IT Governance is something that we all instinctively know is a worthwhile endeavour - but few organisations have formal programmes in place. In good times, efforts like IT Governance always sound good but somehow we never get around to starting - just as it's easy to ignore the advice to eat five portions of fruit and veg every day when you're outwardly healthy. Maybe today's tough business environment will change the picture?
Governance: too easy to say, too hard to do?
The "G" word has become a fashionable badge for technologies and technology practices over the past couple of years. I often joke that "Governance" is often used a little like "Architecture" - just as "Architecture" is often used as a more sexy way of saying "design" (that's so last century, isn't it?) "Governance" is often used as a more sexy way of saying "management". Now we're bombarded with terms like Data Governance; Project Governance; Information Security Governance; Application Governance; SOA Governance; and more. In this environment it's easy to get jaded and "switch off" - but the concept of IT Governance predates the current fashion for using the G-word, and what's more there's an established body of industry work (including ISO standards) that aims to provide prescriptive guidance for practitioners.
Of course, it's probably no surprise that the wealth of available guidance creates another problem: which approach should you follow? COBIT, ISO 38500, COSO and Val IT are just four of the main IT Governance "frameworks" in circulation today - and each has a slightly different take on the role and scope of the concept.
Our perspective on IT Governance is as follows:
IT Governance is a decision-making framework that aims to ensure that maximum business value is delivered from IT investments in the context of business strategies, priorities and constraints over time, and across projects. It has three key aims: to provide visibility of performance and problems; to provide traceability of decisions and work; and to provide control through the enforcement of appropriate policies.
Effective IT Governance needs to draw on four types of resources - people, policies, processes and technology. It fosters effective communication and collaboration between all stakeholders, regardless of their jurisdiction or focus.
This is probably closest to that espoused by the Val IT framework (which is promoted by ITGI and ISACA, the people responsible for COBIT). Val IT is focused on helping implementers ask and answer for "Are" questions: (1) Are we doing the right things? (2) Are we doing things right? (3) Are we getting them done well? And (4) are we getting the benefits?
Industry research strongly suggests that although there's a fair degree of awareness of the need for more structured approaches to managing IT investment and value delivery, the number of organisations actually implementing a formal IT Governance programme is relatively modest. In a 2007 study carried out by PricewaterhouseCoopers and ITGI, published in 2008, although only 2 per cent of the 600+ respondents reported that they didn't see IT Governance as an area needing attention:
• 15 per cent reported that although they saw IT Governance as an important issue, they were only just starting out with an assessment of what was needed.
• 30 per cent understood the importance of IT Governance, but had only put ad hoc measures in place.
• 29 per cent had put some well-defined IT Governance processes in place.
• 16 per cent had a set of formal IT Governance processes and an associated performance measurement system in place.
• 7 per cent were continuously optimising their IT Governance processes.
Our own small-scale poll of the CIO UK community suggests a similar pattern: around a third of respondents had already established an IT Governance programme; another third stated that they're work on establishing a programme; and the remaining third said they had no programme in place.
What's the value of IT Governance?
There's been plenty written about the impact of government regulations on corporations - and at the same time, voluntary initiatives such as Corporate Social Responsibility (CSR) programmes are leading organisations to do a better job of demonstrating how they impact their environments. These trends are combining to ensure that transparency and traceability of business decisions is becoming an ever-higher priority - particularly for all public and/or international organisations. IT's ability to act as an auditor of business decisions, positions and performance is driving IT governance to play a wider role in regulatory compliance as well as broader business governance functions. Moreover, IT's role in helping businesses to weather the current global economic downturn means greater exposure for IT organisations, requiring greater commitment to deliver to business outcomes more effectively and efficiently.
A separate PricewaterhouseCoopers/ITGI study - this time of 255 non-IT CEOs and other non-IT executives - showed a positive (although relatively weak) correlation between the maturity of IT Governance practice and the overall outcome achieved from IT investments: the more mature the IT Governance practice in place, the better the outcome achieved. It's clear that although other factors have significant impact on the outcomes achieved from investments in IT, good IT Governance plays a significant enablement role.
So what, specifically, are the main ways in which a formal IT Governance programme can deliver value? A lot depends on your organisation and your current level of IT maturity, but broadly speaking there are four main types of benefit:
• Avoided cost of project failure. Good IT Governance implementations help ensure that when IT-dependent projects are carried out, they're properly measured and managed, and project risks are well-understood and managed.
• Avoided cost of non-value adding initiatives. Good IT Governance implementations help ensure that initiatives that are well-aligned with business strategies and priorities get promoted, whereas those which are poorly-aligned are de-emphasised or killed. Without IT Governance processes in place, it's amazing how often IT investments get made without clear understanding of the strategic value they'll deliver.
• Improved service and project quality and cost measurement. Good IT Governance implementations ensure that to the extent that makes sense, all key activities are monitored and measured: so it's possible to say how much things are costing, how much they're delivering value, and what's going right (and wrong).
• Transparency and accountability. Good IT Governance implementations mean that everyone knows who's responsible for making IT investment and delivery decisions, what they need in order to make those decisions, and whether decisions are being made with the right information to hand.
With all this in mind, why is the structured pursuit of IT Governance not more prevalent? One of the main reasons appears to be tied to the last benefit outlined above: with clear traceability and accountability comes the fear of what will be discovered when the bright light of governance is shone into the dusty corners of IT investment decision-making. Although executives of all stripes are generally ready to "talk the talk" when it comes to transparency and accountability, human nature is such that it actually takes a lot of momentum and senior executive pressure to drive through this kind of cultural change.
No time like the present?
Interestingly, one of the other key findings from the large-scale 2007 PricewaterhouseCoopers/ITGI study was the weakness of the link that currently exists between IT Governance and corporate governance functions. The majority of the non-IT executives surveyed felt that the fit between IT Governance and corporate governance in their organisations was good or very good; but by contrast, the CIOs and IT managers surveyed had much more mixed views - and of those surveyed in audit roles, the view was much less positive. In short, those with more detailed knowledge of IT decision-making had much less positive views than those with only passing familiarity of IT decision-making.
This finding was echoed in our own poll, which indicated that of those respondents actively running IT Governance programmes or setting such programmes up, only around half could say what the relationship was between their IT Governance programme and their organisation's broader corporate governance approach.
In our current economic climate, I'm hoping that the difficult business conditions will spur more organisations to seriously consider formalising their approaches to IT Governance. Many of us find it difficult to eat five portions of fruit and veg a day when we're feeling well; but when we're laid low by a seasonal bug or a health scare, suddenly the importance of good diet and exercise is brought into sharp focus.
About this article:
This Debate article draws in part on the a CIO UK poll carried out in conjunction with UK-based analyst firm MWD Advisors. Each article involves input from UK CIOs and the CIO UK community.
To read the responses to the below piece from your peers in IT Leadership in Now is the time to invest in IT Governance say IT leaders, click here.
Do you agree or disagree with the sentiments of this article?
CIO UK values the input of CIOs and all members of the management and IT community. To add your thoughts to this Debate, either register for CIO UK and add a comment using the Comment tag at the base of the article.
Alternatively you can join the CIO UK LinkedIn community and leave your comments there.