A Robust Governance Approach Can Yield Benefits and Control Business Risks
Short staffed. Limited budgets. Increasingly complex infrastructures. Growing regulatory compliance burdens. It is no secret that these have become standard operating conditions in IT departments at virtually every company. Enterprise infrastructure management and IT portfolio management solutions can help to ease these burdens, but they do not provide visibility into the interdependencies of resources across business processes, policies, and regulatory compliance mandates. As a result, understanding cross-functional risks, and expressing their impact in terms business units can understand and act on, has been difficult, if not impossible. With the growing sophistication of governance approaches, however, IT departments can align assets with business goals, determine the impact of IT risks on business units, map the impact of specific events to the business units they affect, and automate remediation activities.
In other words, with a governance approach, IT departments can offer business units much more than straightforward management of networks, applications, transactions, and data. With a robust governance approach, they can link these assets to specific business policies and processes, delivering a contextual framework for determining how the IT infrastructure can be leveraged and optimized to enable more effective enterprise governance through improved management of regulatory, technology, and other business risks.
A Web of Interdependencies
The limitation of existing IT management paradigms is that, all too often, they are silo-based, capturing and managing information for a restricted set of applications and transactions. Database applications, for example, are typically managed independently of ERP systems, which are managed separately from security systems. Yet, from a business performance perspective, no IT resource actually functions as an island of automation; all are inextricably linked in a web of interdependencies that spans multiple business policies, processes, and regulatory mandates.
A failure in the access controls protecting an ERP system may have a material impact on SOX compliance or on privacy regulations, because the financial and personal data the ERP system holds are exactly what those mandates require to be protected. Similar cascading interdependencies are created when enterprises adopt best practice standards such as COBIT, ISO, and ITIL. A change in server configuration can cause issues when one server supports multiple applications, each of which supports multiple business processes, each of which is subject to multiple standards.
Without a business-context perspective that provides visibility into these interdependencies, it is impossible to gain a comprehensive understanding of organizational risks across the enterprise. Reaching this goal requires that IT process and policy be moved out of three-ring binders and institutionalized, in an automated way, into the day-to-day operations of the IT organization.
Looking for Links in All the Right Places
To optimize risk management in a way that reflects the complexities of the relationships between IT assets and business policies requires, first and foremost, an ability to see these interdependencies, which is impossible when IT management information is completely silo-based. The reason is that a silo approach is driven by individual system owners who do excellent work in their own domains but lack a context for relating those domains to others in the overall IT infrastructure, or to specific business units and their particular needs.
With the right governance approach, diverse and distributed IT risk management data is discovered, consolidated, and presented in a business context through a single interface that lets IT managers clearly see how technology assets are related to specific business processes. In this way, it becomes evident that a single IT process may map to multiple business requirements; as a result, the risks associated with the resources required to drive those processes can be managed together to achieve economies of scale.
In environments subject to multiple risk and compliance regimes, for example, resources required to fulfill the requirements of one mandate may be leveraged to comply with another. Organizations may find, for instance, that business policies and access controls relied upon to meet privacy requirements specified by Gramm-Leach-Bliley may be leveraged to enable compliance with the California Data Privacy Act, PIPEDA in Canada, and the EU Data Protection Directive. In other words, a single control that addresses how records are stored and accessed can satisfy the privacy mandates of all four regulations, eliminating the need for, and costs of, four separate controls. The overlap must be verified rather than assumed: the mapping of each regulation's specific requirements onto the shared control should be documented and tested, since a requirement not covered by the common control still needs its own.
With visibility into where and how IT resources converge in the execution of business processes, organizations can evaluate risk exposure, determine where controls are needed, create and execute policies that control business risks, and streamline compliance with federal regulations as well as industry standards.
But How?
The key to achieving these objectives is implementation of an enterprise governance approach that enables the interdependencies of processes, risks, and associated controls to be discovered and understood, and that facilitates management of these interdependencies across resources, processes, policies, and regulations. In other words, what is needed is a single system of record that gives IT managers visibility into these links and ensures that interdependencies are leveraged, resource redundancies eliminated, and objectives met as cost-effectively as possible. The approach should also be able to determine automatically when risks exceed pre-set thresholds and launch remediation workflows that minimize potential losses.
There are four critical areas that a governance approach must address in order to fulfill these goals:
- Risk management;
- Policy and regulatory compliance;
- Business alignment;
- Service delivery and best practice adoption (COBIT, ISO, and ITIL).
Business risks are influenced by a wide variety of factors, from regulations to industry standards to business policies. Only with a governance approach that lets enterprises view IT resources from the perspective of these factors can they clearly identify risks, how those risks are interrelated, and how technology assets can be used to control them in a manner that meets overall business goals, whether that control requires remediation activities and policies or simply the development of preventive policies.
An approach that links IT resources to risks, and risks to processes, also enables enterprises to determine whether those processes are effectively managing compliance with regulatory requirements. Processes intended to enforce privacy requirements, for example, may prove inadequate if the technology assets responsible for delivering that functionality are not themselves securely protected against unauthorized access.
Put another way, by understanding the interdependencies between IT resources and business processes, enterprises can not only streamline management of those resources but also determine whether processes need to be realigned with business objectives. Aligning resources and processes with business goals is a critical requirement for a governance approach, because this alignment provides a context for evaluating the enterprise's ability to meet business, industry, and regulatory requirements.
Finally, a governance approach should also facilitate monitoring of pre-specified metrics associated with each resource, process, and policy, as well as the interdependencies between these entities, to ensure that the services it delivers are meeting performance expectations. These metrics may be related to industry standards such as COBIT, ISO, and ITIL, or based on internal requirements. Whatever standards are used, only if services are continually monitored will the governance approach enable IT to manage business risks cost-effectively and to prioritize the most critical actions. In so doing, the approach supports compliance with regulatory mandates, industry requirements, and business policies, and empowers IT to meet its performance and governance objectives.
by Brian Cleary, vice president of marketing for OpenPages
