The emerging role of IT governance

IT managers and practitioners think of IT governance in varying ways. Some see IT governance as "command and control" over IT initiatives; others consider it a corporate mechanism that implements a big brother approach to apply top-down constraints. From the perspective of the IT practitioner (those who represent businesses productivity), it is often seen as an unnecessary evil that stagnates the creativity and productivity of the organization. Yes, IT governance does embody management according to stringent regulations, standards, and policies, but regulation is just a subset of the overall importance of IT governance for your business. In fact, good IT governance is a strategic enabling force for your business. It is embraced by all levels in the organization and reaches far beyond the four walls of IT.

Good IT governance aligns your business strategically to support the evolution of an enterprise architecture so that it delivers consistent and scalable business value. IT governance helps you measure your business's growth and success, including its financial health. In this article we present an emerging and comprehensive perspective on IT governance that addresses your root business performance criteria -- not simply the need to satisfy IT programmatic concerns such as compliance adherence and risk management. We also introduce tools for addressing the challenge of developing, delivering, and managing an IT governance solution for your business: the IBM® Rational® Development Organization Transformation framework and the IBM IT Governance Approach.

What is IT governance?

In order to discuss IT governance and its relevance to your business, we need to define governance. One informal definition of the verb govern is "to enact and control the policies and standards of a group, organization, or country." Because governance is an enacting force, it must be further refined using operational terms -- i.e., governance is a process. And we can define "process" as "a series of actions, changes, or functions bringing about a result."¹ We'll cover the results of IT governance in a moment. First, let's assemble the pieces of this definition: "Governance enacts and controls the policies and standards of a group in a series of actions, changes, or functions which bring about a result." Now, let's extend this definition of governance in an operational context. Governance:

1. Establishes chains of responsibility, authority, and communication (decision rights)
2. Establishes measurement, policy, standards, and control mechanisms to enable people to carry out their roles and responsibilities²

In terms of IT governance, Item 1 above provides a static view of governance, bringing the structure of the enterprise into view, including how it functions and the roles and responsibilities for each member of the enterprise. As you may know, specification of the flow of decision rights is most often stated in a Responsible Accountable Consulted Informed (RACI) matrix. The RACI matrix is one of the artifacts of a governance solution.

Item 2 above provides a dynamic view of governance focused on business performance. The enterprise defines and institutes corporate policies (identifying the standards the business is going to follow and specifying a set of measures and controls) and, in turn, these policies are enforced by their business processes. Artifacts produced to define the dynamic view of governance include a policies library and governance effectiveness measures.

At its heart, governance in any form is about leadership. And IT governance is about the way in which leadership accomplishes the delivery of mission-critical business capability using Information Technology strategy, goals, and objectives. IT governance is concerned with the strategic alignment between the goals and objectives of the business and the utilization of its IT resources to effectively achieve the desired results.

IT governance disseminates authority to the various layers in the organizational structures within your business, while ensuring appropriate and prudent use of that authority. This doesn't refer simply to hierarchical structures; experience has taught us that network structures allow for specialization, teaming, and building infrastructure to support those teams. Specialization allows the sum of the parts of the organization to be greater than the whole.

However, structuring ourselves into networks can be counter-intuitive, and assembly of teams and sub-teams can often be a daunting task. Furthermore, experience has taught us that as teams grow in size and as the mission of the organization grows larger and more complex, the ability of individuals to communicate effectively and share a consistent vision decreases significantly.³ The addition of each new individual to a given project increases the potential communications traffic exponentially. Consequently, the need to implement a deliberate approach for the assembly of well-governed structures, processes, and tools requires deliberate planning, tactics, and methods.

Governance is not only for large organizations. Small organizations have a need for good governance as well. However, there are obviously a smaller number of control points to be deployed in a smaller operation.

What are the results of IT governance?

