Actions

IT Governance

IT Governance refers to the systematic and structured approach that integrates processes, frameworks, and decision-making mechanisms to direct and control the use of Information Technology (IT) within an organization. This management strategy ensures that the IT Infrastructure supports and enables the achievement of organizational goals, objectives, and strategies.

A key aspect of IT Governance is the establishment of well-defined policies, procedures, and controls. These provide guidelines for all IT-related activities and decisions within the organization, ensuring consistency, security, and adherence to best practices and legal requirements.

IT Governance aligns IT initiatives and investments with the overall organization's strategic objectives. This involves evaluating, prioritizing, and approving IT projects, investments, and capabilities based on various factors. These factors include but are not limited to, business needs, risk management considerations, stakeholder interests, and the efficient allocation of resources.

Effective IT Governance also emphasizes strong communication and collaboration across various departments, teams, and stakeholders. It fosters involvement, engagement, and informed participation from relevant stakeholders, enabling diverse perspectives and expertise to be considered in decision-making processes.

Accountability is another integral aspect of IT Governance. By defining and assigning roles and responsibilities, the organization can ensure clarity regarding who is responsible for specific decisions, actions, and outcomes relating to IT.

Continuous improvement is a cornerstone of IT Governance. It involves regularly monitoring, evaluating, and enhancing IT practices and decision-making processes to adapt to evolving technological landscapes, organizational needs, and industry best practices.

IT Governance incorporates comprehensive risk management practices. This includes conducting regular risk assessments, implementing mitigation strategies, and maintaining ongoing monitoring to identify, address, and prevent risks associated with technology adoption.

Furthermore, IT Governance is integrated with broader enterprise governance, ensuring a holistic and coherent approach to management across the entire organization. This integration enables informed decision-making regarding IT investments, optimizing the utilization of IT resources, mitigating risks, and ensuring that IT initiatives contribute effectively to the achievement of business objectives.

In conclusion, IT Governance is a comprehensive and structured approach that guides how organizations manage and utilize IT to achieve their objectives. It includes various elements ranging from policy development, strategic alignment, stakeholder engagement, accountability, continuous improvement, risk management, and integration with broader governance.

Simply put, IT Governance ensures:

  • effective and efficient use of information technology
  • alignment between IT Strategy and business strategy
  • maximum returns on IT investments

Essentially, IT Governance uses formal and informal mechanisms to monitor and control key information technology capability decisions - in an attempt - to ensure the delivery of value to key stakeholders in an organization. Where IT Strategy sets the approach for using IT for business value, governance sets the direction.



Key Elements of IT Governance

Here are the key elements of a robust information technology governance:

  1. Systematic and Structured Approach: Utilizing processes, frameworks, and decision-making mechanisms to direct and control the use of IT within an organization.
  2. Establishment of Policies, Procedures, and Controls: Setting clear guidelines for IT-related activities and decisions, ensuring consistency and adherence to best practices and legal requirements.
  3. Strategic Alignment: Aligning IT initiatives and investments with the organization's strategic objectives and goals.
  4. Evaluation and Prioritization of IT Projects: Assessment, prioritization, and approval of IT projects, investments, and capabilities based on various factors, including business needs, risk management, stakeholder interests, and resource allocation.
  5. Effective Communication and Collaboration: Facilitating strong communication and collaboration across various departments, teams, and organizational stakeholders.
  6. Stakeholder Engagement: Fostering involvement, engagement, and informed participation from relevant stakeholders in IT decision-making processes.
  7. Accountability and Defined Roles: Ensuring clarity regarding who is responsible for specific IT decisions, actions, and outcomes.
  8. Continuous Improvement: Regularly monitoring, evaluating, and enhancing IT practices and decision-making processes.
  9. Comprehensive Risk Management: Incorporating practices such as regular risk assessments, mitigation strategies, and ongoing monitoring to manage IT risks.
  10. Integration with Broader Governance: Coordinating IT Governance with broader enterprise governance for a holistic approach to organizational management.
  11. Informed Decision-Making regarding IT Investments: Making well-informed decisions about IT investments, considering factors such as cost, benefits, risks, and alignment with strategic goals.
  12. Optimization of IT Resource Utilization: Ensuring efficient use of IT resources to maximize the organization's benefits.
  13. Mitigation of IT Adoption Risks: Addressing potential risks associated with technology adoption, including security, compliance, operational, and financial risks.
  14. Contribution to Business Objectives: Ensuring that IT initiatives support and contribute effectively to achieving overall business objectives.


Why do Organizations Need IT Governance?

