IT Governance
Definitions: Governance refers to the responsibilities, structures, and processes by which organizations are directed and controlled [1]. It may be thought of as who, what, and how business, engineering, and operations decisions are made in order to support business strategy. Within and among enterprises are many interrelated layers of governance; the chief differences among them are the scope and the decisions that need to be made.
Enterprise Governance is a set of responsibilities and practices exercised by "a board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly [2]."
All other types of governance within an organization—IT governance, interagency governance, program governance, project governance—are within the context of enterprise governance.
Information Technology (IT) Governance is an integral part of enterprise governance and consists of the leadership, structures, and processes that ensure that an organization's IT sustains and extends its strategies and objectives [2]. IT governance requires a structure and processes to support repeatable decision making, alignment of IT activities to the enterprise's strategic goals and objectives, and a clear understanding of authority and accountability. As with any governance body within an organization, IT governance cannot be viewed, assessed, modified, or changed without considering the rest of the organization's governance bodies and practices.
Although the definition of governance has many variations, some core elements are common or implied in all of them:
- Governance is about making decisions to support the organization's strategy.
- Governance requires a framework or structure that defines roles and responsibilities, processes, policies, and criteria to foster sound decision making.
- Governance requires identifying the right people who will make the tough decisions and are held accountable for those decisions.
Keywords: business process, framework, governance, strategy
MITRE SE Roles & Expectations: MITRE systems engineers (SEs) are expected to understand why IT governance is a critical issue for the federal government and the integral role IT governance serves within organizational strategic planning. They are expected to assist the customer in adhering to the requirements of the organization's governance program, establishing appropriate roles and responsibilities, and following mandates and best practices for governing IT investments in the federal government. MITRE SEs also should play a role in helping an organization achieve real value from IT investments by ensuring alignment to the enterprise strategies and governance program. MITRE SEs' role is to increase the value of the IT investments by providing feedback and lessons learned on how the governance program is functioning and where improvements should be made. MITRE SEs are expected to establish a foundation on which good decisions can be made by deriving and analyzing data for specific decisions, e.g., those related to business cases, reference architectures, policies, standards, formats, processes, and life cycles needed to establish governance. This may require an understanding of organizational change and transformation, risk management, and communications planning. For more information on both of those topics, refer to the Transformation Planning and Organizational Change topic within this guide.
Background
IT governance affects the degree to which an organization will get value from its IT investments. The goals of IT governance are to ensure IT investments generate business value and to mitigate IT risks [6]. Research among private sector organizations has found that "top performing enterprises succeed in obtaining value from IT where others fail, in part, by implementing effective IT governance to support their strategies and institutionalize good practices [3]."
This principle can be extended to the goals of the enterprise at large. Whereas the purpose of enterprise governance is to effectively derive value from the enterprise resources for all the constituents in the enterprise, based on defined enterprise goals and strategy, the purpose of IT governance is to ensure the effective and efficient management and delivery of goods and services aligned to enterprise strategies [6]. For more information on Enterprise Strategy, refer to the article in this section on Strategic Planning. Also, see related articles under the Enterprise Technology, Information, and Infrastructure topic in this section.
For nearly two decades, the federal government has been trying to adopt investment and usage best practices from private industry to ensure that IT enables government to better serve the American people. Through legislation, executive orders, and guidance, the federal government requires that agencies apply rigor and structure to the selection and management of IT in order to achieve program benefits and meet agency goals. In 1996, Congress passed the Clinger-Cohen Act, which required, among other things, that senior government decision makers become involved in the decisions concerning the value and use of IT in the organization.
IT Investment Management
In 2004, the U.S. Government Accountability Office (GAO) published the Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity (ITIM) [4]. ITIM is a maturity model built around the select/control/evaluate approach outlined in the Clinger-Cohen Act. The ITIM establishes requirements for IT management and is used to assess how well an agency is selecting and managing its IT resources (Figure 1). In many agencies today, the IT investment life cycle includes a fourth phase: Pre-Select. In this phase, the organization plans and evaluates its strategy and mission needs before the select phase and "pre-selects" those that best help the organization meet this strategy before final selection of investments.

