The effect of IT on a business's ability to perform and be competitive - and specifically what happens if you get it wrong - can be enormous. Iain Parker of the Boxwood Group looks at the crucial area of IT governance.

Most IT departments are run on ever tighter budgets with fewer resources than we would like. IT managers are rarely provided with good, clear and precise information about business priorities. However this is critical in order to assign resources effectively to meet the demands of different business units with different priorities.

The need to chase demanding project targets from even more demanding customers often conflicts with the need to maintain current services.

This situation appears to be getting more complicated and more emotive as each year passes. Time spent fighting for key resources within the IT department is no way to ensure that the business is getting what it needs from IT for the good of the organisation.

Prioritisation and communication

The solution to this issue lies in the creation of a transparent decision-making structure for IT, in order to provide managers, teams and individuals with clear and agreed priorities, as part of an overall approach to IT governance.

Without a suitable decision-making structure in place it will be impossible to ensure that IT is delivering to the best interests of the entire organisation and not just the most powerful business units. The questions that you need to be asking yourselves are:

  • What is the most effective way to engage all the directors to ensure that the technology investment supports and drives the business strategy?
  • What is the best way for the business and IT managers to work together to maximise the investment in technology, in order to maximise business value and reduce business risk?
  • How do I ensure that the organisation's technical direction is delivering technical innovation to the business?
  • How do I improve IT processes and procedures to improve consistency of delivery and reduce risk to the business?
  • How do I produce relevant and transparent performance information across IT to support the decision-making structures?

If you can answer all these questions then you will almost certainly have a clearer statement of prioritisation from the organisation's leadership. As a result this will lead to business value being increased, resources being deployed more appropriately, risks to the business being reduced and the IT department will be able to provide increased surety of delivery.

Unfortunately a good decision-making structure is only part of the story; you then have to make sure everybody knows about the changes brought about by IT governance and that IT staff are aware of the decisions. This communication needs to reach executives and the board, members of the IT department and colleagues in the business.

If people don't know what is being asked of them then it will never be delivered. The whole area of communications is typically poorly managed, either because people think a presentation will do the job or because senior managers struggle to engage with their staff. Communication of IT governance requires several approaches so you need to consider:

  • How is the importance of IT governance presented to the organisation, especially the decision-making structures?
  • How will business and IT stakeholders be managed so they support IT governance and are fully aware of the prioritisation decisions that are being made?
  • How will people get opportunities to ask questions and engage in the IT governance process?
  • How will you ensure that senior management 'walk the talk' and visibly support prioritisations made through the decision-making process?
  • How will anybody paying 'lip service' to the prioritisation process be brought in line?

Finding practical answers to these communication challenges and embedding effective communication into normal, day-to-day activities is essential to making IT governance transparent. Only then will you be able to ensure that IT delivers to the business as a result of clear prioritisation and realise the associated benefits this brings to an organisation.

Embedding processes and procedures

Improving the consistency of IT delivery is a paramount consideration for effective IT governance. Most IT organisations have processes and procedures explaining how services are delivered both for projects and operations.

Often these processes and procedures are codified but not maintained, neither are they actively policed and there is only a tacit understanding of what may be acceptable.

Adopting process for process sake will not help anybody and it will definitely not motivate your people to improve the way that they work.

However when pressed most people in an organisation want to do a good job and deliver to the best of their ability, provided they have the right tools for the task at hand. In this instance the tools are a suitable framework of processes and procedures with linkage into appropriate standards.

Changing the way people work cannot be done overnight and any attempt to do so must be paced to match the culture of the organisation. Implement too much change and people cannot absorb it all into normal operation, implement too little change and people become frustrated and unmotivated.

Control OBjectives for Information and related Technology (COBIT) provides a useful framework because it provides coverage across the breadth of an IT organisation, but there are also a myriad of guidelines that can be employed as well, e.g. ITIL®, ISO17799, CMMI and PRINCE2. Although COBIT provides good breadth its limited depth usually means that it must be supported by more detailed standards, such as those listed above.

COBIT can also appear overly complex when first encountered and a pragmatic approach is required in order to identify which of the 34 processes and 318 associated control objectives should be addressed first, from the four domains of Planning & Organisation, Acquisition & Implementation, Delivery & Support and Monitoring.

Determining the correct mix of complementary standards and embedding them in a live, dynamic work setting is a key element to successful IT governance. However it is important to retain a measure of flexibility so that exemptions from process can be exercised by senior management when business needs require it, but not when an individual feels like it.

Once IT-wide processes and procedures have started to be formalised it is important that continuous improvement becomes normal practice, in order to maintain the momentum and ensure that good practice does not fall in to disrepair.

