
IT GOVERNANCE
WHAT IS IT GOVERNANCE
The concept of “Governance” simply means
the process of decision making and the process
by which decisions are implemented.
IT Governance is the rules and regulations
under which an IT department functions. It is a
mechanism put in place to ensure compliance
with those rules and regulations.
IT Governance primarily deals with connections
between business focus and IT management. The
goal of clear governance is to ensure that investment
in IT generates business value and to mitigate the risks
that are associated with IT projects.
WHY IS IT GOVERNANCE
IMPORTANT?
 IT governance enables an organisation to:
 Demonstrate measurable results against broader business strategies and goals.
 Meet relevant legal and regulatory obligations.
 Assure stakeholders they can have confidence in your organisation's IT
services (Strong stakeholder relationships)
 Facilitate an increase in the return on IT investment.
 Comply with certain corporate governance or public listing rules or
requirements.
 Risk detection and mitigation.
 Resource management.
 Consistent performance and decision-making.
TYPES/DOMAINS OF IT
GOVERNANCE
 IT governance is not generic. Different governance frameworks exist.
These frameworks have the ability to adapt to the different needs and
priorities of a company.
 In the vast realm of IT, a business can develop its entire strategy around a
specific problem that evolves as the product or team matures — and this
can look completely different depending on what stage the business is in.
 An emerging company may want to focus on how to use IT to drive
growth fast while a more established corporation would have the
resources to double down on IT as a way to prevent and predict major
risks.
 Here are several types/domains of IT governance that teams can focus on:
1. VALUE DELIVERY
 For most organizations, technology is necessary for employees to meet key performance
indicators and drive business results. IT governance outlines clear roles, responsibilities, and
expectations that teams must adhere to so that technology investments deliver tangible value
that stakeholders can see and measure.
 Recommended best practices for ensuring value delivery:
 Define what value means for your organization: Is your business strategy currently driven by revenue
growth, customer retention and satisfaction, or other factors? Having a clear understanding of what
success means will help you correctly quantify value with appropriate metrics.
 Measure success with a balanced scorecard: Monitor IT performance across four areas: learning and
growth, internal operations, customer, and financial. Successful organizations use this approach to
help them identify short-term and long-term strengths, weaknesses, and opportunities.
 Consistently iterate and improve your strategy: Collect data and share feedback with stakeholders
regularly to always stay up-to-date with how your organization executes IT processes, if IT efforts are
meeting KPIs, and what your metrics look like compared to industry standards.
2. IT STRATEGIC ALIGNMENT
 If value delivery revolves around measuring actual results, then strategic alignment supports those
efforts by creating an environment where IT initiatives are always in sync with business objectives.
 This form of IT governance aims to strengthen cross-functional collaboration, allowing technology to
integrate seamlessly across all business departments to enable better IT strategic planning.
 IT-enabled business strategies occur when technology can effectively empower the right people and
processes at the right time. Teams are equipped with the support they need to execute business-critical
tasks faster by using technology to:
 Build better feedback loops and accelerate decision-making between all stakeholders.
 Optimize all forms of resource expenditure, whether that’s employee productivity and bandwidth, time, or
money.
 Shorten ramp-up times and learning curves for employees so they can contribute value faster.
 Collect and analyze business data to set consistent standards, encourage innovation, boost customer
