Definition: Information technology (IT) governance consists of the leadership, structures, and processes that enable an organization to make decisions to ensure that its IT sustains and extends its strategies and objectives. IT governance is an integral part of enterprise governance (see the SEG's Enterprise Governance topic) and, as with enterprise governance, requires a clear understanding of the enterprise's strategic goals and objectives and a structure with repeatable processes to support decisions ensuring alignment of IT investments with those goals and objectives. IT governance ensures that IT decisions focus on:
- Evaluating and directing the use of IT to support the organization.
- Monitoring the use of IT to achieve plans.
- Using the IT strategy and policies to accomplish its purpose.
- Aligning the IT strategy with the organization's goals.
Keywords: decision making, performance, outcomes, business process, framework, governance, strategy
MITRE SE Roles and Expectations: MITRE systems engineers (SEs) are expected to understand why IT governance is a critical issue for the federal government and the integral role IT governance serves within organizational strategic planning. MITRE SEs can help an organization achieve real value from IT investments by assessing their alignment to enterprise goals and strategies and by providing feedback and lessons learned on where improvements should be made. They are expected to assist the customer in following mandates and best practices for governing IT investments in the federal government, adhering to the requirements of the organization's governance program, and establishing appropriate roles and responsibilities. MITRE SEs can help to establish a foundation on which good decisions can be made by deriving and analyzing data for specific decisions, e.g., those related to business cases, reference architectures, policies, standards, formats, processes, and life cycles needed to establish governance. This may require an understanding of organizational change and transformation, risk management, and communications planning. For more information, see the SEG's Transformation Planning and Organizational Change topic.
IT governance is about making decisions in a repeatable structured manner to support investment in and use of IT to achieve an organization’s goals. The goals of IT governance are to ensure IT investments generate business value and to mitigate IT risks. IT governance affects the degree to which an organization will get value from its IT investments. Research among private sector organizations has found that "top performing enterprises succeed in obtaining value from IT where others fail, in part, by implementing effective IT governance to support their strategies and institutionalize good practices." This principle can be extended to the goals of the enterprise at large. Whereas the purpose of enterprise governance is to effectively derive value from the enterprise resources for all the constituents in the enterprise, based on defined enterprise goals and strategy, the purpose of IT governance is to ensure the effective and efficient management and delivery of goods and services aligned to enterprise strategies. See related articles under this section's Enterprise Technology, Information, and Infrastructure topic.
For nearly two decades, the federal government has been trying to adopt investment and usage best practices from private industry to ensure that IT enables government to better serve the American people. Through legislation, executive orders, and guidance, the federal government requires that agencies apply rigor and structure to the selection and management of IT in order to achieve program benefits and meet agency goals. In 1996, Congress passed the Clinger-Cohen Act, which required, among other things, that senior government decision makers become involved in the decisions concerning the value and use of IT in the organization. The Office of Management and Budget (OMB) has issued Executive Orders and Circulars to help improve agency management of IT resources to support and govern the intent of Clinger-Cohen and other legislation. (See Figure 1.) These circulars approach the problem of the use of IT through the budget process requiring that requests for funds for IT investments meet specific requirements.
Most recently, OMB issued its 25 Point Implementation Plan to Reform Federal IT Management, once again addressing the concerns around federal agencies' ability to achieve effectiveness and efficiency from their IT investments. The 25 Points institutes a "TechStat" process within the federal government to take a close look at poor or underperforming programs.
Best Practices and Lessons Learned
The most effective IT governance fosters and maintains a focus on decisions and actions needed to achieve outcomes and improve performance. The governance program, therefore, must have clear goals and defined outcomes tied to strategic goals. One of the first actions in standing up a governance program is to clearly define and articulate the scope of what is being governed and the desired outcomes of governance decision making. A common challenge is an organizational focus on developing governance to comply with GAO or OMB requirements, without a clear and universal understanding of the desired outcomes. And, although compliance is certainly important, if it is the only focus of the program, it is not likely to provide real value to the organization. The following areas highlight governance guidance where SEs can partner with their customers to help achieve success for deciding on and implementing IT solutions to meet their needs.
