Information technology (IT) governance is a subset discipline of corporate governance, focused on information technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. It has evolved from The Principles of Scientific Management, Total Quality Management and ISO 9001 quality management systems.
Historically, board-level executives deferred key IT decisions to the company's IT management and business leaders. Short-term goals of those responsible for managing IT can be in conflict with the best interests of other stakeholders unless proper oversight is established. IT governance systematically involves everyone: board members, executive management, staff, customers, communities, investors and regulators. An IT Governance framework is used to identify, establish and link the mechanisms to oversee the use of information and related technology to create value and manage the risks associated with using information technology.
Various definitions of IT governance exist. While in the business world the focus has been on managing performance and creating value, in the academic world the focus has been on "specifying the decision rights and an accountability framework to encourage desirable behavior in the use of IT."
The IT Governance Institute's definition is: "... leadership, organizational structures and processes to ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."
AS8015, the Australian Standard for Corporate Governance of Information and Communication Technology (ICT), defines Corporate Governance of ICT as "The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation."
Background
The discipline of information technology governance first emerged in 1993 as a derivative of corporate governance and deals primarily with the connection between an organisation's strategic objectives, business goals and IT management within an organization. It highlights the importance of value creation and accountability for the use of information and related technology and establishes the responsibility of the governing body, rather than the chief information officer or business management.
The primary goals of information and technology (IT) governance are to (1) assure that the use of information and technology generates business value, (2) oversee management's performance and (3) mitigate the risks associated with using information and technology. This can be done through board-level direction, implementing an organizational structure with well-defined accountability for decisions that affect the successful achievement of strategic objectives, and institutionalizing good practices by organizing activities into processes with clearly defined outcomes that can be linked to the organisation's strategic objectives.
Following corporate governance failures in the 1980s, a number of countries established codes of corporate governance in the early 1990s:
* Committee of Sponsoring Organizations of the Treadway Commission (USA)
* Cadbury Report (UK)
* King Report (South Africa).
As a result of these corporate governance efforts to better govern the use of corporate resources, specific attention was given to the role of information and the underpinning technology in supporting good corporate governance. It was soon recognized that information technology was not only an enabler of corporate governance but, as a resource, also a value creator in need of better governance.
In Australia, the AS8015 Corporate Governance of ICT was published in January 2005. It was fast-track adopted as ISO/IEC 38500 in May 2008.
The IT governance process enforces a direct link between IT resources and processes and enterprise goals, in line with strategy. There is a strong correlation between the maturity of an organisation's IT governance and the overall effectiveness of its IT.
Problems
IT governance is often confused with IT management, compliance and IT controls. The problem is increased by terms such as "governance, risk and compliance (GRC)" that establish a link between governance and compliance. The primary focus of IT governance is the stewardship of IT resources on behalf of various
stakeholders whose ranking is established by the organisation's governing body. A simple way to explain IT governance is: ''what'' is to be achieved from the leveraging of IT resources. While IT management is about "planning, organizing, directing and controlling the use of IT resources" (that is, the ''how''), IT governance is about creating value for the stakeholders based on the direction given by those who govern.
ISO/IEC 38500 has helped clarify IT governance by describing a model to be used by company directors.
While directors are responsible for this stewardship it is not unusual to delegate this responsibility to management (business and IT), who are expected to develop the necessary capability to deliver the performance expected. Whilst managing risk and ensuring compliance are essential components of good governance, the primary focus is on delivering value and managing performance (i.e. "Governance, Value delivery and Performance management" (GVP)).
Frameworks
There are quite a few supporting references that may be useful guides to the implementation of information and technology (IT) governance. Some of them are:
* AS8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology. AS8015 was adopted as ISO/IEC 38500 in May 2008.
* ISO/IEC 38500:2015 Corporate governance of information technology (very closely based on AS8015-2005) provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations' use of IT. ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations. This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
* COBIT (Control Objectives for Information and Related Technologies), created by ISACA, is regarded as the world's leading IT governance and control framework. COBIT 5 provides a reference model of 37 IT processes typically found in an organization. Each process is defined together with process inputs and outputs, key process activities, process objectives, performance measures and a maturity model. ISACA published COBIT 2019 in 2019 as a "business framework for the governance and management of enterprise IT". COBIT 2019 replaces COBIT 5, which itself consolidated COBIT 4.1, Val IT and Risk IT into a single framework aligned and interoperable with TOGAF and ITIL.
