Tuesday, January 15, 2013

CIO’s GRC Management Agenda

IT Governance is a critical responsibility and a subset of Corporate Governance.

Many factors influence a CIO's choice about where to position his/her information resources along with business continuum. These factors include: the organization’s risk appetite, regulatory environment, size, stage in lifecycle, market environment and current conditions, Board's attitude to risk and reward, core systems lifecycle, maturity of the Information Systems team & processes and, perhaps most importantly, the CIO's predilection for either risk aversion or risk taking, and his/her ability to influence decisions around this. As an IT Executive, CIO should focus on Data Governance, IT Governance, and Risk Management. These are some core strategies empower IT to use consistent data terminology, effectively plan IT roadmap based on business goals & objectives, and help the organization avoid taking unacceptable risks.

1.    IT Governance

Governance is critical. It doesn’t matter what the drive is, in a well aligned and architected organization, governance must be assessed at the enterprise level. The ultimate 'governance' authority is the Board of Directors; all other governance 'authority' is derived from the authority delegated downward by the Board of Directors. Thus

  • IT Governance is a critical responsibility and a subset of Corporate Governance. for IT governance, one of the main challenges is acceptance from the Board, as well as cultural issues, as governance has costs associated with it and partly is to do with the way a business perceives risk, opposed to focusing on the benefits that a well-governed business can bring to their strategic stance.
  • Two foundational requirements:  Governance has been one of those concepts that has received a lot of "lip service" and most CIO's have depended on outside help (including Internal Audit) to guide the minimum they need to do to get a "pass" mark. Governance as a management tool - and even more as a learning tool - is not well understood and accepted. There are two foundational requirements: 1). Management commitment and 2). Discipline. If you don't have either, don't bother with any governance.
  • Present to business about benefit & cost: The thing that the management wanted to see is how the implementation of the strategy proposed will affect the existing business processes, roles, and responsibilities, and how much will it cost to change the processes in order to establish good IT governance and risk management, and of course, what exact benefits it will bring at the end.

2.    Data Governance

The CIO’s role among many things is to decide where to make IT investments, provide IT Insights (Analytics) and be the marketer for all the information. Data is growing at exponential rate. So, the data governance issues will also become pretty serious if steps are not taken immediately. IT is responsible for working with business folks to identify the business rules and provide the data insight mattering for decision making, customer insight as well as workforce analysis.
  • Data Management Life Cycle: Data governance is critical especially as we move to the cloud using SaaS; data is an asset that needs to be protected and used properly. Information (data) is a resource over which the governing body should exercise oversight, for which the governing body should delegate certain responsibilities and for which the governing body may well define some policy regarding how decisions are made. Then, we can correctly see data management as being the tasks and responsibilities delegated to management as part of the governing body’s governance activities.
  • Data Quality:  Data Governance, for the most part, relates to the maintenance of quality data. In order to provide meaningful and insightful reporting or business intelligence, data governance is essential. Think about it, you will not be able to understand the performance of your company or measure it without good quality data and data governance ensures that you can get your hands on it.
  • Compliance: One more thing needs to always keep in mind is regulatory compliance. That will be the driving principle behind your data or IT governance. Once you've taken care of compliance, governance seems to flow out rather easily if no other reason than compliance, which takes a lot of effort and controls these days.

3.    Risk Management

Risk management is very personal and culture driven. It falls from, "it feels good, let's do it" to "the numbers must be 110% in line before we move an inch". It is too inextricably linked to the company's culture and its personalities.

  •  Emphasize Risk Management Aspect with Double Asterisk: The reason is that the rate of change in IT Infrastructure landscape whether it is management and monitoring or just alternate delivery and consumption models (Cloud, BYOD., etc.), is faster than the risk management capabilities of companies. This is compounded by the fact the threat matrix is large enough to put the entire organization at risk. How the risk management will actually work in order to solve the highest risks and issues appropriately. Speaking about IT risk, almost all departments were somehow involved, more or less. And here comes the first obstacles - if the risks spread among the different department, who will cover the costs? The financing structure and procedures are of course complicated, and CIOs have to take into account of internal politics, budgets, etc. 
  •  Explore “WHY” & “WHAT”, besides “HOW”: IT delivery should be transparent to users and managers in organizationsCIO also need concentrate on the business information requirements that support company growth. it's the value (often undervalued) of corporate information as a resource and defining how it should be used strategically to best  business advantage.  It's a bit of a paradox really if IT get obsessed by risk and ongoing governance,  it hampers the ability to deliver flexibly and effectively, but if ignore risks,  then it opens the whole organization to a different set of risks. That said, governance and risk management are important but should be handled and prioritized in such a way that they're inherent in the way we ask our staff to work and don't negatively impact our flexibility to deliver clear solutions and concise information to key decision makers. The balancing act is taken along a continuum of risk and reward. Effective risk and governance shouldn’t stifle innovation, operational efficiency, and agility.
  • Four components in GRC framework: IT governance and risk management must be integrated with overall risk management and governance processes, It is unrealistic to consider a "once every 5 years" approach to governance and risk management strategy. It's not possible to "set and forget.". Strategies for governance and risk management must be woven into the fabric and aligned with the business culture and process. The governance/risk management framework has four components: 
        (1). organizational relationship (that defines responsibility and accountability), 
        (2). Operational delivery (managing results)
        (3). Commitment compliance (meeting legal, regulatory, corporate requirements) 
        (4). Risk management (assessment and reviews). 
        All of these are applicable to the entire IT organization (data, security, operations). 

A CIO owns delivery of one of any organization's key assets - its information. A failure to deliver because IT function is so tied up with risk or its own governance rules is unforgivable. IT governance, Data Governance, Risk Management- all of these are very fine balancing act on the part of any CIO. The core strategy of any IT function  is to support the business and even drive business growth. If a CIO has got his/her strategic plan in order, then the governance and risk assessment should be an integral part of it and the best implementations tend to be very tailored, the measurement of the importance of governance depends on the maturity of the organization.











2 comments:

Risk Management is the process of managing risk as it relates to specific circumstances. The techniques and processes used to manage risk are quite pragmatic and common-sense. Options Trading

Hi, just a moment back I was searching for the information on the same topic agenda management software and now I am here. So much information, really well executed blog. This is really informative and I will for sure refer my friends the same. Thanks

Post a Comment