What is IT Governance?
This month I want to discuss the topic of Governance. I had talked about it in my post in September 2014 titled "Surrounding the Cloud", as it's a key component when considering or implementing a Cloud strategy, but the topic is important enough to earn its own post. Governance as a term has different meanings, but in my context we are referring to corporate governance and, even more specifically, corporate governance for IT, or IT governance.
IT governance is all about the processes and procedures in place for an IT environment that are recognized and used to ensure IT's success in driving value to the organization it serves. To boil it down simply: IT governance is about controls. The controls that are in place ensure that IT (and that includes the people, the processes, and the technology) is there to serve the needs of the business. I believe that the easiest way to explain what IT Governance is all about is by breaking it down into four (4) key areas: Roles, Responsibilities, Policies, and Processes/Procedures.
Roles are as straightforward as they seem. A role is a person or persons assigned to perform a designated function. What this role encompasses is defined here. If the role hasn't been defined or assigned to someone (Responsibilities), it is very difficult to hold someone accountable for its success, or even to gauge and measure its success. As simple as it sounds, someone needs to own it and then be responsible (see below) for it.
Once a role is defined, someone is responsible for ensuring the success of that defined role. That comes down to responsibilities, and this is where accountability comes into play. Who is responsible for exactly what is defined here. If responsibilities are not defined, then how can you hold people accountable for not fulfilling their responsibilities? Again, so simple in how it's defined, but so important and critical to success with IT.
A policy is defined as a principle that is adopted to achieve a desired outcome. Within IT Governance, it's the "stakes in the ground" that are put in place to help drive success in delivering quality IT services. A policy can be fairly straightforward to define, but not necessarily to adhere to; that's where processes and procedures come into play. Policies clearly define what needs to be done or what is expected, but not necessarily how to do it.
The processes are how you deliver the IT service against the policy that has been defined. This is, specifically, how it's going to be done. The processes and procedures are the exact roadmap and steps to deliver that particular IT service. Clearly defined processes or procedures leave no ambiguity and are very easy for all involved to interpret and follow.
Here's an example to help make them clear:
When an organization hires new employees, these employees need access to specific company IT resources, such as email, ERP, CRM, SharePoint, and other key business applications. These are the IT services I refer to up above.
The role around the service is the specific functional position that is tasked with making sure that this new hire has access to these resources. This is a specific person or group of people, such as an IT help desk person, an IT person, or other person or persons who grant access to these resources.
The person who is responsible has overall responsibility for making sure that the new hire has access to the IT services they need. It could be the same IT person or IT help desk person who grants them the access they need, but in many cases it will be the manager of the IT help desk person or IT person, who has responsibility for providing those IT services (email, ERP, CRM, SharePoint, etc.). Where the IT person gives them the actual access to the email they need (role), the manager is responsible for delivering email overall for the company, and therefore has the responsibility.
The policy is where it is stated that each person will get email and access to ERP, CRM, and SharePoint, and it defines the type of access they are to receive based upon their position within the organization. Salespeople might have access to the ERP system for sales order data, but not to the General Ledger data, as they have no need to see that information. Granting only the access a position needs is the principle of least privilege, and the policy is where that decision is written down. The policy defines who gets what and the specific level of access, with, again, no ambiguity.
The processes/procedures are the controls put in place and the roadmaps to ensure that the policy is enforced. The policy states that a person receives access to email, while the procedures are the specifics on how that email access is granted to them: how they are added to Active Directory, how quickly their email will be up and running after they start, the committed SLA they can expect when there is an issue with email, password change requirements, archiving requirements, email protocol, etc. Those are the specific processes and procedures around the policy that state how the company provides email to its employees.
I think that this is a good place to start in helping to define what Governance is, with some context to explain what it really means. There is much to it when you look at it holistically, but when you boil it down to what it actually is and means, it's fairly simple and straightforward. More to come on the topic of Governance in future posts, but until then I hope 2014 was a successful year for you in terms of IT, business, and personally.
I wish you success in 2015 and look forward to what 2015 brings for all of us.