Analyst Coverage: David Norfolk
Good business is about taking (effectively managed) risks. Governance is about recognising, managing and exploiting risk and is an essential component of good business. GRC (Governance, Risk & Compliance) is a subset of Governance concerned with using tools to help an organisation implement governance.
The issue today is that customer opinion (as expressed, for example, in the Twittersphere), brand management and increased regulation can make taking risks increasingly uncomfortable. GRC in practice should be all about managing risk and achieving ‘just enough’ governance and compliance for all involved to be comfortable with what they’re doing, and confident that there won’t be any nasty surprises from auditors and regulators:
- Governance is about doing things right—getting value for money from investment in technology and automation, without waste, by using, e.g., policy management, systems engineering and project portfolio management.
- Risk is about identifying and managing the risks/threats that could affect service delivery, by using, e.g., network and data security.
- Compliance is about doing the right things sufficiently well to keep the regulators and courts happy, by using, e.g., security analytics.
Governance is a hierarchy of concerns. Overall organisational governance (supported by industry initiatives such as TQM and Six Sigma) is the result of well-governed, more specific, processes (using accepted standard frameworks such as COBIT and ITIL) acting on and producing good quality data. This means that data modelling and enterprise architecture modelling, with a management-friendly interface to the models, are important enablers for good governance. This is stuff that you may be doing already, even if you aren’t using dedicated GRC tools.
Governance affects most aspects of the automated business; Bloor itself specifically concentrates on:
- IT governance, which is about knowing that your technology is being used properly, for things that support your strategic policies;
- Process governance, which is about knowing that people are following appropriate “best practices” all the time, without micromanaging what they’re doing;
- Data governance, which is about knowing that the data you rely on when making decisions is the right data, appropriately up-to-date, and as correct as it needs to be.
If you are any sort of a manager you should care about Governance or GRC because you are expected to be in control of your business, insofar as you are responsible for managing your part of it. If you are a C-level manager, you should care more, because you are responsible for the organisation’s implementation of GRC as a whole, as part of its Corporate Governance; and you may be personally subject to regulatory penalties (or your company may be put out of business) if you are unable to show ‘good governance’ in the context of any applicable regulations. At the same time, your shareholders or investors will expect you to manage risk better than your competition and deliver business success, as well as controlling theft and fraud, and GRC tools can help you to implement the governance to do this.
Various scandals and financial crises have made governments nervous and risk-averse, resulting in burdensome compliance demands (such as Sarbanes-Oxley (SOX) and Solvency II), with draconian penalties for non-compliance—board directors can go to gaol over non-compliance. This means that management can become so risk-averse that business suffers—itself a business risk.
‘Just enough’ governance lets you overcome this and get things done in business with less waste and ‘no surprises’; and, of course, a well-governed company is more attractive to investors and potential business partners. In the technology space specifically, when “the business runs on software”, as many do now, IT governance isn’t just a matter for the IT group to worry about. However, governance generally is a big, wide-ranging topic and it is important to prioritise the issues. You don’t want potential governance issues to distract you from more immediately important GRC issues (with the emphasis on compliance issues that can stop you doing business).
Managing GRC (seen just as using tools to tick compliance boxes) as a tax on the business (“do as little as possible to pass the audit and then forget about it until next time”) is a mistake. It’s better to see it as an enabler of better practice:
- Governance includes efficiency and effectiveness—using the organisation’s technology in pursuit of business outcomes without waste. Avoidance of waste benefits the bottom line.
- Risk management means that an organisation can identify, quantify and deal with its risk, so it can take more risks and go after new business that its competition is afraid to deal with.
- Compliance is then an economical and maintainable by-product of governance and risk management, and can be used in marketing the organisation—as evidence that the organisation is a good one to do business with.
Resources such as the IT Governance Institute (ITGI), ISACA (COBIT is ISACA’s globally accepted IT governance framework) and the ISO 38500 standard for corporate governance of information technology can help you implement a governance framework without reinventing the wheel.
The most obvious sign of good governance, although this must not be purely superficial, is perhaps the availability of management-level dashboards giving appropriate visibility into technology processes, so that management can see that its strategies are being followed and that the ‘machine under the business’ is working well. You don’t need to know how the engine in your BMW works in order to know that it is functioning properly (no red lights on the dashboard console is a good indicator), and that it’s getting you from A to B while meeting the appropriate safety regulations and legal speed limits—you should manage the technology your business runs on in a similar way. The benefits of good governance can be, and should be, measured on the bottom line, otherwise investment in governance is a waste of resources.
Governance-specific tools from the vendors below are available to help with documentary compliance; the building of models which demonstrate your understanding and control of the organisation’s data and processes; formal risk management; secure transmission of regulated information; the maintenance of audit trails; and so on.
Most IT tools, however, have a part to play in supporting governance, and in particular tools associated with:
- DevOps Orchestration - the Morpheus tool integration platform looks interesting
- KPIs for Innovation - Managing Innovation for the Mutable Business
- Amazon’s Alexa magic - are we taking consumer-oriented magic too much for granted
- Blockchain governance - Even if Blockchain is secure (often moot), its whole ecosystem needs governance.
- GDPR is this winter’s game - Why not get GDPR sorted before the May 2018 deadline?
- BMC, reports of death exaggerated? - Its forward-looking strategy is unveiled in London
- All change for Perforce Configuration Management? - Perforce Software has been acquired by equity investor Summit Partners.
- Dynatrace and Keynote
- End of an era – RIP Steve Gold
- A need for better OSS (Open Source Software) governance
The following companies offer solutions:
- ASG Software Solutions
- CA Technologies
- Global IDs
- Rocket Software
- ARC Logics
- Micro Focus
- RVR Systems
- SAI Global
- SOA Software
- Software AG
- Sparta Systems
- Sword Achiever
- Thomson Reuters
- Thomson Reuters Accelus
Further resources to broaden your knowledge:
- How much is my new technology saving me? - it's all about common sense, scope, and politics
  Estimating technology savings is all about common sense and scope, although politics can also be a factor.
- Addressing the GDPR issue - Patterns and Antipatterns for success
  Addressing GDPR for business benefit rather than as a cost.
- Configuration Management, is it all about TRUST - Thoughts prompted by the BCS Configuration Management Specialist Group Conference, 9/5/17
  Can we trust the automated systems in the mutable business to do the right thing? We need "just enough" governance and configuration management.
- A focus on Business Continuity - Business Continuity should be a tested part of holistic system design, not a bolt-on afterthought
  Some thoughts on Business Continuity, prompted by a new iland survey.
- Service Space - Configuration Management everywhere, in a virtualised world
  David Norfolk is giving the opening keynote at Austria's biggest ITSM event, "Service Space".
- Learning about Innovation in Configuration Management - An ITSM conference in Vienna and the BCS CMSG Conference in London
  Configuration Management is still the basis of good governance for automated business systems. Two conferences will help you keep up-to-date on its progress.
- Configuration Management Specialist Group: the Conference
  The BCS CMSG annual conference.
- Just what is Chapter 11 bankruptcy?
  Chapter 11 is not well understood in Europe.
- Perforce Helix, a new incarnation of Perforce
  Perforce Helix offers new distributed versioning, Git management, threat detection, etc.
- Configuration Management, Expert Guidance – revised edition published
  A practical guide to Configuration Management, based on input from actual practitioners.
- BCS CMSG AGM and Xmas Quiz
  Configuration management's premier networking event.
- More than a DevOps story
  This is a review of a book: fiction about DevOps, but rather more than that.