Activity - Governance - Management Quiz.
-
Agile Methodology:
Concept/Definition: A flexible, highly iterative approach to project management and software development.
Explanation: Originating as an alternative to rigid, sequential Waterfall methods, Agile emphasises rapid delivery in short cycles (sprints), continuous customer feedback, and cross-functional team collaboration to adapt quickly to changing business requirements.
-
Balanced Scorecard (BSC):
Concept/Definition: A comprehensive strategic performance management framework.
Explanation: Developed to overcome the limitations of relying solely on lagging financial metrics, the BSC measures organisational performance across four balanced perspectives: Financial, Customer/Stakeholder, Internal Processes, and Learning & Growth. It directly links daily operational KPIs to long-term strategic objectives.
-
COBIT (Control Objectives for Information and Related Technology):
Concept/Definition: A globally recognised IT governance and management framework created by ISACA.
Explanation: COBIT 2019 bridges the gap between technical IT issues, business risks, and internal controls by organising 40 core governance and management objectives into five domains, ensuring that IT investments are optimally aligned with enterprise value creation.
-
Data Custodian:
Concept/Definition: The role responsible for the technical safeguarding and storage of data.
Explanation: Typically held by IT personnel, systems administrators, or database managers, the custodian executes the security protocols, backups, and access controls mandated by the Data Owner.
-
Data Owner:
Concept/Definition: The individual who is strategically and legally accountable for specific datasets.
Explanation: Usually a senior business manager or director, the Data Owner determines the data's classification (e.g., public, confidential, restricted), defines the acceptable use, and authorises who is granted access to the information.
-
Enterprise Architecture (EA):
Concept/Definition: A conceptual blueprint that maps and defines the structure and operations of an organisation.
Explanation: EA clarifies complex technology choices by ensuring that the IT infrastructure, applications, and data flows are optimally designed to efficiently support the enterprise's core business processes and strategic goals.
-
Enterprise Governance of Information and Technology (EGIT):
Concept/Definition: A board-level system ensuring IT aligns with and sustains enterprise objectives.
Explanation: EGIT is the overarching responsibility of the board of directors and executive management. It provides a structured mechanism for all stakeholders to contribute to IT decision-making, ensuring value delivery, risk management, and resource optimisation.
-
IIA Three Lines Model:
Concept/Definition: An organisational structure framework for effective risk management and governance accountability.
Explanation: The first line consists of operational management (who own and manage the risk), the second line consists of compliance and risk oversight functions (who monitor the risk), and the third line is internal audit (which provides independent assurance to the board).
-
Information Technology Infrastructure Library (ITIL):
Concept/Definition: A widely adopted, comprehensive framework detailing best practices for IT Service Management (ITSM).
Explanation: ITIL focuses heavily on structured processes, stability, and governance across the entire service lifecycle, ensuring that IT services are delivered consistently, reliably, and in compliance with corporate policies.
-
IT Portfolio Management (ITPM):
Concept/Definition: The centralised, strategic management of IT investments and projects.
Explanation: ITPM treats IT projects as financial investments, continually evaluating, prioritising, and balancing them to ensure the portfolio aligns with the business and delivers the highest ROI.
-
Key Control Indicator (KCI):
Concept/Definition: A specific metric used to evaluate the operational effectiveness of internal controls.
Explanation: KCIs measure how well a specific safeguard or control mechanism is functioning in the real world to reduce the likelihood or impact of an identified risk event.
-
Key Performance Indicator (KPI):
Concept/Definition: A quantifiable metric used to evaluate success in reaching a target.
Explanation: KPIs are used extensively for performance monitoring to assess how effectively an organisation, IT team, or specific operational process is achieving its predetermined strategic goals.
-
Key Risk Indicator (KRI):
Concept/Definition: A predictive metric providing an early warning signal of increasing risk exposure.
Explanation: KRIs monitor changes in the risk environment and use predetermined numerical thresholds that, when breached, trigger escalation to management, enabling proactive risk mitigation before the risk event occurs.
-
Quality Assurance (QA):
Concept/Definition: A proactive, systematic set of processes designed to prevent defects.
Explanation: QA provides management with adequate confidence that an IT product or service will conform to established technical and quality requirements by ensuring the development process itself is sound, whereas Quality Control (QC) tests the final output.
-
Risk Appetite:
Concept/Definition: The broad, aggregate amount of risk an enterprise is willing to accept.
Explanation: Defined by the board of directors, the risk appetite sets the absolute boundaries for risk-taking in pursuit of the enterprise's strategic objectives, market expansion, and value creation.
-
Risk Tolerance:
Concept/Definition: The acceptable level of specific variation from the broader risk appetite.
Explanation: While risk appetite is a macro-level concept, risk tolerance dictates the permissible deviation management is willing to allow in specific operational circumstances, individual projects, or isolated systems.
-
SABSA (Sherwood Applied Business Security Architecture):
Concept/Definition: A framework specifically utilised for developing risk-driven enterprise information security architectures.
Explanation: SABSA adapts traditional enterprise architecture concepts to ensure that comprehensive security controls are embedded at every layer of the enterprise's design, rather than being applied as a reactive afterthought.
-
Separation of Duties (SoD):
Concept/Definition: A foundational internal control principle ensuring no single individual controls all phases of a transaction.
Explanation: By segregating the authorisation of transactions, the custody of assets, and record-keeping among different people, SoD deters internal fraud and malicious acts and reduces the chance of undetected errors, because bypassing the control requires collusion between two or more individuals.
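As an added example (not part of the original quiz material), the following Python shows how an SoD rule is enforced in practice: users inherit permissions from roles, a list of toxic permission pairs encodes the authorisation/custody/record-keeping split, and a check flags anyone who holds both halves of a pair. The role names, permission names, users and conflict pairs are all constructed for illustration and are not taken from any real system.

```python
"""Separation-of-duties (SoD) check over role-based permission assignments.

Added illustration; all roles, permissions, users and conflict pairs below are
constructed sample data, not taken from a real IAM system.
"""

# Constructed role catalogue: role -> permissions it grants.
ROLE_PERMS = {
    "ap-clerk": {"vendor.create", "invoice.enter"},      # record-keeping side
    "ap-manager": {"payment.approve"},                    # authorisation side
    "gl-accountant": {"ledger.post"},                     # records the ledger
    "gl-reviewer": {"ledger.reconcile"},                  # reviews the ledger
}

# Constructed user -> role assignments as pulled from an IAM export.
USER_ROLES = {
    "alice": {"ap-clerk", "ap-manager"},    # can create a vendor AND approve payment to it
    "bob": {"ap-clerk"},
    "carol": {"ap-manager", "gl-reviewer"},  # no toxic pair between these roles
    "dave": {"gl-accountant", "gl-reviewer"},  # posts and reconciles the same ledger
}

# Constructed toxic combinations: no single person may hold both permissions,
# because together they let one individual authorise, execute and cover up a transaction.
CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"ledger.post", "ledger.reconcile"}),
}


def effective_permissions(user_roles, role_perms):
    """Expand each user's roles into the flat set of permissions they actually hold."""
    effective = {}
    for user, roles in user_roles.items():
        perms = set()
        for role in roles:
            perms |= role_perms.get(role, set())
        effective[user] = perms
    return effective


def find_sod_violations(effective_perms, conflicts):
    """Detective control: return {user: [sorted conflicting pair, ...]} for every user
    whose effective permissions contain a complete toxic pair."""
    violations = {}
    for user, perms in effective_perms.items():
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= perms]
        if hits:
            violations[user] = sorted(hits)
    return violations


def would_violate(user, new_role, user_roles, role_perms, conflicts):
    """Preventive control: list the toxic pairs that granting `new_role` to `user`
    would complete, so the request can be blocked before it is applied."""
    current = user_roles.get(user, set()) | {new_role}
    proposed = effective_permissions({user: current}, role_perms)[user]
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= proposed)


if __name__ == "__main__":
    for user, pairs in find_sod_violations(
        effective_permissions(USER_ROLES, ROLE_PERMS), CONFLICTS
    ).items():
        print(f"SoD violation for {user}: {pairs}")
    print("bob + ap-manager ->", would_violate("bob", "ap-manager", USER_ROLES, ROLE_PERMS, CONFLICTS))
    print("bob + gl-reviewer ->", would_violate("bob", "gl-reviewer", USER_ROLES, ROLE_PERMS, CONFLICTS))
```

The detective check (`find_sod_violations`) is what an internal audit or second-line review would run over a periodic IAM export; the preventive check (`would_violate`) belongs in the access-request workflow so that a grant completing a toxic pair is refused or routed for explicit risk acceptance. Conflicts are matched against effective permissions rather than role names, because the same toxic pair can be reached through many different role combinations.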
-
Six Sigma:
Concept/Definition: A highly structured, data-driven quality management methodology.
Explanation: Focused on process improvement and defect reduction, Six Sigma primarily utilises the DMAIC (Define, Measure, Analyse, Improve, Control) roadmap to systematically reduce variability in IT and manufacturing operations.
-
TOGAF (The Open Group Architecture Framework):
Concept/Definition: A dominant, process-driven enterprise architecture framework.
Explanation: TOGAF provides a comprehensive, step-by-step approach—known as the Architecture Development Method (ADM)—for designing, planning, implementing, and governing an enterprise's business, data, application, and technology architectures.