IT Governance

Revision as of 00:41, 20 January 2023

IT Governance Definition

IT Governance is defined as the processes that ensure information technology investments are aligned with an organization's goals and objectives. It enables organizations to monitor and control activities and decisions associated with information technology to comply with laws, regulations, and policies, and manage their IT risks effectively. IT Governance is essential to maximizing returns on IT investment.

Simply put, IT Governance ensures:

  • effective and efficient use of information technology
  • alignment between IT strategy and business strategy
  • maximum returns on IT investments

Essentially, IT Governance uses formal and informal mechanisms to monitor and control key information technology capability decisions, in an attempt to ensure the delivery of value to key stakeholders in an organization. Where IT Strategy sets the approach for the use of IT for business value, governance sets the direction.

IT Governance Key Points

  • IT Governance is a process. It is not a point-in-time event. It is not a committee. It is not a department.
  • The objective of IT Governance is to ensure the delivery of business results not "IT systems performance" nor "IT risk management" - that would reinforce the notion of IT as an end in itself. On the contrary, IT Governance is about IT decisions that have an impact on business value.
  • The process, therefore, monitors and controls key IT decisions that might have an impact, positive or negative, on business results.
  • The concept of governance is meaningless without the recognition of both ownership and responsibility. The key stakeholders in an organization have an "ownership" stake in the organization. The management is responsible to these stakeholders.
    • We must recognize the ownership stake of not just shareholders but also of the other stakeholders such as customers, vendors, employees etc.
    • The "management," i.e. the people entrusted with making key decisions, is responsible to these stakeholders.
  • Therefore, the objective of IT Governance is not just the delivery of risk-optimized business value but also to engender the trust of the key stakeholders in the people to whom they have entrusted their money and/or livelihood.
    • One can argue that this trust results in more business value. No doubt. But the fact remains that it is a means to that end and must be recognized independently as a motivation for IT Governance.
    • In a sense, IT Governance acts upon the old adage of "trust but verify!"[1]

Corporate Governance of Information Technology (CGIT)

Information Technology Governance is an essential element of corporate governance so it is sometimes referred to as the corporate governance of information technology.

IT governance is a broad concept that is centered on the IT department or environment delivering business value to the enterprise. It is a set of rules, regulations, and policies that define and ensure the effective, controlled, and valuable operation of an IT department. It also provides methods to identify and evaluate the performance of IT and how it relates to business growth. Moreover, by following and implementing an IT Governance Framework such as ISACA's COBIT Framework, an organization can comply with regulatory requirements and reduce IT risk while attaining measurable business benefits. IT governance uses, manages, and optimizes IT in such a way that it supports, complements, or enables an organization to achieve its goals and objectives.[2]

Definitions of IT Governance

There are many definitions of IT Governance. Notable among them are the following:

  • IT governance is the responsibility of executives and the board of directors and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategy and objectives. (ITGI, 2005)
  • IT governance is specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT. (Weill & Woodham, 2002)
  • IT governance is the organizational capacity exercised by the board, executive management, and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT. (Van Grembergen, 2000)
  • Weill and Ross define IT governance as "the decision rights and accountability framework to encourage desirable behavior in the use of IT." They identify three components of governance:
    • IT Decisions Domains: What are the key IT decision areas?
    • IT Governance Archetypes: Who governs the decision domains and how is it organized? Who decides or has input, and how?
    • Implementation Mechanisms: How are the decision and input structures formed and put in place?[3]
  • The IT Governance Institute (ISACA) defines IT Governance as follows:

"...leadership, organizational structures and processes to ensure that the organization's IT sustains and extends the organization's strategies and objectives."[4]

  • According to Gartner IT governance (ITG) is defined as "the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals." IT demand governance (ITDG — what IT should work on) is the process by which organizations ensure the effective evaluation, selection, prioritization, and funding of competing IT investments; oversee their implementation, and extract (measurable) business benefits. ITDG is a business investment decision-making and oversight process, and it is a business management responsibility. IT supply-side governance (ITSG — how IT should do what it does) is concerned with ensuring that the IT organization operates in an effective, efficient and compliant fashion, and it is primarily a CIO responsibility.[5]
  • CIO Magazine defines IT Governance as "putting structure around how organizations align IT Strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance." It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results. An IT governance framework should answer some key questions, such as how the IT department is functioning overall, what key metrics management needs, and what return IT is giving back to the business from the investment it’s making.[6]

