Difference between revisions of "IT Governance"

(5 intermediate revisions by the same user not shown)

== What is IT Governance? ==

'''IT Governance (aka Information Technology Governance)''' is a process used to monitor and control key [[IT_Capability|information technology capability]] decisions in an attempt to ensure the delivery of value to key stakeholders in an organization. Here are the key points in this definition:
 
*IT Governance is a process. It is not a point-in-time event. It is not a committee. It is not a department.
*The objective of IT Governance is to ensure the delivery of business results, not "IT systems performance" nor "IT risk management"; that would reinforce the notion of IT as an end in itself. On the contrary, IT Governance is about IT decisions that have an impact on [[Business Value|business value]].
 
*The process therefore monitors and controls key IT decisions that might have an impact, positive or negative, on business results.
*The concept of governance is meaningless without the recognition of both ownership and responsibility. The key stakeholders in an organization have an "ownership" stake in the organization. The management is responsible to these stakeholders.
 
**We must recognize the ownership stake not just of shareholders but also of the other stakeholders such as customers, vendors, employees, etc.
 
**The "management," i.e. the people entrusted with making key decisions, is responsible to these stakeholders.
*Therefore, the objective of IT Governance is not just the delivery of risk-optimized business value but also to engender the trust of the key stakeholders in the people to whom they have entrusted their money and/or livelihood.
 
**One can argue that this trust results in more business value. No doubt. But the fact remains that it is a means to that end and must be recognized independently as a motivation for IT Governance.
**In a sense, IT Governance acts upon the old adage of "trust but verify!"<ref>What is Meant by IT Governance? [https://cioindex.com/reference/demystifying-it-governance/ Definition of IT Governance]</ref>

__TOC__

== Corporate Governance of Information Technology (CGIT) ==
IT governance is a broad concept centered on the IT department or environment delivering business value to the enterprise. It is a set of rules, regulations and policies that define and ensure the effective, controlled and valuable operation of an IT department. It also provides methods to identify and evaluate the performance of IT and how it relates to business growth. Moreover, by following and implementing an [[IT_Governance_Framework|IT Governance Framework]] such as [[COBIT_(Control_Objectives_for_Information_and_Related_Technology)|COBIT]], an organization can comply with regulatory requirements and reduce IT business risk while attaining measurable business benefits. IT governance uses, manages and optimizes IT in such a way that it supports, complements or enables an organization to achieve its goals and objectives.<ref>Explaining Information Technology Governance [https://www.techopedia.com/definition/19641/information-technology-governance-it-governance Techopedia]</ref>
  
  
 
== Definitions of IT Governance ==
 
'''There are many definitions of IT Governance.''' <br />Notable among them are the following:
*Weill and Ross define IT governance as: the decision rights and accountability framework to encourage desirable behavior in the use of IT. They identify three components of governance:
 
**IT Decisions Domains: What are the key IT decision areas?
**IT Governance Archetypes: Who governs the decision domains and how is it organized? Who decides or has input, and how?
**Implementation Mechanisms: How are the decision and input structures formed and put in place?<ref>What is the role of IT Governance [http://oit.ncsu.edu/sites/default/files/content/Navigational%20Page/weill_ross_framework_pdf_99126.pdf Weill Ross Framework MIT]</ref>
*The IT Governance Institute (ISACA) defines IT Governance as follows:<br />
"...leadership, organizational structures and processes to ensure that the organization's IT sustains and extends the organization's strategies and objectives."<ref>Board briefing on IT Governance by [http://www.isaca.org/restricted/Documents/26904_Board_Briefing_final.pdf ISACA]</ref>
*According to Gartner, IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. IT demand governance (ITDG, what IT should work on) is the process by which organizations ensure the effective evaluation, selection, prioritization, and funding of competing IT investments; oversee their implementation; and extract (measurable) business benefits. ITDG is a business investment decision-making and oversight process, and it is a business management responsibility. IT supply-side governance (ITSG, how IT should do what it does) is concerned with ensuring that the IT organization operates in an effective, efficient and compliant fashion, and it is primarily a CIO responsibility.<ref>Gartner's definition of IT governance [http://www.gartner.com/it-glossary/it-governance Gartner]</ref>
*CIO Magazine defines IT Governance as: Simply put, it’s putting structure around how organizations align [[IT_Strategy_(Information_Technology_Strategy)|IT Strategy]] with [[Business_Strategy|business strategy]], ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance. It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results. An IT governance framework should answer some key questions, such as how the IT department is functioning overall, what key metrics management needs, and what return IT is giving back to the business from the investment it’s making.<ref>CIO Magazine's definition of IT Governance [http://www.cio.com/article/2438931/governance/it-governance-definition-and-solutions.html cio.com]</ref>

 
*Information technology governance
*Information and communications technology governance (ICT Governance)
*Corporate Governance of information technology (CGIT)
*Corporate governance of information and communications technology
*Enterprise governance of information technology (EGIT)

 
== History of IT Governance ==

'''Emergence of IT Governance'''  <ref>Emergence of IT Governance [https://en.wikipedia.org/wiki/Corporate_governance_of_information_technology Wikipedia]</ref><br />
The discipline of information technology governance first emerged in 1993 as a derivative of corporate governance and deals primarily with the connection between an organization's strategic objectives, business goals and [[IT Management (Information Technology Management)|IT management]] within an organization. It highlights the importance of value creation and accountability for the use of information and related technology and establishes the responsibility of the governing body, rather than the [[Chief Information Officer (CIO)|chief information officer]] or business management. The primary goals for information and technology (IT) governance are to<br />
 
(1) assure that the use of information and technology generates business value,<br />
(2) oversee management's performance and<br />
(3) mitigate the risks associated with using information and technology.<br />
This can be done through board-level direction, implementing an organizational structure with well-defined accountability for decisions that impact the successful achievement of strategic objectives, and institutionalizing good practices by organizing activities in processes with clearly defined process outcomes that can be linked to the organization's strategic objectives. Following corporate governance failures in the 1980s, a number of countries established codes of corporate governance in the early 1990s:
 
*Committee of Sponsoring Organizations of the Treadway Commission (USA)
*Cadbury Report (UK)
*King Report (South Africa).
  
As a result of these corporate governance efforts to better govern the use of corporate resources, specific attention was given to the role of information and the underpinning technology in supporting good corporate governance. It was soon recognized that [[Information Technology (IT)|information technology]] was not only an enabler of corporate governance but, as a resource, also a value creator that was in need of better governance. In Australia, AS8015 Corporate Governance of ICT was published in January 2005. It was fast-track adopted as ISO/IEC 38500 in May 2008. The IT governance process enforces a direct link between IT resources and processes and enterprise goals, in line with strategy. There is a strong correlation between the maturity of IT governance and the overall effectiveness of IT.
  
  
 
== IT Governance Landscape ==

'''The IT Governance Landscape (Figure 1.)''' <ref>The IT Governance Landscape [https://www.ibm.com/developerworks/rational/library/dec07/mueller_phillipson/index.html IBM]</ref><br />
IT governance should not be considered a company initiative. It is not a project that begins and ends, but rather the fabric of your business, and it transcends time, leadership, and initiatives. Whether you have organic (grown unintentionally) or deliberate (grown intentionally) IT governance, the questions you should ask include: "How good are my IT governance processes at effectively delivering strategic business value year after year?" "Are my processes repeatable, predictable, and scalable; are they truly meeting the needs of my business (outside of IT) and my customers?" It is no more likely that a single IT governance process will work for all IT business processes than it is for every one of your customers to be satisfied with the exact same configuration of any given product or service that your company produces. Therefore, a number of IT governance related processes must be considered. The integrated collection of available IT governance processes is referred to as the IT governance landscape. IT governance is a subset of enterprise governance, which at the highest level drives and sets what needs to be accomplished by IT governance. IT governance itself encompasses systems, infrastructure, and communication. Product development governance, like IT governance, is a subset of enterprise governance and overlaps with IT governance. Product development governance is targeted at enterprises that develop products (as opposed to service delivery, for example). Development governance is governance applied to development organizations and programs, and is a subset of IT and product development governance. Development governance encompasses the [[Software Development Life Cycle (SDLC)|software development lifecycle]]. Figure 1. illustrates these relationships, highlighting development governance.
  
