The Value of IT Governance

Author: Blake Curtis, SC.D, CISA, CRISC, CISM, CGEIT, CDPSE, COBIT 2019 Foundation, Design and Implementation, CISSP, NIST CSF
Date Published: 29 June 2020

Ineffective governance has a substantial impact on business alignment and risk management. Misalignment can result in improper identification of sensitive data, critical services and substandard security controls. Additionally, impaired alignment between the enterprise and IT weakens communication and priorities, resulting in poor allocation of resources and a lack of transparency in actual risk reduction.

Common enterprise governance issues include obscure or ill-defined risk thresholds, a false sense of confidence and inadequate performance measurement. Subsequently, weak governance processes result in deficient management of IT-enabled investments throughout their economic life cycle. Strong governance of IT can extend business value by optimizing risk and managing resources to support the organization’s mission, goals and objectives.

Many organizations misunderstand IT governance's purpose and value because few qualified professionals are adept in IT governance. However, governance and assurance professionals can change this perception via strategic alignment and the effective use of governance enablers such as principles, processes and policies. Additionally, via the employment of information and technology, enterprises can tailor the governance of enterprise IT (GEIT) framework to optimize their people, skills and competencies and improve their culture, behavior and ethics. By aligning assurance functions such as risk management, IT audit and cyber, organizations can create strong governance. Assurance helps enterprises create plans aimed toward optimizing business goals, establishing alignment and reducing risk to enterprise objectives.


What Is Governance?

Most enterprises exist to provide services to create value for their customers, stakeholders and shareholders. Enterprise processes emanate from the enterprise's mission, objectives and strategy. Through organizational structures and leadership, organizations can establish objectives that support their mission and satisfy their stakeholders and customers. The board of directors (BoD) establishes the strategy, and the enterprise derives its principles from this plan.

Organizational leaders can support the enterprise’s objectives and prioritize decision-making by evaluating the risk and benefits associated with various investments. Senior managers identify the capabilities that contribute value to the organization’s strategy.

Assurance Accountability and Business Performance
Governance ensures that the enterprise conforms to applicable laws and regulations and establishes mature organizational structures to help enforce due care and due diligence. Due care describes how a reasonable individual with similar aptitudes would act under comparable conditions.1 Due diligence is the process that follows due care and protects the organization against negligence.2 Furthermore, due diligence is a legal mandate that requires enterprises to take appropriate measures to reduce risk and conform to applicable laws.3

One aspect of governance deals with assurance accountability and ensures that the board and senior managers execute the appropriate procedures. Another aspect of governance deals with performance. Performance assures that the enterprise can create value, measure success, meet enterprise objectives and ensure stakeholder satisfaction. This component of governance focuses on the organization's ability to optimize resources and manage risk to its objectives.

What Is GEIT?

GEIT leverages critical assets such as human, financial, physical, intellectual property, information and relationship to create the IT governance framework. The GEIT framework relies heavily on the enterprise's organizational structure and culture. Enterprises acquire a framework and tailor it based on their needs.4

The goal of GEIT is to leverage technology to support and optimize enterprise needs. Enterprises should pursue a GEIT framework if they need to optimize resources, establish effective communication and manage risk to enterprise objectives.5 GEIT helps senior managers address common pain points such as applicable laws, regulations and compliance. Additionally, GEIT helps enterprises satisfy internal and external stakeholder needs. IT governance empowers organizations and helps establish and monitor accountability for IT activities to ensure that IT-enabled investments support enterprise objectives. Furthermore, GEIT can uncover underlying issues that have existed for years. These issues can result in unidentified risk such as revenue loss and services that seldom create value for the business.

The Value of GEIT

Many enterprises misunderstand IT governance's purpose and value because few qualified professionals are adept at IT governance. For example, there are only approximately 8,000 professionals who hold the Certified in the Governance of Enterprise IT® (CGEIT®) credential worldwide.6 A lack of experienced IT governance professionals at the executive level could impede an organization's ability to align IT goals with business goals and manage risk to enterprise objectives.

Governance and assurance professionals must have an adequate understanding of how IT supports enterprise goals and optimizes IT-enabled investments. Adequate comprehension allows assurance professionals to determine if technology creates value and reduces risk to enterprise goals and objectives.7 From a due care perspective, the BoD and senior managers are responsible for the effective governance of IT.8 Furthermore, business managers and IT should collaborate to meet organizational objectives.

