Governance and cloud computing

Over the next two or three years, different organisations, in the form of alternative business structures, will be offering legal services. Many will emerge from outside the legal sector and will almost certainly employ IT models currently in use within the commercial sector. One such model is cloud computing.

Cloud computing is a web-based hosting service, sometimes known as SaaS (software-as-a-service), and it comes in two forms. Public cloud computing is subscriber-based, universally available and scalable for single or multiple organisations, whose data is hosted on farms of virtualised servers around the world. Private cloud computing is similar, but is delivered as a service to internal customers, using internet technologies, on infrastructure the organisation controls.

Cloud computing is available on an infrastructure, platform and application basis (IaaS, PaaS and SaaS). The variety, type and number of services capable of delivery in the cloud model pose a significant management problem: they promise to proliferate faster than the ability of cloud consumers to manage them.

Risks

Some key risks arise from cloud computing. Principally, they revolve around the management, confidentiality and security of data. The storage of vast amounts of outsourced data in server farms across the world presents the potential for data leakage, contamination and interference.

Equally problematic is the location of data. The Data Protection Act 1998 contains strict provisions governing the storage of personal data and its transfer outside the European Economic Area. With data located globally in server farms, how can an organisation be sure of: its location; the competence of its management; its protection from interference; its confidentiality; its security; the ability to secure access to it; its safe return; and the competence of the supplier in the whole operation?

Another concern is performance reliability and standards – unscheduled downtime or unexpected faults in the supplier’s systems can result in significant loss to an organisation.

Although a simple concept, the cloud model has the potential to develop into a complex range of IT projects. Some organisations may need to 'mix and match' their portfolio of IT functions, outsourcing more complex, tailored services through a traditional dedicated supplier while entrusting more commoditised services, such as e-mail, to a cloud provider. Others may opt for a combination of dedicated single-tenant services and multi-tenant services, and even combine them with traditional in-house or outsourced services.

A major safeguard against the risk of cloud project failure through mismanagement is the adoption of governance principles at three levels: corporate governance, IT governance and project governance.

Corporate governance

At board or partnership level, corporate governance is defined as:

  • clearly defined roles of responsibility and accountability;
  • transparent decision-making;
  • taking account of the interests of shareholders and other stakeholders;
  • risk management, including compliance and information security.

Sections 171-177 of the Companies Act 2006 set out the general duties of company directors (they apply to all companies, not only listed ones), which may be summarised as:

  • acting within their powers;
  • promoting the success of the company;
  • exercising independent judgement;
  • exercising reasonable care, skill and diligence;
  • avoiding conflicts of interest;
  • declining benefits from third parties; and
  • declaring any interest in proposed transactions and arrangements.

IT governance

IT governance is a framework of leadership, structure, business processes, standards and compliance requirements designed to ensure that an IT strategy is always aligned with an organisation’s objectives. It is a matter for the board or partners.

The framework most commonly advocated for implementation comprises:

  • the board of directors or partners to identify, set and drive the strategy;
  • a management board to ensure implementation and compliance;
  • a technology board to bring expertise where required;
  • an operational board to address implementation;
  • a project team to progress and manage the project; and
  • a programme management team to manage the organisation’s portfolio of current IT projects.

These frameworks can be applied equally to partnerships. Most medium-sized and large partnerships in many ways resemble large corporate bodies and delegate the operational direction of strategic partnership decisions to partnership committees.

Partnerships of any size usually assign specific management functions to specific partners, and it is common for there to be a managing partner, a risk partner and a finance partner, although, curiously, an 'information security' partner is rare.

Certain standards and methodologies have been developed to support IT governance frameworks:

CobiT (Control Objectives for Information and related Technology) is a best-practice standard: a control framework for maximising the value of investment in IT and for providing controls over it. CobiT helps ensure that IT strategies and projects remain aligned with business requirements through management of controls and resources. See www.isaca.org/cobit

ISO/IEC 38500:2008 is the international standard for the corporate governance of information technology. It identifies six principles (responsibility, strategy, acquisition, performance, conformance and human behaviour) which organisations should adopt for effective governance of IT.

COSO (www.coso.org) is the Committee of Sponsoring Organizations of the Treadway Commission, created in 1985 by a number of influential bodies to address fraudulent financial reporting through internal controls, ie measures introduced by a board of directors, or partners, designed to provide confidence in the organisation's operations, financial reporting and legal and regulatory compliance.

Project governance

Outsourcing IT using the cloud model is a project in the same way as any other undertaking by an organisation. Project governance is a framework for the delivery and achievement of a project’s objectives through application of the governance principles. In the governance hierarchy, project governance sits below corporate governance, alongside IT governance, and above project management.

Projects frequently fail, particularly IT projects. The reasons for project failure vary widely because all projects, and all organisations, are different. Some of the most common reasons for project failure include:

  • lack of leadership;
  • lack of ownership at board or partner level;
  • misalignment of the project with business objectives;
  • lack of project management skills;
  • mismanagement of resources; and
  • escalation of cost.

Project governance principles are based on those of corporate governance and IT governance and in many respects they mirror them. The key features of a project governance framework are:

  • leadership and commitment from the board or partners;
  • clear management, executive and committee structures;
  • monitoring and audit processes;
  • clear responsibility and accountability at all levels;
  • clear communication channels;
  • specified objectives communicated to all stakeholders;
  • project procedures and processes that provide a return on investment;
  • adoption of recognised project management methodologies; and
  • dedication of adequate and relevant resources.

The objectives of a project governance framework are:

  • to keep the project aligned with the organisation's objectives;
  • to provide continuing auditing of resources against cost;
  • to deploy resources for maximum value and benefit;
  • to provide a formal and structured approach to risk management; and
  • to apply recognised best-practice project management methodologies.

Project governance tools help with the application of governance principles to management of a project in order to maximise the chance of the project fulfilling its business objective:

PRINCE2 (Projects in Controlled Environments – prince2.com) introduces seven key themes of project management: the business case; the organisation; planning; project risk; progress monitoring; quality control; and issues and changes. It can be adopted for all types of project, large or small.

BS 6079:2002 is the current British Standard for project management and provides guidance for various personnel on the techniques of planning, managing and implementing projects. Work has begun on an international standard, ISO 21500.

Programme portfolio management (PPM) organises projects so as to ensure that an organisation adopts a mix of projects aligned with its business objectives and consistent with governance principles.

Val IT 2.0 is a governance framework based on CobiT and is concerned with the management of an organisation’s portfolio of project investments so as to ensure an adequate return on investment.

Conclusion

Mismanagement of organisations, their IT strategies and their IT projects invariably arises from failure to apply governance principles, either effectively or at all.

As IT functions develop in a variety of models (internal IT departments, traditional outsourcing of the function, and private and public cloud computing), there will be considerable pressure on law firms and legal services providers to ensure their IT function performs to maximum effect as competition becomes increasingly fierce, both nationally and globally.

Effective application of governance principles throughout an organisation at all levels and by all personnel is a sound basis for achieving this.

Rupert Kendrick is a solicitor and director of Web4Law Limited, a risk management consultancy, specialising in IT and internet risk issues.

Email Rupert@web4law.biz.

The above is taken from a recently published book by Rupert Kendrick, Outsourcing IT: A Governance Guide, IT Governance Publishing, 2009, ISBN 978-1-84928-025-9.