IT Governance first emerged in the late 1990s, after many major computer system failures and issues surfaced in the global media. The 1990s saw the recognition that computer systems were essential to the operation of a modern business enterprise. Many audit firms identified a need to review IT Governance in their annual audits, and IT organizations scrambled to create some form of governance. In 1998 the ISACA (formerly Information Systems Audit and Control Association) created the ITGI (Information Technology Governance Institute) to define what IT Governance should be.
In the early days of IT Governance, many CIOs created review boards and steering committees internal to the IT organization, and these were basically a checkbox for annual audits.
Today IT Governance means placing control over computer systems, computer operations, computer system investment, acquisition, and development in the hands of the business owners and managers.
There are two key levels of Governance required. One is at the board of directors (or ownership) level of an enterprise and the other is at the business management level. The driving force is the fact that IT, or whatever it is called in your organization, should be a service organization that provides systems and resources that support the business. The IT organization does not own or control systems, computers, or technical resources. Its staff are simply the custodians who maintain them at the behest of management.
The role of the Board of Directors or Owners of the Enterprise.
Most methodologies recommend that the board form and fund an IT Governance committee to create policy for the operation of the IT entities within the enterprise, such as guidelines on purchasing versus developing software and the return on investment expected from computer systems. Additionally, the IT Governance committee must review IT and computer systems on an ongoing basis to ensure that the objectives of the enterprise are being met.
Operational Management and Governance
An executive steering committee consisting of the CEO and senior executives of your enterprise needs to be formed to review all IT activities and projects that exist within your enterprise. Many smaller projects are delegated to functional area executives within the organization, often based on the cost of the projects. The executive steering committee reviews overall budgetary allocations to the various business units as well as projects exceeding a certain dollar value. They may also get involved with smaller projects that cross multiple areas of the enterprise.
In all cases these bodies are completely responsible for the decision making in terms of requirements, buy versus build, and the cost-effective implementation of system projects, as well as the ongoing ROI (return on investment) for any given system and/or project.
The key here is that the business units are in charge. IT provides services to implement the wishes of the business units.
In my book I point out that while new systems acquisition or development is often reviewed by management, it is rare that anyone reviews existing systems to determine if they are still providing the return on investment over their cost of continued support and operations. Many companies find that over 80% of their IT budgets are being spent maintaining old systems, with very little new functionality or value being provided. The book explains both the risks of system maintenance and the cost factors and risk factors involved. The bottom line is that there comes a time when a system has reached the end of its useful life. This is where the board of directors needs to take charge, review findings, and initiate financially sound mandates.