IT Governance

Essentially, IT governance provides a structure for aligning IT strategy with business strategy. By following a formal framework, organizations can produce measurable results towards achieving their strategies and goals. A formal program also takes stakeholders’ interests into account, as well as the needs of staff and the processes they follow.

Viewed holistically, IT governance is an integral part of overall enterprise governance. It can be regarded as an element of corporate governance, aimed at improving the overall management of IT and deriving improved value from investment in information and technology.

IT governance enables an organization to:

• Demonstrate measurable results against broader business strategies and goals.
• Meet relevant legal and regulatory obligations, such as those set out in the GDPR (General Data Protection Regulation).
• Assure stakeholders that they can have confidence in the organization's IT services.
• Facilitate an increase in the return on IT investment; and
• Comply with certain corporate governance or public listing rules or requirements.

ISACA through its IT Governance Institute breaks down IT governance as a general approach into the following focus areas (all driven by stakeholder value):

1. Value delivery: The value contribution of IT to a company's success is to be measured and evaluated.
2. Strategic alignment: The IT strategy must be aligned with the strategy of the company as a whole.
3. Performance management: The focus is on tracking project delivery and monitoring IT services.
4. Resource management: Decisions are to be made about goal-oriented and efficient use of resources
5. Risk management: Risks are to be identified and managed with the focus on safeguarding IT assets, disaster recovery, and continuity of operations. 

IT Governance implementation initiatives must be properly and adequately managed. Support and direction from key leadership executives can ensure that improvements are adopted and sustained. Requirements based on current challenges should be identified by management as areas that need to be addressed. Successful implementation depends on implementing the appropriate change in the appropriate way.

The implementation life cycle provides a way for enterprises to address the complexity and challenges typically encountered during implementations. The three interrelated components of the life cycle are:

1. Core continual improvement life cycle—as opposed to a one-off project
2. Change enablement—addressing the behavioral and cultural aspects
3. Program management—following generally accepted project management principles

These components form, respectively, the inner ring, middle ring and outer ring of the implementation life cycle from COBIT 5 Implementation. The seven phases of this life cycle are the following:

• Phase 1: recognition and agreement on the need for an implementation or improvement initiative. In this phase, current pain points are identified facilitating a desire to change at executive management levels.
• Phase 2: focus on defining the scope of the implementation or improvement initiative, considering how risk scenarios could also highlight key processes on which to focus. An assessment of the current state will need to be performed to identify issues or deficiencies by carrying out a process capability assessment. 
• Phase 3: improvement target set, including a more detailed analysis to identify gaps and potential solutions.
• Phase 4: practical solutions with defined projects supported by justifiable business cases and a change plan for implementation is developed.
• Phase 5: proposed solutions implemented into day-to-day practices, measurements are defined and monitoring established, ensuring that business alignment is measured, achieved, and maintained.
• Phase 6: sustainable operation of the new or improved IT governance initiatives and the monitoring of the achievement of expected benefits.
• Phase 7: the overall success of the initiative is reviewed, further requirements for IT Governance are identified, and the need for continual improvement is reinforced.

IT governance frameworks primarily help organizations to provide a road map and evaluate the performance and effectiveness of IT governance processes. It provides insight into the performance of the IT department and achieves legal and regulatory compliance with respect to IT. In this regard, an IT governance framework can provide reference models for:

• IT processes
• Input and output of processes
• Key process objectives
• Performance measurement techniques

SRC consultants are familiar with several IT governance frameworks (cf. below a list of the most common frameworks). Our experts support you on how to utilize your IT infrastructure and processes in a holistic manner facilitating alignment with core enterprise goals and visions.

