Many people, even those working in information technology (IT), are not sure what IT governance is. Some are even unsure that technology and governance need to go together. That is despite the fact that this discipline has been in place ever since the dawn of computing and is essential for any organization that uses IT. The issue may be that it is nowhere near as exciting as the rest of IT, but it is just as challenging. This article looks at IT governance and why it is essential today and for the future.
Information technology governance is an element of corporate governance that is aimed at improving the overall management of IT and deriving improved value from investment in information and technology. Corporate governance, as defined by The Governance Institute, is:
“a toolkit that enables management and the board to deal more effectively with the challenges of running a company. Corporate governance ensures that businesses have appropriate decision-making processes and controls in place so that the interests of all stakeholders are balanced.”
Establishing a framework for corporate governance of information technology can help an organization comply with requirements of laws and regulations for business, such as the DPA (Data Protection Act) 2018 and the GDPR. IT governance planning in an organization will help you to define and maintain appropriate policies and procedures that will help you to meet these requirements for data security and privacy.
It can also help to maximize the return on your investment in IT. It does this by helping you to evaluate, prioritize, and select the investments most likely to give the best returns, and by ensuring that IT purchases and activities are aligned with overall business objectives.
Planning coupled with the proper structure can help to ensure that IT is operated in an effective, efficient, safe, and regulatory compliant way. Establishing a framework can also help with the management of IT-related risks, for example, through using IT security governance to manage the risks from cyber-attacks.
Technology governance as a part of IT governance can reduce the costs of IT support by encouraging the use of a standard set of technologies. Through the application of frameworks such as COBIT, it can also be used to standardize all IT-related processes, reducing costs and improving customer service. Other benefits include:
The history of this discipline started a long time ago, at the dawn of computing. Ways were devised to control which developments would get funded and to ensure the quality of deliverables, but this early IT governance was not recognized as a separate discipline within IT. The formal history first emerged in 1993 as a derivative of corporate governance. This provided a focus on linking IT management with the organization’s strategic objectives and business goals, highlighting the importance of value creation and accountability for IT.
Following some high-profile governance failures involving corporate fraud and deception, in the 1990s, several countries decided to establish some formal codes and regulations for corporate governance. These include:
These led to a realization that governance of IT systems and management were essential to support strong corporate governance, as IT underpinned the daily operations of most businesses. IT was seen as an enabler of corporate governance and a value creator that required stronger governance.
This led to the development of a standard, the AS8015 Corporate Governance of ICT, which was published in Australia in January 2005. In May 2008, this was used to fast-track the publication by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) of an international standard for IT Governance, ISO/IEC 38500. Publication of this standard was a milestone in the history of IT governance. It provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT.
For good IT governance, developing a successful strategy is crucial. IT strategy and governance must be tightly coupled, as following a technology-based strategy alone is unlikely to meet the organization’s business objectives.
Objectives should not sit in isolation; they should be a key part of the overall IT strategy that should be part of the organization’s corporate strategy. IT governance exists within organizations to guide IT initiatives and to ensure that the performance of IT meets the following corporate objectives:
The goals and objectives for any organization should include the following aspects:
Why is IT governance important? To start with, it underpins corporate governance. Why should corporate governance include the governance of IT? Because just about every organization today relies on IT systems in some form. The importance of IT relative to the activities of the organization will, of course, vary between different types and sizes of business, but it cannot be ignored. Corporate governance failures can result in fines and even the imprisonment of executives, and blaming IT is no defense. So considering what corporate governance is, and why IT belongs in its scope, should help to persuade you of its importance.
IT governance provides an organization with a structure of relationships and processes that direct and control how IT is provided and operated. Using this type of governance helps the enterprise to achieve its goals by adding value from IT whilst balancing the risk versus reward of IT investments and processes. It provides the structure that links IT processes, IT resources, and information to enterprise strategies and objectives.
IT projects should also be in the scope of governance. The organization might have separate governance arrangements for projects, but where this is the case, there must be a strong link with the approach used to govern IT; otherwise, there is a risk that projects are delivered on time but do not align with the requirements for governing IT. This is key when considering what project governance is and why it is important.
The benefits will vary between different organizations. For those that are in highly regulated industries, such as healthcare or aerospace, the benefits of good governance are clear. Maintaining compliance with the governance requirements of these sectors is not just something that is nice to do; it is mandatory if the organization wants to stay in business.
As well as maintaining compliance, there are several other potential benefits. Many of these are shared with what can be achieved through applying corporate governance best practices and are not unique to IT. But they all should be considered as potential benefits when carrying out IT governance planning. The potential benefits include:
There is no single process that can be used to govern IT. A number of different processes and practices are required, which should be used on an ongoing basis. It is not something that you do once or once a year. It has to become an inherent part of how you operate IT, using processes that are repeatable, scalable, and controllable. They should be regularly reviewed to ensure that they continue to deliver the expected value to both internal and external customers.
It is common practice to use several different but related processes, each focusing on a different area of IT. This integrated collection is often referred to as an IT governance landscape, the scope of which includes IT systems, architectures, services, developments, networks, infrastructure, and processes. As each of these has different characteristics, they are often subject to different governance approaches linked by a common strategy. Here are some examples of the process:
IT governance models define a set of rules, regulations, and policies that define and ensure the effective, controlled, and valuable operation of an IT function. They also provide methods to identify and evaluate the performance of IT and how it supports the business. Many organizations define their own model; some widely used models can be adopted and then tailored to suit the needs of the specific organization. This is very similar to the approach many organizations take to IT security governance, which starts from the ISO/IEC 27001 information security standard and then selects the controls relevant to their circumstances.
