IT Governance: Definitions, Frameworks and Planning

ProjectManager

Information technology is prevalent in nearly every industry and organization across the globe as the need for data analysis and IT assets such as software and hardware has become critical for most businesses. It’s a diverse and challenging discipline with a lot of moving parts and critical scenarios. On top of it all, information technology is constantly evolving. IT governance ensures that IT departments are prepared for what’s next, without losing focus on what matters.

What Is IT Governance?

IT governance is a set of guidelines and processes that are implemented to ensure that all the IT activities of an organization are geared towards the achievement of its business goals. These IT activities include how IT teams are structured, the procurement of IT assets and the configuration of IT infrastructures.

The main desired outcomes from implementing IT governance in any given organization are typically to:

• Ensure business value is generated by information and technology
• Oversee the performance of IT managers
• Assess risks associated with the IT department and establish an IT disaster recovery plan
• Provide transparency and accountability to IT operations
• Define IT project management standards
• Oversee the financial management aspects of IT such as capital budgeting and capital spending
• Ensure IT compliance with laws and regulations
• Define standards for recurrent IT audits
• Meet the IT needs of the different departments of an organization

IT governance is a subset of corporate governance, which is its own collection of processes that are designed to keep the entire corporation effective and efficient.

IT Governance vs. Corporate Governance

While IT governance and corporate governance may sound similar, they shouldn’t be used interchangeably. The scope of corporate governance is much wider, as it’s in charge of defining how an organization will be managed as a whole, while IT governance focuses on IT-related activities.

For example, corporate governance establishes the levels of management that will guarantee there’s accountability and leadership throughout the organization, while IT governance only focuses on the structure of the IT team.

What Is an IT Governance Framework?

To put it simply, an IT governance framework is a roadmap that defines the methods used by an organization to implement, manage and report on IT governance within said organization.

These IT governance frameworks have been developed by organizations such as the Information Systems Audit and Control Association (ISACA) and the International Organization for Standardization (ISO). It’s important to understand that the various IT frameworks that exist approach IT governance differently in terms of the principles, processes and standards they use to define it.

Let’s review the most commonly used IT governance frameworks to get an idea of how each of them works.

Most Commonly Used IT Governance Frameworks

The most common IT governance frameworks are:

• COBIT: This is by far the most popular framework out there. It gives staff a reference of 37 IT processes, with each process defined with process inputs and outputs, objectives, methods to measure performance and more.
• AS8015-2005: A technical standard developed in Australia and published in 2005, this framework is a 12-page framework that includes six principles for effective IT governance.
• ISO/IEC 38500: This framework aims to assist those at the top of the organization to better grasp their legal and ethical obligations when it comes to their company’s use of IT.
• ITIL: Stands for Information Technology Infrastructure Library, this framework includes five management best practices from strategy to design that aim to ensure that IT supports core business operations.
• COSO: From the Committee of Sponsoring Organizations of the Treadway Commission, this framework focuses on more general and less IT-focused processes, with an emphasis on enterprise risk management and fraud deterrence.
• CMMI: Also known as the Capability Maturity Model Integration framework, this process uses a scale of 1 to 5 to better understand how the organization is performing and maturing over time.
• FAIR: Also known as the Factor Analysis of Information Risk, this framework has an emphasis on cyber security and risk assessment, with the ultimate goal of making better-informed decisions.

And that’s not the full list of frameworks out there; there are many more IT governance frameworks that offer both a full and partial view of IT governance processes that can be useful when it comes to the application of a solid and effective IT governance process.

IT Governance Principles

As noted, each of the frameworks listed above has its own principles, which makes it hard to define a set of general IT governance principles. Generally, most IT auditors follow the principles defined by two of the most popular IT governance frameworks, COBIT and ISO 35800.

COBIT IT Governance Principles
The guiding principles of this IT governance framework are:

• Provide stakeholder value: IT governance should focus on the value that IT operations generate for the business, which in turn will provide value to its stakeholders such as shareholders, customers and employees.
• Holistic approach to IT governance: IT governance must make sure that the IT technologies that make up the IT infrastructure, the IT roles and guidelines work cohesively.
• Dynamic governance system: IT governance shouldn’t be rigid, but rather adapt to the changes required by the organization.
• Governance distinct from management: COBIT draws a line between governance and IT management, as IT governance sets the overall structure in which IT operations will be managed.
• Tailored to enterprise needs: As stated above, IT governance should ensure IT goals align with business goals, which can be very different from one business to another.
• End-to-end governance system: While IT governance focuses on IT departments, managing IT data is a cross-functional effort that requires the collaboration of multiple departments such as finance, sales and marketing, so IT governance guidelines will also extend to other areas of business.

ISO 38500 IT Governance Principles
The guiding principles of this IT governance framework are:

• Responsibility: Roles and responsibilities should be clearly defined for effective IT governance.
• Strategy: The IT governance strategy should be focused on achieving business results.
• Acquisition: IT governance must ensure IT assets are acquired transparently and after careful consideration of the costs, benefits and risks.
• Performance: IT governance should define the standards to track and report whether IT service levels meet the needs of the business.
• Conformance: One of the most important goals for IT governance is to ensure the organization complies with regulations such as cybersecurity and IT risk management standards.
• Human behavior: IT policies, guidelines and standards should be designed in a way that are understandable and achievable by the IT staff.

