Pretend for a moment that Alberta is not a province but a really large company that has managed to enter a lucrative market at just the right time with some great products and is experiencing some tremendous growth. This is the point where, amid the scramble to milk as much revenue as possible and scale the business, problems within the IT systems creep in which prove fatal, or least near-fatal, when the company enters a rough period. That’s what makes the recent Alberta Auditor General report so important.
According to Fred Dunn, whose staff conducted a sweeping review of all the government departments, the systems that manage public data lack the controls, or anything that would measure the effectiveness of Alberta’s IT investments, the risks to which they are exposed or any real best practices.
“No department has an overall well-designed IT control framework, or has completely implemented well-designed and cost-effective IT controls and processes,” the report says. The implications Dunn’s team outlined are that Alberta’s systems could face security breaches, data could be lost, or service costs could escalate due to downtime or other problems.
What’s interesting about Dunn’s report is the case it makes for COBIT, or Control Objectives for Information and Related Technology. As I reported earlier this year, the IT Governance Institute (ITGI), which publishes COBIT, conducted a survey this year which showed many companies have a high awareness of COBIT but say they lack the employee or other resources to properly implement it as a framework. This is the kind of excuse you might expect the government of Alberta to make, but Dunn’s report pre-emptively responds to it.
“This process does not have to be onerous, time consuming or expensive. The cost of adopting a control framework is, in itself, not high. The cost increases only as specific controls are implemented,” the report says. “And, a disciplined approach requires organizations conduct a risk assessment, determine their exposure to risks, quantify the costs of mitigating them, and then implement controls only if they are cost effective. For example it is not cost effective to implement a control costing $10,000 to safeguard an asset worth $1,000.”
The same thing could probably said of many other private sector organizations that have put off COBIT adoption or ignored the need for an IT controls framework altogether. The impression I sometimes get from organizations is that controls projects never seem to end, and that’s exactly true. As your environment changes and evolves, controls may have to be updated in tandem, depending on your goals and the level of governance you’re trying to reach. ITGI recently said, in fact, that it will be coming out with an additional framework later this year, which one executive described to me as a sort of add-on to COBIT, that deals specifically with risk management. Although Alberta is reportedly set to implement COBIT within the next year, Dunn’s office may suggest they look more specifically at the risk management piece.
Although the current boom in Alberta doesn’t necessarily mean everyone there is getting rich, it puts more pressure on the government there to show it can manage its good fortune effectively. Its IT systems will be a part of that, because a good controls framework ensures things won’t just run well when the oil strikes, but when everything dries up, too.