Strategic IT Governance: From Tactical to Practical

By David Thompson

(Back to article)

CIOs today have an opportunity and a challenge: helping their organizations implement critical processes, policies, and procedures that not only yield immediate, short-term results but also long-term business gains.

In the past, CIOs focused a great deal of time and resources on enabling their organizations to meet industry and government regulations. In truth, they had little choice. The very nature of regulations requires companies to either comply or suffer the consequences.

And while meeting the demands of such regulations as Sarbanes-Oxley have cost publicly traded companies in the U.S. millions—some say, billions—of dollars over just the past year, few organizations have seen much return on their compliance investments.

That’s not surprising, considering the difficulties of putting in place the many controls needed to cover every regulatory base. However, when compliance is considered in combination with governance, organizations have a framework that yields not just tactical results but significant strategic advantages as well.

Tactical to Strategic

IT plays a critical role in corporate governance, particularly since nearly all business operations and processes today rely on information systems and a technology infrastructure to provide vital services. IT governance is guided by the set of processes, policies, and technologies an organization establishes to direct, control, or administer resources to align IT with business strategies.

IT governance is not the same as regulatory compliance. Where compliance is tactical in nature, governance is strategic. Governance is less about demonstrating to a regulatory agency that information is safeguarded, and is more about reducing risk and controlling change in order to stimulate growth and ensure business continuity over time.

Governance is about doing things more efficiently and effectively—and it doesn’t always go hand-in-hand with compliance, which is often characterized as burdensome and even oppressive. A look at the procedures and controls encompassed in various sections of Sarbanes-Oxley make it clear that demonstrating the viability of internal controls is easier said than done.

Nevertheless, it has to be done. Perhaps that’s the biggest difference between compliance and governance. Regulatory compliance is something an organization does because it has to.

Governance, in contrast, is optional. Organizations do it because they want to. And they want to not because they’ll avoid penalties, fines, or other negative backlash, but because they’ll be better positioned to ensure transparency and fairness throughout the organization as well as protect the integrity of their critical information assets.

A Step Beyond

When organizations evaluate various business initiatives from a governance perspective, their short-term tactics begin to reflect long-term strategies. Take reporting, for example: Organizations are compelled by government and industry regulations to report on a wide range of immediate issues, which requires them to focus on the here and now.

But looking at reporting from a governance perspective broadens the evaluation—and the results. Rather than doing only enough to satisfy certain requirements today, the organization considers how reporting on other elements as well might offer greater benefits throughout the entire organization both today and tomorrow.

Of course, without the appropriate infrastructure, good corporate and IT governance is virtually impossible. An audit committee is often necessary to oversee the company’s governance strategy and objectives, with an inter-business unit global risk council driving governance activities and reporting to the committee.

Each business unit is often comprised of working groups and project teams; an IT business unit, for example, might be made up of a privacy working group, an anti-fraud working group, a records retention project team, and so forth. By working through such an inter-business organizational infrastructure, companies have a more comprehensive view of governance strategies and activities and are more likely to produce the far-reaching results they desire.

While demonstrating regulatory compliance is a good starting point for corporate and IT governance, its often reactionary and tactical nature stands in contrast to governance, which is more proactive and strategic. Both are essential for organizations looking to yield short-term competitive advantage as well as long-term economic gains.

David Thompson is CIO of Symantec. Prior to joining Symantec, Thompson was senior vice president and CIO for Oracle and oversaw its Global Information Technology group.