There has been a lot of really good discussion and follow-up commentary around my IT governance posting from last week and so I wanted to provide a little more detail around what we mean we talk about IT governance. For us, IT governance is a very simple concept with far-reaching implications that impacts everything we think about as examine the framework to update MOF. Which is why our definition of IT governance has become our mission statement. So, what does IT governance mean to us? Quite simply, it is:
"Ensuring that IT does the right thing at the right time for the right reasons."
So, if we drill into that a bit more, we feel IT governance is comprised of 4 concepts:
- Compliance: putting the checkpoints and controls in place to enable IT to answer the following questions:
- Security - Is our environment patched, protected, and secure?
- Privacy - Are we properly handling customer, partner, and HR data?
- Regulatory - Are we in compliance with all required government regulations?
- Meeting management objectives: Is IT able to meet and articulate their response to management objectives around:
- Operations: Availability and capacity targets?
- Performance: Are SLA targets defined and being met?
- Financial: Does IT understand the cost of delivering a service?
- Risk: Are we managing the various types of risk proactively and within tolerance levels as defined by management? Is Risk Management properly driving policy?
- Technological, reputational, operational, financial, regulatory
- Audit: Do we have the means in place to assess the above?
We believe that all of these concepts are foundational to the success of a lifecycle framework and grow logically out of the existing MOF Process Model and MOF Risk Management Methodology. They simply require a new level of articulation and specification in order to ensure their performance. So, given the above, you may wonder how would we describe the SMFs in this new framework?
The SMFs are a series of tasks and activities supported by checkpoints and controls that assist IT in figuring out:
- WHAT is the right thing to do?
- WHEN is the right time to do it (in the context of the lifecycle)?
- HOW do I get it done?
I've also attached a very short Power Point presentation that describes the above that you are welcome to download. Thank you to everyone who has commented, provided input, and joined us in the discussion of how to make a better framework. Please click on Comments below and continue to share your thoughts.