  

== Domains of IT Governance ==

'''The Five Domains of IT Governance (Figure 2.)''' <ref>What are the types of IT Governance? [http://blog.dayaciptamandiri.com/2014/02/5-domain-dari-it-governance.html DCM]</ref><br />
 
Ask a room of IT governance professionals and business executives what the domains of IT governance are, and chances are each one would provide a different answer. Fortunately, ISACA, a leading global provider of certifications, knowledge, advocacy and education in information systems, assurance and security, has developed some useful guidance which separates IT Governance into five separate domains (ISACA, 2013), each of which is briefly described below:
#Strategic Alignment: Strategic Alignment is concerned with how IT supports the enterprise strategy and how IT operations are aligned with current enterprise operations. Alignment involves:
#*Understanding the needs of the business
#*Developing IT strategy and objectives
#*Resource allocation and portfolio management
#*Demand management
#*Communication
#Value Delivery: Value Delivery ensures that value is obtained from investment in information technology and is an essential component of IT governance. It involves selecting investments wisely and managing them throughout their life cycle, from inception to final retirement. It involves making sure that IT delivers appropriate quality on time and within budget, and examines how actual cost is managed and how the ROI is determined.
#*Identifying project value drivers
#*Identifying service value drivers
#*Project management
#*External benchmarking
#Performance Management: Performance Management looks at how IT tracks and monitors the implementation of strategy, how the success of projects is determined, at resource usage, and at the ensuing process performance and service delivery.
#*Customer satisfaction
#*Service level management
#*Business value measurement
#*Process improvement
#Risk Management: Risk Management is about the safeguarding of IT assets, disaster recovery and continuity of operations, including security and information integrity.
#*Organizational risk appetite
#*Project and investment risk mitigation
#*Information security risk mitigation
#*Operational risk mitigation
#*Compliance with regulatory mandates
#*Audit
#Resource Management: Resource Management looks at how IT optimizes and manages critical IT resources.
#*Hardware and software asset management
#*Third party service providers and outsourcing
#*Standardized architecture
#*Financial management and service costing
  
  

What is perhaps most important here, however, is not that all five IT governance domains are fully inserted into the enterprise, but that the recommendations, standards and best practices contained in the domains are considered and applied in accordance with the needs, requirements and capabilities of the business. As such, the ISACA model is arguably most useful when it is considered as a basic guideline for injecting IT governance best practices into the business when and where they are specifically needed. It is, however, advisable that, no matter the size and maturity level of the business, at least some elements from each domain should be present to ensure effective IT governance.

== Principles of IT Governance ==
'''Ten Principles of IT Governance'''<ref>Ten Principles of IT Governance [https://hbswk.hbs.edu/archive/ten-principles-of-it-governance Harvard Business School]</ref><br />
#Actively design governance: Actively designing governance involves senior executives taking the lead and allocating resources, attention, and support to the process. For some enterprises, this will be the first time IT governance is explicitly designed. Often there are mature business governance processes to use as a starting point. Not only does overall governance require active design, but each mechanism also needs regular review. Focus on having the fewest number of effective mechanisms possible. Many enterprises with effective IT governance have between six and ten integrated and well-functioning mechanisms. One goal of any governance redesign should be to assess, improve, and then consolidate the number of mechanisms.
#Know when to redesign: Rethinking the whole governance structure requires that individuals learn new roles and relationships. Learning takes time. Thus, governance redesign should be infrequent. Transformations involve many other issues besides IT and take many months to implement.
#Involve senior managers: CIOs must be effectively involved in IT governance for success. Other senior managers must participate in the committees, the approval processes, and performance reviews. For many enterprises, this involvement is a natural extension of senior management's normal activities. Senior management necessarily gets involved in strategic decisions. This means that senior management is rarely concerned with the exception process. However, if an exception has strategic implications, it may reach the executive level IT Steering Committee.
#Make choices: Good governance, like good strategy, requires choices. It's not possible for IT governance to meet every goal, but governance can and should highlight conflicting goals for debate. As the number of tradeoffs increases, governance becomes more complex. Top-performing enterprises handle goal conflicts with a few clear business principles. The resulting IT principles reflect these business principles.
#Clarify the exception-handling process: Exceptions are how enterprises learn. In IT terms, exceptions challenge the status quo, particularly the IT architecture and infrastructure. Some requests for exceptions are frivolous, but most come from a true desire to meet business needs. If the exception proposed by a business unit has value, a change to the IT architecture could benefit the entire enterprise. Enterprises with effective IT governance share three common elements in their exception procedures:
#*The process is clearly defined and understood by all. Clear criteria and fast escalation encourage only business units with a strong case to pursue an exception.
#*The process has a few stages that quickly move the issue up to senior management. Thus, the process minimizes the chance that architecture standards will delay project implementation.
#*Successful exceptions are adopted into the enterprise architecture, completing the organizational learning process.
#Provide the right incentives: A major governance and incentive alignment issue is business unit synergy. If IT governance is designed to encourage business unit synergy, autonomy, or some combination, the incentives of the executives must also be aligned. Avoiding financial disincentives to desirable behavior is as important as offering financial incentives. Whenever incentives are based on business unit results, chargeback can be a point of contention. Enterprises can manipulate charges to encourage desirable behavior, but chargeback pricing must be reasonable and clearly understood. It is hard to overestimate the importance of aligning incentive and reward systems to governance arrangements. If well-designed IT governance is not as effective as expected, the first place to look is incentives.
#Assign ownership and accountability for IT governance: Like any major organizational initiative, IT governance must have an owner and accountabilities. Ultimately, the board is responsible for all governance, but the board will expect or delegate an individual (probably the CEO or CIO) or group to be accountable for IT governance design, implementation, and performance—similar to the finance committee or CFO being accountable for financial asset governance. In choosing the right person or group, the board, or the CEO as their designate, should consider three issues.
#*IT governance cannot be designed in isolation from the other key assets of the firm (financial, human, and so on). Thus the person or group owning IT governance must have an enterprise-wide view that goes beyond IT, as well as credibility with all business leaders.
#*The person or group cannot implement IT governance alone. The board or CEO must make it clear that all managers are expected to contribute to IT governance as they would contribute to governance of financial or any other key asset.
#*IT assets are more and more important to the performance of most enterprises. A reliable, cost-effective, regulation-compliant, secure, and strategic IT portfolio is more critical today than ever before. The person or group owning IT governance must understand what the technology is and is not capable of. It is not the technical details that are critical but a feel for the two-way symbiotic connection between strategy and IT.
#Design governance at multiple organizational levels: In large multi-business unit enterprises it is necessary to consider IT governance at several levels. The starting point is enterprise-wide IT governance driven by a small number of enterprise-wide strategies and goals. Enterprises with separate IT functions in divisions, business units, or geographies require a separate but connected layer of IT governance. Usually the demand for synergies increases at the lower levels, whereas the need for autonomy between units is greatest at the top of the organization.
#Provide transparency and education: It's virtually impossible to have too much transparency or education about IT governance. Transparency and education often go together—the more education, the more transparency, and vice versa. The more transparency of the governance processes, the more confidence in the governance. The less transparent the governance processes are, the less people follow them. The more special deals are made, the less confidence there is in the process and the more workarounds are used. The less confidence there is in the governance, the less willingness there is to play by rules designed to lead to increased firm-wide performance. Special deals and nontransparent governance set off a downward spiral in governance effectiveness.
#Implement common mechanisms across the six key assets: There are six key assets through which enterprises accomplish their strategies and generate business value: human assets, financial assets, physical assets, IP assets, information and IT assets, and relationship assets. If each asset is governed independently, each may be expertly governed, but the opportunity for synergistic value is lost. Put this way, the coordination of the six assets seems blindingly obvious. But compare the mechanisms actually used to govern each of the six and see how well coordinated, and more importantly how effective, they are. Many enterprises successfully coordinate their six assets within a project but not across the enterprise via governance. In designing IT governance, review the mechanisms used to govern the other key assets and consider broadening their charter (perhaps with a subcommittee) to IT rather than creating a new, independent IT mechanism.

