Do you know if your IT department is under control? How does one determine if the IT capability is well managed? Is IT well managed if the IT service is in line with service levels? Is IT in control if projects are delivered more or less on time? Or can one say IT is under control when information is secure? What should a CEO or a CIO do to ensure that the technology function is well governed?
What is governance? The term ‘governance’ is derived from the Latin word “gubernare” – the action of steering a ship. Governance provides a structure for setting objectives and monitoring performance to ensure that the objectives are achieved. Essentially, governance defines who makes what decisions, how decisions are made and who is accountable for what.
IT Governance is a part of corporate governance. In the current digital economy, the importance of technology within most organizations is increasing. It is becoming important to ensure that IT meets the organization's objectives. While there is usually no debate about the concept of IT governance, there are still many views about what constitutes IT governance. Some people equate IT governance to IT service management (ITSM); others think it is managing information and security. But IT governance is all this and more.
Five Focus Areas of IT Governance
At its core, IT governance is about two things: how IT delivers value to the business and how well IT risks are mitigated. When business and IT objectives are strategically aligned, value is delivered. Embedding accountability in the organisation ensures risk management. These lead to the five focus areas for IT governance. These are:
- Strategic alignment,
- Resource management,
- Performance measurement,
- Value delivery and
- Risk management
The first three areas are the drivers and the last two are the outcomes or the results. These are connected in a continuous governance life-cycle. Strategy alignment is usually the first step. From strategy, the next step is the delivery of expected value through implementation while controlling the risks. Next, results are regularly measured, reported and actioned. Finally, strategy is re-evaluated and adjusted. Resource management decisions are made throughout the governance life cycle. The organisation’s culture, values, mission and vision create the environment within which it operates (value drivers).
Let us look at each of these five governance areas further.
IT Strategic Alignment
What is strategic alignment? Strategic alignment is achieved when the organisation's strategic objectives inform the building of the IT capabilities that are necessary to deliver value to the business. It means that IT strategy is aligned to business strategy. But strategy alignment alone is not enough. It also means that IT operations are in alignment with the business operations.
For IT to deliver value to the enterprise, there need to be clear linkages between the aims of the business and the direction of IT. Therefore, when creating the IT strategy, one must consider:
- the business requirements,
- the competitive environment,
- the impact of the current and future technologies and business trends,
- the current capability of IT to deliver the expected levels of service,
- the cost of existing IT and whether it is providing value, and
- the investments needed to meet expected service levels.
The board or executive-level IT steering committee ensures strategy alignment. It checks that:
- IT strategy is aligned to the business strategy,
- IT delivers against the strategy (within budget, functionality and outcomes) and
- IT investments are balanced between support and the capabilities needed for growth / transformation.
Effective alignment also requires creating and maintaining awareness of IT’s importance for the business, clarifying the role that IT should play (e.g. enable vs. utility vs. transform), and monitoring IT performance and the impact of projects and service operations.
Value delivery ensures IT investments are generating an appropriate return on investment. Value delivery means delivering within budget and with the right quality that achieves the promised benefits. The benefits may be cost reduction, new capabilities / products / services, customer satisfaction or top / bottom line growth. IT value is also delivered by providing the infrastructure that allows the business to grow. Of course, for value delivery to be effective, the value must be created in the right areas. This is where alignment is so important.
Value is demonstrated in many different ways. Value-for-money means IT operations and services are being run in a cost-effective manner. Measuring the cost and quality of IT services and comparing them against a peer group (benchmarking) is an accepted method. New business value is created when IT helps make better decisions, transforms processes, improves customer interaction or helps deliver new products. Return on investment can be used to measure this value. (For more on IT value read).
In recent research conducted by Ernst & Young, the top finding was that organizations that do focus on strategic risks and have integrated their various risk management activities outperform their peers financially. Managing enterprise risks is the primary driver for governance in many organisations. Amongst the many enterprise risks, IT risks form a part of operational and systemic risks. Since most businesses are heavily dependent on IT for operations and service delivery, how IT risks are managed is important to boards and regulators. Examples of typical IT risks are business continuity, change control, information security, and new technology implementation.
- Generate two-way open communications about risk with stakeholders,
- Provide stakeholders with the relevant information that helps them make informed decisions,
- Have the board or management committee play a leading role in defining risk management objectives.
- Adopt and implement a common risk framework across the organization,
- Assign accountability for the risks to executives.
- Establish a system of internal controls to manage these risks.
Even when no immediate actions are planned, analysing and being aware of the risks improves decision making.
Resource management aims to optimise IT investment and the use of IT assets and resources to improve performance. Many businesses don’t get the full value from their IT assets and their associated costs. Resource management also includes managing outsourced services so that the service is delivered at an acceptable price.
Effective resource management requires that procurement, project management, workforce planning (recruitment, retention and skills development), and work tools and facilities are managed well. Good resource management ensures that IT support services are prioritised in line with the needs and importance of business operations. Similarly, the life cycle of IT assets (hardware, licences and applications) needs to be managed to reduce outages, costs and the impact of changing technologies. Balancing the cost of infrastructure with the quality of service is also important for resource management.
Managing the performance of projects and IT services is a focus here. A balanced scorecard approach allows performance measurement from multiple perspectives, such as Financial, Customer, Internal process and Learning. The IT balanced scorecard (IT BSC) is a very powerful aid to reporting IT performance and also to achieving business alignment. Balanced scorecards that include a mix of both outcome (what is being done) measures and drivers of performance (how you are doing) are effective for improving performance.
IT Governance is a key to ensuring IT is under control. Governance requires that all aspects of IT performance and risk are monitored and controlled in a way that improves overall business performance. IT governance is not a one-time activity but a critical management process. Little will be achieved without support from the top. Organisations that have effective IT governance manage IT costs, risks and performance more effectively and can be said to have IT under control.