What does IT governance mean to us?

There has been a lot of really good discussion and follow-up commentary around my IT governance posting from last week and so I wanted to provide a little more detail around what we mean we talk about IT governance.  For us, IT governance is a very simple concept with far-reaching implications that impacts everything we think about as examine the framework to update MOF.  Which is why our definition of IT governance has become our mission statement.  So, what does IT governance mean to us?  Quite simply, it is:

"Ensuring that IT does the right thing at the right time for the right reasons."

So, if we drill into that a bit more, we feel IT governance is comprised of 4 concepts:

  • Compliance: putting the checkpoints and controls in place to enable IT to answer the following questions:

    • Security - Is our environment patched, protected, and secure?

    • Privacy - Are we properly handling customer, partner, and HR data?

    • Regulatory - Are we in compliance with all required government regulations?

  • Meeting management objectives: Is IT able to meet and articulate their response to management objectives around:

    • Operations: Availability and capacity targets?

    • Performance: Are SLA targets defined and being met?

    • Financial: Does IT understand the cost of delivering a service?

  • Risk: Are we managing the various types of risk proactively and within tolerance levels as defined by management?  Is Risk Management properly driving policy?

    • Technological, reputational, operational, financial, regulatory

  • Audit: Do we have the means in place to assess the above?

We believe that all of these concepts are foundational to the success of a lifecycle framework and grow logically out of the existing MOF Process Model and MOF Risk Management Methodology.  They simply require a new level of articulation and specification in order to ensure their performance.  So, given the above, you may wonder how would we describe the SMFs in this new framework?

The SMFs are a series of tasks and activities supported by checkpoints and controls that assist IT in figuring out:

  • WHAT is the right thing to do?

  • WHEN is the right time to do it (in the context of the lifecycle)?

  • HOW do I get it done?

I've also attached a very short Power Point presentation that describes the above that you are welcome to download.  Thank you to everyone who has commented, provided input, and joined us in the discussion of how to make a better framework.  Please click on Comments below and continue to share your thoughts.



Jason Osborne

Frameworks PM

MOF Update - Governance definition.ppt

Comments (6)

  1. jasono says:

    DavidB:  First, thanks for sharing your thoughts!  Now, to try to answer a few of your questions in no particular order.

    – One of the things that we have heard loud and clear from many sources is that we need to clearly articulate how Microsoft products, tools, soultions, and technologies can enable the framework and processes.  We intend to provide that guidance.  In fact, we bagan moving MOF in that general direction with the release of Windows Vista Service Life-Cycle Management (WV-SLM).  WV-SLM presents a service management approach, built on MOF, for a desktop environment with specific ties to a wide variety of Microsoft technologies and freely available Solution Acclerators.  If you have a chance at some point, please take a look at it and let me know if this solves some of the problems you describe above.

    – Also, it is not our intention to reinvent the wheel.  One of our design goals is to leverage and point to existing IP wherever it makes sense and as you say, fill in the blanks where we need to.

    – As for articulating the value to the business, please take a look at the IT Business Planning post I just made to get an idea of how we hope to enable IT pros to do just that.


  2. jasono says:


    There is a MOF Foundation level certification, endorsed by Microsoft and offered by EXIN.  The certification can be found at Prometric learning centers, online at http://www.exin.org/, and through accredited training partners.  If you have any additional questions, please use the Contact me form on this site to e-mail me.

    -Jason Osborne

  3. Khalid Hakim says:

    Can we say it differently?

    You cannot manage what you cannot control, and you cannot control what you cannot measure, and you cannot measure what is not defined.


  4. davidb says:

    I am not sure if this is comment really fits in with this topic, but I was not sure where else it should be placed. Hope this is OK.

    Fitting the role described in an earlier thread as “The IT Strategist (or Manager, or Service Manager)” of a global multi-national organization, I completely agree with the fundamental goals and objectives relating to MOF – "Ensuring that IT does the right thing at the right time for the right reasons.".  My question however is with regards to the approach.  

    One of the challenges that I am faced with is the wide variety of frameworks/best practices that are being discussed and championed through-out the organization, resulting in what is increasingly referred to within the industry as “framework confusion”.  Therefore rather than continue to build out yet another framework/set of best practices, why not take the opportunity to show leadership by helping business leaders, IT management and practitioners navigate their way through the confusion and provide information, tools, solutions and service that can increase the speed at which the value of adopting service management best practices can be realized?

    For example:

    Provide some information of the service management landscape and some of the “tools” and where their relative strengths are.  For example (please note what I am about to write below is for illustrative purposes only)

    • Cobit provides a framework, some means of measuring maturity, but is limited on best practices.  There is no form of certification

    • CMMI provides a means of measuring maturity a limited framework and some best practices. There is no form of certification

    • ITIL provides best practices, some framework, but no means of measuring maturity. There is no form of certification

    • ISO/IEC2000 provides a form of certification, framework, limited best practices and due to the nature of certification, some means of measuring maturity

    This could be build upon in the form of mappings to show how the existing frameworks interrelate and can be leveraged together for best advantage.  For example, a mapping could be based on something such as ISO/IEC 20000.  ISO 2000 has:

    a. Requirements for a Management System – includes Management Responsibility, Documentation Requirements, Competency Awareness and Training

    b. Planning and Implementing Service Management – Plan, Do, Check, Act

    c. Planning and Implementing New or Changed Services

    d. Service Delivery Processes

    e. Control Processes

    f. Release Process

    g. Resolution Process

    h. Relationship Process


    1. What is the value to the business of the framework?

    2. How and where can existing best practices provide the greatest value in achieving the requirements?

    3. If there are areas that none of the existing frameworks cover adequately (perhaps risk management or the team model might be examples?), can these be offered by MS under the guise of MOF (with relevant explanation as to why MS have developed their own piece in the puzzle).  Ideally it would also be with a view of offering the work to one of the existing frameworks for inclusion at the relevant point at which point you could reference the relevant framework

    4. How and where can Microsoft solutions, tools and services be leveraged to add value in meeting the requirements?

    To try and summarize the above in five lines or less:

    1. Leverage and reference existing frameworks wherever possible

    2. Leverage and reference existing best practices wherever possible

    3. Continue to contribute to the “de-facto standards” such as ITIL by continuing to identify missing or weak elements and developing appropriate guidance.

    4. Focus on providing information, tools, solutions and services that can increase the speed at which the value of adopting service management best practices can be realized

  5. Jason Week says:

    Shouldn’t part of meeting management’s objectives include service definition?  Well-defined services are necessary for effective and efficient service management processes.  The following set of statements comes to mind.

    – What is not Defined cannot be Controlled!

    – What is not Controlled cannot be Measured!

    – What is not Measured cannot be Improved!

    Per ITIL v3’s definition, a service is a means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks.  The delivered value can be created via applications, processes, functions, or various combinations of all three.

  6. Stefan says:

    Is there any kind of official certification for MOF or SMF?

Skip to main content