Who is responsible for IT governance at your enterprise? I’ll bet your answer is the CIO, or one of their direct-reports. I am conducting an IT governance assessment for a large hi-tech firm and of the 34 executives I interviewed, half of them said it was the CIO. Most of the remaining folks identified various IT executives as sharing responsibility for IT governance. Of the 17 IT and 17 business execs I interviewed, only six identified members of the business as having responsibility for IT governance.
This enterprise is similar to most organizations I have encountered in the past six years of my global evangelism of IT governance. Companies and public agencies continue to make the mistake of expecting IT to govern IT, when in fact it is business leaders who should be governing IT.
As I have said in the past, the worst thing about IT governance is those first two letters, I-T. It should have been called “Enterprise governance of IT” (a term only recently adopted by the IT Governance Institute – an adjunct organization of the Information Systems Audit and Control Association.)
Consider the five principles of IT governance:
- Ensure IT is aligned with the business
- Ensure IT is delivering value to the business
- Ensure IT is managing risk
- Ensure IT is managing resources
- Ensure IT is managing performance
What do you think the result will be if you ask IT to ensure it is meeting each of these principles? Though it is not as egregious as the fox watching the hen-house, the analogy is somewhat comparable. I am certain most IT organizations aspire to meet each of these principles, but I have yet to encounter a single IT organization that was able to do so without the direct involvement of the business. I am absolutely convinced that these principles will only be realized when the enterprise, the business, governs IT.
Check out the collateral at the IT Governance Institute (ITGI) and you’ll find the Board Briefing on IT Governance. That’s right…the “Board” briefing. This is the briefing for the Board of Directors, providing the meaning of IT governance, its relationship to enterprise governance, and the actions boards and senior management should take to affect IT governance. Responsibility for IT governance begins with the Board of Directors.
That is why I am very excited to be participating in the upcoming Corporate Governance Conference hosted by the Association for Corporate Growth, 101 Corridor Chapter. I was invited to be part of a panel discussing information technology as a governance issue. It is a rare topic of discussion at their conference which underscores the near universal board and business neglect to govern IT.
This is a recording of my interview with the Lynda Roth, President of the chapter. The interview was conducted to promote my participation in their upcoming event and it delves into the need for the business to assume its front-and-center role in governing IT.
In addition to asking who is responsible for IT governance, here are some more questions that provide great insight into the state of IT governance of any enterprise:
- Briefly describe IT governance at our company
- Are there IT governance metrics?
- What is IT governance supposed to achieve at our company?
- What decisions are governed?
- Who is accountable for making those decisions?
- Does it take too long to make those decisions?
- What are the governing committees?
- How often does IT governance change? Why does it change?
- Does IT governance cover all business initiatives, or does it just apply to a few key business objectives?
- Do we have a well-defined IT governance exceptions process? Is the exceptions process overused?
- Are performance objectives linked/tied to IT governance goals?
- Do we conduct analysis to determine if ROI for IT initiatives is being met? Is this analysis effective?
- What are the consequences of circumventing or undermining IT governance?
- Is IT governance working well?
The answers to these questions will be very telling - especially when you see the inevitable disparity in the responses. And don’t just ask the IT folks. Here is a good guide to determine who you should be interviewing:
Stakeholders within the enterprise who have an interest in generating value from IT investments:
- Those who make investment decisions
- Those who decide about requirements
- Those who use/consume IT services
Internal and external stakeholders who provide IT services:
- Those who manage the IT organization and processes
- Those who develop capabilities
- Those who operate the services
Internal and external stakeholders who have a control/risk responsibility:
- Those with security, privacy and/or risk responsibilities
- Those performing compliance functions
- Those requiring or providing assurance services
So who is responsible for IT governance in your organization? How is it working? I would love to hear your IT governance stories.