IT Governance Frameworks

RFG believes IT management must now embrace the concept of governance, if it has not already. On the heels of glaring corporate governance scrutiny, IT governance, while always important, is taking on a higher level of significance. IT executives should reflect on their enterprise culture and processes while working with those responsible for corporate-wide governance. IT and other business executives should also focus on the fiduciary responsibilities of IT and the enterprise, while using current models as guides for the design of proper IT governance frameworks.

Business Imperatives:

  • Business and IT governance, once considered separate, are now intimately intertwined. The increased scrutiny on corporate governance directly and indirectly affects IT and the direction IT governance will take. IT executives therefore need to understand governance and the specific issues affecting their respective enterprises, as well as what IT is realistically capable of delivering. IT executives should work closely with business peers and corporate governance bodies, as well as with other key managers and key service providers, to best establish direction for the IT governance framework.
  • Successful IT governance models strongly embed an enterprise's culture, processes, and values. While there are guidelines, there are no "one-size-fits-all" frameworks. IT executives should evaluate many areas, including business alignment, fiscal controls, development methods and standards, management accountability, organization structure, outsourcing options, procurement standards, and quality initiatives, as elements of an approach to IT governance.
  • Proper governance requires accountability as well as measurement. In addition, processes and procedures must be both detailed and documented, to show that IT has a consistent approach to solving the issues across the company. However, these processes and procedures should be agile and flexible, to adapt to changes such as new legislation or technologies. Finally, governance is essential to ensure that an enterprise derives maximum value from its IT investments. IT executives should weave personal as well as departmental accountability into any IT governance framework.

Corporate governance is a top-of-mind issue for companies and their shareholders around the world. In the U.S., corporate governance directives are reflected in recent legislation. While legislation does not address technology issues per se, any corporate directive will have a strong effect on IT. Furthermore, in an era where technology is critical to business, corporate governance is incomplete without adequate IT governance.

Recent calls for more stringent corporate governance reflect, for the most part, reaction to ethical improprieties; the drive for IT governance, however, typically has different motivations. For IT, the issue begins with business alignment, yet also extends into proper business conduct.

IT governance is a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes. (Source: IT Governance Institute)

Business and IT Governance Correlation

The key, then, is not to think of IT governance as an afterthought to corporate governance or somehow less critical. Instead, IT executives as well as CxOs and line-of-business (LOB) executives should work together on all fronts to ensure IT is part of the corporate governance plan. This can be accomplished by the CIO or other IT executive participating in corporate governance committees, and business units getting involved in IT governance activities.

IT departments and individuals interact in governance relationships with one another, within IT, and external to IT. Individuals interact with contractors, partners and customers. Non-IT individuals and departments do the same. The enterprise is not an island: governance needs to extend to the supply chain as well as to customers.

Successful IT governance requires more than IT people striving to educate the rest of the corporation regarding technologies. In addition, those outside of IT need to take the responsibility to communicate more often and more clearly with IT. Alignment is a two-way street. Perceptive CEOs and boards of directors understand that technology is critical to business success, and is therefore also essential for proper corporate governance. Therefore, corporate governance committees should address technology governance issues as well, to provide complete governance oversight mechanisms.

In addition, risk management is both a driver and an element of governance. Proper governance reduces risk exposure that potentially could cost the enterprise, provides an information base for informed decisions, and furnishes a comprehensive yet flexible framework for planning.

Alignment of IT with business is an integral part of successful IT and business governance. "IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied within the entity will have an immense impact on whether the entity will attain its vision, mission or strategic goals." (Source: Robert S. Roussey, CPA, Professor of Accounting Leventhal School of Accounting, University of Southern California, and past-chairman of the International Auditing Practices Committee.)

Successful IT Governance Models

As previously stated, successful IT governance requires extensive involvement of non-IT management. This involvement encourages scrutiny of major IT decisions from a business perspective. Also, such responsibility educates those managers outside of IT regarding the opportunities and challenges associated with business and IT initiatives.

Another key requirement is the capability to make decisions rapidly, and based on sufficient information. The approach to making decisions should be well understood in the enterprise, and executives should allocate the authority and make available sufficient business information for key decisions. However, governance requires checking the validity of information and discussion of alternatives. The challenge for many organizations seeking improved governance will be to avoid slowing down the business with an overly cautious decision-making approach. IT executives should seek a balance between speed and accuracy in the decision-making process.

Several approaches are available for IT executives to use when setting priorities and matching them to business objectives. For example, Balanced Scorecard is a methodology for performance measurement that can help IT executives align to enterprise objectives.

In addition, a review of successful IT governance models yields a core list of best practices. These include, but are not necessarily limited to, the following.

  • Architecture complete yet flexible
  • Centralized IT staff versus IT staff dispersed across multiple LOBs
  • Centrally managed infrastructure
  • Clear organizational reporting relationships
  • Estimate project costs based on a five-year life cycle cost, rather than only development costs
  • Exceptional people retained and trained
  • Operating structure geared toward delivery of needed business applications
  • Projects managed as a portfolio
  • Standards enforced consistently
  • Validation of attainment of benefits after projects deployed

There are several publicly available frameworks. One is Control Objectives for Information and related Technology (CobiT). This is a set of documented best practices for IT governance that assists auditors, management, and users to bridge the gaps among business risks, control needs, and technical issues. Developed by the IT Governance Institute, a part of the Information Systems Audit and Control Association (ISACA), these guidelines have a business orientation. Thus, business process owners and managers, as well as auditors and users, can employ the guidelines successfully. CobiT's extensive guidelines also have value for security aspects of governance. However, the framework may need adaptation and adjustment to address all components of broader IT governance. CobiT is available as a free download or for purchase in printed form.

