Special discounts for bulk quantities of Thorogood books are available to corporations, institutions, associations and other organisations. For more information contact Thorogood by telephone on 020 7749 4748, by fax on 020 7729 6110, or email us: [email protected]
The author
David Norfolk BSc, MBCS, CITP, CEng, LRPS, joined Bloor Research as a Senior
Analyst for Development in 2007 and is now Practice Leader for Development
and Governance.
He has published research papers on Compuware Uniface, data integration, the
Artisan Studio software engineering tool, Capability and Maturity, Enterprise
Architecture and so on; and has spoken at many events (e.g. for the Intel software
community).
David is co-author, with Shirley Lacy, of a practitioner-focussed book on
Configuration Management, Configuration Management: Expert Guidance for
IT Service Managers and Practitioners, published by the BCS.
He first got interested in computers and programming quality in the 1970s,
working in the Research School of Chemistry at the Australian National University.
There he discovered that computers could deliver misleading answers, even when
programmed by very clever people, and was taught to program in FORTRAN.
He then worked in DBA and Operations Research for the Australian Public Service
in Canberra. Returning to the UK in 1982, David worked for Bank of America and Swiss Bank Corporation, where he occupied positions in DBA, Systems
Development Method and Standards, Internal Control, Network Management,
Technology Risk and even Desktop Support. He was instrumental in introducing
a formal Systems Development Process for the Bank of America Global Banking
product in Croydon.
In 1992, David became disillusioned with the way people issues were being
handled in City IT and decided to start a new career as a professional writer
and analyst. Since then he has written for many of the major computer magazines
and various specialist titles around the world. He helped plan, document and
photograph the CMMI Made Practical conference at the IoD, London, in 2005
and has written many industry white papers and research reports.
He is past co-editor (and co-owner) of Application Development Advisor; is
currently Executive Editor for Croner’s “IT Policies and Procedures” product;
and was Associate Editor for the launch of Register Developer.
David has an honours degree in Chemistry and is a Chartered IT Professional,
has a somewhat rusty NetWare 5 CNE certification and is a full Member of the
British Computer Society (he is on the committee of the Configuration
Management Specialist Group). He has his own company, David Rhys Enterprises
Ltd, which he runs from his home in Chippenham, where his spare moments (if
any) are spent on semi-professional photography (he holds the Licentiate
distinction from the Royal Photographic Society (LRPS) and is working on the
Associateship), sailing and listening to music – from classical through jazz to folk.
Read David’s blog, The Norfolk Punt, at http://www.it-analysis.com/blogs/The_Norfolk_Punt/
Contents
MANAGEMENT OVERVIEW: DRIVERS FOR IT GOVERNANCE vii
  Management issues in IT governance viii
  Definition of IT governance viii
1 CONTEXT: CORPORATE GOVERNANCE 1
2 EXTERNAL PRESSURES: WHAT REGULATIONS? 7
  The response to apparent governance failures 10
  Legislation affecting IT governance 13
  General legislation with IT governance implications 21
3 ORGANISATIONAL IMPACT 25
  Culture 26
  Organisational maturity 27
  Roles and responsibilities 32
  Practical experience of governance 34
4 THE IMPACT ON IT 39
  Enterprise Architecture 41
  IT Governance Standards 42
  IT service management 44
  Lifecycle systems development process 51
  Management reporting: Telling a true story 57
  Practical IT governance tools 59
5 IMPLEMENTING IT GOVERNANCE 65
  Obtain management sponsorship 67
  IT governance methodology overview 68
6 CONCLUSIONS 77
APPENDIX 81
  Resources 82
Management overview: Drivers for IT governance
Corporate scandals such as Enron and perceived issues such as storage of illegal
pornography on company servers, money laundering and terrorism have led to
a change in the way law is applied to ‘limited companies’. Increasingly, the buck
stops with the directors (including non-executive directors) of a company – who
are held personally responsible for the actions of their companies and, in some
cases, face huge fines and possible imprisonment. There is no doubt that this
has increased Board-level interest in IT governance, as corporate fraud, use of
corporate resources for illegal purposes, sexual and racial harassment increasingly
occur in the digital domain. The latest legislation means that a director who turns
a blind eye towards what is going on in his or her computers and to what may
be stored on company servers will probably find that ‘ignorance is no excuse’.
However, although this has been an immediate driver, a moment’s reflection will
assure us that IT governance is a very positive thing for a company. Increasingly,
computers are mission critical; increasingly a company couldn’t function without
its computers and much of the worth of a company resides in ‘digital IP’: intellectual
property in digital form. This includes not only digital documents but also company knowledge embodied in the algorithms implemented in computer programs and the models and ‘repositories’ that are used to analyze and validate business processes as part of software engineering generally.
If you are not in control of your IT resource, you are not in control of your company.
In the same way that your annual report is audited to ensure that it tells a ‘true
story’ about your financial position, your computer systems must be audited to
show that they tell a ‘true story’ in the management reports they provide, in the
databases they update and in the reports they send to your regulators.
Ultimately, you need to be a mature organisation with a measurement culture
– ‘you can’t control what you can’t measure’. You must have well-defined
organisational goals, measure your progress towards these goals and apply
corrections – feedback – if you aren’t getting closer to these goals. This is
commonly accepted in business, but a largely unconscious exception has
commonly been made in favour of the IT group. How do many organisations
truly measure the ROI (return on investment) from IT? How many organisations
accept IT projects that are ‘late, over budget and wrong’ as the norm? How many
managers know what their IT staff actually do? How many organisations don’t
accurately know how many PCs they have and what programs run on them?
How many organisations don’t have an overall picture of exactly what is stored
on their servers?
When the directors of such companies accept responsibility for what their
organisation does and how it does it, how can they do so with any confidence
at all? Such a state of affairs cannot be allowed to continue.
Management issues in IT governance
• Providing an organisational structure that allows Board-level management to set strategic goals and cascade these through the organisation down to the IT technicians implementing automated systems.
• Aligning IT strategy with business strategy; perhaps, even, making
IT an integral part of the business.
• Providing an effective communications infrastructure that enables two-
way communication (feedback) between all the stakeholders in the
governance process, both internal and external.
• Providing effective low-level enforcement of business-focused governance policies in the IT sphere.
• Enabling the effective identification of IT-related risk in the context of
business service provision, and the translation of IT risk mitigation
measures into a business terminology.
• Providing metrics for the effectiveness of IT governance.
• Identifying a return on the investment in IT Governance in terms of
‘better, faster, cheaper’ business systems.
Definition of IT governance
IT Governance is that part of corporate governance in general which ensures
that automated systems contribute effectively to the business goals of an
organisation; that IT-related risk is adequately identified and managed (mitigated,
transferred or accepted); and that automated information systems (including
financial reporting and audit systems) provide a ‘true picture’ of the operation
of the business.
References
References in square brackets, e.g. [8th DirCons, web], refer to entries in the
Resources appendix, at the end of this Report.
Chapter 1
Context: Corporate governance
“Modern capitalism – the model to which virtually
the whole world now aspires – is totally dependent
on high standards of governance.”
