Business operations are often complex, involving data rich systems which provide diverse services. With new technology comes different terminology, definitions, ways of doing things, opportunities for innovation and new threats to business viability.
The great challenge for the leadership and management of public, private and not-for-profit organizations is to stay up to date with this evolution, in order to survive and maintain a competitive advantage.
The importance of standards
For decades standards have contributed to the organization of businesses and how they operate. In particular, the International Standards produced by the IEC and ISO Joint Technical Committee for information technology (ISO/IEC JTC 1). The broad scope of JTC 1 work covered by its subcommittees (SCs) includes among others artificial intelligence (AI), biometrics, internet of things (IoT), information technology security techniques and IT service management and governance.
Given that IT has penetrated most industries in the modern global economy, Standards benefit all these sectors. They address the specification, design, development, integration and interoperability of systems, services, tools and applications.
JTC 1/SC 40: IT Service Management and IT Governance, was established in 2013 to bring the governance, service management and business process of outsourcing activities together in one subcommittee.
Interview with Chair of SC 40
e-tech caught up with Jan Begg, Chair of JTC 1/SC 40, to discuss the latest developments and challenges in the field.
What does SC 40 do?
Unlike other JTC 1 subcommittees, which deal with particular types of technology or applications of a technology, whether programming languages or the technology that goes into IoT, SC 40 is more business focused and provides a link with corporate governance. In other words it looks at how these technology areas or opportunities are managed within an organization, and then for people with responsibilities at governance level (board or executive managers) and how they think about their governance responsibilities when it comes to technology.
The SC 40 foundation Standard ISO/IEC 38500, Governance of IT for the organization, is a principle-based guidance document; the six principles can be applied to any technology or service which is enabled by technology.
“New technology often brings with it different terminology, definitions, ways of doing things, opportunities for innovation or new threats to the business viability. Just keeping up-to-date can be challenging for our market – the leadership and management of our public, private and not-for-profit organizations”, says Begg.
SC 40 experts must think about how their Standards can be used in this new context or if there is a gap where new Standards need to be developed.
“We’ve found over the years that we need to show people how to apply the principles, so in 2015 we published an implementation guide ISO/IEC TS 38501 and in 2017 ISO/IEC 38505-1 for the Governance of data -- Part 1: Application of ISO/IEC 38500 to the governance of data and this year Part 2: Implications of ISO/IEC 38505-1 for data management (ISO/IEC TR 38505-2), which includes case studies.”
What is the impact of new technologies, such as AI, IoT, algorithms and cyber security?
Increasingly, businesses are applying new technologies. In the case of healthcare, many organizations may use AI combined with some type of robotics to support their work, for example to supplement what a human can do. This may include AI for decision making or combined with robotics to assist in operating on a patient or helping a frail person recover from an operation.
Begg explains that strategically speaking, one organization might decide not to use AI because it is worried about automated decision making, ethics and possible risks. This sort of strategic decision could be made from applying the SC 40 foundational governance Standard. However, another board might decide it needs a strategy that utilizes IoT, AI and is cognizant of cyber security risks, to give it the advantage over another organization and develop new ways of doing things. This could result in a deliberate request to management to come up with plans for a new business process or how to use new technologies to achieve something better than their competitors. Again this is a direct application of the SC 40 foundation governance Standard and could involve another of the ISO/IEC 30105 series of Standards relating to IT-enabled business process outsourcing.
“The way managers and leaders of organizations, such as the governing body or board, think about this using our Standards is to say what is it in our organization that we do, how do we do it, and what do we need to be aware of when we are making our decisions?”
Organization leaders don’t have to know what the new technology is or know a great detail about it, but for a business to develop a new strategy or understand its risk profile, whoever is advising it needs to know how that new technology might be applied in its industry or might be applied by one of its service suppliers.
“Even if they don’t chose to use a specific technology through our service management Standards it’s about understanding that you’ve bought a service from somebody else, such as the outsourcing of your helpdesk or payments. This external service provider might be using AI and you might not even be aware of it. Part of our guidance is around saying, what other questions do you need to ask and what other things do you need to be aware of?”
With so many interdependent technologies how important is it for SC 40 to liaise with other groups?
Over the last couple of years businesses have had to deal with big data and the analysis of it has become practical, whether it is done internally or outsourced. In order for people to better understand how to apply ISO/IEC 38500 Standard to that, SC 40 produced a new Standard 38505-1, which went through the types of terminology in data and analysis. It also showed a connection between the foundation Standard 38500 and the six principles, and how to apply them when thinking about data. In addition, a Technical Report 38505-2 was produced which included real case studies from organizations.
“This makes it a lot more practical for people, so for AI, the new ISO/IEC 38507 project that has recently been approved will cover how we apply our 38500 governance of IT to AI. We will need to work with JTC 1/SC 42 AI experts to understand AI technology and how this affects the way businesses operate and how we produce a new guidance document to help people get ahead of that and start thinking about it. It’s very exciting and a great way to show collaboration within JTC 1.”
SC40 already liaises with a number of JTC 1 subcommittees and ISO technical committees, which cover IT security techniques, software and systems engineering, cloud computing, blockchain and governance of organizations. It is also actively involved with the Joint Technical Coordination Group (JTCG) set up by ISO/Technical Management Board, in which it shares its experience on writing ISO Management System Standard (MSS) standards. Soon a practical guide on the application of another foundation standard that is an MSS, ISO/IEC 20000 on Service Management will be published.
“Some people believe it’s better to wait for technologies to mature or for people to agree on terminology and definitions, but businesses can’t wait. They’re in an evolving market and need guidance sooner rather than later, because by the time we’ve defined it all, someone may have put them out of business.”