Making IT Governance Work in a Sarbanes-Oxley World (Edition 1, Hardcover)
This book discusses a dilemma common to many corporations' IT departments: the tension between top-down governance directives and the challenge of getting everything properly functioning on a bottom-up basis. Making IT governance work does not simply mean adherence to an ABC of (a) going more deeply into rules, (b) implementing a framework, and (c) registering good results. Neither is this book a guide to frameworks and compliance. Its goal is to describe an entire repertoire of resources that can assist in arriving at better IT governance. CobiT is one of these resources; bottom-up governance principles such as distributed leadership constitute another; portfolio management is a third.
This book presents a realistic approach to the governance of information and IT in corporations. The authors' view is that "new technology" can only achieve its optimum impact when it is properly managed. Money and behavior are key factors: the money that information and IT must generate, and the activity and latitude of people in the organization from top to bottom. This book:
- Presents a clear view on the relationship of corporate governance and IT governance.
- Provides recent Sarbanes-Oxley history and the compliance consequences for organizations.
- Offers in-depth insight into IT portfolio management.
- Provides an overview of various IT governance opinions from such groups as Gartner, Forrester, and IT Governance Institute.
Energetic, thoughtful and highly informative, this book provides a valuable and timely guide to IT governance and the complexities of IT management in an increasingly regulated world. The authors are great at focusing on the things that really matter for practitioners. The book is also very readable.
Leslie P. Willcocks
Professor of Technology, Work and Globalization
London School of Economics
About the Author
Jaap Bloem is a senior analyst with the Research Institute for New Technology (ViNT). He has coauthored two books: one on components in business and IT architecture, and the other on governance of information and technology in the context of corporate and financial governance. He was a consultant with KPMG and cofounder of the IT Trends Institute.
Menno van Doorn is a manager of ViNT and contributor to several management and IT periodicals. He coauthored a book on the governance of IT in the context of corporate governance. For many years, he was a business consultant working with leading multinational corporations.
Piyush Mittal is the U.S. National Delivery Manager for Sogeti, a CapGemini company. He works closely with businesses and IT teams on major initiatives including global delivery, outsourcing, large systems development, and ERP deployment.
ViNT is part of Sogeti Netherlands B.V. and is directed by an advisory board that sets the research agenda of the institute. Members of the board are top executives of international organizations.
Read an Excerpt
Making IT Governance Work in a Sarbanes-Oxley World
By Jaap Bloem
John Wiley & Sons, ISBN: 0-471-74359-3
Chapter One: Types of Governance, Business Performance, and Common Sense
Choices and Adjustments
Governance is a heavily loaded term. It implies a rigorous approach to a concept that is grasped only with difficulty. It involves important strategic matters: the making of choices and adjustments.
IT Governance: A Condition of Credibility
Each form of governance, whether it is corporate, financial, or IT, has a direct relationship to business-economic performance. Because of the business value of IT, the high costs of technology, and the problems arising in the e-business experimental phase, IT is an outstanding example of a domain in which governance is necessary. Additionally, when a governance "catch-up" effort is needed to reestablish confidence in IT and to build credibility, IT must be reined in administratively.
Full-Cycle Business Governance of IT
Although the notion of IT governance has become well established, closer inspection reveals that this concept is misunderstood. The main focus should be on the business value of IT, a value that needs to be demonstrated.
"Full-cycle IT governance" means that governance processes and guidelines involve the entire organization and are appropriately applied everywhere within it. Processes and guidelines must influence behavior so that the organization performs better. This means that the same processes and guidelines must be evaluated over time in terms of the organization's competitive and financial performance, another cycle that has a direct impact on business.
* * *
FROM THE SEPARATION OF POWERS TO SARBANES-OXLEY
Many different interests are involved in business-economic performance, i.e., those of employers, employees, financiers, business partners, government authorities, customers, environmental activists, IT suppliers, and others.
There is every chance that these interests will conflict or, at the very least, create frustration; such conflicts must be dealt with effectively. Ever since Charles de Secondat (1689-1755), better known as the Baron de Montesquieu, discussed the separation of powers in the 18th century, it has been commonly acknowledged that absolute power must not be placed in the hands of any single institution or person. Montesquieu, who was the originator of this idea, hoped that conflict in the top echelons of society could be peacefully resolved by an evenly weighted system of power. In the business domain, to avoid conflicts among the various stakeholders, an objective system of issues, agreements, and processes has been constructed.
