May 2005

It's not rocket science: ICT governance efforts aided by new Australian standard AS8015

Most organisations are now critically dependent on information and communication technology (ICT) and related services.

New Australian standard an important development

If you are an owner, board member, director, partner, or a senior executive or similar with responsibilities relating to ICT, it is worth spending a few minutes on a recently issued Australian Standard: AS8015-2005 corporate governance of information and communication technology (AS8015).

The proliferation of computers and telecommunications infrastructure, combined with applications like email, phone, web sites and faxes, has to date been irresistible across the globe. Australia has been no exception to this global trend, and there is some evidence to show we have gained tremendously from our cultural love of new technologies.

But experience has also shown that advantages delivered by ICT (such as reduced expense, speed and flexibility) have been lost or not delivered to some organisations because of problems with the design or implementation of the management systems associated with ICT initiatives.

AS8015 applies to small and large organisations

AS8015 is intended to provide guiding principles to any organisation, from the smallest to the largest, including private and public (listed and unlisted) companies, not-for-profit organisations, associations, clubs and government agencies.

The Standard will have application to just about any organisation, either because you are a supplier of ICT related goods and services or more simply because you implement and use ICT in your business.

AS8015 doesn't just apply to computers

AS8015 applies to resources (computer-based or otherwise) used to provide information and communication services to an organisation. This includes human resources - the 'people in the process' we hear about so much from business analysts.

Six principles of good corporate governance

AS8015 provides six guiding principles for good corporate governance and the effective, efficient and acceptable use of ICT. The six principles (and examples of each) are:

  1. Establish clearly understood responsibilities for ICT (eg, ensure individuals understand and accept their responsibilities)

  2. Plan ICT to best support the organisation (eg, ensure ICT plans fit current and future needs and the organisation's corporate plans)

  3. Acquire ICT validly (eg, ICT acquisitions should be made for approved reasons and in the approved way; on the basis of ongoing analysis)

  4. Ensure ICT performs well, whenever required (eg, ensure ICT is fit for its purpose and is responsive to changing requirements)

  5. Ensure ICT conforms with formal rules (eg, ensure compliance with external regulations and internal policies and practices)

  6. Ensure ICT use respects human factors (eg, ensure ICT meets the evolving needs of the 'people in the process')

Guidance for owners, directors, consultants and senior managers

For those who are responsible for good corporate governance of ICT, AS8015 includes a useful table which, in just three pages, lists actions to implement each of the six principles.

These are stated to be applicable "to most organisations most of the time and any variation should be well considered", and we support that approach.

Whether you are a sole trader or a stakeholder in a private business, or responsible for ICT in a club or charity, or Chairman of a large listed company, we think you will benefit from considering the framework provided in AS8015 and applying it to your own situation.

Responsibility for ICT may be delegated, so that an employee or contractor may in some cases be liable for failing to engage in good corporate governance relating to ICT. Despite this, the ultimate accountability for ensuring corporate governance relating to ICT will generally remain with the directors or senior management of an organisation.

While adherence to the Standard is clearly not mandatory, often an organisation will agree to comply with relevant Australian standards to satisfy some other business imperative, eg, a financier's requirement in a loan or mortgage agreement, or a telecommunications carrier or ISP's requirement in a web site hosting or network services agreement.

What to do next

You can buy a copy of AS8015 from Standards Australia - follow the 'buying standards' link at www.standards.org.au  

After considering AS8015 and your own situation, you may find that everything is under control. Or you may identify areas where you can improve, or where urgent remedial work is required.

An ounce of prevention is better than a pound of cure, and it is better to discover for yourself that your approach to governance of ICT is wasting resources, or exposing your organisation to unacceptable risks, than to discover the same thing from the arrival of a legal suit or to find your company is unable to manage an ICT emergency through lack of resources.

If you are concerned about your organisation's implementation, use and management of ICT, AS8015 provides a benchmark to assess potential risk exposure.