Step 3: Assess IT/business alignment and identify required actions. Organizations can benefit by reviewing the processes and disciplines that support business alignment and IT strategy to determine what specific enhancements are required to make them effective.
This review can be conducted using frameworks such as Information Technology Infrastructure Library (ITIL) or Control Objectives for Information and Related Technology (COBIT) to guide the analytical process and include the appropriate processing considerations.
Step 4: Use architecture as a filter. Once process-improvement initiatives are identified and prioritized, requirements for each initiative can be defined. These requirements should include specifics regarding the use of people, processes, technology and controls.
To help drive architectural leverage and consistency, new requirements should be analyzed to determine how existing architectural services (e.g., a controls service or security process) might be used, and how new services that must be created can be effectively integrated into the architecture to enhance its overall processing capabilities (e.g., improving its structure, its service capabilities, or its overall processing control and work management).
The results of this process will be a detailed plan for specific initiatives that are consistent with the organization’s architecture and leverage its capabilities.
Step 5: Execute the plan. Once the requirements are known and the plan is in place, the work to improve the key IT processes can begin. For most organizations, this plan will be phased in over some period of time, with the activities prioritized to maximize early benefits and to spread the cost over a reasonable period.
One of the highest priorities, however, should be to put into place those aspects of governance that can act as a “shield” to mitigate the risk of old problems recurring as the organization moves forward in carrying out the plan.
Step 6: Maintain continuous improvement. Most organizations derive significant benefits from incremental improvements in IT strategy, IT architecture, change management and IT governance. In addition to working toward the desired state in each of these areas, organizations should continuously monitor their current effectiveness.
Missed deadlines, dissatisfied users, cost overruns, processing vulnerabilities, manually intensive business functions and difficulties in responding to business changes are all indications of the need for additional improvements.
While organizations have had great difficulty in meeting various regulatory or other compliance requirements, what they have learned has empowered them. Information they now have about management, risk, and controls can help leaders view their organizations in new ways. It can also change how they conduct business and operate in the future.
To fully leverage the opportunities afforded by compliance efforts, organizations should recognize the value of IT, invest in it, and build the necessary support to make it a reliable agent of change and a major contributor to fundamental business effectiveness.
Richard Anderson, based in New York, is a principal in KPMG LLP’s Information Risk Management practice and can be reached at 212.872.5588 or [email protected].
Steven Hill, based in Dallas, is a principal in KPMG LLP’s Advisory Services practice and can be reached at 214.840.4455 or [email protected].