IT Governance
Ram Chandra Poudel
1. INTRODUCTION:
IT refers to Information Technology, and governance is the power and process of
decision making for the assigned duties. IT governance is defined as the
processes for the best use of IT in an entity. IT is implemented in an
organization to ensure that it meets the present and future needs of the
entity. IT governance is an integral part of enterprise governance, and
comprises the organizational leadership, institutional structures and
processes, reporting and feedback, enforcement, etc.
Due to the increase in the use of IT in each and every sector, it is paramount
to any sphere of life. IT Governance is critical at the strategic level of an
organization because it can set the tone for the organization and create a
responsible IT environment by encouraging adherence to rules and set standards.
IT Governance plays a key role in determining the control environment and sets
the foundation for establishing sound internal control practices and reporting
at functional levels for management oversight and review. Weaknesses in IT
Governance affect the key areas of the entity’s activities.
IT governance should be considered in relation to how IT creates value that
fits into the overall governance strategy
of the entity. The stakeholders would be required to participate in the
decision-making process by the use of IT. This creates a shared acceptance of
responsibility for critical systems, and ensures that IT-related decisions are
made.
IT Governance is involved with identifying new or updated business needs, and
then providing the appropriate IT solutions to the intended user. During the
development or acquisition of the solution to the business need, IT Governance
ensures that the selected solutions are responsive to the business and that the
necessary training and resources, such as hardware, tools and network capacity,
are available to implement the solution. Monitoring activities may be carried
out by the internal audit or quality assurance group, which would periodically
report its results to the top management.
2. KEY ELEMENTS OF IT GOVERNANCE:
IT plan, decisions, regulations and directions, resources, management and
monitoring are to be taken into consideration while describing the key elements
of IT Governance. The key elements of IT Governance can be discussed as:
a. IT Strategy and Planning: The IT Strategy represents the mutual alignment
between IT and business strategic objectives. IT strategic objectives should
therefore incorporate or accommodate the current and future needs of the
business. The strategy should focus on the current IT capacity to deliver
services, and the requirement of resources. It should consider the existing IT
infrastructure and architecture, investments, delivery model, and resourcing
including staffing, and lay out a strategy that integrates these into a common
approach to support the business objectives.
Lack of an IT strategy may be a sign of underestimating IT as a “purely
technical matter” left by top management to the IT Department. Lack of IT
planning may lead to normal delivery, scaling up or expansion of the services
being constrained, for example by deficiencies in IT resources or inefficient
use of existing resources. The most straightforward way to mitigate this risk
is to have an IT Strategy, accepted, actively supported and periodically
updated by top management, that identifies resources and plans to meet the
future needs of the business. The larger the entity, the more important it is
that there should be a formal IT Strategy which is updated on a periodic basis.
Weak strategic alignment means that even a good-quality IT system may not be
contributing efficiently and effectively to the achievement of the
organization's overall business and strategic objectives. While framing IT
strategy and planning, all the stakeholders must be effectively involved.
b. Organizational Structures: Organizational structures are a key element of IT
governance in articulating the roles of the various management and governance
bodies across the business. They should assign clearly defined delegation for
decision making and performance monitoring. Organizational structures must be
supported with appropriate standards, policies and procedures, which should
enhance decision-making capacity. Organizational structures in a public sector
entity are influenced by stakeholders, that is, all groups, organizations,
members or systems who affect or can be affected by an organization's actions.
Examples of important external stakeholders include the Parliament, the
committees of parliament, government entities, media and the citizens.
Organizational structures are also influenced by users, who may be internal or
external. Internal users are the business executives, the functional
departments who own business processes, and individuals within the organization
who interact with business processes. External users are the agencies,
individuals and members of the public who use products or services provided by
the organization. The need for IT functionalities or requirements emerges from
the users and stakeholders. Appropriate organizational structures, roles and
responsibilities are required to be mandated from the governing body, providing
clear ownership and accountability for important decisions and tasks. This
should include relationships with key third-party IT service providers.
The IT Steering Committee is an important part of IT Governance that comes
under the organizational structure. It comprises members of top and senior
management and has the responsibility for reviewing, endorsing and committing
funds for IT investments. The Steering Committee should be instrumental in
devising business decisions for which technology should be provided to support
business investments, as well as approving how to acquire this technology.
