More Governance Than Ever

Author: Ramón Serres, CRISC, CISM, CGEIT, CSX-P, CDPSE, COBIT Foundation, CCSK, CISSP
Date Published: 5 January 2022

Few would doubt the need for proper enterprise governance, which, ultimately, ensures that direction is set, benefits are realized, risk is managed and resources are reasonably used. These four conditions summarize what governance is all about.

But sometimes seeing the negative side of a concept can help to better understand its meaning. Organizations that have exemplified the results of no or ineffective governance have:

  • Drifted without a clear direction set before they eventually collapsed
  • Made important investments that did not realize the promised benefits because there was no one to monitor that realization
  • Not carried out a proper risk assessment (risk identification, risk evaluation) and, therefore, were blind to threats putting their strategies at stake
  • Not monitored their consumption of resources (e.g., time, capital, people) and, therefore, not used them in alignment with what makes sense for the organization

These examples indicate that governance is necessary to run a profitable and sustainable business. As we head into 2022, several factors create uncertainty for enterprises and, therefore, drive them to tighten up governance mechanisms as a matter of business survival or, more precisely, as a matter of sustainability. Those factors include emerging technology, emerging regulations, contextual factors, democratization of technology and interest in environmental, sustainability and social issues.

Emerging Technologies

New technologies related to the application of blockchain, artificial intelligence (AI) and advanced data and analytics are not just gadgets to bear in mind. They are technologies that could benefit business. The use of these emerging technologies could create radical change, enabling new business models that can create opportunities for an organization and challenge traditional business models. These technologies not only affect the business model, but also support functions (e.g., finance, human resources, IT), pushing forward digital transformation.

Emerging technologies also need to be monitored by governance. This is because they can drive business opportunities that organizations should watch. Organizations may want to invest in these opportunities if the benefits outweigh the accepted uncertainty and risk. They can enable the business to grow or evolve.

On the other hand, it is important to keep an eye on these opportunities because they may turn out to be a threat to the business. If other business models evolve, it may leave the organization in a gradually shrinking corner of the market.

Emerging Regulations

Public bodies are gradually developing more regulations intended to create limitations, responsibilities and obligations related to certain technologies or business models.

Addressing these regulations is not as simple as implementing internal controls to comply with them. Good governance practices are also needed. For example, the EU General Data Protection Regulation (GDPR) was created to set limits on what organizations can and cannot do with personal data. There are also regulations on what enterprises can and cannot do with algorithms, which decisions may be made by algorithms and how transparent enterprises should be about the algorithms used in their AI.

Contextual Factors

Contextual factors (i.e., stability of the economy, of governments, of systems) have always been important. However, this context is changing at an accelerating pace. Enterprises can either turn a blind eye to it and keep working as they always have, or they can start monitoring these contextual factors as part of their governance practices. Doing so helps ensure that the direction that is set accounts for the most important evolving contexts, that risk and opportunities are monitored, and that resources are used in accordance with enterprise priorities.

Democratization of Technology

As technology gets closer and closer to the end user (it is as easy to start using as it is to pay with a credit card), certain technologies are easily encompassed in shadow IT. In that sense, complying with relevant regulations, applying proper risk management, protecting business information in accordance with its value and undertaking other governance activities become challenges, because the use of certain technologies is not in the control of the IT and information security functions.

This democratization of technology (pushed by the use of mobile devices and the development of pay-per-use cloud applications in Software as a Service (SaaS) mode) entails both risk and opportunities.

The democratization of technology needs to be covered by governance practices because if democratization occurs due to the lack of internal control, the enterprise cannot be sure it is managing risk in a consistent way.

Interest in Environmental, Sustainability and Social Issues

As investors and shareholders have increasingly demonstrated an explicit interest in environmental, social and corporate governance (ESG), it has become more evident that these domains must be scrutinized by the enterprise governance mechanisms (e.g., dedicated resources, follow-up by C-level) to ensure that objectives are clear, direction is set and the organization works effectively in the right direction. If direction is not clear, even if responsibilities are formally defined, the effective realization of objectives in these domains, or ESG as a whole, might be at stake. This is why large and especially listed organizations have formalized appropriate committees to regularly address the ESG strategy and monitor the execution of their plans.

Conclusion

Good governance practices are more necessary than ever. The four main factors of governance should be considered when setting the basis to strengthen existing governance mechanisms. Because the environment and the context in which enterprises operate are changing at such a rapid pace, translating into threats and opportunities for business, only robust governance practices will enable enterprises to evolve in the right direction for their long-term survival.

Ramón Serres, CRISC, CISM, CGEIT, CSX-P, CDPSE, COBIT Foundation, CCSK, CISSP

Is an industrial engineer who, after a long career in various IT domains, is leading the information security function at ALMIRALL (Barcelona, Spain). Serres has an extensive business and IT background in various positions and industries, including business partner, IT manager for strategic projects, IT factory manager, e-business consultant and management consultant. He is a passionate advocate for IT governance, risk management and all the disciplines covered by information security. He is also a regular collaborator with ISACA® as a contributor to the ISACA® Journal and a governance topic leader on ISACA Engage.