The COBIT 2019 framework defines seven components of a governance system that individually and collectively contribute to the good operations of the enterprise system over information and technology. Among those components is information flow.
Information flow is defined as the movement of information between people and systems. COBIT focuses on information required for effective functioning of the governance of the enterprise. Understanding information flow is a critical component for the governance system to succeed. The lack of understanding of this component has led to many boards being deemed ineffective.
The question is how to build information flow models that can support organizational structures overseeing information technology. There are internal and external committees assigned the responsibility over IT and such structures have different levels of authority. Therefore, any model adopted should take into consideration the requirements of these committees and should ensure that adequate information sharing exists among these committees.
The committees share information about the organization’s strategies, risks, challenges and successes. Information misalignment within these committees can result in delayed decision-making or lead to rushed decisions that may not have a positive impact in the management of the organization. The diagram below depicts typical organizational structures that manage the governance of enterprise IT and the information flow between them.
Information flow from IT management to the board represents a bottom-up approach. What are the issues raised at the IT management level? The issues that are raised at IT steering committees and the information that is finally shared with the board relies heavily on the maturity level of an organization’s information flow level.
Different understanding exists at the IT management level and at the internal committee level. The degree to which information is distorted among these different committees also affects the final product shared with the board. Sub-committees of the board such as the audit, risk and technology committees need to have mechanisms that will ensure that there is adequate information sharing. Both management and the board need to ask relevant questions to guide them in gathering the right information upon which they can make reliable decisions. The board should be empowered to ask the right questions concerning information flow while management should be good stewards to communicate relevant, accurate and easily understandable information.
What is key is to note that good information flow makes the board effective. EY’s report Board Effectiveness – Continuing the Journey suggested six questions be asked pertaining to information flow at the board level:
- How do you ensure that as a non-executive director you have all the information you need, presented in an appropriate manner to enable you to carry out your role?
- Does the board decide on the information it needs from management to make informed long-term decisions for the company?
- How have you influenced the content/length/structure of board papers over the past few years? What could be done to improve them further?
- Are your board information and agendas structured to reflect the interests and objectives of the board?
- How do you demonstrate the quality of board information and decision-making to shareholders?
- What information sources (outside of board papers) do you have access to and make use of to obtain a holistic view of the market and the industry? Does the company furnish you with these resources?
Although the above questions address board members, IT management and internal committees can use the answers to the questions to build information flow models that support effective governance systems within the organization. It is therefore essential that when reviewing components of a governance system using the COBIT framework, that the component of information flow and items be analyzed critically.