IT governance is essential for organizations as it provides a framework and structure for effectively managing and aligning IT with business objectives. Here are some key reasons why organizations need IT governance and its importance:

  1. Strategic Alignment: IT governance ensures that IT activities, initiatives, and investments are closely aligned with the organization's strategic goals and objectives. It helps bridge the gap between IT and business, enabling IT to support and contribute to achieving strategic priorities. By aligning IT with business strategy, organizations can maximize the value and impact of technology on their overall success.
  2. Risk Management: IT governance establishes processes and controls to identify, assess, and mitigate IT-related risks. It ensures that appropriate security measures, data protection practices, and regulatory compliance requirements are in place. Effective IT governance helps organizations safeguard sensitive information, protect against cyber threats, and ensure business continuity.
  3. Decision Making and Accountability: IT governance provides a framework for decision-making and accountability within the IT function. It defines clear roles, responsibilities, and decision rights, promoting effective decision-making processes and ensuring that decisions are aligned with organizational goals. This clarity and accountability enhance organizational efficiency and effectiveness.
  4. Resource Allocation and Optimization: IT governance facilitates efficient and effective allocation of IT resources, including financial, human, and technological resources. It helps prioritize and optimize IT investments, ensuring that resources are allocated to initiatives that deliver the most value and align with strategic priorities. Through IT governance, organizations can avoid wasteful spending, optimize resource utilization, and improve return on investment.
  5. Performance Measurement: IT governance establishes performance metrics and monitoring mechanisms to track the performance of IT initiatives, projects, and service delivery. It enables organizations to assess the effectiveness and efficiency of IT operations, measure the achievement of objectives, and identify areas for improvement. Performance measurement through IT governance promotes a culture of continuous improvement and informed decision-making.
  6. Stakeholder Engagement: IT governance involves engaging and involving key stakeholders, including senior management, business units, IT teams, and external partners. It fosters collaboration, communication, and a shared understanding of IT-related matters. By involving stakeholders in decision-making processes and providing them with visibility and transparency, IT governance builds trust, enhances relationships, and improves the overall IT-business alignment.
  7. Compliance and Audit: IT governance helps organizations meet regulatory and compliance requirements specific to the IT domain. It establishes control mechanisms, policies, and processes that ensure legal, industry, and internal standards adherence. Through IT governance, organizations can confidently undergo audits, demonstrate compliance, and mitigate legal and regulatory risks.

Overall, IT governance is crucial for organizations as it provides a structured approach to effectively managing and leveraging IT resources. It enables organizations to make informed decisions, manage risks, optimize resource allocation, measure performance, engage stakeholders, and ensure compliance. By implementing effective IT governance, organizations can harness the power of technology to drive innovation, enhance operational efficiency, and achieve their strategic objectives.

If an organization lacks proper IT governance, several negative consequences and challenges may arise. Here are some potential outcomes of lacking IT governance:

  1. Lack of Strategic Alignment: Without IT governance, there is a higher risk of misalignment between IT initiatives and the organization's strategic goals. IT projects and investments may not be adequately prioritized or linked to business objectives, leading to inefficiencies, wasted resources, and missed opportunities for value creation.
  2. Inefficient Resource Allocation: Without a governance framework, IT resources such as budgets, personnel, and infrastructure may be allocated haphazardly or without proper oversight. This can result in suboptimal resource utilization, duplication of efforts, or underutilizing critical IT assets.
  3. Increased Risk Exposure: The absence of IT governance can leave an organization vulnerable to various risks, including cybersecurity breaches, data breaches, regulatory non-compliance, and operational disruptions. Without defined processes and controls, there may be a lack of oversight and accountability in managing and mitigating these risks, potentially leading to significant consequences.
  4. Lack of Accountability: IT governance establishes clear roles, responsibilities, and decision-making processes, promoting accountability across the organization. Without governance, accountability may be ambiguous or fragmented, making it challenging to track ownership, resolve issues, and ensure effective decision-making.
  5. Ineffective Decision-Making: A lack of IT governance can result in ad-hoc decision-making processes without proper evaluation, analysis, or consideration of broader organizational implications. Decisions may be made in isolation, without a comprehensive understanding of their impact on IT operations, resources, and strategic outcomes.
  6. Inefficient IT Operations: The absence of governance may lead to fragmented IT operations, redundant systems, and inconsistent practices. Standardization, coordination, and collaboration across IT functions may be lacking, resulting in inefficiencies, suboptimal service delivery, and increased operational costs.
  7. Compliance and Legal Risks: Without IT governance, organizations may struggle to meet regulatory requirements and comply with industry standards. This can expose the organization to legal risks, penalties, reputational damage, and loss of customer trust. Lack of proper controls and documentation can make audits and compliance assessments challenging or even impossible.
  8. Limited Innovation and Adaptability: IT governance frameworks often provide mechanisms for innovation, such as evaluating emerging technologies, conducting research, and fostering experimentation. Without such frameworks, organizations may struggle to leverage technology advancements effectively, hindering their ability to innovate and adapt to changing business and market dynamics.

The absence of IT governance can lead to a lack of strategic focus, inefficient resource allocation, increased risks, inadequate accountability, ineffective decision-making, and compliance challenges. These factors can hinder an organization's ability to leverage IT effectively, achieve its objectives, and respond to evolving business needs and technology trends. Implementing robust IT governance practices is essential for organizations to mitigate these risks, optimize IT operations, and drive business value.


