Process 1: Establish IT Governance

Published: April 25, 2008   |   Updated: October 10, 2008


Governance describes the leadership, decision-making structure, processes, and accountability that determine how an organization gets work done. Governance starts at the top, but it requires participation at every level of the organization. The nature of the decisions made and information passed to other GRC participants is portrayed in Figure 3. As it shows, there are ways for all members of the organization to contribute to successful governance.

Looking at the various groups that pass information across the organization shows that it is helpful to have a common way to communicate about GRC information. This GRC SMF focuses on the mechanisms for connecting these levels using risk management and control activities, which results in better decision making and the establishment of accountability for results.


Figure 3. The governance environment: participants and information types

IT governance can be enhanced through the clarification of objectives, roles, and responsibilities and through the application of risk management across the IT service lifecycle. This ensures that IT is able to understand business strategy and requirements, deliver value to the business while mitigating IT risks, and establish accountability throughout the lifecycle.

In everyday terms, these concepts will be made more concrete by the specific role and activities involved. For example, the IT professional setting up Microsoft® Exchange Server mailboxes will need to know the policies regarding e-mail retention and purging and ensure that these policies are effectively enforced through configuration rules and Group Policy. The IT manager needs to be aware of management’s objectives regarding corporate communications, and of the regulatory requirements that might be involved, in order to make sure that appropriate legal opinion is brought to bear and that the required policies are developed.

The CIO and other executives must determine that their organization’s strategy and any regulation affecting corporate communication are rational and that they have set appropriate direction and policy for the rest of the organization to follow.


Figure 4. Establish IT governance

Activities: Establish IT Governance

At the activity level, IT governance processes help align IT with the business through the decision-making process used to define actions for achieving strategic goals. This alignment happens through trade-off discussions and decision making. As mentioned before, governance is a management process that defines decision rights, makes sure that risk tolerance has been factored into the decisions, and provides a way to set expectations that can be assessed through a compliance process. Establishing the governance structure and process should be done before decisions need to be made. Doing this will help identify the appropriate business and IT representatives who will jointly make decisions and be held accountable. The results of governance activities ultimately affect how initiatives and technologies are chosen and provide the context for the most prized IT resource—people—to realize opportunities and benefits.

The process to establish IT governance includes the following activities:

  • Setting vision. Setting vision is not window dressing. This activity determines the overall governance structure for IT and creates decision-making power and accountability. The culture of the IT organization will be heavily influenced by the way governance is embraced and put into action.
  • Aligning IT to the business. This activity will also determine the suitability of the fit between overall governance for the organization and IT governance specifically. IT governance will suffer if this coordination is not established.
  • Identifying regulations and standards. Industry-specific regulatory requirements and standards play a critical role in gauging the exactness and rigor required for IT governance. These factors need to be examined and appropriately applied.
  • Creating policy. Getting policy right helps guide performance that delivers results based on expected behaviors and appropriate resource use.

Table 5. Activities and Considerations for Establishing IT Governance

  • The organization is subject to regulatory or other external requirements for governance
  • Management wants a clear understanding of the way IT is run
  • Business management wants to understand the contribution IT makes to business results

Set vision

Key questions:

  • What are the top strategic goals of the business?
  • What level of formality is needed to meet GRC requirements?
  • How is IT value realization measured?
  • How should IT performance be measured?

Inputs:

  • Clear strategic business goals
  • Relevant requirements from applicable standards and regulatory bodies
  • History of organization’s compliance (or non-compliance)
  • Indication of organization’s risk tolerance
  • Internal audit’s recommendations for governance
  • Defined approach for measuring value realization
  • Defined performance indicators

Outputs:

  • Structure of forums for governance activities
  • Governance policies and communication plans
  • General plan for IT risk management
  • Accountability for governance decisions
  • Performance monitoring and metrics
  • Value realization requirements
  • IT governance charter and owner

Best practices:

  • Understandable goals and clear implications require good communication. Give plenty of opportunities to ask questions, restate, and paraphrase.
  • When possible, map IT governance activities to existing business processes for strategy, planning, and decision making.
  • Design the information architecture so that performance monitoring and regulatory compliance monitoring can make use of the same information when possible.
  • For more information about vision setting and strategy alignment, see the MOF Business/IT Alignment Service Management Function.

Align IT to the business

Key questions:

  • Which key stakeholders are needed to make trade-off decisions?
  • Which qualifying and decision-making processes does the business use to determine general initiatives and projects?
  • What is the organization’s approach to risk? What is its culture of compliance to directives?

Inputs:

  • Business-prioritized goals, management directives, and identified owners
  • Legal’s interpretation of regulatory requirements
  • Clear compliance requirements from the perspective of both business and IT

Outputs:

  • Identified participants for various governance meetings (such as steering committees)
  • Coordinated business and IT planning activities
  • Factors to be considered in IT strategic planning
  • Clearly understood roles and responsibilities between business and IT

Best practices:

  • Reduce political turf battles by bringing stakeholders together with a clear process for determining trade-offs and agreed-upon escalation paths.
  • Business/IT alignment can occur across many levels of an organization; provide a forum for discussion at multiple levels.
  • For more information about vision setting and strategy alignment, see the MOF Business/IT Alignment Service Management Function.

Identify regulations and standards

Key questions:

  • What industry-based standards or regulatory requirements are drivers for the organization?
  • Is there a generally accepted framework (such as COBIT or ISO 20000) that maps well to the organization in terms of both industry and company compliance culture?

Inputs:

  • Business representation of regulatory requirements for the business
  • IT analysis of IT service management frameworks
  • IT capabilities and constraints: skills and technologies

Outputs:

  • A governance framework that represents the least organizational burden for the greatest benefit to efficiency, effectiveness, compliance, and alignment with the business

Best practices:

  • Frameworks are starting points. They provide the core concepts that then require elaboration and application to the realities of the specific organization.
  • A deep understanding of company and industry factors is needed to adapt the framework to the unique considerations of one’s own company.
  • IT professionals have technical knowledge that should be considered when applying the chosen framework so that it is achievable and supportable.

Create policy

Key questions:

  • What are the areas where the company wants to explicitly require desired behaviors?
  • What processes should have specific performance measures defined by policy?
  • What does legal representation say about the proposed policy?

Inputs:

  • Any non-compliance or regulatory issues where the company has fallen short of desired actions
  • Senior management’s goals for corporate behavior, with implications clearly understood

Outputs:

  • Documented and communicated policy
  • Mapping from policy to control objectives
  • Policy enacted into practice

Best practices:

  • For more information about policy creation and use, see the MOF Policy Service Management Function.
  • Audit provides evidence-based evaluation and recommendations regarding policy enactment and the control environment.