As we have defined it, governance affects business performance, and it ideally helps you outperform your competition. We will extend this a bit further to assert that governance defines business performance, specifically the performance of your IT resources as they're applied to your business's strategic objectives. Good IT governance leads directly to increased productivity, higher quality, and improved financial results. Poor IT governance, on the other hand, leads to programmatic waste, bureaucracy, lower morale, and diminished overall financial performance.

To underscore the importance of good IT governance practices, consider the production of goods or services for your customers. Your customers generally only have visibility into your business where they interface for the purpose of making requests (e.g., ordering), receiving value (e.g., products), or providing information (e.g., surveys). It is the efficiency and coordination of your internal business processes that compose end-to-end customer experience; this is an aspect of business performance and should be measured and improved. In order to positively impact business performance, your IT governance process must have focus and visibility on this overall (end-to-end) business process with which your customers interact. Poor IT governance loses sight of the customer in favor of satisfying regulations, standards, and policies in isolation. Local gains in process efficiency and productivity often do not provide favorable results in the context of the end-to-end business process. Furthermore, the implementation of externally imposed regulations on internal business processes must be accounted for in ways that positively impact your customers experience, not simply as the apparent overhead of compliance; doing otherwise simply introduces risk into your business. Good IT governance addresses whole end-to-end business processes and coordinates the activities of the enterprise over time and across organizational boundaries.

The IT governance landscape

IT governance should not be considered a company initiative. It is not a project that begins and ends, but rather is the fabric of your business and transcends time, leadership, and initiatives. And whether you have organic (grown unintentionally) or deliberate (grown intentionally) IT governance, the questions you should ask include: "How good are my IT governance processes at effectively delivering strategic business value year after year?" "Are my processes repeatable, predictable, and scalable; are they truly meeting the needs of my business (outside of IT) and my customers?"

It is no more likely that a single IT governance process will work for all IT business processes than it is for every one of your customers to be satisfied with the exact same product or service configuration for any given product or service that your company produces. Therefore, a number of IT governance related processes must be considered. The integrated collection of available IT governance processes is referred to as the IT governance landscape.

IT governance is a subset of enterprise governance, which at the highest level drives and sets what needs to be accomplished by IT governance. IT governance itself encompasses systems, infrastructure, and communication. Product development governance, like IT governance, is a subset of enterprise governance and overlaps with IT governance. Product development governance is targeted for enterprises that develop products (as opposed to service delivery, for example). Development governance is governance applied to development organizations and programs, and is a subset of IT and product development governance. Development governance encompasses the software development lifecycle. Figure 1 illustrates these relationships, highlighting development governance.

View image at full size

Figure 1: Types of governance relationships within an enterprise

Traditionally, the IBM Rational organization has focused nearly entirely on the development governance space by offering tools and technology solutions designed to increase the productivity of software development teams. However, there are many reasons why organizations decide to introduce governance into their organization; software development productivity improvement may be related to only a few of those reasons. As Maria Ericsson has noted,⁴ IBM frequently supports efforts to build Service Oriented Architectures (SOAs) to provide IT support for compliance or geographically distributed development, and to provide support for the development of governance solutions generally. Figure 2 illustrates a sample IT governance landscape with each IT governance discipline enumerated in the outer ring (just one of which is development governance). This sample IT governance landscape is reflective of one that your business requires to meet its business performance criteria. The IBM IT Governance Approach at the center of Figure 2 is discussed below.

View image at full size

Figure 2: Sample IT governance landscape

The IT governance solution (the combination of IT governance disciplines implemented across your enterprise) typical in today's enterprises includes features of many of the disciplines listed in Figure 2. However, in order to gain control over the effectiveness of your overall solution and to have that solution actively promote the delivery of strategic value to your business (i.e., undergo transition to deliberate and effective IT governance), you should consider a comprehensive adoption and continuous improvement approach using a Development Organization Transformation (DOT) approach centered around the evolution of your Enterprise Architecture (EA).