GEORGE COX, ERSTWHILE DIRECTOR GENERAL OF THE INSTITUTE OF DIRECTORS
According to George Cox when he was Director General of the Institute of
Directors, in the Introduction to the director’s guide to ‘corporate governance’
[IOD, 2004], “Modern capitalism – the model to which virtually the whole world
now aspires – is totally dependent on high standards of governance”.
What he means by ‘governance’ is the overall and rigorous supervision of
company management so that business is done competently, with integrity and
with due regard for the interests of all stakeholders. And this is important, not
for altruistic reasons but because investors wouldn’t buy shares in a company
(or, rather, they’d insist on a considerable discount) if it wasn’t run that way. As
Alastair Sim, Director of Strategy and Marketing at SAS, points out in his Foreword
to the same work [op. cit.], staying competitive involves maintaining investor
confidence. The best way to do this is to ensure the transparency of a company’s
operations to investors and other stakeholders, by supplying them with
appropriate and trustworthy information (with due regard to business
confidentiality) and this is one of the main concerns of corporate governance,
along with the need to comply with applicable laws and regulations.
In the UK, the law is defined by statute; statutory instruments, which implement
Acts of Parliament and can materially affect the impact of a statute; and is further developed in the courts by precedent – so determining exactly what the law says
is not always straightforward and taking expert advice is often a good idea. We
then follow a ‘comply or explain’ approach to governance. What this means is
that, for example, companies with a full London Stock Exchange listing have
to state that they comply with, for instance, the Combined Code (the consolidated
governance rules promulgated in June 1998) but can report exceptions in certain
areas, where they must explain the reasons for their departure from the rules.
The Combined Code [Combined Code, web] places great emphasis on the need
to manage risk, which is largely what the financial reports made available to
the various stakeholders are used for. As Peyman Mestchian (Director, risk
management practice, SAS UK) puts it, “the sensible company takes risks – but
not gambles”. You must take a holistic and objective view of risk – there is more
to worry about than just financial risk. Reputation risk, for example, is frequently
overlooked – until loss of reputation starts to affect the financial bottom-line,
when it is often too late to mitigate it (a reputation that took years to build can
be lost in months). The Turnbull Report guidelines to governance for companies
quoted on the UK stock exchange talk about the risk associated with market,
credit, liquidity, technological, legal, health and safety, environmental, reputation
and business probity issues, as well as financial risk. However, some risk is good
– you can’t avoid risk without forgoing the business opportunities associated with new kinds of customers, new technologies and new products. In fact, risk
avoidance is in itself risky as it limits your opportunities for profit, and doing
nothing is frequently the worst possible response to an emerging issue. What
is important is that commensurate rewards are associated with the risks that
you take, which implies that you have access to reliable information that lets
you forecast the rewards and assess the risks with confidence.
Corporate governance ultimately depends on the good functioning of the Board
of Directors – and, increasingly, non-executive directors are asked to take
responsibility for deviations from good governance. Quoting Kerrie Waring,
international professional development manager at the IOD [op. cit.], “A well
functioning Board is key to the performance of companies and their capacity
to attract capital. A well-established corporate governance framework should
ensure that Boards monitor managerial performance effectively to achieve an
equitable return for shareholders and uphold the values of fairness, transparency,
accountability and honesty.”
You could say that the prime objective of IT governance is to help rather than
hinder the Board in its governance efforts, as part of a dynamic partnership
between business and technology. (Technologists enable business; business
rewards technologists.) In many organisations, the IT function is seen as a bit
of a loose cannon, subject to different standards, responsibilities and controls
to the rest of the organisation; and, in the long term, this isn’t going to be good
for the careers of those employed by the IT function.
Corporate governance is often talked about in the context of publicly quoted
companies, because the shareholders in such companies form a wide and visible
set of stakeholders, and because stock markets underlie most economies these
days. However, similar considerations also apply to private companies, of course,
since although the stakeholders are different and the legal issues perhaps rather
simpler, the owners of the company still need access to reliable information as
to its operation.
Regulations in the USA, say, are generally more draconian these days – although
even Sarbanes-Oxley seems to be less prescriptive and more in the European
style than previous US regulations. This is actually an improvement, as it is harder
to merely comply with the ‘letter of the law’ if you can be assessed both on what
you consider to be appropriate internal controls and also on the effectiveness
of your implementation of these controls.
International corporate governance rules are also changing, but rules worldwide
seem to be generally moving in the same direction. Eventually, it is hoped that the mission statement of the International Accounting Standards Board (IASB)
will come to fruition and we will have ‘a single set of high quality, understandable
and enforceable global accounting standards that require transparent and
comparable information in general purpose financial statements’.
Which brings us to Information Technology (IT), since large amounts of
information are seldom stored, processed and retrieved manually these days. Your
financial reporting is only as good as the quality of the data reported. You must
be able to audit the lifecycle of this data from collection through to destruction:
you must be able to show where it comes from, who has access to it and that
any changes are properly authorised. IT can facilitate this: there is an issue with
the transparency of IT (few businessmen are completely comfortable with code
analysis) but business policies can be rigorously enforced in unambiguous
computer code and any risk of manual error mitigated. Well, up to a point –
‘garbage in = garbage out’ applies and IT systems only do what they are told to
do. This is, of course, a governance issue: the policies embodied in the automated
systems must be aligned with corporate policy, the instructions input to the IT
systems must be the right instructions, and the accuracy of the translation of these
instructions into code must be tested.
IT is also increasingly a major source of risk in companies:
• IT facilitates worldwide access to internal systems, increasing the
opportunity for fraud and data theft.
• The scope of impact of IT systems failure can be company-wide.
• IT projects are frequently an enabler for new business; in fact, IT systems
are increasingly central to the operation of many companies.
• Despite the importance of IT, according to the Standish Group Chaos
Reports [Standish, web], over 80% of IT projects come in late, over
budget or wrong (and frequently all three) – over a quarter are cancelled
before they are fully implemented.
The Board needs to recognise the risk factors affecting IT projects: very large
projects, visible projects, projects crossing geographical or departmental
boundaries, projects using new technology, and projects particularly dear to the
Board’s heart are all particularly risky.
IT development failures or operational failures are equally matters of corporate
governance. When Nick Leeson brought down Barings, there was a real failure
of banking governance – essentially, it simply isn’t good practice to allow traders
to make their own settlements. However, you can equally see this as partly an
IT governance issue:
• The technology is available to enforce governance policies including
separation of function.
• Positions and limits can be reported transparently to management.
• The calculation of settlements can be removed from the possibility of
human error.
What technology can’t do, of course, is to inculcate common sense in the Board
or counteract complacency or greed. Even so, increasingly, IT is being made
accountable for technology-driven business outcomes and a technical failure
that is allowed to affect the operation or reputation of a company is being seen
as a failure of corporate governance – as, of course, it is.
The next chapter looks at the legal framework underlying governance generally
in the context of IT governance specifically.
Chapter 2
External pressures: What regulations?
