As founder of the Truth to Power Association, Cass Brewer serves as steward, advocate, and minion of the T2P community. She has more than 15 years of experience managing technology research, including 5 years focusing on IT governance, risk management, and business process management. Prior to founding T2P, she directed the IT Compliance Institute.

Should IT governance be a board-level issue?

A comment about ISACA's new COBIT and Val IT survey on Dan Swanson's GOV_DG list got me thinking about where the buck stops with IT governance. A common strain of thought says IT should be a board-level issue. After all, IT is big money, and data breaches have increasingly material potential, as the still-rising tolls from the Heartland and TJX breaches illustrate. But is IT, in concept and practice, still too mechanical for board-level attention? Should it be?
The answer to the first question is certainly yes. Even the most strategic IT governance standards (ISO/IEC 38500, COBIT, and Val IT) live squarely in the domain of How. Val IT might come closest to corporate governance in its coverage of IT investment management, which implies evaluating the value of the business processes that technology enables. In this sense it is similar to GAO-04-394G, Information Technology Investment Management. Still, even the value-oriented frameworks are insular and inward-looking. In their world view, IT investment is governed by the CIO. The bigger picture, the integration of IT risk and value into business-process (and process-performance) risk and opportunity, is still outside their sphere.

Because of this insularity, IT itself should not and cannot be the purview of the board. The board's concern is the performance of the business: market relevance, business performance, high-level strategy, financial processes, risk posture, and so on. IT can enable these concerns, but whether it does (or doesn't) and how are relatively atomic considerations that, from the board's perspective, should remain "under the hood."

Of course, boards are concerned with the oversight of large investments (and IT is nothing if not a large investment), as well as with risk and compliance issues. These are the two areas where the IT governance substratum comes closest to the surface of general corporate governance:

- In the case of investment management, the board should primarily respond to management (and audit) evaluations of how well IT expenditures represent good-value responses to business-process opportunities or risks. This consideration is subsidiary to whether particular business processes (e.g., tailored approaches to ERP, CRM, SCM) are good-value responses to business performance opportunities and risks. And the business-process consideration is itself subsidiary to whether the identified business performance opportunities and risks represent market-relevant and market-responsive business goals. So, even in this context, IT governance would still exist at a line-item level in the board's considerations.

- In the case of risk and compliance management, business factors such as market timeliness requirements; reporting integrity and timeliness; and general information integrity risks and regulations also deserve the board's attention. But, again, that attention should be at the policy and business-impact level. Information security is subsidiary to information protection, which is subsidiary to information confidentiality, integrity, and availability (CIA), which is subsidiary to the issues that should be top-of-mind board concerns: brand reputation, innovation, agility and flexibility, reporting obligations, and speed to market.
IT is a complex and powerful function that needs governance; however, confusing IT governance with business governance supports neither function. It's like confusing the body with the person. Yes, "what am I going to do today" is somewhat dependent on "what are my physical capabilities and limitations." But our decisions to cook, ski, job hunt, buy a new television, and so on don't begin, and usually don't end, with a consideration of our physical capacity to do them.
Between IT governance and corporate governance there are also other process layers that deserve more refinement and attention than they're getting. IMHO, business performance measurement and management, business process measurement and management, and information assessment and governance (including, but not limited to, electronic information) top this list.
Your thoughts?

Twits!

Twitter is a terrible solution to an intensive need. To use it is to constantly forgive its failings. But we do use it, because it provides an indispensable, instantaneous information stream.

How Twitter fails:
- Noise. A constant information stream with low relevance density. Some of this is intrinsic to the communication mode, but it's amplified by Twit culture.
- Chaos. Lots of ways to amass information, no way to organize it.
- Usability. Nightmare interface.
- Reliability. Continual service outages and hiccups.

How Twitter succeeds:
- Brevity. It turns out we can absorb more information from 140-character tweets than from 140-page white papers.
- Simplicity. You talk at people. Sometimes they talk back. No formatting options, no burden of conversation, no need (or opportunity) for clarification.
- Promiscuity. Twitter is the delta for many communication channels.
- Timeliness. The right mix of subscriptions can simulate an ideal news service.
Why do I care about this? As I see it, a resource that I continue to use even though it's annoying is a learning opportunity. My interest in Twitter is this: how can T2P meet the same human communication needs that Twitter does without failing in the same ways? Or can we? We have always believed that people in governance, risk, and compliance positions want to communicate and have a lot to say. Facilitating that communication is part of our mission. Another part is providing a practice context for those communications. And a third part is to contribute to those communications with internally produced research. Although we've seen a measure of success in some of these goals, we're clearly missing something that Twitter, for all of its failings, does very well. In essence, I think we need to find more ways to let you be brilliant briefly, maybe even casually. We need to offer more communication channels and mechanisms for the aggregation and consolidation of community members' insight and wisdom.

I'm very interested in hearing what kinds of new community channels you'd like to see on this site. Do you use Twitter? Would something like that, but focused on information governance, be good here? Should we have forums or discussion boards? Do you use the communication options available to you through your profile pages? And why, or why not? You can post your response in the comments section for this article, or write me directly.

Will companies love open source to death?

As I write T2P's 2009 outlook for open source, I can't help but wonder how a tsunami of non-contributing adopters will affect the open source development ecosystem. Most of the companies using open source software will not directly contribute to its development, nor will they directly recognize or compensate the developers who've contributed to their systems. Furthermore, developers who indirectly generate code for even thousands of mission-critical systems will have no way to cite that achievement. I've said it before and I'll say it again: the open source movement is not a populist revolution. It's a technocratic oligarchy. If, as Eric Raymond suggests, prestige is the capital of open source development, the net impact of widely uncredited, unrecognized, and therefore uncompensated work could be quite oppressive, couldn't it? In other words, when the majority of software users don't know or admire the developers, will those developers take their PHP and go home? Or will mainstreaming catalyze new open source business models that, by directly compensating developer communities, cultivate a richer, better supported, and more diverse open source market? What do you think?

Forgotten risk vectors and the shifting audit 'verse |

Monday, 05 January 2009 23:21

It's natural to stick to what you know. This impulse can serve us well in risk management, since it predisposes us to find problems in existing processes. However, from the broader view of business performance, sticking with what we know (and have) can present something of a problem. Risk exists on many fronts and has at least a couple of faces. Still, the risk management field as a whole tends to focus fairly narrowly on internal operational risks and their likelihood of causing failure. Meanwhile, we ignore external factors that can sink the ship altogether. And we fail to recognize opportunity risks; that is, opportunities that, if we only acted on them, would improve the bottom line. A more comprehensive risk management approach must look beyond our immediate environment and seek to assess factors that act upon the business, such as...