Welcome to the SJ+/PRC blog. Commentary on general IT Governance and software development issues as well as musings and information about PRC.
In the first article of this series we introduced IT Governance in general, some of its history and some of the regulations that compel us to embrace it. We’ve acknowledged that it is, for many of us, an unpopular necessity. But we’ve also seen the golden promise of good that can come from it. In the second article we talked about some of the specific legislation, their common underlying IT Governance requirements, the two widely accepted frameworks for guidance and how that guidance specifically deals in controls. We talked about what controls are, and how there are preventive and detective controls, as well as manual and automated controls. And we have posited a persuasive argument for why automated controls are better.

In many cases the automated controls require a greater initial effort, while the benefits are reaped over time. Because of this, companies often opt for manual controls initially. That initial period can stretch out to eternity, and end up being costly. The reality is that while it is probably necessary to take things one step at a time, it is important to have a plan for the next step and to stay motivated. That motivation can come from having a clear understanding of what can be gained by implementing automated controls and overall IT Governance.

Even if there were no direct, tangible return on investment, having good practices in IT governance is still a good idea. We can all agree on the long-term, perhaps less direct, tangible or financially obvious benefits of a more productive, responsive and transparent IT infrastructure. But SHOW ME THE MONEY!, right? There is real money to be found in this effort – savings, efficiencies. Actual, calculable financial benefit. A couple of examples found in a Tech Republic article:
- Procter & Gamble – savings of US$500m over 4 years. Morton Cohen, P&G manager of global service management, said, “When IT processes are done by 5000 people consistently across one company, service management can deliver tremendous savings.”
- Ontario, Canada government – by adopting ITIL, the government created a virtual service desk that not only improved response time and reduced trouble tickets but also decreased support costs by 40 percent.
- Dell Computer – includes CobiT best practices as part of its Control Self Assessment (CSA) corporate policy, a set of auditing checks and balances that helps the company maintain its high quality.
So what holds us back? The number one thing is that we – as IT professionals – are already stretched pretty thin. And we don’t know where to start. And if we can get started, how do we get a clear roadmap of how to get where we are trying to go in manageable steps? And we don’t know how to measure the benefit if we did gain any.
<more to follow>
Are any of the new regulations going to affect you and your company? In a word: yes. It is very likely that these – or other regulations that impact IT governance – will affect you. One of the most far-reaching ones is the Payment Card Industry Data Security Standard or PCI DSS. This one applies to anyone that accepts payment cards (credit or debit). The requirements impact fees and rates – the better the compliance, the lower the fees and rates. Money is a great motivator! Prison can be a great motivator, too – the Sarbanes-Oxley Act in the US has opened avenues for criminal prosecution along with whistle-blower protections.

From securities and banking to health privacy and credit cards, regulations are being created or tightened that have to do with protecting data and controlling IT access and change. If your industry doesn’t have requirements – yet – you won’t have to feel left out for long. If you are publicly traded but not in the US, your country is bringing similar requirements to you. Not publicly traded at all? Not to worry, the definitions are broadening to include most companies that even do business with any publicly traded companies. One way or another, sooner or later, regulations that impact IT Governance are going to touch your organization.
The United States first came up with the Sarbanes–Oxley Act of 2002. It was introduced as an attempt to prevent the type of financial fraud that occurred at a number of large publicly traded US and global companies. The headliners were, of course, Enron, Tyco and Worldcom, but there were many others. The congressional act was immediately nicknamed SOX and proceeded to create havoc at publicly traded companies in the US and, to a lesser extent, abroad. Then, because SOX exists (and for almost no other reason) it began to be adopted in other countries. And the nicknames just won’t quit – Japan has J-SOX, the EU has E-SOX. Meanwhile there has been some refinement back in the US. A seam loosened here, a nip and a tuck there. More importantly, with experience came some published guidelines. There is nothing to be done about the time and money wasted by the largest companies in the US, which went first – but things have gotten better for those that are coming along later. Other government-specific and industry-specific regulations have followed SOX and still more are on their way.