
July 3, 2005

IT Governance Demystified

In my experience, "IT Governance" is the most popular IT buzzword among corporate IT executives and company boards nowadays. But like many buzzwords, this one is far easier to recite than it is to understand, let alone apply. And it certainly doesn’t help that, as is often the case with buzzwords, there exists a curious dichotomy between what this term actually means and how it is being used by IT vendors trying to latch on to it to increase the appeal of their wares.

Given that the “signal-to-noise” ratio on this topic is so low, I thought I’d take a few minutes to explain what IT Governance is, how the term is used and abused by IT organizations and vendors today, and what the key issues are in implementing a useful IT Governance framework.

What is IT Governance?

A straightforward definition of IT Governance comes from the Board Briefing on IT Governance publication (pdf) produced by the IT Governance Institute:

IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

At the next level, this breaks down into the following five IT Governance areas:

  1. Business-IT Strategic alignment, with focus on aligning with the business and collaborative solutions.
  2. Value delivery, concentrating on optimizing expenses and proving the value of IT.
  3. Risk management, addressing the safeguarding of IT assets, disaster recovery and continuity of operations, and risks associated with regulatory compliance.
  4. Resource management, optimizing knowledge and IT infrastructure.
  5. Performance measurement, tracking project delivery and monitoring IT services, which provides feedback to the governing body and enables decision making, objective setting, and policy adjustment.

What complicates the picture is that there is no single IT Governance “standard.”  Rather, the topic of IT Governance falls at the intersection of three popular frameworks, which are contemporary buzzwords extraordinaire in their own right: ITIL (from the IT delivery and support point of view), CobiT (from the financial auditing and control point of view), and SOX (from the US regulatory compliance point of view).

For a high-level - yet rather thorough - treatment of the IT Governance topic, you may want to check out the book by Peter Weill and Jeanne Ross, from the Harvard Business School Press.

IT Governance – State of the art

HBS and other theory aside, the predominant reality today, as I have observed it over the last few years, is that IT Governance is not an actively designed CxO-driven initiative but a collection of loosely connected “governance silos.”  The most common kinds of such uncoordinated silos that I most often encounter are “project governance,” “outsourcing governance,” “architecture governance,” “data security and access governance,” and “governance around change.”  In most cases, these governance silos get created as a reactive mechanism to address a particular need (for example, architecture problems or overspending or duplication).

Patching up problems as they arise is a defensive tactic that limits opportunities for strategic impact from IT. Instead, management should actively design IT governance around the enterprise's objectives and performance goals, across the five dimensions of IT Governance outlined above.

IT Governance – What the vendors are saying

Given the complexity of the IT Governance juggernaut, and the fact that much of its success is dependent on the company’s organizational discipline and maturity, it’s obvious that no single vendor can “enable IT governance.”  Yet you’d never guess this from reading their glossies.  Project management solution vendors like Kintana (now Mercury IT Governance Center), Changepoint (now part of Compuware), Niku (recently acquired by CA), PlanView, and PacificEdge have all been repositioning their products as more trendy “IT Governance” solutions.  Many IT asset management vendors have done the same.  And most recently, the venerable Systems Management suite vendors like HP OpenView have also jumped on the IT Governance bandwagon.

There is no doubt that all these vendors provide useful solution pieces that contribute to solving the overall IT Governance jigsaw puzzle.  But it’s hard to make sense of the pieces unless you can see the front of the puzzle box – what the completed jigsaw will look like once the pieces are in place. So what does a successful IT Governance framework look like?

Key issues in implementing a successful IT Governance framework

Every successful IT Governance framework that I’ve seen includes an organizational component and a technology component.  The organizational aspects are neatly summarized by Weill and Ross as “Ten Principles of IT Governance”: involve senior managers, ensure clear exception-handling, provide the right incentives, assign ownership and accountability, provide transparency and education, etc.

At the technology level, the key question is: What concepts need to be defined to enable effective IT Governance, and how should the processes and tools that make these concepts actionable be implemented?

