Information Technology

WHAT IS IT?

Information Technology (‘IT’) is the application of computers, telecommunications equipment and software to store, retrieve, transmit and manipulate data, in the context of a business or other enterprise (and in personal activities and endeavours).

The term is commonly used as a synonym for computers and computer networks, but it also encompasses other information distribution technologies such as television and telephones.  Several industries are associated with information technology, including computer hardware, software, electronics, semiconductors, internet, telecom equipment, e-commerce and computer services.

Strategic Assurance is a strong feeling of confidence about your organisation’s management of its objectives and the means of achieving them, including its structures, policies, procedures, systems, controls and reporting processes – and the associated risks.

VALUE PROPOSITION

The principal features that drive the value added by strategic assurance services are the ASSURANCE, INSIGHT AND OBJECTIVITY provided to the governing body which has the duty and responsibility to plan and oversee the organisation’s activities and achievements.

These services are essential to you because it is not feasible for the governing body itself to meet all of the IT requirements associated with an organisation or to perform the detailed analysis and interpretation required to document and monitor the organisation’s IT plans and operations on an ongoing basis.  This is work for a highly qualified specialist with a relevant university degree and strong experience and knowledge in the field.  It may be necessary to outsource part or all of the duties related to managing the IT function.

Irrespective of whether or not the role is full-time, part-time, performed by employees or outsourced, the value added by effective IT planning and operations is substantial – in at least three areas:

  • Assurance (for the governing board and senior management) is derived from governance, risk management and control processes which are supported directly by IT activities.

Effective IT management provides a key element of assurance to the governing board on the organisation’s ability to meet or exceed its objectives over time.

  • Insight comes from catalysts, analyses and assessments by the IT Manager and other staff.

IT strategic plans and operations provide objective bases for monitoring, analysis and assessment over time for the benefit of the whole organisation but, particularly, the governing board and the chief executive officer.  Periodic reports provide a sound basis for the governing board to assess and evaluate the need for change to the direction or intensity of its IT performance and risks.

  • Objectivity comes from the application of integrity, accountability and independence.

With a commitment to integrity and accountability, independent IT professionals provide value to governing boards and senior management as an objective source of sound advice.

THE IT MANAGEMENT AND CONTROL PROCESS

Due to the specialised nature of IT planning and operations, SAS provides services directly in the following areas:

  • Environmental controls;
  • Application controls;
  • Risk assessment;
  • Software needs planning and specification;
  • Review of licence and contractual arrangements;
  • Performance measurement and monitoring; and
  • Facilitating appointment of specialised service providers for particular services such as:
    • IT strategic planning;
    • IT security reviews and risk assessments;
    • Reviews of efficiency and effectiveness of IT activities;
    • Access controls and penetration testing; and
    • Compliance assessment in relation to authorised software, etc.

ISSUES IN IT MANAGEMENT

IT Planning Issues

  • Defining the planning period – usually three or five years, based on financial years;
  • Identifying planning assumptions about the environment in which the plan will be rolled out, based on an ‘Environmental Scan’ and ‘SWOT’ Analysis at the beginning of the planning period – including likely and anticipated new directions in technology products, services, suppliers and buyers;
  • Identifying the IT strategies needed to meet the organisation’s overall objectives;
  • Identifying and assessing the risks arising from the IT strategies chosen and the treatments proposed in the context of the organisation’s ‘Risk Appetite’;
  • Evaluating the realism of those strategies in a specialised technical environment which is the subject of constant (and often rapid) change over reasonably short periods;
  • Quantifying particular strategic issues relating to capacity, processing, asset management and replacement needs, the physical environment, etc.;
  • Setting objective key performance targets for each IT strategy with which to monitor progress and take remedial action if required;
  • Identifying the equipment, software, communications, human and financial resources required to implement the IT strategic plan – and the extent to which those requirements are to be outsourced to consultants or other third parties;
  • Resource needs included in the organisation’s Asset Management Strategy, Workforce Strategy, Financial Management Strategy and Integrated Financial Model;
  • Identifying approval processes for the IT strategic plan and updates;
  • The organisation structure and reporting lines required to implement the IT strategies; and
  • Intellectual property required to support the delivery of the IT strategies chosen.

Operational IT Matters

At least the following matters will require ongoing attention if the IT function is to be managed effectively:

  • Access controls;
  • Capacity of hardware, file servers and storage to exceed the current needs of the organisation;
  • Access to expert support advice internally and/or externally on a 24-7 basis at a realistic cost;
  • Back-up arrangements on site and offsite;
  • System and file retrieval testing processes and frequencies;
  • Comprehensive and complete documentation for all data processing and communications systems;
  • A comprehensive disaster recovery plan for IT functions and operations which is tested regularly and completely;
  • Downtime logging and prompt reviews;
  • Audit trail processes to support the accuracy and completeness of output reports;
  • Help desk activity levels – qualitative and quantitative measures;
  • User satisfaction survey and other responses; and
  • How, when and to whom is operational performance to be reported and monitored?

Monitoring and Reporting Issues

  • Setting objective key performance targets for each IT strategy and operating activity with which to monitor achievements and take remedial action if required;
  • Measuring activity levels to compare with throughput, speed, timeliness, access, downtime and other targets;
  • Comparing operating and capital budgets for IT with actual outcomes and obtaining explanations of significant variances;
  • Comparing key performance measures with industry benchmarks; and
  • Evaluating impacts of chosen IT strategies on the organisation’s risk profile, technological obsolescence, security, information flows and compliance.