IT governance and Enterprise Architecture

To transform your organization for the purpose of improving your ability to deliver on strategic value, you must focus on the evolution of your EA. To help in this, your IT governance solution should:

• Focus on removing defects from your EA that matter to your business. Defects may include either broken and/or missing automation and business processes.
• Increase productivity by finding and fixing defects faster through improved automation and processes (transform the way you think and act).

Enterprises that depend on their IT resources to execute business strategy are becoming increasingly more complex. Murray Cantor has noted⁵ that the increasing complexity of our lives and businesses is practically unavoidable, but that there are ways in which you can and must understand and diminish the impact that complexity brings to your business. Reducing enterprise complexity, thereby increasing the effectiveness of your organization, depends on your ability to effectively manage and subsequently evolve your EA to meet the needs of your business. EA is not only about the IT infrastructural resources acquired and in place to automate the business; it is also (and perhaps more importantly) about the organizational alignment of your business. What organizational units do you have? What services do they provide? How do they interact to support your strategic initiatives? Are they aligned to enhance the effectiveness of the enterprise or is each organizational unit only really concerned with its own (local) efficiencies? Where does accountability for the delivery of strategic value lie? Hopefully not between the organizational boundaries (where no one is effectively, singularly responsible).

To truly understand (and hence be in a position to effectively manage) the complexity of your EA, you should understand the alignment of your EA strategically. Specifically, you should know how your EA implements your company's operating model. In the book EA as Strategy,⁶ Ross et al. describe the operating model as establishing a buffer between your relatively rigid Enterprise Architecture and your relatively fluid corporate strategy. It establishes integration and standardization requirements for your Enterprise Architecture by defining the long-term vision or roadmap for your business in terms of the operational needs of your business. The book defines four operating models, which are summarized in Figure 3.

View image at full size

Figure 3: Four company operating models

The degree to which your company can implement new initiatives to support changes in business strategy is known as business agility. Business agility is thus measurable through an analysis of the qualities of your operating model (longer range needs) against how well suited (flexible) your EA is at providing an implementation of those qualities -- i.e., how adaptable your EA is in the face of market conditions that lead changes in corporate strategy.

To summarize: Your IT governance solution offers the necessary visibility and execution vehicle for the management and transformation of your EA to become aligned with your business's strategic needs. Thus, the development and delivery of an IT governance solution requires the following:

• Business transformation. Business transformation is a key executive management initiative that attempts to align the technology initiatives of a company more closely with its business strategy and vision. Business transformation is achieved through efforts from both the business and the IT sides of the company. The CIO is ultimately responsible for the IT organization and its transformation. And this transformation requires Enterprise Architects who develop and execute the transformation strategically.
• Enterprise architects. Typically, an Enterprise Architect is seen as a key figurehead, the bridge between business and IT. They often report to the CIO and are responsible for communicating in and between the different businesses as well as fostering adoption of an effective EA. Enterprise architects are tasked with designing, implementing, and communicating the realities of effective EA, including securing buy-in from C-level executives down through the ranks.

IT governance solution context

IT governance is not simply a concern of your IT organization. It is the concern of your whole company, and especially for your business initiatives that depend on IT resources for execution.

Developing your IT governance solution without the full and proper context of your business (see Figure 4) will likely result in a solution that is not designed to support the strategic objectives of your business. An IT governance solution designed and implemented "within the four walls of IT" will be designed to benefit only the IT organization; in fact, that same solution stands a great chance of benefiting no one, since it has not considered the entire value chain of the business. Even worse, it will negatively impact the business in ways that may be relatively invisible across organizational boundaries. Here's a simple example. A company's overall IT budget is monitored by the finance organization, which tracks IT projects according to estimated costs and actual expenditures. Imagine that a particular project requires the IT team to invest in a commercial, off-the-shelf software (COTS) package, but rather than pegging this expenditure to the project at hand, an oversight in IT governance allows this software to be paid for out of the general IT budget. While misrepresenting the project's true cost may matter little to the IT team, the mistake might matter a great deal to the finance team in their project-by-project ROI reporting to the executive leadership. Thus, it is at such organizational boundaries where your IT governance solution may demonstrate its greatest value, or cause organizational failure. Without proper forethought and management support for building the kind of organizational transparency necessary for success, your attempt to build an effective IT governance solution may fall short of expectations.