IT Governance Key Points

  • IT Governance is a process. It is not a point-in-time event. It is not a committee. It is not a department.
  • The objective of IT Governance is to ensure the delivery of business results not "IT systems performance" nor "IT risk management" - that would reinforce the notion of IT as an end in itself. On the contrary, IT Governance is about IT decisions that have an impact on business value.
  • The process, therefore, monitors and control key IT decisions that might have an impact - positive or negative - on business results.
  • The concept of governance is meaningless without the recognition of both ownership and responsibility. The key stakeholders in an organization have an "ownership" stake in the organization. The management is responsible to these stakeholders.
    • We must recognize the ownership stake of not just shareholders but also of the other stakeholders such as customers, vendors, employees etc.
    • The "management," i.e. the people entrusted with making key decisions, is responsible to these stakeholders.
  • Therefore, the objective of IT Governance is not just the delivery of risk-optimized business value but also to engender the trust of the key stakeholder in the people to who they have entrusted their money and/or livelihood!
    • One can argue that this trust results in more business value. No doubt. But the fact remains that it is a means to that end and must be recognized independently as a motivation for IT Governance.
    • In a sense, IT Governance acts upon the old adage of "trust but verify!"


Corporate Governance of Information Technology (CGIT)

Information Technology Governance is an essential element of corporate governance so it is sometimes referred to as the corporate governance of information technology.

IT governance is a broad concept that is centered on the IT department or environment delivering business value to the enterprise. It is a set of rules, regulations, and policies that define and ensure the effective, controlled, and valuable operation of an IT department. It also provides methods to identify and evaluate the performance of IT and how it relates to business growth. Moreover, by following and implementing an IT Governance Framework such as ISACA's COBIT Framework, an organization can comply with regulatory requirements and reduce IT business while attaining measurable business benefits.IT governance uses, manages, and optimizes IT in such a way that it supports, complements or enables an organization to achieve its goals and objectives.[1]


Other Definitions of IT Governance

There are many definitions of IT Governance.
Notable among them are the following:

  • IT governance is the responsibility of executives and the board of directors and consists of the leadership, organizational structures, and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategy and objectives. (ITGI, 2005)
  • IT governance is specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT. (Weill & Woodham, 2002)
  • IT governance is the organizational capacity exercised by the board, executive management, and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT. (Van Grem-bergen, 2000)
  • Weill and Ross define IT governance as "the decision rights and accountability framework to encourage desirable behavior in the use of IT." They identify three components of governance:
    • IT Decisions Domains: What are the key IT decision areas?
    • IT Governance Archetypes: Who governs the decision domains and how is it organized? Who decides or has input, and how?
    • Implementation Mechanisms: How is the decision and input structures formed and put in place?[2]
  • The IT Governance Institute (ISACA) defines IT Governance as follows:

"...leadership, organizational structures and processes to ensure that the organization's IT sustains and extends the organization's strategies and objectives."[3]

  • According to Gartner IT governance (ITG) is defined as "the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals." IT demand governance (ITDG — what IT should work on) is the process by which organizations ensure the effective evaluation, selection, prioritization, and funding of competing IT investments; oversee their implementation, and extract (measurable) business benefits. ITDG is a business investment decision-making and oversight process, and it is a business management responsibility. IT supply-side governance (ITSG — how IT should do what it does) is concerned with ensuring that the IT organization operates in an effective, efficient and compliant fashion, and it is primarily a CIO responsibility.[4]
  • CIO Magazine defines IT Governance as "putting structure around how organizations align IT Strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance." It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results. An IT governance framework should answer some key questions, such as how the IT department is functioning overall, what key metrics management needs, and what return IT is giving back to the business from the investment it’s making.[5]


Different Names of IT Governance

IT Governance is also known as:

  • Information technology governance
  • Information and communications technology governance (ICT Governance)
  • Corporate Governance of information technology (CGIT)
  • Corporate governance of information and communications technology
  • Enterprise governance of information technology (EGIT)


History of IT Governance[6]

The discipline of information technology governance first emerged in 1993 as a derivative of corporate governance and deals primarily with the connection between an organization's strategic objectives, business goals, and IT management within an organization. It highlights the importance of value creation and accountability for the use of information and related technology and establishes the responsibility of the governing body, rather than the chief information officer or business management. The primary goals for information and technology (IT) governance are to
(1) assure that the use of information and technology generates business value,
(2) oversee management's performance and
(3) mitigate the risks associated with using information and technology.
This can be done through board-level direction, implementing an organizational structure with well-defined accountability for decisions that impact the successful achievement of strategic objectives, and institutionalizing good practices through organizing activities in processes with clearly defined process outcomes that can be linked to the organization's strategic objectives. Following corporate governance failures in the 1980s, a number of countries established codes of corporate governance in the early 1990s

  • Committee of Sponsoring Organizations of the Treadway Commission (USA)
  • Cadbury Report (UK)
  • King Report (South Africa).

As a result of these corporate governance efforts to better govern the leverage of corporate resources, specific attention was given to the role of information and the underpinning technology to support good corporate governance. It was soon recognized that information technology was not only an enabler of corporate governance, but as a resource, it was also a value creator that was in need of better governance. In Australia, the AS8015 Corporate Governance of ICT was published in January 2005. It was fast-track adopted as ISO/IEC 38500 in May 2008. IT governance process enforces a direct link of IT resources & processes to enterprise goals in line with the strategy. There is a strong correlation between the maturity curve of IT governance and the overall effectiveness of IT.


