Page 1 of 79
The following extracts are taken from a dissertation written by Helen Gray in June 2004 on the subject of IT governance, its relationship to corporate governance and the benefits that IT governance might bring to the Learning and Skills Council (LSC).
From conversations with colleagues the author believes that the research on corporate governance, IT governance and surveys of both private and public organisations may be of interest to a wider audience and therefore chapters 2, 3 and 5 are reproduced in this reduced version.
Whilst this research is primarily about governance in the public sector, it is hoped that the survey results comparing IT governance activity in the private and public sectors may be of interest to colleagues operating in the private sector.
Contents
Contents .... 3
Figures .... 4
Tables .... 5
Document Structure .... 6
Chapter 2 - Corporate Governance .... 7
  What Is Governance? .... 7
    Driving and Steering .... 8
    Controlling .... 9
    Openness, Transparency and Accountability .... 9
    Definition of Governance .... 10
  What Governance Legislation Guides the LSC? .... 10
    Summaries of Legislation .... 11
      Cadbury - The Financial Aspects of Corporate Governance .... 11
      Nolan - The Seven Principles of Public Life (1st report) .... 12
      Turnbull - Internal Control .... 14
      Combined Code on Corporate Governance (revision of Higgs) .... 14
  Principles of Governance .... 15
  Governance from a Public Sector Perspective .... 17
  Attributes of Governance .... 23
    Driving and Steering .... 23
    Controlling .... 24
    Accountability .... 25
    Openness and Transparency .... 26
  Summary .... 27
Chapter 3 - IT Governance .... 29
  A Definition .... 29
  Why is IT governance important? .... 33
  What is happening outside the LSC? .... 34
    CobiT - A Global IT Governance Framework .... 37
      Benefits of CobiT .... 39
    Government Standards and Best Practice .... 39
      The IT Infrastructure Library .... 41
      Project Management .... 42
      Programme Management .... 42
      Risk Management and Information Security Management .... 43
        BS7799 .... 43
  How the Different Guidelines Complement/Support Each Other .... 43
  Relationship of IT Governance Principles to Corporate Governance Attributes .... 44
  Summary .... 45
Chapter 5 - External IT Governance Survey .... 47
  IT Governance Survey .... 48
  Summary of Survey Findings .... 56
Chapter 6 - Analysis and Conclusions .... 58
Appendix 1 .... 60
Appendix 2 .... 61
Appendix 3 .... 63
Appendix 4 .... 64
Appendix 5 .... 65
Appendix 6 .... 67
Appendix 7 .... 73
Appendix 8 .... 74
Contributors .... 75
References and Bibliography .... 76
Figures
Figure 1: Corporate governance legislation guiding the LSC .... 11
Figure 2: Summary of governance found in English NDPBs .... 19
Figure 3: The framework of corporate governance in the public services .... 21
Figure 4: IT governance creates benefit over time .... 36
Figure 5: How CobiT fits with other standards .... 38
Figure 6: How IS and IT strategies fit with business strategy .... 41
Figure 7: How CobiT, OGC Guidelines and BS7799 support IT governance .... 44
Figure 8: How IT governance and the CobiT framework support corporate governance .... 44
Figure 9: IT roles & responsibilities in government & non-government organisations .... 49
Figure 10: IT leadership characteristics in government and non-government organisations .... 50
Figure 11: Communication with IT stakeholders in government & non-government organisations .... 51
Figure 12: Documented processes in government & non-government organisations .... 52
Figure 13: Internal IT controls in government & non-government organisations .... 53
Figure 14: Accountability for IT budget in government & non-government organisations .... 54
Figure 15: IT reporting in government & non-government organisations .... 55
Figure 16: CobiT and the IT governance lifecycle .... 67
Figure 17: The CobiT framework .... 68
Figure 18: Capability Maturity Model for Software .... 69
Figure 19: CobiT maturity scale .... 70
Figure 20: Example measures from CobiT .... 71
Tables
Table 1: Document structure .... 6
Table 2: Governance principles .... 15
Table 3: Relationship of benchmark survey to governance .... 47
Table 4: Improvement areas for government sector arising from survey issues .... 57
Document Structure
1. The document structure of the full dissertation is outlined below:
Executive Summary

Chapter 1 - Introduction
  - the objective, background and scope

Chapter 2 - The LSC Governance Framework
  - define governance (in the general and corporate sense)
  - identify and summarise the key governance legislation from a public sector perspective applicable to the LSC
  - identify the principles of corporate governance
  - develop and state the basic attributes of governance.

Chapter 3 - IT Governance
  - define IT governance
  - identify the importance and benefits of IT governance
  - summarise what is happening in the world outside the LSC regarding IT governance
  - summarise an IT governance framework and relevant government standards and best practice
  - identify how the different guidelines complement and support each other
  - relate IT governance to corporate governance principles.

Chapter 4 - The ISD Environment
  - identify the remit of the IS Division
  - describe the structure, identifying what is outsourced at LSC
  - describe how IS/IT strategic direction is set and how IS/IT activities are financed
  - establish why IT governance in the LSC is being considered
  - identify what evidence of IT governance can be found in the LSC.

Chapter 5 - External Governance Benchmarking Exercise
  - summarise the results of IT governance surveys undertaken using a small sample of both government and private organisations.

Chapter 6 - Analysis and Conclusions
  - suggest improvements for ISD and/or the LSC based on the issues and results of analysing IT governance in earlier chapters
  - identify potential improvement areas/actions within the LSC for each key governance attribute.

Chapter 7 - Recommendations
  - recommendations for improving governance within the LSC.

Table 1: Document structure
What Is Governance?
3. In order to research the corporate governance framework and principles that are in place within the LSC (and place IT governance in context), an attempt has been made to define what governance means. This will ensure that when discussing the subject of governance there is an understanding about what governance means to both parties and the full range of possibilities meant by the one word governance.
4. The Oxford English Dictionary defines governance as "the act, manner, fact or function of governing, sway, control". Additionally, to govern is defined as "to rule with authority, to exercise the function of government, to sway, rule, influence, regulate, determine, to conduct oneself in some way; curb, bridle (one's passions, oneself), or to constitute a law for". Governing is, therefore, a range of actions, from rule through influence to self-control. By implication, it includes driving as well as steering.1
5. Johnson and Scholes state that a governance framework "describes whom the organisation is there to serve and how the purposes and priorities of the organisation should be decided".2
6. From the above, three main themes for governance have been drawn:

