Governance is about vision, and the translation of vision into policy.
Governance can be said to represent the owners, or the interest group of people, who represent a firm, company or any institution. The governing body, in turn, appoints management personnel.
Good governance is outcome and value focused. It helps an enterprise realize its goals and reap business benefits. It also helps to mitigate risk and improve team effectiveness by enabling effective measurement and control and promoting good communication.
Good governance does not consist of a set of shackles and controls that stifle creativity. Although it is based on repeatable measures, good governance should provide a context for guiding entrepreneurialism, quality achievement, and efficient execution. To be accepted by practitioners, governance measures must have demonstrable value.
The governing functions are those that provide the essential direction, resources and structure needed to meet specific needs in the community which include:
• Strategic Direction, setting a direction for the organization that reflects community needs.
• Resource Development, developing financial resources that support program activities.
• Financial Accountability, managing financial resources that ensure honesty and cost-effectiveness.
Enterprise governance is the set of responsibilities and practices exercised by the board and executive management with the goals of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.
While governance developments have primarily been driven by the need for transparency of enterprise risks and the protection of shareholder value, the pervasive use of technology has created a critical dependency on IT that calls for a specific focus on IT governance.
IT governance is the responsibility of the board and executive management, and it should be an integral part of enterprise governance. IT governance comprises a set of formal and informal rules and practices that determine how IT decisions are made, how empowerment is exercised, and how IT decision makers are held accountable for serving the corporate interest.
An IT governance program operationalizes mechanisms — in the form of decision-making structures, principles, policies, standards, and procedures — to make sure that transparent and well-informed decisions are rendered and the appropriate action taken.
Proposed Principles for the IT Governance Model
  ◦ Simple to understand and explain
  ◦ Easy to maintain
• Participative and inclusive
  ◦ Stakeholders must be part of the decision process
  ◦ All parties concerned should be given the opportunity to provide input and feedback
  ◦ All departments and agencies must be informed of the decisions made
  ◦ Governance, with its roles, responsibilities and structures, is recognized and supported
  ◦ The decision process will follow a known process that ensures appropriate consultation and engagement from all stakeholders
  ◦ Decisions made are universal and are inherited
  ◦ The governance structure should be able to accommodate new directions and decision areas, and new stakeholders
• Acting as One
  ◦ The model should support the alignment of government-wide and departmental decisions
  ◦ Departments and agencies will implement a governance structure for IT that is in line with Treasury Board Secretariat (CIOB) to facilitate communication and alignment
IT Governance Reference Model
IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives. IT governance can be seen as a structure of relationships and processes to direct and control the enterprise’s use of IT to achieve the enterprise’s goals by adding value while balancing risk vs. return over IT and its processes. IT governance provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives.
Furthermore, IT governance integrates and institutionalizes best practices of planning and organizing, acquiring and implementing, delivering and supporting, and monitoring and evaluating IT performance to ensure that the enterprise’s information and related technology support its business objectives. IT governance thus enables the enterprise to take full advantage of its information, thereby maximizing benefits, capitalizing on opportunities and gaining competitive advantage. IT governance also identifies control weaknesses and assures the efficient and effective implementation of measurable improvements.
Information technology, in its turn, can influence strategic opportunities as outlined by the enterprise and can provide critical input to strategic plans. In this way, IT governance enables the enterprise to take full advantage of its information, and can be seen as a driver for corporate governance.
Because every organization is unique, companies will differ in how they nurture an environment favorable to advantageous behavior in the use of IT.
Therefore, IT governance cannot be implemented according to a one-size-fits-all pattern but instead must be carefully architected based on an organization’s profile. For an IT governance program to be effective, it needs to be symbiotic with the prevailing culture and carefully interwoven into the organization’s operational structure.
Governance mechanisms, structures, relationships, and processes must be synergistically fused with the organization if IT governance is to be successful.
1. Business drivers: A principal objective of IT governance is to see that the IT tactical direction aligns with the company’s tactical business goals. Business drivers are the attributes of business function necessary to maintain the strategic business needs of the company and outline the IT governance framework.
2. Guiding Principles: Guiding principles encapsulate the organization’s beliefs and philosophies and are enacted by controls in the form of policies, standards, and procedures that guide how decisions will be driven in both the business and IT organizations and at every level of the enterprise (i.e., strategic, tactical, or operational).