GEIT extends the mission and strategy throughout the organization and directs IT processes to ensure that technology aligns with objectives. Subsequently, GEIT enables enterprises to take advantage of opportunities and maximize their return on IT investments. Many enterprises consist of a mix of technical and nontechnical professionals who struggle to communicate and establish priorities.9 Modern research highlights a positive relationship between the enterprise and IT when measuring GEIT's impact on appropriate training, stakeholder involvement and IT performance.10

Today, most enterprises rely on IT-enabled investments to provide value for their customers and stakeholders. Therefore, it is important that organizations realize that ineffective communication and misalignment can result in inefficient use of resources. Additionally, inadequate communication and alignment can create material risk to the enterprise’s mission and objectives. Effective governance can help organizations prevent fraud and data breaches.11 Conversely, poor governance, inefficient communication and conflicts of interest are barriers to strategic alignment and risk reduction.12

GEIT helps enterprises translate their mission and goals into IT objectives and create stronger alignment between the enterprise and IT.13 Governance and assurance professionals can change the perception of GEIT by demonstrating its ability to identify problems and underlying issues. Effective IT governance encourages enterprises to utilize existing processes and enablers to reduce risk, optimize resources and create value.14

Identification of Pain Points and Underlying Issues
GEIT leverages business cases and associates them with problems and underlying issues in order to identify areas of inherent risk and address the areas with the highest visibility.15 Through risk reduction and value creation, GEIT enables the enterprise to build stronger relationships and bolster confidence among the organization's leaders. Furthermore, this can enable assurance professionals to obtain the support of key stakeholders such as senior managers and process owners.

When stakeholders commit to processes that improve governance, GEIT can execute change throughout the enterprise and identify other drivers and issues. Through trust and alliance among key individuals, governance professionals can establish a practical and efficient GEIT framework.


Identification of Enablers
Enterprises must identify their enablers. Enablers are resources that can help the organization achieve its objectives.16 GEIT enablers support enterprise objectives and ensure stakeholder satisfaction by measuring performance.

There are several enablers that support the GEIT framework and enterprise strategy.17 These enablers include principles, policies, frameworks and organizational structures. Additionally, culture, behavior, ethics, information, services and infrastructure are vital components for GEIT. People, skills and competencies are also essential elements that help support IT governance. Enterprises should map IT-related goals to governance enablers to establish alignment, allocate appropriate resources and manage enterprise risk.18 Effective IT governance empowers enterprises and provides them with tools to identify the current state and future state.

Mitigation of Risk
GEIT enablers help enterprises identify, assess, respond to and monitor risk at various levels throughout the organization. Enterprises can utilize enablers to sustain the existing risk management function and mitigate various types of risk.19 For example, the enterprise can leverage enablers to assess risk at the strategic, portfolio, program, project and operational levels.20 Additionally, these tiers help enterprises form a risk hierarchy.

At the strategic level, the enterprise must identify risk that could impact its mission, strategy and objectives. Risk scenarios at this level deal with enterprise plans, operational continuity and any initiatives that would help carry out the strategy.21 Subsequently, the portfolio and program tiers deal with risk that involves procurement, acquisition, funding, assurance and goals that support the strategy.22 At this tier, project sponsors and managers create business cases for IT-enabled services and concurrently identify potential benefits, associated risk and necessary resources. Additionally, these tiers categorize all the assets that contribute value to the enterprise and enable managers to make educated decisions.23

The project tier involves project sponsors, scheduling and resources needed to execute projects that generate value for the enterprise.24 The operational tier identifies risk that may impact the enterprise's services via mechanisms such as service level agreement (SLA) deviations.

GEIT helps enterprises identify potential business disruptions and ensure that process owners manage service-related risk.25 IT governance employs proactive risk management to address risk at each tier in the enterprise.

Strong Governance of IT Extends Business Value

Digital transformation and information technology are quintessential elements for generating value for the enterprise’s stakeholders. Conversely, this also illuminates an intriguing phenomenon that many organizations must realize: Enterprises have evolved to become dependent on information technology and digital transformation for survival.26 Governance is a constitutive element of value creation and risk management, and it is vital for strategic alignment. COBIT 2019 proposes numerous methods to ensure strong alignment, such as enterprise goals, balanced scorecard (BSC) dimensions and IT alignment goals.

