Control Ownership - Release Notes 1416



  • All,
    Odd ownership question…
    If you have a major business application with periodic release patches and one of the in scope controls is to have business review of those release notes to determine implementation based on business requirements, would the ownership reside in IT or would this be more appropriate as a business control?
    We are having some serious disageement as to who ‘owns’ this control and I was just hoping for some reinforcement of my opinion (which I won’t give here as I don’t want to lead anyone).
    Has anyone else faced issue with ownership of business requirement definition type controls?
    Thanks.



  • Hi - This is a good question and hopefully you guys won’t have to flip a coin 😉 🙂
    I’ll vote that the business side is the owner . The IT area is only a service entity within an organization that’s designed to deliver and support automated solutions.
    The business side is the true owner of their application systems – or at least they should be. They are also in the best position to assess whether the ‘release notes’ in question meet business goals and functionalities. While many IT folks know the business side (which I’ve personally endeavored to do), the professionals on the business side are in the best position to acertain true business needs.
    With that said, I see IT assisting in this process (e.g., providing an inventory of changes, review sessions, etc). However, I believe the true ownership rests in the business area.



  • Agreed. Project Manager who is normally from the business side is the owner.



  • This is a tough one to answer. We have struggled with this as well. In a top-notch company, this isn’t an issue because there is good partnering between systems users and the IT teams.
    I think that the answer is that it depends on the situation. If the patches are security-related or will help the software run more efficiently, the end user generally doesn’t care about it too much as this probably does not impact it’s functionality. If the patches are to add enhancements, then the user does care and wants to be involved.
    In our company, the software vendor relationships are generally with our IT team. To me, this would indicate that the IT team would receive the initial communication of patches and should review them for content. If there is something that would impact the end user, then the IT team should pass the information on to the end user for review. They should then work together to determine if and when the patches should be installed.
    Each business is structured differently and should have internal policies addressing this issue.



  • In a top-notch company, this isn’t an issue because there is good partnering between systems users and the IT teams.
    Indeed – That’s the definition of utopia 😉 🙂
    If the patches are security-related or will help the software run more efficiently, the end user generally doesn’t care about it too much as this probably does not impact it’s functionality.
    While I believe the business area is still the ‘ultimate owner’ of their applications, kymike makes excellent points regarding an entrusted or sometimes delegated relationship with IT. In fact, a review by IT is often required to determine both business and technology impacts associated with patches or the next version of a product.
    The original post centered around ‘business related changes’. In thinking about this further, even these changes would probably 1st be reviewed by the IT side as they are most likely the single point of contact by the vendor.
    Each business is structured differently and should have internal policies addressing this issue.
    There’s always a need for good partnership between IT and the business centers, and they ‘both need to be working for the same company’. When new workload requirements like SOX emerge, there will be a natural resistance to take on new work and responsibilities, esp. in our leaner-and-meaner work environment today.
    As a bottom line, I like the approach of the business area owning the process and IT helping out and providing added value to end result.



  • I would straightaway grant the ownership of SOX to the business.
    IT acts only as a support function(supposedly i shud add).
    Harry was bang on target to state that resistence would be the first thing that would come from business(especially with an act like SOX taking away a good chunk of their so called ‘independence to work’)
    If resistence is forthcoming with the Business guys being the owners, think of the level of interest to support and help if IT accepted the ownership.
    Anyways, business owns the application(s) and effectively designs it( they give us the reqmt), they will be in a better position to defend the application structure and design better than IT( which just develops and implements it).
    :lol: :lol: Make those ppl the owners, whom you always wanted to get loaded with work 😛 😛
    cheers guys


Log in to reply