IT Governance is defined as the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives.
Expanding further, IT governance is the management board's ability to direct and control the enterprise's use of IT resources in line with strategic goals. Leadership, organisational structure and processes are used to leverage IT resources, drive alignment with the business, ensure delivery of value, manage risk, optimise resources and measure performance.
Harley Davidson Motor Company began operations in 1903 in Milwaukee, Wisconsin, USA. It is the oldest manufacturer of heavyweight motorcycles in the US and has the rare distinction of having posted record revenues for the past 20 years. Apart from the motorcycles themselves, the company also sells motorcycle parts, accessories and related services. Its business can be divided into two major sectors: the motorcycle-related sector and financial services. The motorcycle-related sector deals mainly with the production, sale and servicing of heavyweight custom, touring and performance motorcycles, which Harley markets under its signature brand names "Buell" and "Cagiva". Apart from manufacturing the five families of Harley motorcycles, this sector also deals with motorcycle-related accessories, performance parts, cosmetics and general merchandise such as clothing. The financial services sector handles financing and loans for both the company's dealers and its customers.
Need for IT Governance
In 2003 Harley Davidson had few IT controls in place, and a large proportion of the staff had little or no knowledge of controls. The following gaps were observed:
No standardised process for users to obtain access to data and IT applications, which made life difficult for users and exposed applications to unauthorised access.
No defined change management process to record who made changes to IT infrastructure components, and why.
No impact analysis of proposed changes; even seemingly trivial changes could cascade into issues in connected systems and cause unexpected chain reactions.
Limited documentation of processes, so most IT work depended on particular individuals.
No clear backup and recovery strategy; the recovery process had never been tested to confirm it would work after a disaster.
Overall, organisational standards were minimal.
The challenge was also in getting management, information technology (IT) and audit speaking the same language and working toward increased control, while still respecting the company's unique culture.
With the implementation of the Sarbanes-Oxley Act, and with regulations tightening worldwide, Harley Davidson created an entirely new IS compliance department and began implementing a number of generic compliance models sourced from vendors. Later Harley Davidson adopted COBIT: the entire control framework was converted to COBIT, which allowed the company to select individual areas and control needs rather than addressing the whole process at random.
IT has a significant impact on the success or failure of an organisation. Stakeholders recognised this impact, and using IT effectively for competitive advantage became paramount. Management needs to ensure that information is handled effectively so that the organisation is:
More likely to achieve its desired objectives.
Able to incorporate past lessons through a continuous improvement process.
Able to manage risk effectively in its operations.
Agile enough to recognise new opportunities and act upon them.
IT Governance in Detail
An organisation's success depends on how effectively IT aligns with business objectives and strategy. Successful organisations have leveraged IT not just as a support function but as a means of growing the business.
For an organisation to have an effective IT department it needs to address several concerns:
Align IT with business objectives.
Measure the business value of IT investments effectively.
Generate value from existing IT investments.
Maintain a good relationship and communication path between IT and the business.
Demonstrate the ability to manage and mitigate risk effectively.
Without a good governance model it is difficult to achieve the above objectives. IT governance needs a widely accepted model that is clearly understood by the various stakeholders. The governance framework should:
Link to business requirements.
Measure performance against those business requirements transparently.
Identify the resources that can be leveraged.
Define the management control objectives to be considered.
Organisations can use a number of frameworks as a basis for developing their own governance model. The two best-known are the IT Infrastructure Library (ITIL) and COBIT (Control Objectives for Information and Related Technologies). The two frameworks are complementary: ITIL focuses on best practices for delivering IT services, such as helpdesk management, network security and IT operations, and is useful for improving the efficiency of IT operations and the quality of customer service. COBIT provides guidance across the whole range of IT-related activities, including planning, acquisition, delivery, support and operations, and is a useful tool for improving the quality and measurability of IT governance.
Harley Davidson chose COBIT as its governance model for the following reasons:
It is an internationally accepted standard for IT governance and control practices.
It can be used by management, end users, and IT audit and security professionals, and it provides a common language.
It provides a means for benchmarking controls compliance.
It is supported by tools and templates.
Other leading standards, including ISO 17799, ITIL and NIST, harmonise with and map to COBIT.
The company was able to gain agreement with the external auditor on the same framework and control objectives.
The IT Governance Framework Model (COBIT)
The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management, created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices, to assist them in maximizing the benefits derived through the use of information technology, and developing appropriate IT governance and control in a company. - (Wikipedia)
Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT's good practices represent the consensus of experts. They are focused more on control and less on execution. These practices help optimise IT-enabled investments, ensure service delivery and provide a yardstick against which to judge when things go wrong.
For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:
Making a link to the business requirements
Organising IT activities into a generally accepted process model
Identifying the major IT resources to be leveraged
Defining the management control objectives to be considered
Harley Davidson Motor Company implemented COBIT in its business environment as its means of IT governance.
Business Benefits
The use of a globally accepted governance model, COBIT, allowed the company to reach agreement with its auditor on the implementation of control and governance. Different parts of the company, including non-technical staff such as motorcycle experts and builders, were educated in control methods and their importance. As the company urgently needed an effective control system, the COBIT implementation changed the perception among control owners from "more controls are better" to "a few effective controls are better" for the business. Control owners came to understand that fewer resources and less time were acceptable, provided the final outcome was sound from a business point of view.
Prior to implementing the COBIT framework, the areas audited by the external auditor were chosen at random or on loose justification. Now the areas selected for audit are firmly based on business value and control needs.
The breadth and depth of COBIT have naturally allowed it to be used successfully as a central control model. In addition, benefits Harley-Davidson has found by using COBIT as a control model include:
IT governance personnel can map frameworks "behind the scenes."
End users need to be aware of only one standard.
IT can easily show compliance with multiple frameworks.
It helps establish a consistent focus.
It gains external audit agreement on the company's control position.
It establishes the ability to use control objectives to help identify root causes.
There is a comprehensive view of the risk and control environment.
It provides a foundation for all future internal and Sarbanes-Oxley-related audits.
One of the biggest advantages of implementing COBIT at Harley Davidson was that it became an invaluable tool for internal comparison. All the information was made available to management in a clearer perspective, especially when it came to overall buy-in.
Peer comparison can be done in a far less biased manner using the COBIT framework, and it has become part of IT audit. Most importantly, key discussions about the company's position were invited using this framework. Before the implementation of COBIT the areas chosen for audit were selected at random on unclear criteria; now they are firmly chosen on the basis of control needs and business value.
Usually the introduction of an entirely new framework confuses the workforce, and some employees may be quite resistant to the change. COBIT reduces this problem because it is well organised and methodical. Those leading their respective teams in the Harley Davidson work environment can easily follow these steps and later pass them on to the rest of the workforce.
The key to the success of any governance model is management involvement, and Harley Davidson had full executive sponsorship of the new governance model. Employees participating in establishing the framework need to know the measurable outcomes expected of the controls and processes put in place. IT governance using COBIT succeeded at Harley Davidson because management was involved as a key stakeholder. The company also did a good job of involving grass-roots employees in the process, which would not have been possible without effective communication from management about the value of the new process. Harley Davidson also maintained a good issue-tracking mechanism to track and report findings, so that follow-up with management action plan owners ensured the issues were addressed.
In my view most forms of governance are generally regarded with cynicism by employees, and this can leave employees feeling that management does not trust them. The result can be employees who fail to be creative or take initiative. Management needs to involve employees from within the group rather than having the changes driven entirely by external consultants or auditors. Controls need to be introduced gradually rather than abruptly, taking employees into confidence. A balance needs to be maintained between controls and an environment in which creativity is encouraged.