By Alex Breeding

When I first started in the beer business, the president of the company I joined told me he didn’t know why I was there. He said he could sell beer with a pad of paper and a pencil. I told him that might be true, but that, as the IT director, I could enable the sales force to sell more beer using computers. Four years ago, we had fewer than 40 computers and two servers. Today, we have more than 250 computers and 12 servers, and we sell a lot more beer. The company couldn’t function without computers. IT has become a business necessity. And like every other aspect of a successful business, IT must be properly governed.

In years past, IT stood as the only department that championed the cause of technological advances. We tried to convince other departments that we could provide them with lots of easy-to-use tools that would allow them to do their jobs better. Now other departments often drive IT projects. The job of a CIO is to further the business objectives and strategies of the entire organization by way of IT. In light of this, IT governance cannot be isolated. It must be considered as an integral part of the enterprise.

IT governance
Enterprise governance concerns itself with the responsibilities and actions of the board and executive management (CIOs). It holds them responsible for the strategic direction of the enterprise, ensuring that objectives are achieved and that resources are used appropriately. Likewise, IT governance requires an organization to properly align IT strategy and utilize IT resources to provide competitive advantages for the company. Stated simply, IT governance applies enterprise governance principles to the IT department.

IT touches every aspect of business. Considering this, it should be obvious that IT governance is as necessary as standard business management. And while effective IT governance can generate real business benefits, such as reputation, trust, and market share, poor management carries risks. The speed of business today often requires near-immediate decisions based on sales data and market trends. Those decisions cannot be made if the systems providing that information are down. And employees caught browsing inappropriate Web sites or sending offensive jokes through e-mail can dramatically affect a company’s reputation for years. There are simply far too many negatives involved to allow inappropriate or misaligned use of IT resources.

How it works
IT governance usually occurs at various levels within an organization. Team leaders receive direction from managers; managers report to the executive; and the executive (i.e., CIO) reports to the board. Clearly this will not be effective without proper alignment of IT objectives and goals with buy-in or direction from the board.

Since IT governance is part of a broad framework of corporate governance, it begins with support at the board level. The Organisation for Economic Co-operation and Development has published Principles of Corporate Governance, which covers in depth the rights, roles, and equitable treatment of shareholders, disclosure and transparency, and the responsibilities of the board. (You can download this report from the IT Governance Institute’s Web site.) Among the board’s responsibilities are reviewing and guiding corporate strategy, setting and monitoring achievement of performance objectives, and ensuring the integrity of the organization’s systems. To provide appropriate governance for IT systems, the board must ensure that the IT department is properly aligned with the business objectives of the company.

The goals and objectives of the company must be clearly articulated, and IT must share that vision. The expectations of the IT department should be clearly communicated to include IT’s effect on profitability, market share, and service quality. Quantifiable goals must be set and responsibilities clearly defined. All business units must take ownership for accomplishing business goals, and IT must share in that responsibility. IT should assist other business units in determining what business systems are required to accomplish their goals and should specify how technology will be used to meet those objectives. Educate all team members in a business unit’s operations. Without appropriate knowledge, IT will not make appropriate recommendations.

Once goals and objectives have been established, continuous review and improvement is necessary. Clearly defined objectives provide direction. IT’s actions are based on direction provided by clearly defined objectives. On completion of any action, the performance must be measured against suitable success metrics. Compare the results achieved with the metrics and make adjustments in accordance with the previously defined objectives. Any adjustments made will provide better direction, which will lead to more successful actions. This continuous loop provides a framework for improvement (see Figure A).

Figure A

Support alignment with standards
In addition, there are emerging standards and other guidelines. Information Systems Audit and Control Association has published one of the standards: “Control Objectives for Information and related Technology” (COBIT). COBIT is in its third edition and comprises 34 high-level control objectives and 318 detailed control objectives designed to help businesses maintain effective control of IT. The entire documentation set is available online here. You’ll find more information regarding the U.S. House of Representatives implementation of COBIT here.

The International Standards Organization’s ISO 17799 is titled “Information Technology–Code of Practice for Information Security Management.” It focuses on security and provides direction for the creation of an effective IT security plan.

A third standard is from the Information Technology Infrastructure Library. It’s primarily designed to identify best practices and manage service levels. Organizations such as the U.S. Navy and Procter and Gamble have used this standard and realized substantial savings.

These three standards differ, with COBIT being strong in metrics and controls, ISO 17799 covering security, and ITIL focusing on processes, especially help desk issues. Of course, other companies have developed ad hoc methods of IT governance. But these standards provide an existing framework and incorporate best practices of other high-profile organizations. There’s no need to reinvent the wheel. Review these standards and apply what will work in your culture.

You’ll find additional detailed information at the IT Governance Portal. This site includes documents, case studies, and links to numerous sites of IT governance resources, including various professional and government organizations concerned with a wide range of enterprise governance.

Proper IT governance ensures that IT’s performance is aligned with the organization’s objectives and that business units are empowered to achieve business goals, ensures that resources are used appropriately, and helps to mitigate risks.