IT Governance Landscape (Figure 1.)[7]

IT governance should not be considered a company initiative. It is not a project that begins and ends, but rather is the fabric of your business and transcends time, leadership, and initiatives. And whether you have organic (grown unintentionally) or deliberate (grown intentionally) IT governance, the questions you should ask include: "How good are my IT governance processes at effectively delivering strategic business value year after year?" "Are my processes repeatable, predictable, and scalable; are they truly meeting the needs of my business (outside of IT) and my customers?" It is no more likely that a single IT governance process will work for all IT business processes than it is for every one of your customers to be satisfied with the exact same product or service configuration for any given product or service that your company produces. Therefore, a number of IT governance-related processes must be considered. The integrated collection of available IT governance processes is referred to as the IT governance landscape. IT governance is a subset of enterprise governance which at the highest level drives and sets what needs to be accomplished by IT governance. IT governance itself encompasses systems, infrastructure, and communication. Product development governance, like IT governance, is a subset of enterprise governance and overlaps with IT governance. Product development governance is targeted at enterprises that develop products (as opposed to service delivery, for example). Development governance is governance applied to development organizations and programs and is a subset of IT and product development governance. Development governance encompasses the |software development lifecycle. Figure 1. illustrates these relationships, highlighting development governance.


IT Governance Landscape
Figure 1. source: IBM


Domains of IT Governance (Figure 2.)[8]

Ask a room of IT governance professionals and business executives this question and chances are each one would provide a different answer. Fortunately, the ISACA organization, a leading global provider of certifications, knowledge, advocacy, and education of information systems, assurance, and security has developed some useful guidance that separates IT Governance into 5 separate domains (ISACA, 2013) each of which are briefly described below:

  1. Strategic Alignment: Strategic Alignment is concerned with how IT supports the enterprise strategy and how IT operations are aligned with current enterprise operations. Alignment involves:
    • Understanding the needs of the business
    • Developing IT strategy and objectives
    • Resource allocation – portfolio management
    • Demand management
    • Communication
  2. Value Delivery: Value Delivery ensures that value is obtained from investment in information technology and is an essential component of IT governance. It involves selecting investments wisely and managing them throughout their life cycle—from inception to final retirement. It involves making sure that IT delivers appropriate quality on time and within budget and examines how the actual cost is managed and how the ROI is determined.
    • Identifying project value drivers
    • Identifying service value drivers
    • Project management
    • External benchmarking
  3. Performance Management: Performance management looks at how IT tracks and monitors implementation strategy, how the success of the project is determined, resource usage, and the ensuing process performance and service delivery
    • Customer satisfaction
    • Service level management
    • Business value measurement
    • Process improvement
  4. Risk Management: Risk Management is about safeguarding IT assets, disaster recovery, and continuity of operations including security and information integrity.
    • Organizational risk appetite
    • Project and investment risk mitigation
    • Information security risk mitigation
    • Operational risk mitigation
    • Compliance regulatory mandates
    • Audit
  5. Resource Management: Resource Management looks at how IT optimizes and manages critical IT resources
    • Hardware and software asset management
    • Third-party service providers & Outsourcing
    • Standardized architecture
    • Financial management – service costing


Domains of IT Governance
Figure 2. source: Maciej Rostanski,Marek Pyka et al.


What is perhaps most important here, however, is not that all 5 IT governance domains are fully inserted into the enterprise, but that the recommendations, standards, and best practices contained in the domains are considered and applied in accordance with the needs, requirements, and capabilities of the business. As such the ISACA model is arguably most useful when it is considered a basic guideline for injecting IT governance best practices into the business when and where they are specifically needed. It is however advisable that no matter the size and maturity level of the business at least some elements from each domain should be present to ensure effective IT governance.


Principles of IT Governance[9]