Different names of IT Governance

IT Governance is also known as:

  • Information technology governance
  • Information and communications technology governance (ICT Governance)
  • Corporate Governance of information technology (CGIT)
  • Corporate governance of information and communications technology
  • Enterprise governance of information technology (EGIT)

History of IT Governance[7]

The discipline of information technology governance first emerged in 1993 as a derivative of corporate governance and deals primarily with the connection between an organization's strategic objectives, business goals, and IT management within an organization. It highlights the importance of value creation and accountability for the use of information and related technology and establishes the responsibility of the governing body, rather than the chief information officer or business management. The primary goals for information and technology (IT) governance are to
(1) assure that the use of information and technology generates business value,
(2) oversee management's performance and
(3) mitigate the risks associated with using information and technology.
This can be done through board-level direction, implementing an organizational structure with well-defined accountability for decisions that impact the successful achievement of strategic objectives, and institutionalizing good practices through organizing activities in processes with clearly defined process outcomes that can be linked to the organization's strategic objectives. Following corporate governance failures in the 1980s, a number of countries established codes of corporate governance in the early 1990s:

  • Committee of Sponsoring Organizations of the Treadway Commission (USA)
  • Cadbury Report (UK)
  • King Report (South Africa).

As a result of these corporate governance efforts to better govern the use of corporate resources, specific attention was given to the role of information and the underpinning technology in supporting good corporate governance. It was soon recognized that information technology was not only an enabler of corporate governance but, as a resource, also a value creator that was itself in need of better governance. In Australia, AS 8015 Corporate Governance of ICT was published in January 2005; it was fast-track adopted as ISO/IEC 38500 in May 2008. The IT governance process enforces a direct link between IT resources and processes and enterprise goals, in line with the strategy. There is a strong correlation between the maturity of IT governance and the overall effectiveness of IT.

IT Governance Landscape (Figure 1.)[8]

IT governance should not be considered a company initiative. It is not a project that begins and ends, but rather is the fabric of your business and transcends time, leadership, and initiatives. And whether you have organic (grown unintentionally) or deliberate (grown intentionally) IT governance, the questions you should ask include: "How good are my IT governance processes at effectively delivering strategic business value year after year?" "Are my processes repeatable, predictable, and scalable; are they truly meeting the needs of my business (outside of IT) and my customers?" It is no more likely that a single IT governance process will work for all IT business processes than it is for every one of your customers to be satisfied with the exact same product or service configuration for any given product or service that your company produces. Therefore, a number of IT governance-related processes must be considered. The integrated collection of available IT governance processes is referred to as the IT governance landscape. IT governance is a subset of enterprise governance, which at the highest level drives and sets what needs to be accomplished by IT governance. IT governance itself encompasses systems, infrastructure, and communication. Product development governance, like IT governance, is a subset of enterprise governance and overlaps with IT governance. Product development governance is targeted at enterprises that develop products (as opposed to service delivery, for example). Development governance is governance applied to development organizations and programs and is a subset of IT and product development governance. Development governance encompasses the software development lifecycle. Figure 1. illustrates these relationships, highlighting development governance.

IT Governance Landscape
Figure 1. source: IBM

Domains of IT Governance (Figure 2.)[9]

Ask a room of IT governance professionals and business executives what the domains of IT governance are, and chances are each one would provide a different answer. Fortunately, ISACA, a leading global provider of certifications, knowledge, advocacy, and education in information systems assurance and security, has developed useful guidance that separates IT Governance into five domains (ISACA, 2013), each of which is briefly described below:

  1. Strategic Alignment: Strategic Alignment is concerned with how IT supports the enterprise strategy and how IT operations are aligned with current enterprise operations. Alignment involves:
    • Understanding the needs of the business
    • Developing IT strategy and objectives
    • Resource allocation – portfolio management
    • Demand management
    • Communication
  2. Value Delivery: Value Delivery ensures that value is obtained from investment in information technology and is an essential component of IT governance. It involves selecting investments wisely and managing them throughout their life cycle—from inception to final retirement. It involves making sure that IT delivers appropriate quality on time and within budget and examines how the actual cost is managed and how the ROI is determined.
    • Identifying project value drivers
    • Identifying service value drivers
    • Project management
    • External benchmarking
  3. Performance Management: Performance management looks at how IT tracks and monitors implementation strategy, how the success of the project is determined, resource usage, and the ensuing process performance and service delivery.
    • Customer satisfaction
    • Service level management
    • Business value measurement
    • Process improvement
  4. Risk Management: Risk Management is about the safeguarding of IT assets, disaster recovery, and continuity of operations including security and information integrity.
    • Organizational risk appetite
    • Project and investment risk mitigation
    • Information security risk mitigation
    • Operational risk mitigation
    • Compliance with regulatory mandates
    • Audit
  5. Resource Management: Resource Management looks at how IT optimizes and manages critical IT resources.
    • Hardware and software asset management
    • Third-party service providers & Outsourcing
    • Standardized architecture
    • Financial management – service costing

Domains of IT Governance
Figure 2. source: Maciej Rostanski, Marek Pyka et al.

What is perhaps most important here, however, is not that all 5 IT governance domains are fully inserted into the enterprise, but that the recommendations, standards, and best practices contained in the domains are considered and applied in accordance with the needs, requirements, and capabilities of the business. As such the ISACA model is arguably most useful when it is considered a basic guideline for injecting IT governance best practices into the business when and where they are specifically needed. It is however advisable that no matter the size and maturity level of the business at least some elements from each domain should be present to ensure effective IT governance.

Principles of IT Governance[10]

  1. Actively design governance: Actively designing governance involves senior executives taking the lead and allocating resources, attention, and support to the process. For some enterprises, this will be the first time IT governance is explicitly designed. Often there are mature business governance processes to use as a starting point. Not only does overall governance require active design, but each mechanism also needs regular review. Focus on having the fewest number of effective mechanisms possible. Many enterprises with effective IT governance have between six and ten integrated and well-functioning mechanisms. One goal of any governance redesign should be to assess, improve, and then consolidate the number of mechanisms.
  2. Know when to redesign: Rethinking the whole governance structure requires that individuals learn new roles and relationships. Learning takes time. Thus, governance redesign should be infrequent. Transformations involve many other issues besides IT and take many months to implement.
  3. Involve senior managers: CIOs must be effectively involved in IT governance for success. Other senior managers must participate in the committees, the approval processes, and performance reviews. For many enterprises, this involvement is a natural extension of senior management's normal activities. Senior management necessarily gets involved in strategic decisions. This means that senior management is rarely concerned with the exception process. However, if an exception has strategic implications, it may reach the executive-level IT Steering Committee.
  4. Make choices: Good governance, like a good strategy, requires choices. It's not possible for IT governance to meet every goal, but governance can and should highlight conflicting goals for debate. As the number of tradeoffs increases, governance becomes more complex. Top-performing enterprises handle goal conflicts with a few clear business principles. The resulting IT principles reflect these business principles.
  5. Clarify the exception-handling process: Exceptions are how enterprises learn. In IT terms, exceptions challenge the status quo, particularly the IT architecture and infrastructure. Some requests for exceptions are frivolous, but most come from a true desire to meet business needs. If the exception proposed by a business unit has value, a change to the IT architecture could benefit the entire enterprise. Enterprises with effective exception procedures share three common elements:
    • The process is clearly defined and understood by all. Clear criteria and fast escalation encourage only business units with a strong case to pursue an exception.
    • The process has a few stages that quickly move the issue up to senior management. Thus, the process minimizes the chance that architecture standards will delay project implementation.
    • Successful exceptions are adopted into the enterprise architecture, completing the organizational learning process.
  6. Provide the right incentives: A major governance and incentive alignment issue is business unit synergy. If IT governance is designed to encourage business unit synergy, autonomy, or some combination, the incentives of the executives must also be aligned. Avoiding financial disincentives to desirable behavior is as important as offering financial incentives. Whenever incentives are based on business unit results, a chargeback can be a point of contention. Enterprises can manipulate charges to encourage desirable behavior, but chargeback pricing must be reasonable and clearly understood. It is hard to overestimate the importance of aligning incentive and reward systems to governance arrangements. If well-designed IT governance is not as effective as expected, the first place to look is incentives.
  7. Assign ownership and accountability for IT governance: Like any major organizational initiative, IT governance must have an owner and accountabilities. Ultimately, the board is responsible for all governance, but the board will expect or delegate an individual (probably the CEO or CIO) or group to be accountable for IT governance design, implementation, and performance—similar to the finance committee or CFO being accountable for financial asset governance. In choosing the right person or group, the board, or the CEO as their designate, should consider three issues.
    • IT governance cannot be designed in isolation from the other key assets of the firm (financial, human, and so on). Thus the person or group owning IT governance must have an enterprise-wide view that goes beyond IT, as well as credibility with all business leaders.
    • The person or group cannot implement IT governance alone. The board or CEO must make it clear that all managers are expected to contribute to IT governance as they would contribute to the governance of financial or any other key asset.
    • IT assets are more and more important to the performance of most enterprises. A reliable, cost-effective, regulation-compliant, secure, and strategic IT portfolio is more critical today than ever before. The person or group owning IT governance must understand what the technology is and is not capable of. It is not the technical details that are critical but a feel for the two-way symbiotic connection between strategy and IT.
  8. Design governance at multiple organizational levels: In large multi-business unit enterprises it is necessary to consider IT governance at several levels. The starting point is enterprise-wide IT governance driven by a small number of enterprise-wide strategies and goals. Enterprises with separate IT functions in divisions, business units, or geographies require a separate but connected layer of IT governance. Usually, the demand for synergies increases at the lower levels, whereas the need for autonomy between units is greatest at the top of the organization.
  9. Provide transparency and education: It's virtually impossible to have too much transparency or education about IT governance. Transparency and education often go together—the more education, the more transparency, and vice versa. The more transparency of the governance processes, the more confidence in the governance. The less transparent the governance processes are, the fewer people follow them. The more special deals are made, the less confidence there is in the process and the more workarounds are used. The less confidence there is in the governance, the less will there is to play by rules designed to lead to increased firm-wide performance. Special deals and nontransparent governance set off a downward spiral in governance effectiveness.
  10. Implement common mechanisms across the six key assets: There are six key assets through which enterprises accomplish their strategies and generate business value: human assets, financial assets, physical assets, IP assets, information and IT assets, and relationship assets. Each asset may be expertly governed in isolation, but then the opportunity for synergistic value is lost. Put this way, the coordination of the six assets seems blindingly obvious. But just glance back at your six lists of mechanisms and see how well coordinated—and more importantly, how effective—they are. Many enterprises successfully coordinate their six assets within a project but not across the enterprise via governance. In designing IT governance, review the mechanisms used to govern the other key assets and consider broadening their charter (perhaps with a subcommittee) to IT rather than creating a new, independent IT mechanism.