- driving and steering: this allows the aims of the organisation to be achieved via an administrative head, be that one person or a board/committee
- controlling: to allow a direction and aim to be accomplished there must be controls on the organisation
- openness, transparency and accountability: the above activities must be undertaken in this spirit in public companies and government so that stakeholders are confident that actions taken on their behalf are legitimately done within the particular scope of operation.
Corporate governance is at the core of the process of directing a company. It provides the leadership which gives it purpose and the strategy and processes to achieve this. It provides the values to enable it to work well with others and the checks and balances needed to ensure survival.3
8. To further support the idea of driving and steering, Adrian Davies also states:
all institutions require a framework of governance, comprising a mission to be accomplished with clear rules and recognised conventions to guide its accomplishment.4
9. "most people have little knowledge or understanding of the structures and processes of governance... tackling that knowledge deficit is an important and necessary step towards building a more open, inclusive and democratic system of governance in which citizens can play an effective role in the running of their region."5
10. This extract about understanding governance is from a research study into government in the North East of England. It is equally applicable to public bodies in other geographical areas such as the LSC.
Controlling
11. The theme of control in governance is supported and defined by Adrian Cadbury, who stated in September 1998 that the Cadbury committee defined corporate governance as "the system by which companies are directed and controlled".6
12. This is of importance to private organisations due to stakeholder requirements concerning financial reporting. It is also important to government/public bodies in order to demonstrate that taxpayers' money has been spent correctly.
14. Much work has been undertaken on the development of codes of good governance around the world:
"the foundation of all these codes is disclosure. Transparency is the key to the governance of any organisation. Openness about the way institutions are run enables all those with an interest in their activities to influence their direction positively and constructively. Openness is also the basis of public confidence in institutions. A second common thread is the importance of the presence of independent outsiders on any governing body... This leads on to the final point common to all codes, which is that there have to be checks and balances within any system of governance to ensure that too much power is not concentrated in one pair of hands. Openness and accountability are the governance watchwords and ethical standards are the basis on which lasting governance systems are built."7
15. The public are becoming more aware of their rights and more demanding of public services so they want to be assured that public funds are being used efficiently and effectively: the essential point is that good governance is an aid to effectiveness.8
Definition of Governance
16. From initial consideration of the above, governance can therefore be described as: the framework to guide the accomplishment of a mission. It should identify who to serve, how to decide purposes and priorities and provide a system of direction and control.
Combined Code on Corporate Governance (especially recommendations by Higgs concerning non-executive directors and Smith concerning audit committees).
18. Other legislation such as Sarbanes-Oxley and Basel II is not directly relevant, as it concerns accountability and transparency in profit-making companies listed on the US stock exchange or the management of risk in banks and financial institutions. The themes of accountability, transparency and risk management are addressed through the legislation summarised in this report. A further public sector review of corporate governance in public bodies is underway, chaired by Sir Alan Langlands.
19. Figure 1 provides a timeline of when each of the above documents was published (Langlands code is expected to be published in Autumn 2004):
[Figure 1: Corporate governance legislation guiding the LSC. Timeline running from 1992 to 2004; the original diagram is not reproduced. Labels surviving from the figure: Higgs - Review of the role and effectiveness of non-executive directors; Smith - Guidance on Audit Committees; Combined Code on Corporate Governance.]
Summaries of Legislation
20. The following descriptions outline the main points of legislation to assist in the identification of common themes.

Cadbury - The Financial Aspects of Corporate Governance

21. Prior to December 1992 there was concern about standards of financial reporting and accountability. This arose due to scandals associated with Ferranti, the Bank of Credit and Commerce International (BCCI) and the Mirror Group. Additionally, following the privatisations of the 1980s and early 1990s there was a great focus on so-called "fat-cat" directors' pay, notably the public controversy regarding Cedric Brown as Chief Executive Officer of British Gas. Sir Adrian Cadbury was therefore requested to chair a committee that outlined a code of conduct for listed companies concerning standards for financial reporting and accountability.
22. The main principles of the Cadbury code are openness, integrity and accountability (see Appendix 1).
23. Detailed guidance is provided for the Board, the auditing function and shareholders. Other recommendations were greater emphasis on consistent financial reporting and better development and application of accounting standards by associated professional bodies.
24. Cadbury partly addressed the general issue of director remuneration. A feeling that this area had been handled in insufficient detail led to the Greenbury Committee being asked to examine the issue of directors' pay and selection. The resulting conclusions largely relate to directors of public limited companies, so have been discounted in this examination.
25. The Hampel Committee, established in 1995, was called to review how well the Greenbury and Cadbury recommendations had been applied, concentrating largely on financial compliance to pressure the City into effective, transparent self-regulation. This resulted in 1998 in the Combined Code relating to financial reporting, which was again reviewed regarding aspects of corporate governance under the Higgs investigation of 1998 (see page 14).

Nolan - The Seven Principles of Public Life (1st report)

26. The John Major government's Citizen's Charter initiative regarding the rights of the public to expect standards of performance from government bodies also prompted an examination of the standards of those in public life.
27. As a result, in 1996, at the request of the Prime Minister, the Nolan Committee spent six months inquiring into standards in British public life. They concentrated on Members of Parliament, Ministers and Civil Servants, executive NDPBs (i) and NHS bodies. They concluded that standards of behaviour in public life had not necessarily declined but that conduct in public life was more rigorously scrutinised than it had been in the past, that the standards which the public demanded remained high, and that the great majority of people in public life met those high standards. However, weaknesses were identified in the procedures for maintaining and enforcing those standards and as a result people in public life were not always as clear as they should have been about where the boundaries of acceptable conduct lay. This was considered by the committee to be the principal reason for public disquiet (ii). The committee recommended standards on appointments procedures, openness, codes of conduct, training, and whistleblowing and identified seven principles of public life (see Appendix 2), of which the following survive in this extract:

- Integrity
- Openness
- Objectivity
- Honesty
28. In addition, the committee made recommendations covering areas of Codes of Conduct, Independent Scrutiny and Education (see Appendix 2). Further areas of the report related to the selection and appointment of operating officers and executives in NDPB organisations (see Appendix 2) based on skills and impartiality. The process to give guidance on selection mirrored the corresponding private sector review of selection requirements for Directors undertaken by Greenbury.
(i) public bodies with executive powers whose Boards are appointed by Ministers
(ii) adapted from Nolan
Turnbull - Internal Control

29. Again as a result of general financial industry unease regarding transparency and the allocation of adequate accounting provision to reflect corporate risk in accounts to shareholders, a report was compiled by a working party of the Institute of Chartered Accountants in England and Wales (ICAEW), led by Nigel Turnbull.
30. It offers guidance on how directors should comply with corporate governance, focusing on internal controls and risk management. The report emphasises the importance of good internal and external reporting and states that: "This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation." The report also notes the key role that IT plays in creating internal controls and in accurately assessing the risks faced by an organisation.9
31. The principles of the guidance (see Appendix 3) covered the areas of risk identification, information and communication and the environment to achieve adequate control and monitoring of corporate activity.

Combined Code on Corporate Governance (revision of Higgs)

32. This code was published in July 2003 and supersedes the 1998 Hampel Combined Code. The original Higgs review, published in 2003, was prompted by the high-profile collapse of Enron, the American energy company, and financial/City unease regarding inadequate scrutiny of company executive directors by non-executives on behalf of shareholders. Higgs' initial findings were criticised as being too cumbersome, with the effective creation of separate, mirrored executive and non-executive boards. As a result, the initial findings were revised to increase the separation of roles and to ensure that non-executive and executive board members focus on business objectives.
33. The Code's overall aim is to enhance board effectiveness and to improve investor confidence by raising standards of corporate governance. Its main features were to ensure that the roles of directors and chairmen are clear and that recruitment and appointment is undertaken from a wider pool of candidates. The separation of roles between chairman and chief executive officer was reinforced. In addition, there were a number of other recommendations on board functional relationships to develop board scrutiny and improve working. A summary of the main points of the Combined Code is provided in Appendix 4.
Principles of Governance
34. Consolidating the reviews described above, a table of principles can be constructed:
Principle                     | Cadbury | Nolan | Turnbull | Combined Code
------------------------------|---------|-------|----------|--------------
Accountability                |         |       |          |
Audit                         |         |       |          |
Audit committee               |         |       |          |
Disclosure and transparency   |         |       |          |
Internal control              |         |       |          |
Responsibility                |         |       |          |
Risk management               |         |       |          |
Stakeholders                  |         |       |          |