  1. Actively design governance: Actively designing governance involves senior executives taking the lead and allocating resources, attention, and support to the process. For some enterprises, this will be the first time IT governance is explicitly designed. Often there are mature business governance processes to use as a starting point. Not only does overall governance require active design, but each mechanism also needs regular review. Focus on having the fewest number of effective mechanisms possible. Many enterprises with effective IT governance have between six and ten integrated and well-functioning mechanisms. One goal of any governance redesign should be to assess, improve, and then consolidate the number of mechanisms.
  2. Know when to redesign: Rethinking the whole governance structure requires that individuals learn new roles and relationships. Learning takes time. Thus, governance redesign should be infrequent. Transformations involve many other issues besides IT and take many months to implement.
  3. Involve senior managers: CIOs must be effectively involved in IT governance for success. Other senior managers must participate in the committees, the approval processes, and performance reviews. For many enterprises, this involvement is a natural extension of senior management's normal activities. Senior management necessarily gets involved in strategic decisions. This means that senior management is rarely concerned with the exception process. However, if an exception has strategic implications, it may reach the executive-level IT Steering Committee.
  4. Make choices: Good governance, like a good strategy, requires choices. It's not possible for IT governance to meet every goal, but governance can and should highlight conflicting goals for debate. As the number of tradeoffs increases, governance becomes more complex. Top-performing enterprises handle goal conflicts with a few clear business principles. The resulting IT principles reflect these business principles.
  5. Clarify the exception-handling process: Exceptions are how enterprises learn. In IT terms, exceptions challenge the status quo, particularly the IT architecture and infrastructure. Some requests for exceptions are frivolous, but most come from a true desire to meet business needs. If the exception proposed by a business unit has value, a change to the IT architecture could benefit the entire enterprise. There are three common elements to their exceptions procedures:
    • The process is clearly defined and understood by all. Clear criteria and fast escalation encourage only business units with a strong case to pursue an exception.
    • The process has a few stages that quickly move the issue up to senior management. Thus, the process minimizes the chance that architecture standards will delay project implementation.
    • Successful exceptions are adopted into the enterprise architecture, completing the organizational learning process.
  6. Provide the right incentives: A major governance and incentive alignment issue is business unit synergy. If IT governance is designed to encourage business unit synergy, autonomy, or some combination, the incentives of the executives must also be aligned. Avoiding financial disincentives to desirable behavior is as important as offering financial incentives. Whenever incentives are based on business unit results, a chargeback can be a point of contention. Enterprises can manipulate charges to encourage desirable behavior, but chargeback pricing must be reasonable and clearly understood. It is hard to overestimate the importance of aligning incentive and reward systems to governance arrangements. If well-designed IT governance is not as effective as expected, the first place to look is incentives.
  7. Assign ownership and accountability for IT governance: Like any major organizational initiative, IT governance must have an owner and accountabilities. Ultimately, the board is responsible for all governance, but the board will expect or delegate an individual (probably the CEO or CIO) or group to be accountable for IT governance design, implementation, and performance—similar to the finance committee or CFO being accountable for financial asset governance. In choosing the right person or group, the board, or the CEO as their designate, should consider three issues.
    • IT governance cannot be designed in isolation from the other key assets of the firm (financial, human, and so on). Thus the person or group owning IT governance must have an enterprise-wide view that goes beyond IT, as well as credibility with all business leaders.
    • The person or group cannot implement IT governance alone. The board or CEO must make it clear that all managers are expected to contribute to IT governance as they would contribute to the governance of financial or any other key asset.
    • IT assets are more and more important to the performance of most enterprises. A reliable, cost-effective, regulation-compliant, secure, and strategic IT portfolio is more critical today than ever before. The person or group owning IT governance must understand what the technology is and is not capable of. It is not the technical details that are critical but a feel for the two-way symbiotic connection between strategy and IT.
  8. Design governance at multiple organizational levels: In large multi-business unit enterprises it is necessary to consider IT governance at several levels. The starting point is enterprise-wide IT governance driven by a small number of enterprise-wide strategies and goals. Enterprises with separate IT functions in divisions, business units, or geographies require a separate but connected layer of IT governance. Usually, the demand for synergies increases at the lower levels, whereas the need for autonomy between units is greatest at the top of the organization.
  9. Provide transparency and education: It's virtually impossible to have too much transparency or education about IT governance. Transparency and education often go together—the more education, the more transparency, and vice versa. The more transparency of the governance processes, the more confidence in the governance. The less transparent the governance processes are, the fewer people follow them. The more special deals are made, the less confidence there is in the process and the more workarounds are used. The less confidence there is in the governance, the less will there is to play by rules designed to lead to increased firm-wide performance. Special deals and nontransparent governance set off a downward spiral in governance effectiveness.
  10. Implement common mechanisms across the six key assets: There are six key assets through which enterprises accomplish their strategies and generate business value: Human assets, Financial assets, Physical assets, IP assets, Information, and IT assets, and Relationship assets. Each asset may be expertly governed, but the opportunity for synergistic value is lost. Put this way, the coordination of the six assets seems blindingly obvious. But just glance back at your six lists of mechanisms and see how well coordinated—and more importantly, how effective—they are. Many enterprises successfully coordinate their six assets within a project but not across the enterprise via governance. In designing IT governance, review the mechanisms used to govern the other key assets and consider broadening their charter (perhaps with a subcommittee) to IT rather than creating a new, independent IT mechanism.


IT Governance Frameworks

IT Governance Frameworks [10]
There are three widely recognized, vendor-neutral, third-party frameworks that are often described as 'IT governance frameworks'. While on their own they are not completely adequate for that task, each has significant IT governance strengths:

  • ITIL®: ITIL, or IT Infrastructure Library®, was developed by the UK's Cabinet Office as a library of best-practice processes for IT service management. Widely adopted around the world, ITIL is supported by ISO/IEC 20000:2011, against which independent certification can be achieved. On our ITIL page, you can access a free briefing paper on ITIL, IT service management, and ISO 20000.
  • COBIT®: Control Objectives for Information and Related Technology (COBIT) is an IT governance control framework that helps organizations meet today’s business challenges in the areas of regulatory compliance, risk management, and aligning IT strategy with organizational goals. COBIT is an internationally recognized framework. In particular, COBIT's Management Guidelines component contains a framework for the control and measurability of IT by providing tools to assess and measure the enterprise’s IT Capability for the 37 identified COBIT processes.
  • ISO 27002: ISO 27002 (supported by ISO 27001), is the global best-practice standard for information security management in organizations.

