Friday, August 17, 2007

An Introduction to IT Governance

A few years ago formal IT governance was a relatively obscure concept; today several factors have come together to make it a good idea for virtually every company, public or private. Key motivators include the need to comply with a growing list of regulations related to financial and technological accountability, and pressure from shareholders and customers. Here’s a quick primer on the basics of IT governance:

What is IT governance?
Simply put, IT governance is the structure an organization puts around aligning IT strategy with business strategy, keeping the company on track to achieve its strategies and goals, and measuring IT’s performance in a meaningful way. It makes sure that all stakeholders’ interests are taken into account and that processes produce measurable results. An IT governance framework should answer some key questions, such as how the IT department is functioning overall, which key metrics management needs, and what return IT is giving back to the business on the investment being made in it.

Is it something every organization needs?
Every organization—large and small, public and private—needs a way to ensure that the IT function sustains the organization’s strategies and objectives. The level of sophistication you apply to IT governance, however, may vary according to size, industry or applicable regulations. In general, the larger and more regulated the organization, the more detailed the IT governance structure should be.

What are the drivers that motivate organizations to implement IT governance infrastructures?
Organizations today are subject to many regulations governing data retention, confidential information, financial accountability and recovery from disasters. None of these regulations requires an IT governance framework as such, but many organizations have found one to be an excellent way to ensure compliance. By implementing IT governance, you’ll have the internal controls you need to meet the core requirements of many of these regulations, such as the Sarbanes-Oxley Act of 2002.

What’s the business case? That is, how can I convince top management that we need to do this?
Make sure the right people are selling the concept; if IT is selling it, you’re in trouble. It’s much more effective if a cross-functional team consisting of IT and line-of-business managers makes the case to the board of directors that effective IT management is an important part of the company’s success. The team must be able to explain that the company needs a road map—something to tell decision-makers where the company is, where it needs to be and how best to get there. And of course, talk about the benefits—greater efficiency and accountability, along with reduced risk. Be careful, however, when talking about ROI: A lot of the cost of implementing an IT governance framework can be chalked up to what management should be doing anyway. Simply put, companies have to accept the cost, but they don’t like to hear that.

What are the major focus areas that make up IT governance?
According to the IT Governance Institute, there are five areas of focus:

  • Strategic alignment: Linking business and IT so they work well together. Typically, the lightning rod is the planning process, and true alignment can occur only when the corporate side of the business communicates effectively with line-of-business leaders and IT leaders about costs, reporting and impacts.

  • Value delivery: Making sure that the IT department does what’s necessary to deliver the benefits promised at the beginning of a project or investment. The best way to get a handle on this is to develop a process that ensures functions are accelerated when the value proposition is growing and eliminated when the value decreases.

  • Resource management: One way to manage resources more effectively is to organize your staff more efficiently—for example, by skills instead of by line of business. This allows organizations to deploy employees to various lines of business on a demand basis.

  • Risk management: Instituting a formal risk framework that puts some rigor around how IT measures, accepts and manages risk, as well as reporting on the risks IT is managing.

  • Performance measures: Putting structure around measuring business performance. One popular method involves instituting an IT Balanced Scorecard, which examines where IT makes a contribution in terms of achieving business goals, being a responsible user of resources and developing people. It uses both qualitative and quantitative measures to get those answers.

This appears pretty complicated; how do you actually implement everything involved in IT governance?
It doesn’t make sense to reinvent the wheel, so don’t start from scratch. Begin with a framework; there are many to choose from, and using one means the structure has already been organized and bulletproofed by industry experts worldwide. Most frameworks also come with implementation guides. And most companies do use one: according to a survey by PricewaterhouseCoopers in conjunction with the IT Governance Institute, 95 percent of companies use one of the major IT governance frameworks, while only a few create their own.

Here is a quick rundown on the choices:

CoBIT: This framework, from the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute, is probably the most popular. Basically, it’s a set of control objectives and a supporting toolset for IT governance that is accepted worldwide. Auditors and companies use it to map IT processes to controls and to specific business objectives. The latest version, CoBIT 4.1, was released in May 2007. CoBIT is well suited to organizations focused on risk management and mitigation.