• Every organization has a unique “personality profile” that reflects three interrelated dimensions:
  ◦ Culture — the manner in which a company characterizes itself; the company’s unique identity
  ◦ Business model — how the organization will create value for its customers.
  ◦ Operating environment – the means by which value can be realized to sustain the business model
3. Accountability Framework: Central to IT governance is the notion of authority, empowerment, and accountability. An accountability framework includes clear assignment of roles and responsibilities for decision making.
4. Decision model: A decision-making model helps ensure that IT decisions are logical, consistent with the corporate direction, and aligned with the overall business strategies. The decision model ensures clarity of, and accountability for, desired outcomes. Decision authorities are individuals or bodies (e.g., committees or boards) that are empowered to make and ratify decisions regarding the use of IT.
• IT governance frameworks embrace sound industry practices and are a blend of collective intelligence derived from a community of experts.
• Industry frameworks of best practices prove very useful enablers by providing the foundation of a governance program. For an IT governance program to be effective, however, it must be tailored and architected to shadow an organization’s “personality.”
• Each of the leading practice frameworks exhibits relative merits and strengths. Each tends to have been designed to serve a specific aspect of IT, and this shapes the construct and content.
• IT governance frameworks are not necessarily mutually exclusive. Components of different frameworks can coexist and complement each other. This federated approach can be particularly attractive when the remediation efforts point to necessary improvements in diverse areas of governance; for example, business technology alignment and vendor service-level management. In these instances, COBIT and ITIL can be synthesized together in a unified framework.
• IT governance cannot be approached in a haphazard manner. There is no vanilla procedure that will magically embed IT governance into an organization. While not prescriptive, IT governance is top-down and principles-based. To be successful, it requires structured, systematic thinking and an understanding of an organization’s personality traits. It further requires ownership and sponsorship at the senior management/executive level. It is essential that business and IT senior and operational management create awareness and involvement for the IT governance initiative.
• For IT governance to be successful, it should be a workable solution able to deal with the challenges and pitfalls presented by IT. It should not only prevent problems but also enable competitive advantage. IT risks are closely related to business risks, because IT is the enabler for most business strategies. The management and control of IT should, therefore, be a shared responsibility between the business and the IT functions, with the full support and direction of the board. IT governance provides the oversight and monitoring of these activities within a wider enterprise governance scheme.
IT Governance & IT Management
Management is about making the decisions needed to implement policy. While governance pertains to the vision of an organization, and translation of the vision into policy, management is all about making decisions for implementing the policies.
The management functions are those that provide the program activities and support to accomplish the goals of the organization. These usually include:
• Program Planning and Implementation: Taking the strategic direction to the next level of detail and putting it into action.
• Administration: Ensuring the effective management of the details behind programs.
IT management is focused on the effective and efficient internal supply of IT services and products and the management of present IT operations.
IT governance, in turn, is much broader and concentrates on performing and transforming IT to meet present and future demands of the business (internal focus) and business customers (external focus).
Management comes second only to the governing body, and it is bound to act in accordance with the wishes of the governing body.
IT governance is about deciding and prioritizing what things to do, while management is about how to do them in an optimal manner.
Therefore, good IT management disciplines are a corollary to good IT governance.
• Strategy alignment ensures that IT generates demand for the products and services offered by the organization. This translates into coherent business.
• Value delivery & management ensures that IT acquires, provisions, and deploys technology solutions on a timely, cost-effective, and high-quality basis to meet the needs of the business, and that organizations maximize value by optimizing the benefits of investments throughout their economic lifecycle within defined risk tolerance thresholds.
• Risk management ensures the practices of risk identification, quantification (likelihood and impact), and mitigation are effectively deployed across the organization. The influence of risk management permeates all aspects of the reference model.
• Resource management ensures optimal use and allocation of IT resources and capabilities in servicing the needs of the enterprise, maximizing the efficiency of these assets, and minimizing their costs.
• Performance management ensures that the performance and quality of IT services are adequately defined, monitored, and measured.
IT governance is a life cycle that, for a specific objective, can be entered at any point but is best started from the point of aligned business and IT strategy. Then, the implementation will be focused on delivering the value that the strategy promises and addressing the risks that need to be managed. To support this implementation, management should manage its IT resources such that the enterprise is capable of delivering business results/value at an affordable cost with an acceptable level of risk. At regular intervals the strategy needs to be monitored and the results measured, reported and acted upon. The strategy should be re-evaluated and realigned as required.