Every company, public body or charity in the world has to undergo some form of auditing of its accounts. This is, of course, because accounting for the money flows also shines a fairly bright light on the organisation’s general affairs for all stakeholders and authorities, from tax to stock exchanges to regulatory bodies to (they have to be acknowledged) its banks. Some form of auditing, often involving external scrutiny, has been standard in corporate and financial affairs for centuries. Other areas have seen formal oversight structures develop, from Dickensian prisons and workhouses to schools, hospitals, charities, places of work and-it may be surprising to some-financial institutions.
But for over half a century most of the larger organisations audited or inspected have been using computers for their financial and operations records. Since the end of the last century, most organisations of any size, even sole practitioners, have kept all of their records in electronic format. That certainly includes email correspondence of all kinds, as bankers and politicians and others have learned to regret. Some of the juicier scandals were more about bonking than banking, but the principle is the same. Enron emails may have been less sexy but they put some individuals in jail.
Woven strands
Governance is the broad issue, divided into several strands that are in practical terms almost inextricable. The primary one, clearly, is the business integrity and compliance. It could cover a multitude of things from sectoral regulatory compliance and consumer data protection to corporate human relations and prevention of employee misbehaviour (bullying and sexual harassment have not gone away) including embezzlement and fraud.
The other major strand is governance of the ICT that underpins almost all of the activity in the modern organisation. These days a large part of that is concerned with data protection in all of its guises, from straightforward corporate data and intellectual property to the third party responsibilities like customer information and personal data. An increasing proportion of data will actually be the property of others, from a client’s business plans or designs to actual transactional data when part of a supply chain, managed service or outsourced business process.
All of this then gets splendidly complicated when any of the parties is working with cloud services. Even if not, each relationship is based on mutual trust. That is fairly simple and does not require much ‘proof’ if it’s a matter of straightforward buy/sell with electronic records, less so if it is an online deal with electronic payment. When it comes to managed services and business process outsourcing, the digital relationships become in many respects more complex than the business ones.
Usual suspects
As so often in matters that are nominally about systems and software, when it comes down to practical reality there are the three ‘usual suspects’ to consider: people, process, technology. That is the view of Ruth Buckley, Cork City Council head of ICT and business services.
"In any area of governance, those are the perennial factors to consider because they are where problems will occur," said Buckley. "You have to consider them when designing or buying systems and always when you are looking at the performance of systems. In our area of local government, ICT generally is probably less subject to change than in business. So it is important to keep a close eye on projects and the associated change management because that is largely where problems may arise."
She adds that for many years now, Cork and other local authorities tend to stay with off-the-shelf software if it is largely fit for purpose. "It reduces the risks hugely. These are proven products, you can see reference sites and talk to users and install with confidence and the benefit of others’ experience. Usually a modest bit of tweaking has brought such systems very close to what we might have specified if we were designing the solution ourselves. We also formally test our systems and processes regularly, say every two years or even annually."
That is why Buckley is a firm believer in a structured approach to all projects, no matter how small. Cork City’s policy is to use the well-respected PRINCE 2 methodology [PRojects IN Controlled Environments] developed in the UK and mandated by HM Government for projects in the public sector. She points also to two other general-purpose project methodologies widely consulted by public bodies in Ireland from the International Project Management Association (IPMA) and Project Management Institute (PMI) which has an Irish chapter.
"Every project has a steering group led by two senior people from the relevant business department and ICT. What it is for, what it is expected to do and the functionality required all have to be worked out and agreed before the project starts. Then you need leaders with authority to keep it on track and on time and ensure it is sticking to the brief," she says. "That includes, by the way, removing any road blocks that may pop up."
Buckley is also a believer in peer review and external advice. "There is genuinely great cooperation and peer support in local authority ICT and the LGCSB, now the LGMA, is a great resource. We all do some software and systems development work and in fact regularly pass on gratis things like specialist add-ons to systems that one of us has developed. We are not in competition, so expert peer reviews and advice are readily available. Our colleagues are knowledgeable, experienced and friendly but frank."
Auditable SLAs
In the business world, eircom is a major corporation by Irish standards with the full governance requirements of a public company, telecoms utility and as a provider of managed services including cloud computing. "We are very conscious of the fact that managed ICT services will feel like a loss of control from our customers’ point of view because the kit and the operations are not on their own premises," says Enda Doyle, eircom director of assure and customer service. "Today, more and more services are cloud-based, which distances them even further. A major part of our role then is to ensure that customers are happy with that, which translates as top level, auditable SLAs."
The rise of managed and cloud services is in many respects a reflection of the costs and difficulty of having full sets of skills in IT departments at a time when our demands for compute and storage and communications have escalated to such a degree. "As a telco and service provider over generations and following the leading edge of ICT, we have quality control and regulatory compliance in the organisational DNA," Doyle believes. "In services and today in cloud, there is a lot of value in pedigree when customers are making provider decisions. We understand and provide fully for our customers’ needs for certainty in their own governance and that includes the services they pay us for."
