Three Simple Principles of Governance in Financial Services

The word governance comes from the Greek kubernan, which means “to steer a ship.”  That origin captures what governance is: a methodology for steering a company through waters that are oftentimes rough.  Successful seafaring relies on 3 simple principles:

  1. Any activity that is done must bring value.  This is called value delivery.
  2. Wherever there is value, there is risk.  Risk must be managed.  This is called risk management.
  3. Resources must be utilized properly.  This is called resource optimization.

This is how you govern.  And it is how you govern any organization, of any type or size.

Let’s examine briefly how these principles can be applied to governing information technology (“IT”).

1. Value Delivery.

Value can be delivered in many different ways.  For instance, the decision to invest in a new IT project or application can increase a company’s revenue stream.  Or, the decision to outsource a service can curb costs and increase margins.  But value is not just money.  It can be intangible.  This is why the book value of a company is different from its market capitalization.  The difference comes from assets that are intangible.

In the last 50 years, we have seen most company assets move from being tangible to being intangible (e.g., customers, innovation, processes).  Intangible assets are not measurable through typical financial means.  You cannot put a price on innovation, or the processes or customers you have.  But they deliver value.  And good governance demonstrates this.

Similarly, effective regulatory compliance can deliver value.  Regardless of how one feels about governmental regulation, it exists, oftentimes to protect our companies and the companies of our competitors from systemic risk.  Organizations must abide by it or face penalties and untold liability.  Therefore, decisions regarding the pillars of governance – leadership, organizational structure, and processes – deliver value, not only in the self-preservation of company assets, but also in limiting regulatory exposure and potential unfavorable judgments.  This is particularly important as IT departments try to secure information against cyber threats that can be existential for the business.

2. Risk Management.

Risk management can be summarized in two words: establish accountability.

To understand the concept of accountability, it is helpful to distinguish it from the concept of responsibility.  Though these terms are often used interchangeably, they are distinctly different, particularly when it comes to risk management.  Essentially, you can have ten people responsible for managing IT risk, but you must make one person accountable.  In other words, if the risk is not managed correctly, the one who is accountable is the one who gets “shot.”[1]  Given such stakes, chances are good that the risk will be managed properly.

Having established accountability, you must structure your organization accordingly.  The golden rule here is that anyone who manages risk should not report to anyone who delivers value.  In other words, the risk management head should not report to the CIO, a value deliverer.  This is plain separation of duties: the person whose projects and deadlines security slows down should not also be the one deciding whether security is adequate.  The CIO will always view risk or security management as a necessary evil and look for ways around it.  This can only lead to one thing: trouble for the entire organization.

3. Resource Optimization.

IT resources include people, data, applications, technology and facilities.  From an IT governance perspective, people and data are the most important.  After all, given enough time and money, you can develop applications and technology, and you can rebuild your facilities.  But if you lose your data, or the loyalty of your people, you have essentially lost your business, because they represent your knowledge.

By one common estimate, 80% of an American company’s value today is based on its knowledge.  When IT first started to proliferate in the 1950’s, it was called data processing.  Then, in the mid 1970’s, people started to realize that all this stuff was not just data.  They depended on it.  It was information.  So they started to call it information processing.  But when a tremendous amount of information is accumulated and put to use, it starts to add value, and that is knowledge.  Now we call this area knowledge management, and IT is charged with managing it and protecting it from loss or attack.

Human capital has a similar history.  In the 1950’s, when people talked about the success of a company and about its capital, they mostly talked about financial capital.  Then the transitions that took place were technological: technological superiority determined which company was better.  Today, the superiority of an organization is driven by human capital, because it is the innovation capability of human beings that brings out new products and services.

It is critical that an organization’s people and data are utilized properly.  This can be achieved by making sure: (i) adequate human skills exist and are retained through proper training and education; and (ii) appropriate processes are put in place to manage IT projects and operations.

So there you have it, the 3 seaworthy principles of governance.  In closing, I am reminded of what an admired professor, the one who taught me everything I know about governance, once told me, “Complexity is a combination of many simplicities.  Once you understand these simplicities, you can understand the complex.”[2]  By simplifying governance to 3 core principles, hopefully navigating the waters, regardless of how complex they may be, becomes easier.  Thanks Jay.

[1] Jay Ranade, renowned governance professor at the ISACA NY Chapter, adjunct professor at NYU and St. John’s, and World Power Breaking Champion.

[2] Ibid.