To achieve the greatest value and impact from IT governance, governance must focus on these three areas (also depicted in Figure 2):
- Governance is about making decisions to support the organization's strategy and goals.
- Governance requires identifying the right people who will make the tough decisions and are held accountable for those decisions.
- Governance requires a framework or structure that defines roles and responsibilities, processes, policies, and criteria to foster sound decision making.
Identifying Key Decisions. IT governance is about making decisions on how—and how well—investments in IT support the agency’s strategy. The first step in developing, assessing, or supporting a governance framework is to identify what decisions the agency needs to make about IT that will help it achieve its outcomes. The identification of these decisions will drive the development of the governance structure, the identification of the roles and responsibilities of those participating and accountable for decisions, and the information that is needed to make decisions to achieve results.
Questions typically must include:
- What IT investments should we make to support the agency’s strategic goals?
- What standards should we adopt?
- How well are our IT investments performing in support of the goals?
- What course corrections in our IT investments should we make?
Ensure reliable information for decision making. Once the key decisions are identified, SEs can assist by investigating alternative courses of action, determining the applicable measures of effectiveness, and relating these to assessments of risk (including technical maturity and applicability to the task at hand), cost, schedule, and performance. If the information is not readily available, executive sponsors can help support a process for getting the right information to decision makers in a predictable manner.
Designing governance. An organization’s governance process is driven by those who have the authority to make the key decisions and those who should provide input into those decisions. Governance is more likely to succeed and be effective over a sustained period of time if it reflects the culture and decision-making style of the organization and is integrated with existing decision making, tolerance of risk, and operational management processes. The governance processes can and should be tailored and designed to ensure a "fit to purpose" by matching the size and scope of the program/organization business needs and strategic goals to the climate and governance maturity level of the organization.
Leadership. Sustained, effective IT governance decision making relies on the right leadership. A governance process needs a chairperson who has the authority to make decisions but can also engage governance board members and stakeholders and provide direction. Lack of leadership for establishing and maintaining a governance program is a challenge to sustaining it over time. A related issue is changing leadership. Often a federal executive establishes and puts full weight behind a program, only to leave behind a successor who does not support the cause as vigorously.
Participation. Participation and membership on governance boards requires members who feel empowered and who are decisive and collaborative. It is important to clearly define roles and responsibilities and to match the decision-making needs with the authorities and level of accountability of the membership. To ensure that governance team members are sufficiently engaged and accept assignments, they must:
- View participation as valuable and meaningful.
- Sustain participation, collaboration, and accountability.
- Make available the expertise and resources necessary for success.
- Onboard/mentor new members.
- Clearly understand decisions.
In addition, the program needs to provide opportunities to revisit it for updates and to ensure that team members and stakeholders are sufficiently engaged.
Structure. Typically a broad range of decisions need to be made regarding the investment in and use of IT. The more strategic, higher risk, enterprise-wide decisions need to be made at higher levels of the organization. The more tactical the decision, the lower the level at which the decision should be made. The decisions drive the governance structure. (See Figure 3.)
The governance structure establishes the authority of governance bodies, processes that establish repeatable criteria and decision making, and preparation of charters, or similar type of documents, to describe the scope, duties, structure, and selection process of members, roles, and responsibilities. When designing IT governance, it is important to understand funding lines. Often in the federal government, different components of federal agencies have their own funding, which makes it a challenge to coordinate IT investments across the entire organization.
Discipline is essential. The IT governance process needs to be repeatable so that governance board meetings are meaningful and focused on the decisions that need to be made. It is also important that all stakeholders be aware of what decisions are being made and why, and what decisions will be made in the future. This requires that some discipline and structure be imposed on the process. This discipline should include:
- Defined, documented process, including written criteria for decision making
- Record keeping, including minutes and documentation of decisions and action items
- Meeting preparation, including agenda read-aheads
It is important to communicate so that everyone knows the basis for making decisions. This discipline leads to better results.
