Why focus on IT Governance?

You may wonder why a service management framework, or service lifecycle, would be built on the foundation of IT Governance.  After all, governance isn't one of the sexiest or most enjoyable topics for the average IT pro.  Yet it can't be denied that corporate governance is critical for both establishing and maintaining shareholder trust.  And as IT has become an increasingly significant part of the business's bottom line, there is an increasing need to demonstrate transparency in such areas as decision making, performance, and ROI.  Further, IT Governance becomes an even more significant topic in light of the rising pervasiveness of business process automation and the need for IT to attest to these automated controls.  Whether or not the IT pro is enthused about the idea, they are being impacted through a top-down imposition of governance-related tasks and activities that they often struggle to understand how to deliver against.

Regulatory pressures and compliance measures are other drivers of the IT governance discussion.  Often, IT is faced with the dilemma of needing to respond, but lacking the clout or capability to do so, perhaps because they are unable to frame the issues in terms the business cares about.  One possible mechanism for communication is a risk management methodology.  Perhaps helping IT and the business approach risk and mitigation as part of a governance discussion, using a common vocabulary, could be an effective approach?


Two other questions we'd love to see some specific feedback on:

  1. What does IT Governance mean to the IT Pro?

  2. In what ways are IT Pros addressing internal controls?

Thank you,

Jason Osborne

Frameworks PM

Comments (7)

  1. Anonymous says:

    I strongly disagree with the proposed definition of Governance. Governing is the act of oversight and enforcement. I would go as far as to say that it is synonymous with compliance. When I work with organizations around governance and policies such as SOX I use the following as a guide.

    Step 1: Say what you are going to do. Document it.

    Step 2: Do it. Produce evidence of completion.

    Step 3: Compare the evidence created against the initial intentions.

    Step 4: Build a plan to close the gaps. Change the expectations or improve the execution.

    This is essentially the Deming Loop. Plan, Do, Check, Act. Governance itself does not assist a company in making good decisions. Rather the existence of a plan and the review of the evidence created by executing the plan is where the company gains insight to make beneficial adjustments. That is, of course, assuming the plan is prescribing a beneficial strategy up front, but that is another issue entirely.

    So, turning my focus back to the question at hand. What does IT Governance mean to the IT Pro?

    In my experience, the IT Pro is often left out of the planning stage, which is detrimental to the entire effort. It is far easier to envision at the higher level of management what should be governed and enforced, than it is at the technical level to successfully implement and measure. As a result, IT Governance sometimes means a very negative experience to the IT Pro. It becomes an instant uphill battle to try to find a way to execute the plan and measure the result, or articulate to the governing body why it cannot be done as requested.

    As an example, a top request of efforts like SOX or COBIT is to provide evidence that sensitive documentation is categorized as sensitive and stored/transmitted securely in accordance with its categorization. This is a seemingly realistic ask. However, when IT Pros attempt to execute upon it, they are faced with a plethora of challenges. Challenges such as:

    How do you detect when someone has typed up a new sensitive document?

    How do you stop people from printing them and leaving them in the break room?

    How do you stop people from e-mailing out sensitive documents, but not stop non-sensitive documents?

    Those challenges just scratch the surface, the list goes on. …and on.

    Turning my attention to the second question. In what ways are IT Pros addressing internal controls? I fear it might be easier to answer the question: In what ways are IT Pros NOT addressing internal controls? I have seen a very broad toolset. This ranges from Service Desk tools to track incidents and RFCs all the way to gathering log files from systems and performing semi-manual audits.

    At the risk of starting a conversation with myself, let me ask and answer my own question.

    Q: What can MOF do to help the IT Pro deal with Governance?

    A: MOF needs to elevate its position among frameworks. More than one IT executive has spelled out MOF and mis-interpreted the ‘Operations’ term to mean that it is a limited scope framework. Therefore, the executive begins down a tricky path of implementing split frameworks/methodologies. The IT Pros are left out of the COBIT/SOX/… discussions and the IT Executives refrain from participating in the MOF discussions. The net outcome, as you can imagine, is mis-alignment between expectations and deliverables.

    I see a tremendous need to move forward with an executive section of MOF to bridge this divide. There should be a clear articulation of how MOF can help define, deliver and improve upon the strategy of IT and the strategy of the Business. This section should drive value into the Governance topic by:

    Providing a MOF to COBIT mapping,

    A MOF to ISO20000 mapping,

    And a general conversation on the most common SOX gaps and call out the guidance within MOF that can close them.

    To put a bow on my thoughts and recapture those that I may have lost in my meandering thoughts:

  2. In my experience, the IT Pro doesn’t care about "governance" in the traditional sense of the term.  Regulatory compliance, shareholder trust, etc. are typically the province of senior management and CIO/CTO-level.  The IT Pros grudgingly implement whatever they are told to, but not because they understand or believe in it.

    The typical IT Pro cares about pager calls in the middle of the night and first-line managers asking why application X failed or server Y crashed.  Thus, "governance" to the IT Pro is their health and performance metrics/measurements – how many total failures they had last month, how long each server or application was down before it could be recovered, and how often a particular component fails.  Governance means making sure the dashboard stays in the green and the managers stay off of your back.