“I think the reason that we are seeing an increase in ITIL®
[say] over the last 9 months is due to Sarbanes-Oxley. They
have to look at it, it’s not a question of should we/shouldn’t
we, they do have to look at the process issues.”
THOMAS MENDEL, PRINCIPAL ANALYST, FORRESTER RESEARCH.
It is a mistake to see IT Governance as purely a response to external regulatory
pressures, as this engenders a fundamentally unsound attitude: governance
becomes seen purely as a cost, a cost of doing business, over which you have
no control.
In fact, IT governance should be seen as a way in which the Board can ensure
that IT resources are deployed and managed cost-effectively, in the pursuit of
business strategy. The ultimate aim of IT governance is better, faster, cheaper
business; that is, the assurance of business outcomes.
Nevertheless, one aspect of this is the transparency that ensures that all the
stakeholders in a business can satisfy themselves that the business is being carried
out honestly and ethically, in the interests of the business (and community) as
a whole, instead of the dysfunctional interests of particular parties. In the extreme,
IT Governance is about mitigating the risk of internal IT-assisted fraud,
probably a far greater potential disaster to a company than the high profile risk
of external hacking. The positive benefit from this transparency is that you can
demonstrate the probity and reliability of your company to third parties: business
partnerships will be easier to arrange (thus enabling greater automation of inter-
business processes or ‘straight through processing’) and raising investment capital
(from shareholders) should be easier.
Unfortunately, it must be apparent that corporate governance in general has
had a bumpy ride at the end of the last century and the beginning of this one.
The Bank of Credit and Commerce International survived conventional auditing
for years, despite being run as a criminal enterprise (a fact apparently known
to many inside the banking industry, where it was sometimes referred to as the
Bank of Crooks and Conmen International). It became apparent that many people
held more non-executive directorships than they could manage if they were really
overseeing the governance of the companies they held them with, and were
treating them simply as a rewarding perk; and then Enron threatened to make
the idea of corporate governance a joke.
Since a lack of confidence in the operational probity of commercial organisations
threatens the very fabric of international commerce, governments rapidly began
to investigate the issue of what proper internal control should be – and then to
tighten up regulatory legislation. This generally addressed corporate governance
in the widest sense but, unavoidably, had implications for IT governance
specifically.
Fortunately, most new legislation is no longer purely prescriptive (that is, it doesn’t
just specify a list of more-or-less arbitrary rules) but attempts to engender ‘good
practice’ and foster ‘organisational maturity’. A company that satisfies the spirit
of Sarbanes-Oxley, for example, will be a better-managed company, able to
measure the effectiveness with which it aligns IT objectives to business
objectives, able to demonstrate the effectiveness and honesty of its financial
reporting – and able to operate more cost-effectively as a result.
Even so, there is a lot of new legislation surrounding financial reporting and
internal control generally, which the IT group must be aware of. It is always going
to be more effective in the context of an evolving business and rapidly changing
technology if IT governance is built into automated systems from the start. This
means adopting a lifecycle development and maintenance process, which treats
regulatory requirements as equal in importance to the other business
requirements and implies that automated systems are tested against scenarios
derived from applicable legislation. In general, the IT group can expect business
stakeholders in an automated system to tell it what the regulatory requirements
are, but the IT analysts must question what they are told and ensure that automated
systems can satisfy ‘non-functional’ requirements for effective audit trails, access controls and systems resilience, which originate in governance-promoting
legislation. In turn, this means that they must be aware of what legislation exists
and what sort of controls it mandates, at least so they can have sensible
conversations with business managers as to what is needed.
The response to apparent governance failures
There are several commissions/committees etc. that have reported on corporate
governance and which provide a background to IT governance. Broadly speaking, these seem to have had wide influence, so that the Cadbury Report in the UK, for
example, may well influence US legislators formulating US legislation.
Committee of Sponsoring Organisations of the Treadway Commission (COSO)
As long ago as 1985, The National Commission on Fraudulent Financial
Reporting (the Treadway Commission) was set up under joint sponsorship by
the American Institute of Certified Public Accountants (AICPA), American
Accounting Association (AAA), Financial Executives International (FEI),
Institute of Internal Auditors (IIA) and Institute of Management Accountants
(IMA, formerly the National Association of Accountants) to address the issue
of fraudulent financial reporting. It resulted in the setting up of a task force under
the auspices of the Committee of Sponsoring Organisations of the Treadway
Commission (COSO) [COSO, web], which developed a set of practical, broadly
accepted criteria for establishing internal control and then evaluating its
effectiveness. In 1992, this issued the Internal Control-Integrated Framework,
commonly called the COSO framework, which has in turn influenced other
initiatives, such as COBIT (Control Objectives for Information and related
Technology) from the IT Governance Institute. COSO was developed in the USA
but has influenced thinking on internal control and governance worldwide.
COSO describes an internal control process, run by the Board with the co-operation of an organisation’s management, which addresses the need for:
• effective and efficient operational processes;
• reliable and truthful financial reporting processes; and
• compliance with all applicable laws and regulations.
Report of the Committee on the Financial Aspects of Corporate Governance (Cadbury Report, 1992)
This began the process of formalising corporate governance in the UK and
included a code of best practice. It was extended to cover, for example, corporate
pay by the Greenbury Committee.
Combined Code on Corporate Governance (UK)
In 1995 a review of corporate governance in the UK started under the
chairmanship of Sir Ronald Hampel, culminating in the Final Report: Committee
on corporate governance, issued in Jan 1998. In June 1998, this resulted in the
Combined Code [CC, web], which has more or less regulated corporate
governance in the UK since, although it has been developed further (see The
Higgs Review, below).
Organisation for Economic Co-operation and Development (OECD), Principles of Corporate Governance
These were first published in 1999 and updated following a consultation process
started in 2004, with representatives from, for example, business, trade unions
and governments. The principles assert such things as the right of investors to
nominate and elect company directors, question companies on their compensation
policy and to ask questions of the auditors. The OECD also expects Boards to
protect whistle-blowers by allowing them confidential access to someone on
the Board. The review process for the OECD Principles of corporate governance
is described at [OECD, web].
Bank for International Settlements (BIS), Enhancing Corporate Governance in Banking Organisations
The Bank for International Settlements (BIS) is an international organisation that
fosters international monetary and financial cooperation and serves as a bank
for central banks. The head office is in Basel, Switzerland and it has representative
offices in the Hong Kong Special Administrative Region of the People’s
Republic of China and in Mexico City. It was established in 1930 and is the world’s
oldest international financial organisation. The BIS report, Enhancing corporate
governance in Banking Organisations (1999) [BIS, web], is a useful summary
of the principles of corporate governance in 1999, referencing the Basel
Committee etc. The BIS site is generally a useful source of information on banking
governance.
Internal Control: Guidance for Directors on the
Combined Code (Turnbull Report)
The Turnbull Report was issued in 1999 and adopting its recommendations
[Turnbull, Web] is mandatory for companies quoted on the UK Stock Exchange,
but the recommendations are far from prescriptive, although companies will
find them sufficiently challenging. They call for Audit Committees to adopt a
broader role in corporate governance and reiterate that the Board should maintain
an effective internal control regime. This implies accuracy and transparency in
the IT reporting systems that must be a foundation of any such effort.