* IGPMM - The Information Governance Process Maturity Model depends on maturing 22 processes that help identify, and improve the management of, information value, cost and risk. CGOC updated the IGPMM in March 2017.
The processes reflect the needs of the key information stakeholders, including legal, records information management (RIM), privacy and security, lines of business and IT. The maturation for each business process moves through four stages:
** Stage 1: Ad hoc and inconsistent
** Stage 2: Siloed and manual
** Stage 3: Siloed, consistent and instrumented
** Stage 4: Integrated, instrumented and optimized
Other frameworks offer a partial view of IT management and IT governance processes:
* CMM - The Capability Maturity Model: focus on software engineering
* ITIL - Focus on IT service management
* ISO/IEC 20000 - Focus on IT service management
* ISO/IEC 27001 - Focus on information security management
* ISO/IEC 27005 - Focus on information security risk management
* ISO/IEC 29148 and IREB - Focus on requirements engineering
* ISO/IEC 29119 and ISTQB - Focus on software testing
Non-IT specific frameworks of use include:
* PRINCE2 and PMBOK - Focus on project management
* ISO 22301 - Focus on business continuity
* The Balanced Scorecard (BSC) - method to assess an organization's performance in many different areas
* Six Sigma - Focus on quality assurance
* The Open Group Architecture Framework (TOGAF) - methodology to align business and IT, resulting in useful projects and effective governance
Professional certification
* Certified in the Governance of Enterprise Information Technology (CGEIT) is a certification created in 2007 by ISACA. It is designed for experienced professionals who can demonstrate five or more years of experience serving in a managing or advisory role focused on the governance and control of IT at an enterprise level. It also requires passing a 4-hour exam designed to evaluate an applicant's understanding of the governance of enterprise IT. The first examination was held in December 2008.
* COBIT 5 Foundation, COBIT 5 Assessor and COBIT 5 Implementation are certifications created in 2012 by ISACA.
See also
* Computer security
* Data governance
* Enterprise architecture
* Information governance
* IT portfolio management
* Project governance
* Service governance
Further reading
* Blitstein, R. (2012). "IT Governance: Bureaucratic Logjam or Business Enabler". Cutter Consortium.
* Brown, A. E. and Grant, G. G. (2005). "Framing the Frameworks: A Review of IT Governance Research". ''Communications of the Association for Information Systems'', Vol. 15, Article 38.
* De Haes, S. and Van Grembergen, W. (2009). "Exploring the relationship between IT governance practices and business/IT alignment through extreme case analysis in Belgian mid-to-large size financial enterprises". ''Journal of Enterprise Information Management'', Vol. 22, No. 5, pp. 615–637.
* Georgel, F. ''IT Gouvernance : Maitrise d'un systeme d'information''. Dunod, 2004 (1st ed.), 2006 (2nd ed.), 2009 (3rd ed.); ''Gouvernance, audit et securite des TI''. CCH, 2008 (1st ed.).
* Lutchen, M. (2004). ''Managing IT as a Business: A Survival Guide for CEOs''. Hoboken, N.J.: J. Wiley.
* Renz, P. S. (2007). ''Project Governance''. Heidelberg: Physica-Verlag (Contributions to Economics).
* Van Grembergen, W. (2004). ''Strategies for Information Technology Governance''. IDEA Group Publishing.
* Van Grembergen, W. and De Haes, S. (2009). ''Enterprise Governance of IT: Achieving Strategic Alignment and Value''. Springer.
* Van Grembergen, W. and De Haes, S. (2010). "A Research Journey into Enterprise Governance of IT, Business/IT Alignment and Value Creation". ''International Journal of IT/Business Alignment and Governance'', No. 1, pp. 1–13.
* Weill, P. and Ross, J. W. (2004). ''IT Governance: How Top Performers Manage IT Decision Rights for Superior Results''. Boston, MA: Harvard Business School Publishing.
* Wilkin, C. L. and Chenhall, R. H. (2010). "A Review of IT Governance: A Taxonomy to Inform AIS". ''Journal of Information Systems'', 24 (2), 107–146.
* Wood, D. J. (2011). "Assessing IT Governance Maturity: The Case of San Marcos, Texas". Applied Research Projects, Texas State University-San Marcos. (This paper applies a modified COBIT framework to a medium-sized city.)