== IT Governance Frameworks ==
'''IT Governance Frameworks''' <ref>What are the different IT Governance Frameworks? [https://www.itgovernance.co.uk/it_governance itgovernance.co.uk]</ref><br />
There are three widely recognized, vendor-neutral, third-party frameworks that are often described as 'IT governance frameworks'. None of them is on its own a complete governance framework in the sense used above (COBIT comes closest; ITIL is a service management framework and ISO/IEC 27001/27002 are information security management standards), but each has significant IT governance strengths:
*ITIL®: ITIL, or IT Infrastructure Library®, was developed by the UK government (originally by the CCTA, later under the Cabinet Office) as a library of best-practice processes for IT service management. Widely adopted around the world, ITIL is supported by the ISO/IEC 20000 service management standard (ISO/IEC 20000-1, revised in 2018), against which independent certification can be achieved.
*COBIT®: Control Objectives for Information and Related Technology (COBIT), published by ISACA, is an IT governance control framework that helps organizations meet today's business challenges in the areas of regulatory compliance, risk management and aligning IT strategy with organizational goals. COBIT is an internationally recognized framework. In particular, COBIT's management guidelines provide a framework for the control and measurability of IT, with tools to assess and measure the enterprise's capability for each identified COBIT process (37 processes in COBIT 5; COBIT 2019 restructures these into 40 governance and management objectives).
*ISO/IEC 27001 and 27002: ISO/IEC 27001 specifies the requirements for an information security management system (ISMS) and is the standard that organizations are certified against; ISO/IEC 27002 is its companion code of practice, detailing the information security controls listed in Annex A of 27001. Both were revised in 2022. Together they form the global best-practice standard for information security management in organizations.
The challenge, for many organizations, is to establish a coordinated, integrated framework that draws on all three. <ref>[https://cioindex.com/references/it-governance-frameworks/ IT Governance Frameworks]</ref>

== The Importance of IT Governance ==

'''The Importance of IT Governance''' <ref>Why is IT Governance Important? [https://www.slideshare.net/mahetabkhan5/it-governance-46869745 Mahetab Khan]</ref><br />
*Compliance with regulations
*Competitive Advantage
*Support of Enterprise Goals
*Growth and Innovation
*Increase in Tangible Assets
*Reduction of Risk

== IT Governance Implementation and Life-Cycle ==

'''IT Governance Implementation (Figure 3.)'''<ref>What are the Phases of the IT Governance Implementation Life Cycle? [http://www.businessofgovernment.org/blog/business-government/roadmap-implementing-and-improving-it-governance IBM CBG]</ref><br />
IT Governance implementation initiatives must be properly and adequately managed. Support and direction from key leadership executives can ensure that improvements are adopted and sustained. Management should identify, from current challenges, the requirements and areas that need to be addressed, supported by early commitment and buy-in from the relevant key executives and by objectives and benefits that are clearly expressed in a business case. Successful implementation depends on implementing the appropriate change in the appropriate way. The implementation life cycle provides a way for enterprises to address the complexity and challenges typically encountered during implementations. The three interrelated components of the life cycle are:
#Core continual improvement life cycle—as opposed to a one-off project
#Change enablement—addressing the behavioral and cultural aspects
#Program management—following generally accepted project management principles

The implementation life cycle and its seven phases are illustrated above:
*Phase 1: recognition and agreement on the need for an implementation or improvement initiative. It identifies the current pain points and creates a desire to change at executive management levels.
*Phase 2: focus on defining the scope of the implementation or improvement initiative, considering how risk scenarios could also highlight key processes on which to focus. An assessment of the current state will need to be performed to identify issues or deficiencies by carrying out a process capability assessment. (Large-scale initiatives should be structured as multiple iterations of the life cycle in order to achieve visible successes and keep key leadership interest.)
*Phase 3: improvement target set, including a more detailed analysis to identify gaps and potential solutions. (Some solutions may be quick wins and others more challenging and longer-term activities – priority should be given to initiatives that are easier to achieve and those likely to yield the greatest benefits.)
*Phase 4: practical solutions with defined projects supported by justifiable business cases and a change plan for implementation is developed. (Well-developed business cases help to ensure that project benefits are identified and monitored.)
*Phase 5: proposed solutions implemented into day-to-day practices, measurements are defined and monitoring established, ensuring that business alignment is measured, achieved and maintained.

*Ongoing IT and business costs.
*Expected benefits of operating in the changed way.
*Roles, responsibilities and accountabilities related to the initiative.
*How the investment and value creation will be monitored throughout the economic life cycle, and the metrics to be used (based on goals and results).
*The risk inherent in the change, including any constraints or dependencies (based on challenges and success factors).

**By exposing both key business-side and IT users to the [[system]] early, taking the time to acquaint them with it, and explaining its benefits, you create champions who carry the story across the company.
*Understand the problem.
**Aim before you fire. Take the time to determine where you’re starting from in the Capability Maturity Model. If you’re at level one, you have basic process work to do before you are ready to implement a transformational solution.
**Pick an attainable target to start with, ideally a particular pain point that is costing you time and money. It might be poor project performance resulting from a lack of visibility and control; slow, labor-intensive handling of routine business requests of IT; mistake-prone application change management that endangers your all-important business systems; a lack of standards for comparing the potential value of various projects in the IT portfolio; or a combination of these. Start with one and work from there.
*Envision the solution.
**Think hard about what you want to accomplish initially. Set goals high, but don’t make them unattainable—it demoralizes people.
**Make sure your requirements are clearly defined and universally understood among all the stakeholders.
**Stick to the original plan once you’ve adopted it. Keep the vision firmly fixed in your mind. Don’t listen to the siren song of scope creep. Achieve your mission first, and then build on success.
**Focus on process improvement areas. Look for every opportunity to streamline workflow and remove steps. If you’re not already using a standard framework such as ITIL, you should seriously consider embracing it. It will help you employ processes in a proven and effective way.
*Pick the right software solutions for the right reasons.
**Recognize that successful IT governance requires clear, enforceable processes and standards. Your software should provide real-time visibility of projects and activities in easy-to-use desktop dashboards. It should also include built-in enforcement mechanisms.
**Think beyond your initial implementation. Make sure the software is built to be an enterprise-level solution—scalable, in other words. Check to see that it is easily configurable and flexible in its use.
**Also be sure the software is compatible with, and leverages, best practice frameworks such as ITIL and CMMI, and supports quality approaches such as Six Sigma.
*Take small steps.
**Don’t “swing for the fences.” Start with a pilot project or group, ideally one where the new system will show clear value to users and gain support.

**This is one of the most overlooked parts of the process, though it is potentially the most important.
**Make sure you have developed clear plans for the transition to the new system and that you implement them methodically as soon as implementation is complete.
**This is a critical time to assess the effectiveness of your training. Make the investment in one-on-one customized training with end users as a reality check on the usability of the system and the level of engagement it elicits in users.
**This is also the time to evangelize the system on the business side. Set up customized C-level and executive dashboards and deploy them to users, being sure to acculturate the executives to the new system, and emphasizing the real-time visibility and control it provides them to “twist the dials” and extract more business value from IT.
**Actively ask for feedback. In effect, immediately transfer ownership of the system to the end users by requesting and documenting user comments and suggestions for enhancements. Implement the best suggestions right away, so front-line users see that they’re being listened to. They’ll embrace the system faster.