Table 2: Governance principles (the marks indicating which review covers each principle did not survive extraction)
35. Bearing in mind that the legislation reviewed above arose from scandals in corporate governance, it can be seen from the above reviews that there is emphasis on the mechanics of corporate governance to ensure that true company financial status is clear to the Board and shareholders.
36. There is an understandable primary emphasis on accountability, internal control and audit. Associated requirements for disclosure and transparency and the role of the audit committee in scrutinising internal information are emphasised. The responsibilities of key officers are of concern so that clear reporting can reflect the true company position to all stakeholders and allow the correct assessment of the risks arising from the company's activities, for which it has made adequate financial allowance.
37. An approach based on legislation compliance alone is creditable, but can result in a box ticking mentality by the Board, assuming this is sufficient for their role.
38. In addition to the above, as identified in the definitions of governance at the beginning of this chapter, but not reflected in the legislative compliance, is the need for the Board to examine the strategic position of the company and impart this to the Chief Executive Officer and operation units.
- a shared strategic direction and commitment to pursue it
- strong processes to effect strategic management10
40. Leadership as well as compliance is therefore key: apart from the strategic outlook, there should be emphasis on good leadership and on legitimacy of action based on consent from stakeholders. This emphasis carries over into the public sector; in his book Cornforth outlines that "effective leadership and public management is seen by the government as crucial to the success of the [modernisation] strategy because good leadership clearly makes a difference to the performance of an organisation, staff morale and motivation, public satisfaction and the ability to address change"11 and that "board legitimacy derives both from the extent to which the organisation represents its stakeholders (including government) and is accountable to them, and from its performance. There is, then, a need for clear statements of missions and objectives that incorporate purposes, outcomes and the need to represent the whole range of stakeholders... Stakeholder representation is therefore vital in the legitimation of a board."12
41. The above considerations can be placed in the context of reviews of public governance outlined below.
the issues which arise in the governance of voluntary agencies, public sector bodies and professional organisations are broadly similar to those that arise in the governance of companies.13
43. The need for guidance on this subject for government organisations has been recognised by the Office for Public Management, and Sir Alan Langlands is chairing a commission to develop a common code of good governance for all public services by Autumn 2004.14 The commission has undertaken and published initial research and recognises that good governance is crucial for effective public services and improved social outcomes. Further, governance has been strengthened significantly through private sector reviews and consultations (the Cadbury, Greenbury and Higgs reports), the outcome of which was The Combined Code: Principles of Good Governance and Code of Best Practice.15 However, the Langlands Commission's initial research stated that there is no equivalent code of good governance for the thousands of non-departmental public bodies, local public sector authorities and voluntary sector contractors that serve the public. Hence there is a need to develop a common code of good governance for all public services.
44. The Langlands Commission has researched governance structures and guidance currently available in English public service organisations. Taking the Langlands Commission research data, Figure 2 on page 19 summarises the various governance models found in English NDPBs. It outlines the purpose, roles and responsibilities concerning corporate governance in NDPBs (including the LSC). Generally Ministers/officials/the Queen (1) appoint the members of the Board (2) that is then charged (3) to develop a corporate plan. The Board agrees with Ministers/officials (4) the policy and resources framework to discharge their duties and determine key strategic objectives and targets. This policy and resources framework includes financial performance and the agreement of strategic objectives and milestones (5). Board purpose, role and responsibility are listed (6) together with that of the Chair (7) (8). The governing body (9) includes the Board and the Chair which are accountable to and for those listed at (10). Reporting to the Board, the Chief Executive (11) has a range of responsibilities listed at (12) to deliver and control the required Board targets.
[Figure 2: Summary of governance found in English NDPBs. The original diagram is not reproduced; the numbered elements referred to in paragraph 44, with the labels recoverable from the figure, are:
1. appoint (Ministers/officials/the Queen appoint the Board)
2. the Board
3. corporate plan
4. policy & resources framework: to discharge duties; to determine key strategic objectives & targets
5. financial performance; efficiency & effectiveness; quality of services; agree strategic objectives & milestones
6. Board purpose, role and responsibilities include: corporate responsibility; comply with statutory/administrative requirements for use of public funds; ensure the body does not exceed its powers/functions or expenditure (advised by the CE); ensure department requirements for the CSR are met; ensure high standards of corporate governance are observed; establish overall strategic direction within the agreed policy & resources framework; ensure the board operates within its limits of authority & use of public funds; take account of sponsor department guidance in decision making; respond to public requests for information, being open & responsive; specific responsibility for sustainable development; ensure a strategy for environmental policies; monitor performance of the CE & other senior staff; production of an annual report to the sponsoring department, Parliament & the public
7. Chair
8. Chair's role: leadership & values embodied in the 7 Principles of Public Life, supported by the Board; strategic leadership; high standards of propriety; promote efficient & effective use of resources; take account of Ministerial/department guidance; represent views of the board to the public; ensure the board meets regularly & minutes accurately record decisions taken; communicate with the Minister of the sponsor department unless agreed otherwise
9. governing body (the Board and the Chair)
10. accountable to: Secretary of State, Parliament, users of services, citizens & staff; accountable for: stewardship of public funds, meeting key performance targets & objectives, a defined relationship with the sponsor department, regularly informing Parliament & the public about activities & expenditure, producing & making public Annual Reports
11. Chief Executive
12. Chief Executive's responsibilities: accounting officer responsible to Parliament & to the accounting officer of the responsible department for resources; main point of contact between the body & the sponsor department; does not sit on the board but attends Board meetings to report & provide advice; responsible for overall organisation, management & staffing, & for procedures in financial & other matters, e.g. conduct & discipline]
45. Additional information is provided in the Langlands Commission research16 about the ways of working and recruitment and appointment of the Board, and support for governors and the governing body (see Appendix 5).
46. Whilst Langlands believes that a code of good governance does not exist for government organisations, useful guidance was developed by the Fédération des Experts Comptables Européens (FEE) Public Sector Committee in 2000 (17). This committee defined a framework of corporate governance principles and standards for those European organisations responsible for the delivery of public services. For them, corporate governance is concerned with structures and processes for decision-making and accountability, controls, and behaviour, at the top of organisations. The aim is to achieve better quality decision making and hence better quality business performance, or in the public sector better quality service performance, for the same input of resources18. They recognised a developing characteristic of government in risk taking and built upon the Turnbull report on internal control in private companies. In this FEE report, risk is related to managing innovation and modernising government. The FEE redefined the Cadbury principles of corporate governance to reflect the public services context, namely:
Openness: to ensure stakeholders have confidence in the decision-making processes and actions of public services, in the management of their activities and in the individuals within them
Integrity: straightforward dealing and completeness, based upon honesty, selflessness and objectivity and high standards of propriety and probity in the stewardship of public funds and the management of a body's affairs
Accountability: the process whereby public service bodies and individuals within them are responsible for their decisions and actions, including their stewardship of public funds and all aspects of performance, and submit themselves to appropriate external scrutiny.
47. The report draws heavily on Cadbury, supplemented by Turnbull, and this is reflected in their diagram for the framework of corporate governance in public services (see Figure 3).
Figure 3: framework of corporate governance in public services (diagram not reproduced; its labelled elements are Integrity, Accountability and Standards of behaviour)
48. The FEE provide detailed guidance on standards of corporate governance in the public services in the following areas:
Organisational structures and processes:
a) statutory accountability
b) accountability for public money
c) communication with stakeholders
d) roles and responsibilities
e) balance of power and authority within the management group
Risk management and financial reporting:
a) annual reporting
b) risk management including internal controls and internal audit
c) audit committees (in some countries)
d) external auditors
Standards of behaviour:
a) leadership
b) codes of conduct (selflessness, objectivity and honesty).
49. In addition, the FEE provide a useful checklist on good corporate governance, which was used to develop a questionnaire to research IT governance within UK government bodies; the headline results are outlined in Chapter five.
50. Additionally, a number of studies undertaken by a range of people and edited by Cornforth19 provide some useful insights into governing boards in government organisations. These outline that the three common purposes for all public and voluntary bodies are:
stewardship
a point of accountability for the executive
to give expression to the interests of stakeholders20.
51. Cornforth21 recognises that boards often play an important role in at least shaping strategy. The argument is developed for strong involvement by the board in strategy and performance issues, as this may clarify organisational objectives and priorities. However, if the role becomes one of formulation as opposed to evaluation, then the board is taking on a specifically management role. The argument against this is that strategy formulation is an executive task and that if strategic planning and control are in the hands of a single body, then there is a loss of independent evaluation of the strategic plan. There therefore needs to be a balance of roles between the non-executive board and the Chief Executive Officer to ensure a strategic outlook is maintained. The non-executive board also has a critical role in ensuring probity and independent evaluation, and as a balance to the domination of managers.
Attributes of Governance
52. From consideration of the external reviews it is clear that a basic governance attributes framework can be described. This framework will expand the initial three main themes of governance and definition (paragraphs 7 to 16, pages 8 to 10) from earlier in this chapter. This will form the basis of a subjective comparison of governance as applied across the organisation and in the IT area of the LSC.
53. Key attributes have been grouped into four major headings and described below:
c) Leadership: the administration/executive must demonstrate that it can motivate and galvanise the organisation at all levels to ensure that the aims of the organisation are accomplished.
d) Strategic vision: as well as leading the organisation on a day-to-day basis, the executive/administration must be aware of the environment it operates within and be able to change its roles and organisation to meet those challenges. Emphasis on the areas of bureaucratic compliance of running the organisation, without an ability to change the organisation to meet external environment and stakeholder requirements, will result in organisational failure.
Controlling
This area of activity allows the organisation to respond to change efficiently and understand when an aim has been accomplished. It also enables the aims to be achieved without undertaking tasks that would jeopardise the whole organisation. Attributes required are:
a) Information and communication: good reporting pathways should be established in the organisation that make accurate information available for use by the executive and stakeholders in a timely manner. Communication internally and externally should be clear and unambiguous to help maintain the integrity of the organisation.
b) Monitoring: the structure and information system in the organisation should be able to be scrutinised independently to allow the executive/administration to have unbiased advice as to the status of the organisation. This could be provided by internal or external bodies (i.e. internal audit function, external audits of accounts etc). Regular reviews by the executive of organisational functions, and of its own role by non-executive directors or shareholders, also demonstrate this attribute.
c) Control of environment and activity: within the organisation, activities should be coordinated to allow effective achievement of aims. Inconsistent decision making of activities/structures within the organisation, away from the direction set by the executive, would demonstrate a failure of this attribute.
d) Identification of risk: risk should be identified in all activities undertaken in the organisation, and significant risk areas reported to the executive/administration and stakeholders so that a decision can be made as to the acceptability of that activity. Where possible, this should be established in advance, and good practice should be to incorporate this area of work within forward planning as well as retrospective reports (such as company accounts).
Accountability
Associated with the controls within an organisation, there should be clear accountability of persons and functions. For particular information and functions an independent view on the efficacy of these controls should be obtained. Attributes in this area that can therefore be derived are:
a) Quality of information to stakeholders: information produced must be comprehensive, timely and accurate for both executive and stakeholders. This is important to allow the organisation to survive in its business environment while keeping consent to its activities from its stakeholders (be these shareholders, central government or, indirectly, the electorate).
b) Clear reporting lines: information and responsibility reporting lines should be unambiguous and clear within the organisation, with defined roles for all staff. Executive members should be clearly nominated for key functions and activities so that responsibility is clear to external stakeholders.
c) Independent audit of information and function: to enable stakeholders to have confidence in the information and activities of the organisation, there should be mechanisms to allow key information or functions to be audited by external bodies. For example, in the private sector this would be the annual accounts sign-off for the annual general meeting (AGM) reports, and for government this could be via the NAO or Select Committee.
b) Communication: this should be developed so that all stakeholders and the organisation are aware of the organisational activities and are able to voice concern to the executive/administration if there is unease with these activities (i.e. via shareholder annual accounts and AGMs etc). Placing the organisation's activity in the context of the wider government/business environment should enable the stakeholders to appreciate the information imparted so that the message is not opaque.
c) Disclosure of information: information on activities undertaken by the organisation should be available to stakeholders so that they can examine the organisation's activities independently.
d) Independent scrutiny: the organisation should have systems in place to enable controlling areas of the organisation to be placed under independent scrutiny, to allow the stakeholders to gain an accurate overview of that particular function.
Summary
54. In this chapter governance has been defined as:
the framework to guide the accomplishment of a mission. It should identify who to serve, how to decide purposes and priorities and provide a system of direction and control.
55. The governance legislation that guides the LSC has been summarised, namely:
Combined Code on Corporate Governance (especially recommendations by Higgs concerning non-executive directors and Smith concerning audit committees).
56. From analysis of this legislation, a table of governance principles has been constructed and each of the separate items of legislation supporting these principles has been identified (see Table 2: Governance principles page 15).
57. From research of corporate governance in the public sector, a commission chaired by Sir Alan Langlands to develop a common code of good governance for all public services by Autumn 2004 has been identified and key areas mapped to the NDPB organisation of the LSC. Further research has identified guidance for the public sector developed by the FEE Public Sector Committee in 2000 from which a questionnaire has been developed to research IT governance within UK government bodies that could be used in the LSC context.
58. An overview of the corporate governance structure within the LSC has been provided together with information about funding and risk management. Finally, four basic governance attributes have been developed:
Controlling
Accountability
Chapter 3 - IT Governance
59. The objectives of this chapter are to:
define IT governance
summarise what is happening in the world outside the LSC regarding IT governance
summarise an IT governance framework and relevant government standards and best practice
identify how the different guidelines complement and support each other
A Definition
60. When governance is spoken of in ISD it is often coupled with project and programme management. LSC staff outside of ISD have little knowledge or understanding of what IT governance is or what benefit it might bring. There is a tendency to believe it concerns the computing technology (hardware, applications etc) used by the organisation. Therefore the term IT governance may be inappropriate, since it implies nothing more than the control and management of technology. Much more significant than this are issues surrounding the governance of information: its security, accuracy, availability, transparency, cost and value.22
61. A number of recognised industry authorities, such as the Butler Group, National Computing Centre (NCC), IT Governance Institute (ITGI) and
IT governance represents the management, policies, and procedures necessary to ensure that an organisation's information systems support the organisation's objectives, are used responsibly, and that IT-related risk is minimised. Effective IT governance is one element of a compliance and corporate governance programme, but an increasingly important one, because many regulations apply to an organisation's information, much of which resides within IT systems.23
a structure of relationships and processes to direct and control the enterprise in order to achieve the goals of a business by adding value while balancing risk versus return over IT and its processes.24
IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied will have an immense impact on whether the entity will attain its vision, mission or strategic goals. (Robert Roussey CPA, 2002/2003 President ISACA & ITGI)25
IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives.26
