A good organizational structure and its documentation form the basis, while an efficient IT strategy sets the direction: As a sub-discipline of corporate governance, IT governance makes a decisive contribution to this. It is to be understood as a living framework.
The Holy Trinity
Corporate governance is described in the German Corporate Governance Code 2022 (hereinafter DCGK 2022), corporate governance is described as a “legal and factual framework for the management and supervision of a company. A subset of corporate governance is IT governance, whose focus is on integrating IT into the organization’s strategies and goals. As part of corporate governance, IT governance is also a “matter for the boss,” i.e., it is the responsibility of the Executive Board,
and Principle 5 of the GCGC 2022 in turn defines compliance as adherence to legal requirements and internal guidelines – and thus sees this as a component of corporate governance. Consequently, IT compliance should also be seen as a component of IT governance. As such, it is imperative that IT compliance be integrated into IT governance. One example of this is the consideration of the separation of functions in the design of the organizational structure, for example between IT run and IT change in the units IT operation and IT development.
Governance includes the “responsible management of business risks” (Principle 4 GCGC 2022). IT risk management can be understood as a subset of this, which accordingly enters into a triangular relationship with IT compliance and IT governance.
Figure 1: IT governance, IT compliance and IT risk management as closely related topics
 German Corporate Governance Code. (April 28, 2022). dcgk.com. Retrieved from dcgk.com: https://www.dcgk.de//files/dcgk/usercontent/de/download/kodex/220627_Deutscher_Corporate_Governance_Kodex_2022.pdf
Because the three topics are so closely intertwined, they are often referred to collectively as “GRC” (governance, risk, compliance) Vendors offer GRC management tools that address all three topics. However, this should not lead to the conclusion that this is an exhaustive list – IT governance encompasses numerous other topics, such as the implementation of value contributions or resource management.
IT governance and IT organization
In principle, the definition of a target image for the IT organization is a good starting point for deriving the organizational structure and process organization, the written order (hereinafter referred to as sfO) and the resources. We therefore understand IT governance as the creation of structures that follow from the strategic goals of the IT strategy, form the organizational framework for the management of IT, and assign responsibilities and resources to positions. IT governance thus aims to define principles that govern actions and behavior within the organization. This creates orientation for the employees to fulfill their original activities. This also includes the definition of roles and responsibilities in IT, as these have a direct impact on the organizational structure and processes. This also includes the creation of central units taking into account the three-lines model within IT.
The IT setup organization: Structural basis
The Three Lines
The Three Lines should be used as an essential orientation for the organizational structure. They allow early recording, identification, analysis, assessment and communication of risks as well as higher-level coordination of responsibilities. In addition to the three traditional lines, external auditors such as the annual auditor and the supervisory authority are frequently integrated into the line model, as they independently review the work of the entire company on a regular and ad hoc basis.
Figure 2: Three lines model, extended by the4th and5th lines as external lines of defense
The IT setup organization is derived from the goals of the IT strategy and must be integrated into the enterprise-wide governance model. Based on this and the three-lines model, the following guidelines can be derived for guidelines:
Figure 3: Points of reference for the structure of the IT setup organization
Quality before quantity
As a rule, IT governance measures do not start on the proverbial greenfield site, but build on existing structures and processes. In order to prevent employees from being overburdened during a reorganization, existing structures must also be considered: existing employees, especially managers and experts, as well as the previous distribution of processes and employees.
Reorganization also involves various change processes and structural efforts. These result, for example, from the necessary revision of the identity and rights management, as well as from the handover and takeover of activities and the merging of the new teams. So instead of making minor adjustments several times, it is advisable to tackle a well thought-out and comprehensive, but one-off reorganization.
What can the IT setup organization look like?
As an example and for better understanding, the following figure shows an IT organizational structure. In addition to the points already mentioned above, the diagram provides orientation and takes us deeper into the design of the organizationIt provides for a separation of the IT setup organization into the areas of strategy and governance, IT projects (application development), IT operations and IT compliance.
Figure 4: Exemplary IT structure organization
This design of the IT organization takes into account the separation of run and change on the one hand and the dedicated provision of units for compliance issues, which are becoming increasingly important, on the other. In addition, the Strategy and Governance unit is a key department created for the CIO to manage and develop IT. mandatory The CIO should not be located outside IT, since as the second line he or she is the guideline giver and controller of the first line. This separation can avoid conflicts of interest between the CIO and the information security officer.
The size and exact cut of the individual units is always institute-specific. However, the uniform structuring as defined in corporate governance with areas, departments and teams, for example, also lends itself to IT.
The IT workflow organization: processes based on roles and responsibilities
With the roles and responsibilities established in the course of the IT setup, processes and workflows can be defined as an IT workflow organization. This is where the IT processes should be described and roles and responsibilities assigned. When defining IT and compliance processes, common standards such as ITIL or COBIT can be used as a guide. Standardization of processes is interesting against the background of reducing complexity and enabling efficient and attractive work for all participants.
From the outset, it is advisable to define the processes at level 3 and to map the process map in a tool. In this way, business impact analysis and process management can be linked together well. In addition, process interfaces and responsibilities are documented transparently in this way and a cross-process representation is made possible. Classically, process responsibility lies with the process owners, who are essentially based in the first line IT departments.
The written order: documentation
The specifications and the IT structure and process organization are documented in the institute’s sfO. In addition to the processes, the other documents of the first Line such as guidelines, work instructions and specialist concepts together with the specifications and guidelines of the second Line form the written order.
Figure 5: The elements of the sfO
When naming the individual document types, it is imperative to define a document structure that takes first and second line resposibilities into account. This is anchored in the respective guideline, as are the roles and responsibilities. Depending on the size and maturity level of the institute, it is advisable to set up an SfO management system that includes the linking of second-line specification and first-line implementation. On the one hand, this ensures that the SfO is complete and up to date and, on the other hand, makes it possible to verify the implementation of specifications within the framework of the so-called internal control system.
Resource management: Who can do what?
When technical responsibilities and processes are assigned to organizational units, the question of necessary know-how and resources inevitably arises. The initial anchoring and, if necessary, the initial set-up of these topics can cause change efforts in addition to the run efforts that have to be planned regularly. If necessary, these one-time expenses can be served by external support.
IT governance also includes the validation of resource allocation and that of the business units. Furthermore, requirement profiles must be created that define the requirements for roles and functions.
We are at your side!
Where do you stand with your IT governance? In the past year alone, BaFin conducted 94 special audits in accordance with section 25a (2) of the German Banking Act. 1 of the German Banking Act (Kreditwesengesetz) was performed at Less Significant Institution and examined its proper business organization. Are you prepared for a visit from BaFin?
With several years of experience in implementing regulatory requirements for IT, you can rely on ADWEKO’s IT security team. From gap analysis to audit preparation, audit support and audit follow-up, we are happy to assist you in all aspects of IT governance. In doing so, we focus on the specific circumstances of your institute and work with you to develop a solution that is right for you. Please feel free to contact us!
 Federal Financial Supervisory Authority. (May 3, 2022). bafin.de. Retrieved from bafin.de: https://www.bafin.de/dok/17809722