What is IT Governance?

Many people, even those working in information technology (IT), are not sure what IT governance is. Some are not even sure that technology and governance belong together. That is despite the fact that this discipline has existed since the dawn of computing and is essential for any organization that uses IT. Part of the problem may be that it is nowhere near as exciting as the rest of IT, although it is just as challenging. This article looks at IT governance and why it is essential today and for the future.

What is IT governance?

Information technology governance is an element of corporate governance aimed at improving the overall management of IT and deriving better value from investment in information and technology. Corporate governance, as defined by The Governance Institute, is:

“a toolkit that enables management and the board to deal more effectively with the challenges of running a company. Corporate governance ensures that businesses have appropriate decision-making processes and controls in place so that the interests of all stakeholders are balanced.”

Establishing a framework for the corporate governance of information technology can help an organization comply with the laws and regulations that apply to its business, such as the Data Protection Act (DPA) 2018 and the GDPR. IT governance planning helps you define and maintain the policies and procedures needed to meet these requirements for data security and privacy, and, just as importantly, to evidence that they are being followed.

It can also help to maximize the return on your investment in IT. It does this by helping you to evaluate, prioritize, and select the investments most likely to give the best returns, and by ensuring that IT purchases and activities are aligned with overall business objectives.

Planning, coupled with the proper structure, helps to ensure that IT is operated in an effective, efficient, safe, and regulatory-compliant way. Establishing a framework also helps with the management of IT-related risks, for example by using IT security governance to decide who owns the risk from cyber-attacks, what level of risk is acceptable, and how the controls that reduce it are monitored.

Technology governance, as a part of IT governance, can reduce the cost of IT support by encouraging the use of a standard set of technologies. Through the application of frameworks such as COBIT, it can also be used to standardize IT-related processes, reducing costs and improving customer service. Other benefits include:

  • Demonstrating measurable results arising from the use of IT.
  • Assuring stakeholders that they can have confidence in your IT services.
  • Facilitating increased returns on IT investment.
  • Complying with any corporate governance requirements.

The history

The history of this discipline started a long time ago, at the dawn of computing. Ways were devised to control which developments would be funded and to ensure the quality of deliverables, but this early IT governance was not recognized as a separate discipline within IT. Its formal history began in 1993, when it emerged as a derivative of corporate governance. This brought a focus on linking IT management with the organization's strategic objectives and business goals, highlighting the importance of value creation and accountability for IT.

Following several high-profile governance failures involving corporate fraud and deception in the 1990s and early 2000s, a number of countries established formal codes and regulations for corporate governance. These include:

  • Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework (USA).
  • Cadbury Report (UK).
  • King Report (South Africa).
  • Gramm–Leach–Bliley Act (USA).
  • Sarbanes-Oxley Act (USA).

These led to a realization that governance of IT systems and of IT management was essential to support strong corporate governance, because IT underpins the daily operations of most businesses and the financial records that these codes are designed to protect. IT was seen both as an enabler of corporate governance and as a value creator that required stronger governance of its own.

This led to the development of a standard, AS8015 Corporate Governance of ICT, which was published in Australia in January 2005. In 2008 it was used to fast-track publication by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) of an international standard for IT governance, ISO/IEC 38500. Publication of this standard was a milestone in the history of IT governance. It provides a framework for the effective governance of IT to help those at the highest level of an organization understand and fulfill their legal, regulatory, and ethical obligations in respect of the organization's use of IT.

IT governance objectives

For good IT governance, developing a successful strategy is crucial. IT strategy and governance must be tightly coupled, because following a technology-driven strategy alone is unlikely to meet the organization's business objectives.

Objectives should not sit in isolation; they should be a key part of the overall IT strategy, which in turn should be part of the organization's corporate strategy. IT governance exists within organizations to guide IT initiatives and to ensure that the performance of IT meets the following corporate objectives:

  • Align IT to support business operations and deliver value.
  • Use IT resources responsibly.
  • Identify and manage risks related to IT.