Balanced Scorecard and IT Balanced Scorecard
GEIT utilizes a BSC to translate its goals and objectives to an IT balanced scorecard (IT BSC).27 This strategy facilitates strategic alignment, measures performance and assesses the IT organization's ability to meet enterprise objectives.28

The enterprise’s stakeholder and customer needs influence all goals and objectives. Furthermore, these goals cascade throughout the enterprise via the strategic, program, project and operational levels.29 Stakeholder expectations influence the enterprise's objectives and drive investments in IT.30 Mapping the IT BSC to the enterprise BSC facilitates clear communication and aligns IT goals to enterprise goals. The BSC and IT BSC help enterprises better understand their IT interdependencies. GEIT fosters strategic alignment to ensure that IT understands enterprise priorities while the enterprise understands how IT supports its overall mission.

Alignment of IT Strategy to Business Strategy
The IT strategy extends the enterprise strategy by aligning its goals to organizational goals. Tools and techniques such as the strengths, weaknesses, opportunities and threats (SWOT) analysis enable the enterprise to construct the IT strategy and identify the resources needed to achieve enterprise objectives.

Enterprises should form an IT strategy committee and involve senior management in significant IT decisions.31 Additionally, IT strategy committees help ensure that IT-enabled investments create value and process owners manage associated risk.32 Lack of senior management representation can result in IT projects that fail to support enterprise goals and create risk that results in media attention.

Enterprise Architecture
Enterprise architecture (EA) helps enterprises plan for future IT investments by assessing the impact of new IT initiatives.33 Furthermore, EA enables the organization to know if it is possible to integrate new initiatives within the current architecture.34 GEIT incorporates EA to help facilitate decision-making for senior managers by empowering executives to understand how EA aligns with the strategy.35

Portfolio Management
GEIT leverages portfolio management to prioritize IT initiatives based on their ability to create value.36 The portfolio contains business cases for every project and outlines the expected benefits.37 GEIT utilizes business cases to propose investments in IT initiatives and defines the solution's ability to reduce risk, optimize resources and create value for the enterprise.38

Portfolio management optimizes IT-enabled investments and enables management to evaluate business cases based on their ability to support enterprise objectives and sustain value. Additionally, process owners draft significant changes that occur within the EA as business cases. These business cases eventually morph into projects that reside in the portfolio.39 This strategy allows senior managers to make informed decisions, identify potential risk and ensure that changes align with organizational goals.

Aligning Assurance Functions to Optimize Business Goals and Reduce Risk

Governance, risk and compliance (GRC) addresses risk associated with processes in IT, legal and finance. GRC helps enterprises comply with applicable statutory and regulatory mandates.40 Organizations can align assurance functions such as risk, cybersecurity and audit to unify procedures, prevent redundancy and optimize enterprise goals via risk reduction.41

Efficient risk management involves combining the talents and expertise of assurance professionals from distinct disciplines to address various types of risk. For example, cybersecurity analysts and system engineers can help IT auditors interpret technical control objectives for various types of applications, services and infrastructure. Risk analysts identify and assess risk and work with cybersecurity professionals to ensure that appropriate controls exist and reduce risk to acceptable levels. Additionally, this strategy ensures that enterprises can monitor risk via key risk indicators (KRIs) and evaluate controls' effectiveness. Of special importance is the fact that assurance functions allow the enterprise to secure its objectives, execute its mission and justify its investments in IT solutions.

Blake Curtis, CISA, CRISC, CISM, CGEIT, CISSP

Began his IT career in 2009 and has more than 10 years of experience in engineering, networking, virtualization, IT service management, cybersecurity and risk management. Curtis currently serves as an information security and compliance adviser for Cigna’s global security assurance team. He advocates for continuous education and has more than 15 industry certifications across diverse disciplines. His primary interests exist within governance, risk and compliance, and he emphasizes the significance of acting as the bridge between the enterprise and information technology. Curtis is currently completing his doctorate degree in cybersecurity at Capitol Technology University (Washington DC, USA). He can be reached at https://www.linkedin.com/in/reginaldblakecurtis/.