Continuous improvement is often seen as a review to identify what went wrong after a major project failure. If this is the approach that is taken, it will not work. A variety of both formal and informal approaches is required when implementing continuous improvement so you need to consider:

  • How does your organisation differ from every other organisation and how will this impact continuous improvement?
  • What areas should continuous improvement apply to? Is it projects only or all areas of IT?
  • Should more informal 'buddying' type techniques be used as well as formal reviews?
  • How will you ensure that reviews capture good things as well as the things that need to be changed?
  • How do you ensure that views are included from everybody, not just the 'loud' people?
  • How do you ensure that review items get actioned and progressed and not just forgotten?
  • When things go well how do you celebrate success?

The route to improving IT governance through using better processes and procedures is not a simple one and requires significant effort and investment, especially to deploy a culture of continuous improvement.

The good news is that if you treat the implementation as a programme then you can adjust the pace to match the needs and culture of your organisation. You can also ensure that IT governance acts as an enabler for IT delivering more to the business whilst reducing risk and motivating people through improving the quality of their work.

Strategy-driven performance measurement

IT governance is a meandering and complicated topic that is often twisted around to mean different things to different people, despite a widely accepted definition provided by the IT Governance Institute1. However in simple terms what the board really wants is an IT department that supports the delivery of the business strategy, creates business value and reduces business risk.

In practice this requirement is frequently imposed on IT departments by administrators, who lack the detailed understanding of how IT delivers its services and the value IT can bring.

The result is a plethora of metrics and complex scorecards, which translate to meaningless, petty bureaucracy to those who actually work in IT. What is worse is that in reality this adds little, if any, value to boardroom decision-making.

Perhaps it's time for a pragmatic rethink about your IT governance and how IT is measured, in order to provide strategy-driven performance measurement as an enabler that empowers your people to deliver what the board actually wants, rather than just ensuring you get a 'tick' in the compliance box.

Performance measurement is often seen as an overhead or inconvenience, which does little to help staff in their daily work. This may be because data is sometimes collected because it can be, rather than because it's actually helping to make decisions or drive the business forward.

However performance measurement should be an integral part of IT governance, in order to help the IT department show that it is delivering against the priorities set by the business to create value and reduce risk.

This data can also identify successes, which is clearly important if you strive to manage your staff well. And finally the data will determine when things are not going well and should focus attention on any corrective actions that are needed.

The key question is: 'What to measure?' Typically too many aspects are measured and monitored, which annoys and subsequently alienates people.

Alternatively the metrics can focus too much on 'lag' measures (what has happened) rather than 'lead' measures (what may happen). The real question people should be asking is what are the goals of the IT department and how do these support the strategy of the business?

The answer lies in the use of an IT strategy map, a tool that demonstrates one of the key criteria mentioned at the start, namely how IT is 'supporting the delivery of business strategy'.

This is a natural extension of the balanced scorecard concept developed by Kaplan and Norton in the late 1990s2 and strategy mapping subsequently published in 20043. Its strength lies not only in its simplicity but also the concise articulation of how measures demonstrate delivery of IT goals, which in turn demonstrate the delivery of IT strategy to support the overall business strategy.

The ability to demonstrate the linkage between strategy, goals and measures and how different goals support each other is fundamental to ensuring that IT delivers to the business.

Once the IT strategy map has been defined it is important to select appropriate measures so that they are seen to be useful. The questions you need to be asking yourself are:

  • Am I using the right number of measures and are they linked to the strategy?
  • Do I have the correct mix of 'lag' and 'lead' measures to ensure the right balance?
  • How do I know that the measures selected are practical to collect without altering what it is I'm trying to measure?
  • How do I ensure that the measures used reflect the behaviours that I want to see?

Performance measurement is not an easy area to master for any organisation or department within an organisation. This is made even more complicated for the IT department, due to the ever-changing demands from the business and the pace of change.

However the use of strategy-driven performance measurement enables IT to clearly demonstrate that it is delivering what the business wants or for the business to articulate what it wants better.

Either way strategy-driven performance measurement will provide you with the right information upon which to take decisions, in order to ensure that IT delivers to the business through better IT governance.

Iain Parker MBCS is a member of the BCS Elite group and a recognised specialist in implementing IT governance. He works for the Boxwood Group delivering IT governance projects. 


  1. IT Governance Institute (2003) Board Briefing on IT Governance. IT Governance Institute.
  2. Kaplan, R. and Norton, S. (1996) Balanced Scorecard: Translating Strategy into Action. Harvard Business School Press.
  3. Kaplan, R. and Norton, S. (2004) Strategy Maps: Converting Intangible Assets into Tangible Outcomes. Harvard Business School Press.