Governing information technology in 2019: a roadmap
By David Schneider
Edmonton Police Service shares its framework for making effective IT investment decisions
The world is changing and nowhere is this more evident than in the field of information technology.
Hardware and software advances are forcing organizations to rethink how to operate, advance and take advantage of their information technology (IT) services to meet the evolving demands of their client base.
But is all of this change necessary? How do we determine if a technology change will actually improve the effectiveness of an organization? How do we differentiate between changes that are truly necessary and those that are simply “nice” to have?
To address these questions, the Edmonton Police Service’s (EPS) Informatics team has adopted a globally accepted governance framework as a way to guide its business development and continuous improvement activities. After two and a half years of planning and implementation, their effort and success have been recognized by one of the top audit firms in the world, and the impact has been felt throughout the organization.
What exactly is an “IT governance framework?” The Edmonton Police Commission’s (EPC) chief internal auditor, Vivianna Botticelli, states:
“IT governance is essential for any large organization that has multiple teams and multiple priorities. The word itself gives a connotation of rules, but it’s actually guidance — a set of principles and processes that enables the mitigation of risk while maximizing the quality and enhancing the delivery of IT services.”
The business of policing
With over 2,600 police officers and civilian support employees, the EPS’s mission is “to increase public safety through excellence in the prevention, intervention and suppression of crime and disorder.”
Within the EPS, the Informatics Division is responsible for technology, information, evidence and security. As these key areas continue to change and grow, the division is focused on harnessing technology, connectivity and data to:
• Anticipate trends within federal and regional policing
• Leverage smart, connected hardware and systems to give officers the tools they need to make risk-based, real-time decisions
• Assess and continuously improve business processes to provide effective and efficient collaboration within the EPS and the Canadian network of law enforcement agencies
• Maintain the highest level of cyber security to protect and ensure continuity of operations to citizens and officers
With the rapid changes and advancements in policing technology and information management, EPS Informatics has the daunting task of recognizing and anticipating the needs of the EPS, while providing transparency in how they manage investments in new technology, security and information management.
Applying a fresh perspective
In the spring of 2012, the EPC requested a risk assessment on the EPS Informatics Division. One of the key observations in the review was the lack of functional and fundamental IT governance processes. The results of the review described Informatics as a “reactive workforce,” which was limiting their ability to effectively address the needs of the broader organization.
Recognizing that changes were required, the chief of police at the time retained Brock Kahanyshyn, the EPS’s first civilian chief information officer. Having the necessary technical background and experience to lead Informatics in developing and implementing an industry-leading IT governance framework was key.
“In the past, IT was seen as a department that creates and imposes rules relating to technology and information systems,” Kahanyshyn says. “But now, technology and IT infrastructure is one of the most important investments an organization can make. It is an enabling platform for employees to amplify their efforts and ideas. Governance gives us guiding principles to make effective IT investment decisions. It ensures that our investments align with business priorities, and that as we implement these, we are adhering to industry best practices or identifying gaps. This starts to build a culture of continuous self-assessment, analysis and improvement.”
Ongoing executive support from the chief’s office was a key imperative to the success of this initiative, as well as ownership from key departments. Managed by Michael Smith, a governance consultant, the team also included Shawn Rehill, director of IT Architecture; Tim Jenkins, director of IT; Peter Clissold, director of Cyber & Physical Security; and Bernard Loughlin, the inspector in charge of the Information Management Branch.
Since IT and technology investment decisions impact everyone in the organization, the team wanted to make sure this important initiative was rolled out with active engagement across the entire EPS organization.
A better chance of success
After evaluating several potential governance frameworks, EPS adopted COBIT 5, which is a globally accepted business framework for enterprise IT governance and management. COBIT 5 bridges the gap between technical issues, business risks and control requirements, with a framework that covers the critical areas of:
• Governance principles, policies, practices and activities
• Governance processes and organizational structures
• Information and technology risk, security and assurance principles
COBIT 5 is recognized across the world to ensure that the quality, control and reliability of information systems — and therefore the overall integrity of technology and information — are addressed. It takes a holistic approach to business decision making as it relates to IT and technology, and reduces the risk of IT implementations. In today’s modern business environment, and especially one like the EPS, this is of paramount importance.
“In looking at the different types of governance frameworks, we decided to use COBIT 5 because of its expansive nature, and because it is built to align operational and business teams,” Smith comments. “By establishing consistent methods for allocating and measuring operational and project resource costs and tracking risk, it gives the organization a baseline for future strategic planning.”
Successful implementation of a governance framework requires a strategic focus, with a clear and concise idea of what an organization is trying to achieve. It is critical to have the right team with representation from IT, data management and key business teams, and to socialize the framework so that it gets widely adopted across the business.
Though this may seem challenging to implement initially, it can quickly lead to significant benefits in an organization. These benefits can be long lasting and can have a positive effect on the organization’s entire planning and performance evaluation framework.
For police organizations, key gains of a well-adopted IT governance framework include:
• Dramatically less downtime of IT services to the business. This is particularly important to critical services such as patrol officer radios and the 911 call centres.
• Increased success in rolling out large-scale infrastructure and service-level projects, with a clearer understanding of how to ensure business intent and objectives are met.
• More robust performance measurement and assurance analysis to manage continued improvement and feedback.
• Better alignment to the business priorities through business planning for long-term IT investments and prioritization.
• Clarity of roles and responsibilities required to achieve the “informatics governance objectives.”
In addition to these, one of the most important benefits of adopting a governance framework is the ability to build a practice of continuous change, one that encourages best practices to be adopted and allows for a consistent audit practice through self-assessment and formal audits.
By using best practices and third-party audits, organizations have a defined and objective model to implement and measure against. They can know with certainty their investments are being operationalized, that they are making the right decisions and that their governance is effective.
Once the governance framework was implemented, Ernst & Young, as directed by the EPC, conducted two significant audits to measure its effectiveness: a governance audit in 2017 and a control audit in 2018.
“Informatics has made significant progress in applying international governance frameworks in a relatively short period of time,” the 2018 Ernst & Young review found. “The EPS is more strongly positioned to better manage the business decisions of the future.”
Digital Boundary Group, a provider of cyber security and physical security auditing services for Canadian police services and EPS’s primary cyber and physical security auditor, also noted in its 2018 review that “in the last several years, we have seen continuous improvements in EPS’s cybersecurity infrastructure and practices. This has positioned them as a leader in Canadian law enforcement.”
The results of the audits have given EPS (as well as EPC) leadership confidence that their IT investments and operations will be successful as they continue towards building safer communities.
Kahanyshyn agrees governance is about more than accountability and rules; it is a way to align teams and priorities to business objectives.
“We are a publicly funded organization with a mandate that has real consequences on every person who lives in Edmonton,” he says. “That is a huge responsibility. We are accountable to the citizens of Edmonton on a daily basis, in more than one way. It is time for us as a business and a public safety organization to be confident in the way we invest in our IT infrastructure, and to know that our decisions are being made at the right time, with the right results.”
“Information Technology has shifted from being a corporate support function to a strategic business partner that enables our performance,” says EPS Chief of Police Dale McFee. “As crime and our methods of preventing and managing it all change, we rely even more on technology and IT than we ever have before… Continuous modernization of technology, systems and security are critical to our effectiveness as police officers. With a well-implemented governance framework, we can now all speak the same language around our IT investments as a business priority.”
David Schneider is the director of media relations with the Edmonton Police Service.