Which is governance, and which is not?
What Governance Is ... and Is NOT
There is growing interest in and awareness of IT Governance, but a new ISO standard (see sidebar) makes clear that the term is often misused. What we are really seeing is a rise in interest in both IT Governance and Information Assurance – the latter sometimes termed Information Security. These two, along with Service Management (ITIL), provide the three supports for business-IT alignment.
But Governance is something distinct. It has a passive part and an active part – the yin and the yang.
- The active part of Governance is setting policy, not issuing commands: setting a course, not steering.
- The passive part of Governance is tracking the business against strategic objectives and policy: taking a navigational fix, not weighing the cargo.
Thus IT Governance is about understanding how right we do IT, and defining “how right” in terms of the policy and strategy of the organisation.
The four “hows” in the diagram of the header are what Governance is about. The “how well” is only meaningful once the “right things” are defined in terms of what the organisation needs IT to do.
Governance itself is a process.
The people responsible for Governance should be concerned with setting policy and bounds. They should not be concerned with fixing things that go out of bounds. If they do, then they are no longer governing. The boundary between the two, and the respective roles and responsibilities, needs to be clearly understood.
Many organisations are offering a service they label “GRC” – Governance, Risk Management and Compliance. Often this is a semantic shift from their existing work on Risk Analysis, Risk Management and Regulatory Compliance: it approaches Governance bottom-up and puts too much emphasis on the skills they already have on the operational side.
The International Organization for Standardization (ISO) has released a new standard, ISO 38500: Corporate Governance of Information Technology, which defines that very word. The standard defines Governance as three activities:
- Evaluate and
The new standard makes it clear that Governance pertains to command and control – not to measurement, policing or adjustment. We can therefore hope to see the emergence of a term that nicely wraps up the operational (i.e. non-Governance) aspects of the Risk and Compliance parts of GRC: Assurance.
COBIT and its related publications are the nearest thing to a CBOK (common body of knowledge) for IT Assurance, and the Val IT publications are on the way to becoming the CBOK for IT Governance. ISACA is working on a Risk IT framework.
… And Is Not
The GRC approach confuses things by introducing Risk Assessment and Management, and Compliance. Both of these are operational matters.
Governance is not reporting, or security, or dashboards, or risk management, or even project management.
For the most part, Risk Management is not Governance. Most of Risk Management has to do with operations; it is an ongoing, lower-level activity.
In fact, Management itself is not Governance. Management is about “getting things done”: handling resources and meeting objectives.
And Operations is where the difference lies, for these things are about executing, not about
The closely intertwined concepts of IT Risk, Assurance and Compliance are about how safely we do IT, and defining “how safely” in terms of what is safe for the organisation.
All these things that are being mislabelled as Governance under the GRC banner are about executing the commands of the governors, providing them with information, or ensuring the organisation complies with their policies. Steering the ship is not governance. Even more so, rowing the ship is not governance.