Management, accountability, and supervision, the three principal components of governance, are explicitly separated in this system. If the system is constructed properly, all relevant interests can be weighed and protected effectively and efficiently. Such a system of fundamental protection of interests and their effects, designed to avoid unwanted entanglements of interests and to serve an organization's principal goals, is governance.
When most people say "governance," they really mean "good governance." In general, this concept works for the fundamental protection of interests required to maintain a system and its various subsystems in harmony. Thus we are able to avoid frustrating relevant internal or external interests or inflicting damage on them. The practice of good governance requires good consultation and collaboration, as well as making accountable choices, while constantly paying attention to the principal objectives of the business over both the short and the long term. Governance begins with the separation of powers, in the trias politica of Montesquieu; such a separation is at the heart of Deming's model of corporate performance and has been the main issue in the recent Sarbanes-Oxley legislation (see Exhibit 1.1).
An example of how substantial damage can occur is the negative cascading effect that the overenthusiastic global embrace of IT had on business operations during the tech run-up of the late 1990s. The cascade had an enormous negative impact on financial markets and the global economy, creating a crisis of faith.
The current conviction is that a better (or more rigorously observed) form of governance among the full range of businesses operating in the late 1990s could have prevented this situation. In this sense, governance safeguards trust: trust that the statistics are correct, trust that the facts are accurate, and trust that the stakeholders in the organization are acting competently and in the best interest of the organization, free of self-interest and the desire for personal gain.
The institutions, laws, and regulations to which businesses and other organizations should have remained attentive were fundamentally flawed. It was undoubtedly governance that failed. Ironically, if there is anything that has the potential to make things better, it is also governance. With better supervision and more effective widespread implementation of sound governance practices, perhaps the course of history would have been different. Therefore the well-defined distribution of power and authority, as well as the proper supervision of both, is critical for avoiding the problems of the past, particularly in such a strategic and expensive endeavor as IT.
The separation of power and authority is absolutely crucial for the proper promotion of special interests oriented toward the accomplishment of the principal goals. This entails making choices and making such choices possible in the first place, recognizing progressive attitudes and insight, while also acting on their basis; in other words, implementing a program of continuous adjustment and improvement.
Because IT consumes large quantities of money and because disappointing experiences have surrounded IT in the past, reliable reporting to owners of the current status and state of IT is a critical concern. The American Public Company Accounting Reform and Investor Protection Act, otherwise known as the Sarbanes-Oxley Act (which was implemented in 2002 after the billion-dollar frauds at Enron and WorldCom became known), makes management responsible for a company's reported results and reporting procedures, including reports about the status of IT.
The intent of the legislators had already been established in legislation such as the IT Management Reform Act of 1996, better known as the Clinger-Cohen Act. Since the implementation of this act, IT performance management using a portfolio management approach has become mandatory in all government departments. Amendments to the Clinger-Cohen Act enacted in 2003 affect the design and use of IT-related architecture. It is not expected that IT performance management in business will deviate from that of government departments. In fact, the legislation just described for the regulation of government was established in consultation with private sector organizations.
Rules for the management and reporting of IT have been legally determined in laws that apply to all businesses with large interests in the United States. According to the Sarbanes-Oxley Act, a maximum $5 million fine and up to 20 years in prison are the penalties for deliberately issuing a misleading report. One would thus expect that reporting standards will be improved all over the world.
CORPORATE GOVERNANCE IS GOOD MANAGEMENT
Although corporate governance is different from other types of governance within organizations (such as financial or IT governance), most people think of corporate governance when the term "governance" is used.
For this reason, a brief survey of a number of central issues involving corporate governance is given here. Corporate governance must be regarded as the principal form of governance. The governance of divisions within organizations should contribute to more competitive and better financial business performance. Ultimately, corporate governance involves the return of money to those who invest in and own the corporation. Hence, governance is specifically concerned with real profits, the return of invested capital, and the maximizing of profits for shareholders.
Corporate governance is the system that manages and controls organizations. The idea of corporate governance stands for a coherent and cohesive whole comprising organizational management, its supervision and accountability for policy, and its management. Although corporate governance is a complex notion, at its most simplistic level it involves good or sound management.
First, corporate governance is specifically concerned with accountability to shareholders, the owners of the business, and the avoidance of self-interested activity by management. The notion of corporate governance has been extended to include responsibility to the various stakeholders in a business. In addition to the attainment of financial goals, such responsibility includes the vision, mission, and social standing of the business.