Change Management Issues

  • Business cases supporting the analysis of options for new or upgraded hardware and/or software, programmed maintenance, consulting services and independent advice and reviews should be documented, reviewed and authorised at senior management and often governing board levels, depending on the size, impact and cost of the project;
  • Consideration of alternative sourcing options for IT services and support, including sharing IT services with related or other entities;
  • New IT service options such as additional databases to improve data availability and reporting; and
  • Introducing new systems and/or procedures effectively, on-time and on-budget.

Risk Management Implications

  • Processes to translate IT risks from the IT planning process to operational management and treatment; and
  • Quality assurance processes to support operational IT service delivery.

Compliance Matters

Impacts, if any, of proposed IT strategies on:

  • Key contracts with employees, customers, suppliers and service providers may all have IT and related risk implications requiring understanding, recording and monitoring and may include onerous provisions and clauses governing and/or restricting the collecting, processing and reporting of data;
  • Periodic reporting to the governing board and its committees (if applicable);
  • Supporting compliance with central agencies’ security policies and guidelines and any attestation requirements; and
  • Compliance with professional IT and industry-based standards (such as the Payment Card Industry Data Security Standard).

RESOURCES AND TOOLS

  • Central agencies’ IT security policies and compliance requirements;
  • Control assessment tools;
  • Change management tools and consultation processes;
  • Console log reviews;
  • Project management software;
  • ‘SWOT’ Analysis;
  • Exception Reporting against Norms;
  • Cause and Effect Analysis (‘Fishbone Diagrams’);
  • Root Cause Analysis;
  • Porter’s Five Forces Analysis;
  • Determining the Critical IT Success Factors of the organisation;
  • The Plan-Do-Check-Act (‘PDCA’) Cycle;
  • Analytical models for evaluating change management options;
  • Industry research and statistics; and
  • Action plans, responsibilities, budgets, timelines and performance targets.

FREQUENTLY ASKED QUESTIONS

1. Why bother preparing an IT strategic plan?

Experience shows that the organisations that take the trouble to research and document an IT strategic plan arrive, at the end of the period, much closer to achieving or exceeding their objectives than those that operate without a documented, formal, approved plan.  It also makes the task of reducing inherent IT risks more manageable for the governing board.  Complete success may not be certain but it’s a much higher probability.

2. How can I plan effectively over a number of years when so much about the future in IT is changing, unknown and/or uncertain?

A plan necessarily starts with what we know today; it forms a baseline.  Then we can add a mix of what we want to see happen (the objectives and strategies) and what we consider will occur in the future (especially in technological change, our markets, financial conditions, etc).  At that point, the framework of the plan is complete.  Then, resourcing needs (people, facilities and money) and constraints on them can be overlaid on this preliminary plan.  That is the first planning phase – to document and consult with stakeholders on what we know and can foresee as high probabilities, including the related risks.  After the governing board has approved those strategic IT directions, it is incumbent on management to update the plan when significant internal or external factors change.  It is rarely possible to know everything about the next three to five years (or longer) at the beginning of the planning period but some trends will already be apparent; others will emerge over time.

3. How can I manage my organisation’s IT function when I have no IT training or the time or will to start now?

As with other parts of the organisation’s activities, you can’t be across every detail of every activity all of the time.  So there is a mixture of solutions available to the governing board and the chief executive officer (and other members of the management team) including:

  • Employing one or more full-time or part-time IT professionals to advise on IT issues and manage the IT operations – in a larger organisation;
  • Outsourcing IT management to a specialist on a fee and performance basis for both implementing the IT strategy and operating the system on a day-to-day basis;
  • Training a medium to senior level employee as the organisation’s network administrator, with external support when required;
  • Engaging consulting services as required for particular needs, including risk assessment, security analysis, penetration testing, preparing a strategic IT plan, etc.

4. What should be included in an IT Strategic Plan?

At least the following items should be included so that the governing board has a coherent set of IT strategies to approve based on a detailed analysis of system and operational requirements and recommendations to meet its strategic objectives:

  • Strategic Purpose or Objective for the IT function;
  • An environmental scan of the present position of IT internally and externally and the likely environment that will apply during the planning period;
  • Strategic IT Goals;
  • Measurable Targets for the Strategic IT Goals;
  • An IT Strategy Statement – or Mission; and
  • An IT Strategy Map linking the organisation’s Vision, Key Results Areas or Critical Success Factors with [not more than 10] overarching Strategic IT Directions.

Preferably, the IT Strategic Plan should not be lengthy and it should be phrased in accessible language for all stakeholders.  More detailed considerations required to implement the IT Strategic Directions should be included in each annual IT business plan prepared during the planning period.

5. The cost of any of the options above would be high.  Is it all necessary once a system is installed properly?

Most organisations place heavy reliance on their IT systems for information to use in keeping the organisation solvent and running efficiently and effectively.  On the other hand, few people employed in most organisations have been trained or have acquired specific and detailed IT skills and competencies beyond those required to use a standalone computer, mobile phone, tablet or similar device.  Very few know how to fix this equipment or install, test, maintain and/or operate a network.  So it is not surprising that a significant cost is associated with having these skills available when they are needed and on call at other times.  The alternative can be business failure or at least unsatisfactory performance of the organisation and low returns on investment.

Where can I get expert help with my organisation’s information technology and managing its associated risks?

Simply . . .

Call me on:  +61 417 373 589

Email:  peter@strategicassurance.com.au

Visit (by appointment only):  Level 7, 470 Collins Street MELBOURNE VIC 3000 | ABN 62 064 547 275