Investment decisions involving “build vs. buy” solutions are the responsibility
of the IT Steering Committee, generally after suitable recommendations from
designated groups or committees. The Steering Committee also plays a critical
role in promoting the necessary buy-in and providing management support for
programmes that entail changes to the organization. In many public sector
organizations, IT Steering Committee functions are part of the management
function.
c. Standards, Policies and Processes: Standards and policies are adopted by the
organization and approved by top management. Policies lay the framework for
daily operations in order to meet the goals set by the governing body. Policies
are supported by procedures or processes that define how the work is to be
accomplished and controlled. These goals are set by the top management to
accomplish the organization's mission and at the same time to comply with
regulatory and legal requirements. Policies and corresponding procedures need
to be communicated to all relevant users in the organization on a periodic
basis.
d. Human Resources (HR): The Human Resources (HR) policy deals with the hiring,
training, job rotation, job specification, job termination and other functions
of HR in the organization. It deals with the roles and responsibilities of
various personnel within the organization as well as the requisite skill or
training they are required to possess to carry out their duties. The HR policy
also assigns roles and responsibilities and ensures segregation of duties.
e. Documentation: Documentation of system
development, information systems, applications, job roles, events, transactions
and reporting systems and their periodicity is an important reference point to
align IT operations with business objectives. Appropriate document retention
policies enable tracking and managing iterative changes to information
architecture in an entity. The documentation policy should be in compliance
with the Organization's IT Strategy and any other regulatory requirements. In
some countries, government agencies have to obey strict legal rules for periods
and types of documents to be retained. Documentation includes emails, logs,
internal memos and of course financial and business-related documents.
f. Outsourcing Policy: The outsourcing policy for IT-related jobs, which
enhances governance, defines the goals and objectives of outsourcing.
Outsourcing is most often aimed at allowing the entity’s management to
concentrate their efforts on core business activities. The need for outsourcing
may also be driven by the need to reduce operating costs. The outsourcing
policy should address the identification of functions and activities that could
be outsourced in line with the IT Strategy, IT Security policy or regulatory
requirements.
If there are no proper processes governing the acquisition of outsourced
services, the organization might face a situation where it depends completely
on one vendor or contractor. This is a high risk because if the vendor exits
the market or fails to deliver the contracted services, the organization is
going to be in a difficult position. The Department of Transport Management is
facing this outsourcing problem in rendering effective services to the
citizens. There are also other issues, for example, disputes over intellectual
property, systems, and databases. Organizations that outsource or regularly
contract with vendors for solutions may need to have an outsourcing or
acquisition policy that defines what may or may not be outsourced.
3. CONCLUSION:
The typical organization of IT and related functions in an entity involves the
functions of strategic planning and setting up the organization structure,
standards, policies and processes in the entity. IT Governance is related to
government or non-government mechanisms to derive the desired service delivery.
IT Governance includes the Organization's Strategic Plan, IT Policy, Human
Resource Policy, Acquisition / Procurement Policy, Outsourcing Policy, Document
Retention Policy, IT Security Policy, Internal Control Policy and others.
Information on different policies. IT Governance involves the allocation of
resources, and justification of investments in technology or training. The IT
strategy and implementation are aligned to the entity’s strategy and objectives,
and thus the IT implementation fulfils the organization's overall objectives.
One way to achieve this is to ensure that business owners are involved in the
review and approval of the IT Strategy and get to comment on the vision, and
that stakeholders are involved in IT operations and the decision-making
process. To understand the organization of IT functions, it is necessary to
review the documentation of the IT Plan, organization structure, strategic
business plans, strategic IT Plans which are being implemented or are going to
be implemented, and all related policies. It may be that distinct policy
documents are not available in an entity but that such information is available
as part of some proposal or in other forms within the entity. IT is an integral
part of not only the public sector programme but also the private sector
programme to deliver corporate IT Governance. IT governance ensures that IT
goals are met and IT risks are mitigated such that IT delivers value to sustain
and grow the organization. IT governance drives strategic alignment between IT
investment and programme delivery and must judiciously measure performance.
Lastly, IT Governance plays an important role in ensuring the effectiveness of
the general control environment. The Government of Nepal is also in the phase
of using Electronic Governance in service delivery. The ICT (Information
Communication Technology) project is in the implementation phase under the
Office of the Prime Minister and Council of Ministers. The use of IT is
widespread. The Electronic Transaction Act, 2063 and the Electronic Transaction
Rules, 2064 are also aligned with the effective use of IT Governance. So, the
use of IT is to be enhanced and legacy is to be maintained to meet the changing
expectations of the citizens.
REFERENCE:
· E-Learning Course, 2014-16
· COBIT 4.1 Framework, 2007, IT Governance Institute
· COBIT 5 Framework, 2012, ISACA
· Electronic Transaction Act, 2063
· Electronic Transaction Rules, 2064