The third castor: IT Assurance

The IT Swami long ago had the vision of the three legs (or castors) of the IT Management chair: Service, Governance and Assurance.

Service is well established now, thanks to ITIL - at least in our minds if not so much in practice yet.

Awareness of Governance is slowly growing, sadly not as fast as misuse of the word (slapped on anything that measures or assures).

Much that is called "governance" should, I believe, be labelled Assurance. Here I use the word as a catch-all for assuring the safety of the organisation.

Those who assure are the agents of the governors. Assurers are the governors' representatives on the ground executing against the governance directives, ensuring the organisation

  • follows rules;
  • stays within bounds;
  • protects itself;
  • and complies with policy and anything else it needs to comply with.

Assurance covers two main areas, risk and compliance. It covers such topics as:

  • security
  • audit
  • problem management
  • PMO
  • quality
  • architecture
  • standards
  • human safety
  • suppliers
  • operational readiness
  • professionalism

All of these are aspects of monitoring and measuring the IT organisation to assure the interests of the shareholders and the safety of the organisation.

I believe there needs to be an active IT Assurance function. One CEO said to me "we have auditors for that". I replied that IT Assurance exists to ensure that there is nothing for the external auditors to find. (Actually I think it is worth leaving something for auditors to criticise, to make them happy).

[Update: the IT Assurance function aren't auditors (though one of their instruments is audit). They try to prevent a situation arising that would get an auditor's attention after the fact. It is a formalisation of what all those areas I listed already do: think quality control, architecture enforcement, safety education... It is a delegation of the CIO's responsibility to look out for the safety of the organisation. As such it sits under the CIO and reports directly. Why would a CIO wait to be audited in order to find out what is wrong with their department?]

Comments

Who pays for the auditors?

I believe there needs to be an active IT Assurance function. One CEO said to me "we have auditors for that". I replied that IT Assurance exists to ensure that there is nothing for the external auditors to find. (Actually I think it is worth leaving something for auditors to criticise, to make them happy).

I agree with you if and only if the auditors are reporting externally, to customers, to governing bodies or in some cases to the owning organization.

If you call in and pay the auditors yourself - they are your Assurance function. So you can use the auditors as that.

But I must challenge the Swami - I miss the 4th leg called change.

Service -> Will make sure I know what I need to provide to my customers/business side or whatever I strive to support. Demands change, so this results in new requirements.
Governance -> Takes in requirements from outside as well as own management to define what we want to do. Rules, regulations and strategy change, so again this results in new requirements.
Assurance -> Makes sure (I guess that's where the name comes from) that rules, regulations and strategy are met. It will audit (that is where your CEO was right) and produce findings. Findings require implementation of changes -> again new requirements.

So the basic production unit of future IT management is not Service, not Governance nor Assurance. It is Flexibility allowing Change to happen as all these 3 result in change.

There is no better place to be to find inspiration for new blog posts than your blog Rob. Thanks for that! It gets me thinking.

IT is losing Change

We in IT Management, from the CIO down, are losing control of the centre, of Production (will be a blog post on this if I ever get it finished, and I've spoken of it at conferences). In particular we are losing control of Change. To Agile developers in the business; to business units signing up for SaaS and Cloud; to end users who will run whatever platform they bloody well like and buy a new one when they like, and customize it constantly with apps downloaded from outside. This is the future. IT Change is controlled by the business and the users. We can only defend and attempt to influence.

As for the IT Assurance function, they aren't auditors (though one of their instruments is audit). They try to prevent a situation arising that would get an auditor's attention after the fact. It is a formalisation of what all those areas I listed already do: think quality control, architecture enforcement, safety education... It is a delegation of the CIO's responsibility to look out for the safety of the organisation. As such it sits under the CIO and reports directly.