66. The OGC issues guidelines for government departments, and a source for the area of IT governance is How to Manage Business and IT Strategies27, where governance is described as the framework within which strategy is formally managed. It includes elements such as:
reporting arrangements
the policies and standards (both enabling and restraining) that ensure consistent and coherent implementation of the strategy throughout its lifecycle (such as standards for project management and for technical aspects such as e-GIFiii)
arrangements for managing IT infrastructure (though this is likely to have been delegated to a service provider).28
67. The Butler Group reminds us that meeting these objectives requires not just support at the highest level within the organisation, but an appreciation of information as a critical asset, and an understanding that strong IT governance can both protect this asset, and help maximise its value.29
68. The NCC supports this view and goes on to say that in a rapidly changing business environment, management requires increased quality, functionality and ease of use from their IT, delivered faster and faster, constantly available and at lower costs than ever before.30
69. The ITGI identified five key objectives of the IT function, which an overall IT governance programme should address:
Strategic alignment: aligning with the business and providing collaborative solutions
Performance measurement: to ensure plans are on track and deviations are identified and corrected.
70. This reflects the ITGI view that the IT function is a strand of overall corporate governance, and a major element given modern business reliance on information and control of costs. These principles are equally valid in the public sector, particularly an organisation such as the LSC which is heavily dependent on its information.
Management, policies and procedures used to direct the IT function within the organisation, the ability to achieve monitoring and control of the function, identifying risks while achieving the organisational strategic aims and objectives.
73. Additionally, in the need to meet the requirements of the Modernising Government Agenda and the recent Chancellor announcement (BBC News, 12 July 2004, Chancellor announces Comprehensive Spending Review) on reducing the civil service by 84,000 posts by 2008, technology has the potential to dramatically change government organisations and assist in the overall reduction of costs.
74. The Hawley Report32 recognised that information is a major asset of the organisation and is at the heart of supervising what an organisation does. The LSC is dependent upon its information, systems and technical infrastructure to realise its objectives and is currently investing circa £50 million per annum in information systems and technology. With the outsourcing of much of the LSC's service delivery (Fujitsu) and applications development (Xansa), the LSC is dependent upon these partner organisations. With the specialist skills that are key to business delivery vested in the contractors, there is a need to retain highly skilled contract managers within the organisation to get best value from the contract and develop the IS/IT strategies. Too much contracting out can result in the loss of the key knowledge base in an organisation, which results in insufficient contract monitoring. An example of this is Railtrack, which failed to understand the state of its key assets as the critical areas had been totally devolved to contractors, with fatal results33.
75. Butler Group believes that no organisation can afford to ignore IT Governance for any length of time. The potential risks of doing so include wasted IT investments, lack of flexibility, loss of competitive advantage, and an ineffective or obsolete IT infrastructure. Most compellingly of all, lack of IT Governance risks failure to comply with information regulations, resulting in legal action against the senior executives of the companies concerned.34
76. IT governance will help manage IT external costs and assess the value of internal IT overheads by focusing on the efficient running of the IT function, the alignment of that function with business objectives, the development of an IT strategy, and the introduction of the necessary controls and monitoring to provide visibility and feedback. The Return On Investment (ROI) of an IT governance programme will therefore be derived from a better-organised and more effective IT function, and the ability for senior management to understand and address these areas of internal spend.35
77. By ensuring ownership by the board and executive management of IS/IT issues, their understanding of the significance of IS/IT to the business and the impact of potential risks will increase. Better dialogue and shared activity for IS/IT initiatives will develop trust between the business and IS/IT. It will also evolve so that the IT function governance is integral to business governance and strategic thinking. A collective and balanced approach to business needs and priorities will result, leading to increased transparency, understanding of actual performance and service levels. This in turn will inform the improvement of IS/IT skills, processes and infrastructure, provided outcomes and systems are adequately monitored.
79. The article went on to report that IT governance was a problem as many senior business managers did not appreciate that IT could make or break a company, and that IT governance was not something that could be done in isolation but needed to be embraced by corporate governance.36 The article does not mention whether or not the people attending the meeting were aware of the Information Systems Audit and Control Association (ISACA), an international professional, technical and educational organisation dedicated to being a single source provider for those concerned with the effective governance of information and its related technologies.37 It has members in more than 100 countries, which enables it to bring together IT control practice standards worldwide, and its strategic alliances with other organisations in the financial, accounting, auditing and IT professions enable it to keep up to date and therefore inform the development of best practice in these related areas.
80. The IT Governance Institute (ITGI) was founded by ISACA in 1998 in recognition of the increasing importance of IT in enabling the achievement of business goals. An overview of this importance is shown in Figure 4. Due to this significance, the governance of IT should be as important to a management board as corporate governance. The ITGI believe that effective IT governance:
maximises business investment in IT and appropriately manages IT-related risks and opportunities.38
81. Its aim is to assist enterprise leadership in ensuring long-term, sustainable enterprise success and increased stakeholder value by expanding awareness of the need for and benefits of effective IT governance. The institute develops and advances understanding of the vital link between IT and enterprise governance, and offers best practice guidance on the management of IT-related risks.39
Figure 4 (ITGI): diagram not reproduced; its labelled outcomes of effective IT governance are aligned, secure and controlled IT, better service quality, cheaper service cost, faster delivery time, increased stakeholder value and managed IT risks, each plotted against time.
82. In summary, the benefits that IT governance brings are that it ensures:
optimised costs
Figure: the CobiT framework diagram (not reproduced; its axes are labelled WHAT and HOW), reproduced by kind permission of ISACA
84. CobiT was developed based on global best practice from many sources, for example:
technical standards
Codes of Conduct
industry practices and requirements from industry forums and government-sponsored platforms
85. The framework connects business risk, control needs and technical issues. It presents IT activities in a manageable and logical structure, and documents good practice across this structure. This helps optimise information investments and provides a benchmark to be judged against.
Benefits of CobiT
86. Due to increasing electronic business and technology dependence, there is the need to demonstrate increasing levels of security and control. At the same time every organisation needs to understand its own performance and measure its progress. Benchmarking and measuring progress against peers is one way of achieving a competitive level of IT security and control. Pragmatic guidance in the form of maturity models is provided in the CobiT management guidelines, together with critical success factors and suggested performance measures (see Appendix 6). The management guidelines focus on performance management by using the principles of the Balanced Business Scorecard. Key goal indicators identify and measure the outcomes of processes, and key performance indicators assess how well processes are performing (as IT is a major enabler of business, the relationship between business goals and measures is very important).
87. From its pedigree and rounded approach, the CobiT model would appear to be worth considering as an IT governance framework for the LSC.
from government departments for delivering Civil Service modernisation. As a public body, this affects the Learning and Skills Council.
89. The government wishes to obtain efficiency savings in the running of the civil service and, in a budget speech to the House of Commons, the chancellor said "we are investing more than £6bn in modern technology creating the potential for greater economies in back office and transactional services".40
90. The Office of Government Commerce (OGC) is an independent Office of the Treasury reporting to the Chief Secretary. It was established to improve the efficiency and effectiveness of central civil Government procurement and is now the authority for IT-related best practice in commercial activities in UK government. OGC has assumed a key role in assisting government departments to develop skills and expertise in project and programme management. In support of this activity OGC has published a number of guides for IT strategy, programme, change and risk management. The guide How to Manage Business and IT Strategies41 proposes a governance framework. It summarises the governance of Information Systems and Information Technology as being concerned with decisions about:
organisation: the organisational units and structures, groupings, hierarchies and coordinating mechanisms (such as committees) established within the organisation and in partnership with external bodies