ITIL: The Information Technology Infrastructure Library (ITIL), from the United Kingdom’s Office of Government Commerce, runs a close second to CoBIT. ITIL version 2 sets out its management procedures in eight books: service delivery, service support, planning to implement service management, ICT infrastructure management, software asset management, the business perspective, security management and application management. (ITIL version 3, published in 2007, reorganizes the material into five service-lifecycle volumes.) ITIL is a good fit for organizations concerned about operations.

COSO: This model for evaluating internal controls comes from the Committee of Sponsoring Organizations of the Treadway Commission. It covers many functions, including human resource management, inbound and outbound logistics, external resources, information technology, risk, legal affairs, the enterprise as a whole, marketing and sales, operations, all financial functions, procurement and reporting. It is a general business-control framework and less IT-specific than the others; it is also the framework most commonly used for the internal-control assessments Sarbanes-Oxley requires.

CMMI: Capability Maturity Model Integration, developed by a group from government, industry and Carnegie Mellon’s Software Engineering Institute, is a process improvement approach that contains 22 process areas. It can be applied in a staged representation (maturity levels for the organization as a whole) or a continuous representation (capability levels per process area), and it has its own appraisal method, SCAMPI, for rating an organization against the model. CMMI is particularly well suited to organizations that need help with application development, lifecycle issues and improving the delivery of products throughout the lifecycle.

There are a lot of framework choices. How do I choose?
Most companies go with CoBIT or ITIL, but others can also fit the bill. For operations, try ITIL. For application development and lifecycle issues, try CMMI. For risk, use CoBIT. CoBIT also works well as an umbrella framework. But combining frameworks can also make sense, says Ron Saull, an IT Governance Institute trustee. You might want to use CoBIT as an overall framework; then use ITIL for your operations, CMMI for development and ISO 17799 for security. (ISO 17799 has since been renumbered ISO/IEC 27002.) Combining frameworks is, in fact, fairly common; the PricewaterhouseCoopers study found that in 65 percent of cases companies use CoBIT and ITIL together or with lesser-known frameworks. Most important, use a framework that fits your corporate culture and that your stakeholders already know. If the company is already using one of these frameworks and can extend it into its IT governance framework, all the better.

Can we do this alone, or should we get some outside help?
Sometimes it makes sense to get outside help, and implementing an IT governance framework is one of those times: internal expertise on IT governance is hard to come by, and executives simply don’t have the time. The best arrangement is usually a combination of the two. Someone inside the organization needs to own the process, but bringing in help is essential.

What can go wrong if it’s not implemented effectively?
If the IT governance framework isn’t implemented properly, it can directly affect how IT is perceived at a high level. The last thing you want is for IT to be perceived as a cost center that doesn’t produce real value, says Marios Damianides, former international president of ISACA and the IT Governance Institute, and currently a partner at Ernst & Young. Lack of effective implementation can also cause continued problems with project overruns and poor value-for-cost measurements, not to mention stakeholder dissatisfaction.

What are some tips for making sure it goes smoothly and delivers positive results?
You’ve heard it all before, but here we go: Get executive buy-in. Dedicate a cross-functional team to the process, and get outside help if needed. Clearly delineate the roles and responsibilities of each department and stakeholder. Take the corporate culture into account and adjust accordingly. Maintain continual communication throughout the process. Measure and monitor the progress of the implementation. And don’t consider this a “nice-to-have”; it’s a “need-to-have.”

1 comment:

Parag said...

I personally prefer to consider governance in a broader top-down sense as an all-encompassing framework of management and technical controls for an organisation. Thinking specifically in terms of IT, for example, governance includes but extends well beyond management of the IT department. IT is a major function in many organizations with a significant budget. IT is used and has impacts throughout the organization and indeed through business relationships to suppliers, partners and customers.