Corporates face and manage a range of internal and external constraints, challenges and risks in the course of business. A well-governed organisation responds to those risks and opportunities effectively and efficiently: it restructures and reshapes its business offerings, products and services, for example in response to political risks or economic changes. Some of those external factors can have a huge impact, for instance on the way products and services are offered and delivered, or on which of them the organisation can continue to offer in the face of extreme challenges. In some cases, they may lead to a complete change in business and IT strategy. These factors may also have an inward, internal impact: ways of working for staff may have had to change due to the pandemic, and technology at many levels may have had to respond to ensure the workforce could continue to work. The increased reliance of the business on Information Technology means IT governance has a role to play.

Governance, or Enterprise Governance to be specific, is the framework an organisation has enacted to ensure that it achieves its business objectives effectively and efficiently.

Considering the role of technology in today’s business, it has been an important realisation for some that IT is the major differentiator that gives an edge over the competition, for instance through agility and speed to market. IT Governance can no longer work in a silo and must be an integral part of Enterprise Governance. IT Governance has a huge part to play in helping achieve business objectives. The role of IT Governance is to ensure that IT resources are used responsibly and efficiently while managing the risks an organisation might face.

Figure 1: Governance Framework

In the figure above, you may notice that Corporate Governance and its associated activities are more about conformance and assurance. Business Governance, on the other hand, covers performance, strategy, implementation of strategy, and managing and improving the business. In other words, Corporate Governance is a “look back/after the fact” view and Business Governance is a “look ahead/forward” view. Most importantly, organisations require a careful balance of both in pursuit of their business objectives.

Overdone compliance monitoring, assurance activities without a purpose, and the associated redundant or duplicative processes can stifle progress. The question “what is the risk?” that an assurance activity or control process is trying to mitigate should be asked more often.

Similarly, a lack of effective risk management, a lack of mitigation strategies or a lack of an accurate picture of risk exposure can equally hinder the achievement of business objectives, often damaging the success of an organisation. Corporate Governance should help instil accountability and provide assurance, whilst Business Governance helps in creating value and optimal resource utilisation – both providing the feedback loop to the board to then set, correct and change direction.

The foundation of good governance in a modern organisation stands on three main pillars that shape the corporate culture, policies, standards and practices in an enterprise:

Transparency is essential to enable trust. By providing visibility into strategy, processes and transactions to both internal and external stakeholders, organisations create a culture of trust.

Accountability is having a sense of ownership. Accountability should help individuals realise their responsibilities and move away from a blame culture. Coupled with transparency, accountability helps create a culture of “do the right thing”.

Security has become ever more important in today’s environment of ransomware attacks, data breaches, IP theft and cyber-attacks. Organisations are required to have protective measures in place, and to mitigate and manage risks that may lead to loss of reputation, financial loss, regulatory fines and findings.

In the next article (part 2), the discussion will focus on IT Governance.

Opinions

Some events, such as this pandemic, can have an overwhelming impact on the business, yet at the same time present new risks as well as opportunities. Increased work from home presents different risks, or at least reflects a rise in the Risk Profile for certain categories of IT and Operational risks. Many organisations had not even considered such an event in their Business Continuity plans; most have been in a reactive mode. This has now made business and technology leaders ask themselves “how resilient are our business and its operations?”. There are many lessons to be learned here.

IT and technology in general have played a positive part where businesses have had to change and adjust their operations. There are many success stories, large and small; Zoom, for example, has seen massive growth. Business models that were ahead of their time and would have taken some years to find success with customers have seen acceptance and adoption much more quickly. The good thing is that innovation has not stopped. In general, there has been an acceleration in the digitisation of business processes out of necessity. I recently spoke to an old friend, the CEO of a SaaS company that has helped dental practices digitise their processes that were traditionally based on paper forms, the stuff dental practices must do to comply with regulations. They saw a massive adoption of their products, such as online appointment booking and patient feedback. As an additional positive result, dental practices no longer need to store boxes and boxes of paper records, saving on space and storage costs.

Fintech, Insurtech, Healthtech, Cleantech and Regtech are amongst the sectors that are making large organisations think differently. Outside-the-box thinking and changes in strategy have been seen, with some very interesting approaches to staying competitive in the market. Most of these approaches include elements of speeding up automation, hyperautomation, Robotic Process Automation (RPA) and digitisation, including design thinking, adoption of Agile methodology and platform thinking. Ideas, approaches and potential solutions will be discussed in future articles where appropriate.

The risk and threat landscape has also changed. There are new and emerging threats and risks, e.g. reliance on core technologies and the risks associated with providers of those technologies, the regulatory regime those providers are subject to, and governmental influences or change required as a result of the realities of international politics. There has also been an uptick in the number of incidents related to ransomware, increased APT activity and supply chain attacks, to name a few. The positive in this respect is that the board and senior business leadership have started taking Information Security and Cybersecurity seriously, hence the rise of the CISO. Regulators are likely to increase their focus on supply chain oversight and security, which inadvertently brings non-regulated businesses into the picture – regulated businesses will be looking for additional assurances if your (non-regulated) business is part of their supply chain.

IT governance has become more important than ever as opportunities (digitisation) evolve and risks change. GRC functions also have an opportunity to become agile in their methodology, benefit from design thinking and potentially transform with platform thinking, while contributing to reducing the cost of doing business in the long run and playing a role in aligning the business and IT. It should be the job of the leadership to devise a balanced governance approach when thinking about centralised vs localised governance and assurance structures; especially in the case of larger organisations (multinationals), it is important to have governance driven centrally. However, this is not to be confused with localised IT decision making, which should remain highly flexible, for instance to encourage progress on opportunities for innovation or implementation of a diversity and inclusion agenda. The latter should be localised, as there will always be local cultural nuances to take into account.

Some of the items I think should be focused on, and need to be part of the strategy discussions, are below. These topics require thought and a detailed look, which I might touch upon as we go through the general topics of Enterprise and IT Governance:

How to ensure efficient digitisation and transformation
How to set up IT to respond quickly to evolved and new opportunities
How governance can help with innovation
How GRC functions can be made efficient