HelpSource Q&A

HelpSource Q&A
Author: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, MCA
Date Published: 1 July 2019

Question  We are an organization providing IT-based services, but we belong to the small and medium enterprise (SME) sector. Is enterprise governance of IT (EGIT) relevant for SME organizations? Are the available frameworks, particularly COBIT, different for different organizations?

Answer  EGIT is relevant and, in today’s environment, a must for all types and sizes of organizations. That said, organizations must choose the framework that they would like to adopt wisely. The decision to adopt a framework itself is a great step forward.

Research on IT governance has typically been done on large organizations. Research on smaller organizations has been limited, and research that does comes to mind indicates that IT governance structures in SMEs is quite limited. SMEs tend to have an idiographic profile with characteristics that differ strongly from large enterprises.1

Broadly speaking, SMEs differ from large organizations in many ways such as technology and environment, organizational size, and structural differentiation. These, in turn, influence the nature of instituted decision-making processes and structures, including IT. Governance structures in SMEs tend to be characterized by centralized decision structures as opposed to the hierarchical and institutionalized decision structures of large organizations.

IT governance is necessary to ensure that the business gains value through IT, which enhances shareholder value. It enables value creation by optimizing risk and the utilization of resources. This paradigm is true for all organizations that depend on IT for competitive advantage, efficiency, effectiveness, compliance, security and reliability of data.

International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC)'s ISO/IEC 38500 Information technology -- Governance of IT for the organization2 is the standard for IT governance, and COBIT 20193 is the framework for implementing IT governance within the organization.

The challenges faced by SMEs can be broadly viewed along two areas:

  • The ability to ensure that management is cognizant of the value IT brings to the table
  • Adequate resources on the IT team that make it capable to enable the previous point

Indeed, the primary focus of IT governance in COBIT is value creation achieved by realizing benefits and optimizing risk and resources.

SMEs generally face challenges in adopting COBIT due to its generic nature. They are good at setting business goals but find it difficult to set IT goals since IT is a comparatively small function. But it is interesting to see that many times their IT investment as a percentage of overall investment is the same as any large enterprise.

One COBIT user states that:

The organization must identify for itself what it needs from IT and how expansion can serve those needs. Within this paradigm, however, COBIT 5 offers a set of structured processes to smooth the transition and ensure that such growth is a symptom of improvement, directed by a knowledgeable and engaged board. In an ongoing application of COBIT 5, in fact, this should become a matter of course as the framework develops and provides the components of a continual improvement life cycle. This enables the enterprise to fully leverage COBIT’s strengths, thereby developing a mature, flexible and effective IT function.4

A blog post summarizes that, “It really is a misperception that COBIT 5 and IT governance is only relevant to large organizations when, in reality, it is an equally if not more essential ingredient for the SME."5

These suggestions should be considered while implementing IT governance in SMEs:

  • SME senior management should be involved in IT governance interactions with a focus on enhancing performance of IT efficiency, effectiveness, reliability, security and compliance.
  • Although SMEs, corporate executives and operational executives are busy and small in number, they should be involved in IT governance processes.
  • SMEs should develop and implement a framework for risk management, defining business goals and IT goals.
  • Communication of IT governance policies, guidelines and practices within the organization should be established using a number of accessible channels.
  • SMEs should develop and implement a mechanism for performance monitoring of resources to optimize them.
  • It is important to establish periodic review meetings with corporate and operational executives to make corrections in long-term strategies based on risk and performance monitoring.

Considering the current trend of start-ups that bring innovative concepts and ideas to market, it is fair to assume that more and more SMEs will be in business. SMEs are essential for globalization and, therefore, they should focus on IT governance.

Endnotes

1 Lee, M.; “IT Governance Implementation Framework in Small and Medium Enterprise,” International Journal of Management and Enterprise Development, vol. 12, iss. 4-6, 2013, http://www.inderscienceonline.com/doi/abs/10.1504/IJMED.2013.056445
2 International Organization for Standardization/International Electrotechnical Commission ISO/IEC 38500 Information technology—Governance of IT for the organization, http://www.iso.org/standard/62816.html
3 ISACA, COBIT 2019, USA, 2018, xhrj.yutb.net/COBIT
4 Milner, L.; “COBIT 5 Advantages for Small Enterprises,” COBIT Focus, 17 November 2014, xhrj.yutb.net/COBIT/focus/Pages/COBIT-5-Advantages-for-Small-Enterprises.aspx
5 Lane, M.; “IT Governance for Small and Medium Business,” Orbus Software, 5 September 2014, http://www.orbussoftware.com/blog/it-governance-for-small-and-medium-business/

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Has worked in IT, IT governance, IS audit, information security and IT risk management. He has 40 years of experience in various positions in different industries. Currently, he is a freelance consultant in India.