The 5 Domains of IT Governance
October 22, 2013
What is IT Governance?
In recent years several high-profile incidents of corporate fraud and failure helped bring the topic of corporate governance to the forefront of many business agendas. With IT now widely regarded as both a fundamental business tool and a significant factor in future business planning, effective mechanisms to align corporate governance with the management and use of IT have also surfaced as high-priority items on most corporate agendas (BSI, 2008).
The ability to actually deploy effective IT governance was hampered by the absence of applicable frameworks, standards and best practices working in tandem. With the advent of ISO 38500 in 2008, however, an international standard for IT governance was finally made available, and other frameworks and best practices quickly fell in line. In particular, resources such as COBIT 5, VAL IT, Risk IT, PMBOK, CMMI, COSO, ISO 27001, ISO 9000, ISO 20000, and ITIL v3, to name just a few, have provided invaluable guidance to companies of all shapes and sizes on how best to realize their exclusive IT Governance needs and objectives.
The 5 Domains of IT Governance
But frameworks and standards aside, what is IT governance and how can it be effectively realized within the business? Ask a room of IT governance professionals and business executives this question and chances are each one would provide a different answer. Fortunately, the ISACA organization, a leading global provider of certifications, knowledge, advocacy and education of information systems, assurance and security, has developed some useful guidance which separates IT Governance into 5 separate domains (ISACA, 2013), each of which is briefly described below:
1. Framework for the Governance of Enterprise IT
Organizations need to implement an IT Governance framework which stays in continuous alignment with enterprise governance and the key drivers (both internal and external) directing the company’s strategic planning, goals and objectives.
- This framework should wherever possible attempt to utilize industry standards and best practices (COBIT, ITIL, ISO, etc.) in accordance with the explicit needs and requirements of the business.
- The IT Governance model should be driven at the top level of the organization with roles, responsibilities and accountabilities fully defined and enforced across the organization.
2. Strategic Management
To be effective in enabling and supporting the achievement of business objectives, business strategy must drive IT strategy. As such, the strategies of business and IT are intrinsically linked, and efficient and effective business operations and growth rely on the proper alignment of the two.
3. Benefits Realization
IT Governance helps the business realize optimized business benefits through the effective management of IT-enabled investments. Often there is considerable concern at a board or senior management level that IT initiatives are not translating into business benefits.
- IT Governance aims to ensure IT benefits through the implementation of value management practices, benefits realization planning and performance monitoring and response.
- Key to benefits realization is the establishment of effective portfolio management to govern IT-enabled investments, as well as the design and utilization of appropriate performance metrics and reporting methods which are managed and responded to accordingly. The realization of a culture focused on continuous improvement can further help ensure benefits realization is achieved through a constant focus on improving business performance.
4. Risk Optimization
In an increasingly interconnected digital world, the identification, assessment, mitigation, management, communication and monitoring of IT-related business risk is an integral component of an enterprise's governance activities.
- While activities and capabilities for risk optimization of IT will differ widely based on the size and maturity of the organization and the industry vertical in which it operates, of most importance is the development of a risk framework which can demonstrate good governance to shareholders and customers in a repeatable and effective manner.
- Some important components of this dimension include business continuity planning, alignment to relevant legal and regulatory requirements, and the development of a risk appetite and tolerance methodology used to assist with risk-based decisions.
5. Resource Optimization
To be effective, IT requires sufficient, competent and capable resources (people, information, infrastructure and applications) in order to meet business demands and execute on the activities required to meet current and future strategic objectives.
- This requires focus on identifying the most appropriate methods for resource procurement and management, monitoring of external suppliers, service level management, knowledge management, and staff training and development programs.
What is perhaps most important here, however, is not that all 5 IT governance domains are fully inserted into the enterprise, but that the recommendations, standards and best practices contained in the domains are considered and applied in accordance with the needs, requirements and capabilities of the business. As such, the ISACA model is arguably most useful when it is considered as a basic guideline for injecting IT governance best practices into the business when and where they are specifically needed. It is, however, advisable that no matter the size and maturity level of the business, at least some elements from each domain should be present to ensure effective IT governance.
Notably, while Long View has implemented many of these standards and best practices via its own IT governance program in alignment with these domains to meet its own internal IT needs and strategic objectives, it has also incorporated this approach to deliver a unique IT Governance implementation in accordance with the IT services delivered to its customers. The sophistication and maturity of Long View’s IT Governance program is considered not only an important enabler for allowing the company to meet strategic objectives and ensure optimal operational performance, but is also viewed as a key differentiator over competitors when providing these same practices and capabilities to its customers. While this entry has attempted to provide a glimpse into the basic framework of what constitutes IT governance, future posts will delve deeper into each of these 5 domains and provide further insight as to not only how these can be used to strengthen and mature IT governance capabilities within a business organization, but also how Long View has applied these standards and best practices both internally and within its customer-facing service portfolio.
Follow me @SeanDMcLeod
BSI (2008) BS ISO/IEC 38500:2008 Corporate governance of information technology. London: BSI Publications
ISACA (2013) CGEIT Review Manual 2013. Illinois: ISACA Publishing