‘Governance’ describes how and by whom business transformation is implemented
within an organisation or corporation. Corporate governance is achieved
through organisational structure and performance measurement, which together define boundaries,
authorities, responsibilities and tasks. Frequently a governing body or board is
established to administer these processes and systems.
At its most basic, IT governance is the process by which decisions about ICT investments
are made, with optimising the return on those investments as a priority.
IT governance cannot exist in isolation, however; it must be a subset of corporate
governance. As such IT governance can be described as:
“an integral part of corporate governance which consists of the leadership and organisational
structures and processes that ensure that the organisation’s ICT sustains and extends
the organisation’s strategies and business objectives.”
Every IT governance framework must address:
- governance structures (the ‘who’ of IT governance);
- governance processes (the ‘how’ of IT governance);
- governance communication (to measure and communicate performance of the overall
IT governance effort).
No single framework will fit every organisation's business objectives.
Each business must look at its own challenges, goals and objectives and then evaluate
the available governance frameworks to see which features of each best help to
meet those goals. Each of the three most commonly recommended frameworks brings its own strengths
to a given set of business circumstances.
These three frameworks interact on different levels and overlap across domains,
as shown in the figure below (where the term “BS7799” refers to what is now the
ISO/IEC 27000 series).
CobIT
Every enterprise uses ICT to enable business initiatives. These initiatives
or goals in turn set the business goals for ICT: ICT goals must
contribute to the achievement of business goals.
Control Objectives for Information and related Technologies (CobIT) serves as an
IT governance framework by providing maturity models, critical success factors,
key goal indicators and key performance indicators for the management of ICT.
The core principle of CobIT is that it defines generic business goals and uses them
as a guide to derive the specific ICT business requirements, goals, processes
and metrics for the enterprise.
ITIL
The IT Infrastructure Library (ITIL) is focused on identifying best practices with regard
to managing IT service levels and is particularly process-oriented. The areas
covered in its “library” are:
- planning to implement service management;
- the business perspective;
- software asset management;
- service delivery;
- service support;
- security management;
- ICT infrastructure management;
- application management.
While CobIT takes the perspective of audit, control and IT governance, ITIL takes
the perspective of service management. The two frameworks are however more complementary
than competitive and components of both can be used to build a governance framework.
ISO/IEC 27000 series
The intent of the ‘ISO/IEC 27000 series - Information Technology – Security Techniques’
(previously ‘BS7799’ or ISO/IEC 17799) standard is to focus on information security
and to aid an organisation in the creation of an effective ICT security plan. Its
relatively narrow focus on security makes it unsuitable as the sole basis for an
IT governance framework, but since risk management is a component of IT governance,
there is relevance to the standard, and parts of it can and should be used during
the creation of an overall IT governance model.
CMM
The Capability Maturity Model (CMM) is an improvement model that assigns
a maturity level to each (IT) process. It has five defined levels of maturity,
but a more pragmatic maturity model for IT governance can be:
| Level | Name | Description |
|---|---|---|
| 0 | Non-existent | The organisation has not recognised the issue or the need for IT governance. |
| 1 | Ad hoc | Ad hoc governance practices are just that: there are no formal processes or mechanisms; it is essentially everyone for themselves. |
| 2 | Fragmented | There has been some effort to formalise IT governance practices, but they are fragmented across the organisation. |
| 3 | Consistent | There is a formal IT governance process in place and it is practised consistently across the organisation. |
| 4 | Controlled | Monitoring and measuring of compliance with the established IT governance is in place. |
| 5 | Best practices | IT governance has been practised for some time and has evolved to represent best practices. |
The growing adoption of ICT best practices has been driven by a business requirement
for the ICT department to better manage its quality and reliability, and to respond
to growing regulatory and contractual requirements.
There is, however, a danger that implementing these potentially helpful best
practices or frameworks will be costly and unfocused if they are treated as purely
technical guidance. To be most effective, best practices should be applied within
the business context, focusing on where their use provides the most benefit
to the organisation.
Branswijck Certifications’ approach to measure IT governance and propose strategic
guidance is based on interviews and its own expertise. The basis for its methodology
can be found within the CobIT framework.
Through interviews the following information is collected:
- the strategic business targets, together with their importance to the business and
the commitment with which they will be pursued, for the short to medium term (the next
five years);
- for each IT process, the perceived current CMM level, the desired maturity level and the
estimated effort or cost involved in reaching it.
Using the collected information and the links between ICT goals and
business goals, an objective analysis is carried out to provide a ‘path forward’ for establishing
sound IT governance, or, where it is already implemented, for maintaining it.