When I wrote about IT governance last month, I likened it to good dental hygiene. It's important to the overall health of an organization, but it's something that tends to get neglected. As I wrote, IT governance requires short-term sacrifice for long-term gain and it doesn't exactly mesh with increasing demands for more "flexibility" and "agility." After all, what's agile about decisions made by committee?
I shared some good tips on creating a governance program from O'Reilly Media CIO Jonathan Reichental and Alan Calder, author of several books on IT governance. One of them was to use a best-practices framework like the IT Infrastructure Library (ITIL) or Control Objectives for Information and Related Technology (COBIT).
One benefit of using a framework is that it can help get everyone on the same page about governance, said Nicky Tiesenga, partner at IBM, USA and member of the Information Systems Audit and Control Association (ISACA), a global non-profit IT governance organization with more than 86,000 constituents worldwide. I interviewed Tiesenga earlier this month about a survey administered by the IT Governance Institute (ITGI), the research affiliate of ISACA, in which 834 executives from 21 countries shared their thoughts about IT governance. The respondents were divided almost evenly between business executives (CEOs, CFOs and COOs) and IT execs (CIOs and heads of IT).
Organizations tend to have varying definitions of governance, Tiesenga told me, a problem that is exacerbated by leadership changes at the executive level. Using a framework like COBIT helps "because everybody has these international standards they can apply to an organization, regardless of the company they come from." ISACA's governance model incorporates five core dimensions: strategic alignment, value delivery, risk management, resource management and performance management.
I asked if having multiple different frameworks from which to choose might be confusing for organizations, especially those relatively new to the IT governance concept. Not really, said Tiesenga, who encourages organizations to "take a step back and get some governing boards or committees, some policies and standards, some organizational structures and processes" and then determine which framework or frameworks (yes, many organizations use more than one) best complement their own cultures. She said:
"These standards out there, including ISACA's, are a set of items to keep on the bookshelf. But ultimately it's about running your own organization, what fits your culture."
For organizations that worry, as I mention in my first paragraph, that an IT governance program may make them less agile, Tiesenga said the governance practices an organization chooses to adopt should reflect its own culture and the industry it's in. She explained:
"If you're a more creative organization like Microsoft or IBM, you might not have a set of policies, you might have a set of principles. Then you put in the processes and organizational structures to get the decision points that still allow you to be nimble. You'll probably have more structure in a government-type setting, but you might have more principle-based activity in other organizations. The industry an organization is in will drive whether those decision points are principle-based or policy-based. You've got to be nimble enough in your governance structure to put structure in where it makes sense. Don't put structure in where it doesn't make sense."