www.ovum.com
What the board should know about IT
governance
Why it’s needed, and how to approach it
Alan Rodger
Senior Analyst, Ovum.
@AlanRodger_Ovum
© Copyright Informa. All rights reserved. Ovum is part of Informa Group.
Agenda
• Background on IT developments and trends
• Why boards need to know about IT governance
• ‘How to’ – IT governance practicalities
IT has become the hub of most organizations
Across industry sectors:
• Healthcare: EHR, digital prescriptions, and treatment monitoring/recording
• Transport: ticketing, reservations, taxi, and automated driving
• Telecoms/media: business model convergence, advanced content delivery
• Finance and payments: simplification/transformation
A critical means of reaching out to employees and customers:
• Mobile, social
Achieving efficiencies:
• Cloud, process outsourcing, partnership
Key to customer service:
• Analytics enabling the Customer Adaptive Enterprise
Underpinning ‘digital transformation’
“Be digital”, and use that to focus on customers
Source: IBM Global C-suite Study 2015
IT is top of mind for CxOs

“We’re counting on technology to fuel our next wave of growth”
– CFO, Indian insurance company.

“If we gamble on the wrong thing, it could have a really negative impact on our business”
– COO, Belgian electronics firm.

“CxOs are desperately trying to cope with a technological onslaught”
– CIO of a Malaysian healthcare provider.
Source: IBM Global C-suite Study 2015
IT’s role is not going to reduce
Source: IBM Global C-suite Study 2015
Benefits
• Cloud: agility and faster deployment; lower capex and operating costs; shared use of IT resources; collaboration across enterprise boundaries.
• Mobile: real-time data, or customer service, delivered to the point of need or opportunity; improved customer engagement and experience.
• IoT: opportunity to wrap services around products; instrumented assets for efficiency.
Why is IT governance needed?
• IT is a critical and heavy investment that carries its own risks
• With newer technology (cloud, mobile, IoT), some risk types are not yet understood
• Security can no longer define the boundaries of the enterprise
  • …but it is essential to attaining the benefits
• IT supports many third-party relationships:
  • Business partnerships.
  • Technology providers.
  • Outsourcing relationships.
• Cyber security attacks are a growing threat to business
• Digital information must be guarded as a key organizational asset
• Compliance: data is becoming a greater focus of legislation
Data privacy regulations will impact global business
• Current privacy laws are some way behind the realities of the digital economy
• Over 75% of organizations say their regulated and sensitive data will be present in cloud/SaaS applications by mid-2018
• Significant trust issues may undermine cross-border business
Chart: responses to “…please highlight the countries you believe would access your data without your permission”
Data privacy regulations will impact global business
• Data ownership, access rights, and location are blurred by technology models
• EU General Data Protection Regulation (GDPR) – in force late 2017
  • 52% think it will result in business fines (“up to 10% of global turnover”).
  • 19% expect hires in the legal function to cope.
  • 31% expect hires in the technology function.
  • 34% expect hires in the compliance function.
  • Two-thirds expect it to force some change in their European business strategy.
How should IT governance address all of this?
• Ovum’s definition:
IT governance is the establishment and operation of a management framework by which an organization maximizes the value that it derives from IT in support of its strategic objectives.
• The purpose is to align IT with the business
• To maximize value, risks must be managed (the risk/reward balance)
• Not a solution – a process framework that can be supported by solutions
(“…governance is something you do – not something you buy”)
IT governance perspectives at different levels
Board adoption of IT governance responsibility
• ISO/IEC 38500 is the international standard for corporate governance of IT
• Since 2008, a framework for boards to understand and fulfil their legal, regulatory, and ethical obligations in respect of their organization’s use of IT
• Sets out six principles for good corporate governance of IT:
  • Responsibility – the obligation to establish clearly understood responsibilities for IT, from the top down.
  • Strategy – defined so that business and IT executives can conduct IT planning to best support the organization.
  • Acquisition – the responsibilities involved in acquiring IT resources of any kind.
  • Performance – ensuring that IT performs according to enterprise needs.
  • Conformance – setting out how IT must conform with formal rules.
  • Human behavior – governing IT initiatives’ responsibilities to respect human factors.
ISO/IEC 38500 model for corporate governance of IT
Source: ISO
Management-level IT governance
• COBIT is the accepted standard (from the Information Systems Audit and Control Association, ISACA):
  • Extensively adopted internationally, dating from 1996.
  • A comprehensive, practical framework focused specifically on governance.
  • An authoritative set of IT control objectives for day-to-day use by business managers, IT professionals, and risk assurance professionals.
• Integrates risk and value management, as of COBIT 5 (2012)
• Aligns with other important standards:
  • Project management (PMBOK, PRINCE2).
  • Business Model for Information Security (BMIS).
  • The Open Group Architecture Framework (TOGAF).
COBIT 5 coverage of governance and management
Source: ISACA
Frameworks, process descriptions, control objectives, management guidelines, and maturity models
COBIT 5 – Process reference model
Source: ISACA
Operational governance - ITIL
Scope: ITSM; Service portfolio management; Demand management;
Financial management for IT services; Business relationship management
Recommended IT governance standards
ISO/IEC 38500
COBIT
ITIL
Summary
• IT is already critical, and that won’t change
• IT-specific regulation and compliance issues are arising
• Boards need to engage with their responsibility for IT
• Well-established standards reduce the risks of adoption
• Boards are the ideal point at which to ensure IT serves strategic business needs
www.ovum.com
Thank you
Questions?
Alan Rodger
Senior Analyst, Ovum.
@AlanRodger_Ovum