

Establishing an IT Governance Framework

Purpose

The purpose of an IT governance framework is to support effective and efficient management of IT resources to facilitate the achievement of an organisation's strategic objectives. All information and information technology resources fall within the scope of IT governance. (The board has responsibility for the stewardship of all IT resources on behalf of and for the benefit of all stakeholders.)

Approach

An IT governance framework comprises 3 levels of decision-making authority and accountability for the efficient and effective management of IT resources to facilitate the achievement of an organisation’s strategic objectives and satisfy the expectations of all stakeholders.

At level 1, the Board (or the IT Steering Committee appointed by the board) governs IT by:

  • Evaluating – the current and future use of IT by examining strategies, proposals and supply arrangements for IT (internal, external, or both),
  • Directing – the responsibility and priority in preparing and implementing a management system of plans, policies and processes so that the use of IT supports business objectives and the achievement of agreed strategic outcomes (via an IT governance charter),
  • Monitoring – receiving reports about
    • the current and future use of IT,
    • progress towards delivering the performance expected from IT measured against agreed plans and business objectives, and
    • whether the use of IT is in conformance with internal policies and external obligations (regulatory, legislation, common law and contractual).

Also at level 1, the Audit committee will govern IT by:

  • Evaluating, directing and monitoring the management of risks associated with the use of IT as they relate to financial reporting.

And, the Risk committee will govern IT by:

  • Evaluating, directing and monitoring the management of risks associated with the use of IT as they relate to achieving strategic, operational and compliance objectives, but excluding those related to financial reporting (unless the Audit committee and Risk committee are combined).

At level 2, one or more oversight authorities govern by overseeing the:

  • Planning – designing efficient and effective processes, implementation plans and governance framework to achieve the desired outcomes,
  • Building – organising and leading the implementation of the IT governance framework, organisational structure, processes and governance mechanisms,
  • Operating – analysing the efficiency and effectiveness of the processes and mechanisms against the desired outcomes,
  • Acting – to correct deviations in performance that will impact the desired outcomes.

At level 3, the IT management delivers by:

  • Tracking – the activities being executed with the aim of achieving stated goals,
  • Supervising – organising and re-organising IT activities so that there is increased reliability in achieving the stated objectives,
  • Checking – analysing performance and risk management across IT,
  • Controlling – detecting and correcting inefficiencies and poor performance and remediating risks found within IT.

Building an IT Governance Framework

An IT governance framework has to be built from the bottom up. IT activities have to be organised. Processes are a powerful way to better organise IT activities as they group activities together under a common purpose. The various IT activities within an organisation need to be identified and associated with a common purpose. Process models like CobiT and ITIL can help to identify IT activities and determine the relationship and common purpose with which individual activities align.

It would be wrong to implement all the CobiT or ITIL processes. These process models are reference sources that provide useful information to help identify IT activities and the related objectives. Only the IT activities necessary to support the business and achieve the organisation's strategic objectives must be implemented. The challenge is to effectively and efficiently manage (track, supervise, check, control) the use of IT resources within each process and to keep each process aligned (plan, build, operate, act) with the organisation's strategic objectives.

The board is expected to evaluate, direct and monitor the IT resources being used across the organisation on behalf of all stakeholders. At a minimum, the board should be clear about the strategic objectives and the priority attached to each objective. 

Last Updated on Tuesday, 10 May 2011 15:16
 


2009 Copyright IT Governance Network LLC.