4Matt Technology

IT Governance must be driven by Corporate Governance

In the pandemic times of Covid-19, the information technology area is even more under pressure to release services such as Remote Office, E-commerce, among others, and increasingly faster.

This speed creates super pressure on IT managers regarding processes and good IT governance practices. A survey by Gartner in November 2019 brought a very clear view of the support, management software and ownership that IT governance needs from corporate governance.

Governance methods have become fundamental to assess the risks and return of an investment. In fact, this is one of the main reasons that has given a lot of evidence to the subject when it comes to efficiency and transparency in business management in these current times.

IT governance is driven by good corporate governance. CiOs, IT managers, and other IT leaders need to understand these strategic business principles and how to get senior executive input into IT governance—that is, align IT with the business.  

Main discoveries

  • Corporate governance in companies is an important contribution to define IT governance and its strategic alignment.
  • IT governance must ensure that IT risks are managed effectively, without impacting digital transformation.
  • IT governance requires the participation of senior executives, especially at the board level, working across the entire structure, organizational culture, and governance definitions.

Recommendations

  • CIOs must understand the specific principles of good corporate governance practices and the processes that ensure and drive IT governance.
  • Use the most appropriate corporate governance principles and resources to gain executive support and participation in IT governance.
  • Apply research and relationship resources to ensure board-level involvement in IT governance and alignment with business processes and strategic objectives.

What is corporate governance and how does it influence IT governance?

Corporate governance provides the framework for determining organizational goals, allocating authority to achieve them, and monitoring performance to ensure those goals are achieved. Good corporate governance is also important in governmental and non-profit organizations, where foundations, sponsors, contributors or other interested parties are equally concerned that your organization is properly governed.

While several corporate governance principles influence IT governance, there are two where this influence is substantial:

  • Disclosure and transparency — This refers to the organization's financial and operational information and predictable risk factors such as information from SAM Software Asset Management or IT asset management.
  • Responsibility of the board of directors — This involves ensuring strategic guidance to the organization, effective monitoring and accountability to shareholders/stakeholders.

Although the investment grade varies from country to country, boards of directors must ensure that investments are made in an organized manner between corporate governance and IT Governance. Investments in IT assets and IT professionals can be up to 50% of the total capital expenditure invested in corporate governance in some organizations and organizational structures.

However, when it comes to managing these IT assets, few boards understand how much their organizations depend on Information Technology for continuous operations and information assets that reside in countless applications in their IT infrastructure or architecture.

Few boards realize how many business decisions depend on the information contained in these IT assets. Even fewer have the fundamental knowledge needed to ensure that proper supervision is in place. These issues, however, do not relieve them of their responsibility to ensure that the company's IT assets are properly managed.

Although corporate governance has long been formalized, the concept of IT governance is a little more recent. What does IT governance mean? It's not just IT management, but it's about how organizations must ensure that IT assets deliver value to the business and whose performance is measured and risks are mitigated.

Until recently, there was not a significant body of knowledge on the subject. TIGI, or the Information Technology Governance Institute (ITGI), — an offshoot of the Information Systems Audit and Control Association (ISACA) — is a recognized leader in governance, control, security, and assurance. It was formed in 1998.

In 2009, ITGI adopted the ISO/IEC 38500 IT governance standard, which is based on a pre-existing Australian standard and has been in effect since April 2008. It represents an effort to guide the definition of IT governance as a component governance and is aimed at all organizations, regardless of size or sector.

As with all governance, there is no one-size-fits-all solution. Effective information technology governance must be a cohesive and integrated process aligned with the business, compatible with the style and culture of management decision-making, and perceived by executive management as a value and examples of corporate governance.

IT governance has often been left primarily to the CIO without involving the board, which has a responsibility to understand the inherent risks and strategic importance of IT. Boards must be more involved in IT governance to ensure their organizations are able to sustain operations and implement future IT strategies in line with the strategic plan.

IT Governance: Demand and Supply

The IT governance model that Gartner advocates clearly states that IT governance is a business goal, not just an IT goal. IT governance is defined as addressing two main areas: demand-side governance (deciding what and how IT should work) and supply-side governance (deciding how IT should do what it does).

Demand-side governance is a process of decision-making and oversight of managerial investments; therefore, it is primarily a corporate management responsibility, driven by the IT governance manager under the corporate governance umbrella, managing IT demands.

Supply-side governance is primarily the responsibility of the CIO and is the mechanism that ensures compliance with corporate policies, such as those dealing with regulatory compliance, security, and procurement.

When talking to customers, Gartner sees the lines between business and IT increasingly in shadow areas. We see IT tasks being performed in the business, businesses taking on IT leadership roles, and vice versa. However, when it comes to IT governance, we see that this is often wrongly delegated to the CIO due to several factors:

  • Lack of understanding by business areas of the board's role in ensuring that IT assets and resources are managed and measured, and that IT and IT professional risks are mitigated.
  • The perception that everything the information technology area needs must be handled by the CIO and that he must guarantee controls.
  • Competition within IT, all wanting governance over their respective domains, such as the development area “wanting” to manage the infrastructure area and vice versa.

