Information technology governance, however, is a subset discipline of Corporate Governance. Although it is sometimes mistaken as a field of study on its own, IT Governance is actually a part of the overall Corporate Governance Strategy of an organization. In simple words, IT Governance is putting structure around how organizations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance. It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results.
An IT governance framework answers some key questions, such as how the IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from the investment it’s making.
The primary goals of IT Governance are to assure that the investments in IT generate business value, and to mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications and infrastructure.
Organizations and businesses need a structure or framework to ensure that the IT function is able to sustain the organization’s strategies and objectives. The framework and level we need depends on the size, industry or applicable laws or regulations. In general, the larger and more regulated the organization, the more detailed the IT governance structure should be.
IT Governance Framework
It doesn’t make sense to reinvent the wheel by starting from scratch. Start with a IT governance framework; there are many to choose from, but using at least one means everything has already been organized by industry experts.
A IT governance framework includes three elements:
- Governance principles – the principles by which all IT initiatives will be governed
- Governance structure – the roles and responsibilities of the major stakeholders in the IT governance decision-making process, including committees and organizational elements at the branch level
- Governance process – the various stages required to review, assess and approve or reject new IT initiatives
Implementing good IT governance requires a framework.
The framework Control Objectives for Information and related Technologies (COBIT) was developed in 1996, from the Information Systems Audit and Control Association (ISACA), is probably the most popular. Basically, it’s a set of guidelines and supporting tool set for IT governance that is accepted worldwide. It’s used by auditors and companies as a way to integrate technology to implement controls and meet specific business objectives. COBIT 2019 is the only business framework for the governance and management of enterprise IT. This evolutionary version incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems. COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards and resources, including ISACA’s Val IT and Risk IT, Information Technology Infrastructure Library (ITIL) and related standards from the International Organization for Standardization (ISO).
The Information Technology Infrastructure Library (ITIL) from the government of the United Kingdom runs a close second to CoBIT. The Information Technology Infrastructure Library (ITIL) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. In its current form (known as ITIL 2011 edition), ITIL is published in a series of five core publications, each of which covers an ITSM lifecycle stage.
ITIL underpins ISO/IEC 20000 (previously BS15000), the International Service Management Standard for IT service management, although differences between the two frameworks do exist. ITIL describes processes, procedures, tasks and checklists that are not organization-specific, used by an organization for establishing integration with the organization’s strategy, delivering value and maintaining a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement, and measure. It is used to demonstrate compliance and to measure improvement.