Surveying IT Governance

The concept of governance in business is not an overly complex concept, but its implementation can be dizzyingly elaborate. Surveying it very broadly, we find that it variously and passionately refers to accountability, alignment or control. However, these references are not competing with each other but instead reflect the richness of the problem that we can summarize at an even higher level: "management".

I.

Ever since Frederick Taylor, the science of good management has been characterised by a small number of factors all related to the same idea -- demonstrable effectiveness of resource, or what sometimes is just as well called resource optimization.

In order to optimally utilize resources, a few critical success factors of their management always pertain:
- definition of their conditions (clarity)
- measurability of their application (certainty)
- direction of their effort (relevance)

Over the years, there have been many ways to interpret and discuss each of these essential scientific qualities of the management effort -- arguably none more persistently than accountability, alignment and control. Typically, different particular roles in the organization's community -- such as sponsors, executives, operators or clients -- host and promote different interpretations, according to the responsibility within their respective roles. But this does not mean that they are separated or indifferent to each other. All interpretations can be inspired by some of the same key business issues -- such as whether resources are economical and why; whether outcomes are improvable and how; or whether advantage is sustainable and where.

Nonetheless, particular blends of roles and issues bring distinct sensitivities, or perspectives, to the observation of the resource impact on business performance. When it comes to handling IT as a business resource, the perspectives interpret topics like economy, improvement and advantage by assessing things to be managed -- for example, characteristics of the IT resource inventory like supply, configurations, and distribution; or characteristics of the IT resource deployments like capacity, processes, or access.

Having multiple perspectives is a good thing. Any one of them will usually catch something of importance that the others missed. For the sake of planning, these "catches" bring up interdependencies -- for example between supply and capacity -- that affect or exemplify the logic of expected benefits versus risks.

Revealing such logic is a breakthrough. The collective effect of these perspectives is that through their sustained diligence, they bring a regular visibility to the dynamics behind whether the resource impact is:
- good or bad (preferred),
- intentional or unintentional (prescribed), and
- correct or incorrect (allowed).

Formally interrelating their sustained diligence, Governance brings those three "dimensions" of impact to evaluate and coordinate the state of the business operation. The effectiveness of that is largely in revealing and reminding that each dimension can develop ad hoc and/or independently of the others, but that they need to be blended into a compatible set of conditions for supporting business goals. Decision-makers and designers of all kinds throughout the enterprise quickly engage the views, because in particular those two roles must assure that the business value of the resources emerges systematically in operations.

In other words, the effect of IT Governance is to institutionalize the business management of IT.

II.

Emphasizing a proactive stance, it is easy to appreciate that this effort at "managed assurance" is most often projected as "control". Maturing the assurance effort into repeatable and reliable success strategies, practitioners have collaborated for years on organizing and sharing their learnings by creating frameworks that:
- memorialize and increase awareness of significant assurance opportunities,
- guide selection and decision of priorities and methods, and
- establish terms and conventions for monitoring and analysis.

However, behind these frameworks for success, there are varying nuances to the idea of "control", ranging from influence to facilitation to command. Meanwhile, particular roles and circumstances generate a variety of individual business needs. Together, as opportunities and catalysts, these nuances and needs have combined in different ways to spawn different frameworks that all continue to be cultivated.

Over time, different frameworks can each grow out to a point where they overlap others; but if these frameworks are to provide reliable guidance, their overlaps need to be reconciled to ensure that the various frameworks do not work at cross-purposes, despite the intensity and complexity of how elaborate they may become.

Before worrying about that, perhaps there is an even more pressing problem in the organization: a seriously imbalanced mix of individual control efforts already actually implemented for the many aspects of IT activity that ought to be governed. Today, that imbalance may feature incompatible, inconsistent and/or variously unsustainable approaches - in which much of the organization is already invested financially, mechanically or politically. Aside from choosing and trusting a framework to make sense of that variety and envision "leveling it out", there is the substantial pragmatic challenge of herding the cats.

The current wisdom on attacking this problem is that governance should be instituted "top-down" in the organization. A key virtue of that approach is that it minimizes the chance that adopting governance will suffer a "two steps forward one step back" syndrome, because authority and accountability are more rigorously enforced.

But a key challenge in it is that governance itself must be done in the service of the type of progress that the overall business needs. DIfferent parts of the organization contribute to progress in different ways. And different organizations often need to make different kinds of progress.

This throws attention towards the idea that IT governance should not be one-size-fits-all. Put differently, IT governance should not be just a set of "controls that makes alignment for business accountable" -- rather, IT governance must be a competency that demonstrably solves the right business problems.

III.

One key to demystifying adoption of practical IT governance is to first see, in more generic terms, what it is that is being addressed.

We have the range of carefully labelled starting points including "control by" certain parties; "accountability to" certain parties; and, "alignment for" certain parties. But while these may indeed indicate the particular involvement of different roles, the first thing to consider is the commonality of their interests.

Much of the commonality can be expressed and contained through explicit policies and rules. These share the ability to consistently regulate decisions about real-time events -- and it is vitally important for multiple co-operating stakeholders to draw confidence from that. For most organizations, this issue of aligning all decision-making and production design to some standards is the major driver of adopting IT governance. It is a direct response to the need for reducing the "collateral damages" of the organization's complexity -- such as operational costs, errors and liabilities. In effect, standards or regulations represent the party for which the resource utilization is aligned. In the abstract, this party might just be be the "desired future version" of the current organization. In the concrete, it might be a customer, sponsor or other (like the government) stakeholder who has enough immediate influence on opportunities or constraints to be able to dicate the terms of operation. Here, for example, we see Sarbanes Oxley, ISO9000, CoBIT and other directives in force.

