About two weeks ago I led a one-day seminar on Delivering Value through Governance. The seminar was part of the education programme for the Wellington Chapter of ISACA.
The day went fairly well, based on feedback from attendees and from my perspective as well.
Given that governance is a topic about which we hear a lot these days, I decided to post my presentation on my blog. The presentation is entitled – Realities of Governance.
In it I visit some contextual aspects and then pose a series of illustrative case studies for discussion by participants. The cases invite participants to think about the situations from a variety of perspectives.
I have used the Slideshare application to embed the presentation.
In addition I have made the limited speaking notes for the presentation available as part of this post.
They are over the break.
The case study exercises generated a fair amount of discussion. After the seminar was over a number of the attendees told me they recognised issues they had seen in their own organisations from the illustrative examples.
It is my strong belief that unless there is an appropriate value system in place in an entity then rules and regulations will not be enough. Further, the value system has to be seen to be believed in from the top down. Else governance will fail.
Enron clip to set the scene. I contemplated using a video clip, but did not on the day. It is included in this post.
The clip is the trailer for the film ‘Enron: The Smartest Guys in the Room’.
As I worked on putting this presentation together I found myself reflecting on a number of different situations I have found myself in over a career spanning some 40 years, initially as an auditor, then as a consultant and latterly as a senior executive with a major corporation.
One thing that is clear to me is that with the best of intentions and even the most sceptical of viewpoints one can find oneself sucked in.
I can recall a friend and mentor telling me of how he thought that at the end of the day he had been hoodwinked by Robert Maxwell, despite knowing Maxwell’s reputation.
Thirty-five years ago, this month, I joined what was then Coopers & Lybrand, who were at that time the auditors of Pergamon Press, Robert Maxwell’s publishing company, though at that time he was not involved in the day-to-day management. Approximately 12 months later I was sent up to Oxford to do some analysis on a Price Commission submission. Sitting in the large room that formed the finance office, I was suddenly asked what I was doing by a large man in a double-breasted suit. It was Maxwell prowling around as he was wont to do. I duly explained, to be told in response “I shall be as open and frank with the Price Commission as I am with everyone else”.
Welcome to the realities of governance.
Maxwell is a prime example of how, no matter what process you have in place, if the values from the top are wrong, the objectives of governance can be subverted.
Cadbury is arguably one of the seminal documents from which much else in the field of governance has flowed.
Over time this has come to be seen as including ensuring that both board and management have appropriate information systems which deliver the reports and other information required to make decisions and monitor events, with an assurance as to the integrity of the information provided.
The definition formulated by Cadbury has stood the test of time. It provides clear delineation of the respective roles of owners, directors and managers. Further, it makes reference as well to the over-riding governance of the law and regulations. Increasingly, it has been argued that this includes to the community at large.
When thinking about material for today, I came to the decision that it made sense to set the illustrative examples against the backdrop of the recently issued ISO 38500.
Today, for many, if not most, organizations that we are likely to come into contact with, IT is a fundamental tool; few can function effectively without it.
IT is a significant factor as well in future business plans.
Expenditure on IT may well represent a very significant spend by an entity, yet returns on investment are often not fully realized and the adverse effects of failure on organizations can be significant.
Despite many of us being aware of the reasons for such failure, the failures still occur and the reasons tend to be the same.
Arguably a critical factor, perhaps the most critical factor, is a failure to focus on the business context of IT use; instead there is a tendency in many instances to focus on technical, financial and scheduling aspects.
As we proceed to look at some of the issues, we should bear these 3 definitions in mind.
Whilst I have used the backdrop of ISO 38500, the principles apply quite broadly, so in some examples in the case study you may be asked to look at something from a lateral perspective in order to illustrate an issue.
Principle 1: Responsibility
Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT. Those with responsibility for actions also have the authority to perform those actions.
Principle 2: Strategy
The organization’s business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization’s business strategy.
Principle 3: Acquisition
IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.
Principle 4: Performance
IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business
Principle 5: Conformance
IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
Principle 6: Human Behaviour
IT policies, practices and decisions demonstrate respect for Human Behaviour, including the current and evolving needs of all the ‘people in the process’.
Evaluate current and future use of IT
Direct preparation of plans and policies to ensure alignment of IT and business objectives
Monitor conformance to policies, and performance against the plans
Slide 9 et seq
These slides deal with the case study exercise and conclusion. They are self-explanatory.