"The good news is that governance is in fact being done in most organizations. The bad news is that, despite the connection of governance to increased IT value, most organizations do not believe their governance is effective."

Opening Statement

We have devoted considerable attention to governance recently. Most companies and governmental agencies we deal with feel particularly challenged in IT decision making when resources are tight. After all, many decisions are about choices among alternatives, and when money is not available or, worse, declining, there's more at stake.

Recently, Cutter published a Cutter Benchmark Review (CBR) on IT governance based on a survey of respondents from around the world.¹ We reported both good news and bad news as a result of the survey. The good news is that governance is in fact being done in most organizations. And more importantly, the more IT governance is done in organizations, the more organization management believes IT delivers value. The bad news is that, despite the connection of governance to increased IT value, most organizations participating in the CBR survey do not believe their governance is effective. When one considers the amount of energy organizations devote to IT governance activities (prioritization, strategic IT planning, IT budgeting, PMOs, etc.), to continue to do so in the face of doubting its effectiveness is really quite amazing.

These findings led us to ask some important questions about IT governance:

• What, exactly, is IT governance?

• Does IT governance really matter?

• What should organizations do to improve their IT governance?

In this month's Cutter IT Journal, our authors focus on IT governance in these turbulent times. What's particularly exciting about the articles in this issue is that they present real data on these questions and reflect perspectives from all parts of the world.

WHAT, EXACTLY, IS IT GOVERNANCE?

The authors in this issue present six complementary definitions of IT governance. While all six articles tend to emphasize decision making about the use of IT resources, the variety of perspectives shows the degree to which IT governance remains an unsettled field. Paul Clermont relates how his original definition of IT governance -- "well-designed structures and well-crafted methods and processes, diligently and consistently used" -- foundered on the rocks of experience, eventually giving way to a more relationship-oriented approach. Tom Lodahl and Kay Redditt define IT governance as "a set of rules (implicit or explicit) about who decides what in IT, as well as the organizational mechanisms that implement these rules," while Nick Robinson believes its purpose is to "encourage desirable behavior" in the use of IT. Paul Williams laments the fact that, in many organizations, IT governance has come to mean just risk and compliance. He suggests that it has an equally important role to play in "understanding risk, dealing with it, and undertaking initiatives that bring value-creating opportunities." Wim Van Grembergen and Steven De Haes argue that the term "IT governance" itself is misleading; since the business value from IT investments must always be created on the business side, they believe we should be talking instead about "enterprise governance of IT."

Clearly there is a lot to choose from for an IT governance definition. However, Bill Walton cuts to the chase with a very helpful analogy that leads to a statement of fundamental concerns. He introduces the notion of "The Tragedy of the Commons" to show how businesses must prioritize their demand for IT or run the risk of damaging the shared IT resource through overexploitation. Walton, like several of the authors, distinguishes between "governance" and "management" and, further, identifies clear frameworks where each occurs. Walton overviews three governance frameworks (ISO/IEC 38500, Calder-Moir, and COBIT), and other authors talk in depth about these and other frameworks (e.g., Val IT) as well.

An underlying governance theme, though, is most clearly stated by Lodahl and Redditt. They focus on the importance of "fusion" in business and IT management thinking. Their point -- backed up by considerable data -- is that the value of IT governance comes from the joint participation of both communities in planning and decision making, and that this interaction, in turn, is the source of IT's delivery of value to the organization. This concept of fusion/interaction also underlies Clermont's approach to governance as well as Van Grembergen and De Haes's point about "enterprise governance of IT."

That said, we're still left with different conceptions of IT governance. On the one hand, the basis of Robinson's article and of Van Grembergen and De Haes's reported research is formal frameworks like COBIT and the implicit assumption that these form the basis of formal methodologies and processes to be used by organizations in their IT governance. Williams echoes this notion when he observes that "value does not arise by accident.... A more positive and structured approach to enterprise governance of IT will help ensure the delivery of value." On the other hand is Clermont, who makes a compelling (poignant?) case for informality and togetherness between IT and business, akin to Lodahl and Redditt's "fusion" concept. He concludes that "it's time to focus your approach to governance away from structures and formal methodologies and toward direct commonsense steps."

