IT governance is the glue that holds the rest of IT Service Management (ITSM) together. It ensures that your organization, its data, and its people are protected. Effective IT governance helps IT to remain in sync with business objectives while reducing risk.
In this article, we'll see why it's important for your business, its domains, the different frameworks available, and the roles involved in ensuring IT governance across the company.
Let's begin.
What is IT governance?
IT governance is the framework that provides a formal structure for organizations to ensure IT investments support business objectives. It's managing how organizations are run to promote transparency and accountability in business operations.
Governance became important following some high-profile corporate fraud cases in the 1990s and early 2000s. These events prompted several countries to establish and maintain rules and regulations for corporate governance, such as the Sarbanes-Oxley Act and the Graham-Leach-Bailey Act.
The five domains of IT governance
IT governance is typically divided into five domains:
- Value delivery, oriented to whether or not IT delivering value to the rest of the business.
- Strategic alignment, which questions if the goals of IT and the organization are in alignment.
- Performance Management, focused to how IT performance is being managed.
- Resource Management, oriented to whether IT resources are being managed effectively and appropriately.
- Risk Management, which looks if the risks are being identified, reported, and acted on.
Why is IT governance important?
Effective IT governance has the following benefits:
- It ensures that business legal, regulatory, and compliance requirements are met.
- It reduces risk.
- It supports business goals and ensures that IT objectives are in alignment with the rest of the business.
- It supports growth and innovation by giving the organization a solid base of operations.
- It gives businesses a more competitive edge, especially if an ISO standard or other independently verified best practice initiative is in place.
- It ensures that the appropriate policies, processes, and procedures are applied consistently across the organization.
IT governance frameworks
There are six most commonly used IT governance frameworks, each with its own principles and requirements. Let's take a closer look at them.
1. ISO 38500
ISO 38500 is the international standard for the corporate governance of information technology. It guides those advising, informing, or assisting directors on the organization's effective and acceptable use of information technology.
This governance framework defines six principles:
- Establish responsibilities.
- Plan to best support the organization.
- Make acquisitions for valid reasons.
- Ensure necessary levels of performance.
- Ensure conformance with rules.
- Ensure respect for human factors.
ISO/IEC 38500 is applicable to the governance of management decisions and processes relating to an organization's information and communication services.
2. ISO/IEC 27000
ISO/IEC 27000 is the standard for Information Security Management. ISO/IEC 27000:2018 provides an overview of the practice, as well as definitions commonly used in the ISMS standards.
This standard ensures that organizations have the right policies to ensure that appropriate privacy, confidentiality, and security exist around IT and cybersecurity services.
3. COBIT
COBIT is a detailed framework of globally accepted practices, models, and analytics tools designed for governance and management of enterprise IT. It aims to help organizations meet regulatory and risk management requirements and alleging IT strategy to the goals of the wider business.
COBIT has five fundamental principles:
- Meeting stakeholder needs.
- Covering the enterprise end to end.
- Applying a single integrated framework.
- Enabling a holistic approach.
- Separating governance from management.
4. ITIL
ITIL is the best practice framework that enables IT departments to support the business effectively, efficiently, and safely. It has seven guiding principles:
- Focus on value.
- Collaborate and promote visibility.
- Optimize and automate.
- Start where you are.
- Progress iteratively with feedback.
- Keep it simple and practical.
- Think and work holistically.
ITIL is one of the most commonly used governance frameworks across the globe. Its main benefit is that it provides practical guidance on managing and improving IT services and the roles and responsibilities needed to support and run them.
5. CMMI
The Capability Maturity Model Integration (CMMI) model helps organizations effectuate process improvement and develop behaviors that decrease risks in service, product, and software development.
While CMMI was initially tailored for software development activities, the latest versions can be applied to hardware-software, and end-to-end service development. The model enables organizations to measure, build, and improve capabilities to improve overall performance.
The CMMI model has five levels:
- Initial
- Managed
- Defined
- Quantitatively Managed
- Optimizing
6. Factor Analysis of Information Risk
Abbreviated as FAIR, the Factor Analysis of Information Risk is a governance model that helps organizations quantify risk. The focus is on cyber security and operational risk to support more well-informed decision-making. It aims to provide organizations with the standards and best practices to measure, manage and report on information risk from the business perspective.
