Some esteemed ITIL colleagues argue that there should be no such thing as IT Governance at all. I smile and nod as I prepare my arguments, because almost certainly they’ve either missed the point of IT Governance or have become blinded by the view that IT Governance should be all wrapped up in the wider Governance and Compliance areas of the business. That’s fine, and these are all valid discussion points, but there’s also a lot to be said for having a dedicated IT Governance resource.
IT Governance is there to ensure IT structures actually service the business needs. Here’s what Gartner states:
IT Governance specifies the decision-making authority and accountability to encourage desirable behaviors in the use of IT. IT Governance provides a framework in which the decisions made about IT issues are aligned with the overall business strategy and culture of the enterprise. Governance is about decision making per se — not about how the actions resulting from decisions are executed. Governance is concerned with setting directions, establishing standards and principles, and prioritizing investments; management is concerned with execution.
Before we analyse Gartner’s statements I feel it’s best to address some of the tools that are available to IT Governance. The strength of IT Governance is the ability to adopt and adapt frameworks to suit the business. For example, I’ve found that some smaller businesses find the cost of becoming ISO27001 compliant too much to bear and want a middle ground. And do you know what? As long as the regulatory and legal requirements that apply to the business are met, that’s fair enough!
Frameworks can help and COBIT 5 (goals cascade) is one of them in this instance. You add a dollop of ISO20000 here and a dash of ISO27001 there. You adopt and adapt some ITIL processes that suit your business. While this is not platinum level compliance you are well on your way to starting your business on a rewarding journey. Before long your teams are starting to speak the same language and starting to align. Doesn’t this sound like something you want?
There are a few key statements in the Gartner quote that are worthwhile exploring so let’s go:
IT Governance specifies the decision-making authority and accountability to encourage desirable behaviours in the use of IT.
You could interpret this to mean that IT Governance ensures IT behaviours are properly led. You’ll find that any IT Governance manager or executive worth their salt would ensure the correct levels of accountability and responsibility are identified and would absolutely require the cooperation and buy-in of the Board. IT Governance has to have a say (and an ear) at the correct level. Anything less will lead to less than optimal results or even failure, so why would you hobble it? IT Governance is an enabler and needs to operate with the requisite authority to ensure accountability and responsibilities are applied.
IT Governance provides a framework in which the decisions made about IT issues are aligned with the overall business strategy and culture of the enterprise.
There’s a lot to be said in this statement and we could discuss it at length. This is about the provision of important frameworks and standards. Whether that’s via policy, process or both, it means decision making can no longer be stuck in the mire, because clear direction is given, underpinned by the aforementioned accountability and responsibilities and supported by the Board. There are various methods used to enable this, such as COBIT 5 or Capability Maturity Model Integration (CMMI), and these all introduce elements of ITIL, ISO20000 and ISO27001 into your processes. Because of IT Governance, it now becomes very clear what path needs to be followed to arrive at a desired outcome.
You can see here that IT Governance covers a huge range of aspects within IT. It is not only concerned with IT Service Management (ITSM), it is concerned with Project Governance and Information Security. IT Governance is almost the complete one-stop shop professional service you didn’t know you needed!
It has to be said that all of this is not just about formal strategic decision making, though. It includes the creation and embedding of processes that need to be followed to bring clarity and efficiency to the IT organisation. This requires in-depth knowledge of ITSM, PMO, Information Security and Risk Management processes, and the ability to shape them according to the nature of the business and the maturity of the organisation while maintaining regulatory and legal compliance as required. If you are introducing IT Governance into your organisation you need to ensure the people doing this have the accreditation and experience required.
There’s a lot of work that goes into embedding processes and if you aim to simply introduce processes straight from the textbooks there’s a very good chance they will fall flat on their face.
It’s also worthwhile reminding ourselves that none of this can be done in isolation. Even though we are talking about IT Governance the business has a very strong say. After all, it’s the business strategy that drives the alignment of IT and not the other way round.
Governance is concerned with setting directions, establishing standards and principles, and prioritizing investments
This is correct. It’s analysing the business, aligning IT to the strategy, adopting and adapting relevant frameworks, setting agreed standards and monitoring for progress. It forms an important part of the wider enterprise governance. SMEs can all benefit from having a form of IT Governance in place to reduce risk and liabilities. If you’re still here and reading this, we’ve now come full circle. We can see now why there needs to be formal IT Governance and why its function cannot be covered effectively by simply hoping overarching Governance will do the job.
If you’d like to contact us about it we offer a free consultation.