experiences, and future-proof processes.
3. PERFORMANCE MANAGEMENT
 IT management is a term that encompasses a range of operational activities within the IT
function, one of them being a specific set of guidelines aimed to hone in on IT performance.
 IT performance refers to the quality and effectiveness of all technology processes within the
organization. When measuring IT performance, organizations may look into factors like:
 IT efficiency: Are your IT processes helping your organization meet goals without expending
additional or unnecessary resources to complete tasks?
 Service quality: Are your internal or external end-users satisfied with the technology solutions and
services they receive from your organization?
 Digital adoption: Are your end users equipped with the tools and resources to build technological
proficiency and close any digital skill gaps?
 Data security and privacy: Are your IT tools and processes enhanced with the necessary systems and
protocols to protect sensitive data from unauthorized access, cyberattacks, and data breaches?
4. RESOURCE MANAGEMENT
 Unlike performance management, IT resource management focuses on the backend operations
that dictate the feasibility of any IT initiative — like the people, budgets, and systems that
need to be allocated for digital transformation efforts.
 IT management frameworks help companies define standard operating procedures (SOPs) and
decision-making criteria for all resource planning, allocation, and monitoring. For example,
organizations structure their IT projects around internal or industry-wide guidelines for
procurement activities, asset maintenance, asset disposal, and vendor acquisition.
 Resource management is a type of IT governance that calls for strict and forward-looking
planning. Failure to acquire or prioritize limited resources will completely dismantle IT
projects. Poor IT resource management can lead to irreversible disaster for organizations
working with tight roadmaps, limited funding, and high stakeholder expectations.
5. RISK MANAGEMENT
 The number of cyberattacks globally increased by 38% in 2022. As more businesses and consumers
move toward cloud-based apps and services, the risks of unauthorized access to personal and private
data have never been more prevalent.
 IT governance also involves organizations carving out risk management protocols for every
technology-driven initiative put in place. A foundation for IT risk management must involve:
 Risk identification: Defines how IT departments should monitor networks and report irregularities,
vulnerabilities, and threats to the business.
 Risk assessment: Helps IT departments and stakeholders agree on prioritizing risks for quick and immediate
resource allocation when incidents occur.
 Risk mitigation: Helps organizations create and optimize workflows for preventing risks from emerging or
recurring, such as strategies for compliance assessment, incident resolution, and security training.
 Crisis management and disaster recovery: Outlines clear steps for IT departments to minimize damage when a
crisis happens, whether that’s through creating backup systems and data recovery protocols or communicating
with experts, legal teams, and stakeholders.
IT GOVERNANCE
FRAMEWORKS, MODELS AND
STANDARDS
 These set out principles, definitions and a high-level
framework that organisations of all types and sizes can use
to better align their use of IT with organisational decisions
and meet their legal, regulatory and ethical obligations.
 Companies can work with IT governance frameworks that various IT organizations and groups
have developed over the years.
 Instead of building out protocols from scratch, these frameworks give teams a clear starting
point for integrating industry-standard IT best practices into their existing organizational
culture and processes.
 An IT governance framework helps to:
 Clarify IT operations.
 State the inputs and outputs of operations.
 Clarify the main process objectives.
 Explain performance measurement techniques.
 Here are a few of the most popular IT frameworks that businesses use to protect and upgrade
their IT functions:

