Governance: The new word for Best Practice

By James Pasley 

As organizations are increasingly dependent on IT, the concept of IT governance has received much attention. This has been fuelled by a number of high profile security breaches, particularly where customer data is involved, which have drawn attention to the risks associated with the use of IT. The Sarbanes-Oxley Act has also been a factor and is often referred to in this context. It primarily deals with financial reporting and auditing, but two areas have a significant impact on IT. Sarbanes-Oxley recognises that a company’s use of IT affects its control over financial reporting. It also places responsibility for financial reporting firmly on the Chief Executive Officers and Chief Financial Officers. This has led to senior executives taking more interest in, and responsibility for, the way in which their organizations use IT.

It is in this context that IT Governance has become more prominent. So what is governance? The following quote from the IT Governance Institute puts it very well:

IT governance integrates and institutionalises good practices to ensure that the enterprise’s IT supports the business objectives.

IT governance sets out to ensure that best practices are used at all levels within IT and goes hand in hand with Service Oriented Architecture. SOA seeks to align business objectives and IT at a functional level. In SOA, the core business functions performed by an organization are aligned directly to services provided by IT. Governance seeks to align business and IT at a non-functional level. In particular, the objectives for governance are to ensure that organizations can satisfy the quality, legal and security requirements for their information. In addition to this, management need to ensure that IT resources are used efficiently and that they understand the status of IT systems. They also need to decide on what level of control needs to be exercised.

There are a number of core concepts within governance: leadership, value, risk and control. Let’s deal with each of these in turn.

Sarbanes-Oxley makes it clear that responsibility lies with the senior executives in an organization. They should also be providing leadership and setting the agenda for the use of IT. Realistic goals need to be set together with strategies for implementation, for example, the adoption of SOA or conformance to the auditing requirements of Sarbanes-Oxley.

The value of IT within an organization needs to be well understood. There are a number of ways to look at this: the value can be a measure of the organization's dependence on IT, and it is also an important factor in any decision to invest in IT. IT systems, and in particular the information they contain, need to be continually reviewed in order to identify new ways of using them. This could result in new value being identified.

The purpose of governance is not to eliminate risk – that is not a realistic goal. Firstly, the level of risk needs to be understood. The organization's appetite for risk also needs to be defined – of course there are many cases in which the appetite for risk will be very low indeed. Then the organization's exposure to risk needs to be managed. Issues relating to the security or loss of information are obvious areas where risk needs to be assessed. RASP issues also need to be considered, with the levels of redundancy and overcapacity provided within IT systems being weighed against the value of the transactions that they process.

Governance sometimes gets a negative reaction from IT staff as it can be perceived as the business guys telling us IT guys how to do our job. It doesn’t have to be this way. Governance is about identifying the right level of control. For example, it is entirely appropriate for senior executives to demand that proper development practices are followed. However, it should probably be left to the IT staff to choose which of the many development methodologies are most appropriate for the organization.

When implementing governance you need to set objectives. There are a number of frameworks which can help you in defining these objectives, for example the Control Objectives for Information and related Technology (COBIT®). COBIT® assists IT Governance by making the link to business requirements and organising IT activities in a generally accepted process model. It also identifies the major IT resources and defines the management control objectives to be considered.

All of this requires that you have up to date information on the status of both the business and the IT systems. This is needed in order to define realistic objectives and in order to evaluate whether these objectives have been met.

Governance is an iterative process: you must start by setting objectives based on the information that you have available. Then you can proceed through the SOA lifecycle in order to achieve the objectives, as shown in the figure below. Finally, you can monitor and evaluate the results of the iteration, giving you the information you need to define new objectives.

SOA Lifecycle

Figure 1. The SOA Lifecycle 

The completion of each iteration should achieve the stated objectives, improve the quality of IT within the organization and represent progress in the roll-out of governance. The COBIT® framework also provides a maturity model by which progress can be measured.

As IT Governance needs to be applied to all aspects of IT within an organization, no one software product can be said to provide a solution to IT governance. However, it is possible to relate the various Cape Clear products to different phases within the lifecycle as shown in the figure below.

The Cape Clear products within the SOA Lifecycle

Figure 2. The Cape Clear products positioned within the SOA Lifecycle 

As shown in the figure above:

  • A repository may be used to store information on the services provided by IT. This is increasingly important as the number of services increases and the procedures relating to how they may be reused are formalised.
  • As part of the planning phase, business processes may be modelled either in BPEL or BPMN.
  • Cape Clear Studio is used during the implementation phase to create services and solve integration problems.
  • The Cape Clear ESB Platform provides the hosting environment for both services and orchestrations.
  • Cape Clear BAM provides the visibility into IT systems necessary to deliver the condensed and timely information that is so vital to the implementation of governance.

To summarise, governance requires that best practices be applied to all aspects of IT to satisfy the quality, legal and security requirements for information. These issues are addressed through the core concepts of leadership, value, risk and control. Governance is an iterative process which starts with the establishment of objectives based on the available information. At each stage in this process, different components of the Cape Clear ESB Platform may be used in support of the IT governance strategy.
