IT Governance 

    by Dan Schroeder CPA.CITP, CISA 

    Information Technology (IT) Governance is a concept associated with a holistic approach to the management of IT, and is often recognized as a subset of Corporate Governance.

    For example, the IT Governance Institute (ITGI) was established and first published its often-cited IT Governance framework in 1998. Along the way, many other leading professional organizations and research groups also promoted the concept of IT Governance. The ITGI defines IT Governance as “a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.”

    The emergence of IT Governance near the top of this year’s Top Technologies list is a strong indication of how quickly and significantly this concept affects our profession and the role of the IT professional. Clearly, compliance requirements associated with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404) are driving the emergence of the IT Governance concept. In 2004, the ITGI published IT Control Objectives for Sarbanes-Oxley. This guidance quickly became the de facto worldwide standard for the definition of control objectives and control activities as part of Sarbanes-Oxley compliance.

    IT Governance Frameworks

    The guidance represented by IT Control Objectives for Sarbanes-Oxley focuses on establishing controls to mitigate financial reporting risk. However, it also has helped create mainstream awareness of the broader concept of IT Governance. In fact, this guidance was derived from Control Objectives for Information and Related Technology (CoBIT), also published by the ITGI. CoBIT is recognized as a leading worldwide framework for IT Governance. Other leading IT Governance frameworks include the IT Infrastructure Library and ISO 17799 (Information Technology - Security Techniques - Code of Practice for Information Security Management).

    Alignment of IT with Business Requirements

    While IT Governance frameworks can help businesses and organizations address compliance requirements such as SOX 404, the concept is most useful as a means of ensuring that IT is effectively aligned with business requirements and IT services are delivered cost-effectively. In fact, many businesses and organizations practice IT Governance because it makes good business sense. However, businesses that stand to benefit the most from deployment of an IT Governance framework include those where:

    • IT is a core component of the business model. For example, the use of IT is pervasive in the delivery of products and services in industries such as financial services, healthcare, pharmaceuticals, and consumer product goods.
    • IT is a primary enabler of efficiency and effectiveness of core processes. For example, over the past decade or more, companies performing manufacturing and distribution have made tremendous investments in IT to streamline and globalize business processes.
    • IT is a primary source of risk. Risks include disruption from change, non-compliance, ineffective controls, missed opportunities and excessive costs. Typically, the more a company uses and depends on IT, the greater the risk IT will represent to the company.

    Perhaps the most important element of IT Governance frameworks such as CoBIT is that they provide guidance to help companies effectively deploy IT planning and management into all aspects of the business.

    New Approaches to IT Management

    “Old-school” approaches to IT management place responsibility for IT solely on the senior IT manager, who is not a trusted partner working with the entire senior management team.

    Under a “new-school” IT Governance approach, IT is an executive management responsibility, not just the job of the senior IT manager. Under this new approach, IT managers partner with executive management from operations, finance, personnel management, and compliance. Together, they leverage technology to solve business problems, and take an organized, orchestrated approach to planning and deploying IT solutions that are most effective for the company.

    As a result, effective IT Governance requires strong IT leadership. This leadership requires not just strong technical skills, but great all-around business and people skills.

    IT Integration is Key

    Companies that deploy IT Governance have strong IT leaders that are actively involved in supporting all aspects of operations, finance, personnel management and compliance. These companies carefully consider IT’s role in all strategic planning, operational management, and compliance-related management activities. In addition, effective IT Governance provides for continuous monitoring and evaluation of effectiveness and efficiency.


    Copyright © 2006-2014 American Institute of CPAs.