Guidelines on the corporate governance of ICT developed by Standards Australia have been adopted as an international standard by the ISO (International Standards Organisation).
The ISO38500 standard, which gives business leaders a broad set of high-level guidelines on how to make better decisions with regard to ICT, was released internationally earlier this week after several years of hard work by its predominantly Australian authors.
The standard is in fact an international adaptation of AS8015, developed under the auspices of Standards Australia and released in January 2005 in an effort to reduce the number of ICT projects that wind up on the scrapheap.
Contributors to AS8015 included representatives from the Australian Computer Society, the Australian Institute of Company Directors and the Australian Bankers Association.
Mark Toomey, an Australian corporate governance expert and project editor for ISO38500, said that a good 90 per cent of the international standard has its foundations in AS8015.
"The ISO standard is absolutely faithful to AS8015," he said.
ISO38500 achieved 100 per cent consensus among standards bodies the world over after its technical committee spent five months resolving any criticisms noted during the vote.
Toomey said the interest from the international community, especially in Europe, has "delightfully astounded" him, especially, he says, because the AS8015 standard on which it was based has just about been ignored in Australia.
"I'm a bit jaded by the Australian psyche," he says. "As the saying goes, a prophet is rarely heard in his own land."
The problem is a cultural one, he said: ICT governance in Australia is too often left to those with specific technical knowledge and abdicated by directors and other senior decision-makers who don't want to be held responsible for decisions they don't fully understand.
"Australian business leaders suffer from the perception that IT is a black box, that it isn't discussed in the boardroom," Toomey said. "Whenever there are problems with IT projects, abdication of responsibility is seen as OK. So to address that, the first principle of the ISO38500 standard is about how responsibility should be allocated."
"Intrinsic to the message of the standard is that IT is about achieving business goals and not technical goals," Toomey said. "Part of the problem in Australia is this view that IT is special and complex and requires technical people to oversee it. That's just rubbish. Could you imagine a mining company abdicating responsibility for a new mine because nobody on the board is a mining engineer?"
While there has been some take-up of AS8015 at home, Toomey admits that it "hasn't been the Holy Grail for most Australian organisations".
"Australians tend to pick up on IT governance looking for recipe books or defined processes, whereas this standard contains principles and guidelines on how to think."
This mindset is, to some degree, understandable. The ISO38500 standard is exceedingly broad, driven by key concepts rather than concrete examples. Being an international standard, it can't directly reference Australian regulations or typical ICT scenarios but looks instead at over-arching delegation of responsibility when evaluating, directing or monitoring the use of ICT.
Many business and IT leaders feel they are already following best practice by adhering to such frameworks as COBIT (Control Objectives for Information and related Technology) or ITIL (The Information Technology Infrastructure Library).
Such process improvement frameworks are useful, says Toomey, but they tend to be implemented internally within IT departments and do not embrace wider decision-making as the ISO standard does.
"The [ISO38500] standard doesn't replace frameworks, it complements them," he said. "If you apply the six principles of this standard to the processes in COBIT, for example, pretty often there are gaps — an opportunity for improvement."
"The value of the standard for directors is that it gives them a way of looking at the behaviour of the organisation when making decisions," he explained. "It gives them a way of validating that an organisation was behaving the right way, which is what a company director is eminently qualified to do. It's about the core behaviour that lies behind decision-making."
Toomey has high hopes that more Australian organisations will take the standard seriously now that it is embraced internationally.
"We have this long-term history of IT going wrong," he said. "It would be delightful if this standard reversed that trend. There are enormous economic benefits in reducing the rate of failure of IT projects and enormous value in getting more out of the IT we've got."
The ISO38500 standard is available here.