Figure 1. Fundamental Phases of the IT Investment Approach
The Office of Management and Budget (OMB) has issued Executive Orders and Circulars to help improve agency management of IT resources to support and govern the intent of Clinger-Cohen and other legislation. (See Figure 2.) These circulars approach the problem of the use of IT through the budget process, requiring that requests for funds for IT investments meet specific requirements.
Most recently, OMB issued its 25 Point Implementation Plan to Reform Federal IT Management [5], once again addressing the concerns around federal agencies' ability to achieve effectiveness and efficiency from their IT investments. The 25 Points institutes a "TechStat" process within the federal government to take a close look at poor or underperforming programs.
OMB Circulars
- OMB Circular A-11 – Agency management of investments and how governance processes are used when planning and implementing investments (i.e., E300 must be approved through appropriate governance processes).
- OMB Circular A-123 – Ensure that Federal programs operate and Federal resources are used efficiently and effectively to achieve desired objectives.
OMB Guidance
- M-10-06 – Requires agencies to implement the principles of transparency, participation and collaboration.
- M-10-19 – "Eliminating low-priority programs and activities can free up the resources necessary to continue investments in priority areas even as overall budgets are constrained."
- M-10-24 – "Establishing constructive performance review processes in agencies that are sustained over time."
- M-10-26 – "Identifying up-front a series of milestones, warning flags, and stop points over the course of the segment lifecycle which, if deemed necessary, can cause the project to be suspended and returned to planning."
- M-10-27 – "Agency policy shall address . . . Governance relationships including specific organizations and roles within the agency for establishment, approval, management and change of baselines."
Figure 2. Sample OMB Circulars and Guidance
Best Practices and Lessons Learned
The governance program must have clear goals and defined outcomes tied to strategic goals. One of the first actions in standing up a governance program is to clearly define and articulate the scope of what is being governed and the desired outcomes of governance decision making. The outcome of the governance process should be aligned to the organization's strategic goals and clearly communicated to all stakeholders in the organization. The focus on outcomes will drive all other decisions surrounding the establishment of the governance program, including what decisions need to be made, who should make the decisions, and what data and analysis are needed.
Often, an organization does not articulate the real objectives of the governance program, or the governance efforts are focused solely on complying with federal laws and guidance. It is not uncommon for an organization to spend considerable resources developing charters, processes, and governance structures without a clear and universal understanding of the goal. And, although compliance is certainly important, if it is the only focus of the program, it is not likely to provide real value to the organization. Accepting a broader view on the need for governance, an IT governance body could have goals focused on value delivery, resource management, and/or risk management where compliance objectives are simply part of overall decision making.

Ensure reliable information for decision making. Successful and effective governance relies on the availability of reliable data and information on which to base decisions. Organizations often do not have the right information about projects or investments to make good decisions. The result can be "garbage in, garbage out."
Once an organization has defined its desired outcomes for the process, it can begin to identify the information needed to make decisions to achieve these outcomes. This type of information would include, for example, a project's actual cost, schedule, and scope performance against the estimated or projected performance. IT management documentation, service management monitoring, and configuration management also inform the decision-making process. Data for IT decision making include assessment factors such as return on investment, total cost of ownership, performance measurements, IT security, and enterprise architecture; development of scoring algorithms; and guidelines and methodology, as required, for consistency in scoring. SEs can assist by investigating alternative courses of action, determining the applicable measures of effectiveness, and relating these to assessments of risk (including technical maturity and applicability to the task at hand), cost, schedule, and performance. If the information is not readily available, executive sponsors can help support a process for getting the right information to decision makers in a predictable manner.
Governance programs must gain and retain the executive sponsorship needed. Lack of leadership for establishing and maintaining a governance program is a challenge to sustaining it over time. A related issue is changing leadership. Often a federal executive establishes and puts full weight behind a program, only to leave behind a successor who does not support the cause as vigorously. This underscores the need for a sustained, documented, and formalized program focused on clear IT outcomes aligned to organizational strategy. The program needs to provide opportunities to revisit it for updates and to ensure that team members and stakeholders are sufficiently engaged.
