As part of my preparation for a panel discussion entitled The Strategic Roles of Governance in Delivering Enterprise Capabilities for the Open Group Summit in Kuala Lumpur on 18th August 2014, I revisited the topic of governance. The term is often abused in an attempt to make something sound more interesting, with such ridiculous examples as "SharePoint Governance". Governance is something that governors do, not managers. It's the stuff that board members do: they direct, monitor and evaluate how their managers are running the business. Some highlights from various sources follow.
Robert Tricker wrote the first book to use the title Corporate Governance, in 1984, and defined the difference between governance and management as: “Management runs the business; the [governance] board ensures that it is being run well and run in the right direction”.
Peter Weill defines governance as “Specifying the decision rights and accountability framework to encourage desirable behaviour in the use of IT” and identifies 5 critical IT domains:
- business application needs
- investment and prioritisation
ISO 38500, the international standard for Governance of IT, defines governance as “The system by which the current and future use of IT is directed and controlled.” and stipulates: “Corporate governance of IT involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization.”
ISO 38500 refers to six dimensions that need to be addressed:
- Human Behaviour
Weill’s ‘desirable behaviour’ and ISO 38500’s ‘human behaviour’ are key. It’s about directing, monitoring and evaluating what people actually do. Effective governance recognizes the inherent weaknesses of the human condition and takes appropriate measures.
It has been observed that the most important word in the title of ISO 38500, ‘Governance of IT’, is ‘of’. IT is governed by another body, not by itself. IT departments manage IT, and are governed by directors at a higher level of authority.
While ISO 38500’s scope is limited to IT, COBIT addresses a broader scope, explicitly referring to information and related technology as two separate entities that deserve to be managed in their own right. COBIT’s definition exhibits similarities with ISO 38500 because it also speaks about ‘direct and control’: “A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes”.