The Financial Reporting Council reviewed Turnbull in July 2004, which affects
accounting periods starting on or after 2006. This review found that the Turnbull
guidance still generally achieves its intended effect, in the light of UK and
international experience since 1999 although there are questions as to how far
it has succeeded in promoting the actual embedding of governance in business
processes. The Turnbull Review Group made only a small number of changes
to the Turnbull Guidance, one being that the board’s statement on internal control
should confirm that necessary actions have been, or are being, taken to remedy
any significant failings or weaknesses in internal control. Turnbull at present is
concerned with the spirit of corporate governance and isn’t very prescriptive;
it remains to be seen whether it becomes more prescriptive over time, along
the lines of Sarbanes-Oxley (which is more prescriptive and longer than Turnbull,
although less purely prescriptive than is usual with US regulations). The UK
Auditing Practices Board revises its bulletins on The Combined Code on corporate
governance: Requirements of Auditors under the Listing Rules of the Financial
Services Authority [APB, web] in the light of any changes to Turnbull; Bulletin
2004/3 was replaced with Bulletin 2006/5 in September 2006, and part of this is
superseded by Bulletin 2009.4, Developments in Corporate Governance
Affecting the Responsibilities of Auditors of UK Companies, issued in December
2009 (see the list of Bulletins at [APB, web], for example).
IT Governance Institute, Control Objectives for
Information and Related Technology
The Control Objectives for Information and related Technology (COBIT) is an
important framework developed by the IT Governance Institute in the context
of COSO and is built on the premise that the role of IT is to deliver the information
that an organisation needs in order to meet its objectives. IT Governance is then
the process that ensures that it satisfies this role adequately. A useful introduction
and overview of COBIT is contained in the Board Briefing on IT Governance,
from the IT Governance Institute [BoardBrief, web].
The Higgs review
Derek Higgs was commissioned by the DTI to review the role and effectiveness
of non-executive directors in the implementation of good corporate governance.
He reported in 2003 with a set of suggested changes to the Combined Code,
which was republished accordingly in that year.
The Combined Code is now under the auspices of the Financial Reporting Council
(FRC) and further changes can be expected as and when needed to ensure that
it remains relevant in the face of changing business conditions and technologies.
Legislation affecting IT governance
Legislation affects IT governance and it is important to actually read the legislation,
as well as any guidance notes or press releases. Many vendors seek to generate
sales from high profile legislation, and only by referring to the legislation itself
will you discover that there may be, for example, exceptions for smaller companies
or wider issues that make a vendor’s ‘silver bullet’ solution unlikely to be effective.
For example, ‘SOX kits’ are available which promise to deliver Sarbanes-Oxley
compliance – but in the absence of an active and well-understood process
framework it is unlikely that these will deliver more than compliance with the
‘letter’ of the law on the day that they are delivered. Since directors are supposed
to revisit internal controls whenever anything which might affect them changes,
it is likely that any ‘silver bullet’ will prove to be expensive in the longer term,
may well prove not to deliver the compliance with the spirit of the law that
regulators expect – and won’t deliver the organisational benefits possible from
a holistic approach.
Of course if you put in place the frameworks, processes and organisational
maturity necessary to comply with the spirit of Sarbanes-Oxley, say, you may
find a ‘silver bullet’ technology that meets your needs – but it is then hardly just
a silver bullet.
The main act affecting companies in the United Kingdom is the Companies Act
2006. This is the longest Act of Parliament ever enacted in the United Kingdom
(305,397 words) and it is supported by numerous regulations having the force
of law. In effect, it establishes an equivalent to the US Sarbanes-Oxley Act (see
below) in the UK. It is less prescriptive and detailed than SOX (UK companies
(unless registered on the US stock exchange or subsidiaries of US companies
etc) should concern themselves with the Companies Act before getting paranoid
about SOX), although the devil is in the detail of how the regulators and law courts
interpret the Act. The Companies Act 2006 affects (or is capable of affecting) IT
governance in many ways, but the following should perhaps be particularly noted:
Statutory registers
Each company is required to maintain and update as necessary a register of
members and certain other statutory registers.
Accounting records
A company must keep adequate accounting records sufficient to show and explain
the company’s transactions, to disclose with reasonable adequacy the financial
position of the company at any time and to enable the directors to prepare accounts
in accordance with the Act (s. 386).
Statutory accounts
Directors are required to use the accounting records to produce statutory accounts
that fulfil the legal requirements, and to prepare a directors’ report (and in some
cases other reports) that give prescribed information. These must be signed to
indicate that the directors accept responsibility. If an audit is compulsory or if
an audit has been commissioned even though it is not compulsory, the accounts
are then audited and the auditor will sign the audit report. In all cases, signed
accounts must be sent to every company member and to Companies House.
Obviously, IT systems must provide accurate information for these purposes.
Auditors’ rights
Auditors have a right of access at all times to the books, accounts and vouchers
of the company. They also have the right to require from directors, other officers,
employees and certain other persons such information and explanation as they
think necessary for the performance of their duties. Any person who, in making
any statement (orally or in writing) that purports to convey information or
explanations to the auditors in the course of their audit, knowingly or recklessly
makes such a statement that is misleading, false or deceptive in a material particular,
commits an offence punishable by a fine or imprisonment for up to two years
(or both). Failure to provide requisite information or explanations is also
punishable, unless the person concerned can prove that it was not reasonably
practicable to provide them (s. 501).
Company management, and its directors in particular, should think in advance
about the sort of information the auditors might need and ensure that systems
are designed to provide it (or can be easily modified to provide it) as and when
required. This policy then forms a ‘non-functional requirement’ for systems
development in general – which developers must be made aware of. Similarly,
the provision of robust audit trails for financial information becomes a general
non-functional requirement.
Further, the only practical way you can be sure that your policies concerning
the provision of audited financial information have actually been adopted in the
automated systems that you use, is to implement recognised ‘industry best
practice’ processes for the development of automated systems and the
operational management of the infrastructure that they run on – such as the
Dynamic Systems Development Method [DSDM, web] and the IT Infrastructure
Library [ITIL®, web] procedures. Beyond even this, a company might find that
process improvement (the ability to say what you are going to do, measure what
you actually do and apply changes to the process that reduce any gap between
aspiration and achievement) helps it to address regulatory criticisms in a cost-
effective way and to cope with changing circumstances. One recognised
process improvement regime for IT organisations is CMMI (Capability Maturity
Model Integration) from the Software Engineering Institute [CMMI, Web].
Statement in the directors’ report
The directors’ report must contain a statement from each of the company directors
at the relevant time, to the effect that there is no relevant audit information of
which the auditors are unaware (as far as the director knows), and that he or
she has taken all appropriate steps to make him or herself aware of such
information and to bring it to the attention of the auditors.