The challenge, for many organizations, is to establish a coordinated, integrated framework that draws on all three of these standards.[11]


IT Governance Implementation and Life-Cycle

IT Governance Implementation (Figure 3.)[12] IT Governance implementation initiatives must be properly and adequately managed. Support and direction from key leadership executives can ensure that improvements are adopted and sustained. Requirements based on current challenges should be identified by management as areas that need to be addressed, supported by early commitment and buy-in of relevant key leadership executives, and enabled objectives and benefits that are clearly expressed in a business case. Successful implementation depends on implementing the appropriate change in the appropriate way. The implementation life cycle provides a way for enterprises to address the complexity and challenges typically encountered during implementations. The three interrelated components of the life cycle are:

  1. Core continual improvement life cycle—as opposed to a one-off project
  2. Change enablement—addressing the behavioral and cultural aspects
  3. Program management—following generally accepted project management principles


IT Governance Implementation Lifecycle
Figure 3. source: BusinessOfGovernment.Org


The implementation life cycle and its seven phases are illustrated above:

  • Phase 1: recognition and agreement on the need for an implementation or improvement initiative. It identifies the current pain points and creates a desire to change at executive management levels.
  • Phase 2: focus on defining the scope of the implementation or improvement initiative, considering how risk scenarios could also highlight key processes on which to focus. An assessment of the current state will need to be performed to identify issues or deficiencies by carrying out a process capability assessment. (Large-scale initiatives should be structured as multiple iterations of the life cycle in order to achieve visible successes and keep key leadership interests.)
  • Phase 3: improvement target set, including a more detailed analysis to identify gaps and potential solutions. (Some solutions may be quick wins and others more challenging and longer-term activities – priority should be given to initiatives that are easier to achieve and those likely to yield the greatest benefits.)
  • Phase 4: practical solutions with defined projects supported by justifiable business cases and a change plan for implementation is developed. (Well-developed business cases help to ensure that project benefits are identified and monitored.)
  • Phase 5: proposed solutions implemented into day-to-day practices, measurements are defined, and monitoring established, ensuring that business alignment is measured, achieved, and maintained.
  • Phase 6: sustainable operation of the new or improved IT Governance initiatives and the monitoring of the achievement of expected benefits.
  • Phase 7: the overall success of the initiative is reviewed, further requirements for IT Governance are identified, and the need for continual improvement is reinforced.

Over time, the life cycle should be followed iteratively while building a sustainable approach to the IT Governance of the enterprise.

To ensure the success of the IT Governance implementation initiative, a sponsor should take ownership, involve all key leadership executives, and provide for a business case. Initially, the business case can be at a high level from a strategic perspective—from the top down—starting with a clear understanding of the desired business outcomes and progressing to a detailed description of critical tasks and milestones as well as key roles and responsibilities; a business case is a valuable tool available to management in guiding the creation of business value. At a minimum, the business case should include the following:

  • Business benefits, their alignment with business strategy, and the associated benefit owners.
  • Business changes needed to create the envisioned value. This could be based on health checks and capability gap analyses and should clearly state both what is in scope and what is out of scope.
  • Investments needed to make the IT Governance changes (based on estimates of projects required)
  • Ongoing IT and business costs.
  • Expected benefits of operating in a changing way.
  • Roles, responsibilities, and accountabilities related to the initiative.
  • How the investment and value creation will be monitored throughout the economic life cycle, and the metrics to be used (based on goals and results).
  • The risk inherent in the change, including any constraints or dependencies (based on challenges and success factors).


Effective IT Governance

Achieving Effective IT Governance Implementation [13] There are seven critical success factors for achieving effective IT governance implementations. These are widely accepted as important by companies that have had successful IT governance implementation:

  • Get executive sponsorship.
    • The higher in the organization the better. If IT governance is seen as “optional,” it won’t work.
    • Certainly on the IT side, the CIO should be a visible, vocal champion.
    • On the business side, it would be ideal to have a C-level executive. CFOs in particular are powerful persuaders because it’s clear they’re speaking on behalf of the company’s bottom line.
  • Put client resources on the team.
    • This is spoken from a consultant’s point of view, but the concept is equally valid for internal implementations.
    • Success depends on strong teamwork and alliances across IT and the business side.
    • By exposing both key business-side and IT users to the system early, taking the time to acquaint them to it, and explaining its benefits, you create champions who carry the story across the company.
  • Understand the problem.
    • Aim before you fire. Take the time to determine where you’re starting from in the Capability Maturity Model. If you’re at level one, you have basic process work to do before you are ready to implement a transformational solution.
    • Pick an attainable target to start with, ideally a particular pain point that is costing you time and money. It might be poor project performance resulting from a lack of visibility and control; slow, labor-intensive handling of routine business requests of IT; mistake-prone application change management that endangers your all-important business systems; a lack of standards for comparing the potential value of various projects in the IT portfolio; or a combination of these. Start with one and work from there.
  • Envision the solution.
    • Think hard about what you want to accomplish initially. Set goals high, but don’t make them unattainable—it demoralizes people.
    • Make sure your requirements are clearly defined and universally understood among all the stakeholders.
    • Stick to the original plan once you’ve adopted it. Keep the vision firmly fixed in your mind. Don’t listen to the siren song of scope creep. Achieve your mission first, and then build on success.
    • Focus on process improvement areas. Look for every opportunity to streamline workflow and remove steps. If you’re not already using a standard framework such as ITIL, you should seriously consider embracing it. It will help you employ processes in a proven and effective way.
  • Pick the right software solutions for the right reasons.
    • Recognize that successful IT governance requires clear, enforceable processes and standards. Your software should provide real-time visibility of projects and activities in easy-to-use desktop dashboards. It should also include built-in enforcement mechanisms.
    • Think beyond your initial implementation. Make sure the software is built to be an enterprise-level solution—scalable, in other words. Check to see that it is easily configurable and flexible in its use.
    • Also be sure the software is compatible with, and leverages, best practice frameworks such as ITIL and CMMi, and supports such quality issues as Six Sigma.
  • Take small steps.
    • Don’t “swing for the fences.” Start with a pilot project or group, ideally one where the new system will show clear value to users and gain support.
    • Training is extremely important. Don’t expect people to move to the new system seamlessly. If you throw them in over their heads, you risk drowning the initiative.
    • At some point, you’ll find the new IT governance system positioned to replace some standalone existing application that has a following in the company. Some amount of resistance at this point is natural. Take it slow, and at these critical junctures, take the time to win recalcitrant users over through collaborative engagement.
    • Still, you have to keep moving forward once you’ve started. Small steps will get you there, but not if you let pockets of resistance stall the effort for extended periods.
  • Include post-implementation activities.
    • This is one of the most overlooked parts of the process, though it is potentially the most important.
    • Make sure you have developed clear plans for the transition to the new system and that you implement them methodically as soon as the implementation is complete.
    • This is a critical time to assess the effectiveness of your training. Make the investment in one-on-one customized training with end users as a reality check on the usability of the system and the level of engagement it elicits in users.
    • This is also the time to evangelize the system on the business side. Set up customized C-level and executive dashboards and deploy them to users, being sure to acculturate the executives to the new system, and emphasizing the real-time visibility and control it provides them to “twist the dials” and extract more business value from IT.
    • Actively ask for feedback. In effect, immediately transfer ownership of the system to the end users by requesting and documenting user comments and suggestions for enhancements. Implement the best suggestions right away, so front-line users see that they’re being listened to. They’ll embrace the system faster.