Governance requires a structure, defined and repeatable processes, policy, and criteria. Once the desired outcomes of governance are identified, an organization needs to establish the decision-making authority and the participants' roles and responsibilities. This involves the development of a governance structure that establishes the authority of governance bodies, processes that establish repeatable criteria and decision making, and preparation of charters, or similar type of documents, to describe the scope, duties, structure, and selection process of members, roles, and responsibilities. For governance to be effective over a sustained period of time, it is more likely to succeed if it reflects the culture and decision-making style of the organization and is integrated with existing decision-making, tolerance of risk, and operational management processes. The governance processes should not be burdensome, but can and should be tailored and developed to ensure a "fit to purpose" by matching the size and scope of the program/organization business needs and strategic goals to the climate, risk tolerance acceptance levels, and governance maturity level of the organization.
Performance measures are critical to effective IT governance. Many organizations find it difficult to measure the performance of their IT governance programs because the programs often don't function in the context of governance goals but instead focus on individual IT project goals. In these situations, the lack of effective governance measurements limits the understanding of how well the process is performing in meeting the decision-making needs of the organization. Successful governance activities maintain reporting or tracking of measures that indicate the value of the governance program for its intended purpose toward meeting defined goals. Examples of IT governance performance measures focused on improving the process include increasing transparency of IT investment decisions, demonstrating an increase in IT innovation investments with a decrease in IT sustainment spending, and incorporating flexibility in IT infrastructure to react to changes in regulation and policy environment. [7] Regular reporting not only serves to show value, but also helps maintain the focus of the governance program as it executes. MITRE SEs can help customers measure and report on performance indicators to enable governance bodies to make decisions about projects and programs in the context of the organization's goals.
Articulate the value of governance to balance its perception as a burden. Because organizations often perceive governance as too burdensome, they frequently shortcut or bypass their governance processes altogether in order to meet release or development schedules. This may appear to provide short-term rewards, but experience has shown it is inefficient in the long term. As organizations try to balance resources across many efforts, their visibility into the programs diminishes and, as a result, they lose opportunities for consolidation or more effective enterprise operations that would have been achieved if they had had a functioning governance process.
Summary
To be successful, IT governance must be integrated and aligned with the organization's enterprise governance. The decisions for IT investments must have a direct connection to supporting goals defined by the organization and to the allocation of resources to meet those goals. IT governance decisions should have a clear line of sight to the agency's goals and intended strategic outcomes. IT governance activities provide focus and create a path forward to meeting the information management challenges faced by the agency.
There are many approaches to implementing effective governance. The exact approach depends on the strategy and results the organization is trying to achieve as well as the culture within which the organization operates. A review of governance practices suggests that specific foundational elements must be in place for governance to be effective:
- Strong executive sponsorship of the process
- Clear and well-communicated strategic goals
- Clear, well-defined roles and responsibilities
- Standardized data and information transparency
- Measurement and planned review of the governance practices to ensure value
Governance frameworks that may be of interest: CoBIT, ITIL, CMMI, ISO38500.
References & Resources
1. International Standard ISO/IEC 38500:2008(E), 1st ed., 2008-06-01.
2. ITGI Board Briefing on IT Governance, 2nd ed.
3. Weill, P., "Don't Just Lead, Govern: How Top Performing Firms Govern IT," Center for Information Systems Research, Sloan School of Management, Massachusetts Institute of Technology, 2004.
4. GAO Executive Guide, Information Technology Investment Management—A Framework for Assessing and Improving Process Maturity, March 2004. GAO-04-394G.
5. Office of Management and Budget, 25 Point Implementation Plan to Reform Federal Information Technology Management, December 9, 2010.
6. R. Brisebois, G. Boyd, and Z. Shadid, "Canada - What is IT Governance? And Why is it Important for the IS auditor," The IntoSAI IT Journal, no. 25, pp. 30-35, August, 2007.
7. Fink, K., and Ploder, C. Decision support framework for the implementation of IT-governance. Hawaii International Conference on System Sciences, pp. 432–441, January 2008.
Additional References & Resources
- Weill, Peter, and Jeanne W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Harvard Business Press, 2004.
Not all references and resources are publicly available. Some require corporate or individual subscriptions. Others are not in the public domain.