As part of my preparation for a panel discussion entitled The Strategic Roles of Governance in Delivering Enterprise Capabilities for the Open Group Summit in Kuala Lumpur on 18th August 2014, I revisited the topic of governance. The term is often abused in an attempt to make something sound more interesting, with such ridiculous examples as "SharePoint Governance". Governance is something that governors do, not managers. It's the stuff that board members do: they direct, monitor and evaluate how their managers are running the business. Some highlights from various sources follow.
Robert Tricker wrote the first book to use the title Corporate Governance in 1984 and defined the difference between governance and management as: “Management runs the business; the [governance] board ensures that it is being run well and run in the right direction”.
Peter Weill defines governance as “Specifying the decision rights and accountability framework to encourage desirable behaviour in the use of IT” and identifies 5 critical IT domains:
- principles
- architecture
- infrastructure
- business application needs
- investment and prioritisation
ISO 38500, the international standard for Governance of IT, defines governance as “The system by which the current and future use of IT is directed and controlled” and stipulates: “Corporate governance of IT involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization.”
ISO 38500 refers to six dimensions that need to be addressed:
- Responsibility
- Strategy
- Acquisition
- Performance
- Conformance
- Human Behaviour
Weill’s ‘desirable behaviour’ and ISO 38500’s ‘human behaviour’ are key. It’s about directing, monitoring and evaluating what people actually do. Effective governance recognizes the inherent weaknesses of the human condition and takes appropriate measures.
It has been observed that the most important word in the title of ISO 38500, ‘Governance of IT’, is ‘of’. IT is governed by another body, not by itself. IT departments manage IT, and are governed by directors at a higher level of authority.
While ISO 38500’s scope is limited to IT, COBIT addresses a broader scope, explicitly referring to information and related technology as two separate entities that deserve to be managed in their own right. COBIT’s definition exhibits similarities with ISO 38500 because it also speaks about ‘direct and control’: “A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes”.
