In recent years, the concept of IT governance has garnered much interest due to the integral role IT plays in both commercial and public organisations. Pallavi Sharma discovers the challenges associated with IT governance and its adoption in the Middle East.
In an era where globalisation and competition dictate strategic initiatives, firms are using technology to develop, manage and exchange intangible assets such as information and knowledge with their stakeholders in a bid to gain a significant advantage.
Many believe that this dependency on IT opens organisations up to huge vulnerabilities associated with the abuse of intellectual property, fraud and cyber crime, which are inherently present in complex IT environments..
As organisations work to counter the risk that comes with the pervasiveness of IT, more attention is being paid to IT governance policies, which is believed to help mitigate risks while outlining best practices to enable operational efficiency and business growth.
IT professionals believe that in a dynamic and competitive business environment where firms spend a significant percentage of their revenues on IT to stay competitive, good IT governance is no longer nice to have but is a must have.
“Extracting greater value from IT is rarely a matter of just working harder or longer. Instead it requires development of new techniques for designing, implementing and involving different people in the IT decisions. High-level IT governance models are therefore being created and today IT governance is high
on the agenda in many organisations,” says Wissam Khoury, managing director, SunGard Financial Systems, Middle East.
He believes that in the face of an economy slowly recovering from a global debt crises, these policies become the very base of the business growth cycle. This is because organisations can no longer afford
to indulge IT as a mere cost centre, but must view IT investments in the overall business context, and understand how a particular investment could contribute to revenue generation and business success.
Decision makers point out that this alignment between business strategies and IT initiatives is the most crucial element of IT governance.
“All enterprises have IT governance, but enterprises with effective IT governance have actively designed a set of mechanisms that encourage desirable behaviour. This behaviour is defined as a set that is consistent with the organisation’s strategy, mission, norms, and culture,” says Bobby Gupta, vice-president and head, Mahindra Satyam, MENA.
Khoury explains that aligning IT strategies with business outlook involves three key elements. “Operational efficiency involves analysing how the existing IT set up contributes to the achievement of
business objectives. Operational innovation then focuses on reviewing or reengineering the IT infrastructure to enhance business processes and enable quicker and better results. Finally, operational compliance requires that organisations implement policies conforming with international regulations and reporting standards. This is because compliance with internationally recognised standards will enable decision makers within the organisation to analyse the current state the of operations in comparison to the desired state and thereby increase operational transparency across the board.”
IT professionals agree that one of the challenges with implementing IT governance is being able to describe it to non-IT personnel, who often confuse it with IT management. However, decision makers point out that the difference between the two is fundamental and distinguishable.
“Unlike management, IT governance is not about what specific decisions are made but rather the determination of who within the organisation is responsible for making decisions spanning disparate business units, who has input to a decision, and how these people are held accountable for their role,”
points out Vikram Suri, managing director for the Middle East and India at Sage Software.
Mahesh Vaidya, CEO, ISIT Middle East says, “The domain of IT management focuses on the effective and efficient supply of IT services and the management of day-today IT operations. On the other hand, IT governance is a broader canvas that centres on the contribution of IT operations to business performance and growth, while transforming and positioning IT to meet the future needs of the business.”
Dr. Angelika Plate, director of strategic security consulting, helpAG adds that IT governance provides guiding principles to the influencers and decision makers within the organisation on the, efficient and acceptable use of IT.
“Ensuring that organisations follow these principles will assist directors in balancing risks and encouraging opportunities arising from the use of IT. If applied correctly, IT governance will help directors to conform to given obligations (such as legal, regulatory or contractual requirements) and to ensure that the organisation’s IT is fit to support identified business goals,” she says.
Over the past few years several frameworks aimed to define, assess and improve internal controls of organisations have been brought out. These are aimed at assisting managers in the tasks of measuring and monitoring IT performance and effectiveness. Some examples of these frameworks include Information Technology Infrastructure Library (ITIL) principles, Information Security Management
Standards (ISMS), Control Objectives for Information and Technology (COBIT) among others.
Vaidya opines that IT governance frameworks are based on the ‘plan-do-checkact’ methodology. “IT governance begins with setting objectives and providing direction followed by implementing the planned
activities. Once the execution is completed, decision makers must measure and review the implementation to compare actual vs. planned results, and finally tweak the plan to correct any errors, fill any gaps or improve the process,” he says.
