What is IT Governance? And Why Does it Need to Change?

IT governance has a reputation for striking terror in the hearts of nearly everyone doing day-to-day IT work.

It’s easy to see why there is collective anxiety around the subject. The term has been misunderstood and misapplied — sometimes unintentionally (the vague “governance as basic organizational policy”), and sometimes maliciously (the ever-popular “because I said so.”). This abuse of the term has earned IT governance an undeserved reputation as the millstone weighing people down, preventing anyone from trying to get stuff done.

But there is a way out of this exasperating bottleneck and discourse. Solutions involve restoring the original goals that IT governance was designed to accomplish. Think creativity generated with productive collaboration and effective processes rather than bureaucracy and micromanaged teams. Let your ITG stakeholders breathe a little while establishing workflows necessary to high-performing IT governance models.

When the framework is implemented with care and consideration of an organization’s unique strengths, IT governance can be a game-changer.

With good IT governance, organizations can effectively operate, grow, and scale. Good governance is so crucial that pundits, analysts, and tech bloggers spill gallons of digital ink on the topic every year. Moreover, the first question decision-makers often ask when considering any IT decision is “How will we apply governance to it?”

With good IT governance, organizations can effectively operate, grow, and scale.

Since governance is such a crucial and timeless topic, I’m going to spend the next few weeks writing a series tackling IT governance. For this post, I’ll start right at the foundation, reaffirming what the goals of IT governance actually are and focusing on how bad governance kills innovation and culture. Later on in the series, we’ll move on to exploring what successful IT governance looks like in the real world.

What is IT governance?

IT governance is how an organization leverages IT solutions to support its enterprise. With the right framework, IT governance ensures that computers and internet and all things technology are managed internally in pursuit of a company’s mission and goals.

The concept of IT governance emerged around 1993, stemming from corporate governance—a means to manage and operate an organization. But today many organizations struggle to find the right IT governance game plan and consequently they fall behind on their implementation goals. This is a widespread problem. The Harvard Business Review even reported that IT governance “kills innovation” and it is time to rethink “traditional IT project-centric approaches to identifying and funding capital investment opportunities.”

Why IT governance?

We know what governance is. But what’s often lost (and this is the problem) is why governance is necessary. When you look at the early years of IT governance, you see that the goals are broadly defined as:

  1. To assure that IT is being used to generate business value
  2. To oversee management’s performance
  3. To mitigate the risks associated with using IT

In other words, the original intent of IT governance was almost uniformly about managing decision-makers rather than doers.

But try and define how IT governance is done today. Actually, don’t, because you almost immediately run into a Gordian Knot of many competing and even contradictory definitions. Take a look at these varied definitions from several sources:

  • “Decision rights and accountability framework to encourage desirable behavior.” – Weill and Ross
  • “Leadership, organizational structures and processes to ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.” – ISACA
  • “An IT governance framework should answer some key questions, such as how the IT department is functioning overall.” – CIO Magazine

It’s all over the place. Worse yet, the goals of governance become obfuscated and away from managing decision-makers to managing the doers.

Further tangling the governance knot

Gartner’s definition of governance captures the sentiment of what IT governance (ITG) is supposed to help organizations achieve. Gartner defines ITG as processes that ensure effective use in IT, enabling an organization to achieve its goals. The definition then separates ITG into two branches: IT demand governance and IT supply-side governance.

Gartner’s alphabet soup of definitions provide a good foundation on which to build an IT Governance model. Yet, in every case, these definitions focus on the process(es) and what the processes should do. Actually creating those processes is left up to each organization.  This has led to an entire industry built around creating, standardizing, and selling these processes to organizations as “formal governance models.”

In addition, the Gartner definitions slightly shift the focus of IT governance from decision makers. This shift is subtle but important, because the resulting “formal governance models” drive processes focused more on controlling the doers.

What IT governance frameworks are being used?

Formal governance models have many names, scopes, and styles, but some of the most popular frameworks:

These models span the whole spectrum of focuses and intent from the lean engineering roots of Six Sigma, to the US Department of Defense stringency of CMMI. Many of these frameworks focus on delivering policies and procedures to control the day-to-day execution of IT work, which are then tailored for a given organization.

You would expect successful organizations to be well served by such a broad spectrum of formal definitions and models with decades of history behind them, supported by deep benches of analysts, consultants, and trainers. Yet the data tells a very different story.

