A Pragmatic Approach to IT Governance

Let’s face it: without proper IT Governance (ITG), IT departments are playing a catch-up game. Most likely, the IT department is operating in a reactive mode: an undesirable and frustrating situation for any CIO. IT Governance is also one of the vaguest concepts in IT, practiced more by intuition and through legacy organizational structures and processes than in a systematic and standardized manner. In this blog, I will shed some light on ITG and offer a definition, structures, and processes that are the minimum for successful and effective ITG. I will do this as follows:

  1. Covering basic IT Governance definitions and concepts offered by Gartner.
  2. Briefly explaining the IT Governance Arrangement Matrix proposed by Peter Weill and Jeanne Ross in their excellent book titled “IT Governance”, published by the Harvard Business School Press.
  3. Briefly going over the key COBIT 5 IT Governance framework elements.
  4. Finally, combining the Governance Arrangement Matrix with the COBIT 5 ITG key elements and proposing essential and effective ITG structures and processes.

IT Governance Definition and Concepts

A succinct definition for ITG is offered by Gartner: “IT Governance is the organizational structures and processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.” According to Gartner, this definition contains the following concepts:

  • ITG is composed of processes with inputs, outputs, roles and responsibilities
  • The goal of ITG is defined as a business goal, not just IT-related
  • Key performance measures, identified as effectiveness and efficiency, together represent business value

It is important to highlight that IT governance is the responsibility of the board of directors and executive management. The IT Governance Institute (ITGI) concisely outlines the objective of IT Governance as follows: “IT Governance is concerned about two things: IT’s delivery of value to the business and mitigation of risk”.

In addition to the above definitions, the international organization ISACA (isaca.org) offers, through its COBIT 5 framework, an elaborate and convoluted body of IT Governance literature that includes a framework, definitions, concepts, processes and an implementation approach.


To address the IT Governance Arrangement Matrix, we first need to understand the basic ITG concepts offered by Peter Weill and Jeanne Ross. According to them, any effective IT governance must address the following three questions:

  • What decisions must be made to ensure effective management and use of IT?
  • Who should make these decisions?
  • How will these decisions be made?

In answering the “what” question above, Weill and Ross identified the following five key IT decisions that must be made for effective ITG:

  • IT principles
  • IT architecture
  • IT infrastructure
  • Business application needs
  • IT investment and prioritization

In answering the “who” question, Weill and Ross further identified the following players who can make the above decisions:

  • Business Monarchy, i.e., the business alone makes those decisions
  • IT Monarchy, IT alone
  • Duopoly, joint decision making
  • Feudal, business unit leaders, key process owners or their delegates
  • Federal, C-level executives and business groups, the equivalent of central and state governments working together
  • Anarchy, each individual user

Weill and Ross go on to create what is known as the Governance Arrangement Matrix (GAM), which allows every enterprise to define how each decision is made. The table below shows the GAM and how successful enterprises have implemented it. The GAM is not one-size-fits-all; depending on the size of your organization, you will have different ways of making those decisions.


The above matrix cross-references the decision-making body against the decision that must be made, specifying who provides input and who actually makes the decision. The checked cells show how successful organizations applied the GAM.


COBIT 5 proposes a framework to harmonize IT Governance by addressing the following critical IT Governance elements:

  1. Strategic Alignment
  2. Value Delivery
  3. Risk Management
  4. Resource Management
  5. Performance Management

The above is depicted in the following COBIT iconic diagram:


In step four below, I will address how to combine the GAM with the COBIT 5 elements to create essential ITG structures and processes.


Using the GAM and applying the COBIT 5 framework, I propose creating a set of committees, organizational structures and processes that would allow you to construct or improve your existing ITG. In principle, what I propose is to lay or fold the GAM on top of the enterprise’s pyramid in the context of the COBIT 5 framework. It might sound confusing, but the diagram below, along with the IT Governance Matrix, explains this idea in simpler terms. In essence, the committees and processes created at the different layers of the enterprise pyramid address the “who” and “how” questions in the Weill and Ross ITG framework. Industry processes and standards such as ITIL, TOGAF, ISO 27001, COBIT 5, ISO 17799, etc. address the “how” part of the ITG questions.

For effective ITG, I take the organizational pyramid and divide it into three main layers: the strategic/executive, tactical/middle-management, and operational layers.

To make ITG more practical, I subdivide the tactical layer into two, one business-IT and the other IT-specific, making the pyramid a four-layer structure, as we can see in the diagrams below. Enterprises of different sizes will have variations on this generic structure; larger enterprises will have organizational “depth” and more “layers” between the proposed ones, but in essence the same approach applies. Just to be clear, this is not a one-size-fits-all structure. The proposed approach can be tweaked and modified to suit the size, structure, culture, and industry of your own organization.

In this approach, I map or transpose the Governance Arrangement Matrix and the COBIT 5 framework onto the top-down enterprise pyramid and, in the process, create a top-down IT governance pyramid as shown below. The main difference from the pentagon-shaped COBIT framework is that I propose a pyramid model in which I combine the COBIT framework’s Value Delivery and Performance Management into one ITG element. This is due to the intrinsically high correlation between measuring IT value and measuring IT performance, which gives us the great advantage of a simpler governance structure.


The pyramid diagrams below provide a three-dimensional illustration of the four pyramid sides with the COBIT ITG elements and with the four strategic, tactical and operational ITG layers.



As we can see from the ITG Matrix below, at the executive level there are at minimum four committees required for effective ITG. In smaller organizations these committees can be combined into one; however, the decisions that need to be made must still be addressed separately and in a structured format by that committee. At the tactical level, more committees and bodies are formed, both between IT and the business and within the IT department itself. Therefore, we see that the tactical level is divided into two layers. Going down the pyramid into the operational level, even more bodies and organizational structures are needed to create this effective ITG. The pyramid below offers a simple view of the proposed ITG, while the matrix that follows offers detailed answers to the questions raised by the GAM: which decisions need to be made, by whom, and how.


The above table proposes essential but high-level IT governance structures and processes addressing who makes IT decisions and how, along with what decisions need to be made. It focuses more on the IT tactical and operational sides and offers governance structures that ensure better IT operations and value delivery. Some cells in the table are left blank because the size of an organization affects the number of governance structures needed, but these cells can easily be deduced and supplemented for large organizations using the same table structure.

In their empirical research, Weill and Ross found that organizations with well-oiled IT Governance (top performers) generate returns on IT investments that are 40% greater than their competitors’. This alone is a great incentive to have well-structured and functioning IT Governance in your organization. I hope this blog is a good starting point for a fruitful journey.

Five Essential Steps Towards an IT Strategy

IT strategy and planning is hard and time consuming. In this blog, I offer a pragmatic approach to conducting an IT strategy effort even in the absence of a business strategy. Just to be clear, a comprehensive IT strategy requires a well-defined business strategy. However, some IT planning tasks cannot wait, and should not wait, for a business strategy to be fully developed. I therefore propose a five-step approach to developing an IT strategy that is especially effective in situations where there is no clearly codified business strategy.

But first, let’s define what a strategy is.  As succinctly put by Duncan Bucknell, “A strategy is a solution to move from where you are now (A) to where you want to be (B)…or put another way, it is what you want to happen to achieve an end”.

I propose the following five essential steps that I have successfully applied in developing effective IT strategies:

  1. Review and Evaluate IT Assets
  2. Conduct Capacity Planning
  3. Review and Evaluate IT KPIs and SLAs
  4. Assess the Delivery of IT Projects
  5. Review and Evaluate the History of IT Budgets


This step involves finding out the status of your IT assets. In terms of Bucknell’s strategy “definition” above, you need to find out where point “A” is for your IT department.

Your spreadsheet or database of IT assets should include the full inventory of hardware and software products, tools, and utilities. Then you need to make sure that all of your IT assets are accounted for in a structured format. Whether you are using a sophisticated and expensive IT Asset Management (ITAM) tool or a simple spreadsheet to track your IT assets, you need to collect certain attributes or metadata about each asset. If you don’t have your IT assets accounted for, then you are in a very difficult situation and your strategy becomes cataloguing your IT assets.

Below is a sample spreadsheet with a minimal set of attributes on IT assets.


In our asset inventory system or spreadsheet, we need to highlight each asset with one of the three traffic-light colors, Red, Amber or Green, to get the so-called RAG status. The assets highlighted in red require immediate plans, with the possibility of being upgraded or replaced in the following year. The assets in yellow (amber) might need to be replaced in the following two to three years. Below are simple steps that help you determine how to color the rows in the spreadsheet:

  1. Highlight assets in red if the End of Support date falls within the next year or earlier and their upgrade or replacement requires time and substantial effort. If you plan correctly on an annual basis, you should never end up with assets in red. The planning task then becomes assessing the cost of, and timeline required for, upgrading or replacing these assets.
  2. Assets with no End of Support date but with an End of Sale date within the next year or earlier are highlighted in yellow, to plan for replacement in the next two to three years.
  3. Assets that have no End of Sale or End of Support dates, or whose dates are far out in the future, are colored green, and the planning task becomes accounting for their maintenance cost.
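As an added illustration (not part of the original post), here are the three coloring rules above applied to a small constructed inventory. The column names, the `replacement_effort` field and the handling of an asset whose support ends soon but is easy to replace are my assumptions; unsupported software is the case a security team most wants flagged early.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (not from the original post). A blank cell means
# the vendor publishes no such date; replacement_effort is an assumed column.
SAMPLE_INVENTORY = """\
asset,type,end_of_sale,end_of_support,replacement_effort
ERP suite,software,2022-06-30,2024-03-31,substantial
Core switch,hardware,2023-11-01,2026-12-31,substantial
Ticketing tool,software,2024-02-15,,moderate
VPN appliance,hardware,,2023-12-01,moderate
CRM,software,,2029-01-01,substantial
"""
REFERENCE_DATE = date(2023, 6, 1)  # the "today" used for the sample run

def within_next_year(d: date, today: date) -> bool:
    """True if the date has already passed or falls in the coming 12 months."""
    return d <= today + timedelta(days=365)

def rag_status(row: dict, today: date) -> str:
    """Apply the post's three RAG rules to one inventory row."""
    eos = date.fromisoformat(row["end_of_support"]) if row["end_of_support"] else None
    eosale = date.fromisoformat(row["end_of_sale"]) if row["end_of_sale"] else None
    substantial = row["replacement_effort"].strip().lower() == "substantial"
    # Rule 1: support ends within a year and replacing it is a big job -> Red
    if eos is not None and within_next_year(eos, today) and substantial:
        return "Red"
    # Rule 2: no End of Support date, but End of Sale within a year -> Amber
    if eos is None and eosale is not None and within_next_year(eosale, today):
        return "Amber"
    # Assumption (the post does not cover this case): support ends within a
    # year but the swap is easy -> Amber, so it still lands on the 2-3 year plan
    if eos is not None and within_next_year(eos, today):
        return "Amber"
    # Rule 3: no dates, or dates far in the future -> Green (maintenance cost only)
    return "Green"

def classify_inventory(csv_text: str, today: date) -> dict:
    """Return {asset name: RAG status} for every row of the CSV inventory."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["asset"]: rag_status(row, today) for row in reader}

if __name__ == "__main__":
    for name, status in classify_inventory(SAMPLE_INVENTORY, REFERENCE_DATE).items():
        print(f"{status:5} {name}")
```

Note that the core switch stays green even though its End of Sale is within a year, because rule 2 only applies when no End of Support date is published; the rules are evaluated in the order the post gives them.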

The IT budgetary plans start to take shape by adding up the costs of upgrading, replacing or maintaining the IT assets. Your PMO is then responsible for putting together the upgrade or replacement plans. Software products, especially COTS products such as ERP, CRM and SCM, require substantial resources to upgrade or replace. Therefore, these assets call for special attention and careful planning to replace or upgrade, and require annual reviews of the vendors’ roadmaps.


Capacity planning is essential for survival in IT departments, especially in businesses where growth is steady or exponential. Your business might not have a clearly spelled-out business strategy or plans, but you can demand that the commercial team figure out certain basic business KPIs and predict them for the next one to three years. For example, a simple KPI such as the number of expected customers, users, or subscribers to your business products or services has an impact on the capacity of IT systems. You also need to know the number of your own employees or contractors who will work on delivering the products and services to your customers. These numbers determine the amount of disk space, computing power, connectivity and network capacity, software licenses and the number of end-user devices required to support your employees and contractors. Details on how to conduct capacity planning can be found in chapter 2 of Gary Cokins’ book “CIO Best Practices: Enabling Strategic Value With Information Technology”.


As part of understanding where you are at present (point “A”), the first step in IT strategic planning, you also need to know what your current KPIs and SLAs are. Therefore, you need an inventory of meaningful KPIs and SLAs agreed with the business. In his blog, Myles Suer suggests seven so-called “magnificent” IT KPIs. In addition to the KPIs suggested by Suer, you will most likely need KPIs that are more meaningful to the business, such as ones that measure the efficiency of running the IT department in terms of revenue per customer. Other business KPIs can relate to IT cost per business service delivered or year-over-year IT budget spend vs. revenue growth.

Once the list of KPIs is compiled, the next task is to enter these KPIs into a spreadsheet similar to the one below, decide whether their current values are acceptable to IT and to the business leadership, then define the target values and the actions or future projects that might be required to achieve each new KPI value, as in the example below.



Every year you need to have an answer to a very simple yet convoluted question: what percentage of projects were completed within budget and on the planned timeline in the previous year? This measure is obviously a KPI, but it needs to be addressed separately due to its significant impact on the strategy and planning process. Answering this question reveals a lot about the IT department and its capacity and capability to deliver IT projects, and in a way allows you to strategize and plan from an internal IT perspective. Capacity and capability do not mean just the ability to collect requirements and to design, develop, and deploy systems; they also include the IT department’s human capacity and ability to manage multiple projects, even when these projects are fully outsourced. This KPI can also reveal many issues related to project delivery methodology, processes, tools and techniques. It will help you raise many questions that might identify problems, the solutions to which become projects or initiatives on your strategic plan.


Reviewing the IT budgeted-versus-actual-spend KPI for the previous two to three years provides another important insight into the capacity and capability of the IT department to deliver projects, solutions, products and services. IT strategic planning requires the right funding: you don’t want to budget high and end up spending less, unnecessarily tying up the company’s financial resources. You also don’t want to under-budget and end up with projects that cannot be completed due to lack of proper funding. Reviewing how much you spent in the last two to three years, and on what, will give you great insight into how much you should budget, and for what, in the next three years.

Applying the five steps above will allow you to create a pragmatic IT strategy with budget estimates and execution plans that can help you run the IT department for the following three years. However, CAPEX planning will require a business strategy, which takes us back to where we started: a business strategy is required for a comprehensive IT strategy.