IT governance is more than risk management
Equally, the heading could have said that IT governance is
more than just …
• Strategic business / IT alignment
• Project governance
• Project portfolio management
• IT architecture
• IT strategy
• Software, hardware, and network planning
• Service management
• Contingency planning (business continuity and disaster
recovery).
In truth, IT governance covers all of these – and more!
There is an excellent article by Jason Cole which
provides entertaining background reading about IT
governance and why it is more than just one of the
specialist topics listed above.
The reason there is so much confusion is that there are
(inevitably!) vested interests at work. Each of the
specialist areas has its own protagonists and self-serving
groups who expend much of their energy on staking a claim
to exclusive use of “IT governance” in their areas of
expertise.
This is perhaps most obvious in the areas of risk
management and (project) portfolio management.
The first is represented by ISACA, who have been – rightly
– promoting their CoBIT tool as a standard control tool for
IT processes. The mistake made by some people, however, is
to equate the CoBIT control tool with IT governance, which
is a much broader topic. This has been acknowledged by
ISACA and its IT Governance Institute (ITGI) in recent
publications and announcements, but too many people still
think of IT governance in terms of risk management and
controls.
The second is represented by suppliers of software
solutions that can help control projects and application
portfolios. Again, one glance at our list at the top of the
page and you will understand why project and application
portfolio management is just one, limited (although
crucial) view of IT governance.
Now I’m not about to criticise each group’s products and
services – they are all specialised areas and each is an
important component of IT governance. But none of them is –
individually – going to provide you with an IT governance
solution.
To understand why – and to understand where the solution
lies – you need to take a step back and put yourself in the
shoes of a non-technical owner, director or executive. This
owner, director or executive knows that IT is crucial to
the organisation and wants to be comfortable that IT is
being applied safely, reliably, and efficiently, in support
of the organisation’s day-to-day operations and strategies.
Which of those specialist topics above will interest the
owner/director/executive? The answer is all of them, but
in plain language, linked together, and
presented in clear summary form. In other words,
an integrated framework that helps the director/executive
to understand the big picture and hold a meaningful,
jargon-free, conversation about IT with the business and IT
managers.
Lo and behold, do I have a deal for you (but without the
steak knives, sorry)! This link will take you to IT
Governance Ltd, a UK-based publisher and on-line book
store specialising in corporate governance, IT
governance, IT security, and related resources. The
link will take you to a page about Alan Calder’s book
“IT Governance: A Director’s Perspective”, which is an
excellent primer for the integrated view of IT
governance that I have been ranting about for the last
500 words. Explore a bit further through the web site,
and you will find some other useful resources such as
the Calder-Moir IT Governance Framework (which links
to a free four-page overview) and the related IT
Governance Framework Toolkit (at which point I must
disclose my vested interest in your purchase of same,
in the form of royalties). IT Governance Ltd also has
a great selection of books and tools covering each of
the specialist topics we started with, including the
IT security, ITIL and CoBIT hotspots.
But remember, as you equip yourselves with specialist
books, ask yourself how you are going to explain all this
to a non-technical owner, director or executive. The
answer, surely, must be that you can’t delve into each
specialist topic, but must organise and summarise at a
higher, integrated, overview level. Look for a framework
that helps you to do that.