IT Governance

Building Capability

The first Capability Maturity Model was developed by the Software Engineering Institute at Carnegie Mellon University. The aim is to help organisations improve their processes by following an evolutionary path.

The maturity level of an organisation provides a way to predict the future performance of an organisation within a given discipline or set of disciplines. Experience has shown that organisations do their best when they focus their process-improvement efforts on a manageable number of process areas that require increasingly sophisticated effort as the organisation improves. A maturity level is a defined evolutionary plateau of process improvement. Each maturity level stabilizes an important part of the organisation's processes.

The maturity levels are measured by the achievement of the specific and generic goals that apply to each predefined set of process areas. There are five maturity levels, each a layer in the foundation for ongoing process improvement, designated by the numbers 1 through 5.

The first step in improving a process is to understand the boundaries of the process you are trying to improve. The process could be any process and it will be a combination of people, tools, technologies, and methods employed to accomplish a task.

Once the operational entity is defined, a clear understanding of the operational entity's purpose and objectives guides improvement efforts. Many times, the purpose and objectives are stated in strategic planning documents. A clear understanding of the purpose and objectives will keep improvement efforts aligned with strategic needs and will avoid expending critical resources on improvement efforts that don't contribute to those needs.

Along with understanding the operational entity's objectives, it's important to understand how you will know whether you have achieved them. It sounds good to say you intend to make your operation "world class", but how would you know when you're there? The objectives of an operational entity are stated first so that you can perform some level of verification to confirm that your improvement efforts move you closer to those objectives.

Once the operational entity requiring improvement is identified and its purpose is clearly understood, constraints and risks are more easily identified and addressed. The current state of the operational entity could be assessed against its objectives to identify current and potential barriers to meeting those objectives. Improvement plans would then be developed and implemented to address these barriers.

Operational process improvement using the COBIT framework enables an organised approach to identifying and addressing the constraints and risks, and helps the operational entity achieve its purpose more effectively.

The IT Governance Network has produced an ebook looking at IT Governance and the issues in the King III Report. The King Commission on Corporate Governance released its report on 2 September 2009. This report contains a chapter on IT Governance.

King III eBook

To download the FREE ebook "Executive Overview IT Governance aligned to King III" click here.


Other FREE Downloads:

  • Getting started with King III
  • King III Essentials and the 43 Steps to Implementation
  • King III and the IT Governance Charter
  • King III and the role of Internal vs External Audit
  • King III and Internal Controls
  • King III and the Status of IT Governance
  • King III and System Management for increased Productivity
  • King III and Information Security
  • King III and Developing an Information Security Management System
  • King III and the Protection of Personal Information
  • ITIL and Productivity Improvement

To implement the ISO 38500 standard, a system to direct and control the current and future use of IT is required. The system comprises controls and processes to achieve the strategic objectives set by the organisation's governing body. A few choices are available.

COBIT is a popular IT management framework that defines both processes and controls. In many respects its purpose is similar to ISO 38500 as it also aims to enable better governance of information technology so that the organisational objectives are achieved.

At the centre of ISO 38500 is a framework of 6 principles. The easiest way to implement these principles is to map them to the COBIT process model; ISO 38500 then becomes effective through the execution of those processes.

The advantage of using a process framework like COBIT is that it groups related IT activities in processes that have a life-cycle and are focused on achieving specific outcomes. By cascading the organisation's business objectives down to the IT processes, you are able to align day-to-day activities with the organisation's stakeholder expectations.

Roles, responsibilities and decision-rights at the process level can be aligned with the business goals. Governance mechanisms such as job descriptions and contracts can be crafted to support the achievement of specific outcomes. Performance measures can be fine-tuned to drive the required behaviour. Over time, controls are implemented to manage risk and capability is developed so the organisation is better able to perform as expected.

A governance system comprises various governance mechanisms that enable multiple stakeholders in an enterprise, including management, to have an organised say in evaluating conditions and options; setting direction; and monitoring compliance, performance and progress against plans, to satisfy specific enterprise objectives. It is usually the CIO's responsibility to identify and implement the appropriate governance mechanisms for the use of information and technology. However, in doing so common sense must prevail. Appropriate structures, processes and governance mechanisms should be deployed based on the size, complexity and nature of business activities that are necessary to achieve the organisation’s strategies and objectives.

Typical governance mechanisms include:

  • frameworks and architecture
  • principles
  • goals and objectives
  • IT governance charters
  • IT policies
  • IT plans, schedules, deadlines
  • IT strategies
  • organisational structures
  • decision mechanisms, roles and responsibilities
  • processes and practices, registries
  • standards, contracts, SLAs
  • monitoring of compliance and managing
  • scorecards, benchmarking and reporting.

Although frameworks like COBIT provide important guidance about the required tasks that make up generally accepted best practice for IT processes, the actual process of implementing or modifying the recommended practices for a particular organisation can be challenging. Companies often struggle to define and implement the processes, controls and governance mechanisms recommended without expert consultation. Frequently there is considerable upfront investment in simply understanding the requirements of the selected frameworks with little real value actually being created.

With the ITGN's expert guidance, streamlined processes with clearly defined actionable tasks and governance mechanisms can be implemented to manage the risks, deliver the results expected and support regulatory compliance obligations.

Governance is different from Management

The word "manager" normally refers to a person who provides technical and administrative direction and control to those performing tasks or activities within the manager’s area of responsibility.

The traditional functions of a manager include planning, organising, directing, and controlling work within an area of responsibility. If a manager does this, he/she is likely to be providing “good management”.

In many instances there isn’t sufficient time and resources for the manager to focus on anything other than the operational activities he/she is responsible for. Frequently the manager is “fighting fires” – managing an endless number of operational problems.


People accountable for good governance are responsible for making the changes necessary to deliver the performance expected by the Business.

King IV Corporate Governance Assessment

Assess the current level of your organisation's corporate governance using this King IV assessment tool.


COBIT Assessment as a Service

Conduct a COBIT assessment using this COBIT Assessment-as-a-Service.


POPIA Preliminary Assessments

POPIA preliminary assessments provide an efficient and effective approach to determining the extent to which the requirements of the Protection of Personal Information Act have been addressed.

