Although IT governance has been studied and codified, how many IT organizations can actually demonstrate and quantify improvement in their management and control of IT governance? COBIT 5 puts significant focus on IT governance, as well as the measurement and management of the quality of governance. COBIT 5 emphasizes that the purpose of governance is to provide consistency. It’s also about ensuring the following take place:
1) IT decisions are made in line with the enterprise’s strategies and objectives.
2) IT processes are overseen effectively and transparently.
3) Compliance and regulatory requirements are confirmed.
4) Governance requirements for board members are met.
Goals for governance
COBIT 5 suggests IT operations measure themselves against three process improvement goals. Understanding each goal and the recommended metrics can help IT leaders improve their IT governance.
1. Strategic decision-making is effective and aligned with the requirements of the enterprise’s stakeholders. In one of my recent posts, a reader suggested “a thorough assessment of corporate strategy and the board's understanding of IT governance” is key. COBIT 5 is based on the same insight. Two metrics are used to measure success in this case: actual vs. target cycle time for key decisions and level of stakeholder satisfaction. These are interesting metrics. The first asks, “Do you make decisions for initiatives fast enough (defined as ‘on the expected timeline’)?” The second looks at overarching stakeholder sentiment regarding IT.
2. The governance system for IT is embedded in the enterprise. For me, this begs the question, “Is IT part of the enterprise, and is its governance an enterprise function or an IT function?” COBIT 5 recommends three metrics here: the number of roles, responsibilities, and authorities that are defined, assigned, and accepted by appropriate business and IT management; the degree to which agreed-on governance principles for IT are evidenced in processes and practices; and the number of instances of non-compliance with ethical and professional behavior guidelines. The first is about the fundamental responsibilities for governance being set. At the same time, processes and practices need to be based on the company’s governance principles. And lastly, governance needs to ensure that ethical and professional behavior stays within the corporate standards of business conduct. For IT, the most pressing issue in this regard is often protecting customer and employee privacy rights.
3. Assurance is obtained that the governance system for IT is operating effectively. Governance, of course, must be measured against a standard. Three metrics are recommended: the frequency of independent reviews of IT governance; the frequency of IT governance reporting to the executive committee and board; and the number of IT governance issues reported. Together, these paint a complete picture. How often is governance reviewed externally or at the board level to ensure that the system of governance is robust? Once robustness has been assured, the telltale sign of effective governance is how many issues were reported in a given timeframe. Clearly, this number should be low.
So where should you start?
As I often suggest, you should start where the most immediate value can be driven. Frankly, I would start with the number of roles, responsibilities, and authorities that are defined, assigned, and accepted by appropriate business and IT management. In my book, governance starts with accountability. What do you think? What would be first on your list? Share your thoughts in the comments below.