Directors’ duty to exercise reasonable care, skill and diligence
The Companies Act lists a number of directors’ general duties, including a duty
to exercise reasonable care, skill and diligence. The remedy for a claimed failure
in this regard is a civil action by the company against directors believed to be
at fault.
A director must exercise the degree of care, skill and diligence that would be
exercised by a reasonably diligent person with:
• the general knowledge, skill and experience that may reasonably be
expected of a person carrying out the same functions as the director
in relation to the company and
• the general knowledge, skill and experience that the director actually
has.
The director must meet the higher of the two requirements and it is interesting
to note that this duty follows the duty set out in Section 214 of the Insolvency
Act 1986.
As a practical example, it means that a non-executive director who is a well-
qualified and experienced solicitor must bring the care, skill and diligence expected
of such a person to a very small private company that operates a fish and chip
shop. On the other hand an unqualified and inexperienced director of a major
public company must meet the standard expected of a director of that type in
a company of that type.
It is relatively easy to set out the required standard, but it must of course be
translated into a myriad of individual circumstances, which may not be easy in
practice. Judges have in the past (especially in the distant past) taken a very
relaxed view about the standards expected, but the requirements have grown more
demanding over the years, and especially in recent years.
Directors are not expected to be experts in everything, which is an obvious
impossibility. They are expected to use common sense, give a reasonable amount
of time and effort to the company and to make suitable enquiries when necessary.
They are expected to do what may reasonably be expected of a director of that
type in a company of that type, and if they have particular skill, knowledge or
training, they are expected to use it. This means, for example, that if a director
is the Chief Technical Officer and a skilled programmer, he or she would have
some responsibility for poor IT systems that do not implement company policy
or which permit fraudulent practices.
Sarbanes-Oxley Act (USA)
Sarbanes-Oxley (SOX, [SOX, Web]) is US legislation but it is very high profile.
Mark Mitchell of Informatica has met UK companies that are not subsidiaries
of US companies or listed on US stock exchanges, that claim to have a strategy
involving Sarbanes-Oxley compliance. This is usually revisited when he points
out the likely cost of this (although there are reasons for pre-emptive compliance:
the prospect of takeover by a US company, perhaps). Effective IT governance
is a worthwhile goal but compliance with any regulations that don’t specifically
apply to you, without a clear business reason, is very unlikely to be cost effective.
Nevertheless, SOX does affect many UK companies. In the Netegrity Security
and Compliance Survey [op. cit.], however, only 15% of respondents thought
that it was important. It seems rather unlikely that 85% of UK companies are
neither listed on the NY Stock Exchange nor NASDAQ; nor are offshoots of US
companies; nor doing significant business with US companies (in which case
they’ll need to supply the information their partner needs to satisfy SOX); nor
likely to be taken over by, nor merge with, a US company.
Generally, SOX involves implementing an internal control framework such as
COSO (see above) – and only a recognised control framework that is established
by a body or group that has followed due process procedures, including the
broad distribution of the framework for public comment, will be accepted.
The essence of SOX compliance seems to be that you build a rod for your own
back. You must develop a defensible approach to internal control for your business
(and this can be criticised), and then you devise a defensible approach to internal
control for your systems and then you must demonstrate that you are adhering
to your own rules. In other words, it’s not simply a case of adhering to the rules,
there’s an effectiveness measure too (and this is more along the lines of European
regulatory practice).
The impact on IT is that it must facilitate this process, by building into its systems
and processes facilities that provide the information needed by SOX, the audit
trails needed to assure the integrity of this information, and so on. The IT Group
must also be aware of ‘Silver Bullet’ solutions: cosmetic ‘quick fixes’ for
compliance, that are a constant maintenance overhead when the business changes
[Faegre, web].
The two sections with most impact on IT are 302 and 404(a), which deal with
the internal controls that should be in place to ensure the integrity of a company’s
financial reporting and this will impact directly on the software that controls,
transmits and calculates the data used to build the company’s financial reports.
SOX SECTION 302
Since August 29, 2002, Section 302 has made CEOs and CFOs commit to the
accuracy of their company’s quarterly and annual reports. They must state:
1. That they have viewed the report.
2. That to the best of their knowledge, the report contains no untrue
statement of a material fact and does not omit any material fact that
would cause any statements to be misleading.
3. That to the best of their knowledge, the financial statements and other
financial information in the report fairly present, in all material aspects,
the company’s financial position, results of operations and cash flows.
4. That they accept responsibility for establishing and maintaining
disclosure controls and procedures, and the report contains an
evaluation of the effectiveness of these measures.
5. That any major deficiencies or material weaknesses in controls, and
any control-related fraud, have been disclosed to the audit committee
and external auditor.
6. That the report discloses significant changes affecting internal controls
that have occurred since the last report, and whether corrective actions
have been taken.
There are serious civil and criminal penalties for making untrue statements in
the areas above, so C-level executives are placing considerable trust in the integrity
of their IT systems and the people developing and supporting them. Which means
that they will start taking an interest in the IT process and that this will likely
become seen as an area C-level executives worldwide should be interested in
– even if SOX isn’t involved.
SECTION 404(A)
If Section 302 might have onerous implications for executives, Section 404 sets
out the rules in detail (and you should check the Securities Exchange Commission
(SEC) website [SECSOX, web] for the latest details and implementation dates).
In September 2003 the SEC said, “We recognise that our definition of the term
‘internal control over financial reporting’ reflected in the final rules encompasses
the subset of internal controls addressed in the COSO Report that pertains to
financial reporting objectives”.
The SEC expects to see an Internal Control report in a company’s annual report
that:
• states that company management is responsible for establishing and
maintaining adequate internal control over financial reporting for the
company;
• identifies the framework against which the effectiveness of this
internal control is assessed by management;
• assesses the actual effectiveness of a company’s internal controls in
practice, as at the latest financial year-end; and
• states that the company auditor has checked out the management’s
assessment of its internal controls.
Not surprisingly, perhaps, in view of its general findings, the Netegrity Security
and Compliance Report [op. cit.] found that about a third of those that thought
SOX was important (only 15% of the total, remember) weren’t spending any
money on technology to facilitate compliance with Section 404; and a further
third were spending less than £50,000. In the light of this, it will also be no surprise
that almost 90% of them either weren’t sure that they’d manage to get their
internal controls accredited against SOX, or thought it not likely. Leaving aside
the question of penalties, is it possible that prospective partners in, investors
in, or purchasers of a business, might think a business that couldn’t satisfy SOX
Section 404 represented an increased risk over investing in, say, a more compliant
organisation? One would certainly think so.
The 8th EU Statutory Audit Directive
The EU Statutory Audit Directive (revised from the 8th Company Law directive)
is the European equivalent to Sarbanes-Oxley [8thDirCons, web] and has been
progressively implemented since 2006; the position early in 2010 (see the
Scoreboard on the transposition of the Statutory Audit Directive (2006/43/EC)
published by the EC [EUAuditDir, web]) was that the vast majority of EU member
states had incorporated the Directive in their law. In the UK, it is implemented
through the Companies Act 2006, as amended by the Statutory Auditors and
Third Country Auditors Regulations 2007 (SI 2008/3494) etc.