Corporate governance is an extremely broad field. Political and economic structures are involved in its manifestations, laws, practices, and processes. Taken together, these establish contexts for a business's boundaries, concrete goals, and underlying strategies.
Despite many conceptual and operational differences, legal, financial, and business experts in the world's business centers agree on one thing: Corporate governance is a collection of formal and informal mechanisms that must bring managerial behavior in line with the interests of the company owners. The idea is that business managers should strive to achieve agreed-on business and operational goals, whereas corporate owners-especially when they are quite distant from the operation, as is the case with shareholders-should primarily seek (and expect) a good return on their investment. Boards of directors must therefore always explain to the shareholders why certain decisions affecting the business's performance and the shareholders' investment were made.
Articles of incorporation, legal provisions, or self-selected regulations and institutions establish the practices of corporate governance, which are the key processes of supervision, management, and accountability. Directors, for example, can be legally obligated to run the business in a proper manner and must be accountable to the shareholders. In the context of governance, the shareholders have a full scale of rights and roles, e.g., the appointment of a board of directors, the assignment of voting rights at shareholder meetings, and the right to obtain diverse information about the company.
Others, inside and outside the company, do not actually have any formal roles, although such relationships and responsibilities have been hotly debated over the past ten years, especially in the European Union, as well as because of the stakeholder issue noted above ("stakeholders" being deemed "interested parties" in a broader sense than merely financial).
The economic dimensions of governance complicate the issue even further; for example, think of the range of structures of corporate ownership and the divergent effects on the market each type of structure can potentially have.
As a result, guidelines for governance must involve the following three important elements:
1. The structure, role, and duties of the directors.
2. The role and rights of the shareholders.
3. The regime for disseminating information, accounting, and auditing.
These issues can be determined collectively or imposed by the appropriate governance authorities.
Historically, there have been significant differences between continental European corporate governance, in particular the German model, and the Anglo-American approach. Characteristic of the continental European type are the close and stable relationships between suppliers of capital and management, concentrated ownership, and explicit considerations given stakeholders (especially company employees). The Anglo-American type is oriented toward various markets, shareholders, and the formal exclusion of other stakeholders.
The European type of corporate governance is called insider friendly, and the Anglo-American type is considered outsider friendly. The position of a business's employees is a controversial issue in the Anglo-American model, less so in the European type. In the Anglo-American view, a larger role for employees is, to some people, a threat to a company's competitive position; others would like to strengthen the status of employees so that the democratic quality of corporate governance can be increased.
Although there is a trend toward the Anglo-American model of corporate governance worldwide, the position of the shareholders, the information they receive, and the quality of that information remain problematic.
In 1994, Mark Roe examined this problem in his book, Strong Managers, Weak Owners. Despite good corporate intentions, guidelines, and processes, pragmatic business-economic thinking remains prevalent. As a starting point, every business must, of course, operate in a sound manner on a daily basis, unhindered by fundamental or indirectly relevant issues. Thus it is of the utmost importance to avoid problems by practicing good governance on a daily basis.
GOVERNANCE IN CORPORATIONS: ALL ABOUT BUSINESS PERFORMANCE
Each type of governance in business (e.g., financial and IT) is also a system of management, accountability, and supervision. Governance in business must guarantee a constantly adequate and objective assessment and promotion of the business's domain-specific interests that have an essential relationship with business performance, and ultimately with economic performance. The primary goal is to improve the competitive and financial performance of the business.
In practice, an "essential relationship with business performance" often means that large intrinsic risks and unavoidable complexity are directly associated with the interests in question. Organizations are not confronted with easy choices, yet they still want to progress rapidly. This substantially increases the chance of economic and organizational damage and the frustration of strategic interests.
Governance can also be seen as the measurement and control system of management, accountability, and supervision that is necessary when interests, risks, and complexity exceed the competence of the firm's various management lines of authority and organizational layers. In the context of governance, everything must be defined, controlled, and designed so that it is possible to examine objectively what is happening, and to formulate an appropriate way of acting accordingly.
Consequently, governance has a sky-high level of ambition. Unfortunately, governance in daily practice is too frequently regarded as "the rules and provisions that people have to obey." Such a pragmatic qualification is a significant underestimation (and lack of appreciation) of what governance should be.
It is therefore important to discuss effectively the different tasks and responsibilities that come under the headings of management, accountability, and supervision, as outlined below.
1. Management. The manner in which plans, decisions, and initiatives are formulated and how the results are measured.
2. Accountability. The justification of plans based on business value, expressed in terms of financial metrics.
3. Supervision. How we make sure that plans are executed and how we intervene when the results are not according to plan.