IT governance models for success

It is stunning how frameworks so crucial to an organization’s success can end up creating new sets of problems. With every IT governance framework, you want to ensure that IT and business stakeholders are aligned with organizational goals and can generate value with every technology decision. But the results of typical IT governance models are insufficient at best, and sometimes even counterproductive.

Successful models of IT governance must be quick to adapt and respond both to evolving business goals and our ever-changing world. Frameworks must prioritize the generation of business value and to do that means cutting red tape. There’s no one size fits all framework but every IT governance strategy should incorporate speed and mobility to adapt; likewise, stakeholders should feel empowered by the process rather than hindered by bureaucracy.

We have observed great success in the field using a model called the 4 Ps: Portfolio, People, Process, and Platform, which is outlined in the ebook, Your New Governance Framework. Unlike under-performing formal and traditional governance models, the 4 Ps encourage productive collaboration between business and IT departments, data is leveraged, processes are implemented to advance organizational goals, and there’s alignment between business and tech goals.

Formal governance models are failing

To unlock a team’s creativity and boost the innovation of an enterprise, an organization must implement IT governance suited for its goals. It won’t happen through formal models of IT governance which are stagnant and inflexible by design.

In a recent Digital Business Teams survey by Gartner, traditional governance approaches are underperforming for leaders of teams that have one foot in IT and one in the business. 70% of those surveyed stated that their companies’ standards were not designed to apply to digital business teams.1 Essentially, governance was getting in the way of teams creating business value through technology.

Even deeper research shows how much traditional IT governance hampers innovation and dulls culture. These models tend to kill rather than foster the IT doers’ mission for creating (by means of innovation and creativity) business value.

Culture and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.

In Understanding the Dimensions of IT Governance Culture, Rowlands, De Haes, and Grembergen shine a spotlight on both the lack of organization-level research on the impact of people and culture on governance, and also how that plays a role in business outcomes. “[C]ulture and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.”

To address this, they propose a new model driven by empirical research, as well as how culture impacts the implementation of ITG. This makes clear the fact that ITG is driven by culture and ITG’s success or failure directly impacts business outcomes. As recently as 2018, research was showing that new ITG models were needed.

Quite simply, research shows that if the old formal ITG models were sufficient, they would have delivered satisfactory business results.

In the article, “IT Consumerization and the Transformation of IT Governance,” Gregory, Kaganer, Henfridsson, and Ruch’s research produced complementary results to Rowlands, et al. Yet their findings went even further, demonstrating the true impact of consumerization on ITG. They state, IT consumerization not only challenges the foundations of IT governance but ultimately also transforms it.”

The unprecedented speed and depth in which IT consumerization has subsumed our lives has led to a situation where the goals of ITG should remain the same, and yet the foundations on which we build ITG processes need to transform. Even to the point where the processes themselves need a complete overhaul, which once again supports the conclusions of Rowlands, et al.

IT governance is killing innovation.

Finally, in an article by Horne and Foster for the Harvard Business Review, the authors state the situation simply: “IT Governance is Killing Innovation…  [W]hen it comes to IT’s ability to allocate investments in response to the new work environment, traditional governance processes prove grossly outdated.”

Formal and traditional governance processes (as research shows) are not delivering the results and outcomes expected. Why is that? The reasons are obvious. Traditional models of IT governance are less focused on the original goals of IT governance (prioritizing business value, controlling decision makers, and mitigating real risks), and more focused on controlling the day-to-day operations of front-line workers in order to avoid risk. This has ultimately killed innovation, and led to dysfunctional culture situations.

Whether via academic research, corporate results, or first-hand experience, one thing is clear. The traditional IT governance models have failed at the original goals. They are not driving an increase in quantifiable business value, they have not appropriately controlled management’s performance, and they have not created adaptive organizations when it comes to responding to risk. Rather than using IT to unlock an organization’s creative spark and creating business value while mitigating risk, they have caused calcification instead.

There needs to be a better way

The results above speak for themselves. IT governance, as it’s currently constituted in the IT world, isn’t working. This doesn’t mean that IT governance is dead and should be relegated to the dustbin of ideas. It does mean, however, that how we think about IT governance, and how we apply it needs to change dramatically, especially in light of the exponential changes we face every day in IT.

Click the banner below to learn how to start reframing how you build your governance models.