For corporates considering a new IT governance programme, the first requirement is to agree upon what it means, what it involves and who is responsible for its implementation and oversight. This includes ensuring that external IT service are also following accepted It governance guidelines so that best practice is maintained throughout the IT environment whether in-house or outsourced.
Inadequate IT governance is not the exception, especially in mid-sized enterprises, but perhaps more surprisingly it is also a condition common to many large enterprises as well.
One of the root causes for these challenges is that those people who are responsible for the success of IT initiatives often use the term "governance" loosely, without sharing a common understanding of the term and without completely comprehending what it actually involves. In these cases the first imperative to implementing a coherent corporate governance environment is to define what the term "governance" actually means.
The next step is to identify the key distinctions between good and poor governance and having done so, to then determine the path from poor to good governance over a pre-determined and realistic period of time.
What is governance?
A good place to start in our quest for a clear definition is the World Bank, which has described a common understanding of governance. It is defined as: ‘The rule of the rulers typically with a given set of rules’.
Or more simply put, governance is the process by which authority is conferred on rulers, by which they make the rules and by which those rules are enforced and modified.
How does the World Bank concept of governance translate to enterprises?
Corporate governance (the rules) refers to the formation and steering of the rules and processes of an organisation by which businesses are operated, regulated and controlled for effective achievement of corporate goals. Corporate governance structures (the rulers) are those bodies or councils which are specifically concerned with governance, while the Board of Directors are finally accountable for the application of good governance. Typically, they carry out their governance duties via committees that oversee critical areas such as audit, compensation, acquisitions and so on.
To complicate matters, different corporate governance guidelines and regulations are used by different countries. One of the most commonly referred is the OECD Principles of Corporate Governance. Another is the Sarbanes Oxley Act, a United States Federal law on accounting reform. There are also industry specific regulations like Basel III for Banking, HIPAA for Health Insurance, and so on.
The importance of IT governance
Since organisations are increasingly dependent on IT for their operations and profitability, the need for better accountability of technology-related decisions has become a key part of corporate governance, making IT governance a highly strategic subset of the overall enterprise governance.
In the case of IT, governance - or the rules - links IT strategies to the overall enterprise goals and strategies. It also institutionalises best practices for planning, acquiring, implementing and monitoring IT performance; it manages the risks that IT poses to business and it ensures accountability of IT costs.
The IT governance structure
An organisation’s IT strategy committee, or the equivalent, is typically composed of board and non-board members which together form the governance structure that oversees IT governance. They are the rulers who may in turn have sub-committees or groups who are responsible for specific areas of IT governance.
Over the years multiple industry standard IT governance and control frameworks have evolved and are available for enterprises to adopt. The most commonly referred to are: ISO/IEC 38500:2008 Corporate Governance of information technology and the Control Objectives for Information and Related Technology (COBIT).
In addition to these there are also many other related frameworks and methodologies which help enterprises to address specific aspects of their IT governance. Fortunately the Calder-Moir IT Governance Framework has drawn upon and integrated the wide range of management frameworks, standards and methodologies that exists today - some of which overlap and compete - into a conceptual approach that provides an effective visualisation of IT governance.
Where does IT outsourcing governance fit?
Most enterprises today outsource at least some, and in many cases all, of their IT or IT-enabled business services to third parties. Because IT is now such a prominent driver of business success and efficiency, it has become vitally important for organisations to accept that while they may outsource their IT service delivery, they must continue to be accountable for the service delivery to the business. Organisations need to know their third party service providers are following the accepted principles of good governance to ensure they are in a position to effectively manage the risks and continue to deliver value to their corporate customers.
This specific focus, called ‘outsourcing governance’, is essentially a sub-set of IT governance and its primary focus is regulating the interface between the enterprise and the outsourced service provider. One crucial consideration when considering outsourcing governance is that given the close interrelationship between the in-house and outsourced IT environment, focusing on IT outsourcing governance invariably proves inadequate - it must be considered within the context of IT governance as a whole.