IT Governance Frameworks

There are three widely recognized, vendor-neutral, third-party frameworks that are often described as 'IT governance frameworks'.[11] While on their own they are not completely adequate for that task, each has significant IT governance strengths:

  • ITIL®: ITIL, or IT Infrastructure Library®, originated in the UK government's CCTA and was later owned by the Cabinet Office, as a library of best-practice processes for IT service management. Widely adopted around the world, ITIL is supported by ISO/IEC 20000:2011, against which independent certification can be achieved.
  • COBIT®: Control Objectives for Information and Related Technology (COBIT) is an IT governance control framework that helps organizations meet today’s business challenges in the areas of regulatory compliance, risk management, and aligning IT strategy with organizational goals. COBIT is an internationally recognized framework. In particular, COBIT's Management Guidelines component contains a framework for the control and measurability of IT by providing tools to assess and measure the enterprise’s IT capability for the 37 identified COBIT processes.
  • ISO 27002: ISO/IEC 27002, the code of practice for information security controls, together with ISO/IEC 27001 (the certifiable requirements standard for an information security management system), is the global best-practice standard for information security management in organizations.

The challenge, for many organizations, is to establish a coordinated, integrated framework that draws on all three of these standards.[12]

The Importance of IT Governance

IT governance is important for the following reasons:[13]

  • Compliance with regulations
  • Competitive Advantage
  • Support of Enterprise Goals
  • Growth and Innovation
  • Increase in Tangible Assets
  • Reduction of Risk

IT Governance Implementation and Life-Cycle

IT Governance Implementation (Figure 3.)[14]

IT Governance implementation initiatives must be properly and adequately managed. Support and direction from key leadership executives can ensure that improvements are adopted and sustained. Management should identify requirements based on current challenges as areas that need to be addressed, supported by early commitment and buy-in from relevant key leadership executives, with objectives and benefits clearly expressed in a business case. Successful implementation depends on implementing the appropriate change in the appropriate way. The implementation life cycle provides a way for enterprises to address the complexity and challenges typically encountered during implementations. The three interrelated components of the life cycle are:

  1. Core continual improvement life cycle—as opposed to a one-off project
  2. Change enablement—addressing the behavioral and cultural aspects
  3. Program management—following generally accepted project management principles

IT Governance Implementation Lifecycle
Figure 3. source: BusinessOfGovernment.Org

The implementation life cycle and its seven phases are illustrated above:

  • Phase 1: recognition and agreement on the need for an implementation or improvement initiative. It identifies the current pain points and creates a desire to change at executive management levels.
  • Phase 2: focus on defining the scope of the implementation or improvement initiative, considering how risk scenarios could also highlight key processes on which to focus. An assessment of the current state will need to be performed to identify issues or deficiencies by carrying out a process capability assessment. (Large-scale initiatives should be structured as multiple iterations of the life cycle in order to achieve visible successes and keep key leadership interests.)
  • Phase 3: improvement target set, including a more detailed analysis to identify gaps and potential solutions. (Some solutions may be quick wins and others more challenging and longer-term activities – priority should be given to initiatives that are easier to achieve and those likely to yield the greatest benefits.)
  • Phase 4: practical solutions with defined projects, supported by justifiable business cases, and a change plan for implementation are developed. (Well-developed business cases help to ensure that project benefits are identified and monitored.)
  • Phase 5: proposed solutions implemented into day-to-day practices, measurements are defined and monitoring established, ensuring that business alignment is measured, achieved, and maintained.
  • Phase 6: sustainable operation of the new or improved IT Governance initiatives and the monitoring of the achievement of expected benefits.
  • Phase 7: the overall success of the initiative is reviewed, further requirements for IT Governance are identified, and the need for continual improvement is reinforced.

Over time, the life cycle should be followed iteratively while building a sustainable approach to the IT Governance of the enterprise.

To ensure the success of the IT Governance implementation initiative, a sponsor should take ownership, involve all key leadership executives, and provide for a business case. Initially, the business case can be at a high level from a strategic perspective—from the top down—starting with a clear understanding of the desired business outcomes and progressing to a detailed description of critical tasks and milestones as well as key roles and responsibilities; a business case is a valuable tool available to management in guiding the creation of business value. At a minimum, the business case should include the following:

  • Business benefits, their alignment with business strategy, and the associated benefit owners.
  • Business changes needed to create the envisioned value. This could be based on health checks and capability gap analyses and should clearly state both what is in scope and what is out of scope.
  • Investments needed to make the IT Governance changes (based on estimates of projects required).
  • Ongoing IT and business costs.
  • Expected benefits of operating in a changing way.
  • Roles, responsibilities, and accountabilities related to the initiative.
  • How the investment and value creation will be monitored throughout the economic life cycle, and the metrics to be used (based on goals and results).
  • The risk inherent in the change, including any constraints or dependencies (based on challenges and success factors).

Effective IT Governance

Achieving Effective IT Governance Implementation[15]

There are seven critical success factors for achieving effective IT governance implementations. These are widely accepted as important by companies that have had successful IT governance implementations:

  • Get executive sponsorship.
    • The higher in the organization the better. If IT governance is seen as “optional,” it won’t work.
    • Certainly on the IT side, the CIO should be a visible, vocal champion.
    • On the business side, it would be ideal to have a C-level executive. CFOs in particular are powerful persuaders because it’s clear they’re speaking on behalf of the company’s bottom line.
  • Put client resources on the team.
    • This is spoken from a consultant’s point of view, but the concept is equally valid for internal implementations.
    • Success depends on strong teamwork and alliances across IT and the business side.
    • By exposing both key business-side and IT users to the system early, taking the time to acquaint them to it, and explaining its benefits, you create champions who carry the story across the company.
  • Understand the problem.
    • Aim before you fire. Take the time to determine where you’re starting from in the Capability Maturity Model. If you’re at level one, you have basic process work to do before you are ready to implement a transformational solution.
    • Pick an attainable target to start with, ideally a particular pain point that is costing you time and money. It might be poor project performance resulting from a lack of visibility and control; slow, labor-intensive handling of routine business requests of IT; mistake-prone application change management that endangers your all-important business systems; a lack of standards for comparing the potential value of various projects in the IT portfolio; or a combination of these. Start with one and work from there.
  • Envision the solution.
    • Think hard about what you want to accomplish initially. Set goals high, but don’t make them unattainable—it demoralizes people.
    • Make sure your requirements are clearly defined and universally understood among all the stakeholders.
    • Stick to the original plan once you’ve adopted it. Keep the vision firmly fixed in your mind. Don’t listen to the siren song of scope creep. Achieve your mission first, and then build on success.
    • Focus on process improvement areas. Look for every opportunity to streamline workflow and remove steps. If you’re not already using a standard framework such as ITIL, you should seriously consider embracing it. It will help you employ processes in a proven and effective way.
  • Pick the right software solutions for the right reasons.
    • Recognize that successful IT governance requires clear, enforceable processes and standards. Your software should provide real-time visibility of projects and activities in easy-to-use desktop dashboards. It should also include built-in enforcement mechanisms.
    • Think beyond your initial implementation. Make sure the software is built to be an enterprise-level solution—scalable, in other words. Check to see that it is easily configurable and flexible in its use.
    • Also be sure the software is compatible with, and leverages, best-practice frameworks such as ITIL and CMMI, and supports quality initiatives such as Six Sigma.
  • Take small steps.
    • Don’t “swing for the fences.” Start with a pilot project or group, ideally one where the new system will show clear value to users and gain support.
    • Training is extremely important. Don’t expect people to move to the new system seamlessly. If you throw them in over their heads, you risk drowning the initiative.
    • At some point, you’ll find the new IT governance system positioned to replace some standalone existing application that has a following in the company. Some amount of resistance at this point is natural. Take it slow, and at these critical junctures, take the time to win recalcitrant users over through collaborative engagement.
    • Still, you have to keep moving forward once you’ve started. Small steps will get you there, but not if you let pockets of resistance stall the effort for extended periods.
  • Include post-implementation activities.
    • This is one of the most overlooked parts of the process, though it is potentially the most important.
    • Make sure you have developed clear plans for the transition to the new system and that you implement them methodically as soon as the implementation is complete.
    • This is a critical time to assess the effectiveness of your training. Make the investment in one-on-one customized training with end users as a reality check on the usability of the system and the level of engagement it elicits in users.
    • This is also the time to evangelize the system on the business side. Set up customized C-level and executive dashboards and deploy them to users, being sure to acculturate the executives to the new system, and emphasizing the real-time visibility and control it provides them to “twist the dials” and extract more business value from IT.
    • Actively ask for feedback. In effect, immediately transfer ownership of the system to the end users by requesting and documenting user comments and suggestions for enhancements. Implement the best suggestions right away, so front-line users see that they’re being listened to. They’ll embrace the system faster.

Benefits of IT Governance

Benefits of Implementing IT Governance (Figure 4.) [16]
The key benefits of implementing an IT governance model include:

  • Strategic alignment, resulting in increased business partner satisfaction
  • Enhanced value delivery, driven by improved project prioritization, leading to a reduction of the IT budget
  • Improved performance and resource management, lowering the total cost of IT ownership
  • Better quality of IT output, resulting in a reduction in IT control issues

Figure 4 illustrates the typical benefits and impacts seen when implementing IT governance for clients across various industry sectors.

Figure 4. Benefits of IT Governance. Source: Cognizant

IT Governance, Risk Management, and Compliance

IT Governance, Risk and Compliance (IT GRC) (Figure 6) [17]

"Adopting a unified IT Governance, Risk and Compliance (IT GRC) approach, and managing the associated activities coherently will create efficiencies, provide a holistic view of the IT environment and ensure accountability."

IT GRC ensures that:

  • The activities and functions of the IT organization(s) support business objectives, and IT investments are maximized.
  • IT delivers envisioned benefits against the strategy, costs are optimized, and relevant best practices are incorporated.
  • The optimal investments are made in IT and critical IT resources are responsibly, effectively, and efficiently managed and used.

