IT governance best practices are critical for business success

* The IT Policy Compliance Group offers some best practices for IT governance, risk and compliance, or IT GRC

The Society for Information Management conducts an annual survey to determine what keeps a CIO up at night. In recent years, one of the top 10 causes for worry has been "IT governance." Just what is this nagging nightmare, and what can be done to push it off the list? The IT Policy Compliance Group offers some best practices for IT governance that were discovered through a recent in-depth survey.

Every year, the Society for Information Management conducts a survey to determine the top issues of CIOs from every major industry and from all sizes of companies. In 2006, a new concern popped up on the top 10 list: IT governance. 

The timing of this issue making the list is not surprising: it closely follows the compliance deadlines of the Sarbanes-Oxley Act, as well as other regulations such as HIPAA.

“SOX” was enacted in 2002 in response to the numerous corporate and accounting scandals of the day. SOX spurred an increased focus on corporate governance, risk and compliance (GRC) with laws and regulations concerned with business oversight. GRC encompasses the people, processes and technology that organizations invest in to comply with regulations and manage risk as part of running the company effectively and ethically.

To put it another way, GRC connects the dots between the regulations and mandates that touch almost every organization today.

Information technology governance, risk and compliance, or IT GRC, is the offspring of GRC. IT GRC augments and complements GRC by addressing the unique role that IT plays in organizations today. IT GRC helps to ensure that IT supports the needs of an organization while also mitigating the risks associated with IT. This is crucial, given that the livelihood of the organization is intricately linked to how well the IT function manages the availability, integrity and confidentiality of the information and systems used to operate core business processes.

In an effort to correlate business results to the level of implementation of IT GRC within organizations, the IT Policy Compliance Group performed a study of more than 2,600 companies and published the findings in its 2008 annual research report titled “IT Governance, Risk and Compliance – Improving business results and mitigating financial risk.”

The most important finding cited in this report is that “organizations with best business results are the same firms with the most mature [IT GRC] practices and the organizations with the worst business results are the same firms with the least mature [IT GRC] practices.” The key takeaway from the report is this: “The way to improve business results and reduce financial risk, loss and expense is to increase or enhance the competencies, practices and capabilities governing the use and disposition of IT resources.” In other words, you’d better practice good IT GRC if you want to have a successful company.

The report points to impressive statistics that show that improvements to data protection and compliance are paying big dividends among firms with the most mature IT GRC management practices. For example, the organizations in the study with the most mature practices also have:

• Consistently higher revenues (17% higher than the other firms in the study).

• Much higher profits (14% higher).

• Better customer retention rates (18% higher).

• Dramatically lower financial risks and losses from the loss or theft of customer data (96% lower).

• Much lower spending on regulatory audit (50% lower).

In contrast, the companies on the low end of the spectrum for IT GRC practices are experiencing much lower business results than all other firms, much higher financial losses, and much more difficulty with regulatory and legal mandates.

From an IT practitioner perspective, you may wonder what this has to do with your role and your routine activities. There are lessons to be learned about the repeatable operational practices and procedures that mature organizations are using to attain sustainable business results. Among those lessons, it’s important to:

• Map IT policies, process frameworks and control objectives to one another.

• Protect data on PCs, laptops and other mobile devices.

• Segment the network and limit access to sensitive data. This practice is most often driven by PCI DSS, where isolating the cardholder data environment from the rest of the network reduces the scope of the assessment, but many organizations use the same technique to protect all types of sensitive data, not just cardholder data.

• Correct gaps in controls and procedures.

• Have consistent configurations and common IT procedures.

• Implement IT change control and unauthorized change prevention.

• Employ automation. Among companies using best practices, typically 50% of all controls are technical controls and 100% of these are automated.

• Conduct frequent monitoring and take measurements. The measurements should cover the status of information protection controls; physical security; incident response; business continuity and disaster recovery; IT access controls, including those for applications, databases, networks and other systems; personnel security; and IT assets, configurations and settings.

• Deliver training for employees.
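As an added example, not taken from the article or from the IT Policy Compliance Group report, the Python script below automates two of the list items above: it detects unauthorized change by comparing a host's configuration files against an approved baseline and the change records that were actually approved, and it runs a handful of technical controls that are each mapped to a policy clause, ending with a measurement of how many controls pass. The file contents, control IDs, policy clauses and the ticket number are constructed for illustration; no real host was read.

```python
"""Automated unauthorized-change detection plus technical controls mapped to
policy clauses. Added example; all data below is constructed, not real."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample: the approved baseline snapshot and the state seen today.
BASELINE = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/audit/auditd.conf": "max_log_file_action = keep_logs\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n",
}
CURRENT = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",  # drifted, no ticket
    "/etc/audit/auditd.conf": "max_log_file_action = rotate\n",                # drifted, approved
    "/etc/sudoers": "root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n",             # unchanged
    "/etc/cron.d/unexpected": "* * * * * root /opt/agent/run\n",              # not in baseline
}
# Approved change records: hypothetical ticket ID and the hash the change was
# approved to produce. A change is "approved" only if the result matches.
APPROVED_CHANGES = {
    "/etc/audit/auditd.conf": {
        "ticket": "CHG-1042",
        "sha256": sha256_hex("max_log_file_action = rotate\n"),
    },
}


def classify_changes(baseline: Dict[str, str], current: Dict[str, str],
                     approved: Dict[str, dict]) -> Dict[str, str]:
    """Label every path as unchanged, missing, an unauthorized addition, an
    approved change (ticket recorded and approved hash matches) or unauthorized."""
    status = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            status[path] = "missing"
        elif path not in baseline:
            status[path] = "unauthorized_addition"
        elif sha256_hex(current[path]) == sha256_hex(baseline[path]):
            status[path] = "unchanged"
        else:
            rec = approved.get(path)
            if rec and rec["sha256"] == sha256_hex(current[path]):
                status[path] = f"approved:{rec['ticket']}"
            else:
                status[path] = "unauthorized_change"
    return status


@dataclass(frozen=True)
class Control:
    control_id: str                # internal control objective (hypothetical ID)
    policy_clause: str             # policy statement it implements (hypothetical)
    path: str                      # configuration file the check reads
    check: Callable[[str], bool]   # technical test over the file's text


def directive_is(text: str, key: str, want: str) -> bool:
    """True if the last 'key value' or 'key = value' line for key has value want."""
    value = None
    for line in text.splitlines():
        parts = line.replace("=", " ").split()
        if len(parts) >= 2 and parts[0] == key:
            value = parts[1]
    return value == want


CONTROLS = [
    Control("AC-01", "Remote root login is prohibited", "/etc/ssh/sshd_config",
            lambda t: directive_is(t, "PermitRootLogin", "no")),
    Control("AC-02", "SSH accepts key-based authentication only", "/etc/ssh/sshd_config",
            lambda t: directive_is(t, "PasswordAuthentication", "no")),
    Control("AU-01", "Audit logs are retained, never rotated away", "/etc/audit/auditd.conf",
            lambda t: directive_is(t, "max_log_file_action", "keep_logs")),
]


def evaluate_controls(controls, current: Dict[str, str]) -> Dict[str, bool]:
    """Run every technical control; a missing file fails closed."""
    return {c.control_id: (c.path in current and c.check(current[c.path])) for c in controls}


def compliance_percent(results: Dict[str, bool]) -> int:
    return round(100 * sum(results.values()) / len(results)) if results else 0


if __name__ == "__main__":
    for path, state in classify_changes(BASELINE, CURRENT, APPROVED_CHANGES).items():
        print(f"{state:22} {path}")
    results = evaluate_controls(CONTROLS, CURRENT)
    for c in CONTROLS:
        print(f"{'PASS' if results[c.control_id] else 'FAIL'} {c.control_id}: {c.policy_clause}")
    print(f"technical controls passing: {compliance_percent(results)}%")
```

Two points worth noticing in the output. The sshd drift has no ticket, so it is reported as unauthorized even though the file is otherwise well formed; and the auditd change was approved through change control yet still fails control AU-01, which is exactly the kind of gap the "correct gaps in controls and procedures" item is about: an approval workflow that does not consult the control catalogue will approve changes that break policy. Mapping each check to a policy clause makes that gap visible in the same report.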

The study and its results show that each organization has a different threshold of risk that it is willing to accept and control. As such, the degree to which the control frameworks described in the report are employed will differ from organization to organization. But the underlying fact is this: you need a process to identify risks, a process to manage the risks, a process to measure the success of these activities, and a process to improve them. The report outlines these IT GRC best practices at a high level and correlates their use to actual business results.

The IT Policy Compliance Group has developed a series of interactive tools to help you assess the maturity of your organization's IT GRC practices; the impact that the various IT GRC maturity levels have on your financial and business risks and results; and the practices and capabilities proven to improve the effectiveness of IT.

You can see that IT GRC is really just a lot of common sense and best practices for IT in general. Do your part to follow those best practices and help your CIO sleep better at night.


Copyright © 2008 IDG Communications, Inc.