The goals and objectives for any organization should include the following aspects:

  • Alignment: Governance must ensure that IT services and developments are fully aligned with the organization's business strategy. A gap between the IT strategy and the business strategy leads to wasted investment and unmanaged risk.
  • Value delivery: The governance must ensure that the maximum business value is obtained from the IT systems.
  • Risk management: All IT-related risks must be adequately controlled or mitigated, including the risks of investments as well as those of operation. This means that each significant risk has a named owner, a decision on whether it is accepted, reduced, transferred, or avoided, and a record of that decision.
  • Resource management: The governance must ensure that the IT capabilities and resources are always sufficient to meet the current and future business objectives through appropriate sourcing of new and use of existing IT resources.
  • Performance measurement: The contribution of IT to achieving the organization’s strategic objectives should be measured. This will demonstrate how IT governance adds value to the business.

Embracing these objectives will help to deliver optimized business value and facilitate gaining and maintaining the trust of key stakeholders.

The importance of IT Governance

Why is IT governance important? To start with, it underpins corporate governance. Why should corporate governance include the governance of IT? Because just about every organization today relies on IT systems in some form. The importance of IT relative to the organization's other activities will, of course, vary between different types and sizes of business, but it cannot be ignored. Corporate governance failures can result in fines and even the imprisonment of executives, and blaming IT is no defense. Considering what corporate governance is and why it matters should therefore be enough to persuade you that IT belongs within its scope.

IT governance provides an organization with a structure of relationships and processes that direct and control how IT is provided and operated. This type of governance helps the enterprise to achieve its goals by adding value from IT while balancing the risk and reward of IT investments and processes. It provides the structure that links IT processes, IT resources, and information to enterprise strategies and objectives.

IT projects should also be within the scope of governance. The organization might have separate governance arrangements for projects, but where this is the case, there must be a strong link with the approach used to govern IT; otherwise, there is a risk that projects are delivered on time but do not meet the requirements that IT governance imposes, such as security, architecture, and compliance standards. This is key when considering what project governance is and why it is important.

What are the benefits?

The benefits vary between organizations. For those in highly regulated industries, such as healthcare or aerospace, the benefits of good governance are clear. Maintaining compliance with the governance requirements of these sectors is not just something that is nice to do; it is mandatory if the organization wants to stay in business.

As well as maintaining compliance, there are several other potential benefits. Many of these are shared with what can be achieved by applying corporate governance best practices and are not unique to IT, but all of them should be considered when carrying out IT governance planning. The potential benefits include:

  • Reduced risks: Because governance includes risk management, IT-related risks are identified earlier and their impact is reduced or, where possible, eliminated.
  • IT alignment: ensuring that IT aligns with and actively supports the goals and strategy of the organization.
  • Improved culture: IT culture is no longer seen as different from the culture of the organization.
  • Compliance: The governance of IT supports compliance with governance requirements.
  • Managed projects: Governance aids improved control over IT projects.
  • Successful projects: Because IT projects are aligned with the organization’s strategic goals, they are more likely to be rated successful by the business.
  • IT's profile: IT's standing in the rest of the business improves as it demonstrates that it understands and supports the organization's goals.
  • Managed performance: The performance of IT’s contribution to the organization is measured.
  • Managed resource capacity: IT resources are matched to business demand.
  • Optimized operations: IT activities are optimized to deliver benefits to the organization.
  • Improved information governance: Controls can help the organization to achieve the benefits of information governance.

IT Governance Process

There is no single process that can be used to govern IT. A number of different processes and practices are required, and they must be used on an ongoing basis. Governance is not something you do once, or once a year. It has to become an inherent part of how you operate IT, using processes that are repeatable, scalable, and controllable. These processes should be reviewed regularly to ensure that they continue to deliver the expected value to both internal and external customers.

