All about IT Governance

It is because,

a. Senior management of companies do not believe, they need to invest into something that *may* happen

b. DR is expensive - if you are not a storage company, your DR costs can skyrocket to the extent of listing them on your 10-k!

But think about it, what is not expensive? Automation is expensive, Regulation is expensive, Business Process Transformation is expensive.  Atleast, DR enables you to do the best at something you are good at - do it once, do it the best!

Yes - if handled right.

What values does it add? It will definitely stabilize the environment and avoid outages.

If SOX is embedded into day-to-day operations, SOX does add value. For that matter, any mature and proven process does add value.

However, SOX ‘values’ starts becoming visible when you formalize the changes - Systems, People, Day-to-day processes and Auditors.  For example, if there is a clear ‘training’ checklist to follow when a new hire is welcomed into the operations team or an employee is terminated, it avoids a lot of unwanted surprises due to changes performed by a new hire.

In our experience, SOX has specifically avoided surprises - people tend to ask questions, figure the rational behind the ‘urgent needs’ and tend to move towards a repeatable task.

When can SOX not add value? When SOX is not embedded within the day-to-day operations or when SOX is handled as a separate process from the day-to-day operational tasks.

MSP - new glorified keyword for ‘outsource vendors’ - Managed Service Providers.

MSP is glorified because, gone are those days where your project/program managers, Business Analysts, DBAs help run the Oracle ERP implementation while the rest of the team are all outsourced engineers.

Today, MSP is about giving an outsource vendor full responsibility of delivery - Design, Develop, Test. You build the requirements & delivery program while your production team will simply inherit the applications built to the your standards and to match the business requirements.

However there are inherent risks with this - Resource risks. People granted access to privileged accounts as part of MSP task needs to be terminated as soon the MSP employees leaves the company - the risk is, your confidential or sensitive data could be put in somebody’s hands who cannot be directly controlled by you. If you add culture difference between the companies and the country where the development is being performed, it is hard to not consider the risk.

However, by developing trust while meeting as frequent as once per week to understand who accesses have to be disabled would help reduce the MSP risk to a minimal.

I remember somebody asking me, why is there such a big fuss about program management - why is it so important?

Here is my response: Lets say, I have diabetis and I would like to lead a structured and sustainable life - exercise every day, eat small portions and more often, take medications,  avoid bruises etc. The keywords ‘Sustainable’ and ‘Structured’ is what makes a set of tasks ‘Program’.

The program should have objectives, plans, timelines and should be measurable.  Example Programs would be SOX program, DR Program, Outsource Management Program, IT Service delivery program etc.

What makes these a program? They all require a methodology to ’sustain’ the tasks/processes involved.