View image at full size

Figure 4: Context for IT governance solution development

Figure 4 illustrates a model⁷ of the relationships between IT governance (as implemented through your IT governance solution), your ability to perform (your Foundation for Execution), and your businesses capabilities (your Enterprise Architecture). This model underscores the importance and role of IT governance as being primarily responsible for the coordination and evolution of your EA using the IBM Rational platform. To be able to adequately show (at a high level) the challenges associated with EA and the role IT governance has in addressing these challenges we need another view of this model, provided by Figure 5.

View image at full size

Figure 5: IT governance solution architecture

Figure 5 shows that there are several organizational units that must participate in the delivery of an automated business process (e.g., software applications). These three organizational units are responsible for 1) development of the solution using the IBM Rational Unified Process®, or RUP®, 2) creation and management of enterprise reusable services using the SOA Lifecycle, and 3) deployment and management of the solution using the IBM Tivoli® Unified Process. Additionally, notice that each organizational unit executes its own governance discipline (development governance, services lifecycle governance, and operations governance).

One of the main challenges for this type of organizational structure is the coordination of effort and resources across organizational units. In fact, it would not be uncommon for the three organizational units to be operating on their own timetables, using their own budget and resources. As an example, let's consider that the development team has a need for enterprise services changes in order to be able to move forward with development and deployment; this entails a cross-organizational working arrangement. Let's also assume that there are many, many projects ongoing at the company. Getting the time and resources of the enterprise services team to make changes in a timely manner may be next to impossible without the coordination and prioritization role of IT governance (incidentally, this is one of the main reasons we see organizations struggling to get software development lifecycle (SDLC) iteration timelines down to 2-6 weeks; many organizations are plagued with software development lifecycle (SDLC) iterations of many months due to this challenge).

It is these types of organizational challenges (as well as others) that must be addressed by your IT governance solution. And it is the IBM IT Governance Approach in combination with the Development Organization Transformation framework that forms the business process foundation upon which and effective IT governance solution is developed, deployed, and maintained.

The IBM IT Governance Approach

As illustrated earlier in Figure 2, your IT governance solution will be composed of many kinds of IT governance entities called governance disciplines. Predictably managing the complexity of these interconnected IT governance disciplines to craft a unified IT governance solution for your business is the focus and driver behind the IBM IT Governance Approach (shown in the center of Figure 2).

Overview

Soon to be available as an IBM Rational Method Composer plug-in, the IBM IT Governance Approach is an iterative approach to planning, designing, implementing, deploying, monitoring, controlling, and changing the operational processes of business operations which rely on information technology. Figure 6 depicts the structure of the IT Governance Approach using graphics similar to one used by RUP.

View image at full size

Figure 6: The IBM IT Governance Approach

The IT Governance Approach provides your company a comprehensive, repeatable, and predictable lifecycle business process for the development, adoption, and continual improvement of your IT governance solution. It provides all of the concepts, activities, artifacts, roles, and associated relationships among these elements that you would expect from the definition of a robust business process. The IT Governance Approach presents and discusses the critical characteristics of IT governance solutions (e.g., its relationship to project risk dynamics, strength of governance, and business value interests).

Architecture

The IT Governance Approach is uniquely positioned to increase the likelihood that the IT governance solution you develop and deploy will both align strategically and execute to result in realized business value. To accomplish these objectives the IT Governance Approach is architected into two high level stages: the strategic alignment stage, and the business execution stage.

The strategic alignment stage ensures that the business has appropriately aligned the use of its IT resources to the strategic goals and objectives of the business. The business execution stage ensures alignment of these goals and objectives by instrumenting them with a fully integrated and capable IT governance solution infrastructure tool set.

