Menu

Governance in IT 

When we consider the way we run the systems that support our businesses, the concept of IT Governance is probably the most important factor to take into account. There is often, however, a lack of understanding about what IT governance actually means and what the benefits of a good governance model in IT really are. It is not my intention here to instruct you on how to do IT Governance but rather to give pointers towards ways that might help in implementing IT Governance in an organisation.  

The first question to ask ourselves is, what exactly is IT Governance? 

A dry dictionary definition might term it as follows: 

IT governance can be summarised as the processes that ensure the effective and efficient use of IT in enabling an organisation to achieve its goals. It involves leadership, organisational structures, and processes that ensure the organisation’s IT sustains and extends the organisation’s strategies and objectives. 

This definition epitomises for me one of the main problems with IT Governance. It is seen as too conceptual and doesn’t really get brought to life in the day-to-day operation. Sometimes people think of it as a process to follow in order to get the boxes ticked to proceed to the next stage, and this sort of definition encourages this. The other problem that is often seen with this kind of definition is that it encourages a top-down dictatorial approach to Governance. 

To address this, I like to think of IT Governance as follows: 

IT Governance is relevant to all members of the enterprise. It ensures that the right decisions can be made that align with the strategy, risk appetite and culture of the enterprise. It provides a framework of Principles, Policies and Processes to guide the decision making in the most efficient way. 

Some may consider this a very broad definition that doesn’t get to the core of what IT Governance is about. This is quite deliberate. There is a perception that IT Governance is specialised and must be left to the technical teams. In today’s environment, IT pervades the enterprise and it is key to have a governance framework that mirrors this. It is also important to show that IT Governance is not something that ends at the upper echelons of the enterprise. To achieve this, we need the awareness of the principles, policies and processes to permeate throughout the enterprise. The ideal would be that it should not be seen as governing against bad practice but more as a method to govern for good practice. 

We should next address what we need to implement IT Governance in an Enterprise

Some might argue that the best first step is to adopt a common framework that is already in existence. ISO/IEC 38500 is the international standard with COBIT and ITIL being the most widespread frameworks in industry. I am certainly not going to suggest that starting with a framework is a bad idea and would highly recommend that one is adopted. 

The first step however should always be to discover what really matters to the enterprise. What is the strategy? What type of relationship is there with IT functions? How risk averse do they need to be to for the environment they operate in? These are just some of the questions to answer, but basically before you start on the IT Governance journey, you are going to need to understand the business architecture at least to some degree. 

Once we have discovered the details about the business, we need to consider how wide our IT Governance will spread. Implementing for a whole organisation at the very start is probably a step too far for most enterprises. The best approach would be to determine where the greatest need is first. This may be dictated by Business Strategy; an area shortly to undergo growth might be a good candidate. New legislation impacting a product could make systems supporting a particular proposition a focus. Alternatively, the focus could be on areas with the greatest need for governance, such as those creating the most IT issues. 

Adoption of a framework

Adoption and refinement of one of the frameworks mentioned previously is probably the next step but there are a number of important points to take into account when approaching this. 

A framework is meant to be tailored to meet your needs. Frameworks are designed to be tailored; there will be elements of your enterprise that mean that some parts of the framework are more important than others. Factors such as the threat landscape for your particular enterprise are important to consider here. Implementing processes or controls just because the framework tells you they might be required should be avoided. 

The frameworks need to be implemented to fit the culture of your enterprise. This could either be the culture you currently have or the culture you strive to obtain. For some enterprises, a dictatorial top-down approach to Governance has to be in place. If this is the case, the focus of the implementation has to be to ensure it doesn’t come across as a harsh regime. Other enterprises have a more laissez faire approach. In this case we need to make sure that the freedoms are recognised and controlled within the framework. Implementing a governance regime that matches the desired culture is a delicate balancing act that must be clearly communicated. 

Frameworks provide you with the controls you need to attest to. One of the most common of these controls is to ensure compliance with legal and regulatory requirements. This highlights for me a major area that needs consideration in an IT Governance framework. The framework will tell you that you must comply with legislation but will not outline for you the legislation itself. It is the principles that will be developed as part of IT Governance that will ensure that there is the awareness of the legislation. The principles should define how we interpret the rules imposed on us, whether by a legislator or a regulator. The effort to define these principles should not be underestimated and may be a key factor in deciding which area of the enterprise to concentrate on first. 

There are numerous factors to take into account when adopting a framework. Many are complementary with the journey some businesses are on to improve their enterprise architecture. It is therefore often a sensible approach to see the implementation of IT Governance and definition of the Enterprise Architecture assets as a joint effort. 

Benefits and Measurement of IT Governance 

Probably the main benefit of effective IT Governance is the assurance that what is being delivered as part of the IT strategy aligns with what is required from Business strategy. There are clear benefits around adherence to policies for regulatory and legal requirements. Ensuring that the systems, people and infrastructure are used in the most efficient way are also core to this. 

In order to meet these benefits, it is important to ensure that the journey to deliver IT Governance is seen as one of continuous improvement rather than a simple one-off implementation. No IT Governance framework can be implemented as perfect on day one, and nor will any ever achieve perfection. The goal should be to ensure that an appropriate level of maturity is met and maintained. Tracking of adherence to control metrics in the IT Governance framework is a useful way to measure the success or otherwise of the journey. It is here that there is another opportunity to spread the value throughout the enterprise. Publishing these metrics as dashboards will encourage adherence and inform the wider community of the improvements being made. 

Another benefit that is not often associated with IT Governance is the impact on raising awareness of IT functions and capabilities within the enterprise. It is often the case that Governance steps are not missed deliberately, but more overlooked due to lack of awareness. IT Governance that permeates the enterprise can act as a way to raise awareness of the capabilities open to the enterprise and match the business requirements with IT solutions that may already be in place. 

Conclusion 

IT Governance is a critical aspect of overall corporate governance. It should be seen as an enabler of the business functions within an enterprise. It is there to realise the full potential of the investments made in technology in a way that minimises risk and maximises compliance. All the while, IT Governance ensures that what is put in place matches the defined goals and strategy of the enterprise. Ensuring widespread awareness and adoption of appropriate IT Governance controls should be a core aim of the enterprise. 

Contact Richard Phillips to learn how Altus Consulting can help you with your IT Governance needs.

Keep exploring...

Stop Ignoring End-of-Life Core Operating Software
Technical Briefing Paper: Building An Effective Data Strategy
Commercial Off The Shelf Implementations Briefing Note

Subscribe

Don't miss out on news and opinion pieces from Altus experts

Insights - Subscribe form

Name
Business email preferable
Please confirm what you would like to receive from us