Technology Governance: Concepts & Practices

Technology

Governance

Concepts & Practices

Azhar Zia-ur-Rehman

AuthorHouse™ UK

1663 Liberty Drive

Bloomington, IN 47403 USA

www.authorhouse.co.uk

Phone: 0800.197.4150

© 2017 Azhar Zia-ur-Rehman. All rights reserved.

OECD (2017), OECD Publishing, Paris.

No part of this book may be reproduced, stored in a retrieval system, or transmitted by any means without the written permission of the author.

Published by AuthorHouse  02/14/2017

ISBN: 978-1-5246-7815-9 (sc)

ISBN: 978-1-5246-7816-6 (hc)

ISBN: 978-1-5246-7822-7 (e)

Any people depicted in stock imagery provided by Thinkstock are models,

and such images are being used for illustrative purposes only.

Certain stock imagery © Thinkstock.

Because of the dynamic nature of the Internet, any web addresses or links contained in this book may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them.

Contents

Foreword

Preface

1. What is Corporate Governance?

2. What is Technology?

3. The Conglosphere

4. Corporate Governance Principles & Codes

5. Governance of IT

6. Technology Governance

7. COSO & Technology Governance

8. King & Technology Governance

9. ISO38500 & Technology Governance

10. CobIT 5 to CoTiE

11. Technology Governance Process Reference Model

12. Implementing Technology Governance

13. Assessing Technology Governance

14. Conclusion

Foreword

I t is with great pleasure that I have accepted the invitation to write this foreword to the book Technology Governance Concepts & Practices authored by my dear friend, and fellow governance professional, Azhar Zia-ur-Rehman. I can’t think of anyone more suitably qualified to write and publish this important work. Azhar has an outstanding track record of accomplishment in the field of technology, audit, assurance and governance. This includes 17 years with Etisalat UAE, the Emirates Telecommunications Corporation, one of the largest mobile network operators in the world, with a total customer base of more than 167 million in 17 countries. With Etisalat, Azhar was Director IT Assurance, and subsequently Group Director responsible for Technical, Process and Governance audits and Fraud Management within all companies in the G roup.

Why is this book timely, and why is Technology Governance so important? To answer that question, let’s reflect on the causes of the last financial crisis. During the height of the crisis there was an estimated USD $ 900 billion of bank bailouts, failures, crisis mergers and acquisitions. According to the Financial Crisis Enquiry Report of the US Government it is stated: We conclude dramatic failures of corporate governance and risk management at many systemically important financial institutions were a key cause of this crisis. The CCP Research Foundation reports that the global banking industry has incurred more than £166 billion in fines, settlement fees and provisions in the past 7 years as a direct consequence of their failures in the governance and risk areas. The IFC-World Bank Group noted that the central irony of the governance failures that became apparent in the crisis is that many took place in some of the most sophisticated banks operating in some of the most developed governance environments in the world, notably the US and the UK.

Now we are on the brink of the 4th Industrial Revolution (4th IR). In his book with this title, Klaus Schwab of the World Economic Forum describes the 4th IR as being characterized by a fusion of technologies blurring the lines between the physical, digital and biological spheres. By this he means advanced robotics and humanoids, artificial intelligence and machine learning, smart factories, gene sequencing, nanotechnology, renewable energy, quantum computing, self-driving cars, train, buses, and trucks, AgTech, FinTech, RegTech, MedTech, and the list goes on. These are all new technologies, driven mainly by young bright entrepreneurs, operating in a lightly regulated environment, with insufficient governance oversight. Last month saw the founding by several technology-world elites of the Ethics and Governance of Artificial Intelligence Fund. The Fund has raised USD 27 million for research that hopes to protect humanity from the rise of AI. Prof Stephen Hawking believes we should be scared of robots and artificial intelligence because, as he says: The real risk with AI isn’t malice but competence. A super intelligent AI will be extremely good at accomplishing its goals, and if those goals aren’t aligned with ours, we’re in trouble.