The answer is guided by the old maxim – Define. Manage. Measure. Improve. – because…

  • What is not defined cannot be managed.
  • What is not managed cannot be measured.
  • What is not measured cannot be improved.

Over the last two years, most IT organizations have gone through the painstaking exercise of defining the services they are delivering (through the IT Service Catalog) and the projects they are working on (through IT Project Portfolios), implementing systems to manage the delivery of these services (through Service Delivery Management) and projects (through Project Management), developing metrics and key performance indicators (KPIs) to measure the quality and cost of delivering these services and projects, and using this information to improve their delivery processes.

Those who implemented this framework successfully (along with the organizational and policy best practices) have seen dramatic improvements along all the key dimensions of IT Governance: business-IT strategic alignment (by focusing on the services and projects with the highest business impact), value delivery (by realizing operational efficiencies through process and infrastructure automation), risk management (by formalizing business continuity provisions as well-defined IT services and by addressing regulatory compliance requirements through increased process definition and transparency), and resource management (by tying their service delivery systems directly into human, infrastructure, and knowledge resource repositories).

Following these key principles, supported by the appropriate tools, companies can ensure that “IT Governance” becomes more than just a buzzword: an actionable methodology for most effectively harnessing the awesome power of information technology in the interests of the business enterprise.

Posted on July 3, 2005


Listed below are links to weblogs that reference IT Governance Demystified:

» Time To Set Up An "IT Boardroom" from James Governor's MonkChips
I have been giving alignment a lot of thought recently, that is, alignment between IT and the business. HP doesn't think alignment captures the idea sufficiently so it talks to IT Business "synchronization". Maybe convergence is even more appropriat...

Tracked on Jul 6, 2005 7:28:42 AM


A reader noted that I didn’t explain the distinction I am making in this post between the Service Catalog and Project Portfolio concepts. Instead of putting together my own explanation, let me quote from IT portfolios, service catalogs, and enterprise architecture, an excellent posting from Charles Betz’s erp4it blog:

Portfolio management as a term of course comes from investing; the literature I've reviewed from both Niku and Prosight is full of terminology like "balancing" and "investment." … The portfolio management discipline involves quasi-financial modeling; one can play out various investment scenarios and optimize them. …

A service catalog is an IT Service Management term. Rather than an investment portfolio, the paradigm here is merchandising: we have these offerings (applications, services, processes) for sale (or rent). If you purchase them, we commit to delivering them at this level of service. If we fail, you can hold us contractually liable.

Service Catalogs and Project Portfolios are complementary concepts that are both critical to implementing a successful IT Governance framework.

Posted by: Boris Pevzner | Jul 4, 2005 12:02:42 AM

Good points... you may want to check out a recent Wall Street Journal article that highlights the fact that IT Governance is rapidly becoming a board-level priority:

More companies are setting up board-level panels replete with tech-savvy directors, both in an effort to improve bottom-line results and to ease compliance with new governance involving technology.

About 50 publicly traded companies in the U.S. have some sort of board-level technology committee, according to the Corporate Library, a corporate-governance watchdog. These include pharmaceutical titan Pfizer Inc., medical-products company Medtronic Inc. and technology company Hewlett-Packard Co.

But technology committees aren't limited to technology or pharmaceutical companies; delivery giant FedEx Corp. and financial concerns such as Mellon Financial Corp. and PNC Financial Services Group also have board tech panels.

CIO Magazine also explored this phenomenon in some depth last year in their Who's Afraid of the Big, Bad Board? article.

Posted by: Charles Winn | Jul 4, 2005 10:44:52 AM

Like the blog, Boris. I'm subscribed.

Posted by: Richard Byrom | Jul 5, 2005 12:05:00 AM

And then there's the distinction between project and application portfolios - I'd argue that the application portfolio is actually a far more useful concept. The distinction between application portfolio and service catalog is perhaps the $64,000 question.

Posted by: Charles Betz | Jul 5, 2005 10:35:09 AM
