As both business and public sector organisations are becoming increasingly dependent on IT, there is growing recognition that governance of IT is an essential part of broader corporate governance. Governance is about who makes the decisions, how they are made and who is accountable for them.
Many C-level executives still consider IT to be too complex, technical and difficult to govern. IT governance is still perceived as a CIO issue. Alignment between IT and business strategy, as well as between IT and business governance, remains weak.
The Four "Ares" of Governance
IT governance is about ensuring that the organisation’s resources are used the right way to create value while managing IT risks. The Val-IT framework from the IT Governance Institute helps address these challenges. The four “Ares” are the core of the Val-IT framework. This is a sound framework which helps organisations ensure IT efforts are aligned and IT continues to deliver value.
1. Are we doing the right things? To quote Peter Drucker: “There is nothing so useless as doing efficiently that which should not be done at all”. This is the question of whether we should be doing something at all. It ensures strategic alignment between business and IT. Does what we are trying to do fit with the organisation’s vision and strategy? Is it consistent with the business principles?
2. Are we doing them the right way? This is the question about architecture and standards. Does what we are doing conform to the architecture and processes?
3. Are we getting it done well? This is the question about the execution. Do we have the disciplined delivery and change management processes? Do we have the right skilled resources and are we managing them well? How does our performance measure up to others? Are we effectively managing risks?
4. Are we getting the benefits? This is a question about realising value from investments in IT/projects. Are we clear about the benefits? Do we have metrics? Is the accountability for the benefits clearly defined?
These four questions cover the core areas of governance: Strategic Alignment, IT Value Delivery, IT Risk Management, Performance Management and IT Resource Management. When managers at all levels address these questions, IT governance will become part of the culture.
IT Governance Models
There is no one-size-fits-all model for IT governance. Three common models are based on three decision-making styles within organisations. These are: centralised, federated or decentralised.
- In the centralised model, efficiency and cost control are emphasised over business unit responsiveness. There is greater focus on standards, synergies and economies of scale.
- In a BU-centric, decentralised model there is greater business ownership and responsiveness but integration and synergies suffer, resulting in likely higher costs.
- The federated model tries to combine the best features of these two. In the federated model, common applications and infrastructure resources are pooled while business units control BU-specific applications.
Here are some commonly used IT governance forums. The above models influence the scope and membership of the IT governance forums.
- Business Leadership Council/Executive Committee – This is the top-level committee that makes enterprise-wide decisions, including approving the IT strategic plan and controlling major investments (including projects). Sometimes the Ex-co may delegate the IT decisions to an IT Council or IT Steering Committee. This usually consists of key business executives, the CFO and the CIO. They would consider IT policy and investment decisions more deeply than the Ex-co.
- IT Leadership Council – This group consists of the most senior IT leaders across the enterprise. They focus on decisions such as IT policy, IT architectures and IT infrastructure. This is a critical forum in federated and decentralised models.
- IT Architecture Council – Consists of key IT and some business leaders who would oversee development of architecture standards and recommend them for endorsement by the Leadership Council. This group may also monitor compliance with the architecture standards.
- Business-IT Relationship Managers – These managers bridge the gap between IT and business units and act as a two-way communication channel to address and resolve any gaps.
Characteristics of Good IT Governance
- IT investments and decisions are assessed in a manner similar to business investments and IT is managed as a strategic asset. This means there is top management participation in key IT decisions. There is board oversight of IT investments and executives are held accountable for realising benefits.
- IT is an essential part of corporate planning and strategic planning. IT understands the business dynamics and contributes to the development of business strategy, which is interlinked with IT strategy. IT and business work together to identify opportunities.
- Top IT risks are considered within the enterprise risk management framework. Risks such as data protection, IT security and business continuity receive periodic board oversight.
- IT performance is regularly measured and compared with peers and best practice.
- How and why decisions are made is well understood, and outcomes are clearly and formally communicated to the stakeholders. Formal exception processes are established and promote transparency as well as allowing organisational learning.