What is IT governance and its Significance?

What is IT governance and its Significance?

WHAT IS IT GOVERNANCE?

In today’s world, IT governance can mean many things and refer to various IT frameworks. In many cases, IT governance is confused with simply implementing standards to report results and compliance. According to the IT Governance Institute,

“IT governance is the responsibility of executives and the board of directors, and consists of leadership, organizational structures, and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.”

What does this mean in the federal arena? Fundamentally, governance is about establishing policy. It’s about implementing structure around how the agencies align their IT strategy with their business strategy, to ensure that they stay on track to achieve their strategic goals, and implement effective ways to measure the agencies’ IT performance. Chief information officers (CIOs), IT federal managers, and project managers have the responsibility to implement mandates and internal policies to ensure that all stakeholders’ interests are taken into account and that they provide measurable results.

Apart from this, it also needs to be mentioned that corporate governance and IT governance must not be viewed in isolation but must act and move in tandem. Indeed, many experts point to the fact that IT governance is a subset of corporate governance and that both must be framed in a mutually dependent manner.

Broadly speaking, the objectives of IT governance can be summed up as assuring the creation of value through the use of IT; oversight of the management’s performance; mitigation of the risks associated with the use of IT; and a general tendency to have oversight over the IT systems so that there is alignment between the organizational goals and the goals of the IT systems.

Key terms explained

The terms IT governance, IT management, and IT controls are often used interchangeably though this is fallacious as each of these terms refers to different aspects of organizational imperatives. The primary objective of IT governance is the marshaling of the IT resources available to the organization and the stewardship of the IT systems in a manner that would create value for the organization. On the other hand, IT management is all about the plans to operationalize the use of IT resources, directing and controlling the use of such resources, and organizing the management of such resources. Similarly, IT controls are the mechanisms put in place to ensure that the organizational IT systems are being monitored and tracked. Thus, as we can see, there is a difference in each of these terms, which is more than semantic and instead, extends to the scope as well as the depth of the organizational mandate for each of these terms. We have used the term organizational mandate, as IT governance is a higher-level business imperative whereas the other terms are more micro-managerial in nature.

The best way to think about IT governance is to ask the question as to what can be achieved through the use of IT and how well the existing IT resources can be leveraged for the benefit of the organization. In other words, IT governance can be seen as a superstructure that encompasses the other terms defined above. Moreover, IT governance is itself a substructure in the overall superstructure of corporate governance and business governance. This means that IT governance is effective only when there is a vertical and horizontal alignment between these various elements of the organizational structure.

Framework of IT governance

There are many IT governance frameworks that are used by organizations worldwide and the most widely used framework is COBIT or the Control Objectives for Information and Related Technology). This framework prescribes a set of 37 different IT processes and the means of managing these processes through identifying the inputs and outputs along with key process activities, performance measures, and process objectives to ensure that the IT systems are indeed delivering business value.

The key reasons why organizations use the IT frameworks are to ensure that they use the IT systems in an efficient and effective manner. Further, risk mitigation and performance management are key business imperatives, which the organization must follow so that there are no surprises for its operations and that the business objectives are being met.

WHY IS GOVERNANCE IMPORTANT?

The importance of IT governance is that it achieves desired outcomes and behavior. The relationship between IT governance and effective value creation of IT investments has long been recognized and is cited as the reason for achieving excellence in the management of IT. It provides a focus on cost and allows effective communication between the customers and providers by establishing joint accountability for IT investments. Enforcing the governance processes is articulated by IT portfolio management and is used by IT leaders to manage their agencies’ IT investments, projects and resources in an effort to review opportunities, reduce redundancy across the IT environment, and drive cost savings. Governance offers a formula for success and allows leaders within federal agencies to be active in the strategic management of IT and make sure the following basic elements are in place.