management: the roles and responsibilities established to manage IS and IT, and the scope of the power and authority which they exercise
policies: the frameworks and boundaries established for decision-making, and the context and constraints within which decisions are taken42.
Figure (OGC governance framework, diagram not reproduced; its labels are Business strategy; Organisation, management and policies (OMP); Administration; Organisation; Roles; Responsibilities; Relationships; Management-focused).43
91. Governance of IS and IT is considered as separate topics, with IS being the concern of the business management of the organisation and IT the concern of provider organisations (internal or external). The relationship between the business and provider organisations, and the interdependence between IS and IT, must be defined and managed. IS strategy therefore should be seen as an element of the wider business strategy, and the governance of IS will need to be consistent with the wider governance issues in the organisation. The LSC's IS and IT strategies were developed based on these OGC guidelines.
The IT Infrastructure Library
92. The IT Infrastructure Library (ITIL) provides guidance on IT service management. ITIL is owned by the OGC and was developed in recognition of the increasing dependence of organisations on IT to satisfy corporate aims and meet business needs. This dependence leads to an increased requirement for high quality IT services. ITIL covers seven main areas:
Service Support
Planning to Implement Service Management
ICT Infrastructure Management
The Business Perspective
93. The ITIL processes both support and are supported by the British Standards Institution's Standard for IT Service Management (BS15000). Training, qualifications, implementation and assessment tools are available to support the guidance.
Project Management
94. Projects in Controlled Environments (PRINCE) is a project management method covering the organisation, management and control of projects. PRINCE was first developed by the Central Computer and Telecommunications Agency (CCTA), now part of OGC, in 1989 as a UK Government standard for IT project management.
95. Since its introduction, PRINCE has become widely used in both the public and private sectors and is now the UK standard for project management. Although PRINCE was originally developed for the needs of IT projects, the method has also been used on many non-IT projects. The latest version of the method, PRINCE2, is designed to incorporate the requirements of existing users and to enhance the method towards a generic, best practice approach for the management of all types of projects.
96. As PRINCE2 (project management methodology) and ITIL have both been developed by OGC, the two methods are compatible.
Programme Management
97. MSP (Managing Successful Programmes) was developed by OGC to assist organisations to manage change and deliver business benefits from a set of related projects. A programme is defined as a portfolio of projects and activities that are co-ordinated and managed as a unit such that they achieve outcomes and realise benefits44.
Risk Management and Information Security Management
98. M_o_R (Management of Risk: Guidance for Practitioners) is owned and developed by OGC. It provides a framework for taking informed decisions about risk at a strategic, programme, project and operational level, to ensure that key risks are identified and assessed and that action is taken to address them. It was developed by experts from both public and private organisations. Training, qualifications and consultancy are available to support the use of this guidance on the management of risk. Risk analysis, also known as security risk analysis, is essential in ensuring that controls and expenditure are appropriate to the risks to which any organisation is exposed.
BS7799
99. The British Standard for Information Security Management (BS7799/ISO 17799) is a very detailed security standard. It covers 10 areas in detail:
Business Continuity Planning
System Development and Maintenance
Compliance
Security Organisation
Asset Classification and Control
System Access Control
Physical and Environment Security
Personnel Security
Computer and Network Management
Security Policy
Figure 8: How IT governance and the CobiT framework supports corporate governance (mapping table not reproduced; its row and column labels include the IT Governance Attributes Strategic Alignment, IT Resource Management, Risk Management, Value Delivery, Performance Measurement and Governance, the CobiT Framework headings including Performance measurement and Monitoring, and the frameworks BS7799, Prince2, CobiT, MSP, MoR and ITIL)
102. Some areas of IT and corporate governance are not reflected directly and definitively in CobiT; however, CobiT covers the same areas.
103. The above mapping shows the high level relationship between the various models that have been introduced. CobiT breaks down the IT and corporate governance areas into 34 processes, which are grouped together under the four headings shown in Figure 8. The detail of these processes maps into the IT and corporate governance areas, giving good coverage of all the key principles. As such, it provides a good base model that embodies the best aspects of IT and corporate governance. This model is further developed and used to assess governance in ISD in the next chapter.
Summary
104. In this chapter IT governance has been defined as:
Management, policies and procedures used to direct the IT function within the organisation, the ability to achieve monitoring and control of the function, identifying risks while achieving the organisational strategic aims and objectives.
105. IS/IT systems have been highlighted as a key facilitator in the role of allowing the aims of the business to be achieved, particularly within the public sector in the light of the recent spending review. Focus on project delivery and value for money will be key in this area and the need for the establishment of firm principles and practices by an organisation to allow effective implementation of IS/IT systems is vital.
106. Research indicates that the profile of IT governance has been raised in recent years for both private companies and public organisations. Summaries of the world recognised CobiT IT governance framework and the relevant government guidelines concerning strategy development, IT service management, programme, project, risk and information security management have been provided, and how the different guidelines complement and support each other has been identified.
107. Finally, the five main principles of IT governance have been mapped to the four main corporate governance principles, concluding that the CobiT framework is a valid model with which to approach analysis of IT governance in the LSC.
109. Having assessed the ISD function internally to CobiT, IT and corporate governance models, it is logical to undertake an assessment against the rest of government and the private sector to benchmark the ISD function of the LSC.
110. A questionnaire was developed as part of this study (see Appendix 8). The relationship of the survey to the main models described in chapters 2, 3 and 4 is detailed in Table 3 below:
Table 3: relationship of the survey to the models of chapters 2, 3 and 4 (table flattened in extraction; its surviving entries are Leadership, Controlling, Risk management, Acquisition and Implementation, IT resource management, Accountability, Value delivery, Delivery and Support, Accountability for IT Budget, Openness and transparency, Performance measurement, Monitoring, Communication with Stakeholders, Internal Controls, Statutory Accountability)
111. CobiT was too detailed to use for the survey, due to the extent of the data collection required and the likelihood of the survey not being completed by respondents. As identified in chapter 3, IT governance models are a subset of the corporate governance attribute areas, and thus the main corporate governance model was used as the survey basis.
IT Governance Survey
112. Research of the OGC website indicates that no surveys have been undertaken with regards to the level of IT governance in place within the UK government departments. Although insufficient responses were received to provide a more accurate picture of the state of IT governance across the whole government sector, the results here provide an indication against which the LSC can be compared.
113. Two areas were surveyed in the public and private sectors. The small sample of private organisations from the health, finance and retail sectors that participated had over 5000 employees, and 75% had an income exceeding 500 million per annum. Public sector respondents were IT professionals, so the sample is largely made up of persons involved in the sector.
114. A small but broadly representative group of UK government bodies (education, defence, finance, home/Scottish/Welsh office, law, work and pensions) responded to a survey about IT governance in their organisations (14 responses out of 200 issued). This survey was undertaken through the OGC Centres of Excellence (CoE) special interest group and through IT contacts in educational bodies. The survey was run at a CoE meeting where disciplines including procurement, IT and business change in public bodies came together to share experience and knowledge in these and related subjects. The results are provided as a percentage of the total completed questionnaires, but it should be noted that more than one response was from education, law and finance sectors (which make up 71% of total responses). Both private and government sector results are presented under the corporate governance attributes (with the section titles from the questionnaire on the figures for reference) and a comparison undertaken.
Figure 9: Head of IT? (government vs non-government, 0% to 100%)
