IT governance integral part of corporate governance
20 May 2016
In the world today, Information Technology (IT) has become so indispensable to our daily lives that no organisation, be it for profit or non-profit, can operate efficiently and competitively without some form of automation or a robust IT system.
For any modern-day business to stay agile, relevant, competitive and profitable, it has to rely on and invest in IT as a major component of its business strategy.
Automating a company’s functions, apart from requiring significant financial investments, also requires the incorporation of powerful internal control mechanisms into computers (hardware), software and networks to manage operational IT risks.
In view of the above, IT governance is now considered a bread-and-butter issue for businesses to thrive. The emerging trend is that IT governance and corporate governance can no longer be separated.
IT governance now constitutes a key component of every company’s strategic plan and consequently it has become a standing agenda item at board meetings.
There are also other factors that have focused attention on IT governance. IT systems and e-commerce, despite their advantages, have also brought with them many operational risks which organisations need to mitigate.
Cybercrime has become a very big challenge to organisations, with database hacking, data corruption, manipulation and loss, phishing, identity theft, card fraud, virtual money laundering, etc. becoming more rampant globally. This has produced disastrous consequences not only for organisations, their customers and stakeholders, but also for global economies and stability.
The rise in cybercrime has placed organisations in “panic mode”, catalysing them to invest more in risk mitigation measures as part of their IT governance framework.
This article aims to highlight the importance of IT governance and why it should be taken as an integral part of corporate governance in an organisation. For ease of reference the term company will be used, but this discussion applies equally to all organisations, be they for profit or non-profit.
Although I have covered this topic in the past, I felt it is important that we look at it again albeit in a different context.
IT governance: Part of corporate governance
IT can no longer be considered a “technical issue” or solely an “enabler” of a company’s performance. IT is now regarded as an integral part of every company’s corporate strategy. Corporate governance best practice now treats IT governance as a key facet of corporate governance which should be aligned with the company’s strategic objectives.
“IT governance provides the structure that links IT processes and information to enterprise strategies and objectives. IT governance integrates and institutionalises optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance. IT governance is integral to the success of enterprise governance by assuring efficient and effective measurable improvements in related enterprise processes. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage.”
IT governance is broader than technology alone and includes the following: business strategies and processes, IT equipment, IT systems, operational risks and internal control systems, cyber security, compliance issues (regulatory requirements and best practices), sustainability and business continuity, IT investments and expenditure, training, human capital issues, etc. All these issues are crystallised into an IT governance framework.
Corporate governance codes
The Zimbabwean corporate governance code addresses the importance of IT governance.
Chapter five of our code provides for information management and disclosure.
The King III report on Governance for South Africa, Chapter 5 deals in detail with governance of IT and identifies IT as an integral part of the business and its risk management process.
The board should have an understanding of the company business, its processes and requirements. This will enable it to give strategic guidance to management for ensuring that there is a robust IT governance framework in place.
Directors should ensure that IT governance is not isolated, but is part of overall corporate governance.
Directors should have an appreciation of and a basic understanding of IT, and of the risks and opportunities associated with it, in order to be effective in giving direction and guidance on IT governance.
Directors should also ensure that IT governance is part of the board meeting agenda and the board takes time to discuss IT governance.
Section 283 of the Zimbabwe code provides that “the board must ensure that an information security management system is developed, implemented and recorded in an appropriate and applicable information security framework”.
Management, on the other hand, is responsible for crafting IT governance policies for board approval and for ensuring that, once they are in place, these policies are implemented company-wide.
Management decides on the level of risk it is willing to accept (risk appetite). Risk tolerance must, however, be weighed against the cost of controls. Management recommends for board approval the IT policies, control systems and the costs of implementing them.
Two areas that need to be emphasised as critical components of IT governance are cybercrime and cyber security. Directors should take an interest in both.
Cybercrime has become the biggest threat to IT governance. The most common cybercrimes globally are: hacking (eg the Julian Assange and Edward Snowden cases in the United States), card fraud, phishing, identity theft, virtual currency laundering, etc. In Zimbabwe the most common crimes are phishing, mobile money fraud and internet fraud, especially in online car sales.
The Reserve Bank of Zimbabwe (RBZ) has produced a report on cybercrime in Zimbabwe and globally. According to the RBZ report, illicit proceeds from cybercrime in Zimbabwe in 2015 were estimated at US$1,8 billion. The report further states that proceeds from cybercrime globally are estimated at 3,5 percent of global gross domestic product, or a whopping US$1 trillion. The cost of cybercrime to the United Kingdom alone was estimated at £27 billion.
The proliferation of cybercrime has resulted in governments across the globe investing heavily in cyber security and increasing international cooperation initiatives to fight cybercrime. A Zimbabwe Common Market for Eastern and Southern Africa workshop was concluded recently in Harare that focused on cybercrime and proposed cyber security measures that regional governments have to put in place to mitigate the scourge of cybercrime. It is a cause for concern that the Zimbabwe Cybercrime Bill is yet to be finalised and promulgated into law. Companies cannot win the cybercrime war without government intervention.
The most common threats to IT hardware and systems are: malware (programmes designed to harm computers, i.e. viruses, worms, Trojan horses, rootkits, etc.), hacking, physical damage to hardware and networks, sabotage and so on.
The Government of Zimbabwe defines cyber security as a body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorised access.
Cyber security is a critical component of a company’s IT governance framework and requires that a company puts IT risk management measures in place to safeguard its IT systems and hardware. A cyber security policy is an indispensable element of a company’s IT governance framework.
As a guide, a cyber security policy should include the following internal controls to mitigate operational IT risks: malware protection (against viruses, worms, etc.), firewalls, access controls for IT systems (such as PINs), secure storage of and controlled access to hardware, restrictions on employees connecting their own devices (personal laptops, external drives, USB sticks, etc.) to the company network, and controls over the use of company computers at home.
Hardware disposal at the end of its life, whether by staff sales, donations, auctions, etc., should not be done haphazardly. Measures should be in place for dealing with computer equipment once it is taken offline.
Sanitisation procedures for hardware before disposal should be put in place to protect the data it held. Computer equipment should not be disposed of before it is sanitised (wiped clean of all stored data), so that the data cannot be recovered by whoever receives the hardware.
Management should ensure that the IT governance framework is internally publicised and that there is a company-wide awareness drive to all employees on the importance of cyber security.
All IT users should be aware of the operational risks inherent in IT systems and of the role that individual employees play in managing those risks.
The board should ensure that, apart from creating awareness in-house, management is also aware of local and international laws and international best practices governing IT governance, and in particular cyber security.
There are many protocols and international best practices that deal with cyber security, and companies should consult these for guidance.
Ultimately the board has full responsibility for ensuring that the company has a robust IT governance framework which safeguards assets and enhances efficiency and competitiveness, thus enabling the company to meet its objectives and create value for the shareholders invested in it.
Source: The Financial Gazette, Zimbabwe