When you start out implementing IT governance, you have to begin by knowing where you stand. Some policies may already be in place; some you will have to create. The existing policies may themselves need review, amendment, or complete replacement with more up-to-date ones. You must also determine whether everything you are doing is in line with the law of the land. There is a lot to do.
Begin by asking yourself a few questions:
1. Is establishing effective IT governance a performance goal for your organization? If not, get your managers to work out a goal, and the schedule and budget to achieve that goal.
2. Has the steering committee to implement governance been set up? IT governance requires that frequent monitoring be done by the right people, including both external and internal members.
3. Have all the governance policy documents been inventoried? This is important, because many of the policies you need may already be in place, given that Sarbanes-Oxley has been around for eight years now. Nevertheless, bringing them all together will help you identify and plug the gaps.
4. Do you thoroughly understand all the existing policies? You will be writing future policies, and may have to amend existing older policies to bring them in line with regulations enacted later.
5. What are the major IT governance and compliance issues to be sorted out between you and legal/audit departments? The answer to this will help you set priorities.
Once you have got the answers to these questions, you will know how much and what you need to be doing.
It is important to understand what is meant here by ‘effective’. Simply put, you need to know:
1. Which regulation or regulatory body defines what compliance means for your IT organization.
2. Whether the company has appropriate governance in place to document the IT organization’s compliance.
Effectiveness is about achieving the most with the least effort, hence the operative policy in IT governance is “create only as much IT governance as you need to manage corporate users, protect corporate data, instruct vendors and partners, and meet the requirements of the Compliance, Legal and Audit departments”. Any less may fall foul of the law; any more may hamper decision-making freedom within your organization.
To help you define and achieve an effective governance framework, the toolkit provides you with a very detailed Instructions and Overview module, including several templates you can use to obtain data to answer the questions above.
Once you have established the background and charted the way forward, it is time to set up the Steering Committee. This is the core group of people who, under a mandate from the board, are responsible for implementing IT governance on the ground. The people who sit on it must not only be knowledgeable, but also have great personal integrity and no conflicts of interest.
The Steering Committee, as the name suggests, cannot be rudderless. You must define a firm charter stating what its responsibilities and powers are, what goals it is expected to deliver on, and what intervening and/or punitive actions it is empowered to take towards implementing IT governance. A template for preparing such a charter is included in the IT Governance and Compliance Toolkit, along with proformas for maintaining agendas and minutes of the committee meetings.