Most organizations in all sectors of industry, commerce, and government are fundamentally dependent on their information systems (IS) and would quickly cease to function should the technology (preferably information technology–IT) that underpins their activities ever come to halt. The development and governance of proper IT infrastructure may have enormous implications for the operation, structure, and strategy of organizations. IT and IS may contribute towards efficiency, productivity, and competitiveness improvements of both interorganizational and intraorganizational systems. On the other hand, successful organizations manage IT function in much the same way that they manage their other strategic functions and processes. This, in particular, means that they understand and manage risks associated with growing IT opportunities, as well as critical dependence of many business processes on IT and vice-versa. IT risk management issues are not only marginal or ‘technical’ problems but become more and more a ‘business problem.’ Therefore, in this chapter, a corporate IT risk management model is proposed and contemporary frameworks of IT governance and IT audit explained. Also, it is depicted how to model information systems and supporting IT procedures to meet ‘always-on’ requirements that comes from the business. In fact, a number of IT metrics proposed in the chapter support the alignment of IT Governance activities with business requirements towards IT.
TopIntroduction: Managing It Risks Is A Business Not A ‘Technical’ Problem
In the early days of implementing IT in the business, it was often seen as a technical support function and was typically managed by finance departments. When evolving from technology providers into strategic partners, IT organizations typically follow a three-stage approach. Each evolutionary stage builds upon the others beginning with IT infrastructure management (ITIM). During this stage, the IT’s role in the organizations focus on improving the management of the enterprise (technological) infrastructure. Effective infrastructure management mainly is associated with maximizing return on computing assets and taking control of the infrastructure, the devices it contains and the data it generates (ITGI, 2003). The next stage, IT service management (ITSM), sees the IT organizations actively identifying the services its customers need and focusing on planning and delivering those services to meet availability, performance, and security requirements. In addition, IT contributes to the businesses by managing service-level agreements, both internally and externally, as well as by meeting agreed-upon quality and cost targets. Ultimately, when IT organizations evolve to IT business value management (IT Governance), they are transformed into true business partners enabling new business opportunities (Hunton, Bryant, & Bagranoff, 2004). In that stage, IT processes are fully integrated with the complete lifecycle of business processes improving service quality and business agility. (see Figure 1)
Figure 1. Evolvement of IT as corporate function
While early IT implementations were clearly focused on automation of clerical and repetitive tasks, in today’s highly competitive business environment, effective and innovative use of information technology (IT) has the potential to transform businesses and drive stakeholder value (Weill & Ross, 2004; Peppard & Ward, 2004). According to the recent ITGI-PricewaterhouseCoopers study results, IT is quite to very important to delivery of the corporate strategy and vision (ITGI, 2007). On the other hand, poorly managed IT investment or badly implemented IT projects will lead to value erosion and competitive disadvantage (COSO, 2004; ITGI & PricewaterhouseCoopers, 2006; Weill & Ross, 2004). A number of or company–level studies and analyses show that IT contributes substantially to company's productivity growth. This contribution is by all means strong where IT strategy is linked with business strategy, thus IT can initiate major changes in organization structure, business processes and overall activities. In one study, Brynjolfsson and Hitt (1993) concluded 'that while computers make a positive contribution to productivity growth at the firm level, the greatest benefit of computers appears to be realized when computer investment is coupled with other complementary investments; new strategies, new business processes, and new organizations all appear to be important.' Central message from the research literature, and one that is universally accepted, is that technology itself has no inherent value and that IT is unlikely to be source of sustainable competitive advantage (Peppard & Ward, 2004). The business value derived from IT investments only emerges through business changes and innovations, whether they are product/service innovation, new business models, or process change.
Therefore, successful organizations that manage to derive business value out of IT investments also understand the importance of IT control environment and manage the associated risks, such as increasing regulatory compliance and critical dependence of many business processes on IT (Spremić, Žmirak, & Kraljević, 2008; Spremić & Strugar, 2002). This in particular means that they manage the risks associated with growing IT opportunities. The risks associated with business processes conducted through IT support are not only any more marginal or ‘technical’ problems and become more and more a key ‘business problem’.