Every enterprise faces a wide range of risks, including enterprise business operations, the business and related market factors, general economic conditions, and an endless list of other enterprise risk factors. In order to have effective IT governance practices, an enterprise needs to have an effective program for assessing and managing overall risks, significant risks within an enterprise, and specific risks facing IT operations. Exhibit 2.5 outlines some IT governance risk issues and summarizes some effective strategies for managing those risks.
The theme of the risk requirements and strategies outlined in Exhibit 2.5 is that an enterprise needs to have an understanding of the various types of IT risks that it faces as well as the costs and alternative strategies for taking corrective actions if such risk events occur. An important term and concept here is what is called risk appetite. That is, how great a risk are a senior manager and the overall enterprise willing to accept? The individual investor who places his money in AA-rated corporate bonds has a much lower appetite for risk than does the investor in speculative technology stocks. An understanding of enterprise risk issues is a requirement for implementing effective IT governance processes.
IT Governance Enterprise Organization Issues
IT governance issues and concerns extend well beyond just the IT department and its resources, and must include many enterprisewide issues and concerns. We should always consider the IT resource in an enterprise not as just one unique element but as a specialized unit or component of the overall enterprise. Some of these governance issues are outlined in Exhibit 2.6. The message in this exhibit is that although IT management may develop governance processes and procedures affecting their own IT systems and operations, they should always think of them in the much larger context of the overall enterprise.
Exhibit 2.6 also mentions jurisdiction and boundary issues as an IT governance component. Although not too many years ago an enterprise’s IT resources existed behind highly secured locked doors, often as a separate facility island apart from other enterprise operations, we must always think of IT operations as a key component in the continuous process of other enterprise operations. However, we should always remember that boundaries exist, and IT, finance, and other operations should recognize the boundaries between various areas of responsibility when establishing governance processes.
IT Governance Legislative and Regulatory Issues
Legislative and regulatory rules and issues are important components of effective IT governance processes. Enterprise management should monitor these rules and take steps to assure their compliance.
IT Governance Security Issues
Because enterprise IT operations are connected both internally and to outsiders through the Internet and many other data connections, security matters are major IT governance issues. Many IT consumers and users recognize that their systems and data are vulnerable to a wide range of outside intruders whose interests range from just disrupting someone’s IT operations to sabotaging systems and data for profit or gain. Effective IT security controls are an important element of IT governance. Today’s business executive should have a high-level general understanding of the more significant security issues that are important for effective IT governance. Although there are many and varied issues here, a business manager should understand IT security threats and risks but should seek specialized technical help within the enterprise to more effectively implement the types of IT governance security processes outlined in Exhibit 2.7.
IT Governance Internal, External Threats
Turning to more specific IT governance issues, an enterprise faces a wide range of internal and external security threats. The external threats can range from such matters as terrorist attacks to foreign government espionage to cloud computing risks and more. IT governance internal threat processes can often be better monitored and controlled. While we never know when some totally unexpected intruder will attack our IT systems, we can reduce the risks of internal threats by establishing strong internal policies and procedures.