The international standard ISO 38500 provides a framework for the effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT. The purpose of IT governance is to promote effective, efficient, and acceptable use of IT in the organization while assuring stakeholders, informing the board and providing a basis for objective evaluation.
The implementation of IT governance will enable organizations to create optimal value from the use of IT through effectively and efficiently leveraging resources, optimizing risk management and delivering real benefits to the business.
Governance is the system by which the current and future use of IT is directed and controlled. Governance of IT involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve the business plans and enterprise strategic objectives. It includes a strategic road map and policies for using IT within an organization.
Management is the system of controls and processes required to achieve the strategic objectives set by the organisation's governing body. Management is subject to the policy guidance and monitoring set through the governance of IT.
IT Governance Framework
An IT governance framework provides guidance about the governance, management and operation of IT across the enterprise in alignment with its enterprise goals. The governance framework will help management assign roles, clarify responsibilities and establish accountability for decision-making that impacts on the achievement of the enterprise's strategic objectives.
An IT governance framework is based on a set of processes with clearly defined expected outcomes, a management system to co-ordinate delivery and a governance model to maintain alignment with strategic objectives.
IT Governance Charter
As part of the IT governance framework, an IT governance charter and policies are established and used to outline the decision-making rights and accountability framework for IT governance that will enable the desirable culture in the use of IT within the organisation. The IT governance charter communicates the primary responsibilities and the delegated authority.
This delegated authority is founded on a number of core principles; for example, it does not divest the board of their responsibilities concerning the exercise of the delegated power or the performance of the assigned duties in the charter.
For an organization to function effectively, it has to determine and manage numerous linked activities. An activity or set of activities using resources, and managed in order to enable the transformation of inputs into outputs, is considered a process. Often the output from one process directly forms the input to the next.
The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management to produce the desired outcome, can be referred to as the “process approach”.
An advantage of the process approach is the ongoing control that it provides over the linkage between the individual processes within the system of processes, as well as over their combination and interaction. When used within a management system, such an approach emphasizes the importance of understanding and meeting requirements and the need to consider processes in terms of added value.
IT Governance Mechanisms
An IT governance framework comprises relevant organisational structures, processes and mechanisms that enable IT to deliver value to the business and mitigate IT risk. The IT governance framework should be appropriate and applicable to the organisation. It should facilitate and enhance the organisation’s ability to reach its strategic objectives by making the most appropriate decisions about incorporating IT into its operations, programmes and services on a secure and sustainable basis.
Management is responsible for implementing the organisational structures, processes and mechanisms for the IT governance framework. A wide range of IT governance mechanisms can be implemented as part of the IT governance framework at the governance, management and operational layers.
Typical mechanisms include strategies, goals, objectives, leadership, policies, roles, responsibilities, plans, schedules, deadlines, frameworks, architecture, processes, standards, etc.
IT governance is about accountability for key decisions relating to the use of information and related technology in support of the business's value creation opportunities. An accountability framework is used by the CIO to clarify the respective decision-making authority and responsibilities across the IT management team.
The IT governance charter, accountability framework, committee terms of reference, performance contracts, role and job descriptions and outsourcing contracts are tools to outline the role, responsibilities, decision-making authority and accountability assigned to individuals and groups of individuals within the IT governance framework.