Governance is how corporations follow business practices that conform to rules. Executives have these rules to balance their own best interests with those of governments, employees, suppliers, customers, and other stakeholders. Some may find these rules inconvenient. But with the mobility of threats in the age of remote workstations, cloud storage, and increasing regulations, companies need excellent IT governance. Absent policies create a risk of data loss, government penalties, and many other threats.
An Example of Poor Governance
At one financial corporation, lower-level managers and employees grew increasingly frustrated with the time it took to get the IT department to keep up with their business needs. Although well-meaning, they pieced together systems that consisted of spreadsheets and stand-alone databases that ran on any number of devices.
Unsurprisingly, this sort of anarchy quickly led to problems:
- Multiple compliance citations and security breaches.
- Inefficiencies of redundant data and duplicate efforts.
- None of these systems had disaster recovery plans in place.
- Few of these self-created systems had been documented. As a result, if the employee left, so did the knowledge of that system.
It’s fair to assume that the company’s IT department moved slowly for several reasons. Most likely, the developers had to follow IT security and compliance policies that people in other departments did not even know about. Critical computer systems need documentation, backup plans, and security. Some companies might benefit from allowing other departments to develop their own systems; however, they need to follow the same IT governance policies as the IT department does.
A Rose by Any Other Name Would Smell As Sweet: Great IT Governance Leads to Great Corporate Performance
In an organization like the one in the example above, employees may have directly contributed to the problem. However, upper management and executives didn’t immediately stop it. It wouldn’t take state-backed hackers, a government whistleblower, or a terrible catastrophe to cause problems for this company. The situation created a perfect storm of accidents that were simply waiting to happen.
Good IT governance doesn’t happen by accident. Executives must analyze business risks and government regulations in light of their business needs. They need cooperation from IT and from other business units. Obtaining that cooperation takes two-way communication about the many ways this effort can benefit the company and the individuals involved. Only then can established IT governance policies get developed and communicated to the entire company.
Getting Pricked: Consequences of Noncompliance with IT Governance
Typically, along with making sure that everybody knows the rules, companies must also let their people know the consequences of breaking them. This must go beyond consequences that may occur if data gets lost or stolen, or a government regulation gets broken. If employees get caught breaking the rules before an awful event occurs, they may also need to feel the consequences of their actions. This also means that upper management needs to find a way to gather information about how data and software get accessed.
Of course, it’s better if companies can urge compliance in a positive way. Shop managers and salesmen may not be eager to give up the mobile devices that have helped increase their productivity. Buyers and risk managers may be accustomed to sharing data with third parties in the cloud. It’s much better if these favored business processes can be modified to comply or replaced with an alternative that is just as good or even better.
Substandard IT governance can risk a company’s reputation and even its ability to conduct business. The fast and ad-hoc solution won’t improve efficiency when it gets hacked, destroyed, or forgotten. Certainly, executives hope to create policies that benefit everybody, so it may take some effort to ensure cooperation from all stakeholders.
Smelling the Roses while Avoiding the Thorns: Navigating Control of IT Governance
Implementation of compliance takes analysis, cooperation, and communication. In some cases, it also takes the right software and data management solutions. These solutions ensure that all stakeholders adhere to business practices that conform to corporate and government regulations.
Be sure to check out Aberdeen’s latest comprehensive report on governance, risk, and compliance management using integrated GRC solutions.