IT Governance Demystified

In my experience, “IT Governance” is the most popular IT buzzword among corporate IT executives and company boards nowadays. But like many buzzwords, this one is far easier to recite than it is to understand, let alone apply. And it certainly doesn’t help that (as is often the case with buzzwords) there exists a curious dichotomy between what this term actually means and how it is being used by IT vendors trying to latch on to it to increase the appeal of their wares.

Given that the “signal-to-noise” ratio on this topic is so low, I thought I’d take a few minutes to explain what IT Governance is, how the term is used and abused by IT organizations and vendors today, and what the key issues are in implementing a useful IT Governance framework.

What is IT Governance?

A straightforward definition of IT Governance comes from the Board Briefing on IT Governance publication (pdf) produced by the IT Governance Institute:

IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

At the next level, this breaks down into the following five IT Governance areas:

  1. Business-IT Strategic alignment, with focus on aligning with the business and collaborative solutions.
  2. Value delivery, concentrating on optimizing expenses and proving the value of IT.
  3. Risk management, addressing the safeguarding of IT assets, disaster recovery and continuity of operations, and risks associated with regulatory compliance.
  4. Resource management, optimizing knowledge and IT infrastructure.
  5. Performance measurement, tracking project delivery and monitoring IT services, which provides feedback to the governing body and enables decision making, objective setting, and policy adjustment.

What complicates the picture is that there is no single IT Governance “standard.” Rather, the topic of IT Governance falls at the intersection of three popular frameworks, which are contemporary buzzwords extraordinaire in their own right: ITIL (from the IT delivery and support point of view), CobiT (from the financial auditing and control point of view), and SOX (from the US regulatory compliance point of view).

For a high-level – yet rather thorough – treatment of the IT Governance topic, you may want to check out the book by Peter Weill and Jeanne Ross, from the Harvard Business School Press.

IT Governance – State of the art

HBS and other theory aside, the predominant reality today, as I have observed it over the last few years, is that IT Governance is not an actively designed CxO-driven initiative but a collection of loosely connected “governance silos.” The most common kinds of such uncoordinated silos that I most often encounter are “project governance,” “outsourcing governance,” “architecture governance,” “data security and access governance,” and “governance around change.” In most cases, these governance silos get created as a reactive mechanism to address a particular need (for example, architecture problems or overspending or duplication).

Patching up problems as they arise is a defensive tactic that limits opportunities for strategic impact from IT. Instead, management should actively design IT governance around the enterprise’s objectives and performance goals, across the five dimensions of IT Governance outlined above.

IT Governance – What the vendors are saying

Given the complexity of the IT Governance juggernaut, and the fact that much of its success is dependent on the company’s organizational discipline and maturity, it’s obvious that no single vendor can “enable IT governance.” Yet you’d never guess this from reading their glossies. Project management solution vendors like Kintana (now Mercury IT Governance Center), Changepoint (now part of Compuware), Niku (recently acquired by CA), PlanView, and PacificEdge have all been repositioning their products as more trendy “IT Governance” solutions. Many IT asset management vendors have done the same. And most recently, the venerable Systems Management suite vendors like HP OpenView have also jumped on the IT Governance bandwagon.

There is no doubt that all these vendors provide useful solution pieces that contribute to solving the overall IT Governance jigsaw puzzle. But it’s hard to make sense of the pieces unless you can see the front of the puzzle box – what the completed jigsaw will look like once the pieces are in place. So what does a successful IT Governance framework look like?

Key issues in implementing a successful IT Governance framework

Every successful IT Governance framework that I’ve seen includes an organizational component and a technology component. The organizational aspects are neatly summarized by Weill and Ross as “Ten Principles of IT Governance”: involve senior managers, ensure clear exception-handling, provide the right incentives, assign ownership and accountability, provide transparency and education, etc.

At the technology level, the key question is: What are the concepts that need to be defined to enable effective IT Governance, and how should the processes and tools that make these concepts actionable be implemented?

The answer is guided by the old maxim – Define. Manage. Measure. Improve. – because…

  • What is not defined cannot be managed.
  • What is not managed cannot be measured.
  • What is not measured cannot be improved.

Over the last two years, most IT organizations have gone through the painstaking exercise of defining the services they are delivering (through the IT Service Catalog) and the projects they are working on (through IT Project Portfolios), implementing systems to manage the delivery of these services (through Service Delivery Management) and projects (through Project Management), developing metrics and key performance indicators (KPIs) to measure the quality and cost of delivering these services and projects, and using this information to improve their delivery processes.

Those who implemented this framework successfully (along with the organizational and policy best practices) have seen dramatic improvements along all the key dimensions of IT Governance: business-IT strategic alignment (by focusing on the services and projects with the highest business impact), value delivery (by realizing operational efficiencies through process and infrastructure automation), risk management (by formalizing business continuity provisions as well-defined IT services and by addressing regulatory compliance requirements through increased process definition and transparency), and resource management (by tying their service delivery systems directly into human, infrastructure, and knowledge resource repositories).

Following these key principles, supported by the appropriate tools, companies can ensure that “IT Governance” becomes not just a buzzword but an actionable methodology to most effectively harness the awesome power of information technology in the interests of the business enterprise.