There are a number of internal and external factors that an organisation should consider when designing and implementing IT governance. First and foremost is the mission and vision of the organisation; secondly, the laws and regulations of the jurisdictions and markets the organisation operates in.

Some of the other design considerations are the business model, plans or strategy; policies; ethics, culture and conduct. Risk appetite and the availability or location of resources should also be considered in the design of IT governance. As an example of risk appetite, how an organisation treats regulatory risk can influence the design. Similarly, where, and from how many locations, the IT workforce of an organisation operates is an IT governance design consideration, as is the level of autonomy and decision-making power that can be granted to local management.

As with any other initiative, the implementation of IT governance must be supported by top leadership. From an operational perspective, the desired outcomes of effective IT governance are sustainability, consistency, repeatable processes and measurable performance. Over time, the higher-level outcome should be demonstrable maturity in alignment and value creation.

Figure 2: Components of IT Governance

For guidance and inspiration on governance design and implementation, or for help with improving capability, there are a number of frameworks, standards and tools that can be used; examples include ISACA’s COBIT 2019, CMMI (Capability Maturity Model Integration) and the Balanced Scorecard (BSC). Other standards and tools are also now available to measure performance and innovation.

Now, a little on some of the theories and models that look into the setting and arrangement of IT governance in pursuit of the desired outcome. P. Weill and J. Ross, in their book [IT Governance: How Top Performers Manage IT Decision Rights for Superior Results], suggest that IT governance is essentially a) specifying the decision rights and b) devising the accountability framework. Weill and Ross looked at five IT domains to understand HOW organisations make IT decisions:

  • IT principles
  • IT infrastructure
  • IT Architecture
  • Business applications
  • IT investments and prioritisation

They then defined six models to understand a) WHO provides the input and b) WHO has the right to make the IT decisions. A brief depiction is below [source: MIT Sloan School Center for Information Systems Research (CISR), taken from the ISACA CGEIT manual and edited for the purpose of explanation]:

  • Business monarchy: business executives retain both the input and decision-making rights, with occasional CIO involvement.
  • IT monarchy: an individual IT executive or a group of IT executives retains both the input and decision-making rights; IT managers and the business are not involved.
  • Feudal: business unit (BU) leaders retain the decision rights, with input from process owners.
  • Federal: generally, C-level executives retain the decision rights, with input from BU leaders, process owners and IT executives.
  • Duopoly: IT executives, C-level executives and BU leaders jointly make decisions. Input can come from process owners as well as IT management.
  • Anarchy: process owners make individual decisions.

It is crucial to establish accountability, and in this context COBIT provides guiding principles. An important point to remember is that, as part of the Governance of Enterprise IT, COBIT maintains the distinction between governance and management processes: management focuses on plan, build, run and monitor, while governance focuses on evaluate, direct and monitor.

Figure 3: Separated IT Governance from IT Management

Organisational structures are created or adopted (from standards such as COBIT) to define responsibility and accountability. Examples include the board of directors, the executive committee, the C-suite, the IT governance board, various steering and other committees, and independent functions such as compliance and audit.

A dedicated governing function separate from operational management can blur the lines of roles and responsibilities. To provide clarity on the responsibilities and accountabilities of the various functions, a commonly used method is the RACI chart, which denotes the Responsible, Accountable, Consulted and Informed parties within an organisational structure at every level. There are many examples of RACI matrices available online should you need some inspiration.

Opinions

Let’s quickly remind ourselves that the purpose of governance is to enable an organisation to achieve its business objectives effectively and efficiently. Too often, rigid and siloed organisational structures contribute to the lack of agility needed to respond to business needs or to reduce time to market. In some cases, governance models that were suitable some decades ago are now dated due to strategic shifts or changes in business dynamics, yet the problem itself has not been recognised.

Agility: Organisations that are open to the principles of Agile methodology for delivering IT should also be open to, and take inspiration from, Agile methodology for delivering business change. Governance models and organisational structures should likewise be flexible, able to adapt and open to change.

Periodic review: IT governance and IT management structures should be reviewed periodically; in fact, the periodic review should be mandated in policy, with the results provided to the board as part of a feedback loop. Necessary adjustments should then be made that are commensurate with internal changes as well as external threats and opportunities.

Decision making: Especially in large organisations, autonomy in localised IT management decision making can unintentionally lead to localised decisions concerning IT governance, resulting in over-governance. This point is best explained with an example scenario: suppose there was a need to introduce additional, localised (for a specific country or market) governance processes in order to mitigate regulatory risk or to drive conduct and culture in a certain direction. Once the objectives have been achieved, if those processes are not brought back in line with the centrally driven policy, the additional governance processes can become a business-as-usual activity (a cottage industry), and as a spill-over they are sometimes adopted by other locales and regions. If policy is driven centrally, with IT Governance and IT Management separated, it should be IT Management that is empowered with flexibility and autonomy in decision making, for agility, in order to drive innovation and achieve optimal performance. IT Governance is best suited to being driven centrally, in my humble opinion. Boards, senior leadership and executives need to be creative in devising functions and organisational structures so that business governance, IT governance and IT management work together to align business with IT, not just to deliver IT but also to respond to business change. It is becoming increasingly important to draw inspiration from methodologies across disciplines in order to stay competitive.