1. COBIT
 The COBIT framework is a well-known set of guidelines that helps businesses manage their
IT processes to ensure complete control and compliance. COBIT is used to strengthen
alignment between IT initiatives and business strategy by emphasizing areas like information
and risk management.
2. ITIL
 The ITIL framework defines IT management practices that companies commonly use to
improve the quality of their IT delivery services. This framework covers areas such as service
strategy design and operations, incident management, and change management.

3. COSO
 Organizations use the COSO framework to oversee their overall IT operations’ compliance,
reliability, and safety. Risk management is a core focus area with this framework, giving
businesses guidelines for understanding, prioritizing, and managing IT risks that can threaten
business strategies. This framework is commonly used by accounting firms, financial
organizations, and publicly traded companies.
4. CMMI
 The CMMI IT governance model helps organizations improve their processes and
performance to reach the highest level of organizational maturity. This framework defines best
practices for IT areas like process standardization, performance measurement, and internal IT
training so businesses can create a productive and process-driven environment necessary to
attain organizational maturity.

5. FAIR
 The FAIR framework was created to help businesses manage IT risk, often complementing IT
security programs. Large corporations that manage high volumes of confidential information
use this framework to help their IT departments predict and quantify risks such as data
breaches and loss.
6. ISO/IEC 38500:2015 IT Governance Framework
 ISO/IEC 38500:2015 is an IT Governance Framework that helps people at the top of the
organization better understand their legal and ethical obligations in their companies' use of
information technology.
EIGHT MAJOR
CHARACTERISTICS OF GOOD
GOVERNANCE
 Participatory: participation by both men and women is a key cornerstone of good
governance. Participation could be either direct or through legitimate institutions
or representatives. Participation needs to be informed and organized. This means
freedom of association and expression on one hand and an organized civil society
on the other hand.
 Rule of Law: Requires fair legal frameworks that are enforced impartially.
 Transparency: Transparency means that decisions taken and their enforcement are
done in a manner that follows rules and regulations. It also means that
information is freely available and directly accessible to those who will be
affected by such decisions and their enforcement. It also means that enough
information is provided and that it is provided in easily understandable forms and
media.
 Responsiveness: Good governance requires that institutions and processes try
to serve all stakeholders within a reasonable timeframe.
 Consensus Oriented: there are several actors and as many viewpoints. Good
governance requires mediation of the different interests to reach a broad
consensus on what is in the best interest of the whole and how this can be
achieved. It also requires a broad and long-term perspective on what is needed
for sustainable development and how to achieve the goals of such
development.
 Equity and inclusiveness: ensuring that all its members feel that they have
a stake in it and do not feel excluded from the group. This requires that all groups
have the opportunity to participate and be heard.
 Effectiveness and efficiency: good governance means that processes and
institutions produce results that meet the needs of business while making the
best use of resources at their disposal. The concept of efficiency in the context
of good governance now also covers the sustainable use of natural resources
and protection of environment.
 Accountability: accountability is the key requirement of good governance. Not
only governmental institutions but also the private sector and civil society
organizations must be accountable to the public and their institutional
stakeholders. Who is accountable to whom varies depending on whether
decisions and actions taken are accountable to those who will be affected by its
decisions or actions. Accountability cannot be enforced without transparency
and rule of law.
GOOD IT GOVERNANCE
PROVIDES THE FOLLOWING
ADVANTAGES
 Standardized process and procedures to better manage IT
environment.
 Maximize return on IT investment
 More effective use of IT because of closer alignment with the
business
 Alignment with corporate objectives
 Consistency with IS strategy and Policy
 Accountability and transparency in decision making that impacts on
IT.
Different organizations have different IT governance
structures. The following are some of the roles and
their responsibilities:
WHAT AN IT MANAGER DOES
EIGHT CORE ACTIVITIES
 Anticipating new technologies.
   IT must keep an eye on emerging technologies.
   Work closely with management on decisions.
   Weigh risks and benefits of new technologies.
 Participating in setting strategic direction.
   IS can act as consultants to management.
   Educate managers about current technologies/trends.
 Innovating current processes.
   Review business processes to innovate.
   Survey best practices.
 Developing and maintaining systems.
   Build or buy software.

Copyright 2010 John Wiley & Sons, Inc.


EIGHT CORE ACTIVITIES
(CONTINUED)

 Supplier management.
   Carefully manage outsourced IT.
 Architecture and standards.
   Be aware of incompatibilities.
   Inconsistent data undermines integrity.
 Enterprise Security
   Important to all general managers.
   Much more than a technical problem.
 Business continuity planning
   Disaster recovery.
   “What if” scenarios.



BUSINESS CONTINUITY
PLAN
 Approved set of preparations and sufficient procedures for
responding to a variety of disaster events.
 What do we do in case of an emergency such as 9/11?

 Three major stages of BCP:


 Pre-planning - management’s responsibility is defined, possible
risks are evaluated, and a business impact analysis is performed.
 Planning - alternative business recovery operating strategies are
determined.
 Post-planning - familiarizes employees with the plan through
awareness and training programs.



