IT Governance: Guidelines for Directors
By Alan Calder
About this ebook
Aligning IT with the business is a key board objective. Better shareholder returns, greater competitiveness and fewer compliance issues are typical benefits of an IT governance framework.
This is not a technology book. It has been written specifically for those directors, managers and their professional advisers who want to leverage IT more effectively to compete in our information economy.
It argues that getting real value from IT is about leadership and shows how the board and CEO can take that lead - and avoid security breaches, project failure, compliance exposure, reputation damage, job loss and jail time. It’s a book for business leaders of today - and tomorrow.
Alan Calder
Alan Calder is a leading author on IT governance and information security issues. He is the CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru. He has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). He is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.
Book preview
978-1-849281-05-8
About the author
Alan Calder is the founder director of IT Governance Ltd (www.itgovernance.co.uk), an information, advice and consultancy firm that helps company boards tackle governance, risk management, compliance and information security issues. He has many years of senior management experience in the private and public sectors.
The company’s website also provides access to a range of unique books, tools and other publications on governance, risk management, compliance and information security.
Other books by Alan Calder:
IT Governance: a Manager’s Guide to Data Security and BS7799/ISO17799, 3rd edition, with Steve Watkins (Kogan Page, June 2005)
IT Governance Today: a Practitioner’s Handbook (IT Governance Publishing, May 2005)
The Case for 7799 (IT Governance Publishing, May 2005)
Nine Steps to 7799 Success (IT Governance Publishing, June 2005)
For homeowners and home-based businesses:
The NON-Geek Guide™ to Wireless Security (IT Governance Publishing, 2005)
The Internet Highway Code (IT Governance Publishing, 2005)
Other books by Alan Calder are planned for publication during 2005 and 2006; see the website for details.
INTRODUCTION
‘Can IT align with the business?’¹
Your immediate response to this question gives a sense of the adequacy, or otherwise, of your IT governance arrangements. If you think it’s a good question, one worth pursuing, then you’ve just identified the first, and most critical, symptom of inadequate IT governance: a disconnect between your most important business enabler and the business itself.
If you find the question incomprehensible – because, to you, it’s axiomatic that IT aligns with the business – you may not need this book. However, before putting it aside, consider this: a late-2004 global study² of North American and European businesses found that only one-quarter of the respondents considered their business and IT strategies to be ‘fully integrated and developed simultaneously’ – which is a backward step from the findings of the same study in 2002, in which one-third of respondents considered these processes to be fully aligned.
Symptoms of inadequate IT governance
1. How does your board assess (measure) the real contribution made by any of your IT systems to improving the organization’s competitiveness?
2. What divergence is there between the views that your sales/operational management has of the benefits of IT systems and projects and those of the IT management? Who is right and how do you find out? Are you getting maximum value (maximum business benefit for minimum actual total cost) for each of your IT investments? How would you know? How would you know if your IT spending is putting your company at a cost disadvantage?
¹ Computer Business Review, March 2005
² ‘Why Today’s IT Organization Won’t Work Tomorrow’, AT Kearney, 2005
3. What is your board’s process for comparing the (fully costed) ROI on your technology projects to those of any other strategic options, including acquisitions, and how does this affect strategic planning?
4. What is your board’s view on the relationship, in your organization, between the potential impact of a compliance or information security failure (in financial terms) and the (fully absorbed) cost of meeting the compliance and security objectives? What is the total actual (direct and indirect) cost of all the compliance and information security incidents in your organization in the last twelve months?
5. What is the real, financial value to your organization of its information and intellectual capital and how are you leveraging it?
6. How are you driving up the intellectual capital/headcount ratio? What’s the relationship between this ratio and the IT intensity (IT investment to headcount) ratio?
7. Do all your IT projects come in on time, to budget and to specification?
8. How does your D&O insurance deal with the personal consequences for directors of IT failures arising from inadequate board oversight of core business processes and significant financial transactions?
If your organization has a clear, widely understood set of answers to these questions, complete with meaningful metrics, then you probably have an effective IT governance framework in place. The fact is, very few organizations do. There are a number of reasons for this.
Competitiveness
The first is that IT and IT governance simply don’t feature on the CEO’s top 10 list of challenges. Tighter cost control makes it in at number seven; transferring knowledge/ideas/practices within the company (which could, arguably, be linked to using IT as an enabler), makes it on to the list at number 10.
What are the top three challenges?
Not surprisingly, they are all related to competitiveness as measured by revenue growth. The Conference Board’s annual survey for 2004³ listed the top three challenges identified by CEOs worldwide:
1. Sustained and steady top-line growth
2. Speed, flexibility, adaptability to change
3. Customer loyalty, retention
This focus on top-line revenue growth is as much a challenge in the public, voluntary and not-for-profit sectors as it is in the private one. Information technology is, surprisingly, only a subsidiary issue in responding to this challenge, as is evidenced by the IT Governance Institute’s ‘IT Governance Global Status Report 2004’⁴, which found that:
1. 93 percent of business leaders recognize that IT is important for delivering the organization’s strategy, yet
2. 93 percent of respondents experienced IT problems in the previous year; 40 percent of respondents identified operational failures, incidents and an ‘inadequate view on how IT is performing’;
3. 75 percent of the IT community recognize that IT has problems that need resolving;
4. More than 80 percent of the IT community thinks that IT governance has some part to play in resolving these issues.
In the AT Kearney survey⁵, only 28 percent of IT leaders ranked IT as a top 10 percent issue; only 37 percent of ALL the executives surveyed ranked IT as being this important.
