Governance is like a brake: its purpose is not to stop the car but to keep it running smoothly.
Governance has been one of those concepts that receives a lot of "lip service." The speed of business is accelerating, opportunities and risks co-exist, and a CIO owns delivery of one of any organization's key assets: its information. A failure to deliver because the IT function is so tied up with risk or its own governance rules is unforgivable. Data governance, IT governance, and corporate governance: a CIO needs to master them all.
1. CIO’s Governance Strategy
Many factors influence a CIO's governance strategy, as well as the choice of where to position his/her information resources along the risk-reward continuum. These factors include: the organization's risk appetite, regulatory environment, size, stage in its lifecycle, market environment and current conditions, the Board's attitude to risk and reward, the core systems lifecycle, the maturity of the Information Systems team and its processes and, perhaps most importantly, the CIO's predilection for either risk aversion or risk taking, and his/her ability to influence decisions around this.
- Data Governance: Data governance is critical, especially as organizations move to the cloud using SaaS; data is an asset that needs to be protected and used properly. Data governance, for the most part, relates to the maintenance of quality data. In order to provide meaningful and insightful reporting or business intelligence, data governance is essential. If you think about it, you will not be able to understand or measure the performance of your company without good-quality data, and data governance ensures that you can get your hands on it.
- IT Governance: The CIO's role, among many things, is to decide where to make IT investments, provide IT insights (analytics) and be the marketer for all the information, to ensure consistency and compliance, and to assist in risk management. Done properly, IT governance facilitates faster, better execution through visibility and formal decision making.
- Corporate Governance/Risk Management: Data/IT governance is an integral component of business governance, and IT governance is also converging with corporate governance. Investing in defining and implementing data/IT governance and risk management strategies is critical in enabling IT to become a competitive advantage in support of the business goals and objectives. These three core strategies empower IT to use consistent data terminology, to plan the IT roadmap effectively based on business goals and objectives, and to help the organization avoid taking unacceptable risks through effective risk management.
- Governance is an Integral Part of Business Strategy: This is a very fine balancing act on the part of any CIO. The core strategy of any IT function is to support the business: no business = no jobs and no IT function. IT does this by adopting technologies that support (or help change) the business model and make staff more effective, and one of the key strategies may be the use of highly innovative technology. If a CIO has his/her strategic plan in order, then governance and risk assessment should be an integral part of it. It's a bit of a paradox really, but it's true.
Any company today faces threats from everywhere. Understand that it is only a matter of time before somebody hacks into your server unless you have implemented, and actually practice, risk management. IT governance and risk management must be integrated with the overall risk management and governance processes; only then will the governance strategy actually work.
2. How to Implement Governance Strategy Effectively
After the "WHAT" has been well defined, what management wants to see is HOW the proposed strategy will affect the existing business processes, roles, and responsibilities; how much it will cost to change those processes in order to establish good IT governance and risk management; and, of course, what exact benefits it will bring in the end.
- Manage Quick Wins: Once higher management completely understood the strategy (which took a couple of interactions with the steering committee, data analysis, comparisons, simulations, etc.), they focused on the project with much higher attention; however, it was important for them to see quick wins as soon as possible. Reach the quick wins through a detailed risk assessment that points to the issues that need to be solved first. That was the strategy in application: how risk management would actually work to solve the highest risks and issues appropriately. Even when talking only about IT risks, almost all departments were somehow involved, more or less.
- Overcome Obstacles: And here come the first obstacles: if the risks are spread among different departments, who will cover the costs? The financing structure and procedures were, of course, complicated, and CIOs have to take into account internal politics, budgets, etc. So IT has to define the process very clearly. The story came out of the CIO's "hat" just like that, but then it actually became the real story! This is understandable in a way, as governance has costs associated with it, and partly it has to do with the way a business perceives risk, as opposed to focusing on the benefits that a well-governed business can bring to its strategic stance.
- Doing Governance Just Right: Sometimes IT gets obsessed by risk and ongoing governance, which hampers its ability to deliver flexibly and effectively; but if we ignore them, we open the whole organization to a different set of risks. Governance and risk management are important, but they should be handled and prioritized in such a way that they are inherent in the way we ask our staff to work and do not negatively impact our flexibility to deliver solutions, and clear and concise information, to key decision makers. Thus, agile or lean governance is needed.
How much weight governance (IT and data) and risk management strategies carry depends on the maturity of the organization. The balancing act runs along a continuum of risk and reward: more focus on risk and governance means less focus on innovation, operational efficiency, and agility. So balance is the key.
3. What is the Value of In-house vs. Consulting when Implementing Governance Strategies?
It is unrealistic to consider a "once every 5 years" approach to governance and risk management strategy. It's not possible to "set and forget." Strategies for governance and risk management must be woven into the fabric of the organization and aligned with the business culture. In that respect, outsourcing the formulation of governance and risk management strategy seems foolish, although bringing in external expertise to shine new light may be useful in a stale environment.
- The Best Implementations Tend to Be Very Tailored: There is no silver bullet, whether you use in-house or professional services to define and implement the strategy. Most companies have their own risk management groups to manage risks, as governance and risk management can be very culture-driven. For IT governance, big consulting companies can be engaged, but they require in-house oversight. For data governance, an in-house advocate or evangelist is necessary. Issues of governance and risk management have an underlying generality applicable to most organizations, but the best implementations remain tailored to the specific organization.
- Build a Governance Framework: Governance as a management tool, and even more as a learning tool, needs to be well understood and accepted. There are two foundational requirements of a governance framework: 1) management commitment and 2) discipline. The governance framework has four components: 1) organizational relationships (defining responsibility and accountability), 2) operational delivery (managing results), 3) commitment compliance (meeting legal, regulatory and corporate requirements) and 4) risk management (assessments and reviews). All of these apply to the entire IT organization (data, security, operations). Through such a framework, CIOs can deliver better solutions.
- Governance Takes Focus: Without that focus, each department will push and pull for its unique needs and wants, potentially creating the quicksand that slows these efforts to a glacial pace. When considering an approach, one thing must always be kept in mind: regulatory compliance. That will be the driving principle behind data or IT governance. Once you've taken care of assuring compliance, governance seems to flow out rather easily, if for no other reason than that compliance takes a lot of effort and controls these days. These initiatives are very important and you do need a repeatable plan for each; implementation will be in-house, but you should get some external input to better focus the effort. Engaging consultants to implement governance will not produce the management commitment and discipline that are fundamental to long-term successful governance.
Governance is a crucial focus for CIOs because the rate of change is faster than the risk management capabilities of companies. This is compounded by the fact that the threat matrix is large enough to put the entire organization at risk. Governance is like a brake: its purpose is not to stop the car but to keep it running smoothly. Too often, CIOs who should know better dive into the technical detail of apps and infrastructure rather than concentrating on the business information requirements that support company growth. That is one of the challenges a CIO faces, and it's in no way new: explaining at all levels that his/her main role isn't electric string, it's the value of corporate information as a resource and defining how it should be used strategically to best advantage.