Common IT Governance Roles & Responsibilities

The process of establishing the IT governance of an organization starts with the corporate governance guidelines that are set forth by the shareholders, the board of directors and the executive management team.

Shareholders

Shareholders are the owners of a company. They appoint the board of directors and outline the goals of an organization from a high-level standpoint. Based on their input, the board of directors and executives will create a corporate governance framework.

Board of Directors

The board of directors is a group of individuals who are responsible for the oversight of the corporate governance of a business, including aspects related to IT. The board of directors acts as the liaison between shareholders and company executives such as the chief information officer. The board of directors approves the IT budget, establishes an overall vision for IT governance, measures the performance of IT operations and oversees the accountability of the IT team.

Chief Information Officer (CIO)

The chief information officer is an executive-level position that is responsible for the management and delivery of all IT-related activities and ensuring the IT governance standards, rules and procedures are followed. A CIO is responsible for overseeing IT operations management, IT service management, IT asset management and IT risk management. CIOs usually work in tandem with other executives such as chief financial officers (CFOs) and chief operating officers (COOs).

IT Director

IT directors are the liaison between the CIO and the IT staff. While the CIO oversees all aspects of IT from an executive level, the IT director manages the day-to-day IT operations of an organization. Therefore, the main responsibility of an IT director is to lead the IT department and ensure they’re following the IT guidelines defined by the CIO.

Key Terms in IT Governance

For those just getting a basic understanding of everything IT governance entails, it can be confusing with all the industry jargon out there. Here are some of those complicated IT terms defined.

• IT management: Not to be confused with IT governance, IT management is about how IT resources are leveraged from a planning, organizing and directing perspective. This is different from IT governance in that IT governance is all about uncovering what an organization can achieve when it uses its IT resources effectively.
• IT compliance: Compliance in the IT world can mean creating an adequate defense process that manages both the management of the compliance process as well as the integrity of the compliance system. Therefore, IT compliance revolves around taking control of protecting personal or private information, including how it’s kept, stored or shared.
• IT controls: These are specific tasks performed by IT staff to ensure that business objectives are kept top of mind.
• Governance, risk and compliance (GRC): Invented by the Open Compliance and Ethics Group (OCEG), this term refers to a certain grouping of capabilities that combine governance, risk management and performance to achieve reliable business objectives and address uncertainty.
• Good governance: This is a method of measuring public organizations’ efficacy for the maximum public good, mostly from a political perspective. The concept of good governance is also a key component of managing risk and ensuring compliance from an IT perspective.
• Certified in the governance of enterprise information technology (CGEIT): This is a certification that is vendor-neutral, and designed for IT staff in large businesses and organizations that are responsible for IT governance.
• Information Systems Audit and Control Association (ISACA): ISACA is an independent, nonprofit that is “engaged in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.”

What Are the Benefits of IT Governance?

IT managers and system administrators know technology like the back of their hands. They work with it day in, and day out and keep up with the latest trends at all times. So, to the administrator, it might seem like adding an IT governance process is an extra step added to their busy days. However, there are many benefits to IT governance, including:

• Getting buy-in from stakeholders, partners and customers is never easy, but showing that you have taken the extra step to implement an IT governance plan gives them added assurance that you mean business.
• Controlling your risks doesn’t come automatically. It has to be studied in a working environment where a standard, replicable process has been implemented. IT governance helps track risks in a controlled experimental environment.
• Ensure your company is meeting rules and regulations around compliance, so you can reduce risk and eliminate liability.
• Better align your IT department with the company’s overall business objectives, so they can prioritize their projects better.
• Better measure performance for your IT department and optimize their processes, so they don’t have to waste time on clunky processes that had previously been in place.

Tips for IT Governance Implementation and Planning

When it comes to IT governance, it’s best to approach the implementation and planning of a great process by understanding that one size does not fit all. Here are some tips to get you started.

1. Understand what role IT governance is going to play in your organization, whether it be led by the CIOs or at the department level.
2. Start with one of the templates we defined above. There are many that give you actual steps to take to implement successfully, like the COBIT, which gives inputs, objectives, methods to measure performance and more. (37, to be exact!)
3. IT staff — once it’s implemented, don’t shy away from participation. It might seem like adding extra steps to your day, but the more you can keep your department aligned with the overall business goals, the less you have to validate your value to the company.

How ProjectManager Helps With IT Governance

Above all else, implementing a proper IT governance process needs to start with buy-in not just from the top, but all the way down. Getting everyone on the same page is what ProjectManager does best.

Need to collaborate with your IT system administrator? ProjectManager gives you cloud-based Gantt charts so you can schedule tasks, assign dependencies, collaborate with your team and track performance on all of it. Since ProjectManager is online, it also means your IT staff gets an easy rollout, with no implementation or training required. So you can load your tool right in your browser and get back to business.

ProjectManager is also rife with tracking and reporting tools, so you can always see how IT projects are progressing. Our project dashboard reports project data in real time in easy-to-read charts and graphs. If you’re looking for more traditional reporting, our software has an automated project reporting tool where you can create status reports, variance reports, workload reports and more with just one click.

key metrics on a project" width="1568" height="816" />

Clunky IT governance processes can set your IT staff back. Oversee optimized performances and analyze risk with ease. ProjectManager is dedicated to giving teams the software they need to plan processes, assign tasks and collaborate effectively. Sign up for our free 30-day trial today.