Where the organisation has decided to implement the recommendations of the King III report, it is suggested that the following be implemented to fulfil the requirements of the IT governance chapter of King III:
13.1 A Board IT governance awareness programme be undertaken to ensure the directors understand all aspects of IT governance, for which they are accountable.
13.2 An IT charter be established, setting out the objectives of the IT function in support of organisational objectives, including sustainability objectives, and governance requirements of the IT function. The charter should also define all key IT governance structures and roles, and their decision-making responsibilities and accountabilities.
13.3 A set of policies, procedures and standards be implemented to guide behaviour in IT, in line with the IT charter.
13.4 A formal IT risk management function be implemented, with the CIO accountable for effective IT risk management and a specific person responsible for ensuring compliance with the required IT risk management practices. Under this process a formal IT risk register should be implemented.
13.5 An IT internal control framework be implemented, to match the IT risk register. The controls should be designed to clearly specify what actions are to be undertaken, at what frequency, by whom, and what evidence of executing these actions should be retained.
13.6 IT be awarded a dedicated section of the integrated report required by King III, with regular IT submissions being made.
13.7 A formal IT strategic planning process be implemented, including a procedure for the continual re-alignment of the IT objectives to those of the organisation.
13.8 The impact of IT on society and the environment be considered, together with how IT could promote sustainability.
13.9 An IT governance framework be established for the organisation, providing guidance on the process, structures and practices to be implemented to achieve effective IT governance.
13.10 An IT Steering Committee be established to oversee IT investment, priorities and resource allocation, on behalf of the Board.
13.11 The CIO should be the single point of accountability for IT to the Steering Committee.
13.12 An IT Strategy Committee be established, or responsibility for IT strategy be combined with responsibility for IT investment, priorities and resource allocation in the IT Steering Committee, so that the Board is involved in strategic IT decisions.
13.13 The IT Steering Committee should monitor significant investments for value in terms of IT strategy and appropriateness of resource allocation to the investment. Compliance with the procurement policy should also be monitored.
13.14 An IT vendor management process be implemented.
13.15 At a minimum, a basic IT value management process be implemented. Where feasible, IT portfolio management be implemented to track the value derived from IT investments.
13.16 IT should submit regular reports to the IT Steering Committee to enable the Board to monitor the execution of the IT strategy and IT service delivery in general.
13.17 A risk assessment process be implemented that requires at least an annual, comprehensive IT risk assessment and regular updates to the IT risk understanding, all of which are documented and monitored in a formal IT risk register.
13.18 The agendas of all risk and audit committee meetings should provide for a section on IT-related risk and control reporting.
13.19 Business continuity management should not be regarded as an IT responsibility, but IT should be able to clearly demonstrate how its IT service continuity planning satisfies business continuity management requirements, as is expected of all departments in the organisation.
13.20 Formal information management practices be implemented to monitor the quality of data and information, compliance with privacy regulations and stakeholder requirements, and information security management.
13.21 An IT compliance framework be implemented to ensure that all IT stakeholder, legislative, regulatory and corporate requirements are met.
Participant comment
ISO/IEC 38500 – Recommendation 14
14.1 An IT role player matrix should be implemented, showing all roles’ responsibilities and accountabilities, as well as which roles need to be consulted or informed in the performance of IT duties.
14.2 Performance management should be implemented at staff, structure and process levels, to monitor how responsibilities are being fulfilled.
14.3 An IT PMO should be implemented if no EPMO exists to manage all projects, including those in IT. The PMO accepts responsibility for the implementation of IT projects.
14.4 The systems development lifecycle and project management methodology should be formalised as mechanisms for implementing strategy.
14.5 A process should be implemented for integrating IT strategic planning and the operation of the IT PMO, in order to translate IT strategy into execution.
14.6 An enterprise architecture function should be implemented to blueprint core aspects of the business and the manner in which IT should enable it.
14.7 IT Infrastructure management should be implemented, with renewal plans to ensure that the execution of IT strategy is sustained at an infrastructural level.
14.8 Strategic sourcing should be practised as part of the IT vendor management process.
14.9 An IT assets lifecycle management process should be implemented to support IT planning and ensure the optimal use of IT assets.
14.10 Formal IT service support and service delivery processes should be implemented to ensure consistent, efficient IT services.
14.11 The key IT metrics should be defined, monitored and reported on an ongoing basis.
14.12 Formal processes should be implemented for IT planning, IT service management, project management, the systems development lifecycle, information security management, IT risk management, and EA.
14.13 Risk and control self-assessment should be implemented as a mechanism to continually monitor compliance.
14.14 IT roles and responsibilities should be formalised, including the following:
14.14.1 Formal job descriptions should be implemented;
14.14.2 Incompatible duties should be segregated;
14.14.3 Performance management should be practised in line with job descriptions;
14.14.4 Formal planning should be done for skills development and retention; and
14.14.5 Formal performance management should be implemented.
Participant comment
IT Sub-processes – Recommendation 15
It is recommended that sub-processes for the IT environment be formalised under each of the IT governance major processes, in line with the desirable practices recommended in this paper. Each process should be supported by policies, procedures and standards setting out the mechanisms, structures and controls for the effective operation of the process.
Participant comment
IT Control Framework – Recommendation 16
As part of the proposed IT governance framework, it is recommended that IT controls be formalised in an IT control framework, based on the COBIT 4.1 control objectives and other relevant control objectives, e.g. those contained in ISO/IEC 27000 for information security. The COBIT sub-paragraph above has dealt with COBIT in detail.
Participant comment
Supporting Documents – Recommendation 17
It is recommended that the policies, procedures and standards required to govern each key (high-priority) process be formalised, that a risk assessment be performed to highlight all high risk areas, and that an IT control framework be implemented to mitigate the identified risks. These documents should be reviewed and updated at least annually. The ultimate accountability for the effectiveness of policies, procedures and standards, and for the execution of risk assessments, resides with the CIO.
Participant comment
Architecture – Recommendation 18
Enterprise architecture (EA) is an important mechanism for integrating IT and the business. The proposed IT governance framework recommends that organisations should, at a minimum, embark upon an exercise to investigate an appropriate approach to enterprise architecture and document their findings, for consideration once the organisation has reached a level of maturity at which a formal architecture function becomes feasible. The framework is not prescriptive about the roles within the EA function or the reporting lines that should be followed.
Participant comment
Portfolio Management – Recommendation 19
Recognising the developing nature of portfolio management, it is recommended that organisations should: (i) explore how portfolio management will be utilised in future IT investments and management; (ii) establish a mechanism to align IT spend (and related projects) to organisational objectives; (iii) take note of the development and maturing of the Val IT framework; and (iv) consider how the ITIL Service Portfolio Management process could benefit the organisation.
Participant comment
Summarised Recommendation on Desirable Practices – Recommendation 20
To summarise the recommendations in this section, Table 1 maps the practices discussed in this paper to the IT governance major processes they are recommended to support.
Table 1 – Summary of Practices Supporting IT Governance Major Processes
Participant comment