
An introduction to IT Governance

The subject of IT Governance is becoming increasingly important to organisations of all sizes and across every industry. In this insight, axin introduces the concept of IT Governance, explains why it is important and introduces a governance framework that can be applied within any organisation.

What is IT Governance?

Many formal definitions for IT Governance exist, including this one from the IT Governance Institute: "IT Governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."

In more straightforward terms, IT Governance can be defined as being the means by which an organisation ensures that its IT supports its business strategy. To achieve this, IT Governance must provide a controlled and consistent structure for making decisions about how the organisation's IT resources will be utilised to deliver maximum value whilst minimising the associated risks.

IT Governance should be viewed as a subset of corporate governance, and hence an organisation's IT Governance framework should be designed to ensure consistency with the broader corporate governance framework that exists within the organisation.

Why is IT Governance Important?

Probably one of the most common and convincing reasons for the need for governance within IT is the frequent failure of IT services and projects to meet the organisation's requirements. Increasingly, there is also a level of dissatisfaction with IT's ability to innovate. IT Governance provides a framework within which such issues can be addressed by providing visibility and accountability for key decisions regarding IT resources, priorities and investment, and also by defining processes for managing the delivery of services and projects and for ensuring that performance is reported and reviewed.

Other factors driving the growth in importance of IT Governance include:

- The role of IT and its contribution to the success of the organisation has grown significantly; this trend will continue, with IT playing an increasingly key role in the future.
- If performing well, IT can be a business asset that can provide competitive advantage. IT can enable growth, cost reduction and new products and services.
- IT can be high risk: poor implementation, projects that do not deliver expected benefits and application and network downtime can have a major effect on today's performance and the achievement of long-term goals.
- IT is not a low-cost, low-impact technology. It is investment intensive. The IT strategy, applications and infrastructure must be appropriate for the organisation's business model and strategic goals to ensure an acceptable return on investment.
- Increased scrutiny on corporate governance and the resulting requirements for risk identification and management.
- Information is increasingly subject to legislation and audit. Such regulation places obligations on organisations to take appropriate steps to secure the data they hold and to control the way in which it is accessed and used.

A model for IT Governance

There is no single or standard IT Governance methodology that fits every organisation. Factors within the wider organisation and even outside of the organisation will have an influence on the way in which IT Governance is performed. Such factors include:

- The organisation's business strategy and goals, policies, ethics and culture.
- Industry practices and relevant quality standards or accreditations.
- Regulation, codes of conduct and/or legislation covering corporate governance.

As a result, when advising clients that wish to establish IT Governance for the first time or that wish to improve their existing arrangements, axin recommends the use of an IT Governance framework. This framework provides a high-level model and identifies the six key areas on which any organisation must focus in order to establish effective governance.

The primary aim of the framework is to ensure that the organisation addresses each of the key areas and that it also understands the relationships between them. The level of detail and content within each area is determined by the organisation's requirements and its broader corporate governance arrangements. The framework is, therefore, applicable to any organisation, as it does not prescribe the processes, structures, controls, etc. required in each of the key areas, nor does it dictate the level of detail required within each area. Hence, using this approach, a client is able to establish an initial IT Governance model quickly and then develop this model over time and to a level of detail that meets its needs.

axin also recommends that clients use existing processes, structures, etc. where appropriate to ensure a standard approach across the organisation. For example, if an organisation already has an established risk management methodology, then this should also be used for risk management within its IT Governance model.

IT Governance Framework: Key Areas

The IT Governance Framework comprises the following six key areas:

- Accountability.
- Alignment.
- Delivery.
- Reporting.
- Risk Management.
- Resource Management.

The framework diagram is designed to underline the principle that IT Governance is a continuous process, with the areas of Risk Management and Resource Management being shown in the centre of the model as they support, and are central to, the other four key areas.

Accountability

- Establishing clearly defined roles and responsibilities for IT and IT Governance.
- Ensuring the IT Governance model is understood by all IT stakeholders.
- Ensuring the right balance between accountability and authority.

Alignment

- Ensuring IT Strategy is aligned with business strategy.
- Ensuring a balanced approach to investment in services and projects that support the current organisation and that help to grow or transform the organisation.
- Making informed decisions about the use of IT resources across the organisation's priorities: new markets, reducing costs, increasing revenues, improving customer satisfaction and/or customer retention.

Delivery

- Managing the delivery of IT services and projects within the agreed budget and time constraints and to the required levels of quality.
- Managing the contribution of IT to the achievement of the organisation's goals.
- Ensuring transparent and repeatable processes are in place for managing project and service delivery.

Reporting

- Measuring and monitoring the performance of all IT services and projects.
- Regular reporting of relevant information to all IT stakeholders.
- Identifying and promoting best practice and addressing areas requiring improvement.

Risk Management

- Implementing a standard approach for identifying, documenting, evaluating and monitoring risks.
- Ensuring that significant risks are understood by all relevant stakeholders.
- Ensuring that risk management is reflected throughout the organisation's processes, structures, controls and policies.
- Establishing a mechanism for escalating changes in risks when agreed tolerances have been breached.

Resource Management

- Establishing clearly defined responsibilities for IT and ensuring adequate and appropriate resources are available.
- Managing utilisation and ensuring efficient use of IT resources (people, suppliers, hardware, software, data, etc.).
- Implementing appropriate processes, controls, policies, skills, etc. to manage IT projects and services.
- Establishing processes and policies for the recruitment, development and retention of skilled IT staff.

Establishing IT Governance

Establishing a complete and detailed IT Governance model can be a long process and may involve significant change within the IT function and the wider organisation. The timescale and extent of the change will depend on the maturity of the IT function in terms of its processes, controls, etc., and the organisation's culture and existing corporate governance arrangements.

Where significant change is required, axin recommends a staged approach across each of the key areas. A staged approach starts with a review of the maturity of the IT function and an assessment of the IT-related issues and risks facing the organisation. A staged implementation plan would then be developed, with the earlier stages implementing changes to address the most significant issues and risks. At the end of each stage, axin also recommends that the assessment of issues and risks is updated and the order and/or content of subsequent stages amended, as appropriate.

Summary

- IT Governance can be defined as being the means by which an organisation ensures that its IT supports its business strategy.
- An organisation's IT Governance framework should be designed to ensure consistency with its broader corporate governance framework.
- IT Governance is becoming increasingly important due to factors such as failures in IT delivery and the impact these can have on an organisation's performance, and increased scrutiny in areas such as corporate governance and data protection.
- There is no single or standard IT Governance methodology that fits every organisation.
- axin recommends the use of an IT Governance framework that identifies the six key areas on which any organisation must focus in order to establish effective governance.
- The amount of work required to establish an IT Governance model will depend on the maturity of the IT function and the organisation's culture and existing corporate governance arrangements.
