Information is a valuable business asset but is it managed in accordance with its importance – and by whom?
There is plenty of guidance available to help the IT function manage IT services from a provider’s perspective but guidance for the business on the other side of the proverbial fence is thin on the ground. Fortunately, COBIT® and BiSL® have guidance to offer because good governance implies good information management.
Governance Prescribes Management of Information
In governance circles, it is common practice to refer to information and technology as two separate entities that – although intimately interconnected – deserve to be governed and managed in their own right. For example, COBIT refers to “information and related technology” rather than to “IT”, and the King IV Report on Corporate Governance, on which the South African government has based its regulatory requirements, states that “The governing body should govern technology and information in a way that supports the organization setting and achieving its strategic objectives”.
It is always good to mention that a governing body never a part of the organization that is being governed – it is a separate entity that directs, monitors and evaluates the governed organization. An organization manages itself, but is verned by a higher authority.
Information is a Business Resource and its Management is a Business Responsibility
An enlightened way of looking at organizations in the service economy, as explored in the blog Service Science, is that they provide services to other organizations by the dynamic application of resources. Resources are not only human, physical, logical (e.g. the algorithms in software) and financial, but information is also a resource. Strangely enough, and this is probably a remnant of the goods-dominant industrial age, information is not regarded as a financial asset yet it is often most significant. The function of information is to reduce uncertainty so that good business decisions are made and acted upon. And as such, it should be managed in accordance with its importance.
The Association for Information and Image Management (AIIM) stipulates that this is a business responsibility, stating that “information management is a corporate responsibility that needs to be addressed and followed from the most senior levels of management to the frontline worker. Organizations must be held and must hold their employees accountable to capture, manage, store, preserve and deliver information appropriately and responsibly”.
Information Management is a Challenge
Yet this is more easily said than done. The State and Impact of Governance of Enterprise IT in Organizations research (University of Antwerp and Antwerp Management School, Steven de Haes, Anant Joshi, Wim van Grembergen, ISACA Journal, Vol 4, 2015) reported that 894 business, IT and audit managers said that information was the most important enabler yet the most difficult to manage. The risks of poor management are described in the COBIT® Enabling Information publication:
- Badly informed business decisions are hazardous and affect competitive advantage
- Misuse of systems or information undermines the analysis of costs and benefits in the business case
- When information or IT is handled badly, disclosure of sensitive information may accidentally occur
- Poor training leads to substantial productivity loss
- Business users abandon poor solutions, causing frustration with IT, unnecessary costs and other risks
Guidance for Business Information Management
Most IT industry guidance is aimed at IT service providers rather than at the consumers of IT services – “the business”. The aforementioned COBIT® Enabling Information publication refers to some well-established specialized guidance that has been compiled from the business perspective: “A useful reference framework to consult for more detailed management of demand and use of information is the Business Information Services Library (BiSL®)”.
High-level recommendations, based on cases where this guidance has been adopted (ASL and BiSL Case Studies, Yvette Backer, 2014), start with establishing business owners for information and systems and discussing their importance. Based on these discussions, various areas of responsibility should be organized in the lines of business. These areas of responsibility are:
- Functional user support: ensuring that users have someone to turn to when issues regarding the use of systems and information arise (this is often referred to as a key user or super user)
- Management of functionality: ensuring that the user organization understands how the various systems work, and defines functional improvements where necessary
- Management of information: ensuring that the user organization understands how information supports and drives the organization, and defines improvements where necessary
Key success factors are the inclusion of the user community in these discussions and investment in the relationship with the IT function.
While the IT function is neither responsible for nor capable of managing business information, it can discuss this with the user organization. The IT function point out how their business partners can improve their capabilities so that they can not only make better investments in information and related technology but also ensure that they realize value and get a good return on their investments.
Governance of information and related technology is not just about IT. Information is important enough to be managed in its own right. This is not the responsibility of the IT function but of the business that uses information as a business asset.
Key guidance is to establish ownership within the business and organize functional user support, functionality management and information management. The IT function can fulfil a valuable advisory role.