Benefits of IT Governance

Benefits of Implementing IT Governance (Figure 4.) [14]
The key benefits of implementing an IT governance model include: • Strategic alignment, resulting in increased business partner satisfaction • Enhanced value delivery, driven by improved project prioritization, leading to a reduction of the IT budget • Improved performance and resource management, lowering the total cost of IT ownership • Better quality of IT output, resulting in a reduction in IT control issues


Figure 4 illustrates the typical benefits and impacts seen when implementing IT governance for clients across various industry sectors.
Benefits of IT Governance
Figure 4. source: Cognizant


IT Governance, Risk Management, and Compliance

IT Governance, Risk and Compliance (IT GRC)(Figure 5)[15] "Adopting a unified IT Governance, Risk and Compliance (IT GRC) approach, and managing the associated activities coherently will create efficiencies, provide a holistic view of the IT environment and ensure accountability."

IT GRC ensures that:

  • Activities and functions of IT organization (s) support objectives investments are maximized.
  • IT delivers envisioned benefits against the strategy, costs are optimized, and relevant best practices are incorporated.
  • The optimal investments are made in IT and critical IT resources are responsibly, effectively, and efficiently managed and used.

IT Governance, Risk and Compliance (IT GRC
Figure 5 source: PWC

Some important issues:

  • Profitability
    • Firms with above-average IT governance performance had more than 20% higher profitability than firms with poor governance
    • Effective IT governance is the single most important predictor of the value an organization generates from IT
  • Regulatory and industry requirements
    • Organizations need to satisfy quality, fiduciary, and security requirements for information as for all other assets
    • Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines a widely accepted control framework for enterprise governance and risk management also requires a framework for control over IT
    • Sarbanes-Oxley, Basel II
    • Industry-specific regulations
    • General calls for greater transparency


IT Governance Maturity Model (Figure 6.)[16]

The figure below illustrates the capability maturity model for the IT governance process. This capability maturity model (CMM) describes a maturity curve on these capability levels: initial/ad hoc, repeatable, defined, managed, and optimized, along with these parameters: strategic alignment, value delivery, risk management, resource management, and performance management.


IT Governance Capability Maturity Model
Figure 6. source: Knowledge Leader


How IT Governance Creates IT Value[17]

IT governance has primarily been driven by the need for the transparency of enterprise risks and the protection of shareholder value. The overall objective of IT governance is to understand the issues and the strategic importance of IT so that the firm can maintain its operations and implement strategies to enable the company to better compete now and in the future. Hence, IT governance aims at ensuring that expectations for IT are met and that IT risks are mitigated. IT governance exists within corporations to guide IT initiatives and to ensure that the performance of IT meets the following corporate objectives:

  • Alignment of IT to support business operations and sustain advantages;
  • Responsible use of IT resources;
  • Appropriate identification and management of IT-related risks;
  • Facilitation of IT aid in exploiting opportunities and maximizing benefits.

A structured IT governance committee or policy along with corporate managers combine to ensure that IT is synchronized with the business and delivers value to the firm. IT governance also aids companies in instituting formal project approval processes and performance management plans. Firms typically make five types of IT decisions:

  • IT principles decisions dictating the role of IT in the enterprise.
  • IT architecture decisions on technical choices and directions.
  • IT infrastructure decisions on the delivery of shared IT services.
  • Business application requirements decisions for each project.
  • IT investment and prioritization decisions.

IT governance exists to assist enterprise leaders in their responsibility to make IT successful in supporting the firm’s goals and mission. IT governance helps firm executives to raise awareness and understanding among employees. Such governance also helps provide guidance and tools to boards of directors, executive managers, and CIOs to ensure that IT is appropriately aligned with corporate goals and policies and that IT meets and exceeds the expectations of the firm.


