Establishing strong IT governance is essential for any organization that uses IT. To be successful, the role of IT governance in an organization must be clearly defined. Depending on the organization’s size, this governance might be done by a whole team or just by one individual. Whichever organizational model you choose to implement, the scope of the IT governance roles and responsibilities must cover all aspects of the necessary governance. This article looks at the responsibilities of IT governance and the IT governance roles that are commonly seen.
IT governance responsibilities vs IT management responsibilities
There is often confusion both inside and outside of IT about the differences between governance and management. Management and governance are not the same thing and have different responsibilities. To understand these differences, let us take a look at the responsibilities of each of them.
Henri Fayol defined these responsibilities of management in his 1916 book ‘Administration Industrielle et Générale’:
- to forecast and plan
- to organize
- to command or direct
- to coordinate
- to control (in the sense that a manager must receive feedback about a process in order to make necessary adjustments and must analyze any variance)
Management is primarily concerned with maintaining the daily operations of the business. Within IT, these management responsibilities focus on the day-to-day operation of IT, for example planning new software releases, organizing support rotas, and telling a development team what to work on next. Good IT management doesn’t automatically lead to effective IT governance, but it can enable it.
Governance is concerned with using and regulating influence to direct and control the actions and affairs of management and others. The person or group with responsibility for governance is accountable for the performance and conformance of the organization. The IT governance team roles and responsibilities in any organization should include the design, implementation, and ongoing compliance with these five responsibilities of IT governance:
- Determine the objectives for IT. These objectives define the purpose of IT and describe how the purpose will be fulfilled. They should be included in any IT vision or mission statements and implemented using a strategic IT plan.
- Design and implement the IT governance framework. The framework includes the objectives for IT, governance principles, policies, IT governance roles and responsibilities, and processes. The framework must be aligned with the organization’s wider governance responsibilities and support the achievement of the company’s goals and strategic objectives. Frameworks should, wherever possible, attempt to utilize industry standards and best practices such as COBIT. The framework should be regularly reviewed and updated as required.
- Define the ethics of the IT organization. Ethics are based on morals and values. They define the rules or standards that will shape how IT staff at all levels conduct themselves within the organization and what behaviors are expected from them.
- Create the culture of the IT organization. The culture drives how IT staff interact with each other and with those outside IT. IT governance is unlikely to be successful unless this governance responsibility is taken seriously. Cultural change does not just happen; it has to be led and nurtured by those at the top of IT. The willingness of people to be ‘governed’ and to support the IT governance system is at the heart of an effective governance culture.
- Ensure compliance. This is an ongoing governance responsibility. It aims to ensure that IT continually meets any regulatory, statutory, and legal obligations, supports the organization’s objectives while working within the defined ethical and cultural framework, and follows the IT governance framework. Compliance also includes checking that the IT governance roles and responsibilities are still relevant.
IT governance roles
To ensure the efficient governance of IT, roles should be defined that include appropriate governance responsibilities. IT management’s task is to achieve the objectives of the organization, working within the defined ethical and cultural framework, complying with the governance ‘rules’, and providing assurance back to the governing body that this is being accomplished.
The IT governance roles and responsibilities should be defined in the governance framework and should include a definition of the levels of authority and responsibility given to each role. There are typically four levels of IT governance roles. Each has a distinct purpose with a specific level of authority for decisions that can be made at that level.
The highest level with IT governance responsibilities is Strategic. This level of governance primarily focuses on the alignment between the IT strategy and the business strategy. This governance role is typically provided by a group of senior executives from across the business, including the CIO. This group sets the vision for where the business is going and how IT is expected to help it get there.
The next level of IT governance roles is the Executive level. This is also typically provided by a group drawn from across the business but at the next level down in the organization. This group is responsible for the prioritization of all IT projects, allocating resources, and ensuring the achievement of the business benefits. The CIO normally chairs this body.
The third layer that contributes to the role of IT governance in an organization has two parts: Program governance and Business process governance. Program governance oversees the delivery of specific IT projects. Program governance groups deal with escalated project issues, organizational change management, and benefits realization. They are typically formed on an ad-hoc basis for a specific project or group of related projects and are disbanded when the project is closed.
The business process governance role is responsible for how organization-wide processes involving IT are executed and amended.
The lowest level of IT governance roles is the Operations layer. This layer typically sits within the operational IT service management functions, concentrating on the governance of incidents, problems, and approving change requests. An example of an IT governance role in this layer is a Change Advisory Board with responsibility for the governance of changes to IT systems.
The primary objective for all IT governance roles and responsibilities is to ensure that policies and strategies are designed and applied so that IT helps the business to meet its objectives. Irrespective of how specific responsibilities are allocated to roles or how the individual roles are organized, it is important to keep a constant focus on this primary objective.