It is common practice to use several different but related processes, each focusing on a different area of IT. This integrated collection is often referred to as an IT governance landscape, the scope of which includes IT systems, architectures, services, developments, networks, infrastructure, and processes. As each of these has different characteristics, they are often subject to different governance approaches linked by a common strategy. Here are some examples:

  • IT architecture governance: This governs the development of IT architectures by establishing guidelines that new developments have to comply with. IT architecture governance can prevent an organization from using more technologies than it can support, ensuring that any new technology is carefully considered before adoption and that support costs are optimized. Standard architectural frameworks such as TOGAF are often used as part of IT architecture governance.
  • IT process governance: This governs the processes used to develop, test, and support IT products. It can be used to standardize processes across the organization, removing reliance on single individuals and supporting consistent outcomes. COBIT is a good example of an IT process governance framework.
  • Enterprise IT governance: The term enterprise IT refers to hardware and software designed to meet the demands of large organizations. While it is easier to implement governance for these large-scale systems than for collections of smaller systems, the governance processes for enterprise IT have to cope with the scale of use and complexity that usually comes with such systems.
  • Product development governance: This is for organizations that develop their own IT products. It is a specific type of IT process governance that encompasses the software development lifecycle processes, from requirements through build, test, release, and support.

IT Governance Models

IT governance models define a set of rules, regulations, and policies that establish and ensure the effective, controlled, and valuable operation of an IT function. They also provide methods to identify and evaluate the performance of IT and how it supports the business. Many organizations define their own model; some widely used models can be adopted and then tailored to suit the needs of the specific organization. This is very similar to the approach many organizations take to IT security governance, which uses the ISO/IEC 27001 information security standard as the model and then selects which of its Annex A controls are relevant to their circumstances, recording the choices and the reasons for them in a Statement of Applicability.

Which model is most appropriate depends on what type of business you are. For example, an IT organization that specializes in managing the delivery of IT projects would be best suited to an IT project governance model, such as PRINCE2 or the PMBOK Guide. An organization that encompasses every discipline in IT might be better suited to an IT governance model based on the COBIT framework, possibly enhanced by the ISO/IEC 20000 standard for IT service management.

ISACA, the professional association that publishes COBIT, has developed useful guidance that separates IT governance models into five domains. No organization is required to use all of these domains, but all are advised to consider the recommendations, standards, and best practices associated with each domain against their needs, compliance requirements, and capabilities.

The five domains are:

  1. Framework for the governance of enterprise IT: Organizations need to implement an IT governance framework that stays in continuous alignment with enterprise governance and the key drivers (both internal and external) directing the company’s strategic planning, goals, and objectives. This framework should, wherever possible, attempt to utilize industry standards and best practices (COBIT, ITIL, ISO, etc.) in accordance with the explicit needs and requirements of the business.
  2. Strategic Management: To be effective in enabling and supporting the achievement of business objectives, the business strategy must drive IT strategy. As such, the strategy of the business and IT are intrinsically linked. Efficient and effective business operation and growth rely on the proper alignment of the two. Some of the most effective methods for achieving this alignment are the implementation of an enterprise architecture methodology, portfolio management, and balanced scorecards.
  3. Benefits Realization: IT Governance helps the business to realize optimized business benefits through the effective management of IT-enabled investments. It aims to ensure the delivery of IT benefits through the implementation of value management practices, benefits realization planning, and performance monitoring and response. Portfolio management can be used to help govern IT-enabled investments as well as the design and use of appropriate performance management methods. A culture focused on continuous improvement can also help to ensure that benefits are continually achieved.
  4. Risk Optimization: The identification, assessment, mitigation, management, communication, and monitoring of IT-related business risks is an integral component of any enterprise's governance activities. While the specific risk management activities for IT vary widely with the organization's size and maturity and the industry in which it operates, it is important to develop a robust risk management framework that can demonstrate good governance to stakeholders and customers.
  5. Resource Optimization: Good models ensure that IT can provide the resources necessary to meet business demands, including people, information, infrastructure, and applications. The models should also ensure that IT has sufficient resources available to meet current and future strategic objectives. This requires a focus on identifying the most appropriate methods for resource procurement and management, monitoring of external suppliers, service level management, knowledge management, and staff training and development programs.

Some IT governance models also include a maturity model, which can be used to assess the maturity of an organization's governance approach. The diagram below illustrates the components of a typical IT governance model:

[Figure: Domains of IT Governance]
Source: IT Project Management Challenges and Innovations, Maciej Rostanski, Marek Pyka et al. Published by University of Dabrowa Górnicza, November 2015.

