How do you manage your IT? Do you have a carefully constructed road map for investment and service development based on extensive consultation with the board? Or is every new IT development just a reaction to who's complaining the loudest about something? If you're like many IT departments, the chances are that you're somewhere in between the two. Decisions aren't completely reactive, but the strategy that guides them isn't as formal as you'd like. This is where IT governance can help.
What is IT governance?
IT governance is a framework to couple IT investments to business strategy, ensuring that the money you spend on IT helps propel the business in the direction it wants to go. It also defines a set of best practices to help you implement and operate IT systems and services more effectively for better outcomes.
IT governance gives you a consistent reference for important questions: Who determines strategic direction and makes tactical decisions? How do you avoid overlapping responsibilities? How do you measure results? Who is accountable for the results?
Formalising these things is important for any organisation that wants its IT to run more smoothly and serve the business better, but it's especially useful for those that face strict regulations, such as GDPR for privacy, or PCI-DSS for managing personal financial data.
Choosing a governance framework
Building IT governance takes time and gentle steering. It begins by defining a clear IT governance structure. You generally don't go into an IT governance project without a framework.
There are several frameworks and methodologies to choose from, based on your company structure and desired outcomes. You can often use them in conjunction with each other. If you want a heavy focus on risk control, then something like Control Objectives for Information and Related Technology (COBIT) can help. That's a framework created by the Information Systems Audit and Control Association (ISACA), which helps you build technical controls to manage business risks. Another industry association, the FAIR Institute, publishes a governance methodology focusing on information risk called the Factor Analysis of Information Risk.
For those interested in building and streamlining IT support and IT services, the UK government's IT Infrastructure Library (ITIL) can help to build effective IT services and operations. Then there's the Capability Maturity Model Integration (CMMI), which helps to streamline IT processes and services, not to mention procurement.
Planning your IT governance initiative
When creating your IT governance structure, consider your stakeholders. Who are they and how are their needs being met? Changing working practices carries the risk of aggravating some people, especially if there are different political factions in your company or agendas aren't already aligned.
Identify and listen to all parties to try to find consensus. This includes operational staff from the lowest level, who must follow the IT governance strategy in practice. It also means getting executive buy-in from the top to push through wide-ranging policies and processes.
Other things to plan for include an evaluation of your existing operations. Look at your current policies and processes, and assess the current dependencies in your IT ecosystem. Review your service delivery performance by collecting metrics on response times and resolution rates. That will allow you to see how aligned your current IT operation is with business strategy and regulatory requirements so that you can conduct a gap analysis.
An IT governance framework isn't just useful to ensure that you're running a tight ship for daily IT operations. It also helps you to plan for the big stuff, like the implementation of a privacy management discipline, or a migration to the cloud. It might also reveal some useful insights, such as the need to outsource functions like IT support. When you do outsource non-strategic parts of IT, a governance practice can help you manage those relationships, too.
One thing's for sure: you'll feel much better with a map in one hand and the other hand on the rudder, guiding your IT operation where you want it to go.