IT Governance is a process used to monitor and control key information technology capability decisions, in an attempt to ensure the delivery of value to key stakeholders in an organization. Here are the key points in this definition:
- IT Governance is a process. It is not a point-in-time event. It is not a committee. It is not a department.
- The objective of IT governance is to ensure the delivery of business results, not "IT systems performance" or "IT risk management"; that would reinforce the notion of IT as an end in itself. On the contrary, IT Governance is about IT decisions that have an impact on business value.
- The process therefore monitors and controls key IT decisions that might have an impact, positive or negative, on business results.
- The concept of governance is meaningless without the recognition of both ownership and responsibility. The key stakeholders in an organization have an "ownership" stake in the organization. The management is responsible to these stakeholders.
- We must recognize the ownership stake not just of shareholders but also of the other stakeholders, such as customers, vendors, employees, etc.
- The "management," i.e. the people entrusted with making key decisions, is responsible to these stakeholders.
- Therefore, the objective of IT Governance is not just the delivery of risk-optimized business value but also to engender the trust of the key stakeholders in the people to whom they have entrusted their money and/or livelihood.
- One can argue that this trust results in more business value. No doubt. But the fact remains that it is a means to that end and must be recognized independently as a motivation for IT Governance.
- In a sense, IT Governance acts upon the old adage of "trust but verify!"[1]
IT governance is a broad concept that is centered on the IT department or environment delivering business value to the enterprise. It is a set of rules, regulations and policies that define and ensure the effective, controlled and valuable operation of an IT department. It also provides methods to identify and evaluate the performance of IT and how it relates to business growth. Moreover, by following and implementing an IT governance framework such as COBIT, an organization can comply with regulatory requirements and reduce IT business while attaining measurable business benefits. IT governance uses, manages and optimizes IT in such a way that it supports, complements or enables an organization to achieve its goals and objectives.[2]
There are many definitions of IT Governance.
Notable among them are the following:
- Weill and Ross define IT governance as "the decision rights and accountability framework to encourage desirable behavior in the use of IT." They identify three components of governance:
  - IT Decision Domains: What are the key IT decision areas?
  - IT Governance Archetypes: Who governs the decision domains and how is it organized? Who decides or has input, and how?
  - Implementation Mechanisms: How are the decision and input structures formed and put in place?[3]
- The IT Governance Institute (ISACA) defines IT Governance as follows: "... leadership, organizational structures and processes to ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."[4]
- According to Gartner, IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. IT demand governance (ITDG—what IT should work on) is the process by which organizations ensure the effective evaluation, selection, prioritization, and funding of competing IT investments; oversee their implementation; and extract (measurable) business benefits. ITDG is a business investment decision-making and oversight process, and it is a business management responsibility. IT supply-side governance (ITSG—how IT should do what it does) is concerned with ensuring that the IT organization operates in an effective, efficient and compliant fashion, and it is primarily a CIO responsibility.[5]
- CIO Magazine defines IT Governance as follows: "Simply put, it’s putting structure around how organizations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance. It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results. An IT governance framework should answer some key questions, such as how the IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from the investment it’s making."[6]
Different names of IT Governance
IT Governance is also known as:
- Information technology governance
- Information and communications technology governance (ICT Governance)
- Corporate governance of information technology
- Corporate governance of information and communications technology
Emergence of IT Governance[7]
The discipline of information technology governance first emerged in 1993 as a derivative of corporate governance and deals primarily with the connection between an organisation's strategic objectives, business goals and IT management within an organization. It highlights the importance of value creation and accountability for the use of information and related technology and establishes the responsibility of the governing body, rather than the chief information officer or business management. The primary goals of information and technology (IT) governance are to (1) assure that the use of information and technology generates business value, (2) oversee management's performance and (3) mitigate the risks associated with using information and technology. This can be done through board-level direction, implementing an organizational structure with well-defined accountability for decisions that impact the successful achievement of strategic objectives, and institutionalizing good practices by organizing activities into processes with clearly defined outcomes that can be linked to the organisation's strategic objectives.
Following corporate governance failures in the 1980s, a number of countries established codes of corporate governance in the early 1990s:
- Committee of Sponsoring Organizations of the Treadway Commission (USA)
- Cadbury Report (UK)
- King Report (South Africa).
As a result of these corporate governance efforts to better govern the leverage of corporate resources, specific attention was given to the role of information and the underpinning technology in supporting good corporate governance. It was soon recognized that information technology was not only an enabler of corporate governance but, as a resource, also a value creator in need of better governance. In Australia, AS8015 Corporate Governance of ICT was published in January 2005. It was fast-track adopted as ISO/IEC 38500 in May 2008. The IT governance process enforces a direct link between IT resources and processes and enterprise goals, in line with strategy. There is a strong correlation between the maturity curve of IT governance and the overall effectiveness of IT.