IT Governance Components

IT governance models share a common set of components. The detail within each component varies between organizations' implementations, but the overall structure is likely to contain the following:

Governance framework: A framework for the governance of IT should include all of the processes, responsibilities, policies, guidelines, metrics, and activities necessary for effective governance. This helps to ensure that a standardized governance approach is used throughout the organization, is known to all employees, and delivers consistent results. This critical component defines the 'who' and 'how' of the operating model, providing the framework for how decisions are made and communicated.

Business Benefits: A key component is understanding what business benefits are expected from the governance of IT. These benefits can take many forms. They include tangible benefits such as regulatory compliance or a reduction in the cost of wasted investments, and intangible benefits such as improved employee satisfaction. Unless these benefits are quantified and communicated, there is a risk that governance activities will not achieve the desired goals, because employees see them as unnecessary to the future of the organization.

Management: The other components are useless without effective management. That includes management of the governance activities themselves, benefits management, strategic management, and portfolio management. Governance should be an inherent part of all management activities conducted within the organization. It should never be seen as the responsibility of the IT manager or the internal audit team alone.

Optimizing Risks: Good models for risk management include both IT and business continuity planning, alignment with any legal and regulatory requirements for managing risks, and a defined risk appetite and tolerance that can be used to make risk-based decisions about IT systems and services. Without a stated appetite, every risk decision becomes an argument; with one, a risk above tolerance must be reduced or explicitly accepted by someone with the authority to do so.

Three widely recognized, vendor-neutral frameworks contain these components in some form. Each has different governance strengths:

  • ITIL is the most widely adopted framework for IT service management. It was originally developed by the UK government's Central Computer and Telecommunications Agency (CCTA), whose responsibilities later passed to the Office of Government Commerce and then the Cabinet Office, as a library of best-practice processes for this IT discipline. Widely adopted around the world, it has an associated standard, ISO/IEC 20000-1 (the 2011 edition has since been superseded by ISO/IEC 20000-1:2018), against which independent certification can be achieved. While not claiming to be a governance framework for IT, ITIL contains practices that can be applied to just about any organization to improve how it manages IT.
  • COBIT, Control Objectives for Information and Related Technologies, is an IT governance control framework that helps organizations meet today's business challenges in the areas of regulatory compliance, risk management, and aligning IT strategy with organizational goals. Like ITIL, COBIT is an internationally adopted framework. But, unlike ITIL, COBIT is recognized as a governance framework for IT. For example, COBIT's management guidelines provide a framework for the control and measurability of IT, with tools to assess and measure IT capability across the 37 processes defined in COBIT 5 (COBIT 2019 restructures these into 40 governance and management objectives).
  • Val IT: Val IT is a governance framework from ISACA for creating business value from IT investments. It consists of a set of guiding principles and a number of processes and best practices, further defined as a set of key management practices, to support executive management and boards at an enterprise level. Its content has since been integrated into COBIT 5 and later releases.

IT governance vs IT management

Governance and management are terms for activities that every organization should be carrying out. But what are the differences between IT governance and IT management? In small organizations, the same individual might be doing both without realizing that there is a difference, but they should be thought of as separate roles with separate responsibilities. Both are concerned with controlling an organization so that it can achieve its goals. However, there are important differences between them.

The word 'governance' shares its root with 'government,' and most people understand what a government does: it sets out what must be done now and what should be achieved in the future. So governance in IT is concerned with setting the direction for IT, defining the necessary rules and policies and ensuring compliance with them, and changing those policies where they conflict with the goals of the organization.

In IT, management is a much more commonly used term than governance. Management is concerned with the day-to-day operation of IT, including decision-making and resource allocation. The role of IT management is to ensure the smooth running of IT. Management operates at multiple levels, including top management, IT team management, and IT process management.

Hence in summary:

  • Governance is concerned with setting the goals for IT, including the controls and activities required to achieve those goals, whereas IT management is concerned with looking after day-to-day IT operations and maintaining the smooth delivery of IT services.
  • Governance in IT answers questions about how IT contributes to the goals of the organization, both now and in the future, whereas IT management answers questions about how IT operates on a daily basis.

Examples

The following examples should help to illustrate what IT governance is about in practice.