³ ‘Conference Board CEO Challenge 2004’, Executive Summary
⁴ ‘IT Governance Global Status Report, Executive Overview’, IT Governance Institute, 2004
⁵ ‘Why Today’s IT Organization Won’t Work Tomorrow’, AT Kearney, 2005
Historically, therefore, the CEO community has not rated the importance of IT governance nearly as highly as the IT community does. However, while shareholder and regulatory pressures have been driving IT governance up the board agenda, the over-arching reason for IT to become a key boardroom issue in the 21st century is the extent to which information and information technology are now driving and shaping the competitive environment.
Shareholder accountability
Institutional investors carry part of the blame for the fact that IT has not historically been on the CEO’s agenda. ‘One of the key problems with IT is that the City just doesn’t get it. When analysts sit down with CEOs and finance directors, attention is focused on the financial performance of the business and its strategy moving forward. As a key driver of the competitive profile of the business, IT systems and plans should be rigorously studied. But very few analysts know the right questions to ask to assess how IT will support the business goals.’⁶
Institutional shareholders are becoming more muscular. Technology is as significant a component of the organization’s cost base as its headcount, but usually consumes substantially more capital. Driven, in part, by the changing corporate governance climate and, in equal part, by the poor record of IT projects, stakeholders and institutional shareholders increasingly seek transparency around IT. This is hardly surprising, when you consider the extent of project disaster made possible by the historic culture of opaqueness around IT governance.
For instance, the Standish Group’s research on IT project failure⁷ found that:
• 16.2 percent of software projects completed on time and on budget;
• 31 percent of projects were cancelled before completion; and
• 53 percent of projects would cost over 189 percent of their original estimates.
⁶ Justin Urquhart-Stewart, HP IT Governance Roundtable, November 2002
⁷ ‘The Chaos Report’, the Standish Group, 1995
There hasn’t been a significant improvement since then. A Conference Board survey in 2001 found that:
• 40 percent of projects failed to achieve their business case within one year of ‘live’;
• Where benefits came through, it was six months later than expected;
• Implementation costs were, on average, 125 percent of budget;
• Support costs were, on average, 120 percent of budget.
But it’s not only about project failure. 80 percent of corporate assets today are digital⁸ and, as shareholders and boards focus on the extent to which information and intellectual capital are fundamental to their competitive position and long term survival, so they recognize the fiduciary nature of their responsibility to shareholders in respect of the organization’s information assets and IT.
Compliance
Regulatory compliance and risk management appear to go hand in hand. The best companies have always addressed strategic risk from the boardroom; Basel 2 and today’s corporate governance regimes increasingly expect risk management to be pervasive throughout the culture of all organizations.
Across the world, a proliferation of sometimes competing data protection, privacy and computer misuse legislation, little of which has clear implementation guidance or established case law, creates new challenges for corporate boards. Governance regimes – particularly Sarbanes-Oxley – have substantial IT compliance components. Securing information against organized crime and cyber terrorism ought to be high on corporate agendas, but isn’t: just 20 percent of the respondents in a global survey strongly agreed that their organizations perceived information security as a CEO-level priority.⁹
⁸ Testimony of Jody R Westby, PwC Managing Director, to the House of Congress Committee on Government Reform, September 2004
Is it therefore surprising that authorities are increasingly looking to regulation to force the issue up the agenda? ‘The road to information security goes through corporate governance. America cannot solve its cyber security challenges by delegating them to government officials or CIOs. The best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs.’¹⁰
Directors’ personal liability
Historically, the outside, or non-executive, directors of companies have been personally immune – financially, if not in terms of reputation – from the legal consequences of failure of the companies on whose boards they sit. A Stanford University study, for instance, found only four US cases, by 2003, where individual defendants had been forced to contribute personally to the settlement of securities class actions.
However, in 2004, an ex-Chairman of Global Crossing made a substantial (US$30 million) personal contribution to settling a class action.
In January 2005, substantially all of the outside directors of both WorldCom and Enron agreed to settle class actions by contributing personal funds to the settlements. Ten Enron directors agreed to contribute an aggregate US$13 million; ten WorldCom directors agreed to contribute an aggregate US$18 million, which reportedly represented approximately 20 percent of their wealth. These personal contributions were in excess of the amounts provided by Directors and Officers insurance, which was exhausted by the cases.
While these settlements don’t constitute an admission of liability or of wrongdoing by any of the settling directors (the cases are still, at the point of finalising this book, subject to court approval, with the WorldCom agreement in serious jeopardy), they point to significant changes in the personal exposure of outside directors. There is an argument that the WorldCom and Enron settlements are aberrations and that, once the dust has settled, courts will return to the ‘norm’.
⁹ Ernst & Young, ‘Global Information Security Survey 2004’
¹⁰ ‘Information Security Governance: a Call to Action’, US National Cyber Security Summit Task Force, April 2004
In the UK, Equitable Life is suing its former auditors, Ernst & Young, and its previous directors, both executive and non-executive, for professional negligence in relation to its near collapse in 2000. While the hearing of the £2.6 billion claim started in April 2005, the UK’s Commercial Court had already ruled in 2003 that the company could proceed with a claim that its non-executive directors were negligent in implementing a strategy which later proved to be unlawful.
The Disney case, in which the company is taking action against its directors in respect of the hiring – and later firing – of Michael Ovitz, provoked the comment that the alleged facts in the case: ‘suggest that the defendant directors consciously and intentionally disregarded their responsibilities, adopting a “we don’t care about the risks” attitude concerning a material corporate decision. Knowing or deliberate indifference by a director to his or her duty to act faithfully and with appropriate care is conduct, in my opinion, that may not have been taken honestly and in good faith to advance the best interests of the company.’¹¹
In a similar vein, the former Chief Justice of Delaware commented, in March 2005: ‘Directors are expected to act—indeed are presumed to act, unless the presumption