As a result, the term “governance” has become widely used and misunderstood. IT leaders must understand that IT governance is effective when it is driven by the fundamentals of corporate governance and defined as a cohesive process using five steps: strategy, plan, implementation, management and monitoring.

Align supply to demand using corporate governance principles

CIOs must ensure that they understand the fundamental principles of corporate governance, specifically disclosure and transparency, and the board's responsibilities. Knowing these principles can help IT leaders get the business engagement they need. They are well understood by senior executives and are of great interest because key executives or senior management (for example, the CEO, CFO, and board members) may be personally responsible for violations of these principles.

CIOs must build a bridge of understanding with senior executives, linking management principles and responsibilities with IT functions and processes. A common understanding in this area can help both sides to better integrate business and IT management, thereby gaining more business participation in demand-side governance and driving the supply-side approach and governance policies. This can lead to more clearly establishing IT governance as a component of corporate governance.

Disclosure and Transparency

This principle has two key aspects that impact IT governance. First, it provides for disclosure of material matters that affect the organization's financial condition, issues that affect stakeholders, and, most importantly, predictable risk factors. Second, it provides for an annual independent audit that provides an external and objective assurance to the board on the organization's financial condition. It further clarifies that these external auditors are responsible for the organization's shareholders/stakeholders.

In today's environment, companies rely heavily on the reliability and accuracy of the IT systems (ie the applications, e-commerce, information and infrastructure) that contain their financial information. Using the principle of disclosure and transparency, IT governance has a duty to ensure that these components are available, reliable and accurate.

Other examples include: if IT assets are not adequately protected from security threats (internal or external) or if projects are not delivered on time, on budget, or do not deliver the anticipated business results.

What can a CIO do to get the Board involved?

Many customers say they fail to get the board's attention and involvement to participate in IT governance. CIOs need to employ strategies aimed at achieving this engagement. In this case, some creative steps are needed. Some ideas for getting this engagement include:

  • Increase knowledge and awareness of corporate governance principles among the IT management team.
  • Use available resources (such as enterprise architecture, information security and compliance, infrastructure and operations management teams, project management, and process management) to ensure a common understanding of what is in place and where likely candidates at risk they are.
  • Create a coalition of supporters (eg, corporate governance people, internal auditors, business risk team, or CISOs) to create and send coordinated messages to the board.
  • Use the current relationship with senior corporate management as a means of sponsoring engagement with board members.

IT is part of the business

The bottom line is that IT or information technology is an integral part of the business. Organizations must consider IT as critical to the success (or failure) of the organization as any other business unit. Business and information technology leaders should view IT governance as an opportunity to better integrate the two areas of business and IT and move towards a more cohesive model, providing a better understanding of the role of information technology in the organization and allowing IT to contribute its participation to meet the principles of corporate governance.

IBGC and corporate governance

An international trend, corporate governance in Brazil came as a way for companies and other organizations to be managed and monitored in a transparent manner and with codes of conduct. This corporate dynamic encompasses aspects such as the relationship between partners, the board of directors, management, supervisory bodies and effective controls and other interested parties. But, how do you know if your company is on the governance path and what is the concept of corporate governance?

According to Code of Best Corporate Governance Practices IBGC, of IBGC (Brazilian Institute of Corporate Governance) corporate governance is based on four principles of good practice. Its proper adoption results in a climate of trust both internally and in relationships with third parties. Check it out below:

Transparency

One of the main characteristics is the desire to make available to interested parties the information that is of interest to them and not just those imposed by provisions of laws or regulations. It should not be restricted to economic-financial performance, but also contemplate other factors (including intangibles) that guide managerial action and that lead to the preservation and optimization of the organization's value.

Equity

It is characterized by the fair and equal treatment of all partners and other interested parties (stakeholders), taking into account their rights, duties, needs, interests and expectations.

Accountability (accountability)

The agents and governance structure must be accountable, as basic principles of their performance, in a clear, concise, understandable and timely manner, fully assuming the consequences of their acts and omissions and acting with diligence and responsibility within the scope of their roles.

corporate responsibility

The agents and corporate governance structure must ensure the economic and financial viability of organizations, reduce the negative externalities of their businesses and operations and increase the positive ones, taking into account, in their business model, the various capitals (financial, manufactured, intellectual, human, social, environmental, reputation etc) in the short, medium and long term.”

Following this theme of the international trend, good corporate governance is vital for business viability and not just an isolated issue such as project management or process management. A collapse of confidence in corporate governance, the financial crisis and management over the last 10 years and especially the Covid-19 pandemic has led to increased regulation in the US (eg the Sarbanes-Oxley Act), and new regulatory initiatives in Europe as GDPR and in other countries such as Brazil with the LGPD, making good corporate governance mandatory.

Professional investors and even family business owners are willing to pay more for companies with strong and effective corporate governance. However, IT management, which is considered the guardian of the main IT corporate assets, often struggles to implement effective IT governance aligned with corporate governance goals and usually the investment is nothing more than strategic planning, hindering good management of your company.

Tag: corporate governance, governance practices, good practices, governance concept, best governance practices, best practices, corporate governance practices, accountability, corporate responsibility, Brazilian governance institute, code of best practices, Brazilian corporate governance institute, management strategy, good it practices, governance institute, management consultancy, organizational strategies, set of practices.

Work with us

Related Posts