The IT Governance Landscape (Figure 1.)[8]
IT governance should not be considered a company initiative. It is not a project that begins and ends, but rather is the fabric of your business and transcends time, leadership, and initiatives. And whether you have organic (grown unintentionally) or deliberate (grown intentionally) IT governance, the questions you should ask include: "How good are my IT governance processes at effectively delivering strategic business value year after year?" "Are my processes repeatable, predictable, and scalable; are they truly meeting the needs of my business (outside of IT) and my customers?"
It is no more likely that a single IT governance process will work for all IT business processes than it is for every one of your customers to be satisfied with the exact same product or service configuration for any given product or service that your company produces. Therefore, a number of IT governance related processes must be considered. The integrated collection of available IT governance processes is referred to as the IT governance landscape.
IT governance is a subset of enterprise governance, which at the highest level drives and sets what needs to be accomplished by IT governance. IT governance itself encompasses systems, infrastructure, and communication. Product development governance, like IT governance, is a subset of enterprise governance and overlaps with IT governance. Product development governance is targeted at enterprises that develop products (as opposed to service delivery, for example). Development governance is governance applied to development organizations and programs, and is a subset of IT and product development governance. Development governance encompasses the software development lifecycle. Figure 1 illustrates these relationships, highlighting development governance.
Figure 1. (source: IBM)
Domains of IT Governance (Figure 2.)[9]
Ask a room of IT governance professionals and business executives this question and chances are each one would provide a different answer. Fortunately, ISACA, a leading global provider of certifications, knowledge, advocacy and education in information systems, assurance and security, has developed useful guidance that separates IT Governance into five domains (ISACA, 2013), each of which is briefly described below:
1. Framework for the Governance of Enterprise IT
Organizations need to implement an IT Governance framework which stays in continuous alignment with enterprise governance and the key drivers (both internal and external) directing the company’s strategic planning, goals and objectives.
- This framework should wherever possible attempt to utilize industry standards and best practices (COBIT, ITIL, ISO, etc.) in accordance with the explicit needs and requirements of the business.
- The IT Governance model should be driven at the top level of the organization with roles, responsibilities and accountabilities fully defined and enforced across the organization.
2. Strategic Management
To be effective in enabling and supporting the achievement of business objectives, business strategy must drive IT strategy. As such, the strategies of business and IT are intrinsically linked, and efficient and effective business operations and growth rely on the proper alignment of the two.
- Some of the most effective methods for achieving this alignment are the proper implementation of an enterprise architecture methodology, portfolio management, and balanced scorecards.
3. Benefits Realization
IT Governance helps the business realize optimized business benefits through the effective management of IT-enabled investments. Often there is considerable concern at a board or senior management level that IT initiatives are not translating into business benefits.
- IT Governance aims to ensure IT benefits through the implementation of value management practices, benefits realization planning, and performance monitoring and response.
- Key to benefits realization is the establishment of effective portfolio management to govern IT-enabled investments, as well as the design and utilization of appropriate performance metrics and reporting methods which are managed and responded to accordingly. The realization of a culture focused on continuous improvement can further help ensure benefits realization is achieved through a constant focus on improving business performance.
4. Risk Optimization
In an increasingly interconnected digital world, the identification, assessment, mitigation, management, communication and monitoring of IT-related business risk is an integral component of an enterprise's governance activities.
- While activities and capabilities for risk optimization of IT will differ widely based on the size and maturity of the organization and the industry vertical in which it operates, of most importance is the development of a risk framework which can demonstrate good governance to shareholders and customers in a repeatable and effective manner.
- Some important components of this dimension include business continuity planning, alignment to relevant legal and regulatory requirements, and the development of a risk appetite and tolerance methodology used to assist with risk-based decisions.
5. Resource Optimization
To be effective, IT requires sufficient, competent and capable resources (people, information, infrastructure and applications) in order to meet business demands and execute on the activities required to meet current and future strategic objectives.
- This requires focus on identifying the most appropriate methods for resource procurement and management, monitoring of external suppliers, service level management, knowledge management, and staff training and development programs.
What is perhaps most important here, however, is not that all five IT governance domains are fully inserted into the enterprise, but that the recommendations, standards and best practices contained in the domains are considered and applied in accordance with the needs, requirements and capabilities of the business. As such, the ISACA model is arguably most useful when it is considered as a basic guideline for injecting IT governance best practices into the business when and where they are specifically needed. It is, however, advisable that no matter the size and maturity level of the business, at least some elements from each domain should be present to ensure effective IT governance.
IT Governance Frameworks[10]
There are three widely recognized, vendor-neutral, third-party frameworks that are often described as 'IT governance frameworks'. While on their own they are not completely adequate to that task, each has significant IT governance strengths:
- ITIL, or IT Infrastructure Library®, was developed by the UK's Cabinet Office as a library of best-practice processes for IT service management. Widely adopted around the world, ITIL is supported by ISO/IEC 20000:2011, against which independent certification can be achieved.