MANAGING DATA, INFORMATION
AND KNOWLEDGE
 Managing information and knowledge in the enterprise
is of particular concern to IS.
 Database administration.
 Includes collecting and storing the actual data created,
developed, or discovered.
 Deciding on format, location, and indexing of stored data.



MANAGING INTERNET AND NETWORK
SERVICES
 Intranets, extranets, Web pages, and e-mail are becoming essential
in most business environments.
 General managers must interact with the Web master, Web
designers, and Web developers.
 Networking groups design, build, maintain, and manage the
network architecture.
 Managers must be concerned with telecommunications and their
costs.



MANAGING HUMAN RESOURCES
 IS must manage its own resources.
 Provide business and technical training.
 Hiring and firing of staff.
 Tracking time, managing budgets, etc.
 Maintain skills inventory.
 Individual managers are responsible.
 OPENAI and Microsoft



OPERATING DATA CENTER
 Houses large mainframe computers or rows of servers
on which the company’s data and business applications
reside.
 Managers rarely have direct contact with data center
staff.
 Many organizations outsource data center operations.



PROVIDING GENERAL
SUPPORT
 Providing support for users of IS.
 Support requests are normally centralized.
 Centralized help desk – first contact point.
 Forward requests to knowledgeable staff.

 Many companies outsource this function.


 Not uncommon to call support and speak to someone in
another country.



WHAT IT DEPARTMENT DOES
NOT DO
 Does not perform core business functions such as:
 Selling
 Manufacturing
 Accounting.
 Does not set business strategy.
 General managers must not delegate critical
technology decisions.



IT GOVERNANCE
STRUCTURES



CENTRALIZED VS. DECENTRALIZED
ORGANIZATIONAL STRUCTURES
 Centralized – bring together all staff, hardware,
software, data, and processing into a single location.
 Decentralized – the components in the centralized
structure are scattered in different locations to address
local business needs.
 Federalism – a combination of centralized and
decentralized structures.



Figure 8.3 Organizational continuum
FEDERALISM
 Most companies would like to achieve the
advantages derived from both centralized and
decentralized organizational paradigms.
 This leads to federalism – a structuring approach
which distributes power, hardware, software, data
and personnel between a central IS group and IS in
business units.



FIGURE 8.5 FEDERAL IT



DECISION-MAKING MECHANISMS
 Policies may be used.
 The steering committee is common and works well in the
federal archetype.
 IT Governance Council – steering committee at the
highest level.
 Reports to board or CEO.
 Comprised of top-level executives.
 Provides strategic direction and funding authority.

 Lower level steering committees are responsible for
effectively allocating scarce resources.
 Companies usually have one or the other.



MANAGING THE GLOBAL
CONSIDERATIONS
 Large global IT organizations/departments face many
of the same organizational issues as any other global
department.
 For IS, a number of issues arise that put the business at
risk beyond the typical global considerations.
 Table 8.9 summarizes how a global IT perspective
affects six information management issues.



| Issue | Global IT Perspective | Example |
|---|---|---|
| Political Stability | How risky is investment in a country with an unstable government? | India, a country that faces conflict with Pakistan |
| Transparency | Domestically, an IT network can be end-to-end with little effort compared to global networks | SAP-R3 can be used to support production processes but only if installed |
| Business Continuity Planning | When crossing borders, it is important to make sure that contingency plans are in place | Concern when crossing borders is whether the data center will be available when/if needed |
| Cultural Differences | IT systems must not offend or insult those of a different culture | Using images or artifacts may be insulting to another culture |
| Sourcing | Some technologies cannot be exported or imported into specific countries | Exporting it to some countries, especially those who are not political allies, is not possible |
| Data Flow across Borders | Data, especially private or personal data, is not allowed to cross some borders. | For example: Brazil |

Figure 8.9 - Global Considerations for the MIS Organization


 https://www.youtube.com/watch?v=sJoplcYFdyg
 https://www.cnbc.com/video/2023/11/21/whats-happening-at-openai-is-a-governance-failure-professor-says.html