Example of frameworks:

Several widely recognized frameworks give organizations a starting point for defining their own governance model. Some organizations adopt just one of them. Others take an integrated approach, using parts of several frameworks to deliver the results they need. The most commonly seen IT governance frameworks include:

  • ISO/IEC 38500: ISO/IEC 38500:2015 is recognized as the international standard for the corporate governance of IT. It sets out principles, definitions, and a high-level framework that organizations of all types and sizes can use to better align their use of IT with organizational decisions and to meet their legal, regulatory, and ethical obligations.
  • COBIT: Control Objectives for Information and Related Technologies, usually abbreviated to COBIT, is an internationally recognized IT governance framework that helps organizations meet business challenges in the areas of regulatory compliance, risk management, and the alignment of IT strategy with organizational goals. Its scope covers the full range of IT processes. COBIT 2019, the latest iteration of the framework, was released in November 2018. It builds on COBIT 5, introducing new concepts and addressing the latest developments affecting enterprise IT.
  • Calder-Moir IT Governance Framework: This framework provides structured guidance on how to approach IT governance and can be useful for benchmarking the balance and effectiveness of practices within an organization.
Other useful sources of model examples include:

Failure examples:

Most failures of governance within IT are not publicized, because they can damage an organization's reputation and cost it customers. The failures we do hear about tend to come from government organizations or large corporations, and they are often about poor governance of IT investments. Examples include:

  • In 2005 Ford Motor Company spent $400 million on a new IT-based purchasing system that they abandoned.
  • The same year the FBI was criticized for spending $170 million on a virtual case file system, which didn’t work, so was scrapped.

Many failure examples cite similar reasons. These include:

  • Unclear roles and responsibilities
  • Inadequate data for decision making
  • Unrealistic objectives
  • Delays in making decisions
  • IT objectives not aligned with business requirements

Each of these is precisely the kind of weakness that a well-implemented framework for the governance of IT is designed to expose early, while it can still be corrected.

Structure examples:

Having a structure for the governance of IT is a key part of any governance framework. The structure answers the "who?" and "what?" questions of governance: who is doing the governing and what they are governing. The "how?" is defined by the processes and policies in the governance framework, which set out how IT in the organization is governed.

There should be multiple levels of governance. Each level has a distinct purpose and a defined set of decisions that can be made at that level. The highest level of governance is Strategic. Typically comprising senior executives, this level focuses primarily on the alignment between the business strategy and the IT strategy. This group sets the vision for where the business is going and how IT will help it get there.

The next level of governance in this structure is the Executive level. This group is responsible for prioritizing all IT projects, allocating resources, and ensuring that the business benefits are achieved. The CIO normally chairs this body, with representatives from across the business.

The third layer of governance has two parts: Program governance and Business process governance. Program governance oversees the delivery of specific IT projects. Program boards deal with escalated project issues, organizational change management, and benefits realization. They are typically formed on an ad hoc basis for a specific project or group of related projects and are disbanded when the project closes.

Business process governance is responsible for how organization-wide processes that involve the use of IT are executed and amended.

The final level of IT governance is the Operations layer. It exists within the operational IT service management functions, concentrating on managing incidents and problems and approving change requests. A typical example at this layer is a Change Advisory Board, which is responsible for the governance of changes to IT systems. For the board to be an effective control, changes must not be able to reach production without passing through it, and emergency changes need a defined, auditable fast path rather than an informal bypass.

Summary

IT is fundamental to how most organizations do business today. Robust governance of IT is essential if you want to stay in business, maintain any competitive advantage in your sector, support your enterprise's growth, reduce the risks of IT, and avoid non-compliance with regulatory requirements. To be successful in how you govern IT, you should:

  • Actively involve senior management in all governance activities.
  • Align IT goals and budgets with the strategic business objectives.
  • Prioritize IT investments and activities against the goals.
  • Have clarity over governance roles and decision-making responsibilities.
  • Focus on the business value of IT projects.
  • Communicate priorities and progress clearly.
  • Continually engage the business customer.
  • Regularly monitor IT project progress and communicate the results.

IT governance is no longer optional; it is an essential component of any successful business.