The debate will occur when an organization decides to improve its IT governance. Should it adopt a formal framework like COBIT and work to implement IT governance processes as defined there? Or should it work on existing processes, strengthening the degree to which business and IT work together? Or should it perhaps use a combination of these approaches? These are important questions to the extent an organization believes there's a gap to be filled, and that a framework or definition offers a target to be achieved. This begs the question, of course, of whether IT governance really matters.

DOES IT GOVERNANCE REALLY MATTER?

Lodahl and Redditt answer this question with a direct "Yes," and the other authors certainly agree. More significantly, the articles in this issue (and our own research, reported in CBR) offer plenty of data to support that answer. But what does this mean? It's not completely clear. Walton suggests one perspective, saying that IT governance matters to how IT is used in the organization, as distinct from how IT is supplied. Williams describes governance in terms of "value management." Both of these views are very business-focused. Van Grembergen and De Haes, on the other hand, interpose IT goals between governance (COBIT and Val IT processes) and business goals. And while Robinson's focus is business value, he uses IT-focused components in his article's frameworks, such as IT architecture and IT infrastructure. So what is the target for IT governance? Is it IT's use, IT supply, or both?

This all suggests that there is some variance in what people believe about exactly how IT governance matters. That is, what exactly is the focus of the decision making to be done, and the outcomes of that decision making, through the application of IT governance processes? At one end of the spectrum we find that IT governance focuses almost exclusively on the use of IT, relegating the issue of "IT supply" to IT management. In this view, business management really does not care and should not care about the details of IT delivery. At the other end of the spectrum, we see great interest in IT strategies.

Resolving this issue -- identifying the target for IT governance -- is at least as important as identifying and executing the processes of IT governance. All six articles agree that increasing IT's business value is the ultimate goal, but how best to get there is the debate.

WHAT SHOULD ORGANIZATIONS DO TO IMPROVE THEIR IT GOVERNANCE?

Given that IT governance matters, and that we have an idea of what IT governance should include, how should an organization proceed? There sometimes is an assumption with frameworks like COBIT, ITIL, and the like that all these apply equally to all organizations and the IT departments within the organizations. As with the other debates, there are significant differences among the six articles in this respect -- not so much in differing results, but in whether the issue of "fit" for governance is considered.

Here two elements of "fit" stand out. First is size -- does it matter? And second is culture -- are there different approaches to IT governance for different kinds of organizations? In terms of what actually is being done in organizations, Van Grembergen and De Haes report on over 500 organizations worldwide. One conclusion is that size does matter -- smaller organizations have adopted fewer IT governance processes than larger ones. Another conclusion is that industry matters -- the financial services sector has implemented more processes than other industries. Van Grembergen and De Haes report geographic differences as well.

Robinson focuses his article on organizational profiling, explicitly fitting the governance processes to the business and the IT organization. He talks about culture and business models and offers a framework for identifying the latter. This leads him to a "style pattern" as a way to diagnose where a company is and identify the resulting profile for governance. He concludes, "IT governance cannot be approached in a haphazard manner.... It requires structured, systematic thinking and an understanding of an organization's personality traits." To provide that structure, Walton offers a framework consisting of "range," "reach," and "cadence" for identifying an approach to IT governance, and then he maps it onto the governance/management/operational layers of organizational behavior.

CONCLUSION

There's often an unfortunate tendency for IT governance to focus on prioritization of existing resources and the demands for those resources. Years ago a CIO remarked to us, "If prioritization merely reorders the same old projects, who cares? What we need is better projects!" In IT governance terms, he's asking for engagement with the business (per Lodahl/Redditt's "fusion") to provide better insight into what is possible and, more important, what is potentially transforming for the business. Without question, this is an important, maybe even dominant, aspect of IT governance.

We have thoroughly enjoyed the process of developing this issue of Cutter IT Journal and the interaction with the authors. We hope you enjoy this important contribution to the IT governance literature and we invite you to contribute to the debate by e-mailing us your thoughts and responses.

ENDNOTE

¹ Piccoli, Gabriele (ed.). "IT Governance in 2009: A Thorn in IT's Side." Cutter Benchmark Review, Vol. 9, No. 9, 2009.

ABOUT THE AUTHORS

Robert J. Benson

Thomas L. Bugnitz