As both business and public sector organisations are becoming increasingly dependent on IT, there is growing recognition that governance of IT is an essential part of the corporate governance. Governance is about who makes the decisions? How they are made and who is accountable for what? While the need for IT governance is accepted, implementing effective IT governance continues to be a challenge.
Many C-level executives still consider IT to be too complex, technical and difficult to govern. IT governance still is perceived as a CIO issue. Alignment between IT and business strategy as well as between IT and business governance remains weak.
This article demystifies the IT governance and provides practical ideas for improvement.
Four “ares” of governance
Governance is about ensuring that the organizations resources are used the right way to create value while managing IT risks. The Val-IT framework from IT Governance institute helps address these challenges. The four “Ares’ are the core of Val-IT framework. This is a sound framework which helps organisations ensure IT efforts are aligned and IT continues to deliver value.
- Are we doing the right things? To quote Peter Drucker: “There is nothing so useless as doing efficiently that which should not be done at all”. This is the question about should we be doing something at all. It ensures strategic alignment between business and IT. Is what we are trying to do fit with the organisations vision and strategy? Is it consistent with the business principles?
- Are we doing them the right way? This is the question about architecture and standards. Is what we are doing conform to the architecture and processes?
- Are we getting it done well? This is the question about the execution. Do we have the disciplined delivery and change management processes? Do we have the right skilled re sources and are we managing them well? How does our performance measure up to others? Are we effectively managing risks?
- Are we getting the benefits? This is a question about realising value from investments in IT /projects. Are we clear about the benefits? Do we have metrics? Is the accountability for the benefits clearly defined?
These four questions cover the core of Governance, which are Strategic alignment, IT value delivery, IT Risk management, Performance management, and IT Resource Management. When managers at all levels address these questions, IT governance will become part of the culture.
IT Governance Models
There is no one size fits all model for IT governance. Three common models are based on three decision-making styles within organizations. These are: Centralised, Federated or Decentralised.
Figure 2 – IT Decision making models
- In the centralised model efficiency and cost control is emphasised over business unit responsiveness. There is greater focus on standards, synergies and economies of scale.
- In a BU centric (decentralised) model there is greater business ownership and responsiveness but integration and synergies suffer, resulting in likely higher costs.
- The federated model tries to combine the best features of these two. In the federated model common applications and infrastructure resources are pooled while business units control BU specific applications.
Here are some commonly used IT Governance forums. The above models influence the scope and membership of the IT governance forums.
Business Leadership Council / Executive committee – This is the top-level committee that makes enterprise-wide decisions including approving IT strategic plan and controlling major investments (including projects). Sometimes Ex-co may delegate the IT decisions to IT Council or IT Steering committee. This usually consists of key business executives, CFO and CIO. They would consider IT policy and investment decisions more deeply than the Ex-co.
IT Leadership council – This group consists of most senior IT leaders across the enterprise. They focus on decisions such as IT policy, IT Architectures and IT infrastructure. This is a critical forum in Federated and decentralised models.
IT Architecture Council consisting of key IT and some business leaders who would oversee development of architecture standards, recommend them for endorsement by the Leadership council. This group may also monitor compliance with the architecture standards.
Business-IT relationship managers – These managers bridge the gap between IT and business units and act as two-way communication channel to address and resolve any gaps.
Characteristics of good IT governance
- IT investments and decisions are assessed in a manner similar to business investments and IT is managed as a strategic asset. This means there is top management participation in key IT decisions. There is board oversight of IT investments and executives are held accountable for realising benefits.
- IT is essential part of corporate planning and strategic planning. IT understands the business dynamics and contributes to the development of business strategy, which is interlinked to IT strategy. IT and business work together to identify opportunities.
- Top IT risks are considered within the enterprise risk management framework. Risks such as data protection, IT security and business continuity receive periodic board oversight.
- IT performance is regularly measured and compared with peers and best practice.
- How decisions are made and why, is well understood and outcomes are clearly and formally communicated to the stakeholders. Formal exception processes are established and promote transparency as well as allowing organisational learning.
Steps to better governance
Improving governance in organizations is a strategic change process. There is no silver bullet. Governance is not just a new process but it also needs a new mindset and behaviours at senior levels of both IT and business. The established power centres within organizations do not always welcome greater transparency and accountability. Experience suggests that strong support from CEO and CIO and gradual increase in governance maturity usually works better than constant tinkering.
Here are ten steps for improving IT Governance:
- Visible and active top management commitment is absolutely critical for the success of any governance initiative. Governance is a disciplined approach. There must be consequences for all the executives for non-compliance.
- Treat governance as a change program requiring resources and commitment. It must have visible benefits for it to be considered successful. Also, consider organization’s culture, resources available and capacity for change. Establish credible goals, measure and communicate the benefits.
If the IT is struggling to deliver reliable service, or have a poor track record of customer service or project delivery; focus the governance efforts for addressing these burning issues rather than going for the lofty goals of strategy alignment and such.
- Use recognised frameworks for the governance initiative. There are a number of frameworks like COBIT, ITIL and others. If service management were an issue using ITIL framework would be ideal. Use knowledgeable experts to help establish a realistic program.
- Transparency of decision making and reporting gives governance its potency. Transparency whether it be business cases, standards compliance or project health reports create trust and creates peer pressure to address issues identified or to question unusual decisions.
- Create a formal process for handling exceptions. Then report on percent of exceptions and key reasons for these. May be the standard it inappropriate or the enforcement is poor. Openly discuss and address.
- Encourage peer group consensus at each governance tier and avoid escalations to higher levels. This will build trust and sense of compromise within the framework of good governance.
- Where possible align with the corporate governance mechanisms. Most companies would have risk management, investment management, and crisis or business continuity management mechanisms. Align IT with this where possible. This would accelerate the implementation as well as give it instant credibility. Seek input from internal or external Audit staff in design of the governance framework.
- Educate senior management on benefits of IT governance as well as on new technologies and challenges so that they can participate in an informed manner in key technology related decisions. Lack of technological knowledge should not be an excuse for executives not to participate in key technology investment decisions.
- Build accountability for benefits realisation in the business case itself. This will encourage active interest in delivery governance.
- Avoid clogging the IT steering committee or EX-co with technical or architectural details. Address the technical details at a technical forum and report only on compliance or non-compliance/ risk to the top team. The top team can then focus on ‘is this the right thing to be doing (or investing in)’ rather than ‘how’.
If you want to discuss steps to improve IT governance in your organisations contact me.