IT Governance covers the culture, organisation, policies and practices that provide this kind of oversight and transparency of IT – IT Governance is part of a wider Corporate Governance activity but with its own specific focus. The benefits of good IT risk management, oversight and clear communication not only reduce the cost and damage caused by IT failures but also engender greater trust, teamwork and confidence in the use of IT itself and the people trusted with IT services.
Why is IT Governance important?
Management’s awareness of IT related risks has increased.
There is a focus on IT costs in all organisations.
There is a growing realisation that more management commitment is needed to improve the management and control of IT activities.
IMPACT’s IT Governance Special Interest Group (SIG) has examined these trends and found that the following issues drive the need for IT Governance:
There is a general lack of accountability and not enough shared ownership and clarity of responsibilities for IT services and projects. The communication between customers (IT users) and providers has to improve and be based on joint accountability for IT initiatives.
There is a potentially widening gap between what IT departments think the business requires and what the business thinks the IT department is able to deliver.
Organisations need to obtain a better understanding of the value delivered by IT, both internally and from external suppliers. Measures are required in business (the customer’s) terms to achieve this end.
Top management wants to understand “how is my organisation doing with IT in comparison with other peer groups?”
Management needs to understand whether the infrastructure underpinning today’s and tomorrow’s IT (technology, people, processes) is capable of supporting expected business needs.
Because organisations are relying more and more on IT, management needs to be more aware of critical IT risks and whether they are being managed. Furthermore, if there is a lack of clarity and transparency when taking significant IT decisions, this can lead to reluctance to take risks and a failure to seize technology opportunities.
And finally, there is a realisation that because IT is complex and has its own fast changing and unique conditions, the need to apply sound management disciplines and controls is even greater.
What does IT Governance cover?
IT Governance is a relatively new concept as a defined discipline and is still evolving.
IT Governance is not just an IT issue or only of interest to the IT function. In its broadest sense it is a part of the overall governance of an entity, but with a specific focus on improving the management and control of Information Technology for the benefit of the primary stakeholders. Ultimately it is the responsibility of the Board of Directors to ensure that IT along with other critical activities is adequately governed. Although the principles are not new, actual implementation requires new thinking because of the special nature of IT.
IT Governance spans the culture, organisation, policy and practices that provide for IT management and control across five key areas:
– Provide for strategic direction of IT and the alignment of IT and the business with respect to services and projects.
Value Delivery
– Confirm that the IT/Business organisation is designed to drive maximum business value from IT. Oversee the delivery of value by IT to the business, and assess ROI.
Risk Management
– Ascertain that processes are in place to ensure that risks have been adequately managed. Include assessment of the risk aspects of IT investments.
– Provide high-level direction for sourcing and use of IT resources. Oversee the aggregate funding of IT at enterprise level. Ensure there is an adequate IT capability and infrastructure to support current and expected future business requirements.
– Verify strategic compliance, i.e. achievement of strategic IT objectives. Review the measurement of IT performance and the contribution of IT to the business (i.e. delivery of promised business value).
IT Governance is not a one-time exercise or something achieved by a mandate or setting of rules. It requires a commitment from the top of the organisation to instil a better way of dealing with the management and control of IT.
IT Governance is an ongoing activity that requires a continuous improvement mentality and responsiveness to the fast changing IT environment.
IT Governance can be integrated within a wider Enterprise Governance approach, and support the increasing legal and regulatory requirements of Corporate Governance.
What are the benefits?
Investments are likely to be needed to improve and develop the IT Governance areas that need attention. It is important therefore, to begin with as good a definition as possible of the potential benefits from such an initiative to help build a viable business case. The expected benefits can then become the project success criteria and be subsequently monitored.
The IMPACT IT Governance SIG has identified the following main areas of benefit likely to arise from good IT Governance:
Transparency and Accountability
- Improved transparency of IT costs, IT process, IT portfolio (projects and services). Clarified decision-making accountabilities and definition of user and provider relationships.
Return on Investment/Stakeholder Value
- Improved understanding of overall IT costs and their input to ROI cases.
- Combining focused cost-cutting with an ability to reason for investment.
- Stakeholders allowed to see IT risk/returns.
- Improved contribution to stakeholder returns.
- Enhancement and protection of reputation and image.
Opportunities and Partnerships
- Provide route to realise opportunities that might not receive attention or sponsorship.
- Positioning of IT as a business partner (and clarifying what sort of business partner IT is).
- Facilitate joint ventures with other companies.
- Facilitate more businesslike relationships with key IT partners (vendors and suppliers).
- Achieve a consistent approach to taking risks.
- Enables IT participation in business strategy (which is then reflected in IT strategy) and vice versa.
- Improve responsiveness to market challenges and opportunities.
- Achieve clear identification of whether an IT service or project supports “business as usual” or is intended to provide future added value.
- Increased transparency will raise the bar for performance, and advertise that the bar should be continuously raised.
- A focus on performance improvement will lead to attainment of best practices.
- Avoid unnecessary expenditures – expenditures are demonstrably matched to business goals.
- Increase ability to benchmark.
Enables an integrated approach to meeting external legal and regulatory requirements.
What is IT Governance best practice?
Experiences gained by IMPACT SIG members have identified a number of practical organisational and process issues that need to be addressed when implementing IT Governance. This has enabled the Group to recommend the following best practices (critical success factors) when planning IT Governance initiatives:
An enterprise wide approach should be adopted
The business and IT must work together to define and control requirements.
IT will need to develop a control model applicable to all business units/divisions.
A committee approach is recommended for setting, agreeing, and monitoring
A shared, cohesive view of IT Governance is needed across the enterprise based on a common language.
There should be a clear understanding (and approval) by stakeholders of what is within the scope of IT Governance.
Top level commitment backed up by clear accountability is a necessity
IT Governance needs a mandate and direction from Board/Executive level management if it is to succeed in practice.
Make sure management responsibilities and accountabilities in the business as well as IT have been defined.
An agreed IT Governance and control framework is required
Although it may generate challenges and pushback, and will require a consensus, an agreed framework for defining IT processes and the controls required to manage them must be defined for IT Governance to function effectively.
The processes for IT Governance need to be integrated with other enterprise wide governance practices so that IT Governance does not become just an IT owned process.
The framework needs to be supported by an effective communication and awareness campaign so that objectives are understood and the practices are complied with.
Incentives should be considered to motivate adherence to the framework.
Pay attention to devolved decentralised IT organisations to ensure a good balance between centrally driven policy and locally implemented practices.
Avoid too much bureaucracy.
Trust needs to be gained for the IT function (in house and/or external)
For IT Governance to work the suppliers of IT services and know-how need to be seen as professional, expert and aligned to customer requirements. Trust has to be developed by whatever means including awareness programmes, joint workshops, and the IT Director acting as a bridge between the business and IT.
Measurement systems will ensure objectives are owned and monitored
Creation of an IT scorecard will underpin and reinforce achievement of IT Governance objectives.
Creation of an initial set of measures can be a very good way to raise awareness and initiate an IT Governance programme.
The measures used must be in business terms and be approved by stakeholders.
Focus on costs
It is likely that there will be opportunities to make financial savings as a consequence of implementing improved IT Governance. These will help to gain support for improvement initiatives.