Achieving corporate objectives with IT governance

Definition: What is IT governance?

IT governance is nothing more than a framework used to make sure that the IT infrastructure supports the corporate strategy and objectives. It oversees processes and data assets as well as management structures and regulatory compliance requirements.

It is an area of corporate management whose importance is often underestimated: business decisions can only effectively support objectives if the IT strategic orientation is in line with the company’s goals.

An adequate IT governance strategy covers the following areas:

• IT strategy and objectives
• Roles and responsibilities
• IT risk management
• Resource management
• Collaboration and communication
• Compliance
• Measurement and monitoring of performance

It is through the interplay of these factors that a company systematically and structurally aligns its entire IT and controls its use.

Connection with corporate governance

IT governance is, therefore, linked to corporate governance, which in turn belongs to the area of governance, risk and compliance (GRC). Together, they ensure appropriate leadership, management and control of resources and sensitive data by applying certain principles, processes and practices.

Governance in general protects and promotes the interests of all stakeholders: It is about having firm structures that protect and benefit all stakeholders. Where corporate governance takes a holistic view of the company, IT governance focuses primarily on targeted IT service management.

In addition, IT governance overlaps in some respects with data governance, which aims to use information and high quality data to effectively to achieve objectives.

IT governance vs. compliance

IT governance and compliance are closely related. Each contributes to a company’s performance and integrity.

To help achieve more compliance, IT governance does the following:

• Identifies compliance requirements, such as the general data protection regulation (GDPR)
• Integrates compliance into IT strategy and processes
• Monitors and reports on compliance
• Manages risks
• Creates transparency and traceability

The Role of ISO/IEC 38500

This is the international standard that provides governance guidelines for corporate IT environments. Companies use the guideline to adjust their IT resources so that they comply with the ISO/IEC 38500 standard.

The following principles are important here:

1. Responsibility: This should be borne by the company management (top-down principle).
2. Strategy: The IT strategy is subordinate to the corporate strategy, which defines the requirements for IT.
3. Acquisition: The IT budget should be consistently based on requirements – and subject to transparent decisions.
4. Performance: The performance of IT services must match the requirements of the respective departments and divisions.
5. Conformance: IT services must be provided in accordance with standards, norms and specifications.
6. Human Behavior: The needs of users (internal and external) must be taken into account.

Objectives of IT governance

Its general purpose is to effectively use the company’s IT resources in order to achieve relevant goals, minimize risks and create tangible added value.

The following goals are important:

• Aligning with corporate objectives: The overriding imperative of governance is to align IT strategy and activities with overarching business objectives. In this way, IT ideally makes an active contribution to the company’s success and creates competitive advantages.

• Value creation: This goal is closely related to the previous point: The use of IT systems should generate added value for the company. This can be achieved, for example, through optimized processes, greater efficiency or higher customer satisfaction.

• Building effective strategies: Data and data management are the new gold – and the IT department plays a key role. They must be data stewards and use available information strategically. This helps establish clear data security processes for the entire company.

• Mitigate IT risks: This is about IT protection, which companies improve by, for example, updating software and systems in use. It also involves securing networks and data, training employees and limiting shadow IT – the unauthorized use of hardware and software. Entire teams are deployed in large companies for this area.

• Creating synergies: IT has to deal with plenty of different stakeholders, each of whom has different expectations. Governance can be used to bring together seemingly conflicting interests so that added value is created on all sides.

• Measuring performance: Checking that everything is functioning properly and working towards relevant goals is also the task of IT governance. In concrete terms, this means, analyzing the benefits of certain IT projects using key figures and data. This ensures that IT activities and strategies deliver their intended benefits.

Selecting the Right Framework

Governance is made easier by relying on an established framework. Such a framework specifies how organizations can achieve a good level of governance based on concrete practices and measures.

If you want to implement an IT governance program, you will benefit greatly from a suitable framework. Here is an overview of some frameworks.

1. ITIL (Information Technology Infrastructure Library)

ITIL provides best practices for IT service management (ITSM). Although ITIL focuses on ITSM as a whole, it provides helpful guidelines and processes to support IT governance.

In principle, this framework provides the strategies to successfully set conditions that are used to achieve good IT compliance.

2. COBIT (Control Objectives for Information and Related Technologies)

COBIT is a widely used framework developed by the Information Systems Audit and Control Association (ISACA). It provides comprehensive best practices and objectives for governing the IT environment and is geared towards the company’s objectives.

3. NIST Cybersecurity Framework

NIST primarily aims to improve cybersecurity. However, this framework also provides a set of practices and controls that organizations can use to enhance their overall oversight of the IT environment. NIST can be used flexibly by organizations of all sizes.

4. PRINCE2 (Projects IN Controlled Environments)

This is a process-oriented framework that is used to run, manage and monitor projects effectively. It can also be used to manage IT projects in a structured manner. Even if it does not focus exclusively on governance, PRINCE2 provides effective support.

5. TOGAF (The Open Group Architecture Framework)

This framework focuses on enterprise architecture management. Companies can use TOGAF to establish a comprehensive architecture for their IT landscape that aligns systems with business objectives.

Tips for a successful IT governance strategy

Once business objectives and an appropriate framework have been defined, a strategy can be implemented. The following tips may prove useful.

Define clear responsibilities and roles

There is always a need for people to take responsibility and drive processes forward. The project management principle of defining roles early on also applies here: it should be clear which IT managers, IT employees and stakeholders are responsible for workflows, reporting or monitoring performance. In general, everyone involved should know their responsibilities and what is expected of them.

Involve stakeholders

Since IT impacts the company as a whole, governance must not be a purely internal project of the IT department. If the strategy is to serve the interests of all stakeholders as far as possible, these must first be taken into account. Communicating and collaborating transparently with stakeholders therefore counts immensely.

Define and monitor key figures

Data and key figures, such as KPIs, are important in order to focus on specific performance and achieve relevant progress. For example, it is very helpful to define IT standards and set up mechanisms to monitor IT systems and processes. On this basis, a valid evaluation can be made of how successful a strategy and related actives are – changes can then be made, if necessary.

Working with feedback

It is not only about quantitative key figures, but also about qualitative feedback. People, such as employees or stakeholders, can be asked to what extent the IT systems and activities contribute to achieving the company’s goals. This can be done with a short questionnaire or simply through discussions. It goes without saying that those responsible should then take the feedback into practice: if it is justified in terms of content, it deserves to be part of the implementation.

Continuously improve processes

Continuous optimization is also part of functional. IT governance is not a project that is completed at a certain point in time. Instead, it should be a constant focus for those responsible. Over time, process management makes adaptations and improvements.

Conclusion: IT governance – a strategic undertaking

Governance inevitably plays a major role for companies. It is closely related to the areas of risk management and compliance and focuses on strategic corporate goals.

An IT governance solution focuses specifically on the management of IT, including the use of systems other IT-specific factors. Its objectives include acting strategically in line with corporate goals, increasing added value and minimizing IT risks.

To achieve good IT governance, companies should be guided by a suitable framework and consistently pursue a strategy – including clear responsibilities, performance indicators, adjustments and improvements.

Find out how OTRS can help you with IT governance.

Contact our experts