What the board should know about IT governance - GRC Summit
TRANSCRIPT
www.ovum.com
1 © Copyright Informa. All rights reserved. Ovum is part of Informa Group.
What the board should know about IT governance
Why it’s needed, and how to approach it
Alan Rodger
Senior Analyst, Ovum.
@AlanRodger_Ovum
Agenda
Background on IT developments and trends
Why boards need to know about IT governance
‘How to’ - IT governance practicalities
IT has become the hub of most organizations
Across industry sectors:
Healthcare: EHR, digital prescriptions, and treatment monitoring/recording
Transport: ticketing, reservations, taxi, and automated driving
Telecoms/media: business model convergence, advanced content delivery
Finance and payments: simplification/ transformation
A critical means of reaching out to employees and customers:
Mobile, social
Achieving efficiencies:
Cloud, process outsourcing, partnership
Key to customer service:
Analytics enabling the Customer Adaptive Enterprise
Underpinning ‘digital transformation’
“Be digital”, and use that to focus on customers
Source: IBM Global C-suite Study 2015
IT is top of mind for CxOs
“We’re counting on technology to fuel our next wave of growth”
– CFO, Indian insurance company.
“If we gamble on the wrong thing, it could have a really negative impact on our business”
– COO, Belgian electronics firm.
“CxOs are desperately trying to cope with a technological onslaught”
– CIO of a Malaysian healthcare provider.
Source: IBM Global C-suite Study 2015
IT’s role is not going to diminish
Source: IBM Global C-suite Study 2015
Benefits
Cloud: agility/faster deployment; lower capex/operating costs; shared use of IT resources; collaboration across enterprise boundaries.
Mobile: real-time data, or customer service, at the point of need/opportunity; improved customer engagement/experience.
IoT: opportunity to wrap services around products; instrument assets for efficiency.
Why is IT Governance needed?
IT is a critical and heavy investment that has its own risks
With newer tech (cloud, mobile, IoT), some risk types are yet to be understood
Security can no longer define the boundaries of the enterprise
... but these technologies are essential to attain the benefits
IT supports many third-party relationships:
Business partnerships.
Technology providers.
Outsourcing relationships.
Cyber security attacks are a growing threat to business
Digital information must be guarded as a key organizational asset
Compliance++: data is becoming a greater focus of legislation
Data privacy regulations will impact global business
Current privacy laws are some way behind the realities of the digital economy
Over 75% of organizations say their regulated and sensitive data will be present in cloud/SaaS applications by mid-2018
Significant trust issues may undermine cross-border business
(Chart) Responses to “…please highlight the countries you believe would access your data without your permission”
Data privacy regulations will impact global business
Data ownership, access rights, and location are blurred by technology models
EU General Data Protection Regulation (GDPR) – in force late 2017
52% think it will result in business fines (“up to 10% of global turnover”).
19% expect hires in the legal function, to cope.
31% expect hires in the technology function.
34% expect hires in the compliance function.
Two-thirds expect it to force some change in their European business strategy.
How should IT governance address all of this?
Ovum’s definition:
IT governance is the establishment and operation of a management framework, by which an organization maximizes the value that it derives from IT in support of its strategic objectives.
The purpose is to align IT with business
To maximize value, risks must be managed (the risk/reward balance)
Not a solution – a process framework that can be supported by solutions
(“…governance is something you do – not something you buy”)
IT governance perspectives at different levels
Board adoption of IT governance responsibility
ISO/IEC 38500 is the international standard for corporate governance of IT
Since 2008, a framework for boards to understand and fulfil their legal, regulatory, and ethical obligations in respect of their organization’s use of IT
Sets out six principles for good corporate governance of IT:
Responsibility – the obligation to establish clearly understood responsibilities for IT, from the top down.
Strategy – defined so that business and IT executives can conduct IT planning to best support the organization.
Acquisition – the responsibilities involved in acquiring IT resources of any kind.
Performance – ensuring that IT performs according to enterprise needs.
Conformance – setting out how IT must conform with formal rules.
Human behavior – governing IT initiatives’ responsibilities to respect human factors.
ISO/IEC 38500 model for corporate governance of IT
Source: ISO
Management-level IT governance
COBIT is the accepted standard (from the Information Systems Audit and Control Association, ISACA):
Extensively adopted internationally, dating from 1996.
Comprehensive practical framework focused specifically on governance.
Authoritative set of IT control objectives for day-to-day use by business managers, IT professionals, and risk assurance professionals.
Integrates risk and value management, as of COBIT 5 (2012)
Aligns with other important standards:
Project management (PMBOK, PRINCE2).
Business Model for Information Security (BMIS).
The Open Group Architecture Framework (TOGAF).
COBIT 5 coverage of governance and management
Frameworks, process descriptions, control objectives, management guidelines, and maturity models
Source: ISACA
COBIT 5 – Process reference model
Source: ISACA
Operational governance - ITIL
Scope: ITSM; service portfolio management; demand management; financial management for IT services; business relationship management
Recommended IT governance standards
ISO/IEC 38500
COBIT
ITIL
Summary
IT is already critical, and that won’t change
IT-specific regulation and compliance issues are arising
Boards need to engage with their responsibility for IT
Well-established standards reduce the risks of adoption
Boards are the ideal point to ensure IT serves strategic business needs
Thank you
Questions?