
Page 1: What the board should know about IT governance - GRC Summit

www.ovum.com

1 © Copyright Informa. All rights reserved. Ovum is part of Informa Group.

What the board should know about IT

governance

Why it’s needed, and how to approach it

Alan Rodger

Senior Analyst, Ovum.

@AlanRodger_Ovum

Page 2

Agenda

Background on IT developments and trends

Why boards need to know about IT governance

‘How to’ - IT governance practicalities

Page 3

IT has become the hub of most organizations

Across industry sectors:

Healthcare: EHR, digital prescriptions, and treatment monitoring/recording

Transport: ticketing, reservations, taxi, and automated driving

Telecoms/media: business model convergence, advanced content delivery

Finance and payments: simplification/transformation

A critical means of reaching out to employees and customers:

Mobile, social

Achieving efficiencies:

Cloud, process outsourcing, partnership

Key to customer service:

Analytics enabling the Customer Adaptive Enterprise

Underpinning ‘digital transformation’

Page 4

“Be digital”, and use that to focus on customers

Source: IBM Global C-suite Study 2015

Page 5

IT is top of mind for CxOs

“We’re counting on technology to fuel our next wave of growth”

– CFO, Indian insurance company.

“If we gamble on the wrong thing, it could have a really negative impact on our business”

– COO, Belgian electronics firm.

“CxOs are desperately trying to cope with a technological onslaught”

- CIO of a Malaysian healthcare provider. Source: IBM Global C-suite Study 2015

Page 6

IT’s role is not going to diminish

Source: IBM Global C-suite Study 2015

Benefits

Cloud: Agility/faster deployment; lower capex/operating costs; shared use of IT resources; collaboration across enterprise boundaries.

Mobile: Real-time data, or customer service, at the point of need/opportunity; improved customer engagement/experience.

IoT: Opportunity to wrap services with products; instrument assets for efficiency

Page 7

Why is IT Governance needed?

IT is a critical and heavy investment that has its own risks

With newer tech (cloud, mobile, IoT), some risk types are yet to be understood

Security can no longer define the boundaries of the enterprise (cloud, mobile, and third parties dissolve the old perimeter)

……but it remains essential to attaining the benefits

IT supports many third-party relationships:

Business partnerships.

Technology providers.

Outsourcing relationships.

Cyber security attacks are a growing threat to business

Digital information must be guarded as a key organizational asset

Compliance, and ever more of it: data is becoming a greater focus of legislation

Page 8

Data privacy regulations will impact global business

Current privacy laws are some way behind the realities of the digital economy

Over 75% of organizations say their regulated and sensitive data will be present in cloud/SaaS applications by mid-2018

Significant trust issues may undermine cross-border business

Responses to “…please highlight the countries you believe would access your data without your permission”

Page 9

Data privacy regulations will impact global business

Data ownership, access rights, and location are blurred by technology models

EU General Data Protection Regulation (GDPR) – adopted April 2016; applies from 25 May 2018 (originally anticipated here as late 2017)

52% think it will result in business fines (“up to 10% of global turnover” in respondents’ words; the adopted text caps administrative fines at 4% of worldwide annual turnover or EUR 20 million, whichever is higher).

19% expect hires in the legal function, to cope.

31% expect hires in the technology function.

34% expect hires in the compliance function.

Two-thirds expect it to force some change in their European business strategy.

Page 10

How should IT governance address all of this?

Ovum’s definition:

IT governance is the establishment and operation of a management framework, by which an organization maximizes the value that it derives from IT in support of its strategic objectives.

The purpose is to align IT with business

To maximize value, risks must be managed (the risk/reward balance)

Not a solution – a process framework that can be supported by solutions (“…governance is something you do – not something you buy”)

Page 11

IT governance perspectives at different levels

Page 12

Board adoption of IT governance responsibility

ISO/IEC 38500 is the international standard for corporate governance of IT

First published in 2008 (revised in 2015), it gives boards a framework for understanding and fulfilling their legal, regulatory, and ethical obligations in respect of their organization’s use of IT

Sets out six principles for good corporate governance of IT:

Responsibility – the obligation to establish clearly understood responsibilities for IT, from the top down.

Strategy – defined so that business and IT executives can conduct IT planning to best support the organization.

Acquisition – the responsibilities involved in acquiring IT resources of any kind.

Performance – ensuring that IT performs according to enterprise needs.

Conformance – setting out how IT must conform with formal rules.

Human behavior – governing IT initiatives’ responsibilities to respect human factors.

Page 13

ISO/IEC 38500 model for corporate governance of IT

Source: ISO

Page 14

Management-level IT governance

COBIT, from ISACA (the Information Systems Audit and Control Association), is the accepted standard:

extensively adopted internationally, dating from 1996

comprehensive practical framework focused specifically on governance

authoritative set of IT control objectives for day-to-day use by business managers, IT professionals, and risk assurance professionals.

Integrates risk and value management, as of COBIT 5 (2012)

Aligns with other important standards:

Project management (PMBOK, PRINCE2).

Business Model for Information Security (BMIS).

The Open Group Architecture Framework (TOGAF).

Page 15

COBIT 5 coverage of governance and management

Frameworks, process descriptions, control objectives, management guidelines, and maturity models

Source: ISACA

Page 16

COBIT 5 – Process reference model

Source: ISACA

Page 17

Operational governance - ITIL

Scope: ITSM; service portfolio management; demand management; financial management for IT services; business relationship management

Page 18

Recommended IT governance standards

ISO/IEC 38500

COBIT

ITIL

Page 19

Summary

IT is already critical, and that won’t change

IT-specific regulation and compliance issues are arising

Boards need to engage with their responsibility for IT

Well-established standards reduce the risks of adoption

Boards are the ideal point to ensure IT serves strategic business needs

Page 20

Thank you

Questions?

www.ovum.com

Alan Rodger

Senior Analyst, Ovum.

@AlanRodger_Ovum