Simply put, “governance” means the process of decision-making and the process by which decisions are implemented (or not implemented). Governance can be used in several contexts such as corporate governance, international governance, national governance and local governance. And of course, our concern: IT Governance.
Corporate governance has been a high-profile topic in recent years principally because of public concern at a lack of control at the top of organisations. There is a perception that, in certain cases, senior managers appear to have been able to act without restraint and that inadequately designed systems have failed to prevent fraudulent, inefficient or inappropriate behaviour.
Well-defined and enforced corporate governance provides a structure that, at least in theory, works for the benefit of everyone concerned by ensuring that the enterprise adheres to accepted ethical standards and best practices as well as to formal laws. To that end, organizations have been formed at the regional, national, and global levels.
In recent years, corporate governance has received increased attention because of high-profile scandals involving abuse of corporate power and, in some cases, alleged criminal activity by corporate officers. An integral part of an effective corporate governance regime includes provisions for civil or criminal prosecution of individuals who conduct unethical or illegal acts in the name of the enterprise.
Information Technology Governance
IT Governance is more than merely good management practices and IT control frameworks. ISO 38500 clarifies this by making it clear that IT governance is about the stewardship of IT resources on behalf of the stakeholders who expect a return from their investment. The directors responsible for this stewardship look to the management to implement the necessary systems and IT controls. Whilst managing risk and ensuring compliance are essential components of good governance, it is more important to be focused on delivering value and measuring performance.
It is easy to recognise the potential benefits that technology can yield, but successful organizations need to translate those benefits into specifics that are of value to them, and to understand and manage the risks associated with implementing new technologies. The challenges and concerns this involves will include:
- Translating and communicating value-focused vision and objectives
- Aligning IT strategy with the business strategy
- Cascading strategy and goals down into the enterprise
- Providing organizational structures that facilitate the implementation of strategy and goals
- Insisting that an IT control framework be adopted and implemented
- Measuring IT’s performance
Effective and timely measures aimed at addressing these top management concerns need to be promoted by the governance layer of an enterprise. To achieve these ends, boards and executive management need to extend the governance they already exercise over the enterprise to IT.
IT Governance is not a matter for the IT department alone – it is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.
Purpose and Objectives
The purpose of IT governance is to direct IT endeavors, as expressed in the list above, and these translate into the following objectives for IT:
- To align IT with the enterprise and realize the promised benefits
- To use IT to enable the enterprise by exploiting opportunities and maximizing benefits
- To apply IT resources responsibly
- To manage IT-related risks appropriately
The overall objectives of IT governance activities are to understand the issues and the strategic importance of IT, to ensure that the enterprise can sustain its operations and to ascertain that it can implement the strategies required to extend its activities into the future. IT governance practices aim at ensuring that expectations for IT are met and IT risks are mitigated.
The point is not to be good at the process of compliance, or governance, or risk management for its own sake – the point is to harness IT more effectively in support of achieving business objectives and managing financial, strategic, and operational risks.