More on IT Governance (corporate governance of information technology)

IT governance is merely a subset of enterprise regulation, which ensures that the organization’s IT sustains strategies and objectives. The need to oversee technology investments is even more important, at a time when many high-ranking officials are blatantly violating set norms. Information security accountability is dependent only on effective management and adherence to legal and regulatory norms. The CXO challenge is not to understand every aspect of technology infrastructure but understand its role as a strategic business driver.

To make IT governance a talking point, experts recommend a multi-pronged strategy:

  • Enable IT-Board Coordination: Many technology tools are now available to foster innovation. More frequent communication, ease of document sharing and materials, as well as reports and analytics help boards, gain insight into an organization’s risk management processes.
  • Balancing Technology Risk: There is a multiplicity of risks associated with technology. Relatively few people understand the nature of these challenges. Board influencers and decision-makers need to identify critical segments and minimize liabilities.
  • Business-Technology Strategy: Most executives need to understand how technology strategy works at multiple levels:
    • How information technology enhances the organization’s ability to understand the financial, operational, and reputational aspects of a company.
    • Creating a business idea that works in real-time.
  • Effective ROI: When conceptualizing a project with long-term implications, carefully study every aspect business-related: the financial, operational, and reputation-based projects of technology investments.
  • Stakeholder Analysis And Education: Democratizing access and educating every stakeholder is integral to making technology ubiquitous. In most organizations, many stakeholders are unaware or cannot connect due to multiple reasons. Also, educating relevant stakeholders about proper technology facets enhances the impact. Long-term viability and sustainability a function of how IT permeates into the organization ethic.[18]


10 Important Factors to Consider When Developing Your IT Governance Strategy

  1. Establishing effective IT governance is crucial for organizations to ensure their technology investments align with business objectives.
  2. Implementing strong IT governance practices can help organizations manage risk better and comply with regulatory requirements.
  3. Adhering to industry standards and best practices is a key component of sound IT governance.
  4. Fostering a culture of accountability and transparency is essential to the success of IT governance initiatives.
  5. Ensuring that IT governance policies and procedures are clearly defined and communicated is critical to achieving organizational goals.
  6. Embracing agile IT governance can help organizations to respond more quickly and effectively to changing business needs and technology trends.
  7. Engaging organizational stakeholders is essential to developing a comprehensive IT governance framework.
  8. Regularly assessing and evaluating the effectiveness of IT governance practices is important to ensure continuous improvement and value creation.
  9. Developing a roadmap for IT governance can help organizations to prioritize initiatives and allocate resources effectively.
  10. Leveraging technology to support IT governance processes can improve efficiency, transparency, and accountability.


See Also

IT Governance refers to the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. It involves the leadership, organizational structures, and processes that ensure that the organization's IT sustains and extends its strategies and objectives. IT Governance is a critical part of corporate governance and addresses the management and control of key IT resources including infrastructure, applications, data, and human resources.

  • COBIT (Control Objectives for Information and Related Technology): A framework for IT governance and management created by ISACA. It provides a comprehensive set of best practices, analytical tools, and models designed to facilitate effective IT governance.
  • ITIL (Information Technology Infrastructure Library): A set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL guidance supports organizations and individuals to gain optimal value from IT and digital services.
  • ISO IEC 27001: An international standard for information security management systems (ISMS), providing a systematic approach to managing sensitive company information so that it remains secure.
  • Risk Management: The process of identifying, assessing, and controlling threats to an organization's capital and earnings. In the context of IT governance, this involves managing risks related to digital information and IT infrastructure.
  • Compliance: The act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures. Within IT governance, compliance includes ensuring IT practices meet legal and regulatory requirements and standards.
  • Strategic Alignment: The practice of ensuring that the organization's IT strategy both supports and is supported by the organization's overall business strategy. This involves aligning IT projects, assets, and processes with business goals.
  • Value Delivery: An essential component of IT governance focused on ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
  • Resource Management: The process of planning, allocating, and managing the organization's IT resources, including hardware, software, networks, and personnel, to ensure they are used effectively and efficiently.
  • Performance Measurement: The process of monitoring and evaluating the efficiency, effectiveness, and compliance of IT operations. This typically involves the use of metrics and KPIs (Key Performance Indicators) to assess IT's contribution to business objectives.
  • Stakeholder Engagement: Involves consulting and involving those affected by or interested in decisions and activities of IT governance. This ensures that the needs, concerns, and objectives of internal and external stakeholders are considered in IT decisions.
  1. IT Strategic Planning
  2. Enterprise Architecture (EA)
  3. IT Risk Management
  4. IT Compliance and Regulations
  5. Business IT Alignment
  6. IT Portfolio Management (ITPM)
  7. IT Performance Metrics
  8. Project Portfolio Management (PPM)
  9. Information Governance (IG)
  10. E-Governance
  11. Cloud Computing Governance
  12. Data Governance
  13. Risk Governance

Effective IT Governance ensures that IT supports business goals, adds business value, manages IT-related risks and resources efficiently, and measures IT performance. It's a strategic element of overarching corporate governance, requiring attention from top management and board directors to succeed.

References


Further Reading