Supporting resources. Supporting resources are critical to the success of governance—they make discipline a reality and move the organization from ad hoc to purposeful governance. It is unrealistic to expect that governance board members can provide the supporting activities to keep governance moving. Organizations frequently have the notion that governance is too burdensome because they lack adequate resources to support the process. Governance support includes governance coordination, which means coordinating activities, guiding processes, and managing performance. Support also includes governance execution support, which could include meeting scheduling, minutes, decision log maintenance, and communications.
Agree on principles and behaviors. It is important that governance participants agree on principles and standards that can guide behavior and establish a culture conducive to good governance. Principles and behaviors help ensure that decisions are repeatable, consistent, and driven by organizational needs. Examples of principles and behaviors are given in Figure 4.
Performance measures are critical to effective IT governance. Many organizations find it difficult to measure the performance of their IT governance programs because the programs often don't function in the context of governance goals but instead focus on individual IT project goals. In these situations, the lack of effective governance measurements limits the understanding of how well the process is performing in meeting the decision-making needs of the organization. Successful governance activities track and report on measures that indicate how well the governance program is contributing to defined goals. Examples of IT governance performance measures focused on improving the process include increasing transparency of IT investment decisions, demonstrating an increase in IT innovation investments with a decrease in IT sustainment spending, and incorporating flexibility in IT infrastructure to react to changes in regulation and policy environment. Regular reporting not only serves to show value but also helps maintain the focus of the governance program as it executes. MITRE SEs can help customers measure and report on performance indicators to enable governance bodies to make decisions about projects and programs in the context of the organization's goals.
To be successful, the decisions for IT investments must have a direct connection to supporting goals defined by the organization and to the allocation of resources to meet those goals. IT governance decisions should have a clear line of sight to the agency's goals and intended strategic outcomes. IT governance activities provide focus and create a path forward to meeting the information management challenges the agency faces.
There are many approaches to implementing effective governance. The exact approach depends on the strategy and results the organization is trying to achieve as well as the culture within which the organization operates. A review of governance practices suggests that for governance to be effective, specific foundational elements must be in place:
- Clear and well-communicated strategic goals
- Strong executive sponsorship of the process
- Clear, well-defined roles and responsibilities
- Standardized data and information transparency
- Measurement and planned review of the governance practices to ensure value
Governance frameworks that may be of interest: COBIT, ITIL, CMMI, ISO38500.
References and Resources
- IT Governance Institute, 2007, Control Objectives for Information and Related Technology (COBIT) 4.1, Rolling Meadows, Ill., ISACA.
- Brisebois, R., G. Boyd, and Z. Shadid, August 2007, Canada - What is IT Governance? And Why Is It Important for the IS Auditor, The IntoSAI IT Journal, No. 25, pp. 30–35.
- Weill, P., March 2004, Don't Just Lead, Govern: How Top Performing Firms Govern IT, Center for Information Systems Research, Sloan School of Management, Massachusetts Institute of Technology.
- Office of Management and Budget, December 9, 2010, 25 Point Implementation Plan to Reform Federal Information Technology Management.
- Fink, K., and C. Ploder, January 2008, Decision support framework for the implementation of IT-governance, Hawaii International Conference on System Sciences, pp. 432–441.
- ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, accessed July 14, 2014.
- AXELOS, IT Service Management (ITIL®), accessed July 10, 2014.
- CMMI Institute, CMMI Institute – Home of the Capability Maturity Model Integration (CMMI), accessed July 14, 2014.
- International Standard ISO/IEC 38500:2008(E), Corporate Governance of Information Technology, 1st Ed., 2008-06-01.
Additional References and Resources
Ansell, C., and A. Gash, November 13, 2007, Collaborative Governance in Theory and Practice, Journal of Public Administration Research and Theory.
Australian National Audit Office (ANAO), June 26, 2014, Better Practice Guide, Public Sector Governance: Strengthening Performance Through Good Governance.
CIO.gov, TechStat, accessed July 14, 2014.
GAO, March 2004, GAO Executive Guide, Information Technology Investment Management—A Framework for Assessing and Improving Process Maturity, GAO-04-394G.
IT Governance Institute, 2003, Board Briefing on IT Governance, 2nd Ed., Rolling Meadows, Ill., ISACA.
Weill, P., and J. W. Ross, 2004, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Boston, Mass., Harvard Business School Press.