The eircom team is totally familiar with the wide range of standards and regulations that are essential compliance requirements for its customers, Doyle points out, because they are literally daily business. "We cover PCI compliance, which is business-critical for so many, and literally all of the relevant ISO standards for governance and quality in ICT. Other demands are for Sarbanes-Oxley, which has not gone away, and for certified security standards. Where project work is done for our clients or in developing our services, we are committed to using ITIL and other methodologies and rigorous testing before deployment."
Service catalogue
The eircom strategy for providing compliant solutions has been formalised in recent years to a tightly defined and controlled service catalogue, each element of which incorporates the SLA and compliance mandates. That supports a standardised set of services which can be assembled into a tailored solution to support each client’s governance needs.
The acknowledged world leader in software testing is SQS, which has had a Dublin office for well over a decade. "We are a ‘soup to nuts’ service consultancy-anything in ICT with a Q in it," says Richard Power, director of service delivery. "I’ve been with SQS for 10 years and have seen a marked change in what clients want in recent years. Traditional functional and non-functional testing is still growing-we check to ensure that systems do what they claim and we try to break them. What may be very good for 500 concurrent users may start to creak at 800 and crash somewhere above that. But that traditional testing has been joined in a big way in recent years by briefs to define and implement quality governance frameworks. An important element of that is developing formal vendor management processes for our clients to manage their service providers."
It is becoming the norm to set quality and test expectations in the Invitation to Tender document, which are then followed through in the contracts and through the systems life cycle. "In general there are reasonably good quality governance frameworks in place," Power says, "Although consistent enforcement is required. Surprisingly often we see clients implementing testing that the service provider is obliged to undertake-and is being paid for."
Complications
Cloud services can complicate the picture for governance. "Is it a massive shift in service delivery or just an enabler and effectively another location? Some of our clients will simply not accept the idea at all. You certainly have to look at the sensitivity of the data and what guarantees can be given," Power says. "More and more service providers do commit to levels of rigour around security, performance and service quality generally. We recommend that clients place controls and measures in place to be satisfied that SLAs are being met, a structured system of measuring service providers against their commitments."
Asystec is a Limerick-based data management solutions consultancy that has developed a strong focus on the technology component of governance, risk and compliance. "This entire broad area is becoming critical," says Brendan McPhillips, director. "There are already serious penalties for third party and personal data loss or mishandling and even more onerous EU legislation coming down the track. When they are talking percentages of revenue that could be in millions, data governance becomes very important indeed. Irrespective of where such data resides-potentially a moot point in this cloud era-the manager or controller is responsible. That means ensuring that your controls and the systems that support them as effective as possible."
There are now a variety of tools to help organisations with Enterprise Governance, Risk and Compliance (EGRC), McPhillips says, but they generally help to implement certain key concepts:
- Map users to their data and permissions and ensure the profiles are reviewed and updated regularly
- Identify higher risk data sets and transient or moving data, including backup systems and media
- Automate the workflow processes that review permissions according to pre-set criteria meeting corporate policy
- Log all actions that could be sensitive, right down to file and spreadsheet level, to enable forensic examination if necessary
- Remove or curtail all unnecessary data access privileges to prevent ‘permission creep’
McPhillips is very clear that technology is essential in managing EGRC but it is the business owners of data that understand and have responsibility for access and delegated decision making such as purchasing. "IT does not have all of the contexts around access and decisions and degrees of risk. But with clear policies and rules, technology can ensure that the practical, day to day business processes conform to the EGRC requirements."
Tech and objectives
IT Alliance Group is an Irish company that has expanded into the UK market with a range of technology services including white label outsourcing for the trade (through its Dublin shared services centre) and expertise resourcing for projects and ongoing relationships. Mark O’Loughlin leads its Service Management Competency activity and is highly conscious of the rising importance of EGRC across all sectors. "There are the business and organisational strands and then the ICT involved. But they should not be decoupled although we have to talk about them separately in practical implementation terms. For instance it is all corporate governance but data protection is a specific and very significant area where the technology is what achieves the objectives."
The role of the IT department is changing in this regard, O’Loughlin says, becoming more like a broker of services and their accompanying SLAs. That in turn includes confirming and testing that the SLAs are being consistently delivered, especially in everything that impacts on the overall EGRC. "Service providers are already becoming more open and transparent about this, as they must if they are to compete in a market where ICT and other services are essentially links in a quality and compliance chain. That applies whether the service is a project with a life span or something continuous like systems or process outsourcing-or indeed whether the service is being provided in a regulated industry or not. It certainly includes cloud services, where the control systems are perhaps not as mature but we have to push for the best we can achieve."
Visibility
"From our point of view," O’Loughlin says, "It is essential to work and comply with the relevant best practice standards and methodologies and frameworks-and to be seen clearly as doing so. That can range from Cobit 5 to ISO:38500, which is still not as widely known as it should be. Project governance is essential in risk mitigation, as is structured and formal change control across all systems. Governance is in a sense aspirational, a set of objectives. But ICT controls are hard, defined, practical and increasingly sophisticated. They have to be to meet the risks and challenges. "
Subscribers 0
Fans 0
Followers 0
Followers