There is already sufficient evidence to demonstrate that IT Governance is sub-standard across the world in many corporations and governments. Recently we witnessed the hacking of the e-mail system of John Podesta, the Chairman of Hillary Clinton’s presidential campaign, with the resulting damage to the election process due to the release of thousands of messages. It is suggested that his computer password was in fact password. In 2014, there was a massive data breach resulting from a cyber-attack against the US bank JPMorgan Chase that is believed to have compromised data associated with over 83 million accounts and 7 million small businesses. The data breach is considered one of the largest data breaches in history. In 2016 thieves stole $81 million from the central bank of Bangladesh by gaining access to the S.W.I.F.T. international bank messaging system. This month, a Turkish hacker, Ercan Findikoglu, was sentenced to eight years in a U.S. prison for his role as one the masterminds behind three cyber-attacks that enabled $55 million to be siphoned from automated teller machines globally. The message is clear. Criminals no longer need to enter a bank to rob it, money is now virtual, and the hackers are getting smarter. Client data has value, that is why Facebook is valued at USD 387 billion, so data is worth stealing.

Azhar starts his book with the following text: The concept of ‘technology governance’, or rather the lack of it, has been troubling me. I can only echo that opinion. Fortunately, there is a solution. This book provides clarity on the definitions, the standards, and the framework for technology governance which is an important source of information for both students and practitioners. Then Azhar brings his expertise to the forefront in Chapter 11 - Technology Governance Process Reference Model, where he merges the key requirements and principles of COSO, King IV, ISO38500 and COBIT 5. These are then used as the basis for a proposed Model comprised of 24 Processes, each of which contains sub-processes, goals and activities. This leads the reader to Chapter 12 - Implementing Technology Governance, with a step by step guide to the implementation of technology governance, consisting in total of 12 Steps. So far so good. But having accomplished the implementation steps, how do we seek assurance that all is working as planned? This is covered in Chapter 13 Assessing Technology Governance, where Azhar recommends that the assessment of technology governance requires a framework that includes process reference and assessment models, and concludes that such framework is provided by the ISO/IEC33001 Information Technology -- Process Assessment standard.

I would like to commend Azhar Zia-ur-Rehman for this serious work that addresses Technology Governance, one of the most important topics we face today in our rapidly changing world, with so many new technology challenges and risks.

Philip Weights, Managing Director

Enhanced Banking Governance GmbH

CH-8636 Wald Zürich

Switzerland

[email protected]

February 13, 2017

Preface

T he concept of ‘technology governance’, or rather the lack of it, has been troubling me since the very beginning of my professional career in 1980. I was working in a company that was manufacturing sophisticated telecommunications equipment and was using state of the art technologies of that time. These technologies included at least three sets –firstly, those related to the conception, design and development of telecommunications equipment, secondly those dealing with the design, development and use of manufacturing and testing equipment for these telecommunications equipment, and, thirdly, technologies that helped manage the financial, material and human resources of the company. These three sets of technologies were handled without much synergy between them and no formal coordination except at the highest level. The term ‘information technology’ had not become common yet – ‘data processing’ in glass houses was the norm. With time, personal computers started becoming common and they were used all over the company – design and development, production planning and control, manufacturing, testing, etc. Although they were ‘PCs’ all over, there was no central control of their efficient and coordinated use. I always wondered why all technologies in an organization are not managed in a synergetic and coordinated manner.

As I gained familiarity with more industries and got involved in the use of computers in industries as diverse as telecommunications, electronics, heavy engineering, manufacturing, health, yarn, textiles, retail, real estate, petroleum, construction, banking, government and municipal administration, I witnessed the same state of affairs everywhere. Then I saw some method appear in the madness of the telecommunications industry. The Telemanagement Forum¹ was formed to view technology from a higher perspective and define best practices for its use. No other industry I know of, has been able to bring a similar method into its respective madness.

I was lucky to get interested and involved in corporate governance, a domain dominated by lawyers and finance professionals. I saw corporate governance from the IT governance aspect and noticed the narrow view that governing bodies have on technology. While they understand the legal and the financial aspects, they rely heavily on the managers on technology aspects. As a result, I witnessed technology decisions in many companies that served more to enrich the curriculum vitae of technology personnel than the business of the company. I also witnessed technology decisions being taken in silos of technology domains, resulting in duplicated investments and mutually contradicting projects.

The concepts and practices that I have developed over many years and have presented here