IT governance structure: roles and responsibilities
It's essential to remember that IT governance needs to be underpinned with roles and responsibilities to be effective. The ITIL 4 Direct, Plan, and Improve publication recommends the following structure to aid effective IT governance:
| Governance structure | Role in organizational governance |
| Board of Directors |
Responsible for their organization's governance. Their key responsibilities include:
|
| Shareholders |
Responsible for appointing directors and auditors to ensure effective governance |
| Audit Committee |
Responsible for supporting the board of directors by providing an independent assessment of management performance and conformance |
While the above will give you a starting point, it's important to note that there are aspects of governance that are the responsibility of everyone in the organization. An example is using IT equipment appropriately and safely, with the appropriate training, support, and knowledge sharing needed to be in place for that to happen.
IT governance best practices
One of the most frequently asked questions around governance is, "How can I tell that my organization is doing it well?" The answer takes the form of more questions - namely:
- Does governance have the appropriate levels of support in your organization? Is it prioritized at all levels? Does everyone in the business know what their responsibilities are regarding organizational governance?
- Does the governance body do its job effectively? Who checks?
- Does the IT function make decisions independently of the rest of the business, or is there collaboration or at least oversight between the two?
- What controls are in place to monitor IT spending to ensure transparency and fairness?
That's a lot of questions, right? Luckily, we can lean on our old friends COBIT and ISO/IEC 38500I for help. The COBIT framework has the following principles on governance, advising that IT governance should:
- Satisfy stakeholder needs and generate value from the use of information and technology.
- Be built from several components that can be of different types and that work together holistically.
- Be dynamic, always considering the effect of changes to any of its design factors.
- Clearly distinguish between management and governance activities and structures.
- Be tailored to the enterprise's needs, using a set of design factors as parameters to customize and prioritize its components.
- Cover the enterprise end to end, focusing on all technology and information processing it uses to achieve its goals, including outsourced processing.
In addition to the COBIT guidance, the ISO/IEC 38500 standard defines six principles that are necessary for the effective governance of IT:
- Responsibility - All colleagues understand their responsibilities and are empowered to meet them.
- Strategy - Ensuring that business and IT strategies are in alignment.
- Acquisition - All IT spending is transparent, with the appropriate balance of benefits, costs, and risks taken into account.
- Performance - IT meets the needs of the business and meets the agreed service levels.
- Conformance - The use of IT systems complies with all legal and regulatory requirements, and the appropriate supporting policies are well-managed and enforced.
- Human behavior - IT policies, practices, and decisions demonstrate respect for human behaviors.
IT governance software
Tech has a significant role to play in effective IT governance. Here's how InvGate Service Desk and Insight can help:
- Incident and Request Management - All IT contacts tracked across the business in one central location.
- Asset Management - helping you manage, control, and protect your estate
- Reporting dashboards to help with effective decision-making.
- The ability to share dashboards with customers for greater transparency.
The bottom line
IT governance is critical in any service-orientated organization to ensure it operates transparently and meets regulatory, legal, and compliance directives. Though it might be a bit overwhelming, the six IT governance frameworks are great allies to overcome the challenges, so let them guide you through the process.
And make sure that you have the right IT governance software to help you out as well. If you want to discover what InvGate Service Desk and Insight can do for you, book a call with our team or request the 30-day free trial to explore it at your pace!
Frequently Asked Questions
How to choose the right IT governance framework?
Look at the most significant area of exposure in your IT organization. Is it process maturity? If so, ITIL, COBIT, and CMMI can help you level up your IT practices. Is it risk management? Then consider the FAIR or ISO 38500 standard. Is it IT security? Then look at ISO 27001.
How to implement IT governance?
Again, start with your biggest risk or area of exposure. Focus on getting that under control first and then build from there.
What is in an IT governance plan?
A plan to look at how tech resources will be used, managed and monitored to ensure IT delivers the right outcomes while reducing risk.
What is the IT governance process?
IT governance is directing, monitoring, and planning IT resources to meet all regulatory, legal, and compliance deliverables are met.
How to audit IT governance?
An independent audit process must be in place to ensure your governance processes are working as they should be. It's best practice to share outcomes with the board and audit committee to ensure honesty and transparency.
