Compliance isn’t a word that evokes much excitement. The thought of creating an IT governance strategy for compliance purposes probably doesn’t put an extra spring in your step — unless you’re someone who actually enjoys doing your taxes.
But, when it comes to compliance, ignorance is not bliss, and it is not going to save your company from a lawsuit or reputational damage.
Like it or not, IT governance is a necessary part of doing business, particularly in today’s world of social media, mobile workforces, cloud computing and bring-your-own-device work policies. But it can also make your company more innovative and competitive.
The problem is, IT has many masters. Everyone wants a say in how IT is managed: regulators, industry associations, standards bodies, consumer rights advocates, shareholder activists and stock exchanges, to name a few. Compliance is about reconciling the demands of all of these masters. Obviously, this is no easy task.
But if you don’t have a process in place for IT governance, you’re putting your company at risk. “You don’t want to be the CIO that can’t produce evidence in court because it’s not reliable,” said Duncan Card, partner and co-head of information technology with national law firm Bennett Jones, during a seminar last month in Toronto on IT governance (sponsored by CIPS and ISACA).
One of the biggest risks is liability, such as a breach of legal or regulatory requirements, which could result in litigation and perhaps even millions of dollars in fines. There is also intellectual property infringement: you might be infringing on someone else's IP without knowing it if your organization has no policies for managing open source software (and the licence obligations that come with it) or for administering corporate blogs.
Then there’s reputational harm, which could result from IT failures, social media, leakage of confidential information or security breaches. “Sometimes the harm to the organization’s reputation is much more serious than the breach of IT itself,” said Lisa Abe-Oldenburg, a partner with Bennett Jones who spoke at the seminar.
Social media can cause a tremendous amount of damage to an organization’s reputation these days — almost instantly. And it can take years to recover from that, if ever.
Without an IT governance strategy, a company’s board of directors could be personally liable if they fail to produce records during an investigation. And yes, that could even mean jail time.
It is a lot of effort, just to please all of these masters. But compliance does not come without its benefits: an IT governance strategy not only helps to ensure compliance and mitigate risk, it can also create efficiencies, business process improvements, innovation and even competitive advantage. The effort is real, but so are the business benefits you can get out of it.
Clearly, it helps to have a good lawyer (or legal department, or external counsel). With their assistance, you can make sure your bases are covered. That means the C-suite and business managers need to understand the organization's IT infrastructure, such as how data is managed and how electronic records are maintained and retained.
Only then can you develop policies, processes and strategies to ensure the integrity of that IT infrastructure. In my next post, I'll explain how Toronto's Sunnybrook Health Sciences Centre is doing just that.