IT Governance: Why It Needs to Change
IT Governance: Why It Needs to Change by Jon Scolamiero
IT Governance strikes terror to the hearts of nearly everyone doing day-to-day IT work.
The term has been misunderstood and misapplied. Sometimes unintentionally–the vague “governance as basic organizational policy.” Sometimes maliciously–the ever-popular “because I said so.” This abuse of the term has earned IT Governance an undeserved reputation as the millstone weighing people down, preventing anyone from trying to get stuff done.
With good IT governance, organizations can effectively operate, grow, and scale. Good governance is so crucial that pundits, analysts, and tech bloggers spill gallons of digital ink on the topic every year. Moreover, the first question decision-makers often ask when considering any IT decision is “How will we apply governance to it?”
With good IT governance, organizations can effectively operate, grow, and scale.
Since governance is such a crucial and timeless topic, I’m going to spend the next few weeks writing a series tackling IT Governance. For this post, I’ll start right at the foundation, reaffirming what the goals of IT governance actually are and focus on how bad governance kills innovation and culture. Later on in the series, we’ll move onto exploring what successful IT Governance looks like in the real world.
Why IT Governance
We know what governance is. But what’s often lost (and this is the problem) is why governance is. When you look at the early years of IT governance, you see that the goals are broadly defined as:
- assure that IT is being used to generate business value
- oversee management’s performance
- mitigate the risks associated with using IT
In other words, the original intent of IT Governance was almost uniformly about managing decision-makers rather than doers.
But try and define how IT Governance is done today. Actually, don’t, because you almost immediately run into a Gordian Knot of many competing and even contradictory definitions. Take a look at these varied definitions from several sources:
- “Decision rights and accountability framework to encourage desirable behavior” – Weill and Ross
- “Leadership, organizational structures and processes to ensure that the organization’s IT sustains and extends the organization’s strategies and objectives” – ISACA
- “An IT governance framework should answer some key questions, such as how the IT department is functioning overall” – CIO Magazine
It’s all over the place. Worse yet, the goals of governance become obfuscated and away from managing decision-makers to managing the doers
Further tangling the governance knot
Gartner’s definition of governance captures the sentiment of what IT Governance (ITG) is supposed to help organizations achieve, while simultaneously tightening that Gordian knot. Gartner defines ITG as processes that ensure effective use in IT enabling an organization to achieve its goals. The definition then separates ITG into two branches: IT demand governance and IT supply-side governance.
The Gartner’s alphabet soup of definitions provide a good foundation on which to build an IT Governance model. Yet, in every case, these definitions focus on the process(es) and what the processes should do. Actually creating those processes is left up to each organization. This has led to an entire industry built around creating, standardizing, and selling these processes to organizations as “formal governance models.”
In addition, the Gartner definitions slightly shift the focus of IT Governance from decision makers. This shift is subtle but important, because the resulting “formal governance models” drive processes focused more on controlling the doers.
What are organizations using for governance?
Formal governance models have many names, scopes, and styles, but some of the most popular include the industry standard ISO/IEC 38500:2015, as well as frameworks such as COBIT5, IGPMM, CMM(I), ITIL, TOGAF, Six Sigma, and more. These models span the whole spectrum of focuses and intent from the lean engineering roots of Six Sigma, to the US Department of Defense stringency of CMMI. Many of these frameworks focus on delivering policies and procedures to control the day-to-day execution of IT work, which are then tailored for a given organization.
You would expect successful organizations to be well served by such a broad spectrum of formal definitions and models with decades of history behind them, supported by deep benches of analysts, consultants, and trainers. Yet the data tells a very different story.
Formal Governance Models are Failing
In a recent Digital Business Teams survey by Gartner, traditional governance approaches are underperforming for leaders of teams that have one foot in IT and one in the business. 70% of those surveyed stated that their companies’ standards were not designed to apply to digital business teams.1 Essentially, governance was getting in the way of teams creating business value through technology.
Even deeper research shows how much traditional IT Governance hampers innovation, and dulls culture. These models tend to kill rather than foster the IT doers’ mission for creating (by means of innovation and creativity) business value.
Culture and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
In Understanding the Dimensions of IT Governance Culture, Rowlands, De Haes, and Grembergen shine a spotlight on both the lack of organization-level research around the impact of people and culture on governance, but also how that plays a role in business outcomes. “[C]ulture and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.”
To address this, they propose a new model driven by empirical research, as well as how culture impacts the implementation of ITG. This makes clear the fact that ITG is driven by culture and ITG’s success or failure directly impacts business outcomes. As recently as 2018, research was showing that new ITG models were needed.
Quite simply, research shows that if the old formal ITG models were sufficient, they would have delivered satisfactory business results.
In their 2018 article, “IT Consumerization and the Transformation of IT Governance“, it shouldn’t come as a surprise that Gregory, Kaganer, Henfridsson, & Ruch’s research produced complementary results to Rowlands, et al.. Yet their findings went even further, demonstrating the true impact of consumerization on ITG. They state, “IT consumerization not only challenges the foundations of IT governance but ultimately also transforms it.”
The unprecedented speed and depth which IT consumerization has subsumed our lives has led to a situation where the goals of ITG should remain the same, and yet the foundations on which we build ITG processes need to transform. Even to the point where the processes themselves need a complete overhaul, which once again supports the conclusions of Rowlands, et al.
IT Governance is Killing Innovation.
Finally in an article by Horne and Foster from a 2013 issue of the Harvard Business Review, the authors state the situation simply: “IT Governance is Killing Innovation… [W]hen it comes to IT’s ability to allocate investments in response to the new work environment, traditional governance processes prove grossly outdated.”
Formal and traditional governance processes (as research shows) are not delivering the results and outcomes expected. Why is that? The reasons are obvious. Traditional models of IT Governance are less focused on the original goals of IT Governance (prioritizing business value, controlling decision makers, and mitigating real risks), and more focused on controlling the day-to-day operations of front-line workers in order to avoid risk. This has ultimately killed innovation, and led to dysfunctional culture situations.
Whether via academic research, corporate results, or first-hand experience, one thing is clear. The traditional IT Governance models have failed at the original goals. They are not driving an increase in quantifiable business value, they have not appropriately controlled management’s performance, and they have not created adaptive organizations when it comes to responding to risk. Rather than using IT to unlock an organization’s creative spark and creating business value while mitigating risk, they have caused calcification instead.
There Needs to Be a Better Way.
The results above speak for themselves: IT Governance, as it’s currently constituted in the IT world, isn’t working. This doesn’t mean that IT Governance is dead and should be relegated to the dustbin of ideas. It does mean, however, that how we think about IT Governance, and how we apply it needs to change dramatically, especially in light of the exponential changes we face every day in IT.
What should that change be? I talk about that in my next blog. Click the banner below to find out how to start re-framing the way you build your governance models.
1. Gartner. “Balancing Autonomy with Control: New Governance Models for Digital Business,” October 2020