The UK regulators are generally interested in balancing principles and detailed
rules (presumably this reflects UK concern with the spirit rather than the letter
of company law) and the principles of subsidiarity and proportionality.
The UK ICAEW, for example, is liaising with UK Government, the European
Commission and other stakeholders on the implementation of this Directive in
the UK [see ICAEW, web]. James S Turley, Chairman and CEO, Ernst and Young,
sees this Directive as a welcome step towards global corporate governance
standards. It certainly underlines the global nature of commerce today and hence
the need for global regulation.
Basel II and the EU’s CRD
The Basel Committee on Banking Supervision issued a revised framework for
capital adequacy (credit risk management) generally known as the Basel II (or
Basel 2) accord in June 2004. This came into full effect in 2007. In July 2004, the
European Commission published a Capital Requirements Directive (CRD) to bring
Basel II into European Union (EU) law.
Basel II had a significant impact on banking processes and the IT systems that
implement and support them – largely in the area of credit risk profiling and
monitoring. The UK FSA issued a consultative paper ‘Strengthening capital
standards’ in January 2005 (consultation closed at the end of April 2005), putting
forward the options for implementing CRD in the UK.
Basel II is of great importance to banks, but probably won’t affect companies
in general very much. However, for financial institutions, Basel II has some quite
subtle implications. Especially as some financial observers think that banking
is all about the serious business of trying to evade the spirit if not the letter of
the new accord, without being ambushed by the small print. Risk management
is not particularly deterministic and the new rules may simply mean that risk
is transferred to less (or differently) regulated subsidiaries. This could certainly
result in some challenges for the IT group – a need for rapid changes to financial
systems as risk arbitrage opportunities arise and disappear. This will be an
environment not especially friendly to IT governance (higher levels of
capability/maturity may not be particularly appropriate, for example) but business
needs must rule and IT risk must still be managed (look what happened to Barings
when controls were relaxed for a new business environment and a dealer was
able to make his own settlements).
As predicted in the first edition of this report, issues with Basel II in practice
resulted in development of what is generally being called Basel III, which the
G20 is talking about finalising in 2011 and implementing in 2012.
This is undoubtedly being driven by the near collapse of the banking system in
recent years and is likely to attempt to regulate definitions of tier 1 capital (which
constitutes the most commonly cited financial strength metric for a bank) and
necessary capital buffers, allowable leverage ratios, measures to limit counterparty
credit risk and short/medium term liquidity ratios.
However, some banks are resisting more regulation as it might impede their ability
to function (although some might see that as no bad thing) and in Sept 2010, the
FT reported “German banks try to fend off Basel III” [FT, Web]. The implication
for IT organisations in the Financial Services and Banking industry is that the
regulations that their systems will have to enforce (and the degree to which they
will be enforced in practice) are by no means defined yet. This is a lesson for IT
generally: automated systems must be defined so as to support whatever
regulations are in force (this is a definite requirement to analyse even if a system’s
sponsors sometimes forget to mention this) but they must be particularly flexible –
agile – in this area as regulations are never set in stone and can move rapidly up
senior management’s agenda in response to particular crises or scandals.
General legislation with IT governance
implications
A great deal of legislation has implications for the design and implementation
of IT systems – and always remember that IT isn’t a special case. The Internet,
for example, is often thought of as unregulated, because much legislation was
formulated before the Internet came along or without any particular reference
to it. In truth, however, it is over-regulated, since existing legislation usually applies
to it anyway, whether appropriate or not. Of course, some of this legislation
would be very hard to enforce, but inappropriate legislation that is only erratically
or arbitrarily enforced is hardly a sound basis for electronic or computer-
supported commerce.
One of the objectives of corporate governance in the COSO framework is
‘compliance with all applicable laws and regulations’. In the IT world, this means that
you must address, at least (the list isn’t exhaustive):
• The Freedom of Information Act (UK) [FI, web] or the equivalent in
other countries. This does only apply to government services, but it
will affect the design of information storage and retrieval systems for
such services (not only must information be retrievable but the
performance impact of this must be considered).
• Data Protection regulations; for example, the Data Protection Act (UK)
[DPA, web] and legislation throughout Europe enforcing the EU Data
Protection Directive. Not only must you protect personal information,
which you can only collect and use for specified purposes, you must
destroy it securely when it is no longer needed and provide facilities
for the subjects of personal data to access and correct it. A particular
issue for many global automated systems that may start to rely on ‘Cloud
Computing’ technology, where the location of data at any particular
time is not well defined, is that you are probably in breach of EU data
protection regulations if data is stored or transmitted outside of EU
borders.
• Intellectual Property (IP) protection; for example, the UK Copyright,
Designs and Patents Act and others [CopyRight Act, web]. In many cases,
the most valuable property in a company is its IP and it is particularly
hard to manage technology IP, because a lot of it is still in people’s heads.
An important related issue these days is software licensing. Unlicensed
software may have been ‘hacked’ crudely and made unreliable, or even
insecure, although it is hard to see that this makes it much worse than
some legitimate products. However, it is illegal and the activities of
organisations such as the Business Software Alliance [BSA, web] or
FAST (the Federation Against Software Theft) [FAST, web] make even
unintentional use of unlicensed software unacceptably risky. In January
2004, The Federation reinforced its use of criminal proceedings to crack
down on the misuse of software under s.109 of the Copyright, Designs
and Patent Act 1988. Companies have been prosecuted even while in
the process of addressing their licensing issues, and the interruption
to business (from confiscated computers etc.) and loss of reputation,
may be a bigger problem than the fine.
• Health services and pharmaceutical regulations such as, for example,
the US Health Insurance Portability and Accountability Act of 1996
[HIPAA, web], and various pharmaceutical industry regulations
worldwide. The pharmaceutical industry is particularly highly regulated.
• Telecommunications regulations such as the Regulation of Investigatory
Powers Act (RIPA) [RIPA, web]. This impacts the interception of
electronic communications and the use of encryption technology.
• The Health and Safety at Work Act in the UK [HAS, web]. This applies
to workers in IT just as much as anywhere else. It isn’t perhaps an IT
governance issue, exactly, but it is important to remember that IT
workers are not exempt from Health and Safety issues – and some of
these (the impact of computer monitors on eyesight and Repetitive
Strain Injury (RSI) from keyboard use, for example) are particularly
related to computer use.
• The WEEE Recycling Directive [WEEE, web]. This probably won’t
impact end-users of IT much, but it may impact Operations, as most
electronic equipment must now be recycled when it is disposed of
(luckily, the vendor probably has to arrange this).
• The Disability Act, 1995 [Disability, web]. Again, like Health and Safety,
IT organisations are not exempt. In particular, web sites must be
designed to facilitate access by the differently abled. The key standard
in this area is probably the Web Content Accessibility Guidelines 1.0
(1999; work continues on these and a Working Draft 2.0 was produced
in 2003), created by the Web Accessibility Initiative of the W3C [WCAG,
web].
