Entertain Your Customers, But DO NOT Forget Governance: Basu
A typical dilemma for the CIO of a small or mid-sized enterprise is keeping a balance between business needs and business fundamentals. Most of the time we speak of ambitious plans for implementing the mission, IT security, business continuity planning, risk management, compliance with all statutory norms, software licence compliance, access control, data security and so on. But business owners are hard pressed to meet targets, manage losses and improve competitiveness, and in the process IT governance takes the beating. Based on my almost 30 years of experience in the manufacturing industry, I thought of putting down some ideas on how that balance can be brought in.
KYC: there is a standard term, DITLOC, which means Day In The Life Of the Customer. The CIO can spend a week with key customers, understand the pain areas and where he or she is hard pressed to bypass governance, and then try to plug those loopholes.
Learn before you teach: classroom training on governance and safe work practices is a must and needs to be repeated frequently to strengthen the knowledge base, but more important for the CIO is to learn the basic compliance needs of the business in question. It helps to draw a spider chart that maps the business compliance needs against the IT initiatives that address each compliance or security requirement.
Be polite but firm with your owners and stakeholders: some basic governance needs are capable of shutting the business down completely, and in those cases we need to be firm and communicate them as non-negotiable.
No alternative to knowledge: compliance regulations, security risks and legal and statutory requirements change every year, and if the business is in the pharma, banking or chemical sector these regulations are becoming more stringent by the day. It is important for the CIO to keep well informed and also to institute a mechanism so that team members are aware too. Membership of professional bodies helps.
Prioritise the initiatives: while it is worth taking a holistic view, trying to implement every measure under the sun at once rarely works; a phased approach is better. Make a practice of maintaining a risk register, reviewing it with all key stakeholders once a year and planning the initiatives from it. This can be done in conjunction with point no. 3, but a systematic approach reduces unplanned expenses and minimises sudden untoward incidents.
An organisation-wide governance framework helps: personally, I have seen that COBIT 5 provides a comprehensive framework for IT governance.
Budget planning: the question we quite often face is, how much is too much?
There is a catch-22 when planning the budget for such expenses. If we plan more than we can implement in a financial year, it shows poor planning; on the other hand, this is also an item for which, ideally, no budget can be planned. Sometimes the expense can be so large that it wipes out the IT budget completely. More importantly, when such expenses appear, the business conveniently passes the buck to IT for not foreseeing them.
The safest method is to include this budget as part of the business compliance budget and run the project as a business project, not an IT project. IT can be the executor and mentor but not the owner. The initial budget may be large, but it rationalises over the years. There is no ballpark figure readily available; it depends on the industry sector. But typically the budgets planned are of two types:
Manpower cost + software cost + consultancy cost + hardware cost: typically 10 percent of your IT budget.
Business exigency cost: expenses that may have to be incurred if a disaster happens: 50 percent of IT cost. The target is to make this expense nil.
Third-party support: quite often organisations are not aware of all the techniques, and dedicated manpower for IT governance may not be feasible. In such a situation the CIO can get trained in this area and deploy third-party support in the areas that are critical for the organisation.
Can we use governance as a business enabler? A big yes. Many customers see a lot of value in organisations that deploy IT governance as the framework for IT management: data is more secure, processes become well defined, employees are more systematic and the organisation is more homogeneous.