Gary Hardy is one of the pioneers of COBIT.
He has a unique wealth of insights and experiences gained over many years of involvement in ISACA and COBIT.
Gary was guest instructor at a COBIT Foundation and Implementation Methodology course held at Frame.
One of his more challenging insights was that, rather than using the term ‘IT governance’ we should be using the term ‘enterprise governance of IT’.
I can’t quote Gary precisely, but this article captures his perspective.
It’s a different way of looking at things, but is more likely to lead to success.
IT governance isn’t a job description
IT governance is often misinterpreted by individuals and organisations as being a job or position description. That is, if we appoint an IT governance manager, then the problem is well on its way to being solved.
This completely misses the point that governance is the responsibility of the board and executive management. It can’t simply be delegated to a subordinate manager.
However, once we have board and executive management endorsement, and we’ve established a program to implement and drive the effective governance of IT, then we definitely need a senior manager with the authority and responsibility to execute the planned program.
IT governance isn’t an organisational structure
Similar to the job description argument, we can’t simply set up an organisation and assume that the governance of IT is a done deal.
The board and executive management must own, sponsor, sustain and be accountable for the governance of IT.
Without this drive and direction from the top, the governance of IT will lack business credibility, support and acceptance, and won’t be effective or sustainable over time.
The governance of IT isn’t a project. It’s a lifecycle that must adapt to ever-changing business, regulatory and social circumstances and times.
Enterprise governance is simply what we do around here
It’s a reasonable assumption that a successful organisation didn’t achieve that success without having effective enterprise governance in place.
This infers that successful organisations understand enterprise governance; it’s what they do continually to ensure they achieve strategic alignment, create value, manage risk, manage resources and measure performance.
It follows that such organisations must understand the issues around governance, risk and compliance (GRC). Also, that they have in place ongoing programs to maintain and enhance policies, processes and procedures to ensure effective GRC.
So, if successful organisations already understand and practise enterprise governance, why is IT governance considered something new and different?
It should be viewed simply as extending our existing enterprise governance to the IT lifecycle.
Certainly IT has its own set of complexities, risks and investment demands, but IT also has very detailed and mature governance and management standards and frameworks. They inform and assist both the governors and managers to meet the enterprise’s business and governance objectives.
These standards and frameworks include ISO/IEC 38500, COBIT, ITIL, ISO 27000, ISO 31000, Six Sigma, LEAN, the Balanced Scorecard … the list goes on.
Most importantly, using COBIT as the overarching framework ensures that the other frameworks can be implemented effectively and efficiently to achieve the right business outcomes.
This begs the question: what does ‘enterprise governance’ mean?
The International Federation of Accountants defines it this way:
Enterprise governance constitutes the entire accountability framework of the organisation.
And the federation identifies the two key dimensions of enterprise governance: conformance and performance.
It’s a way more likely to succeed
In summary, governance of IT isn’t a unique, special or one-off exercise that sits alone and outside of our normal governance framework.
It has a better chance of being successfully implemented and sustained if it’s perceived and treated as part of our normal enterprise governance structures and processes.
Referring to the ‘enterprise governance of IT’ helps to support that perception across the organisation.
It’s time to stop calling it ‘IT governance’.