The key benefits of implementing an IT governance model include:
*Strategic alignment, resulting in increased business partner satisfaction
*Enhanced value delivery, driven by improved project prioritization, leading to a reduction in IT budget
*Improved performance and resource management, lowering the total cost of IT ownership
*Better quality of IT output, resulting in a reduction in IT control issues

'''Figure 4.'''
source: [https://www.cognizant.com/services-resources/Services/Maximizing-Business-Value-Through-Effective-IT-Governance.pdf Cognizant]

== IT Governance, Risk Management, and Compliance ==

**Effective IT governance is the single most important predictor of the value an organization generates from IT
*Regulatory and industry requirements
**Organizations need to satisfy quality, fiduciary and security requirements for information as for all other assets
**The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines a widely accepted control framework for enterprise governance and risk management; that framework in turn requires a framework for control over IT
**Sarbanes-Oxley, Basel II
**Industry specific regulations
**General call for greater transparency

== IT Governance Maturity Model ==

'''IT Governance Maturity Model (Figure 5.)'''<br />
The figure below illustrates the capability maturity model for the IT governance process. This capability maturity model (CMM) describes a maturity curve on these capability levels: initial/ad hoc, repeatable, defined, managed, and optimized, along with these parameters: strategic alignment, value delivery, risk management, resource management, and performance management.

== How IT Governance Creates IT Value ==
'''How does IT Governance create IT Value'''<ref>How does IT Governance create IT Value [https://gbr.pepperdine.edu/2010/08/the-it-governance-road-map/ Pepperdine.edu]</ref><br />IT governance has primarily been driven by the need for the transparency of enterprise risks and the protection of shareholder value. The overall objective of IT governance is to understand the issues and the strategic importance of IT, so that the firm can maintain its operations and implement strategies to enable the company to better compete now and in the future. Hence, IT governance aims at ensuring that expectations for IT are met and that IT risks are mitigated. IT governance exists within corporations to guide IT initiatives and to ensure that the performance of IT meets the following corporate objectives:
*Alignment of IT to support business operations and sustain advantages;
*Responsible use of IT resources;
*Appropriate identification and management of IT-related risks;
*Facilitation of IT’s aid in exploiting opportunities and maximizing benefits.

A structured IT governance committee or policy along with corporate managers combine to ensure that IT is synchronized with the business and delivers value to the firm. IT governance also aids companies in instituting formal project approval processes and performance management plans. Firms typically make five types of IT decisions:
*IT principles decisions dictating the role of IT in the enterprise.
*IT architecture decisions on technical choices and directions.
*IT infrastructure decisions on the delivery of shared IT services.
*Business application requirements decisions for each project.
*IT investment and prioritization decisions.

IT governance exists to assist enterprise leaders in their responsibility to make IT successful in supporting the firm’s goals and mission. IT governance helps firm executives to raise awareness and understanding among employees. Such governance also helps provide guidance and tools to boards of directors, executive managers, and CIOs to ensure that IT is appropriately aligned with corporate goals and policies and that IT meets and exceeds expectations of the firm.
 +
  
 
== More on IT Governance (corporate governance of information technology) ==
 
== More on IT Governance (corporate governance of information technology) ==
IT governance is merely a subset of enterprise regulation, which ensures that the organization’s IT sustains strategies and objectives.The need to oversee technology investments is even more important, at a time when many high-ranking officials are blatantly violating set norms.
+
IT governance is merely a subset of enterprise regulation, which ensures that the organization’s IT sustains strategies and objectives. The need to oversee technology investments is even more important, at a time when many high-ranking officials are blatantly violating set norms.
Information security accountability is dependent only on effective management and adherence to legal and regulatory norms. The CXO challenge is not to understand every aspect of [[IT Infrastructure|technology infrastructure]], but understand its role as a strategic business driver.
+
Information security accountability is dependent only on effective management and adherence to legal and regulatory norms. The CXO challenge is not to understand every aspect of technology infrastructure, but understand its role as a strategic business driver.
  
 
To make IT governance a talking point, experts recommend a multi-pronged strategy:
 
To make IT governance a talking point, experts recommend a multi-pronged strategy:
*Enable IT-Board Coordination: Many technology tools are now available to foster [[innovation]]. More frequent communication, ease of document sharing and materials, as well as reports and [[analytics]] that help boards gain insight into an organization’s risk management processes.
+
*Enable IT-Board Coordination: Many technology tools are now available to foster innovation. More frequent communication, ease of document sharing and materials, as well as reports and analytics that help boards gain insight into an organization’s risk management processes.
*Balancing Technology Risk: There is a multiplicity of risks associated with technology. Relatively few people understand the nature of these challenges. Board influencers and decision makers need to identify critical segments and minimize [[liabilities]].
+
*Balancing Technology Risk: There is a multiplicity of risks associated with technology. Relatively few people understand the nature of these challenges. Board influencers and decision makers need to identify critical segments and minimize liabilities.
 
*Business-Technology Strategy: Most executives need to understand how technology strategy works at multiple levels:
 
*Business-Technology Strategy: Most executives need to understand how technology strategy works at multiple levels:
 
**How information technology enhances the organization’s ability to understand financial, operational and reputational aspects of a company.
 
**How information technology enhances the organization’s ability to understand financial, operational and reputational aspects of a company.
 
**Creating a business idea that works in real-time.
 
**Creating a business idea that works in real-time.
*Effective [[IT ROI|RoI]]: When conceptualizing a project with long-term implications, carefully study every aspect business-related: the financial, operational and reputation-based projects of technology investments.
+
*Effective ROI: When conceptualizing a project with long-term implications, carefully study every aspect business-related: the financial, operational and reputation-based projects of technology investments.
*[[Stakeholder]] Analysis And Education: Democratizing access and educating every stakeholder is integral to making technology ubiquitous. In most organizations, many stakeholders are unaware or cannot connect due to multiple reasons.Also, educating relevant stakeholders about proper technology facets enhances impact. Long-term viability and sustainability is a function of how IT permeates into the organization ethic.
+
*Stakeholder Analysis And Education: Democratizing access and educating every stakeholder is integral to making technology ubiquitous. In most organizations, many stakeholders are unaware or cannot connect due to multiple reasons. Also, educating relevant stakeholders about proper technology facets enhances impact. Long-term viability and sustainability is a function of how IT permeates into the organization ethic.<ref>Example of IT Governance Talking points</ref>
  
  
===See Also===
+
== See Also ==
* [[IT Governance Framework]]
+
* [[Balanced Scorecard]]
* [[Governance]]
+
* [[Enterprise Risk Management (ERM)]]
* [[Governance, Risk And Compliance (GRC)]]
+
* [[Risk Management]]
* [[Government Enterprise Architecture (GEA)]]
+
* [[Business Strategy]]
* [[Government Interoperability Maturity Matrix (GIMM)]]
+
* [[Corporate Governance]]
* [[Balanced_Scorecard|Balanced Scorecard]]
+
* [[Enterprise Architecture]]
* [[Enterprise_Risk_Management_(ERM)|Enterprise Risk Management (ERM)]]
 
* [[Risk_Management|Risk Management]]
 
* [[Business_Strategy|Business Strategy]]
 
* [[Corporate_Governance|Corporate Governance]]
 
* [[Corporate_Strategy|Corporate Strategy]]
 
* [[Enterprise_Architecture|Enterprise Architecture]]
 
 
* [[COSO_Internal_Control_Integrated_Framework|COSO Internal Control- Integrated Framework ]]
 
* [[COSO_Internal_Control_Integrated_Framework|COSO Internal Control- Integrated Framework ]]
* [[Compliance|Compliance]]
+
* [[Compliance]]
* [[Data_Governance|Data Governance]]
+
* [[Data Governance]]
 
* [[Information Technology Risk (IT Risk)]]
 
* [[Information Technology Risk (IT Risk)]]
* [[Risk Governance|Governance of Risk]]
+
* [[Stage-Gate]]
* [[Stage-Gate|Stage Gate]]
+
* [[Project Management]]
* [[Project Management|Managing Programs and Projects]]
+
* [[Project Portfolio Management (PPM)]]
* [[Project Portfolio Management (PPM)|Project Portfolio Management (PPM)]]
 
 
* [[E-Governance]]
 
* [[E-Governance]]
 
* [[Information Governance (IG)]]
 
* [[Information Governance (IG)]]
 
* [[Cloud Computing Governance]]
 
* [[Cloud Computing Governance]]
  
===References===
+
 
 +
== References ==
 
<references />
 
<references />
  
  
===Further Reading===
+
== Further Reading ==
 
*What is IT governance? A formal way to align IT & business strategy [https://www.cio.com/article/2438931/governance/governanceit-governance-definition-and-solutions.html cio.com]
 