ESSENTIALS OF IT GOVERNANCE
In the case of information and IT, we stand at the threshold of a coherent ordering of processes, rules, and testing criteria (key performance indicators [KPIs]), frameworks, and tools, which must form and further facilitate objective management, accountability, and supervision.
Excerpted from Making IT Governance Work in a Sarbanes-Oxley World by Jaap Bloem. Excerpted by permission.
Table of Contents
PART ONE: Management: Governance and Its Human Dimension.
Chapter 1: Types of Governance, Business Performance, and Common Sense.
From the Separation of Powers to Sarbanes-Oxley.
Corporate Governance Is Good Management.
Governance in Corporations: All about Business Performance.
Essentials of IT Governance.
Plain Common Sense.
Chapter 2: Impact and Challenges of Betrayed Trust.
Progress and Its Crisis of Faith.
The Role of IT and the Internet.
The American President Intervenes.
Eight Challenges Plus the Millennium Problem.
Insight as the Basis of Realism.
PART TWO: Accountability: An Economic-Based Business Focus for IT.
Chapter 3: A Basis for IT Management.
IT Measurement: Turning a Three-Leaf into a Four-Leaf Clover.
IT Is Infrastructure and E-Business.
Where Are We in Terms of the Micro- and Macro-Economics of E-Business?
E-Business and the Shift from Decree to Dialogue.
The IT Democracy.
Not Dialogue but Babble.
Limits to the Babble, but Almost Any Governance Structure Will Do.
exT: Death of IT.
Keep It Simple, Stupid!
Money Makes the World Go Round: Rapid Economic Justification and Total Economic Impact.
The Strategic Role of the CIO.
Strategic Focus and Alignment.
IT Governance: From Structures to Mechanisms and Techniques.
Chapter 4: IT Portfolio Management.
What Is Involved in a Portfolio Approach?
An IT Portfolio Approach in Practice.
IT Portfolio Management Begins with Outlines, Architecture, and Calculation.
Maturity and IT Portfolio Management.
Governance, Projects, Programs, and Performance.
The Portfolio Approach as an Aggregation of Balanced Scorecard, Activity-Based Costing, and Economic Value Added.
After 50 Years of Portfolio Thinking, IT’s Turn Has Come.
Thou Shalt Practice IT Portfolio Management.
Nine Initial Practical Lessons, Plus One.
Portfolio Management? By All Means, but...
Chapter 5: Activity-Based Costing, Economic Value Added, and Applied Information Economics.
Hence ABC, but How?
ABC: The Right Price and IT.
Real Economic Value and the ROI of IT.
Some Critical Remarks.
Applied Information Economics.
The Human Measure of Ambition and Limitations.
PART THREE: Supervision: Stimulating Desirable Behavior.
Chapter 6: Take Action When Necessary.
Desirable Behavior as a Blind Spot.
Economics of Governance.
Supervision: A Lot or a Little?
Good Mores or Good Laws?
Arguments and Misunderstandings.
Keep IT Governance Simple and Make Goals Apparent.
The Balance of Supervision and Intervention.
Chapter 7: Leadership: Overseeing Change.
IT Governance and Leadership.
From Control to Distributed Leadership.
People No Longer Put up with Control.
Eight Leadership Roles.
Realists at the Helm.
Cooperation instead of Coercion.
No Prospects without Building Trust.
Management as Institutionalized Mistrust.
Back to IT Governance and Leadership.
Leadership and Language.
The Charisma and Leadership Paradox.
Chapter 8: Issuing Rules Is Maintaining Supervision.
The Legislator as Supervisor.
The IT Management Reform Act of 1996 (Clinger-Cohen Act).
Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley).
European Legislation: Comply or Explain.
A European Example: Dutch Legislation.
Chapter 9: Frameworks and Accountants as Means of Supervision.
Management Goals for Information and IT.
COBIT Will Do This, but...?
COBIT and the Balanced Scorecard.
Six Sigma: Plus or Minus Three Times the Standard Deviation.
Information Orientation and the Importance of Desirable Behavior.
Accountants Overlook IT Value.
Which Framework Should We Choose?
APPENDIX A: From Control to Drift.
APPENDIX B: The COBIT IT Governance Maturity Model.
APPENDIX C: Ten Definitions of Corporate Governance in the European Member States.
APPENDIX D: KIMBIA, the Portfolio Model of Rabobank Nederland: Management/Business ICT Alignment Implementation Chains.