The concept of IT governance is a hotly debated issue with company executives currently demonstrating very different views towards its implementation, role and benefits. Some equate IT governance with established best-in-class frameworks like CobiT (control objectives for information and related technology) and ITIL (IT Infrastructure Library); some liken it to compliance with external regulations on the level of corporate governance; and others with the alignment of business and IT.
Angeli Hoekstra, national leader of PricewaterhouseCoopers SA Technology Advisory Services practice and global leader for PricewaterhouseCoopers IT Governance services, says there is increasing pressure on managing IT as a business in order to reduce IT risks and to enhance business value.
"But many corporate officers presently feel their IT organisation's current maturity level of providing leadership, organisational structures and processes to achieve business strategy is low and could be improved. IT governance is the vehicle to establish the required improvements."
Hoekstra says there are a number of recommendations to be considered when designing an optimal IT governance strategy. One of the first points to consider is the business strategy and requirements. IT governance should be linked to key business themes and used for enhancing business value, rather than narrowly focussing on the fulfilment of control or compliance requirements.
"And besides aligning IT governance with the broader business, IT governance structures also need to be appropriately aligned with the operational IT environment. If an organisation uses a service-orientated approach (SOA), some IT governance structures would be different to those seen in a more traditional environment."
Another ideal requirement is that IT governance should be driven by top management. "The biggest success in implementing IT governance is in organisations where IT governance has been associated with strong chief information officers who have the full support of executive management.
This reduces the risk that the implementation effort will be faced by resistance from IT staff and business management. Without this top management awareness and commitment, IT governance initiatives tend to fail before achieving their goals."
Hoekstra says there should also be a clear view about the achievable benefits from introducing IT governance, as well as how to quantify and measure them. "In many instances the desired benefits of an IT governance programme are not defined upfront which then makes it impossible to measure them. Some organisations do successfully measure how the governance process performs (based on performance indicators), but only a small number of them measure hard benefits or the eventual outcome of the governance practices (outcome indicators). There are a limited number of mature organisations who are successful in setting up a reporting mechanism for the realisation of important benefits, such as cost reductions, improved customer satisfaction, mitigated risks or enhanced business value."
A big-bang approach to IT governance implementation will in all likelihood fail and will not deliver the required benefits.
Implementation should be gradual and based on reasonable and achievable targets and time frames.
Some IT governance structures also fail because the structure is too complex to achieve targets. Hoekstra says that IT governance should not be over-engineered. "It is important not to overdo the effort with multiple committees, elaborate monitoring and reporting, and overly complicated processes. An over-engineered solution may create more resistance and ultimately be circumvented and consequently less effective."
Hoekstra says that optimal IT governance arrangements will be different for every organisation and dependent on a number of factors in its internal and external environment, including the business strategy, industry and market factors, regulatory environment, organisation size, the organisational governance (such as centralised or decentralised control), risk appetite and dependency on IT.