- Control Objectives for Information and Related Technology (COBIT) is an IT governance control framework that helps organisations meet today’s business challenges in the areas of regulatory compliance, risk management and aligning IT strategy with organisational goals. COBIT is an internationally recognised framework. In particular, COBIT's Management Guidelines component contains a framework for the control and measurability of IT by providing tools to assess and measure the enterprise’s IT capability for the 37 identified COBIT processes.
- ISO 27002 (supported by ISO 27001) is the global best-practice standard for information security management in organisations.
The challenge, for many organisations, is to establish a coordinated, integrated framework that draws on all three of these standards.
The Importance of IT Governance[11]
- Compliance with regulations
- Competitive Advantage
- Support of Enterprise Goals
- Growth and Innovation
- Increase in Tangible Assets
- Reduction of Risk
IT Governance Implementation (Figure 3.)[12]
IT Governance implementation initiatives must be properly and adequately managed. Support and direction from key leadership executives can ensure that improvements are adopted and sustained. Requirements based on current challenges should be identified by management as areas that need to be addressed, supported by early commitment and buy-in of relevant key leadership executives, and enabled by objectives and benefits that are clearly expressed in a business case. Successful implementation depends on implementing the appropriate change in the appropriate way. The implementation life cycle provides a way for enterprises to address the complexity and challenges typically encountered during implementations. The three interrelated components of the life cycle are:
1. Core continual improvement life cycle—as opposed to a one-off project
2. Change enablement—addressing the behavioral and cultural aspects
3. Program management—following generally accepted project management principles
Figure 3.
The implementation life cycle and its seven phases are illustrated above:
- Phase 1: recognition of and agreement on the need for an implementation or improvement initiative. It identifies the current pain points and creates a desire to change at executive management levels.
- Phase 2: focus on defining the scope of the implementation or improvement initiative, considering how risk scenarios could also highlight key processes on which to focus. An assessment of the current state will need to be performed to identify issues or deficiencies by carrying out a process capability assessment. (Large-scale initiatives should be structured as multiple iterations of the life cycle in order to achieve visible successes and keep key leadership interest.)
- Phase 3: an improvement target is set, including a more detailed analysis to identify gaps and potential solutions. (Some solutions may be quick wins and others more challenging and longer-term activities; priority should be given to initiatives that are easier to achieve and those likely to yield the greatest benefits.)
- Phase 4: practical solutions with defined projects, supported by justifiable business cases, and a change plan for implementation are developed. (Well-developed business cases help to ensure that project benefits are identified and monitored.)
- Phase 5: proposed solutions are implemented into day-to-day practices, measurements are defined and monitoring is established, ensuring that business alignment is measured, achieved and maintained.
- Phase 6: sustainable operation of the new or improved IT Governance initiatives and monitoring of the achievement of expected benefits.
- Phase 7: the overall success of the initiative is reviewed, further requirements for IT Governance are identified, and the need for continual improvement is reinforced.
Over time, the life cycle should be followed iteratively while building a sustainable approach to the IT Governance of the enterprise.
To ensure the success of the IT Governance implementation initiative, a sponsor should take ownership, involve all key leadership executives, and provide for a business case. Initially, the business case can be at a high level from a strategic perspective—from the top down—starting with a clear understanding of the desired business outcomes and progressing to a detailed description of critical tasks and milestones as well as key roles and responsibilities; the business case is a valuable tool available to management in guiding the creation of business value. At a minimum, the business case should include the following:
- Business benefits, their alignment with business strategy and the associated benefit owners.
- Business changes needed to create the envisioned value. This could be based on health checks and capability gap analyses and should clearly state both what is in scope and what is out of scope.
- Investments needed to make the IT Governance changes (based on estimates of projects required).
- Ongoing IT and business costs.
- Expected benefits of operating in the changed way.
- Roles, responsibilities and accountabilities related to the initiative.
- How the investment and value creation will be monitored throughout the economic life cycle, and the metrics to be used (based on goals and results).
- The risk inherent in the change, including any constraints or dependencies (based on challenges and success factors).
Achieving Effective IT Governance Implementation[13]
There are seven critical success factors for achieving effective IT governance implementations. These are widely accepted as important by companies that have had successful IT governance implementations:
1. Get executive sponsorship.
   - The higher in the organization the better. If IT governance is seen as “optional,” it won’t work.
   - Certainly on the IT side, the CIO should be a visible, vocal champion.
   - On the business side, it would be ideal to have a C-level executive. CFOs in particular are powerful persuaders because it’s clear they’re speaking on behalf of the company’s bottom line.