*What is IT governance? A formal way to align IT & business strategy [https://www.cio.com/article/2438931/governance/governanceit-governance-definition-and-solutions.html cio.com]
 
*IT Governance – What is It and Why is It Important? [http://www.digitalistmag.com/innovation/2012/05/07/it-governance-what-is-it-and-why-is-it-important-04961 Digitalist]
 
*IT Governance – What is It and Why is It Important? [http://www.digitalistmag.com/innovation/2012/05/07/it-governance-what-is-it-and-why-is-it-important-04961 Digitalist]
 
*Banking on IT Governance: Benefits and Practices [http://www.firstpost.com/business/banking-governance-benefits-practices-2253752.html FirstPost]
 
*Banking on IT Governance: Benefits and Practices [http://www.firstpost.com/business/banking-governance-benefits-practices-2253752.html FirstPost]
*Maximizing [[Business Value]] Through Effective IT Governance [https://www.cognizant.com/services-resources/Services/Maximizing-Business-Value-Through-Effective-IT-Governance.pdf Cognizant]
+
*Maximizing Business Value Through Effective IT Governance [https://www.cognizant.com/services-resources/Services/Maximizing-Business-Value-Through-Effective-IT-Governance.pdf Cognizant]
 
*Leadership - The Role of IT Governance [https://www.itworld.com/article/2779316/virtualization/leadership---the-role-of-it-governance.html IT World]
 
*Leadership - The Role of IT Governance [https://www.itworld.com/article/2779316/virtualization/leadership---the-role-of-it-governance.html IT World]
 
*The Many Blessings Of Information Governance [https://www.forbes.com/sites/riskmap/2015/06/01/the-many-blessings-of-information-governance/#2500537f1a8a Forbes]
 
*The Many Blessings Of Information Governance [https://www.forbes.com/sites/riskmap/2015/06/01/the-many-blessings-of-information-governance/#2500537f1a8a Forbes]
 
*IT Governance is Killing Innovation [https://hbr.org/2013/08/it-governance-is-killing-innov HBR]
 
*IT Governance is Killing Innovation [https://hbr.org/2013/08/it-governance-is-killing-innov HBR]
*[https://cioindex.com/index/it-governance-framework-sample/ IT Governance Examples].
+
*[https://cioindex.com/reference/information-technology-governance-plan-example/ Information Technology Governance Plan Example].

Revision as of 23:58, 22 July 2022

What is IT Governance?

IT Governance (aka Information Technology Governance) is a process used to monitor and control key information technology capability decisions - in an attempt - to ensure the delivery of value to key stakeholders in an organization. Here are the key points in this definition:

  • IT Governance is a process. It is not a point in time event. It is not a committee. It is not a department.
  • The objective of IT Governance is to ensure the delivery of business results not "IT systems performance" nor "IT risk management" - that would reinforce the notion of IT as an end in itself. To the contrary, IT Governance is about IT decisions that have an impact on business value.
  • The process therefore monitors and controls key IT decisions that might have an impact - positive or negative - on business results.
  • The concept of governance is meaningless without the recognition of both ownership and responsibility. The key stakeholders in an organization have an "ownership" stake in the organization. The management is responsible to these stakeholders.
    • We must recognize the ownership stake of not just shareholders but also of the other stakeholders such as customers, vendors, employees etc.
    • The "management," i.e. the people entrusted with making key decisions, is responsible to these stakeholders.
  • Therefore, the objective of IT Governance is not just the delivery of risk-optimized business value but also to engender the trust of the key stakeholders in the people to whom they have entrusted their money and/or livelihood!
    • One can argue that this trust results in more business value. No doubt. But the fact remains that it is a means to that end and must be recognized independently as a motivation for IT Governance.
    • In a sense, IT Governance acts upon the old adage of "trust but verify!"[1]



Corporate Governance of Information Technology (CGIT)

IT governance is a broad concept that is centered on the IT department or environment delivering business value to the enterprise. It is a set of rules, regulations and policies that define and ensure the effective, controlled and valuable operation of an IT department. It also provides methods to identify and evaluate the performance of IT and how it relates to business growth. Moreover, by following and implementing an IT Governance Framework such as COBIT, an organization can comply with regulatory requirements and reduce IT business risk while attaining measurable business benefits. IT governance uses, manages and optimizes IT in such a way that it supports, complements or enables an organization to achieve its goals and objectives.[2]


Definitions of IT Governance

There are many definitions of IT Governance.
Notable among them are the following:

  • Weill and Ross define IT governance as: the decision rights and accountability framework to encourage desirable behavior in the use of IT. They identify three components of governance:
    • IT Decisions Domains: What are the key IT decision areas?
    • IT Governance Archetypes: Who governs the decision domains and how is it organized? Who decides or has input, and how?
    • Implementation Mechanisms: How are the decision and input structures formed and put in place?[3]
  • The IT Governance Institute (ISACA) defines IT Governance as follows:

"...leadership, organizational structures and processes to ensure that the organization's IT sustains and extends the organization's strategies and objectives."[4]

  • According to Gartner IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. IT demand governance (ITDG — what IT should work on) is the process by which organizations ensure the effective evaluation, selection, prioritization, and funding of competing IT investments; oversee their implementation; and extract (measurable) business benefits. ITDG is a business investment decision-making and oversight process, and it is a business management responsibility. IT supply-side governance (ITSG — how IT should do what it does) is concerned with ensuring that the IT organization operates in an effective, efficient and compliant fashion, and it is primarily a CIO responsibility.[5]
  • CIO Magazine defines IT Governance as: Simply put, it’s putting structure around how organizations align IT Strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance. It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results. An IT governance framework should answer some key questions, such as how the IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from the investment it’s making.[6]


Different names of IT Governance

IT Governance is also known as:

  • Information technology governance
  • Information and communications technology governance (ICT Governance)
  • Corporate Governance of information technology (CGIT)
  • Corporate governance of information and communications technology
  • Enterprise governance of information technology (EGIT)


History of IT Governance

Emergence of IT Governance [7]
The discipline of information technology governance first emerged in 1993 as a derivative of corporate governance and deals primarily with the connection between an organization's strategic objectives, business goals and IT management within an organization. It highlights the importance of value creation and accountability for the use of information and related technology and establishes the responsibility of the governing body, rather than the chief information officer or business management. The primary goals for information and technology (IT) governance are to
(1) assure that the use of information and technology generate business value,
(2) oversee management's performance and
(3) mitigate the risks associated with using information and technology.
This can be done through board-level direction, implementing an organizational structure with well-defined accountability for decisions that impact the successful achievement of strategic objectives, and institutionalizing good practices by organizing activities in processes with clearly defined process outcomes that can be linked to the organization's strategic objectives. Following corporate governance failures in the 1980s, a number of countries established codes of corporate governance in the early 1990s:

  • Committee of Sponsoring Organizations of the Treadway Commission (USA)
  • Cadbury Report (UK)
  • King Report (South Africa).

As a result of these corporate governance efforts to better govern the leverage of corporate resources, specific attention was given to the role of information and the underpinning technology to support good corporate governance. It was soon recognized that information technology was not only an enabler of corporate governance, but as a resource, it was also a value creator that was in need of better governance. In Australia, the AS8015 Corporate Governance of ICT was published in January 2005. It was fast-track adopted as ISO/IEC 38500 in May 2008. IT governance process enforces a direct link of IT resources & process to enterprise goals in line of strategy. There is a strong correlation between maturity curve of IT governance and overall effectiveness of IT.


