by Craig Symons (March 2005)

WHAT IS GOOD IT GOVERNANCE?
Forrester’s Business Technographics® November 2004 United States SMB Benchmark Study found that enterprises spend an average of 4.9% of revenues on IT. In 2005, we expect IT budgets to grow 7% over last year.1 IT is now at the core of most organizations’ ability to execute strategy. Recent legislation, such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes- Oxley (SOX), have elevated demands for improved compliance and risk management across the enterprise, and on IT organizations specifically. The result is a “perfect storm” of pressure on CIOs and their IT organizations for better IT governance.

IT Governance Defined
At its most basic definition, IT governance is the process by which decisions are made around IT investments. How decisions are made, who makes the decisions, who is held accountable, and how the results of decisions are measured and monitored are all parts of IT governance. Based on this definition, everyone has some form of IT governance. Unfortunately for many firms, the governance process is ad hoc and informal. There is no consistency across the enterprise, accountability is weak — if present at all — and there are no formal mechanisms to measure and monitor the outcomes of the decisions.

There is just too much at stake today for organizations to leave IT governance to chance or legacy processes. Optimizing IT investments must become a priority. There is a growing trend on the part of large organizations to elevate IT performance to the board of directors level. In addition to the traditional audit committee and compensation committee, boards are adding an IT oversight committee to become more involved in the role that IT plays in enabling and executing the enterprise’s strategy. For example, FedEx has established the Information Technology Oversight Committee to oversee major IT-related projects and technology architecture decisions.

 

Such executive commitments are only natural. IT governance can not exist in isolation but must be a subset of enterprise governance. It is the responsibility not just of IT management but of the board of directors and executive management. According to the IT Governance Institute, IT governance “is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

Implementing good IT governance requires a framework based on three major elements:

• Structure. Who makes the decisions? What structural organizations will be created, who will take part in these organizations, and what responsibilities will they assume?
• Process. How are IT investment decisions made? What are the decision-making processes for proposing investments, reviewing investments, approving investments, and prioritizing
• Communication. How will the results of these processes and decisions be monitored, measured, and communicated? What mechanisms will be used to communicate IT  investment decisions to the board of directors, executive management, business management, IT management, employees, and shareholders?investments?