115. It can be seen in Figure 9 that the role of IT and accountability to a high level within the organisation is recognised in both the private and public sectors. However, there is a definite difference between the public and private sectors with regard to recruiting staff against a defined role description with required skills. Surprisingly, in the public sector only 79% said that IT staff were recruited against a defined role description with required skills. This could indicate poor value for money from recruitment processes and poor HR management in allowing recruitment to go ahead without a clear business role description, or that insufficiently skilled staff are being recruited against a defined role description. This may be one of the contributing factors in government IT projects failing (much has been reported in the UK press on this subject). If the role description is not defined, then staff may not be aware of their objectives, responsibilities or accountabilities. If staff with insufficient skills are recruited, perhaps for budgetary reasons, then hidden costs such as training, insufficient knowledge to progress work as quickly as a skilled person, or making the wrong decisions (because of insufficient experience or knowledge) may cause a project to fail or business not to be developed. This could be addressed through a combination of training, team working and mentoring, allowing staff to develop without placing them in a position of responsibility that is outside their experience to manage.
Figure 10: Leadership attributes, government vs non-government (0% to 100%): recognises individual contributions; communicates well; gives positive direction; understands team motivation; sensitive to team needs; creates a good team environment; empowers others to make decisions; clear, consistent approach; actively manages risks; intuitive; maintains composure under stress; good financial management skills; sets and maintains high standards; sets clear boundaries without stifling innovation; focuses on realisation of business benefits; influences and engages with stakeholders; uses change to advantage; visionary
116. As can be seen in Figure 10 above, non-government organisations have greater strengths in the areas of planning (visionary, uses change to advantage, influences and engages with stakeholders, gives positive direction) and financial evaluation (good financial management skills) than government organisations. However, government organisations are stronger on supporting (creates a good team environment, sensitive to team needs, understands team motivation) and risk evaluation (actively manages risks). Both types of organisation are similar in their approach to initiation (sets and maintains high standards, empowers others to make decisions); however, non-government organisations have a greater focus on realising business benefits than government organisations.
117. Figure 11 shows that both sectors favour an IT committee or steering group that represents the interests of the organisation. In both sectors the membership is drawn from the business and external stakeholders, with only the government sector inviting independent members. In the non-government sector, membership is either appointed or elected, whereas in the government sector it is largely appointed. Government organisations show a higher tendency not to have fixed-term membership. For both sectors, the purpose of the meeting is to make decisions about IT priorities and direction, although only the non-government sector also makes decisions about IT budget and processes at these meetings. Government organisations tend towards monthly meetings, whereas the frequency of meetings in non-government organisations is equally split between monthly and quarterly.
Controlling
Figure 12: Documented processes in government and non-government organisations (Monitor, Support, Purchasing; 0% to 100%)
118. As can be seen from Figure 12, both sectors are strong in documenting processes for monitoring and supporting IT services and for purchasing IT goods and services. Non-government organisations demonstrate greater strength in documenting the process for developing strategic plans, whereas the government sector demonstrates greater strength in documenting processes to manage risks. The private sector therefore places slightly more emphasis on strategic planning and a keen emphasis on monitoring areas where liabilities are incurred (i.e. purchasing).
Figure 13: Risk management (Escalate risks?, Risk register?, Independent audit function; government vs non-government, 0% to 100%)
119. From Figure 13 it can be seen that both sectors are regularly audited by an independent audit function, and whilst only 50% of non-government organisations had a risk register (compared with 64% of government organisations), the organisations that had a risk register regularly reviewed it, took action and escalated risks to corporate level where necessary. Again, when a system such as a risk register is in place within a non-government organisation, its use is in line with audit compliance (i.e. 100%) so that it can produce approved accounts. This link between mandatory statutory financial reporting requirements and risk management (established via Turnbull) means that there is none of the partial compliance seen in the government sector.
Accountability
Figure 14: Accountability for IT budget in government and non-government organisations (PIRs, Business Cases, ITT; 0% to 100%)
120. Figure 14 shows that the use of tendering and business cases to ensure IT funds are used economically, efficiently and effectively is strong in both sectors. The non-government sector also uses post-implementation reviews to ensure the project worked and was delivered to timescale and budget. In the government sector reliance is placed upon work at the planning and start up stage but less is done to review the activity once it is complete to ensure the objective was achieved efficiently and effectively.
121. Figure 15 shows that whilst all non-government organisations surveyed published an IT report, only 50% of government ones did so. In non-government organisations the report was more likely to be issued to Business Directors and all staff, as opposed to the Head of Organisation and Senior Management Team in government organisations.
122. The content of the report in the non-government sector is largely about budgets, deliverables and benefits whereas in government organisations it is largely about deliverables, availability and risks. Reports are therefore particularly weak on budget information in government organisations. Approximately one third of organisations in both sectors use the report to provide information on strategic direction.
123. Whilst the difference in audience for the report will account for some of the differences in content, the difference in budget reporting between the two sectors (14% government, 75% non-government) indicates a lack of openness and transparency about the resources committed to IT activities in the government sector.
Attribute
Issue
Improvement Area for Government documentation for purchasing support and ensuring that any expenditure will further the strategic aim of the organisation.
Risk
Ensure risk register is current and up-to-date so that the risk of various project liabilities can be monitored. Monitoring to be independent of the project management so that the business aims are paramount.
Accountability
Consistently apply a post implementation review process in the government sector. This will allow better financial and project control. It would also increase accountability of project managers and allow feedback to other project managers so that lessons are learnt from mistakes.
Examination of what the internal reports are aiming to achieve with regard to audience, with more emphasis on delivery, cost and achievement of business aims.
Table 4: Improvement areas for government sector arising from survey issues
125. The overall conclusion from these surveys is that the non-government sector has a greater emphasis on finance and value for money. Such organisations have strong financial controls and are clear about accountabilities and responsibilities. This is not so obvious in the government sector.
127. Research and analysis of information about IT governance has identified that IT governance is a subset of good corporate governance. Investigation of the CobiT framework shows that it mirrors the principles of both corporate and IT governance and that it is therefore a good model of IT governance for the LSC to adopt. The shortfalls in certain CobiT framework areas (i.e. honesty, integrity, etc.) can be discounted because the public sector Nolan values embodied in the Civil Service code and LSC governance more than address this omission in CobiT.
128. In conclusion, therefore, it would be sensible for the LSC to adopt the CobiT model for IS/IT governance, because it embodies the principles of previous reviews and is specifically tailored to this business function.
Specific findings and recommendations concerning the LSC have been removed from this version
Appendices
Appendix 1
Cadbury The Financial Aspects of Corporate Governance
1. Details of the main principles of the Cadbury code are:
Principle / Description
Openness: as a basis for confidence between the business and its stakeholders; disclosure of information ensures efficient working and effective action of boards, and allows scrutiny by shareholders and others.
Integrity: means straightforward dealing and completeness; financial reporting should be honest and present a balanced picture of the state of the company's affairs; the integrity of the reports is dependent upon the integrity of those who prepare and present the reports.
Accountability: the board of directors is accountable to the shareholders; this is supported by the quality of information from directors to shareholders, and is dependent upon shareholder willingness to exercise their responsibilities as owners.
Appendix 2
Nolan The Seven Principles of Public Life (1st Report)
2. Details of the seven principles of public life identified by the Nolan Committee:
Principle / Description
Selflessness: Holders of public office should take decisions solely in terms of the public interest. They should not do so in order to gain financial or other material benefits for themselves, their family, or their friends.
Integrity: Holders of public office should not place themselves under any financial or other obligation to outside individuals or organisations that might influence them in the performance of their official duties.
Objectivity: In carrying out public business, including making public appointments, awarding contracts, or recommending individuals for rewards and benefits, holders of public office should make choices on merit.
Accountability: Holders of public office are accountable for their decisions and actions to the public and must submit themselves to whatever scrutiny is appropriate to their office.
Openness: Holders of public office should be as open as possible about all the decisions and actions that they take. They should give reasons for their decisions and restrict information only when the wider public interest clearly demands.