IT Governance Landscape

The IT Governance Landscape (Figure 1.) [8]
IT governance should not be considered a company initiative. It is not a project that begins and ends, but rather is the fabric of your business and transcends time, leadership, and initiatives. And whether you have organic (grown unintentionally) or deliberate (grown intentionally) IT governance, the questions you should ask include: "How good are my IT governance processes at effectively delivering strategic business value year after year?" "Are my processes repeatable, predictable, and scalable; are they truly meeting the needs of my business (outside of IT) and my customers?" It is no more likely that a single IT governance process will work for all IT business processes than it is for every one of your customers to be satisfied with the exact same product or service configuration for any given product or service that your company produces. Therefore, a number of IT governance related processes must be considered. The integrated collection of available IT governance processes is referred to as the IT governance landscape. IT governance is a subset of enterprise governance, which at the highest level drives and sets what needs to be accomplished by IT governance. IT governance itself encompasses systems, infrastructure, and communication. Product development governance, like IT governance, is a subset of enterprise governance and overlaps with IT governance. Product development governance is targeted at enterprises that develop products (as opposed to service delivery, for example). Development governance is governance applied to development organizations and programs, and is a subset of IT and product development governance. Development governance encompasses the software development lifecycle. Figure 1. illustrates these relationships, highlighting development governance.


IT Governance Landscape
Figure 1. source: IBM


Domains of IT Governance

The Five Domains of IT Governance (Figure 2.) [9]
Ask a room of IT governance professionals and business executives what IT governance covers and chances are each one would provide a different answer. Fortunately, ISACA, a leading global provider of certifications, knowledge, advocacy and education in information systems, assurance and security, has developed some useful guidance which separates IT Governance into 5 separate domains (ISACA, 2013), each of which is briefly described below:

  1. Strategic Alignment: Strategic Alignment is concerned with how IT supports the enterprise strategy and how IT operations are aligned with current enterprise operations. Alignment involves:
    • Understanding the needs of the business
    • Developing IT strategy and objectives
    • Resource allocation – portfolio management
    • Demand management
    • Communication
  2. Value Delivery: Value Delivery ensures that value is obtained from investment in information technology and is an essential component of IT governance. It involves selecting investments wisely and managing them throughout their life cycle—from inception to final retirement. It involves making sure that IT delivers appropriate quality on time and within budget, and examines how actual cost is managed and how the ROI is determined.
    • Identifying project value drivers
    • Identifying service value drivers
    • Project management
    • External benchmarking
  3. Performance Management: Performance management looks at how IT tracks and monitors strategy implementation, how the success of projects is determined, resource usage, and the ensuing process performance and service delivery.
    • Customer satisfaction
    • Service level management
    • Business value measurement
    • Process improvement
  4. Risk Management: Risk Management is about the safeguarding of IT assets, disaster recovery and continuity of operations including security and information integrity.
    • Organizational risk appetite
    • Project and investment risk mitigation
    • Information security risk mitigation
    • Operational risk mitigation
    • Compliance regulatory mandates
    • Audit
  5. Resource Management: Resource Management looks at how IT optimizes and manages critical IT resources.
    • Hardware and software asset management
    • Third party service providers & Outsourcing
    • Standardized architecture
    • Financial management – service costing


Domains of IT Governance
Figure 2. source: Maciej Rostanski, Marek Pyka et al.


What is perhaps most important here, however, is not that all 5 IT governance domains are fully inserted into the enterprise, but that the recommendations, standards and best practices contained in the domains are considered and applied in accordance with the needs, requirements and capabilities of the business. As such the ISACA model is arguably most useful when it is considered as a basic guideline for injecting IT governance best practices into the business when and where they are specifically needed. It is however advisable that no matter the size and maturity level of the business at least some elements from each domain should be present to ensure effective IT governance.


Principles of IT Governance

Ten Principles of IT Governance[10]

  1. Actively design governance: Actively designing governance involves senior executives taking the lead and allocating resources, attention, and support to the process. For some enterprises, this will be the first time IT governance is explicitly designed. Often there are mature business governance processes to use as a starting point. Not only does overall governance require active design, but each mechanism also needs regular review. Focus on having the fewest number of effective mechanisms possible. Many enterprises with effective IT governance have between six and ten integrated and well-functioning mechanisms. One goal of any governance redesign should be to assess, improve, and then consolidate the number of mechanisms.
  2. Know when to redesign: Rethinking the whole governance structure requires that individuals learn new roles and relationships. Learning takes time. Thus, governance redesign should be infrequent. Transformations involve many other issues besides IT and take many months to implement.
  3. Involve senior managers: CIOs must be effectively involved in IT governance for success. Other senior managers must participate in the committees, the approval processes, and performance reviews. For many enterprises, this involvement is a natural extension of senior management's normal activities. Senior management necessarily gets involved in strategic decisions. This means that senior management is rarely concerned with the exception process. However, if an exception has strategic implications, it may reach the executive level IT Steering Committee.
  4. Make choices: Good governance, like good strategy, requires choices. It's not possible for IT governance to meet every goal, but governance can and should highlight conflicting goals for debate. As the number of tradeoffs increases, governance becomes more complex. Top-performing enterprises handle goal conflicts with a few clear business principles. The resulting IT principles reflect these business principles.
  5. Clarify the exception-handling process: Exceptions are how enterprises learn. In IT terms, exceptions challenge the status quo, particularly the IT architecture and infrastructure. Some requests for exceptions are frivolous, but most come from a true desire to meet business needs. If the exception proposed by a business unit has value, a change to the IT architecture could benefit the entire enterprise. There are three common elements to the exception procedures of top-performing enterprises:
    • The process is clearly defined and understood by all. Clear criteria and fast escalation encourage only business units with a strong case to pursue an exception.
    • The process has a few stages that quickly move the issue up to senior management. Thus, the process minimizes the chance that architecture standards will delay project implementation.
    • Successful exceptions are adopted into the enterprise architecture, completing the organizational learning process.
  6. Provide the right incentives: A major governance and incentive alignment issue is business unit synergy. If IT governance is designed to encourage business unit synergy, autonomy, or some combination, the incentives of the executives must also be aligned. Avoiding financial disincentives to desirable behavior is as important as offering financial incentives. Whenever incentives are based on business unit results, chargeback can be a point of contention. Enterprises can manipulate charges to encourage desirable behavior, but chargeback pricing must be reasonable and clearly understood. It is hard to overestimate the importance of aligning incentive and reward systems to governance arrangements. If well-designed IT governance is not as effective as expected, the first place to look is incentives.
  7. Assign ownership and accountability for IT governance: Like any major organizational initiatives, IT governance must have an owner and accountabilities. Ultimately, the board is responsible for all governance, but the board will expect or delegate an individual (probably the CEO or CIO) or group to be accountable for IT governance design, implementation, and performance—similar to the finance committee or CFO being accountable for financial asset governance. In choosing the right person or group, the board, or the CEO as their designate, should consider three issues.
    • IT governance cannot be designed in isolation from the other key assets of the firm (financial, human, and so on). Thus the person or group owning IT governance must have an enterprise-wide view that goes beyond IT, as well as credibility with all business leaders.
    • The person or group cannot implement IT governance alone. The board or CEO must make it clear that all managers are expected to contribute to IT governance as they would contribute to governance of financial or any other key asset.
    • IT assets are more and more important to the performance of most enterprises. A reliable, cost-effective, regulation-compliant, secure, and strategic IT portfolio is more critical today than ever before. The person or group owning IT governance must understand what the technology is and is not capable of. It is not the technical details that are critical but a feel for the two-way symbiotic connection between strategy and IT.
  8. Design governance at multiple organizational levels: In large multi-business unit enterprises it is necessary to consider IT governance at several levels. The starting point is enterprise-wide IT governance driven by a small number of enterprise-wide strategies and goals. Enterprises with separate IT functions in divisions, business units, or geographies require a separate but connected layer of IT governance. Usually the demand for synergies increases at the lower levels, whereas the need for autonomy between units is greatest at the top of the organization.
  9. Provide transparency and education: It's virtually impossible to have too much transparency or education about IT governance. Transparency and education often go together—the more education, the more transparency, and vice versa. The more transparency of the governance processes, the more confidence in the governance. The less transparent the governance processes are, the less people follow them. The more special deals are made, the less confidence there is in the process and the more workarounds are used. The less confidence there is in the governance, the less willingness there is to play by rules designed to lead to increased firm-wide performance. Special deals and nontransparent governance set off a downward spiral in governance effectiveness.
  10. Implement common mechanisms across the six key assets: There are six key assets through which enterprises accomplish their strategies and generate business value: Human assets, Financial assets, Physical assets, IP assets, Information and IT assets, and Relationship assets. Each asset may be expertly governed, but the opportunity for synergistic value is lost. Put this way, the coordination of the six assets seems blindingly obvious. But just glance back at your six lists of mechanisms and see how well coordinated—and more importantly, how effective—they are. Many enterprises successfully coordinate their six assets within a project but not across the enterprise via governance. In designing IT governance, review the mechanisms used to govern the other key assets and consider broadening their charter (perhaps with a subcommittee) to IT rather than creating a new, independent IT mechanism.