    The majority of IT Pro thinking revolves around components, not services.  Most IT Pros I’ve worked with do not have any perception of end-to-end service delivery – they are totally focused on "their stuff" and not anyone else’s problems.  Once we introduce them to MOF and some of our tools (like Service Maps), the light begins to dawn, but it takes some real effort to shift them out of their paradigm.  In many cases, they shield themselves by not having governance in place – they continue to work in silos and look for opportunities to shift blame or scrutiny to some other support area when things go wrong.  A typical response to the question "how many times was your messaging service unavailable last month?" would be "our servers were up 100% of the time, except for the regular maintenance we did last Sunday, but the SAN guys blew up a couple of stores when they reconfigured their drives without telling us."

  3. Robvdb says:

    I have to agree with Kevin, but…  (always a but, otherwise no reason to comment) I think they must do it, otherwise they undermine their own existence.

    Why do I make such a bold statement? Well, for one thing I love to discuss, but also because I think it holds a true factor in it.

    First let’s see what does Governance mean:

    Governance: The collection of mechanisms that allows the organization to make the best decisions as fast as possible. [1]

    That sounds reasonable to me! Sounds like Root cause analysis to me and that sounds like something all IT people like, resolving problems as soon as possible, or in a more theoretic mindset: close the incident as soon as possible.

    So why do IT guys then not like Governance? It sounds to me Governance helps them do their work in a better and faster way.

    I want to go back to the meaning of Governance: "that allows the organization …" directly includes both the SAN guy as well as the Server guy from Kevin’s example. “Organization is everyone”.

    This brings me to the conclusion of my initial statement: If the SAN guy or the Server guy is trying to sneak out the corporate goals of managing a service instead of a server they are in fact acting in contradiction to what they believe in, Solving problems as soon as possible.

    [1] http://blogs.ittoolbox.com/pm/hertzfeld/archives/simple-definition-governance-11569?rss=1

  4. Steve McReynolds says:

    I think that we have to be careful here. IT Governance has become associated with all the fallout from Enron and the associated Sarbanes-Oxley legislation. However, I’m not clear that IT Governance has the same meaning worldwide.

    It reminds me of that great question (from the Australian guy) at a previous Tech Ready: "Is Microsoft a US company operating around the world or a truly global company?"

    IT Governance to me is about ensuring that policies, strategy and processes are correctly followed (even if they are not that good to start with). In the UK for instance I think that this means more about having a committee or group to ensure that this happens and correcting it when it doesn’t than trying to follow a specific piece of legislation.

    Absolutely no offence to my US colleagues but we have to make sure that our description / interpretation of "IT Governance" covers everyone.

  5. Robvdb says:

    Good points.

    Some reactions: ‘Deming’, ‘NOT addressing internal controls’ are indeed good solid points and I like your response a lot.

    There are some points I would like to discuss.

    To me we are discussing IT Governance, not Governance. It might be a syntax thing but the difference is there. Governance discusses the topics of IT management, IT governance, IT strategy and IT control, which makes IT Gov only a small part of corporate governance.

    Moving to "In my experience, the IT Pro is often left out of the planning stage": if that is the case I can not see a way to fulfill the goal of the Deming circle, Quality and Results, so this would be a very frightening scenario to me. Let me be the devil’s advocate: let’s leave Deming or any other methodology out of the equation and let’s go back to the past; let’s manage our silo and never talk to the other parts of the business chain. Frightening thought, isn’t it?

    The definition given above on governance is one from the IT perspective; IT Governance is a way to deliver mechanisms and techniques to the organization. It is not a ‘holy truth’ however; I think we can do a contest on the number of IT Governance definitions 🙂

    Last point for now: "Bringing alignment between expectations and capabilities" is an excellent viewpoint!, but I can not see it building the relations between Business and IT.

    Supporting it yes, no questions asked; building it …. no, this is to me more another methodology, BiTA.

  6. Wally Eastland says:

    I see a common theme running through all the above comments. A theme which is probably the main reason many if not most Service Management, Governance and/or Organizational Change efforts fail or bog down.

    The theme is the lack of inclusion of the IT Pro in the planning and decision making aspects of implementing IT Governance and a further lack of ongoing reinforcement of why Governance is important and how the implementation is going.

    People are far more likely to care about things they:

    1. Understand,

    2. Had an opportunity to participate in or provide input to the creation of, and

    3. Get ongoing updates that show progress.

    Another key component of the long term success of a governance effort is having a compensation/performance management model that reinforces the expected behaviors at all levels of the IT organization around the governance activities.

    Given the above, what IT Governance means to the IT Pro is going to depend on what, if any, up front work was done to educate them on what IT Governance means to their organization. It will also depend on what kind of ongoing reinforcement (either positive or negative) programs are in place. Effectively, IT Pros will care (or not) about IT Governance to a level proportionate with their understanding and inclusion in the reason for and benefits from Governance efforts.

    What does this mean for MOF as we update it? We need to ensure we take into account and specifically call out the importance of management providing clear guidance and communication around the adoption of any initiative (whether around governance or Service Management in general). The role of management in implementing MOF and Service Management is an area of weakness in our content that, if addressed, could have a huge impact on both Governance and the rest of MOF.

  7. popps says:

    After reading all this I still cannot describe how IT governance will solve the problem that is faced by organizations.