RFG's view is that IT governance involves five categories of activity from which IT operates.

S - Strategy. IT alignment with the business involves many activities including measurement and metrics for IT projects and planning.

P - Policies, processes and procedures. IT governance relies on clearly articulated business policies that can be translated to solid procedures, which in turn apply the appropriate checks and balances. IT processes should map to business processes.

O - Operations and Organization. The operations aspect involves establishing and maintaining the infrastructure for efficient and effective delivery of IT applications and services. The organization component involves the roles and responsibilities of staff within IT as well as how they map to the rest of the enterprise.

R - Regulations. Many vertical industry segments are highly regulated. Even those that are not must account for data protection and records retention laws of the jurisdictions in which they operate.

T - Technology. Technology involves evaluation, selection, purchase, and management of the business applications, tools and their providers.

Detailed, documented processes and procedures are necessary to show that IT has a consistent approach to solving the issues across the company. For example, IT cannot save e-mail for one division for three years but discard another division's after six months. Similarly, if non-electronic correspondence is kept for six years, electronic correspondence must map to the same standard.

Data follows the same path. Ignorance of the laws is not an accepted excuse in a court of law. As an adjunct to this, testing will likely become more rigorous to ensure that bugs that potentially corrupt the accuracy or integrity of data are not introduced into code, by accident or intent. This will become more complex as Web services and outsourcing proliferate. IT executives should request that vendors certify that the software code being delivered has passed internal quality tests and is stable. Vendors should also be required to certify that their software contains no known errors that could render applications inaccessible or otherwise non-functional. IT executives should also insist that vendors agree to be accountable if software code errors are directly responsible for downtime or failures that interrupt business. (See the RFG Research Note "Take Your ERP and Love It (Part Two).") IT executives should review testing plans and procedures and be sure any IT governance model used involves rigorous testing activities.

Proper IT governance also depends on how the business views IT today. As shown in Figure 4 below, there are significant differences between the respective approaches of commodity service providers and strategic partners. However, this is not an "either/or" comparison. All IT departments fall somewhere on a continuum between these two perspectives. IT governance issues such as organization structure, reporting mechanisms, and value equations map to this continuum. IT executives should determine their departments' relationship with the enterprise as a whole. IT executives should then adjust governance activities to not only reflect today but to also push IT in the desired direction.

Experience shows that in some businesses, LOB executives have gone around IT governance processes to drive their own projects. Such LOB executives also often pressure IT executives to add unapproved, non-funded projects to the IT queue, or push for added features or accelerated delivery of approved projects. IT executives should use the governance process to keep LOB executives in line without provoking antagonism for failing to support unauthorized changes or projects. One way to do this is with IT auditors.

Examples of IT Governance Models

One large technology company, considered quite advanced in its treatment of IT and alignment with its business, is an example of a working model for IT governance. Key attributes of this company's model include the following.

  • Accounting treatment: minimal IT allocations and global consistency of accounting treatment
  • Application development life cycle methodology with ongoing project management
  • Fiscal controls: growth in IT spending in line with corporate growth
  • Focus on continual improvement
  • Initial and ongoing measurement: measure all IT activities for value and continued improvement
  • LOB decision makers fund IT projects: LOB managers make trade-off decisions, not IT
  • Management accountability: quarterly operations reviews of the past quarter with objectives for the next quarter, priority status reporting for key projects, mandatory participation, vendor management, important metrics
  • No "mega" projects: phased approach with customer feedback cycles
  • Performance metrics and productivity analysis to determine attainment of benefits
  • Infrastructure is solid and well-managed to speed application implementation
  • Technology standards focus on reducing time to market, reducing costs, and easing data integration
  • Track client satisfaction quarterly

Another interesting example is from The University of California at San Francisco, which has its "UCSF IT Governance Structure" posted online. The UCSF structure shows the various committees with descriptions of their roles, links to related documents, and member information.

Such publicly available frameworks can be a starting point for a specific enterprise IT governance model. Any framework for IT governance should be adjusted periodically to account for changes in the business and technologies.

RFG believes IT governance is a complex but essential undertaking that requires complete immersion into and integration with the business. Corporate governance frameworks and their activities must include and not be separate from IT. While IT executives can promote this cooperative concept, boards of directors and corporate management at the highest levels should view IT governance as an essential component of corporate governance. IT executives should use publicly available models as guidelines for design of IT governance frameworks, practices, and procedures, and modify these based on specific enterprise requirements. IT executives should also become and remain aware of the fiduciary responsibilities of IT and the enterprise, and use these to guide governance activities.

RFG analyst Ron Exler wrote this Research Note. Interested readers should contact RFG Client Services to arrange further discussion or an interview with Mr. Exler.

Copyright © 2003 IDG Communications, Inc.