• Alignment and responsiveness: Governance works hand in hand with IT portfolio management to align IT investments with agency objectives, enabling federal managers to improve responsiveness to challenges and manage current and future IT investments. It provides transparency to agency IT investments and ensures taxpayer money is spent in accordance with the agency’s mission.
• Objective decision making: Governance allows leadership to actively commit to improving the management and control of IT activities in the agency.
• Resource balancing: Proper management of critical resources enables control in planning and organizing IT initiatives. This gives federal managers the ability to ensure adequate IT support is available for current and future IT investments.
• Organizational risk management: Proactive risk management ensures that IT federal managers and leadership are aware of the risk associated with the IT initiatives and provides the basis to implement risk mitigation strategies.
• Execution and enforcement: Governance provides federal managers with the framework to manage all IT initiatives and demands, through a single point where they are prioritized and fulfilled. It allows standardizing technology platforms and helps managers make informed decisions on IT initiatives.
• Accountability: Effective governance is about accountability. This enables federal managers to enforce the responsibilities that relate to IT program management.

IT governance cannot exist in isolation and is a process by which decisions are made around enterprise IT investments and projects. By rolling up all investments and projects into the agency’s IT portfolio, a complete and comprehensive view of the entire IT portfolio emerges. This enables leadership to make better strategic decisions and proactively manage and evaluate future investment as a group. IT portfolio management also provides the mechanism for effective IT governance and reporting of Office of Management and Budget’s (OMB’s) Oversight and Government Reform.

INEFFECTIVE GOVERNANCE AND COMPLEXITIES OF GOVERNANCE TECHNIQUES:

TOP 10 REASONS FOR INEFFECTIVE GOVERNANCE

Establishing IT governance is not a one-time implementation or achieved by a mandate; it requires commitment from the federal leadership. IT governance is an activity that requires continuous improvement, and the challenges faced by CIOs are numerous and complex.

Over the past few years, federal agencies have worked diligently to establish effective IT governance. This has helped federal agency IT managers prioritize and optimize the IT investments decision-making process. At the same time, budget constraints have become the operating norm. The recent legislature had a 7 percent across-the-board cut among several agencies. This shrinking budget and increased scrutiny of federal initiatives has become the greatest concern for IT leadership at all levels of government.

The report GAO-12-461, dated April 2012, warned that the administration is at risk of losing momentum of fully completing the key action items in the Office of Management and Budget’s 25-Point Plan to Reform Federal Information Technology. Section D of this plan consists of three actions needed to strengthen IT governance: 1) Reform and strengthen Investment Review Boards, 2) Redefine the role of agency CIOs and federal CIO council, and 3) Roll out “TechStat” model at the bureau level.

NetImpact Strategies’ experience supporting numerous federal clients has enabled us to identify and recognize the reasons for the absence of good governance. Generally speaking, the following 10 reasons are the most common factors for ineffective IT governance at federal agencies.

IT governance spans the agency policy and practices that provide for IT management. Federal managers face continuous scrutiny over investment management and performance. In most federal agencies, it is not an isolated activity and CIOs and IT governance boards often face challenges including: lack of effective communication, lack of reliable data, lack of interest/clarity, having no accountability, certain decisions are not respected, having ineffective processes, having forced participation, lack of follow-through, too much bureaucratic “red tape,” and benefits which are not clearly articulated.

What’s the relationship between IT governance and GRC (governance, risk and compliance)?

According to Calatayud, IT governance and GRC are practically the same thing. “While GRC is the parent program, what determines which framework is used is often the placement of the CISO and the scope of the security program. For example, when a CISO reports to the CIO, the scope of GRC is often IT focused. When security reports outside of IT, GRC can cover more business risks beyond IT.”

Why do organizations implement IT governance infrastructures?

Organizations today are subject to many regulations governing the protection of confidential information, financial accountability, data retention and disaster recovery, among others. They’re also under pressure from shareholders, stakeholders and customers.

To ensure they meet internal and external requirements, many organizations implement a formal IT governance program that provides a framework of best practices and controls.

What kind of organization uses IT governance?

Both public- and private-sector organizations need a way to ensure that their IT functions support business strategies and objectives. And a formal IT governance program should be on the radar of any organization in any industry that needs to comply with regulations related to financial and technological accountability. However, implementing a comprehensive IT governance program requires a lot of time and effort. Where very small entities might practice only essential IT governance methods, the goal of larger and more regulated organizations should be a full-fledged IT governance program.

How do you implement an IT governance program?