Honesty: Holders of public office have a duty to declare any private interests relating to their public duties and to take steps to resolve any conflicts arising in a way that protects the public interest.
Leadership: Holders of public office should promote and support these principles by leadership and example.
Independent Scrutiny
Education
conduct in public bodies, in particular through guidance and training, including induction training.
4. Further areas of the report related to the selection and appointment of operating officers and executives in NDPB organisations:
selection on merit should take account of the need to appoint boards which include a balance of skills and backgrounds. The basis on which members are appointed and how they are expected to fulfil their role should be explicit. The range of skills and backgrounds sought should be clearly specified.
each panel or committee should have at least one independent member and independent members should normally account for at least a third of membership.
Appendix 3
Turnbull Internal Control: Guidance for Directors on the Combined Code
5. The detailed principles of the Turnbull guidance are:
PRINCIPLE / DETAIL
Risk
clear business objectives communicated
risk assessment and control
ongoing assessment of risk
board acceptance of risk
risk policy and strategy
culture etc. support business objectives and risk management
senior management commitment
decisions and actions by appropriate people and coordinated
employees understand responsibilities
skills and tools to achieve business objectives and manage risks
adjust processes/controls to meet change
management/board receive timely, relevant, reliable reports
information needs and systems reassessed to meet change
periodic reporting procedures balanced and understandable
whistle blowing channels
monitor policies, processes and activities re internal control and risk management
monitor ability to re-evaluate risks and adjust controls (in response to change)
appropriate response to changes in risk and control
communication to board on risk and control
Monitoring
Appendix 4
The Combined Code of Corporate Governance (revision of Higgs)
6. The main points from the code are:
new definitions of the role of the board, the chairman and the non-executive directors;
more open and rigorous procedures for the appointment of directors and from a wider pool of candidates;
formal evaluation of the performance of boards, committees and individual directors, enhanced induction and more professional development of non-executive directors;
at least half the board in larger listed companies to be independent non-executive directors, with a definition of independence of non-executive directors;
the separation of the roles of the chairman and the chief executive to be reinforced;
closer relationships between the chairman, the senior independent director, non-executive directors and major shareholders; and
Appendix 5
Summary of the Langlands Commission Research Data
7. Additional information about the ways of working and recruitment and appointment of the Board, and support for governors and the governing body:
Ways of working
a) ethics, values, conduct, for example a code of practice for board members.
b) openness and transparency: the preparation of an annual report on activities; annual open meetings and public meetings to consult or inform the public; compliance with the Code of Practice on Access to Government Information and the nine principles of public service delivery; complaints procedures.
d) use of committees: the delegation of responsibility for specified matters; establishment of an audit committee (chairmanship, membership and responsibilities).
Recruitment and appointment
a) appointment procedures, length of terms of office
b) any exclusions from eligibility to be a governor
c) job descriptions/person specifications
d) induction arrangements
e) time commitments/expectations
Support for governors and governing body
a) training, development and support (no information provided in the report)
b) remuneration
c) performance and appraisal of governing bodies (no information provided in report)
d) performance and appraisal of individual governors
e) information for governors and governing bodies
f) staffing to support the governing body
g) liability
Appendix 6
Overview of the CobiT Model
Figure: Overview of the CobiT model (task environment: Ethics & Culture, Laws and Regulations, Mission & Vision, Role Models, Industry Practices; cycle labels: Alignment, Execute, Monitor, Performance Measurement, Value Delivery)
129. The main theme of CobiT is business orientation. It is based on business objectives and provides comprehensive guidance for management and business process owners. The CobiT framework groups IT processes into four broad categories: Planning and Organisation, Acquisition and Implementation, Delivery and Support, and Monitoring.
130. It then defines high-level Business Control Objectives for the processes, linked to business objectives, and supports these with detailed Control Objectives.
Figure: The CobiT framework. Business objectives; information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability; IT resources: data, application systems, technology, facilities, people.
Planning and Organisation processes: PO1 Define a strategic IT plan; PO2 Define the information architecture; PO3 Determine the technological direction; PO4 Define the IT organisation and relationships; PO5 Manage the IT investment; PO6 Communicate management aims and direction; PO7 Manage human resources; PO8 Ensure compliance with external requirements; PO9 Assess risks; PO10 Manage projects; PO11 Manage quality.
Acquisition and Implementation processes: Identify automated solutions; Acquire and maintain application software; Acquire and maintain technology infrastructure; Develop and maintain IT procedures; Install and accredit systems; Manage changes.
131. The Control Objectives are supported by audit guidelines which enable auditors and managers to review specific IT processes against them, in order to help assure management where controls are sufficient, or to advise management where processes need to be improved. The third main component is CobiT's management guidelines.
132. Managers in every organisation need to understand the status of their own IT systems and decide what security and control they should provide. As well as the need to measure where the organisation is in this respect, there is also the need to decide the right level of security and control and to improve continuously in this respect. The CobiT management guidelines help with these issues by defining:
performance and key goal indicators of the IT processes for their outcome and their performance
Maturity Models
133. The CobiT maturity model is derived from the Software Engineering Institute's Maturity Model for software development capability.
1 Initial: software process ad hoc; few processes defined; success depends upon individual effort
2 Repeatable: basic project management processes established to track cost, schedule and functionality; process discipline in place to repeat earlier project successes with similar applications
3 Defined: software process for management and engineering activities documented, standardised and integrated into a standard software process for the organisation; all projects use an approved, tailored version of the organisation's standard software process for developing and maintaining software
4 Managed: detailed measures of software process and product quality collected; software process and products quantitatively understood and controlled
5 Optimizing: continuous process improvement enabled by quantitative feedback from the process and from piloting innovative ideas and technologies
134. In addition to these five levels, CobiT provides a sixth level, 0 = non-existent. Against each of these levels, developed for each of CobiT's 34 IT processes, management can map:
135. Figure 19 provides an example of how this might appear. For example, the organisation rates itself as achieving a maturity level of 2 (Repeatable: processes follow a regular pattern), which compares against an industry best practice rating of 3 (Defined: processes are documented and communicated). The organisation itself is aiming for a maturity rating of 5 (Optimised: best practices are followed and automated).
Legend for rankings used:
0 Non-Existent - Management processes are not applied at all
1 Initial - Processes are ad hoc and disorganised
2 Repeatable - Processes follow a regular pattern
3 Defined - Processes are documented and communicated
4 Managed - Processes are monitored and measured
5 Optimised - Best practices are followed and automated
Reference points marked on the Figure 19 scale: International Standard Guidelines, Industry Best Practice, Enterprise Strategy
136. A Balanced Scorecard approach, based on critical success factors, is used by management to achieve control over its IT processes. The critical success factors identify the most important things management must do, strategically, technically, organisationally or procedurally. An example of this approach is given in Figure 20.
Figure 20: Balanced scorecard example (labels: Learning; Staff productivity & morale; # of staff trained in new techno/services; Amount of errors; Value delivery per employee up; Increased availability; Knowledge systems). Reproduced by kind permission of ISACA.
137. Key goal indicators define measures that tell management after the fact whether an IT process has achieved its business requirements, usually expressed in terms of the following information criteria:
138. Key performance indicators define measures to determine how well the IT process is performing in enabling the goal to be reached. They are also lead indicators of whether a goal will likely be reached or not and are good indicators of capabilities, practices and skills.
Appendix 7
ISD CobiT Maturity Assessment Interview Findings Specific findings to the LSC have been removed from this version
Appendix 8
Sample of the Questionnaire
Contributors
With grateful thanks to all those who contributed to this research:
Name: Bruce Allen, Helen Atkinson, Paul Frost, Carol Hartley-Burdett, Kevin Hayes, Peter Holmes, Gary Johnson, Jon Luke, Neil Morrison, Rob Wye
Title and Organisation: CORGI Registration Manager; General Manager Commercial, CORGI Services Ltd; Director of Information Systems, Learning and Skills Council; LSC Internal Auditor; IT Security Officer, Learning and Skills Council; Head of the Chairman's Office, Learning and Skills Council