These two stages are further decomposed into four lifecycle milestones that define intermediate business level objectives that are to be accomplished throughout the lifecycle. These milestones and their definitions are summarized in Figure 7.

View image at full size

Figure 7: Architecture of the IBM IT Governance Approach
Click to enlarge.

Lifecycle ITG Alignment Milestone. This milestone specifies that the criteria to define/identify a strategic alignment between business and IT organizations is in hand. It also indicates that the IT governance solution team has completed the setting of objectives for the remainder of the IT Governance Approach lifecycle, including having defined precisely how business is aligned with IT, how IT is internally aligned, how (technology infrastructure) architecture is aligned, and what risk management strategies must exist. "Alignment" may be described through a rigorous traceability model that describes the dependencies, exploitations, and performance measurements across projects and organizations. Your IT governance solution must provide the enabling strategy for this alignment.

Lifecycle ITG Foundation Milestone. This milestone specifies that your IT governance solution has been baselined, and that a foundation that enables strategic execution has been fully described and concretely implemented through applicable documentation and environment automation. The IT governance solution design has been completed and is approved for introduction to project teams. Additionally, the business is ready with an implemented project and portfolio management infrastructure and process.

Lifecycle Business Performance Milestone. This milestone specifies that a collection of meaningful business performance metrics exists that is sufficient to engage in an assessment of the impact of your IT governance solution. At this milestone, project teams will have executed using your IT governance solution. However, there is not stipulation on project team execution that requires or aligns any level of completion of projects to this milestone (i.e., there is no relationship between this milestone and project execution). The real-world project data collected to this point is a snapshot of data from all participating (governed) projects.

Lifecycle Business Value Milestone. This milestone results in an objective assessment of whether or not business value is able to be efficiently delivered through use of your IT governance solutions. Note that this milestone is not aligned with the actual delivery of any results from any (governed) project. Additionally, this milestone will result in the availability of prioritized recommendations for improving the capabilities of your IT governance solution.

IT governance solution enablement

Your IT governance support unit (your Governance Center of Excellence, or CoE) designs, implements, and enables your organization by using the methodology and process expressed through the IBM IT Governance Approach. However, most organizations will also require a programmatic approach to enable perhaps hundreds of projects across tens of organizational units managing perhaps hundreds or thousands of individual practitioners. If you compound the size of the organization with the amount of time required for enablement and the constantly changing business initiatives and access to resources, you can understand the extent of the challenge regarding introduction of real, substantial, and permanent change. To address this challenge we recommend an approach using the IBM Rational Development Organization Transformation (DOT) framework⁸.

Participation of your Governance CoE using the DOT with each governed project is a critical element that helps to ensure the proper use of and adherence to your governance solution. Doing this should require the members of the Governance CoE to interact physically with project teams, meaning they should be present, either in the same physical space or virtually present via tele- or video-conferencing, especially during introduction to a new or changed governance solution. It is insufficient to simply document your governance solution, establish enablement channels (instructor led training, CBT, self-study, etc.), and "hope everyone gets it."

The DOT approach assists an organization through understanding its needs and challenges related to its ability to meet objectives and goals of the business. It starts by improving the capabilities that will drive the most value to the organization, while balancing the organization's ability to change. The communication of these improvement opportunities is in the form of waves of change, which form a transformation roadmap, as shown in Figure 8.

View image at full size

Figure 8: Example of waves of change for a single change wave initiative

Each of the change waves is executed via one or more capability packages. A capability package has the following characteristics; it:

• Implements strategic need -- determined through a Balanced Scorecard flow down, executive direction, removal of defects, and/or other assessment of your business
• Defines a deployable set of practices
• Contains Process, Tools, and Team Dynamics
• Is aligned with IT governance solution influencers and inputs including regulations, standards, and policies (e.g., SOX compliance objectives, CMMI, RUP, SE&A, etc.)
• Has multiple levels of maturity
• Contains a deployment template and general measures that are tailored and instantiated with each change wave and for each product, program, and/or application