Which of the models is most appropriate for you depends on what type of business you are. For example, an IT organization that specializes in managing the delivery of IT projects would be best suited to an IT project governance model, such as PRINCE or PMBoK. An organization that encompasses every discipline in IT might be better suited to an IT governance model based on the COBIT framework, possibly enhanced by the ISO/IEC 20000 standard for IT service management.
ISACA, a leading global provider specializing in governance, has developed some useful guidance that separates IT governance models into 5 separate domains. No organization is mandated to use all of these domains – but they are advised to consider all of the recommendations, standards, and best practices associated with the domains against their needs, compliance requirements, and capabilities.
Some IT governance models also include a maturity model, which can be used to assess the maturity of an organization’s governance approach. This diagram illustrates the components of a typical IT governance model:
There are typically five components of IT governance models. The detail within each of these components will vary between each organization’s implementation, but the overall structure is likely to contain these common components:
Governance framework: A framework for the governance of IT should include all of the processes, responsibilities, policies, guidelines, metrics, and activities necessary for effective governance. This will help to ensure that a standardized governance approach is used throughout the organization, which is well known by all employees and delivers consistent results. This critical component of IT governance will define the ‘who’ and ‘how’ elements of the operating model, providing the framework for how decisions are made and communicated.
Business Benefits: A key component is understanding what business benefits are expected from the governance of IT. These benefits can take many forms. They can include tangible benefits such as regulatory compliance or reduced costs of wasted investments. They can also include intangible benefits such as improved employee satisfaction. But unless these benefits are quantified and communicated, there is a risk that the governance activities will not achieve the desired goals, as employees see them as unnecessary to the future of the organization.
Management: The other components are useless without effective management. That includes management of the governance activities themselves, benefits management, strategic management, and portfolio management. It should be an inherent component of all management activities conducted within the organization. It should never be seen as the responsibility of only the IT manager or the internal audit team.
Optimizing Risks: Good models for risk management include both IT and business continuity planning, alignment to any legal and regulatory requirements for managing risks, and an approach that includes a risk appetite and tolerance methodology that can assist with making risk-based decisions about IT systems and services.
There are three widely recognized and vendor-neutral frameworks that contain these components in some form or other. Each has different governance strengths:
Governance and management are terms for activities that every organization should be carrying out. But what are the differences between IT governance vs IT management? In small organizations, the same individual might be doing activities related to both of these without realizing that there is a difference, but they should be thought of as having separate roles and responsibilities. When considering the differences, it is important to recognize that both are concerned with controlling an organization so that it can achieve its goals. However, there are subtle differences between them.
The word ‘governance’ comes from the same root as ‘government.’ Most people understand what the role of the government is. It sets out what an organization must do now and what it should become in the future. So, governance in IT is concerned with setting the direction for IT, defining and ensuring compliance with the necessary rules and regulations, and making any required changes in policies to avoid any conflicts with the goals of the organization.
In IT, management is a much more commonly used term than governance. Management is concerned with the day-to-day operation of IT, including decision-making and resource allocation. The role of IT management is to ensure the smooth running of IT. Management operates at multiple levels, including top management, IT team management, and IT process management.
Hence in summary:
These examples should help to further illustrate what it is all about.
There are several widely recognized frameworks that organizations can use to give them a starting point. Organizations can use one of these framework examples to help them define their own governance model. Some organizations adopt only one of these examples. Others take an integrated approach, using parts of several frameworks to deliver the results that they need. The most commonly seen IT governance model examples include:
Other useful sources of model examples include:
Most failures of governance within IT do not get publicized, as they can easily damage the reputation of an organization and lose it customers. The failures that we do get to know about tend to be from government organizations or large corporates. Failure examples from these organizations are often about poor governance of IT investments. These include:
Many failure examples cite similar reasons. These include:
All of these could have been avoided by the adoption of a strong framework for the governance of IT.
Having a structure for the governance of IT is a key part of any governance framework. A structure example helps to answer the “who?” and “what?” questions of governance: who is doing the governing and what are they governing. The “how?” is defined by the processes and policies in the governance framework, which set out how IT in the organization is governed.
There should be multiple levels of governance. Each level has a distinct purpose and specific decisions that can be made at that level. The highest level of governance is Strategic. Typically comprised of senior executives, this level of governance primarily focuses on the alignment between business strategy and the IT strategy. This group sets the vision for where the business is going and how IT will help it get there.
The next level of governance in this structure example is the Executive level. This group is responsible for prioritizing all IT projects, allocating resources, and ensuring the achievement of the business benefits. The CIO normally chairs this body, with representatives from across the business.
The third layer of governance has two parts: Program governance and Business process governance. Program governance oversees the delivery of specific IT projects. These bodies deal with escalated project issues, organizational change management, and benefits realization. They are typically formed on an ad-hoc basis for a specific project or group of related projects and are disbanded when the project is closed.
Business process governance is responsible for how organization-wide processes that involve the use of IT are executed and amended.
The final level of IT governance is the Operations layer. These bodies exist within the operational IT service management functions, concentrating on managing incidents and problems and approving change requests. A typical example at this layer is a Change Advisory Board, which is responsible for the governance of changes to IT systems.
IT is fundamental to how most organizations do business today. Having robust governance over IT is essential if you want to stay in business, maintain any competitive advantage in your business sector, support your enterprise’s growth, reduce the risks of IT, and avoid issues of non-compliance with regulatory requirements. To be successful in how you govern IT, you should:
IT governance is no longer optional; it is an essential component of any successful business.