In the global context today, sourcing is a hybrid model of in-sourcing and outsourcing, with a multi-vendor strategy that leverages best-of-breed specialist vendors to bring industry best practices to your doorstep. Decision making on business solutions is faster and more practical when Centers of Excellence drive the strategies. While the business dimensions (as shown in the picture below) continue to be managed by the CXOs, the IT dimensions are largely driven by the outsourcing directives. Governance plays a crucial role in managing the two dimensions while controlling the components outsourced to the various vendors. The key governance objectives are as follows:
Architectural Governance
Architecture Governance is the management and control of enterprise-level architectures. Conceptually, it is an approach, a series of processes, a cultural orientation, and set of owned responsibilities that ensure the integrity and effectiveness of the organization's architectures.
There are three important elements of an Architecture Governance strategy that relate particularly to the acceptance and success of enterprise architecture with the stakeholders, partners and vendors of the enterprise:
- A cross-organizational Architecture Board consisting of technical, business and management representatives to formulate and oversee the implementation of the IT governance strategy
- A comprehensive set of Architectural Principles to guide, inform and support the business in implementing its mission through IT
- An Architecture Compliance strategy to ensure that all project teams (in-house and vendor outsourced) comply with the agreed Architectural Principles
Information Security Governance
One of the greatest risks facing an outsourcing engagement in the financial services sector is a lapse in information security and the consequences that follow from it. Information security governance therefore needs to be a critical component of any overall Project Governance framework. Unfortunately, Information Security Governance is not well understood and even less well executed.
Information Security (IS) governance is the activity of developing and managing consistent, cohesive policies, concepts and procedures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification or loss.
The main components of IS include:
- Data security: ensuring the security of data being processed through measures such as data scrambling (masking sensitive fields before data is shared with a vendor or used outside production)
- Network security: addressing unauthorized access by ensuring the isolation and segmentation of the network, so that a vendor's connectivity reaches only the systems the engagement requires
- Personnel security: reducing the risks of human error, theft, fraud or misuse through measures such as background checks on all employees (in-house and vendor) with access to sensitive information
- Physical security: addressing the risks inherent to organizational premises and the ability of the physical infrastructure to protect assets
Having a governance structure on top of these four components is necessary for the successful implementation and monitoring of IS policies.
Adopting the right Architecture and IS governance strategy
The decision on what checks and balances to put in place, and what approach to take while formulating a framework for architecture and IS governance, is not one that can be made in isolation. It has to be derived from the sourcing model envisioned for the engagement.
The larger question, "Why is this sourcing initiative being considered?", is critical. Unfortunately, traditional architecture and IS governance frameworks have not considered this aspect. The bottom line is that not all sourcing relationships are equal. The purposes and expected outcomes of the deals vary widely, and therefore everything about them, including IS governance, should vary as well. Understanding and choosing which relationship best fits a company's business strategy, and which IS governance approach best suits the sourcing model, lays the groundwork for all subsequent decisions on security.
Conclusion
In order to manage complexity and risk, organizations need to create governance structures that span the legal, financial, performance, resource, architectural and information security dimensions. While traditional project governance frameworks have focused on the legal and financial aspects, architecture and IS governance have not been considered until late in the process (if at all). There is, however, a growing realization of the criticality of these components, especially for the financial services industry. Any lapse in information security or architecture governance could have disastrous consequences, including interruptions to the business. Hence it is prudent to ensure that metrics for information security are quantified and benchmarked, so that the security of your organization's information assets can be assessed and tracked, before embarking on an outsourcing exercise. Similarly, it is critical to have an Architecture Board that has the stakeholders' buy-in, architectural principles that are in tune with the philosophy and culture of the enterprise, and strict enforcement of those principles across the organization.