Let’s face it, without proper IT Governance (ITG), IT departments are playing a catch up game. Most likely, the IT department is operating in a reactive mode: an undesirable and frustrating situation for any CIO. IT Governance is also one of the vaguest concepts in IT, practiced more by intuition and organizational legacy structures and processes rather than a systematic and standardized manner. In this blog, I will shed some light on ITG and offer a definition, structures, and processes that are minimal to successful and effective ITG. I will do this as follows:
- Covering basic and quick IT Governance definition and concepts offered by Gartner.
- Briefly explaining IT Governance Arrangement Matrix proposed by Peter Weill and Jeanne Ross in their excellent book titled “IT Governance” published by the HarvardBusiness School Press.
- Briefly going over key COBIT 5 IT Governance framework elements.
- Finally, combine the Governance Arrangement Matrix with the COBIT 5 ITG key elements and propose an essential and effective ITG governance structure and processes.
A succinct definition for ITG is offered by Gartner: “IT Governance is the organizational structures and processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.” According to Gartner, this definition contains the following concepts:
- ITG is composed of processes with inputs, outputs, roles and responsibilities
- The goal of ITG is defined as a business goal, not just IT-related
- Key performance measures, identified as effectiveness and efficiency, together represent business value
It is important to highlight that IT governance is the responsibility of the board of directors and executive management. The IT Governance Institute (ITGI) concisely outlines the objective of IT Governance as follows: “IT Governance is concerned about two things: IT’s delivery of value to the business and mitigation of risk”.
In addition to the above definitions, the international organization ISACA (isaca.org) offers an elaborate and convoluted IT Governance literature that includes a framework, definitions, concepts, processes and implementation approach through its COBIT 5 Framework.
To be able to address the IT Governance Arrangement Matrix we need to, first, understand basic ITG concepts offered by Peter Weill and Jeanne Ross. According to them, any effective IT governance must address the following three questions:
- What decisions must be made to ensure effective management and use of IT?
- Who should make these decisions?
- How will these decisions be made?
In answering the “what” question above, Weil and Ross identified the following 5 key IT decisions that must be made for an effective ITG:
- IT principles
- IT architecture
- IT infrastructure
- Business application needs
- IT investment and prioritization
In answering the “who” question, Weill and Ross further identified following players who can make the above decisions:
Business Monarchy, i.e., business alone makes those decisions
- IT Monarchy, IT alone
- Duopoly, joint decision making
- Feudal, business unit leaders, key process owners or their delegates
- Federal, C-level executives and business groups, equivalent of central and state governments working together
- Anarchy, each individual user
Weill and Ross move on to create what is known as the Governance Arrangement Matrix (GAM) which allows every enterprise to define how each decision is made. The table below shows the GAM and how successful enterprises have implemented it. GAM is not a one size fits all and depending on the size of your organization, you will have different ways of making those decisions.
The above matrix cross-checks the decision making body with the decision that must be made and specifying who provides input and who actually makes the decision. The cells that are checked shows how successful organizations applied the GAM.
COBIT 5 proposes a framework to harmonize the IT Governance by addressing the following critical IT Governance elements:
- Strategic Alignment
- Value Delivery
- Risk Management
- Resource Management
- Performance Management
The above is depicted in the following COBIT iconic diagram:
In the step four below, I will address how to combine GAM with the COBIT 5 elements into creating an essential ITG structures and processes.
Using the GAM matrix and applying the COBIT 5 framework, I propose create a set of committees, org structures and processes that would allow you to construct or improve your existing ITG. In principal, what I propose is to lay or fold the GAM on top of the enterprise’s pyramid in the context of the COBIT 5 framework. It might sound confusing but the diagram below along with the IT Governance Matrix can explain this idea in more simple terms. In essence, the committees and processes created at the different layers of the enterprise pyramid will address the “who” and “how” questions in the Weill and Ross ITG framework. The industry processes and standards such as ITIL, TOGAF, ISO 27001, COBIT 5, ISO 17799, etc. will address the “how” part of the ITG questions.
For an effective ITG, I take an organizational pyramid and structure and divide it into three main layers: the strategic/executive, tactical/middle management, and operational layers.
To make ITG more practical, I subdivided the tactical layer into two, one business-IT and the second is IT specific, making the pyramid structure 4 layers as we can see in the diagrams below. Enterprises of different sizes will have variations on this generic structure, where larger enterprises will have organizational “depth” and more “layers” between the proposed ones, but in essence the same proposed approach will apply. Just to be clear, this is not a one-size-fits-all structure. The proposed approach can be tweaked and modified to suit the size, structure, culture, and the industry of your own organization.
In this approach, I will map or transpose the Governance Arrangement Matrix and the COBIT 5 framework into the top-down enterprise pyramid and in the process create a top-down IT governance pyramid as shown below. The main difference from the pentagon COBIT framework is that I propose a pyramid model where I combine the Value and Performance Measurement in the COBIT framework into one ITG element. This is due to the intrinsic high-correlation between measuring IT value and performance measurement of IT, which gives us the great advantage of simplifying the governance structure.
The pyramid diagrams below provide a 3 dimensional illustration of the four pyramid sides with the COBIT ITG elements and with the 4 strategic, tactical and operational ITG layers.
As we can see from the ITG Matrix below, at the executive level, there are at minimum 4 committees that are required for an effective ITG. These committees can be combined into one, in smaller organizations. However, the decisions that need to be made must be addressed separately and in a structured format by this committee. At the tactical level, more committees and bodies are formed both between IT and the business and within the IT department itself. Therefore, we see that the tactical level is divided into two layers. Going down the pyramid into the operational level, even more bodies and organizational structures are needed to create this effective ITG. The pyramid below offers a simple view of the proposed ITG, while the matrix that follows offers detailed answers to the questions raised by GAM, where it answers the decisions that need to be made, by whom, and how.
The above table proposes an essential but high-level IT governance structures and processes addressing who and how IT decisions are made along with what decisions need to be made. It focuses more on the IT tactical and operational sides and offers governance structures that ensure better IT operations and value delivery. Some cells in the table are left blank due to the fact the size of an organization can impact the number of governance structures. But these cells can be easily deduced and supplemented for large organizations using the same the table structure.
In the empirical research conducted by Weill and Ross, they found out that organizations with well-oiled IT Governance (top performers), generate ROI on IT investments that are 40% greater than their competitors. This alone is a great incentive to have a well-structured and functioning IT Governance in your organization. I hope this blog is a good starting point to a fruitful journey.