IT Governance Frameworks

IT Governance Frameworks [11]
There are three widely recognized, vendor-neutral, third-party frameworks that are often described as 'IT governance frameworks'. While on their own they are not completely adequate to that task, each has significant IT governance strengths:

  • ITIL®: ITIL, or IT Infrastructure Library®, was developed by the UK government (latterly under the Cabinet Office) as a library of best-practice processes for IT service management. Widely adopted around the world, ITIL is supported by ISO/IEC 20000-1:2011, the service management standard against which independent certification can be achieved.
  • COBIT®: Control Objectives for Information and Related Technology (COBIT) is an IT governance control framework that helps organizations meet today's business challenges in the areas of regulatory compliance, risk management and aligning IT strategy with organizational goals. COBIT is an internationally recognized framework. In particular, COBIT's Management Guidelines component contains a framework for the control and measurability of IT by providing tools to assess and measure the enterprise's IT capability for the 37 identified COBIT processes. (The count of 37 is specific to COBIT 5; COBIT 4.1 defined 34 processes and COBIT 2019 defines 40 governance and management objectives, so check which version a given assessment refers to.)
  • ISO 27002: ISO/IEC 27002 is the global best-practice code of practice for information security controls. It supports ISO/IEC 27001, the information security management system standard against which organizations are actually certified; ISO 27002 itself is guidance, not a certifiable standard.

The challenge, for many organizations, is to establish a coordinated, integrated framework that draws on all three of these standards. [12]


The Importance of IT Governance

The Importance of IT Governance [13]

  • Compliance with regulations
  • Competitive Advantage
  • Support of Enterprise Goals
  • Growth and Innovation
  • Increase in Tangible Assets
  • Reduction of Risk


IT Governance Implementation and Life-Cycle

IT Governance Implementation (Figure 3.)[14]
IT Governance implementation initiatives must be properly and adequately managed. Support and direction from key leadership executives can ensure that improvements are adopted and sustained. Management should identify requirements based on current challenges as areas that need to be addressed, supported by early commitment and buy-in from the relevant key leadership executives, and enabled by objectives and benefits that are clearly expressed in a business case. Successful implementation depends on implementing the appropriate change in the appropriate way. The implementation life cycle provides a way for enterprises to address the complexity and challenges typically encountered during implementations. The three interrelated components of the life cycle are:

  1. Core continual improvement life cycle—as opposed to a one-off project
  2. Change enablement—addressing the behavioral and cultural aspects
  3. Program management—following generally accepted project management principles


IT Governance Implementation Lifecycle
Figure 3. source: BusinessOfGovernment.Org


The implementation life cycle and its seven phases are illustrated above:

  • Phase 1: The need for an implementation or improvement initiative is recognised and agreed. This phase identifies the current pain points and creates a desire to change at executive management levels.
  • Phase 2: The scope of the implementation or improvement initiative is defined, considering how risk scenarios could also highlight key processes on which to focus. An assessment of the current state will need to be performed to identify issues or deficiencies by carrying out a process capability assessment. (Large-scale initiatives should be structured as multiple iterations of the life cycle in order to achieve visible successes and keep key leadership interest.)
  • Phase 3: An improvement target is set, including a more detailed analysis to identify gaps and potential solutions. (Some solutions may be quick wins and others more challenging and longer-term activities; priority should be given to initiatives that are easier to achieve and to those likely to yield the greatest benefits.)
  • Phase 4: Practical solutions are developed, with defined projects supported by justifiable business cases and a change plan for implementation. (Well-developed business cases help to ensure that project benefits are identified and monitored.)
  • Phase 5: The proposed solutions are implemented into day-to-day practices; measurements are defined and monitoring is established, ensuring that business alignment is measured, achieved and maintained.
  • Phase 6: The new or improved IT Governance initiatives are operated sustainably and the achievement of expected benefits is monitored.
  • Phase 7: The overall success of the initiative is reviewed, further requirements for IT Governance are identified, and the need for continual improvement is reinforced.

Over time, the life cycle should be followed iteratively while building a sustainable approach to the IT Governance of the enterprise.

To ensure the success of the IT Governance implementation initiative, a sponsor should take ownership, involve all key leadership executives, and provide for a business case. Initially, the business case can be at a high level from a strategic perspective—from the top down—starting with a clear understanding of the desired business outcomes and progressing to a detailed description of critical tasks and milestones as well as key roles and responsibilities; the business case is a valuable tool available to management in guiding the creation of business value. At a minimum, the business case should include the following:

  • Business benefits, their alignment with business strategy and the associated benefit owners.
  • Business changes needed to create the envisioned value. This could be based on health checks and capability gap analyses and should clearly state both what is in scope and what is out of scope.
  • Investments needed to make the IT Governance changes (based on estimates of projects required)
  • Ongoing IT and business costs.
  • Expected benefits of operating in the changed way.
  • Roles, responsibilities and accountabilities related to the initiative.
  • How the investment and value creation will be monitored throughout the economic life cycle, and the metrics to be used (based on goals and results).
  • The risk inherent in the change, including any constraints or dependencies (based on challenges and success factors).


Effective IT Governance

Achieving Effective IT Governance Implementation [15]
There are seven critical success factors for achieving effective IT governance implementations. These are widely accepted as important by companies that have had successful IT governance implementation:

  • Get executive sponsorship.
    • The higher in the organization the better. If IT governance is seen as “optional,” it won’t work.
    • Certainly on the IT side, the CIO should be a visible, vocal champion.
    • On the business side, it would be ideal to have a C-level executive. CFOs in particular are powerful persuaders because it’s clear they’re speaking on behalf of the company’s bottom line.
  • Put client resources on the team.
    • This is spoken from a consultant’s point of view, but the concept is equally valid for internal implementations.
    • Success depends on strong teamwork and alliances across IT and the business side.
    • By exposing both key business-side and IT users to the system early, taking the time to acquaint them to it, and explaining its benefits, you create champions who carry the story across the company.
  • Understand the problem.
    • Aim before you fire. Take the time to determine where you’re starting from in the Capability Maturity Model. If you’re at level one, you have basic process work to do before you are ready to implement a transformational solution.
    • Pick an attainable target to start with, ideally a particular pain point that is costing you time and money. It might be poor project performance resulting from a lack of visibility and control; slow, labor-intensive handling of routine business requests of IT; mistake-prone application change management that endangers your all-important business systems; a lack of standards for comparing the potential value of various projects in the IT portfolio; or a combination of these. Start with one and work from there.
  • Envision the solution.
    • Think hard about what you want to accomplish initially. Set goals high, but don’t make them unattainable—it demoralizes people.
    • Make sure your requirements are clearly defined and universally understood among all the stakeholders.
    • Stick to the original plan once you’ve adopted it. Keep the vision firmly fixed in your mind. Don’t listen to the siren song of scope creep. Achieve your mission first, and then build on success.
    • Focus on process improvement areas. Look for every opportunity to streamline workflow and remove steps. If you’re not already using a standard framework such as ITIL, you should seriously consider embracing it. It will help you employ processes in a proven and effective way.
  • Pick the right software solutions for the right reasons.
    • Recognize that successful IT governance requires clear, enforceable processes and standards. Your software should provide real-time visibility of projects and activities in easy-to-use desktop dashboards. It should also include built-in enforcement mechanisms.
    • Think beyond your initial implementation. Make sure the software is built to be an enterprise-level solution—scalable, in other words. Check to see that it is easily configurable and flexible in its use.
    • Also be sure the software is compatible with, and leverages, best-practice frameworks such as ITIL and CMMI, and supports quality initiatives such as Six Sigma.
  • Take small steps.
    • Don’t “swing for the fences.” Start with a pilot project or group, ideally one where the new system will show clear value to users and gain support.
    • Training is extremely important. Don’t expect people to move to the new system seamlessly. If you throw them in over their heads, you risk drowning the initiative.
    • At some point, you’ll find the new IT governance system positioned to replace some standalone existing application that has a following in the company. Some amount of resistance at this point is natural. Take it slow, and at these critical junctures, take the time to win recalcitrant users over through collaborative engagement.
    • Still, you have to keep moving forward once you’ve started. Small steps will get you there, but not if you let pockets of resistance stall the effort for extended periods.
  • Include post-implementation activities.
    • This is one of the most overlooked parts of the process, though it is potentially the most important.
    • Make sure you have developed clear plans for the transition to the new system and that you implement them methodically as soon as implementation is complete.
    • This is a critical time to assess the effectiveness of your training. Make the investment in one-on-one customized training with end users as a reality check on the usability of the system and the level of engagement it elicits in users.
    • This is also the time to evangelize the system on the business side. Set up customized C-level and executive dashboards and deploy them to users, being sure to acculturate the executives to the new system, and emphasizing the real-time visibility and control it provides them to “twist the dials” and extract more business value from IT.
    • Actively ask for feedback. In effect, immediately transfer ownership of the system to the end users by requesting and documenting user comments and suggestions for enhancements. Implement the best suggestions right away, so front-line users see that they’re being listened to. They’ll embrace the system faster.


