Simply put, IT governance is putting structure around how organisations align IT strategy with business strategy

By Karen D. Schwartz
19 Jun 2009

Simply put, IT governance is putting structure around how organisations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance. It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results.

An IT governance framework should answer some key questions, such as how the IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from the investment it’s making.

So how do you actually implement everything involved in IT governance?

It doesn’t make sense to reinvent the wheel by starting from scratch, so don’t even try. Start with a framework; there are many to choose from, but using at least one means everything has already been organised and bullet-proofed by industry experts worldwide. These frameworks even offer implementation guides.

And most companies use a framework. According to a survey by PricewaterhouseCoopers in conjunction with the IT Governance Institute, 95 per cent of companies use one of the major IT governance frameworks, while only a few create their own.

The frameworks

Here is a quick rundown on the choices:

CoBIT: This framework, from the Information Systems Audit and Control Association (ISACA), is probably the most popular. Basically, it’s a set of guidelines and supporting toolset for IT governance that is accepted worldwide. It’s used by auditors and companies as a way to integrate technology to implement controls and meet specific business objectives. The latest version, released in May 2007, is CoBIT 4.1. CoBIT is well-suited to organisations focused on risk management and mitigation.

ITIL: The Information Technology Infrastructure Library (ITIL) from the government of the United Kingdom runs a close second to CoBIT. It offers eight sets of management procedures in eight books: service delivery, service support, service management, ICT infrastructure management, software asset management, business perspective, security management and application management. ITIL is a good fit for organisations concerned about operations.

COSO: This model for evaluating internal controls is from the Committee of Sponsoring Organizations of the Treadway Commission. It includes guidelines on many functions, including human resource management, inbound and outbound logistics, external resources, information technology, risk, legal affairs, the enterprise, marketing and sales, operations, all financial functions, procurement and reporting. This is a more business-general framework that is less IT-specific than the others.

CMMI: The Capability Maturity Model Integration method, created by a group from government, industry and Carnegie Mellon’s Software Engineering Institute, is a process improvement approach that contains 22 process areas. It is divided into appraisal, evaluation and structure. CMMI is particularly well-suited to organisations that need help with application development, lifecycle issues and improving the delivery of products throughout the lifecycle.

The choices

Most companies go with CoBIT or ITIL, but others can also fit the bill. For operations, try ITIL. For application development and lifecycle issues, try CMMI. For risk, use CoBIT. CoBIT is also a great umbrella framework. But combining frameworks can also make sense, says Ron Saull, an IT Governance Institute trustee. You might want to use CoBIT as an overall framework; then use ITIL for your operations, CMMI for development and ISO 17799 for security.

In fact, combining frameworks is fairly common; the PricewaterhouseCoopers study found that in 65 percent of cases, companies use CoBIT and ITIL together or with lesser-known frameworks. But most importantly, use a framework that fits your corporate culture and that your stakeholders are familiar with. If the company is using one of these frameworks and can leverage it to be its IT governance framework, all the better. 
