Organizations today are subject to many internal and external requirements governing financial accountability, data protection and retention, and disaster recovery, to name a few. They are also under pressure from shareholders, stakeholders and customers.
Without a formal governance program to help meet these requirements, IT organizations can experience the following problems, as summarized in a recent article:
- Lack of metrics (leading to ineffective decisions)
- Dissatisfaction among senior business leaders
- Missed delivery expectations
- Avoidance of central IT (shadow IT)
- Duplication between central IT and business unit IT
- Rising IT costs without commensurate return
- Excessive duplication and complexity
- Poor vendor performance
That is why today's most successful organizations implement a formal IT governance program: a framework of best practices and controls that ensures they meet internal and external requirements. Several frameworks are in use (ITIL, COSO, FAIR, among others), but here I want to talk about perhaps the most widely adopted one, COBIT 5.
COBIT 5: What is it?
ISACA's COBIT 5 framework defines governance as follows:
“Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.”
In other words, governance consists of three activities, which COBIT 5 abbreviates as EDM: evaluate, direct and monitor.
- Evaluate to determine balanced, agreed-on enterprise objectives to be achieved.
- Direct through prioritization and decision making.
- Monitor performance, compliance and progress against agreed direction and objectives.
COBIT 5 also sets out five principles for effective governance of enterprise information and technology: meeting stakeholder needs, covering the enterprise end to end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. It is the last principle, separating governance from management, that is perhaps the most important.
(As of this writing, ISACA has just introduced COBIT 2019, which updates and extends COBIT 5 but does not significantly change its core principles.)
Separate governance from management
Governance and management are not the same.
Governance is typically carried out by the board and senior stakeholders, who set policies and strategies for mitigating risk and ensuring compliance across the enterprise. Management, on the other hand, typically falls to the IT team. Its job is to understand and implement the intent of the policies set by the governance body, using available technologies to ensure alignment with the business.
Consider the term "governance of IT." In this context the separation becomes immediately clear: the IT organization is subject to the influences of the enterprise, and it is the enterprise that establishes IT's "marching orders."
The following diagram, from ITIL® 2011 Edition, depicts these influences.
Key responsibilities of IT governance
According to Gartner, the simplest definition of IT governance is "the set of processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals." Following that definition, the key responsibilities of governance of IT are to:
- Ensure that policies and standards are aligned with the overall corporate vision, mission and goals.
- Direct funding and investment in areas that provide the highest value to the enterprise.
- Ensure that required processes are consistently followed.
- Define roles and responsibilities.
- Define and report on Critical Success Factors and associated Key Performance Indicators.
- Facilitate the implementation actions needed to act on identified gaps and opportunities.
As a service provider, IT must be sensitive to the needs of its direct customer, the enterprise itself, and ensure that its services align with changing business needs. It must define governance roles and responsibilities, produce relevant data and take action to maintain that alignment.
To that end, IT should consider applying the principles of governance at a strategic, tactical and operational level:
- Strategic – Establish a formal IT Service Management (ITSM) capability that is not limited to a single framework, method, standard or movement, but rather combines multiple relevant approaches. This capability should connect clearly to the IT strategic plan and support business outcomes, while quantifying the value that Service Management brings (specific Critical Success Factors with supporting Key Performance Indicators).
- Tactical – Produce a pragmatic and achievable rolling 18-month roadmap that sets out the activities to be conducted, in what order and over what period of time, with periodic checkpoints to measure progress.
- Operational – Provide a supporting technology platform that records, measures and reports on the services and processes defined at the strategic and tactical levels.
Logicalis: Your IT governance and management expert
Logicalis can help you apply the principles of governance at the strategic, tactical and operational levels in your own organization. We can help establish or optimize a formal Service Management capability through our proven offerings across a spectrum of related services, including:
- Service Management Executive Overview
- Governance and Service Management Roadmap Workshop
- Service Management Process Assessments
- Service Management Process Modeling Workshops
- Customized Workshops Focused on IT or Business Service Management
- Fully Accredited Education for ITIL, Agile, COBIT and DevOps Certifications
- Business & IT Alignment Simulations
- Business Case Development
- RFP Management
- ServiceNow Implementations
- ServiceNow Licensing
- ServiceNow Health Checks
Tony Fischer is Director of Business Development for Logicalis US, responsible for Service Management Sales and Services.