The DOT approach is one of "adoption through execution," which means that as your IT teams make progress toward developing and delivering critical business value they also, at the same time, improve their skills and overall ability to execute. By the end of a change wave execution period your organization's productivity will have measurably increased based on the entrance and exit criteria of the change wave package. Figure 9 illustrates this point by showing the combined effect of traditional project management (vertical axis) with that of capability improvement (horizontal axis). The dashed-line path across the change waves demonstrates the ability to achieve both objectives simultaneously. One caveat here: It is vitally important that the capability improvement (horizontal axis) directly support the needs of the team to deliver business value. It does no good to build capability that does not help to also deliver a higher quality product, ahead of schedule, and/or under the cost budgets.

View image at full size

Figure 9: How capability packages work
Click to enlarge.

Summary

Your vision for IT governance must incorporate ideas and information about the way you execute your business strategy. It is about how you operationalize and subsequently capitalize on market opportunity. It is only at the lowest levels of decomposition that IT governance is about decision rights, compliance with regulations, standards, and policies. And while we do not minimize the extreme importance of these elements for IT governance, we do assert that if your IT governance solution is primarily about being compliant, etc., and secondarily about business execution, then neither your IT organization nor your business is likely to benefit strategically from your implementation. You will have missed out on the larger opportunity that IT governance offers.

Furthermore, IT governance is not only about IT. Do not make the mistake of believing that IT governance fits neatly inside the four walls of the IT organization; it does not. It spills over into and affects nearly all aspects of your business. IT development and operations are wholly reliant on their business stakeholders to understand and deliver strategic business value.

Effective IT governance offers your business the freedom and opportunity to execute and innovate within a given set of business constraints. And you must do this with the greatest possible degree of business integrity coupled with business processes, skills, partners, technologies, and your enterprise architecture.

So, how do you manage and measure the effectiveness of your IT governance solution for your business? This is the core value proposition for the IBM IT Governance Approach.

Notes

¹American Heritage Dictionary, Houghton Mifflin Company, 2000.

² "Operational IT governance," by Murray Cantor and John D. Sanders, The Rational Edge, May 2007.

³ The commonly agreed formula used to describe the amount of direct and cross-channel communications between team members on a project, where 'N' is the number of team members is: [N*(N-1)]/2 = the number of necessary communications channels.

⁴ "The governance landscape: Steering and measuring development organizations to align with business strategy," by Maria Ericsson, The Rational Edge, February 2007.

⁵ "Understanding Complexity," by Murray Cantor, The Rational Edge, November 2007.

⁶ "Enterprise Architecture's Role in Aligning Business & IT," by Allen Brown, Align Journal, July/August 2007.

⁷ Enterprise Architecture as Strategy: Creating a Foundation for Business Execution, by Jeanne W. Ross, Peter Weill, David C. Robertson, Harvard Business School Press, 2006.

⁸ "Transforming your software development capabilities: A framework for organizational change," by Zoe Eason, Lynn Mueller, and Maria Ericsson, The Rational Edge, September 2005.

Downloadable resources

• PDF of this content

Related topics

• Available soon: IBM Redbook -- The IT Governance Approach: Business Performance through IT Execution. Please check the IBM ITSO redbook site for availability: http://www.redbooks.ibm.com/portals/Rational. For more information prior to availability, feel free to contact the authors at lynn.m.mueller@us.ibm.com or aphillipson@us.ibm.com
• Available soon: IBM IT Governance Approach Plug-in for Rational Method Composer. Please check the IBM developerWorks site for availability: http://www.ibm.com/developerworks/rational/downloads/06/rmc_plugin7_1/#7. For more information prior to availability, feel free to contact the authors at lynn.m.mueller@us.ibm.com or aphillipson@us.ibm.com
• "Transforming your software development capabilities: A framework for organizational change," by Zoe Eason, Lynn Mueller, and Maria Ericsson, The Rational Edge, September 2005.