Process 1: Establish IT Governance
Published: April 25, 2008 | Updated: October 10, 2008
Governance describes the leadership, decision-making structure, processes, and accountability that determine how an organization gets work done. Governance starts at the top, but it requires participation at every level of the organization. Figure 3 portrays the kinds of decisions made at each level and the information passed on to other GRC participants. As it shows, every member of the organization has a way to contribute to successful governance.
Because so many groups pass information across the organization, a common way of communicating about GRC information is needed. This GRC SMF focuses on the mechanisms that connect these levels through risk management and control activities, which leads to better decision making and clear accountability for results.
Figure 3. The governance environment: participants and information types
IT governance is strengthened by clarifying objectives, roles, and responsibilities and by applying risk management across the IT service lifecycle. This helps IT understand business strategy and requirements, deliver value to the business while mitigating IT risks, and establish accountability throughout the lifecycle.
In everyday terms, these concepts become concrete through the specific roles and activities involved. For example, the IT professional setting up Microsoft® Exchange Server mailboxes needs to know the policies regarding e-mail retention and purging and must make sure those policies are actually enforced: retention and purging of mailbox content are enforced by server-side Exchange configuration, while Group Policy governs related client-side settings such as local archiving, and the resulting configuration should be verified rather than assumed. The IT manager needs to be aware of management’s objectives regarding corporate communications and of any regulatory requirements that apply, so that appropriate legal opinion is brought to bear and the required policies are developed.
The CIO and other executives must satisfy themselves that the organization’s strategy is sound, that any regulation affecting corporate communication has been identified and understood, and that they have set appropriate direction and policy for the rest of the organization to follow.
Figure 4. Establish IT governance
Activities: Establish IT Governance
At the activity level, IT governance processes help align IT with the business through the decision-making process used to define actions for achieving strategic goals. This alignment happens through trade-off discussions and decision making. As mentioned before, governance is a management process that defines decision rights, makes sure that risk tolerance has been factored into the decisions, and provides a way to set expectations that can be assessed through a compliance process. Establishing the governance structure and process should be done before decisions need to be made. Doing this will help identify the appropriate business and IT representatives who will jointly make decisions and be held accountable. The results of governance activities ultimately affect how initiatives and technologies are chosen and provide the context for the most prized IT resource—people—to realize opportunities and benefits.
The process to establish IT governance includes the following activities:
- Setting vision. Setting vision is not window dressing. This activity determines the overall governance structure for IT and creates decision-making power and accountability. The culture of the IT organization will be heavily influenced by the way governance is embraced and put into action.
- Aligning IT to the business. This activity also determines how well IT governance fits the organization’s overall governance. IT governance will suffer if this coordination is not established.
- Identifying regulations and standards. Industry-specific regulatory requirements and standards play a critical role in determining the precision and rigor required of IT governance. These factors need to be examined and applied appropriately.
- Creating policy. Well-written policy guides behavior and resource use toward the expected results.
Table 5. Activities and Considerations for Establishing IT Governance
Activities | Considerations | Assumptions
Set vision | Key questions: / Inputs: / Outputs: / Best practices: |
Align IT to the business | Key questions: / Inputs: / Outputs: / Best practices: |
Identify regulations and standards | Key questions: / Inputs: / Outputs: / Best practices: |
Create policy | Key questions: / Inputs: / Outputs: / Best practices: |