• Anti-Money Laundering legislation, which (in the UK) is embodied in
several pieces of primary legislation: the Criminal Justice Act 1988
(as amended), the Drug Trafficking Act 1994 and the Terrorism Act
2000 (as amended). This largely, although not exclusively, affects banking
and financial organisations, which must make Suspicious Transaction
Reports (STRs), if money laundering is suspected, to either the law
enforcement authorities or to the relevant Money Laundering
Reporting Officer (MLRO).
Obviously, automated financial processing systems may have to
recognise suspicious transactions and this may impact IT systems design;
there is also a possibility that STR processing may appear to conflict
with the requirements of the Data Protection Act (since ‘tipping off’
the subject of an STR is illegal) and this may also have an impact on IT
systems design or operation [STR-DPA, web]. Anti-Money Laundering
legislation introduces its own risks too – what should a bank do if it
finds that its best and most profitable customers are probably money
launderers but it can’t really afford to lose their business?
Publications such as Gee’s IT Policies and Procedures [ITPP, 2004] attempt to
guide subscribers on the current state of such legislation and are regularly
updated, but you should always take professional advice as to the exact
implications of legislation, if it affects you specifically. It is perhaps not directly a part
of ‘IT Governance’ per se but it is sometimes worth remembering that it’s a very
good idea to avoid expensive court cases wherever possible (investigate
‘alternative dispute resolution’) and, in particular, to avoid becoming a test case for
new regulations. It is indeed possible that regulatory compliance may be
implemented in the software driving the business but be very careful about this.
Ultimately, the effect of regulatory law and its associated enabling legislation
is what a court decides it is, not what seems reasonable to technically
competent lay-readers of legal material. Even an expert legal opinion is not binding
on a future court.
In the next chapter we look at the impact of IT governance on the organisation
in general.
Chapter 3
Organisational impact
Culture
Organisational maturity
Roles and responsibilities
Practical experience of governance
Chapter 3
Organisational impact
Culture
Good IT governance doesn’t exist in a vacuum. However experienced your IT
staff are, and however good the practices they follow, you don’t have good IT
governance unless these practices are institutionalised as part of a formal process
that is regularly assessed and updated in the light of changes to the business
or technology.
If you just ‘do it right, because that’s how we do things’, even if you are successful,
how will you convince the auditors or regulators that you weren’t successful
purely through luck and that you will continue to do things right? Well, you’ll
have to conduct a review for them (or give them access to conduct their own
review) that lets them discover all your critical processes and determine that
they are properly controlled. This will be expensive, especially if you delegate
it to an external party – and you’ll have to do it all over again if the business,
the technology or even the interested party changes. This is not an efficient use
of resources and you can hardly claim to have implemented good governance
if it is based on such an ad-hoc set of processes. Consider also that time and
resource pressures applied to a process that, essentially, repeats the same
evaluations over and over again will result in omissions and superficial
assessments.
An organisation that wants to implement good IT governance must have a
supportive culture behind this. This means a culture that institutionalises good
practice processes in pursuit of clearly defined organisational goals, and
encourages buy-in to these goals at all levels.
However, you can imagine a company that employs the best (or most expensive)
people taking the view that “what kept programmers from reaching their full
potentials were managers who tried to impose standards, expectations or
restrictions” (quoting from Larry Constantine’s description of the state of affairs
at the fictional Nanomush, in ‘Constantine on Peopleware’ [Constantine, 1995]).
Such companies are fairly common in the software industry and they usually
enforce any regulatory rules with draconian disciplinary procedures, once they
have been brought to their attention. So, if you’re caught using someone else’s
intellectual property in your IT systems, unlicensed, or you find fraudsters using
a back door into your production systems, left there so that programmers could fix bugs
faster, do you simply sack the person responsible for that bit of the system (if
they are still working for you) and hope that the issue goes away? Of course, it
doesn’t – the lawyers carry on seeking damages or whatever; you’ve lost the
free spirits who built your code without wasting time on documenting what they
did and the rest of your staff think you’re victimising the unfortunate sacked
programmers, who were only doing what their culture expected anyway.
In this situation, you then start worrying about what other surprises await you,
because if leaving programmers free to do their own thing has given you one
problem, you have no means of assuring yourself that others haven’t taken similar
risks. Typically, after one bad experience, you start mandating compliance with
some source of ‘best practice’, telling your programmers ‘to get it right or else’
which, since you are trying to change their culture, probably won’t go down
very well (you may lose the best of them and keep the ‘dead wood’ that can’t
easily get a job elsewhere). You’ll find that you can’t just mandate compliance
with anything outside of a military organisation – and, in fact, military
management practices are usually fairly enlightened because even under military
discipline the people at the sharp end can work around your mandates (and
also because, possibly, battlefield soldiers have the ultimate sanction available
against bad managers).
Unless you are the sort of company that sets goals before taking action, that
measures the impact of its actions relative to those goals and then changes what
it is doing to reduce the gap between its aspirations and what it actually achieves,
then attempts to achieve good IT governance are probably doomed to failure.
This culture of measurement and continuous process improvement is largely
what is meant by ‘organisational maturity’ – although in our ageist society,
companies often prefer to aspire to being ‘adaptive’ rather than ‘mature’.
Organisational maturity
As Constantine points out [op. cit.], “Maturity is a central issue for the field of
software development. Methodologists are wondering how long it will take for
software engineering to mature as a discipline, managers are concerned about
the level of ‘process maturity’ in the approaches to development used within
their organisations, and project leaders wonder about the maturity of the
individuals whom they are called upon to lead”. But it’s a concern in many more
fields than just software development. Firefighting system failures may be fun
and, in some organisations, you may be rewarded for the loyalty and dedication
firefighting at 03:00 demonstrates – even if you’re responsible for the problem
you’re fighting (you probably delivered really fast and got rewarded for that too).
However, most business users would prefer you to take a more mature
approach and not put the problem there in the first place (or, at least, observe
its appearance and pre-emptively nip it in the bud).
This concern for ‘maturity’ is really driven by a desire for a quiet life, without
surprises and embarrassments. Allegedly, the Software Engineering Institute
at Carnegie Mellon started looking at capability and maturity in IT software
development because someone at a party to celebrate the first moon landing
noticed that we could put a man on the moon but couldn’t build software that
worked reliably. It started to develop a Capability Maturity Model for Software
that an organisation could use as a target to assess the maturity of its software
delivery processes against. It then found that there was a need for other process
maturity models and, to avoid the management issues of multiple assessments,
came up with the Capability Maturity Model Integration (or Integrated, in older
references) – CMMI.
CMMI is proving popular, both as a way of an organisation internally
benchmarking its own ability to deliver and, perhaps unfortunately, as a marketing
tool for organisations striving to distinguish themselves in a competitive
marketplace. However, you don’t have to have CMMI in order to be a mature
organisation, it’s just a good framework to work within (and you do really need
an external benchmark to manage your progress against). ‘Passing’ a CMMI
appraisal (actually, there’s no ‘pass’ in the certification sense, you just get
appraised) doesn’t guarantee good governance – it may simply show that your
lack of governance is deliberate and that your management should be aware
of this (which is, actually, a good start). However, mostly, what you measure (and
this does apply to process) you try to do well.