Industry experts point out that there isn’t much overlap across different frameworks. For instance, where COBIT details IT controls and metrics, ISMS covers IT security and ITIL emphasises processes, notably those surrounding the IT helpdesk.
Consultants agree that the best approach is to research the standards, review the needs and then move forward with the standard that is the best initial fit, and focus on areas that are of the greatest concern to all the stakeholders.
“All of the standards are huge undertakings and you are far better off to phase in various elements over time than to try and implement everything at once,” says Plate.
Gupta recommends an adopt and adapt approach. “Rather than select one approach, organisations would be wise to get an overview of the different frameworks and then work out a policy that blends the best practices to suit the needs of the organisation,” he says.
Help at hand
Experts largely agree on broadly defined principles that must form the very crux of an effective IT governance initiative.
Plate explains, “IT governance must ensure that individual business units and stakeholders understand and accept the need for these policies and go on to assigning specific roles and responsibilities in respect of both supply and demand of IT. This is followed by clearly outlining the business strategy to incorporate the current and future capabilities of IT, and then aligning these strategies with IT initiatives that are capable of satisfying the current and ongoing need of the organisation’s business strategy.”
According to Plate, in addition to the above, IT governance must also take into account the need and basis for IT acquisitions. These acquisitions must be made for valid reasons, on the basis of appropriate and
ongoing analysis, with clear and transparent decision making. “It is imperative that there is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term,” she adds.
Following this she recommends that senior management within the organisation outline the best use of these acquisitions by plugging them into spaces where they prove most beneficial. This must be supported
with measurement metrics and performance indicators to ensure that IT platforms are delivering the promised levels of serviceand quality to meet both present as well as future requirements.
Additionally, IT governance policies must be established keeping in mind mandatory regulations and best practices to minimise cost of errors or re-implementations. Finally, IT governance policies must demonstrate respect for human behaviour including the current and evolving needs of all the people
involved in the organisation.
When discussing the challenges associated with implementing a robust IT governance framework, vendors often point to lack of senior management commitment as being a major obstacle.
Khoury says, “Internal education is definitely a challenge and this has much to do with the organisation’s culture. Since IT governance requires more collaboration across IT and business operations, the challenge is often associated with convincing departments to share what is considered sensitive information about their internal success and performance with one another. This is an attitude that has to be corrected
from the senior management down. So the success of an IT governance policy depends on the commitment of top management to the need and execution of these frameworks.”
“Much like other aspects of IT, governance policies require constant monitority and day-to-day maintenance of standards defined by them. All of this also requires sign-off and support from top
management,” states Sage’s Suri.
IT professionals recommend that the best way to address this challenge is through investing in a pre-planned environmental assessment that proactively addresses issues relating to organisational culture, leadership and communication challenges. “IT governance and implementation must be integrated with the company’s corporate governance initiatives to strengthen top management involvement and commitment,” he adds.
Despite this daunting challenge, industry analysts believe that organisations in the Middle East are making great strides in formulating and executing successful IT governance policies.
Suri says, “Organisations in the region are fast realising the need to adopt IT governance principles conforming to international standards. The BFSI and telecommunications sectors in the region
are leading this adoption fuelled by legal and audit requirements that are critical to their operations and long term success.”
Vaidya believes that although IT governance policies are quickly becoming an area of focus for CIOs in the region, there is room for more growth. “IT governance has been present in one form or another but in a more or less unstructured manner. The need to comply with regulations and laws for conducting business internationally combined with the push from companies operating in the governance space has contributed to the growth in adoption, albeit in bits and pieces.”
“Over the last few years, we have witnessed increasing numbers of organisations hiring consultants to help them emulate best practices to reduce costs and enhance efficiency,” says Gupta.
He predicts that technologies like cloud computing and mobility will only further necessitate the need for organisations to invest in IT governance policies to both monitor outsourced applications as well as control business operations across employees working on site and on field.
Vendors and industry stakeholders believe that the future is set to witness a spurt in IT governance policies across the globe. This will include policies centred on the monitoring and management of mobile
devices across the enterprise space and the integration and use of social media tools for business and cloud technologies. Clearly, one can now say where IT governance is concerned; this is just the tip of the iceberg.