Back

What you need to know about IT governance

IT governance is defined as the structure for aligning an organization’s IT and business strategies through the application of a formal framework to produce measurable results in achieving strategies and objectives. A formal program also takes into account the interests of stakeholders, as well as the needs of staff and the processes they follow. Overall, IT governance is an integral part of overall corporate governance.

The relationship between IT governance and Governance, Risk & Compliance (GRC)

Governance, risk and compliance is often the parent program, setting the framework for IT governance. The scope of GRC is often IT-focused, except in cases where security relates to outside of IT, and in that case covers business and other risks more extensively.

The reasons for its implementation

Organizations today are subject to numerous regulations governing the protection of confidential information, financial accountability, data retention and disaster recovery, among others. They are also under pressure from shareholders, stakeholders and customers. To ensure they meet internal and external requirements, many organizations implement a formal IT governance program that provides a framework of best practices and controls.

The customer base

Public and private sector organizations need a way to ensure that their IT functions support their strategies and objectives. A formal IT governance program should be on the radar of any organization that needs to comply with regulations related to financial and technological accountability. However, implementing a comprehensive IT governance program takes a lot of time and effort. While very small entities may practice only essential IT governance methods, the goal for larger, more regulated organizations should be a full-fledged IT governance program.

"Most IT governance frameworks are designed to help determine the overall functioning of the IT department: the key metrics that management needs and the return that IT is bringing to the business through its investments."

Where should you start?

The easiest way is to start with a framework that has been created by industry experts and used by thousands of organizations. Many frameworks include implementation guides to help organizations build an IT governance program with less acceleration, the most important of which are listed below.

COBIT (Control OBjectives for Information and related Technology): Published by ISACA, COBIT is a comprehensive framework of globally accepted practices, analytical tools, and models designed for the governance and management of enterprise IT. With its roots in IT auditing, ISACA has expanded the scope of COBIT over the years to fully support IT governance.

ITIL (Information Technology Infrastructure Library): ITIL focuses on IT service management. It aims to ensure that IT services support core business processes. ITIL includes five sets of best management practices for service strategy, design, transition (such as change management), operation and continuous improvement.

COSO (Committee of Sponsoring Organization for the Threadway Commission): COSO’s focus is less IT-specific than other frameworks, concentrating more on business aspects such as Enterprise Risk Management (ERM) and fraud deterrence.

CMMI (Capability Maturity Model Integration): Developed by the Software Engineering Institute, CMMI is a performance improvement approach that uses a scale of 1 to 5 to assess the level of maturity of an organization’s performance, quality and profitability. This system allows the addition of measures for qualitative risks.

FAIR (Factor Analysis of Information Risk): FAIR (and OpenFair) is a relatively new model that helps organizations quantify risk. The focus is on cybersecurity and operational risk, with the goal of making more informed decisions. While it is newer than the other frameworks mentioned here, we are already seeing it gain popularity with Fortune 500 companies.

Choosing the right framework

Most IT governance frameworks are designed to help determine the overall functioning of the IT department: the key metrics that management needs and the return that IT is bringing to the business through its investments.

Where COBIT and COSO are primarily used for risk, ITIL helps streamline the department and operations. While CMMI was originally intended for software engineering, it now involves hardware development, service delivery and procurement processes. As mentioned earlier, FAIR is used solely to assess operational and cybersecurity risks.

When reviewing frameworks, the corporate culture must be considered. A framework or model should normally come naturally to an organization. It should resonate with stakeholders.

That said, it is entirely possible to select only the elements of interest from each governance framework. For example, COBIT and ITIL complement each other in that COBIT often explains the “why” something is done or needed while ITIL provides the “how”. Some organizations use COBIT and COSO, as well as ISO 27001, for information security management.

Strategic consulting services from a trusted partner will help you identify the optimal framework for developing your IT governance program.

Bernard Plante
Conseiller stratégique
ESI Technologies