IT governance is senior management's ability to direct, measure and evaluate the use of an enterprise's IT resources in support of the achievement of the organisation's strategic goals. Leadership, organisational structure and processes are used to leverage IT resources to produce the information required and drive the alignment, delivery of value, management of risk, optimised use of resources, sustainability and the management of performance.
People, process and technology together provide the management system to oversee the activities undertaken and the resources consumed to produce the information that supports the achievement of the business and organisation's strategic goals. A capability model is used to describe the organisation's maturity in consistently delivering the expected outcomes. Capability level 1 indicates a heavy dependence on the people hired and the products/tools procured to achieve the predefined objectives. Capability level 2 suggests that an element of process repeatability exists and therefore there is less dependence on people and some 'organisational memory' evolving particularly around the management of inherent risks. At capability level 3 organisation-wide efficient and effective IT processes exist to deliver the services that support the business operations.
The challenge is to address stakeholder expectations when multiple business units "own" and "use" the same set of services and where most applications are "owned" by individual business units that control the budget for design, development, and support. The first step towards better governance is to establish accountability. This requires an examination of the roles and responsibilities within the processes used for decision-making that can impact on the achievement of strategic goals (i.e. accountability, process-orientation and business focus).
Decision-making can be found at all levels within an organisation. The most basic decision is how to use one's available time. Good governance will enable alignment of daily activities with strategic goals and encourages individuals to first perform those tasks that can impact strategic goals by linking tasks to activity goals, process goals, IT goals and the organisation's business goals. Individuals are empowered with knowledge about "what" is expected and are freed from narrow job descriptions of "how" to perform the tasks. They are encouraged to determine the "best practice" for undertaking these tasks aiming at discovering what will be sufficient for the particular organisation.
Processes are defined to organise IT activities in a manner that is intended to be efficient and effective. Processes exist at various layers within the enterprise and are influenced by the organisational structure and leadership provided. Implementing IT governance is iterative and occurs at the strategic, tactical and operational levels in line with stakeholder priorities.
Developing a capability to better govern encompassess people (i.e. roles), process and technology, and requires the managing of outcomes consistent with measurable preconditions. The purpose is to institutionalise discipline and maturity in IT processes so as to gain greater control and economies in achieving strategic goals.
Information Technology has a significant impact on corporate governance and the business processes of an organisation. Throughout the world directors and executive officers have been given the responsibility to maintain effective systems of internal control, responsibility to ensure controls and processes in systems are evaluated and tested, responsibility for the total risk management process, responsibility to ensure IT expenditure is based on sound commercial principles and not on "strategic instinct". Boards of directors and executive officers are now clearly the focal point of corporate governance and therefore good IT governance.
The IT Governance Institute provides the following definition: "IT governance is the responsibility of the board of directors and executive management. It is an integral part of corporate governance and consists of the:
- leadership and
- organisational structures and
that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."
Process is the most enduring of the three primary components (process, people & technology) of a management system. Process serves as the foundation for the definition of the remaining elements.
- Processes ensure a stable, controlled, repeatable service that can be objectively measured against deliverables and service levels.
- Processes enable:
- Efficient and effective services to meet business requirements
- Cost and quality improvements.
Good corporate governance goes beyond the conduct and responsibility of boards and directors, integrating these with issues of:
- risk management
- internal control
- value delivery
- integrated sustainability reporting
- performance measurement.
Since IT has a profound effect on the business processes within organisations, boards and executive management need to ensure:
- that the necessary skills are in place,
- that their responsibilities in respect of internal controls are adequately discharged, and
- the potential benefits that result from using technology to improve business results, reporting and transparency are being embraced.
Directors and executive managers need to be mindful of the implications of blurred organisational boundaries that arise as a consequence of e-business, and that this results in their governance responsibilities extending beyond the traditional corporate boundaries. They need to ensure that the same levels of governance are applied in the organisations with which they integrate along the value chain.