2. Put client resources on the team.
   - This is spoken from a consultant’s point of view, but the concept is equally valid for internal implementations.
   - Success depends on strong teamwork and alliances across IT and the business side.
   - By exposing both key business-side and IT users to the system early, taking the time to acquaint them with it, and explaining its benefits, you create champions who carry the story across the company.
3. Understand the problem.
   - Aim before you fire. Take the time to determine where you’re starting from in the Capability Maturity Model. If you’re at level one, you have basic process work to do before you are ready to implement a transformational solution.
   - Pick an attainable target to start with, ideally a particular pain point that is costing you time and money. It might be poor project performance resulting from a lack of visibility and control; slow, labor-intensive handling of routine business requests of IT; mistake-prone application change management that endangers your all-important business systems; a lack of standards for comparing the potential value of various projects in the IT portfolio; or a combination of these. Start with one and work from there.
4. Envision the solution.
   - Think hard about what you want to accomplish initially. Set goals high, but don’t make them unattainable—it demoralizes people.
   - Make sure your requirements are clearly defined and universally understood among all the stakeholders.
   - Stick to the original plan once you’ve adopted it. Keep the vision firmly fixed in your mind. Don’t listen to the siren song of scope creep. Achieve your mission first, and then build on success.
   - Focus on process improvement areas. Look for every opportunity to streamline workflow and remove steps. If you’re not already using a standard framework such as ITIL, you should seriously consider embracing it. It will help you employ processes in a proven and effective way.
5. Pick the right software solutions for the right reasons.
   - Recognize that successful IT governance requires clear, enforceable processes and standards. Your software should provide real-time visibility of projects and activities in easy-to-use desktop dashboards. It should also include built-in enforcement mechanisms.
   - Think beyond your initial implementation. Make sure the software is built to be an enterprise-level solution—scalable, in other words. Check to see that it is easily configurable and flexible in its use.
   - Also be sure the software is compatible with, and leverages, best-practice frameworks such as ITIL and CMMI, and supports quality initiatives such as Six Sigma.
6. Take small steps.
   - Don’t “swing for the fences.” Start with a pilot project or group, ideally one where the new system will show clear value to users and gain support.
   - Training is extremely important. Don’t expect people to move to the new system seamlessly. If you throw them in over their heads, you risk drowning the initiative.
   - At some point, you’ll find the new IT governance system positioned to replace some standalone existing application that has a following in the company. Some amount of resistance at this point is natural. Take it slow, and at these critical junctures, take the time to win recalcitrant users over through collaborative engagement.
   - Still, you have to keep moving forward once you’ve started. Small steps will get you there, but not if you let pockets of resistance stall the effort for extended periods.
7. Include post-implementation activities.
   - This is one of the most overlooked parts of the process, though it is potentially the most important.
   - Make sure you have developed clear plans for the transition to the new system and that you implement them methodically as soon as implementation is complete.
   - This is a critical time to assess the effectiveness of your training. Make the investment in one-on-one customized training with end users as a reality check on the usability of the system and the level of engagement it elicits in users.
   - This is also the time to evangelize the system on the business side. Set up customized C-level and executive dashboards and deploy them to users, being sure to acculturate the executives to the new system, and emphasizing the real-time visibility and control it provides them to “twist the dials” and extract more business value from IT.
   - Actively ask for feedback. In effect, immediately transfer ownership of the system to the end users by requesting and documenting user comments and suggestions for enhancements. Implement the best suggestions right away, so front-line users see that they’re being listened to. They’ll embrace the system faster.
Benefits of Implementing IT Governance (Figure 4.)[14]
The key benefits of implementing an IT governance model include:
- Strategic alignment, resulting in increased business partner satisfaction
- Enhanced value delivery, driven by improved project prioritization, leading to a reduction of the IT budget
- Improved performance and resource management, lowering the total cost of IT ownership
- Better quality of IT output, resulting in a reduction in IT control issues
Figure 4 illustrates the typical benefits and impacts seen when implementing IT governance for clients across various industry sectors.
Figure 4.
See Also
- Control Objectives for Information and Related Technology (COBIT)
- Information Technology Infrastructure Library (ITIL)
- Balanced Scorecard
- Enterprise Risk Management (ERM)
- Risk Management
- IT Strategy (Information Technology Strategy)
- Business Strategy
- Corporate Governance
- Corporate Strategy
- Enterprise Architecture
- COSO Internal Control - Integrated Framework
- Compliance
- What is IT governance? A formal way to align IT & business strategy cio.com
- IT Governance – What is It and Why is It Important? Digitalist
- Banking on IT Governance: Benefits and Practices FirstPost
- Maximizing Business Value Through Effective IT Governance Cognizant
- Leadership - The Role of IT Governance IT World
- The Many Blessings Of Information Governance Forbes
- IT Governance is Killing Innovation HBR