Figure 6. IT Governance, Risk and Compliance (IT GRC). Source: PwC

Some important issues:

  • Profitability
    • Firms with above-average IT governance performance had more than 20% higher profitability than firms with poor governance
    • Effective IT governance is the single most important predictor of the value an organization generates from IT
  • Regulatory and industry requirements
    • Organizations need to satisfy quality, fiduciary, and security requirements for information as for all other assets
    • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines a widely accepted control framework for enterprise governance and risk management, which in turn requires a framework for control over IT
    • Sarbanes-Oxley, Basel II
    • Industry-specific regulations
    • General calls for greater transparency

IT Governance Maturity Model (Figure 5.) [18]

The figure below illustrates the capability maturity model for the IT governance process. This capability maturity model (CMM) describes a maturity curve over five capability levels (initial/ad hoc, repeatable, defined, managed, and optimized) across five parameters: strategic alignment, value delivery, risk management, resource management, and performance management.

Figure 5. IT Governance Capability Maturity Model. Source: Knowledge Leader

How IT Governance Creates IT Value[19]

IT governance has primarily been driven by the need for the transparency of enterprise risks and the protection of shareholder value. The overall objective of IT governance is to understand the issues and the strategic importance of IT so that the firm can maintain its operations and implement strategies to enable the company to better compete now and in the future. Hence, IT governance aims at ensuring that expectations for IT are met and that IT risks are mitigated. IT governance exists within corporations to guide IT initiatives and to ensure that the performance of IT meets the following corporate objectives:

  • Alignment of IT to support business operations and sustain advantages;
  • Responsible use of IT resources;
  • Appropriate identification and management of IT-related risks;
  • Facilitation of IT aid in exploiting opportunities and maximizing benefits.

A structured IT governance committee or policy, together with corporate managers, ensures that IT is synchronized with the business and delivers value to the firm. IT governance also aids companies in instituting formal project approval processes and performance management plans. Firms typically make five types of IT decisions:

  • IT principles decisions dictating the role of IT in the enterprise.
  • IT architecture decisions on technical choices and directions.
  • IT infrastructure decisions on the delivery of shared IT services.
  • Business application requirements decisions for each project.
  • IT investment and prioritization decisions.

IT governance exists to assist enterprise leaders in their responsibility to make IT successful in supporting the firm’s goals and mission. IT governance helps firm executives to raise awareness and understanding among employees. Such governance also helps provide guidance and tools to boards of directors, executive managers, and CIOs to ensure that IT is appropriately aligned with corporate goals and policies and that IT meets and exceeds the expectations of the firm.

More on IT Governance (corporate governance of information technology)

IT governance is merely a subset of enterprise regulation, which ensures that the organization’s IT sustains strategies and objectives. The need to oversee technology investments is even more important at a time when many high-ranking officials are blatantly violating set norms. Information security accountability is dependent only on effective management and adherence to legal and regulatory norms. The CXO challenge is not to understand every aspect of the technology infrastructure but to understand its role as a strategic business driver.

To make IT governance a talking point, experts recommend a multi-pronged strategy:

  • Enable IT-Board Coordination: Many technology tools are now available to foster innovation. More frequent communication, ease of sharing documents and materials, and reports and analytics help boards gain insight into an organization’s risk management processes.
  • Balancing Technology Risk: There is a multiplicity of risks associated with technology. Relatively few people understand the nature of these challenges. Board influencers and decision-makers need to identify critical segments and minimize liabilities.
  • Business-Technology Strategy: Most executives need to understand how technology strategy works at multiple levels:
    • How information technology enhances the organization’s ability to understand the financial, operational, and reputational aspects of a company.
    • Creating a business idea that works in real-time.
  • Effective ROI: When conceptualizing a project with long-term implications, carefully study every business-related aspect: the financial, operational, and reputational aspects of technology investments.
  • Stakeholder Analysis And Education: Democratizing access and educating every stakeholder is integral to making technology ubiquitous. In most organizations, many stakeholders are unaware or cannot connect for multiple reasons. Also, educating relevant stakeholders about proper technology facets enhances the impact. Long-term viability and sustainability are a function of how IT permeates the organization’s ethic.[20]

See Also


Further Reading