Endnotes

1 Merriam-Webster Dictionary, “Due care,” 2020
2 Merriam-Webster Dictionary, “Due diligence,” 2020
3 Legal Information Institute, “Duty of Care,” Cornell Law School, Ithaca, New York, USA, 2020
4 Van Wyk, J.; R. Rudman; “COBIT 5 Compliance: Best Practices Cognitive Computing Risk Assessment and Control Checklist,” Meditari Accountancy Research, vol. 27, iss. 5, 7 October 2019, p. 761–788
5 Ibid.
6 ISACA®, CGEIT
7 Iliescu, F.; “Auditing IT Governance,” Informatica Economica, vol. 14, iss. 1, 2010, p. 93–102
8 Ibid.
9 Tonelli, A. O.; P. H. De Souza Bermejo; P. Aparecida Dos Santos; L. Zuppo; A. L. Zambalde; “IT Governance in the Public Sector: A Conceptual Model,” Information Systems Frontiers, vol. 19, 28 November 2015, p. 593–610
10 Ibid.
11 Sullivan, R.; “The Changing Nature of U.S. Card Payment Fraud: Industry and Public Policy Options,” Economic Review, vol. 95, iss. Q II, 2010, p. 101–133
12 Ibid.
13 Op cit Tonelli et al.
14 Fabac, R.; V. Kirinic; V. Zebic; “IT Governance in Croatian Public Administration—The Human Resources Issues,” Central European Conference on Information and Intelligent Systems, 23–25 September 2015, Varazdin, Croatia, p. 19–26
15 Lombardi, R.; M. Del Giudice; A. Caputo; F. Evangelista; G. Russo; “Governance and Assessment Insights in Information Technology: The Val IT Model,” Journal of the Knowledge Economy, vol. 7, iss. 1, 6 November 2015, p. 292–308
16 Sadikin, M.; S. K. Purwanto; “The Implementation of E-Learning System Governance to Deal With User Need, Institution Objective, and Regulation Compliance,” Telkomnika, vol. 16, iss. 3, June 2018, p. 1332–1344
17 Ibid.
18 Ibid.
19 Op cit Van Wyk and Rudman
20 Karkoskova, S.; G. Feuerlicht; “Extending MBI Model Using ITIL and COBIT Processes,” Journal of Systems Integration, vol. 6, iss. 4, 2015, p. 29–44
21 Ibid.
22 Ibid.
23 Ibid.
24 Ibid.
25 Ibid.
26 ISACA, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018
27 Nicho, M.; S. Khan; “IT Governance Measurement Tools and Its Application in IT-Business Alignment,” Journal of International Technology and Information Management, vol. 26, iss. 1, 2017, p. 81–111
28 Ibid.
29 Op cit Karkoskova and Feuerlicht
30 Devos, J.; K. Van de Ginste; “Towards a Theoretical Foundation of IT Governance—The COBIT 5 Case,” Electronic Journal of Information Systems Evaluation, vol. 18, iss. 2, September 2015, p. 95–103
31 Ali, S.; P. Green; “Effective Information Technology (IT) Governance Mechanisms: An IT Outsourcing Perspective,” Information Systems Frontiers, vol. 14, iss. 2, April 2012, p. 179–193
32 Buchwald, A.; N. Urbach; F. Ahlemann; “Business Value Through Controlled IT: Towards an Integrated Model of IT Governance Success and Its Impact,” Journal of Information Technology, vol. 29, iss. 2, June 2014, p. 128–147
33 Gammelgard, M.; M. Simonsson; A. Lindstrom; “An IT Management Assessment Framework: Evaluating Enterprise Architecture Scenarios,” Information Systems and eBusiness Management, vol. 5, iss. 4, September 2007, p. 415
34 Ramlaoui, S.; A. Semma; “Comparative Study of COBIT With Other IT Governance Frameworks,” International Journal of Computer Science Issues (IJCSI), vol. 11, iss. 6, November 2014, p. 95–101
35 Op cit Gammelgard et al.
36 Heindrickson, G.; C. Santos; “Information Technology Governance in Public Organizations: How Perceived Effectiveness Relates to Three Classical Mechanisms,” Journal of Information Systems and Technology Management: JISTEM, vol. 11, iss. 2, May–August 2014, p. 297–326
37 Op cit Iliescu
38 Ibid.
39 Marnewick, C.; F. Einhorn; “The Business Case Thrives on Relevant Information,” South African Journal of Information Management, vol. 21, iss. 1, 2019
40 Hagmann, J.; “Information Governance—Beyond the Buzz,” Records Management Journal, vol. 23, iss. 3, November 2013, p. 228–240
41 Ibid.