Can IT Governance Be Dispensed With?

Author: Ravikumar Ramachandran, CISA, CISM, CGEIT, CRISC, CDPSE, OCA-Multi Cloud Architect, CISSP-ISSAP, SSCP, CAP, PMP, CIA, CRMA, CFE, FCMA, CIMA-Dip.MA, CFA, CEH, ECSA, CHFI, MS (Fin), MBA (IT), COBIT-5 Implementer, Certified COBIT Assessor, ITIL 4 -Managing Professional, TOGAF 9 Certified, Certified SAFe5 Agilist, Professional Scrum Master-II, Chennai, India
Date Published: 20 October 2021

The title of this article poses a provocative question. The answer is an emphatic NO!

This question is often asked in management circles because of the complex and often contradictory nature of the IT governance process. After all, the marketing and sales team may recommend purchasing the latest technology to beat the competition, while the IT governance process, duly followed, may lead to the opposite conclusion. While this may add to CEOs’ truckload of woes, they nonetheless need to take the IT governance process and its inputs into consideration to safeguard the organization – not to mention their jobs.

F. Scott Fitzgerald famously wrote, “The test of a first-rate intelligence is the ability to hold two opposing ideas in mind at the same time and still retain the ability to function.” Thus, IT governance, as both a compliance function and a strategy-enabling process, provides a wide array of options for the CEO to consider and eventually drive toward a comprehensive plan of action.

CEOs need not spend precious time re-inventing the process, but rather simply follow the ready-made frameworks created by reputed institutions. The most common frameworks organizations use to boost their IT governance, and ultimately their business performance, are as follows:

  • COBIT: Created by ISACA, COBIT is specifically designed for enterprise IT. It is considered the industry standard for IT governance frameworks and is accepted by regulatory bodies across the globe.
  • ITIL, or Information Technology Infrastructure Library: A framework that considers how IT service strategy design, transition, operations, and service improvement can support core business practices.
  • COSO, or the Committee of Sponsoring Organisations of the Treadway Commission: A framework that focuses on internal controls rather than on IT-specific functions, integrating other frameworks like risk management and fraud prevention. 
  • CMMI, or the Capability Maturity Model Integration framework: With a focus on performance improvement, CMMI uses a scale to evaluate an organization’s performance, quality and profitability.
  • FAIR, or Factor Analysis of Information Risk: A newer framework, FAIR helps organizations quantify their level of cybersecurity and organizational risk, and is the only international-standard quantitative model for the latter.

Now let us examine the key benefits of IT governance for organizations that embrace many of the good practices enabled by the frameworks mentioned above:

  1. Aligns with and enables enterprise strategy: The definition of IT governance, per ITGI, is “the responsibility of executives or the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategy and objectives.” In simple words, IT governance ensures that IT works for the execution of enterprise strategy. The metric for measuring this benefit is the amount of IT budgets accepted and approved by business executives as a result of their conviction that IT supports business strategy.

    In the past it was business strategy enabling IT strategy, but presently it is IT strategy enabling business strategy, where IT governance plays a much bigger role.
  2. Value delivery: The performance a specific IT services group delivers to a specific business unit (e.g., core banking) is measured. For each business unit, specific metrics will be defined. The ultimate responsibility for achieving and measuring the business value of IT rests with the business and is reflected in the business results of the individual lines of the business in different ways, depending on the nature of value being sought.
  3. Resource management: This is the biggest portion of the IT budget. IT governance helps in achieving effective resource management by prescribing effective usage of both internal and external resources through effective SLAs, organization of IT assets through effective architecture, effective management of the software lifecycle and hardware licenses, and finally prescribing industry best practices.
  4. Performance management: IT governance enables the ascertainment of how much IT contributed to the business in the past and the outlook for the future. ROI captures the financial value of the investments in IT projects. An IT Balanced Scorecard measures both tangible and intangible values.
  5. Risk management: This is the most important function of IT governance. IT risks pose both a peril and an opportunity, and business units should own the risk of using IT, with the board directing the activities of risk management annually. Risk management best practices as prescribed by COBIT-Risk IT and other standards such as COSO ERM, M_o_R, OCTAVE and ISO 31000 can also be consulted.
  6. Cost management: This is a traditional financial objective and is measured through the attainment of expense and recovery targets. The expenses refer to the costs that the IT organization has incurred for the business, and the recovery refers to the allocation of costs to IT services and the internal chargeback to the business. IT costs come with no profit margin and are recovered from the lines of business on a fair and equitable basis as agreed by the company’s CFO. Comparison with similar industries will be drawn to benchmark these metrics.
  7. Inter-company synergy achievement: This is measured through the achievement of single system solutions, targeted cost reductions and the integration of the IT organizations. This measure becomes relevant in the context of a merger of IT organizations. The selection of single system solutions is a cooperative effort between business leaders and IT staff, resulting in a “target state architecture” depicting the target applications architecture.
  8. Improved compliance with relevant laws, regulations and policies: This is a major benefit of IT governance as it protects the organization and its management from non-compliance and legal risk.
  9. Operational success: IT becomes an enabler of change rather than an inhibitor, and IT governance also achieves improved transparency and understanding of IT’s contribution to the business – improved agility in supporting business needs and increased user satisfaction with IT services.

Mandatory for survival
Digital transformation is no longer optional for any enterprise in the current digitization-driven economy, whether it is undertaken wholly or, where some legacy systems are retained, partially. In this context, a commitment to strong IT governance is absolutely mandatory for survival.

Author’s note: The views expressed in this article are the author’s own and do not represent those of the organization or of the professional bodies with which he is associated.