Friday, March 9, 2012

Drivers behind the need for IT Governance

In the previous post, we laid out a common sense definition of what IT governance is (“the what”).  In this post, we will look at the drivers of IT Governance (“the why”). The drivers outlined below have collectively contributed to the increasing importance of ITG in the C-suite and, in one sense, have also framed the scope of what IT Governance needs to cover.

Keep Business running:   Modern organizations and businesses rely heavily on IT. When IT systems become unavailable because of technical failure or other disruptions (e.g. power failure), the impact is usually significant. Even office workers cannot function if support systems (e.g. email, document processing) fail. Similarly, a simple failure, such as a server’s storage capacity being exceeded, can bring an entire department to a standstill.  This level of reliance on IT systems necessitates that appropriate controls be in place to ensure service continuity.

Realizing business value:   There are numerous statistics on failed projects. Some suggest that as many as three out of four projects do not realize their expected benefits. There are many reasons for these failures, including poor definition and planning at the start, compounded by insufficient control during delivery.  Ensuring benefit realization on IT investments is a key area addressed by IT governance.

Rising costs of IT: Despite lower costs of IT hardware, expenditure on IT as a proportion of total business cost is increasing and is considered by senior business executives to be a “black hole”. With the market forcing the business to run more efficiently, enterprises are increasingly looking at IT costs to better understand them and regulate their allocation. Adopting a portfolio approach to IT spend, assets and investments (addressed in ITG) provides a lever for business executives to control IT spend.

Aligning IT with the business:  Business staff do not always take ownership of IT initiatives, which leads to a situation where IT staff end up directing many such initiatives. Getting the business into the driver’s seat when it comes to picking the right projects to execute, and following through to benefit realization, is critical today, especially when IT spend is significant. Achieving this strategic alignment with enterprise objectives is a key discipline in ITG.

Increased regulatory compliance: Over the past few decades there has been an increase in legislation affecting business and the use of IT. Some examples are the Sarbanes-Oxley Act, regulations around protection of personal data, and sector specific requirements for the healthcare, pharmaceutical and financial industries.  These regulations elevate the relevance of IT operations and controls to the purview of Enterprise Governance, and hence make it a part of the Leadership Agenda.

IT security affecting the business:  This area is often misunderstood by Senior Leadership because of the technical nature of the conversations. Frequently, it is delegated to an expert. In reality, many weaknesses are not technical, but are instead caused by a lack of awareness of the issues among users and management. Specific control practices are required to address the complexities of security and to reduce the damage to the business from the risk exposure created by security breaches.  This area is addressed within the risk management discipline of ITG.

The drivers discussed above provide a flavor of the different dimensions of the role that IT plays in an enterprise. This necessitates that IT be governed as a critical asset by the leadership, thereby providing the raison d’être for IT Governance.

We would really like to hear from you on the relevance of IT Governance to your professional context. Please use the comment feature on this blog to get back to us.

Monday, November 7, 2011

Putting IT Governance in Context

The 2011-2012 chapter-year brings with it a renewed focus on the IT Governance domain for our ISACA Denver Chapter.  We would like to get your feedback on where the IT governance domain intersects with your professional life, and focus our attention on the areas that are germane to you. Our plan is to follow through with a series of newsletter articles around this topic and also to establish an IT Governance Special Interest Group in the coming months. The Denver Chapter board joins me in requesting your enthusiastic feedback and participation in this domain.

A good starting point to kick our efforts off would be to clarify what ISACA means by IT Governance and to set some context around the various IT governance domains.  This seems especially relevant since the phrase “IT Governance” seems to mean different things to different people.

ISACA Definition of IT governance:  IT governance is an integral part of Enterprise governance and it consists of the leadership, organizational structures and the processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives. It is considered the responsibility of the board of directors and executive management.

One could think of IT governance as the act of oversight that steers the investments in IT and the efforts of the IT organization in a manner that maximizes the potential of IT positively impacting the business and minimizes the potential of IT negatively impacting the business.  You might notice that this perspective moves the accountability for IT-enabled business outcomes over to the business, ideally all the way up to the board level. In practice, we find that the visibility of IT in an organization is determined by several factors, including geography, industry, size, public/private ownership, and point in the business lifecycle.

Who is involved in IT Governance?
Even though the ultimate accountability for IT governance lies at the highest levels, in practice this process is carried out with the help of different stakeholder groups within the organization. These stakeholders fall into three broad categories, each with their own focus. They are:
  • Investors in IT: This is the business management itself that funds IT. This group wants adequate ROI and alignment with strategic objectives/priorities.
  • Controllers:  This group includes internal / external audit, risk and compliance officers, finance, etc.  Their interest is in monitoring risk and compliance, regulatory & legal requirements, evidence of governance, and compliance with strategy.
  • Providers of IT: This group consists of the people within the IT organization and related suppliers. Their interest is to ensure alignment to the set priorities and provide IT services to their customers while preserving and enhancing reputation.
Organizations that are mature in the practice of IT governance usually establish various committees to administer / steer IT, including an IT Strategy Committee, an IT Steering Committee, Architecture Boards, etc. These structures enable the interactions between the three stakeholder groups, establish mutual decision rights for key processes, and realize the goal of IT governance.

Governance domains and their context
Moving beyond definition, ISACA maps five focus areas that constitute the process of IT Governance: strategic alignment, value delivery, resource management, risk management and performance measurement. The picture below lists these domains and maps some popular IT management concepts to each of them.

These areas would also broadly constitute the responsibilities of a CIO within an organization. Senior IT Leadership, working in concert with the business leadership, governs IT within their organization across these areas.

Conclusion and feedback
IT Governance is increasingly gaining relevance and maturing as a discipline. As this field starts to intersect with your professional scope, it will be important to stay on top of how this field matures in the near-future.

A good introduction to IT governance can also be found on the ITGI website under “About IT Governance”. A more detailed publication, “Board Briefing on IT Governance, 2nd Edition”, is available to our members as a free download on the ISACA website.

Our goal for this introduction was to get us all on the same page on the phrase “IT Governance”, given the non-intuitive nature of what it describes.  So, do you think we achieved that goal?  Also, which of the above domains would you like to hear more on? Do you want a specific slant on this topic in the coming newsletters? We would really like to hear back from you. Please use the comment feature on this blog to get back to us.