Benefits of IT Governance

Benefits of Implementing IT Governance (Figure 4.) [16]
The key benefits of implementing an IT governance model include:

  • Strategic alignment, resulting in increased business partner satisfaction
  • Enhanced value delivery, driven by improved project prioritization, leading to a reduction of the IT budget
  • Improved performance and resource management, lowering the total cost of IT ownership
  • Better quality of IT output, resulting in a reduction in IT control issues


Figure 4 illustrates the typical benefits and impacts seen when implementing IT governance for clients across various industry sectors.

Benefits of IT Governance
Figure 4. source: Cognizant


IT Governance, Risk Management, and Compliance

IT Governance, Risk and Compliance (IT GRC)(Figure 6)[17]
"Adopting a unified IT Governance, Risk and Compliance (IT GRC) approach, and managing the associated activities coherently, will create efficiencies, provide a holistic view of the IT environment and ensure accountability."

IT GRC ensures that:

  • The activities and functions of the IT organisation(s) support business objectives and the return on IT investments is maximised.
  • IT delivers the envisioned benefits against the strategy, costs are optimised, and relevant best practices are incorporated.
  • The optimal investment is made in IT, and critical IT resources are responsibly, effectively and efficiently managed and used.

IT Governance, Risk and Compliance (IT GRC)
Figure 6. source: PwC

Some important issues:

  • Profitability
    • Firms with above-average IT governance performance had more than 20% higher profitability than firms with poor governance
    • Effective IT governance is the single most important predictor of the value an organisation generates from IT
  • Regulatory and industry requirements
    • Organizations need to satisfy quality, fiduciary and security requirements for information as for all other assets
    • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines a widely accepted control framework for enterprise governance and risk management, which in turn requires a framework for control over IT
    • Sarbanes-Oxley, Basel II
    • Industry specific regulations
    • General call for greater transparency


IT Governance Maturity Model

IT Governance Maturity Model (Figure 5.)
The figure below illustrates the capability maturity model for the IT governance process. This capability maturity model (CMM) describes a maturity curve on these capability levels: initial/ad hoc, repeatable, defined, managed, and optimized, along with these parameters: strategic alignment, value delivery, risk management, resource management, and performance management.


IT Governance Capability Maturity Model
Figure 5. source: Knowledge Leader


How IT Governance Creates IT Value

How does IT Governance create IT Value[18]
IT governance has primarily been driven by the need for the transparency of enterprise risks and the protection of shareholder value. The overall objective of IT governance is to understand the issues and the strategic importance of IT, so that the firm can maintain its operations and implement strategies to enable the company to better compete now and in the future. Hence, IT governance aims at ensuring that expectations for IT are met and that IT risks are mitigated. IT governance exists within corporations to guide IT initiatives and to ensure that the performance of IT meets the following corporate objectives:

  • Alignment of IT to support business operations and sustain advantages;
  • Responsible use of IT resources;
  • Appropriate identification and management of IT-related risks;
  • Facilitation of IT’s aid in exploiting opportunities and maximizing benefits.

A structured IT governance committee or policy, together with corporate managers, combines to ensure that IT is synchronized with the business and delivers value to the firm. IT governance also aids companies in instituting formal project approval processes and performance management plans. Firms typically make five types of IT decisions:

  • IT principles decisions dictating the role of IT in the enterprise.
  • IT architecture decisions on technical choices and directions.
  • IT infrastructure decisions on the delivery of shared IT services.
  • Business application requirements decisions for each project.
  • IT investment and prioritization decisions.

IT governance exists to assist enterprise leaders in their responsibility to make IT successful in supporting the firm’s goals and mission. IT governance helps firm executives to raise awareness and understanding among employees. Such governance also helps provide guidance and tools to boards of directors, executive managers, and CIOs to ensure that IT is appropriately aligned with corporate goals and policies and that IT meets and exceeds expectations of the firm.


More on IT Governance (corporate governance of information technology)

IT governance is a subset of enterprise governance, which ensures that the organization's IT sustains its strategies and objectives. The need to oversee technology investments is even more important at a time when many high-ranking officials are blatantly violating established norms. Information security accountability depends on effective management and on adherence to legal and regulatory norms. The CXO challenge is not to understand every aspect of the technology infrastructure, but to understand its role as a strategic business driver.

To make IT governance a talking point, experts recommend a multi-pronged strategy:

  • Enable IT-Board Coordination: Many technology tools are now available to foster board engagement and innovation: more frequent communication, easier sharing of documents and materials, and reports and analytics that help boards gain insight into an organization's risk management processes.
  • Balancing Technology Risk: There is a multiplicity of risks associated with technology. Relatively few people understand the nature of these challenges. Board influencers and decision makers need to identify critical segments and minimize liabilities.
  • Business-Technology Strategy: Most executives need to understand how technology strategy works at multiple levels:
    • How information technology enhances the organization’s ability to understand financial, operational and reputational aspects of a company.
    • Creating a business idea that works in real-time.
  • Effective ROI: When conceptualizing a project with long-term implications, carefully study every business-related aspect: the financial, operational and reputational consequences of technology investments.
  • Stakeholder Analysis And Education: Democratizing access and educating every stakeholder is integral to making technology ubiquitous. In most organizations, many stakeholders are unaware or cannot connect due to multiple reasons. Also, educating relevant stakeholders about proper technology facets enhances impact. Long-term viability and sustainability is a function of how IT permeates into the organization ethic.[19]


See Also


References

  1. What is Meant by IT Governance? Definition of IT Governance
  2. Explaining Information Technology Governance Techopedia
  3. What is the role of IT Governance Weill Ross Framework MIT
  4. Board briefing on IT Governance by ISACA
  5. Gartner's definition of IT governance Gartner
  6. CIO Magazine's definition of IT Governance cio.com
  7. Emergence of IT Governance Wikipedia
  8. The IT Governance Landscape IBM
  9. What are the types of IT Governance? DCM
  10. Ten Principles of IT Governance Harvard Business School
  11. What are the different IT Governance Frameworks? itgovernance.co.uk
  12. IT Governance Frameworks
  13. Why is IT Governance Important? Khan
  14. What are the Phases of the IT Governance Implementation Life Cycle? IBM CBG
  15. Seven Critical Success Factors for Achieving Effective IT Governance Implementation Mercury
  16. Benefits of Implementing IT Governance Cognizant
  17. IT Governance, Risk and Compliance (IT GRC) PWC
  18. How does IT Governance create IT Value Pepperdine.edu
  19. Example of IT Governance Talking points


Further Reading