Likewise, consistency results from adopting widely-proved guidelines for essential management practices. While "best practices" are propagated because they correlate with successful outcomes, the true value of adopting them is that they include the highest degree of validated measurability -- which translates into predictable improvements in manageability. As such, they need not replace already-successful measurement-based management -- but for managers under excessive pressure from complexity, they accelerate the implementation of low-risk comprehensive measurement. Here, for example, we see ITIL, CMMI, and other instruments featured prominently.

But despite the meaningful differences between those distinct example directives above, they all have the same practical goal: managing the business's preferences, intentions and allowances regarding resource selection and deployment against demand.

This practical commonality doesn't make the challenges easier, but it reminds us that an organization's existing abilities and initiatives for those same management tasks should be pointed at the impending or mandated policies, standards or guidelines. Why? Not just as enterprise housekeeping but, recalling the primary management theme of effectiveness, so that business progress is more strongly enabled. Before that re-orientation is done, we don't know what else new is necessary.

IV.

With the more generic overview in place, it is easy to appreciate the scope of reasons and benefits usually described within the initiative for IT governance.

"IT governance is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives." As seen on its website, the IT Governance Institute (ITGI, at www.itgi.org) continues that introduction to IT governance with a short checklist of things that governance must cover:
- ensure that "IT is strategically aligned with the business and delivers value, its performance is measured, its resources properly allocated and its risks mitigated."

The scope of coverage indicates that the business reliance on IT requires broad organizational accountability. This makes sense particularly in the sense that the business is a customer of IT. But the nature of the actual governance problem is better suggested by the idea that IT utilization is aligned for business. In this latter sense, business is a function, and as the format and value of the function changes over time, governance must deftly support realignment of IT utilization for enabling and supporting the function.

In other words, without diving down into the weeds, this functional outlook gets more directly to the matter of how governance accomplishes what it should accomplish.

As a high-level frame of reference for thinking about governance, the following idea makes a basic assumption about the business's "return on management" -- namely, that managment is given the day-to-day responsibility to take the organization from the current state to the "planned to be" state.

In order to do that, management must generally focus on achieving clarity, certainty and relevance of the resources it handles. But it must specifically focus on influencing resource impacts by wedding the clarity (definition) to the utilization. We tend to think of governance as being about "how things are done," but the closest examination of what we mean by that shows we are more considering "what things are done". The decisions about those things tend to focus on whether they are appropriate, and on what they require.

Consequently, the crucial work of coordination that governance can execute revolves around managing in terms of the "As Intended" Definitions of resource utilization. These are covered in three broad areas that hierarchically comprise the value chain for resource utilization.

Top-down, the business value hierarchy is:
Value: Objectives and Portfolios that align resources to needs
Fit: Architecture and Standards that align resources to requirements
Quality: Assets and Projects that align resources to purpose

As a result, we can see the parallel impacts cascaded (top-down) as well:
- Performance;
- Risk; and,
- Capacity.

Understanding governance from this high-level functional perspective has three major advantages.

1. It is less confusing as to where and why issues such as costs (financial controls), mechanics (processes and support), and politics (decision rights and organization structure) fit into the scheme of things.

2. It also becomes more obvious that the uniqueness of any organization -- which is readily detectable at the level of costs, mechanics and politics -- in no way divorces it from the general opportunity to govern IT effectively in accordance with general principles.

3. Finally, it is more apparent that the multiple roles in an organization can identify goals and opportunities to collaborate on improving existing governance capabilities incrementally, while not violating the interest of a top-down view of enterprise-wide consistency.

IV.

Governance practitioners and supporters take advantage of the last point above. Their challenge is to figure out where to plug into governance, and why. This shows up on both the "supply" side of the it industry and on the "demand" side.

For example, Microsoft focuses on operational excellence, yet to establish a business case for its solutions it talks about three things to consider: save more money (deployment), make more money (productivity) and keep more money (efficient support). These benefits, to be produced with Microsoft functionality, come with legal and financial restrictions on the availability of Microsoft technology, and corporate stakeholders (both internal and external) place further boundaries around how production is allowed to generate the benefits. Governance, through its frameworks and models, is instrumental to connecting the allowances for supply and capacity to the allowances for production and impact. Decision-makers and production designers must actualize the recommended connections.

On the demand side, distinguished practitioners such as CIO Emeritus Len Tenner of Hewitt Associates caught what might be the single most important observation about IT governance, as introduced by authors Peter Weill and Jeanne Ross in their book "IT Governance". Said Tenner in his recap: "effective firms must customize IT Governance to match their organizational approach and business goals."

But this just reminds us that the hands-on challenge of doing IT Governance is for the organization's leaders to define, produce, deliver and support governance itself -- an ongoing, multidisciplinary, cross-functional effort at developing and maturing a competency.

Certainly not the last definition of that competency, but a pretty exemplary one, is from deep inside an office in a department of a non-profit organization whose success is also increasingly reliant on effective IT:

"IT Governance - A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes." (Austin Community College Internal Audit Office)

The message in offering that citation is that the phenomenon of IT Governance is not about an industry, a business model, a market segment or a product, and not even primarily about technology. Instead, it is primarily about a management discipline focused on a business resource.

The involvement in IT Governance must be championed not by "business people versus IT people", nor by "executives versus producers", nor "auditors versus employees". Instead, it must be championed by managers at all levels of the organization.

Posted by Malcolm Ryder at 3:06 PM | Comments (0) | TrackBack

February 4, 2006