Definition of “Framework”:
A basic conceptual structure used to solve or address complex issues.
IT Governance Framework
An IT Governance Framework is a system by which the current and future use of IT is directed and controlled. At the centre of an IT Governance Framework is the assignment of decision-making authority and accountability of individuals for the decisions they make, particularly when these decisions impact on the organisation's strategic goals.
An IT governance framework comprises 3 tiers:
- At the Board level: directors Evaluate, Direct and Monitor the performance of IT against plans, internal policies, external obligations and strategic objectives.
- At the Management Level: management Plan, Supervise, Check and Act to effectively and efficiently leverage IT resources and to drive continuous improvement. (A management system that includes policies, plans, organisational structures, processes and governance mechanisms is used to enable the effective management of IT resources and ensure continuous improvement.)
- At the Process Level: activities are performed, controlled and checked in alignment with business objectives.
Governance occurs at the strategic, tactical and operational levels through the assignment of decision‐making authority and accountability to encourage desirable behaviour in the use of IT. The Board approves the IT Charter and assigns responsibility to the CIO to implement IT Governance. The CIO uses the accountability framework to clarify who is assigned which responsibilities for the various roles in IT and the business.
An accountability framework is the first step to clarifying the assignment of responsibilities across a number of roles. Current role descriptions are mapped to the key tasks that underpin the IT services provided using process models (e.g. CobiT and ITIL) as a reference. Duplications are removed and gaps closed.
Authorisation Framework / RACI Workflow Chart
Further granularity in the assignment of responsibilities and decision‐making rights is established through the analysis of the workflow between individuals, and between the processes they use.
A structured set of activities that achieve a specific purpose is a process. There are a number of process frameworks that are useful reference sources for information about IT processes. Popular frameworks are ITIL, CobiT, ISO 12207 and ISO 15288. However, the best process framework is the one that evolves internally.
IT Controls Framework
Control activities occur throughout the organisation, at all levels and in all functions. Put together in a generally accepted process model, they form a controls framework. Control activities are part of the processes by which an enterprise strives to achieve its business, financial reporting, operational, compliance, health, safety, social, environmental and sustainability objectives.
Control activities are the policies, procedures, general, application, user and company‐level responses that help ensure risk responses are properly executed.
A controls framework describes a single, holistic approach to mitigating risks through the selection and implementation of controls.