IT governance is often wrongly delegated to the CIO. That situation must change if it is to meet the principles defined in corporate governance, says Julie Short.

A collapse of trust in business management over the past 10 years has led to regulations to make good corporate governance mandatory. With the recent financial crisis, corporate governance has again received close attention.

It seems professional investors are willing to pay a premium for companies with strong, effective corporate governance. But IT executives, considered the guardians of key IT corporate assets, often struggle to implement effective IT governance in line with corporate governance goals.

Corporate governance provides the structure for determining organisational goals, allocating the authority to achieve them and monitoring performance to ensure those objectives are attained. Although several principles of corporate governance influence IT governance, there are two where this influence is substantial:

  • Disclosure and transparency
    This refers to the financial and operational information of the organisation and foreseeable risk factors.
  • Responsibility of the board of directors
    This involves ensuring strategic guidance to the organisation, effective monitoring and responsibility to stakeholders.

Although the degree of liability varies from country to country, board members are expected to act in the best interest of stakeholders to approve strategy, to oversee management, to make key decisions and to approve the systems of risk oversight and internal control. Capital spending on IT assets may be as much as 50 per cent of the total capital spending in some organisations.

But when it comes to managing those assets, few boards understand how much their organisations rely on IT for continuing operations and information assets that reside in numerous applications in their infrastructure. Few realise how much of a role IT plays in enabling or hindering their business strategy.

Few boards realise how many business decisions rely on the information contained in these assets. Even fewer have the fundamental knowledge needed to ensure that the appropriate oversight is in place. But these issues do not relieve them of responsibility to ensure the company’s IT assets are governed appropriately.

IT governance is not simply the management of IT; it refers to how organisations ensure that IT assets deliver business value, that their performance is measured and that their risks are mitigated. As with all governance, there is no single solution.

Effective IT governance must be a cohesive, integrated process aligned with the business, compatible with the management decision-making style and culture, and perceived by business management as providing value.

Too often IT governance has been left to the CIO without engaging the board, which has the responsibility to understand the inherent risks and strategic importance of IT. I firmly believe that boards must be more involved in IT governance to ensure their organisations will be able to sustain operations and implement future strategies.

I also believe IT professionals need to educate themselves on the principles of corporate governance to work more closely with the business and to implement IT governance in a manner that supports the principles of corporate governance.

Gartner’s IT Governance Demand-Supply Model clearly states that IT governance is a business goal, not just an IT goal. IT governance is defined as addressing two main areas: demand-side governance – deciding what IT should work on – and supply-side governance – deciding how IT should do what it does.

Demand-side governance is a management investment decision-making and oversight process; therefore, it is primarily a business management responsibility, driven by the decision authority delegated under the corporate governance umbrella.

Supply-side governance is primarily the CIO’s responsibility and is the mechanism that ensures compliance with corporate policies, such as those addressing regulatory compliance, security and procurement.

In speaking with clients, I see the lines between the business and IT becoming more blurred. I see IT tasks being performed in the business, business taking on IT leadership roles and vice versa.

But when it comes to IT governance, I see that often this is erroneously delegated to the CIO, largely due to a perception that anything to do with IT should be handled by the CIO.

As a result, the term ‘governance’ has become overused and misunderstood. IT leaders should understand that IT governance is only effective when it is driven by corporate governance and defined as a cohesive process by using five steps: strategise, plan, implement, manage and monitor.

IT governance must integrate all governance structures by identifying the appropriate touchpoints, and using relevant inputs and outputs from other structures. Although supply-side governance involves significantly more CIO responsibility than demand governance, it is vital that supply-side IT governance includes and addresses the corporate governance policies aimed at ensuring the board meets its responsibilities to stakeholders.

At the same time, the board is accountable for demand-side IT governance and must take the lead by providing direction for ensuring that the organisation’s resources are effectively managed and protected. The only way to do this is to ensure that all IT governance – whether demand- or supply-side – meets the principles defined in corporate governance.

CIOs also have a responsibility to ensure they understand the principles of corporate governance, specifically disclosure and transparency, and the responsibilities of the board. Knowledge of these principles can help IT leaders gain the business involvement they need.

They are widely accepted or even mandated by law in many countries. They are also well-understood by senior executives and are of great interest, because key executives can be personally liable for breaches to these principles.

CIOs should create a bridge of understanding with these senior executives, linking the principles and the responsibilities of management with the functions and processes of IT.

A common understanding in this area can help both sides to integrate business and IT management, thereby gaining more business participation in demand-side governance and driving the approach and policies of supply-side governance. It can lead to more clearly establishing IT governance as a component of corporate governance.

Many clients tell me they cannot get the attention and involvement of the board to participate in IT governance, but I maintain that CIOs need to employ strategies aimed at obtaining this involvement. These strategies might include increasing the knowledge and awareness of the principles of corporate governance among the IT management team or using available resources to ensure a common understanding of what is in place and where the likely risk candidates are.

CIOs might also consider creating a coalition of supporters to craft and send co-ordinated messages to the board, as well as using current relationships with senior business management as a means of sponsoring engagement with board members.

The bottom line is that IT is an integral part of the business. Organisations should consider IT to be just as critical to the organisation’s success as any other business unit. Business and IT leaders should regard IT governance as an opportunity to integrate their spheres of influence.

They should also move towards a more cohesive model, providing a better understanding of the role of IT in the organisation and enabling IT to contribute its share to meeting the principles of corporate governance.

Julie Short is a research director at analyst firm Gartner. The Gartner Program and Portfolio Management & IT Governance Summit 2010 is taking place on 16-17 June at the Lancaster London Hotel in London.