The easiest way is to start with a framework that’s been created by industry experts and used by thousands of organizations. Many frameworks include implementation guides to help organizations phase in an IT governance program with fewer speedbumps.

The most commonly used frameworks are:

• COBIT: Published by ISACA, COBIT is a comprehensive framework of “globally accepted practices, analytical tools and models” designed for governance and management of enterprise IT. With its roots in IT auditing, ISACA expanded COBIT’s scope over the years to fully support IT governance. The latest version is COBIT 5, which is widely used by organizations focused on risk management and mitigation.
• ITIL: Formerly an acronym for Information Technology Infrastructure Library, ITIL focuses on IT service management. It aims to ensure that IT services support core processes of the business. ITIL comprises five sets of management best practices for service strategy, design, transition (such as change management), operation and continual service improvement.
• COSO: This model for evaluating internal controls is from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO’s focus is less IT-specific than the other frameworks, concentrating more on business aspects like enterprise risk management (ERM) and fraud deterrence.
• CMMI: The Capability Maturity Model Integration method, developed by the Software Engineering Institute, is an approach to performance improvement. CMMI uses a scale of 1 to 5 to gauge an organization’s performance, quality and profitability maturity level. According to Calatayud, “allowing for mixed mode and objective measurements to be inserted is critical in measuring risks that are qualitative in nature.”
• FAIR: Factor Analysis of Information Risk (FAIR) is a relatively new model that helps organizations quantify risk. The focus is on cyber security and operational risk, with the goal of making more well-informed decisions. Although it’s newer than other frameworks mentioned here, Calatayud points out that it’s already gained a lot of traction with Fortune 500 companies.

How do I choose which framework to use?

Most IT governance frameworks are designed to help you determine how your IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from its investments.

Where COBIT and COSO are used mainly for risk, ITIL helps to streamline service and operations. Although CMMI was originally intended for software engineering, it now involves processes in hardware development, service delivery and purchasing. As previously mentioned, FAIR is squarely for assessing operational and cyber security risks.

When reviewing frameworks, consider your corporate culture. Does a particular framework or model seem like a natural fit for your organization? Does it resonate with your stakeholders? That framework is probably the best choice.

But you don’t have to choose only one framework. For example, COBIT and ITIL complement one another in that COBIT often explains why something is done or needed where ITIL provides the “how.” Some organizations have used COBIT and COSO, along with the ISO 27001 standard (for managing information security).

How do you ensure a smooth implementation and positive results?

One of the most important paths to success is with executive buy-in. Calatayud recommends forming a risk management committee with top-level sponsorships and business representation. “To ensure it’s an effective program, it needs to be supported by a broad set of line of business leaders.” He also recommends sharing results with the board or audit committee to “develop real attention when items begin to get ignored.”

As with any significant project, you should always keep communication lines open between various parties, measure and monitor the progress of the implementation, and seek outside help if needed.

How Best to Move Forward

Developing a comprehensive IT governance program can be a daunting task even for organizations with mature management practices. The best place to start is to become familiar with the COBIT 5 framework and principles. ISACA (Information Systems Audit and Control Association) offers many valuable tools and information that will help with education and put into place a road map for the IT governance journey.

Additionally, consider utilizing an experienced practitioner that can help implement practical and proven strategies to formulate an IT governance program and road map.  They can also assist in engaging senior management in adopting the necessary practices that will lead to acceptance across the broader organization.

It cannot be stressed enough that IT governance is an ongoing journey that will continually evolve, not a one-time destination.  It is up to CIOs to lead the way by helping their organizations think about, evaluate and adopt the “right” IT strategies for their businesses.

CONCLUSION

IT governance is important and will ensure the effective and efficient use of IT to achieve agency goals. As Peter Weill, chairman of the Center for Information Systems Research, Massachusetts Institute of Technology, said:

“If I was to choose one factor that most contributed to the success of IT, it is IT governance.”

Each agency is unique, and each agency’s approach to executing governance may vary with the culture and organizational structure. Implementing good IT governance requires a framework based on three major elements: effective structure, effective process, and effective communication. To achieve maturity ensures that IT is working as effectively as possible to maximize cost savings and the benefits of each IT investment, ensuring that the investments are consistent with the organization’s business strategy.