CMMI
We must stress that we are not really discussing formal CMMI process
improvement initiatives here – they’re a whole different topic and deserve a report
in themselves. However, we are using CMMI as a framework within which to
talk about the maturity necessary for good IT governance. It is a convenient way
to categorise the levels of maturity in an IT organisation, but we must apologise
to serious CMMI practitioners for taking a rather superficial view of the subject.
You should also remember that although CMMI deals with more than just
software development, it doesn’t cover every aspect of an organisation, even if
its levels could provide a convenient shorthand for describing maturity in areas
where CMMI proper doesn’t apply. For those seeking more information, refer
to the CMMI web address in the Resources Appendix [CMMI, web].
CMMI is commonly seen as a five-stage process, with organisations progressing
through the stages in turn, although there is also a continuous representation,
which allows an organisation to be at a different capability level in different process
areas at the same time (and CMMI experts often find this a more productive
way to look at real organisations). The staged representation is easier to follow
as a basis for discussion of maturity. The stages are:
5 The institutionalisation of continuous process improvement through
proactive process measurement.
4 The use of quantitative process metrics, at the organisational level, to
manage and improve the process.
3 The availability of managed process at an organisational level.
2 The availability of managed process at a project level.
1 The ad hoc application of process.
Level 1 doesn’t mean that you have no process or that projects always fail or
that nothing good happens – a common misconception. However, at Level 1 any
successes can’t be guaranteed – they may depend on particular people or circum-
stances and a way of working in one project that delivers success may be
abandoned or, at least, not used somewhere else, simply because management
doesn’t recognise what it has. It is hard to see how you can claim any great degree
of IT Governance at the equivalent of CMMI Level 1.
Going from Level 1 to Level 2 can be quite onerous, because it involves recognising
and documenting what you have – and that often brings you up against the usual
people issues as your IT ‘mavens’ may feel that documenting what they do and
sharing it with others diminishes their value in the organisation. At Level 2, you
are starting to have a degree of IT Governance – and, remember, that we are
only using the CMMI Levels as a framework for describing maturity levels. You
may effectively be at something corresponding to CMMI Level 2 as far as IT
Governance is concerned, even if you aren’t formally implementing a CMMI
initiative and haven’t undergone CMMI assessment (just don’t claim to be at
CMMI Level 2 unless you do undergo proper appraisal, undergo regular re-appraisals
and publish the appraisal class – A, B or C – and its scope).
CMMI Level 3 is probably as far as you absolutely need to go for IT Governance
– which is not to say that going further doesn’t bring advantages and even better
governance. However, at Level 3, you not only know what you have and know
what you are doing with it, you are managing your IT resource at an
organisational level and making basic measurements of the effectiveness of your
management, which you can use to improve it.
At what corresponds to Capability/Maturity Level 3, which includes Level 2, you
should have, at least:
• Asset management in place, including management of information,
infrastructure and application assets.
• An organisation-wide security policy, based on risk management and
effective identity management.
• Implemented a business continuity policy; complemented with service
level management; incident, service impact and problem management;
and effective capacity planning and provisioning.
• Effective configuration management in place.
• Information lifecycle management in place, ensuring that electronic
business records are kept safely for as long as necessary and then
disposed of reliably and securely.
• Managed processes for application lifecycle and operational
management.
It should be noted that CMMI is itself developing, partly to address “gaming”
of appraisals by company marketing departments (which is why the scope of
an appraisal should be available and why appraisals have a limited period of
validity). Interesting developments are new CMMI “constellations”: CMMI-SVC
for organisations delivering services rather than developing software, and CMMI-ACQ
for companies acquiring automation rather than developing it. There is also the issue that
maturity and good process isn’t an end in itself but a means for delivering business
outcomes – and an organisation which is generally of high maturity may fail to
deliver because just one key part of the organisation is at a low maturity level
and fails to control risk.
Process-driven development and operations are fundamental to what we think
of as IT governance and will be treated in more detail in the next chapter. A
typical but vendor-independent development process is the Dynamic Systems
Development Method [DSDM, web] and a widely accepted infrastructure/
operations management process is documented in ITIL®, originally sponsored
by a UK Government computing organisation [ITIL®, web].
Higher levels of maturity will fundamentally alter the nature of an organisation
– the comparison is with the way that ‘lean’ engineering revolutionised the Japanese
car industry and enabled it to compete with and displace the traditional US motor
industry in world markets. However, higher levels of maturity may not suit some
organisations or, in particular, emerging industries and technologies, where things
may be changing too fast for a stable process to be feasible (although if you are
implementing CMMI properly and fully understand its concepts, we suspect that
there is room for argument here). Whatever, it is probably true that you can’t
properly appreciate the benefits, and the consequences or implications, of higher
maturity levels until you are at Level 2 or 3.
At the equivalent of Level 4, you become a metrics-focused organisation,
managing quantitatively through metrics – which doesn’t mean that you don’t
measure capability and improvement, where you can, at lower levels. You don’t
just measure what is easy to measure, you potentially measure everything, on
the grounds that you can’t manage what you can’t measure. There is an overhead
associated with this measurement activity, however, so you will concentrate, in
practice, on a few carefully-chosen ‘key performance metrics’ (which may be
derived from several low-level metrics) – and measurement automation is vital
(you really need to build the necessary instrumentation into the design of your
systems rather than try to bolt it on afterwards). As technology improves, business
analytics and optimisation technology [BloorAnalytics, web] can build good
governance into the framework of automated business systems. With the benefit
of the metrics you collect, you can focus on areas for improvement and confirm
that your improvements are, in fact, working.
At the equivalent of Level 5, you are into continuous process improvement and
the occult powers of warrior-monks in Chinese martial arts movies start to seem
normal. Your metrics become predictive and you start to improve processes in
anticipation of emerging problems. At this level, IT Governance is so innate that
you probably don’t even need to think about it – but there aren’t many true Level
5 organisations in the world and many that have been assessed at CMMI Level
5 have only done so with a limited scope.
The point of this section is not to say that you must be appraised at CMMI
Level 3 in order to implement good IT governance but that you must have a certain
level of maturity across the whole organisation in order to implement IT
governance effectively. And CMMI Level 3 gives you some idea of the minimum
maturity level you will need in practice. If you implement IT governance at lower
maturity levels you will be lucky if it achieves what you hope it will. You will
likely end up with ‘islands of good governance’ and may find that embarrassing
areas aren’t covered. You will be unable to reliably measure either the
effectiveness or the overheads of your governance initiatives, and you will be
unable to manage the overall alignment of your IT Governance efforts with the
requirements of corporate governance as a whole.
Roles and responsibilities
One of the key issues in IT governance is the assignment of roles and
responsibilities. The IT optimisation company, Mercury Interactive, an industry
leader in application delivery, application management and IT governance (and
now part of HP’s Business Technology Optimisation practice), once commi