Giving IT Governance Its Real Value

Author: Ramón Serres, CRISC, CISM, CGEIT, CSX-P, CDPSE, COBIT Foundation, CCSK, CISSP
Date Published: 31 March 2021

One of the most misused words in IT is “governance.” Unfortunately, the constant misuse of the terms “IT governance” and “governance” often leads to either a lack of context or a blurred meaning that is subject to personal interpretation.

There is a general belief that IT governance is only about policies, procedures and meaningless bureaucracy, putting controls in place just for the sake of it. Therefore, people tend to regard IT governance as in opposition to business orientation when, in actuality, governance is—to a great extent, if not completely—about business orientation, that is, ensuring that the resources used by IT provide a return to the enterprise.

Many of the problems that IT organizations suffer from are a result of poor IT governance practice. Nevertheless, ongoing discussions are being held without tackling the root cause: lack of governance. Some common pitfalls of IT organizations include the following:

  • Recurring delays in the delivery of IT projects and IT projects that do not solve a business issue
  • Compliance failures from all sides including EU General Data Protection Regulation (GDPR), software licensing compliance and industry-specific regulations
  • Business misalignment or frustrations over not understanding what IT is doing for the business, what IT prioritizes other than the business, whether IT is purely operational or strategic, and whether the IT service level is high
  • IT decisions made without the business strategy in mind

Therefore, particular issues related to these common pitfalls tend to be discussed, analyzed and solved on a case-by-case basis, when they actually reflect a governance weakness that, if properly addressed, would solve many of the recurring issues.

The Basics

ISACA® defines enterprise governance as:

A set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise’s resources are used responsibly.1

The four main concepts are direction, objectives, risk and resources.

Often, IT decisions are made without proper direction, in a context where the objectives are not clear enough or have not been aligned with the business, or without proper risk identification and assessment. There are also initiatives that are decided with no visibility or planning at all with regard to the resources that will be necessary.

In ISACA’s definition of enterprise governance, the terms “policies” and “procedures,” which typically come to mind as components of governance, are not even mentioned. Per COBIT® (which calls them enablers in COBIT 5 and components of a governance system in COBIT 2019), policies and procedures are one of the key governance enablers; however, there are six other governance enablers that are just as relevant and important. The seven governance enablers are:2

  1. Principles, policies and frameworks
  2. Processes
  3. Organizational structures
  4. Culture, ethics and behavior
  5. Information
  6. Services, infrastructure and applications
  7. People, skills and competencies

The lack of focus on the people dimension of the governance enablers is, to a great extent, a common characteristic of organizations with poor governance. The words “people,” “skills,” “awareness” and “behaviors” should resonate when talking about governance. This is about building strong and trustworthy relationships between business stakeholders and IT. When the relationship between business stakeholders and IT is weak, awkward or untrustworthy, no matter which policies and processes are in place, governance will be poor.

At the other end of the spectrum, in organizations with strong and solid IT governance, business leaders are able to:

  • Explain what IT is doing in global terms
  • Understand the IT strategy
  • Confirm that the priorities of IT are fully aligned with business aims, meaning that the initiatives, services and projects that IT is working on are valuable to the business.

IT governance should be regarded as a necessary bridge between IT and the business.

Understanding the Business

One of the first steps is to understand the goals of the organization. What are the business objectives? What are the culture and context? How does the organization want to operate with IT? What does it expect from IT? Formal conversations with management leaders are key to providing clear answers to these questions. But again, this input should be the result of a continuous, strong relationship rather than a one-time interview.

For example, IT cannot stick to waterfall project management methodologies when the organization operates business within a dynamic, short-term delivery orientation. IT cannot force Agile methodologies when it operates in a purely conservative, long-term-oriented and stable environment (which is sometimes forced by the regulations to which the industry is subject, such as in banking, healthcare and pharmaceuticals). Therefore, it is imperative to meet with the organization’s leaders to get acquainted with the necessary contextual information that may determine the right way to work.

Efforts in understanding and defining the role that IT can play in pursuing the organization’s objectives are essential. Many other decisions will be determined by the answers to these first questions, which implies that strong governance is an important connector between IT and the business.

Innovation and Governance

Governance has a lot to do with innovation. There are several cases that can be used as examples of what many organizations face.

Case One
An organization has had too many failed initiatives, experiments, and technologies or solutions tested; the efforts either did not work or did not match with the business objectives of the organization. In these cases, a great deal of resources have been invested before management realizes that the work is moving in the wrong direction.

In reflection, was there a clear risk appetite and risk tolerance statement shared across the organization? Was there proper risk monitoring?

A clear risk appetite statement, which defines how willing the organization is to allow investments in projects with high uncertainty with regard to their outputs, is needed to get formal endorsement for risky projects.

Case Two
Some innovation initiatives have been successful, achieving very interesting solutions. The solutions are things that could be translated into real value. However, they have nothing to do with the business.

In reflection, it is possible that the business objectives were not clear enough or widely understood, which caused the innovation solutions to become unrelated to the objectives. In other words, it is imperative to make sure that a project intends to solve a challenge the organization is facing before investing in it. It may be possible to sell the solution to another organization.

Case Three

After reviewing IT strategy execution, it is clear that all efforts have gone into maintaining existing platforms. There were some version upgrades, but overall, the policy that was followed focused on maintaining the status quo.

In reflection, was there clear direction stating that part of the resources should be devoted to innovation? Innovation does not normally happen spontaneously. There needs to be a desire for innovation and resources need to be planned. One recommendation is to define how much investment the organization wants to devote to innovation, for what and how during the budgeting process. Creating a detailed plan makes it more likely that the organization will be successful.

Governance Enablers (or Components)

There are other frameworks for implementing governance mechanisms in addition to COBIT. And human common sense might also drive sound decisions to implement governance mechanisms. But it is important that some formal mechanisms are implemented to make sure that IT works for the organization and to monitor decisions ensuring that they are made with a business-value perspective in mind.

It should always be about closing the gap between business and IT. Decisions within the IT realm should always be explained with an understandable rationale for business stakeholders and with a clear link to the business priorities.

People Dimension

Again, as in many other aspects, the people dimension becomes critical. When there is no empathetic and strong connection between IT leadership and senior management, a connection that grows stronger through constant collaboration, communication and feedback, this becomes another contributing factor to misalignment between business and IT. A strong connection makes the most of any collaboration. It helps senior management understand what IT is presenting and provide valuable feedback to improve strategies or plans, and it gives IT the chance to enrich plans or better adapt them to the business.

Alternatively, when there is a lack of connection or empathetic relationship, senior management may feel too far away from what IT is presenting or explaining, and their feedback may be nonexistent, valueless or uninformed. This dynamic can lead everyone to a vicious circle of increasing misalignment.

Conclusion

An IT governance structure that focuses on policies, processes and procedures, only for the sake of internal control without a straight line to business value, is not only poor governance but a signal of no governance at all.

Governance needs a link to the business, and it is helpful to remember: direction, objectives, risk, resources.

The organization must implement the necessary mechanisms to ensure that what IT is doing and every single dollar it spends or invests makes sense to the business today and tomorrow.

Endnotes 

1 ISACA®, CGEIT® Review Manual, 8th Edition, https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCsEAK
2 ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018, https://www.isaca.org/resources/cobit

Ramón Serres, CRISC, CISM, CGEIT, COBIT 2019 Foundation, CCSK, CISSP

Is a multifaceted professional, industrial engineer, writer and member of the ISACA® Barcelona (Spain) Chapter Leadership Team. He is passionate about cybersecurity, risk management and IT governance, and has been leading the information security function in a pharmaceutical company, Almirall, where he currently works.