Governance frameworks are intended to support the implementation of and compliance with various IT governance requirements. Companies and external service providers can have themselves certified accordingly by independent institutions. The most important IT governance frameworks are:

1. ISO/IEC 38500: It contains guiding principles designed to promote effective, efficient and acceptable use of information technology in organizations. This standard defines IT governance as an essential part of business processes in organizations and places the responsibility for this on corporate management.
2. COBIT: COBIT is considered one of the most important frameworks for implementing IT governance. It was created by the Information Systems Audit and Control Association (ISACA). COBIT comprises a process model with generally applicable and internationally accepted IT process-related requirements. Recently, COBIT 2019 was introduced as the successor to the COBIT 5 version that had been valid until then. The focus of the further development was particularly on making the COBIT 5 framework easier to adapt, especially for medium-sized companies. In addition, current topics such as DevOps and agility as well as cloud were incorporated into the further development.
3. ISO/IEC 20000: This standard deals with the implementation of IT service management. The standard serves as a measurable quality criterion for IT service management. ISO/IEC 20000 specifies the necessary minimum requirements for processes that an organization must implement. Only then can the organization provide and manage IT services in a defined quality.
4. ITIL: ITIL manages IT services across the entire lifecycle. The framework offers a collection of predefined processes, functions, and roles that are found in the IT infrastructure of medium-sized and large companies. A core requirement of the processes is measurability. The assignment of the respective activities is based on roles and functions. ITIL involves proposals for best practices, which are then adapted according to the needs of the respective company.
5. TOGAF: The Open Group Architecture Framework (TOGAF) is primarily concerned with the structure of organizations. It provides a model for the design, planning, implementation and maintenance of enterprise architectures. Companies can use it to plan efficient architectures and/or optimize existing structures.
6. AS8015-2005: A technical standard developed in Australia and published in 2005, this framework is a 12-page framework that includes six principles for effective IT governance.
7. COSO: From the Committee of Sponsoring Organizations of the Treadway Commission, this framework focuses on more general and less IT-focused processes, with an emphasis on enterprise risk management and fraud deterrence.
8. ISO/IEC 27000 series: The ISO/IEC 27000 series refers to several standards that regulate information security in companies. The best known is ISO/IEC 27001, which regulates the provision of requirements for an information security management system (ISMS).
9. IT Grundschutz: In Germany in particular, there are also the IT-Grundschutz catalogs. These are a collection of documents from the German Federal Office for Information Security (BSI). They are intended to help identify and combat security-relevant vulnerabilities in IT environments. For companies and public authorities, the IT-Grundschutz catalogs form the basis for obtaining a corresponding certification. The certification confirms that a company has taken appropriate measures to protect its IT systems against IT security threats.

COBIT is the most commonly used framework for achieving compliance. It is the acronym for Control Objectives for Information and Related Technologies.

ISACA created the COBIT framework to bridge the crucial gap between technical issues, business risks, and control requirements. It helps businesses wanting to implement, monitor, and improve IT management best practices.

The COBIT framework aims to provide a common language for IT professionals, business executives, and compliance auditors to communicate with each other about IT controls, objectives, and outcomes.

Without a common language, an enterprise under audit runs the risk of educating individual auditors about when, where, how, and why specific IT controls were created.

COBIT 5 is based on five key principles for IT enterprise governance:

• Principle 1: Meeting Stakeholder Needs
• Principle 2: Covering the Enterprise End-to-End
• Principle 3: Applying a Single Integrated Framework
• Principle 4: Enabling a Holistic Approach
• Principle 5: Separating Governance from Management

These five principles enable an organization to build a holistic framework for the governance and management of IT that is built on seven so-called "enablers":

1. People, policies and frameworks
2. Processes
3. Organisational structures
4. Culture, ethics and behavior
5. Information
6. Services, infrastructure, and applications
7. People, skills, and competencies

Recently, COBIT 2019 was introduced as the successor to the COBIT 5 version that had been valid until then. The focus of the further development was particularly on making the COBIT 5 framework easier to adapt, especially for medium-sized companies. In addition, current topics such as DevOps and agility as well as cloud were incorporated into the further development.