By now, it should be understood (through legislation, regulations, standards, etc.) that boards, executives, and IT must collaborate in order to gain alignment and provide value for stakeholders. The inherent challenge with this is how to do it right when determining how to both govern and manage enterprise IT. There has been a lot of buzz these days about how an enterprise should delineate between “providing direction” and “executing on that direction.” Do they have to be separated or should they be blended? Are there organizational boundaries that define their respective spans?
Why separate governance and management?
One of my major issues with IT governance is that, historically, IT has essentially been told to govern ourselves. Having been in those shoes, let me tell you that it is extremely difficult. IT needs guidance and direction from a higher authority in order to provide meaningful value to the business. Separating governance and management promotes accountability at all levels. It also provides a mechanism for good enterprise governance that focuses on stakeholder value by balancing performance and conformance.
According to the COBIT5 framework by ISACA, “Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.” This means that governance should:
This means that a key responsibility of governance is to evaluate, direct, and monitor (EDM). If you think I made that part up, think again –it came straight out of COBIT, and here’s the good part — COBIT adopted this from the international standard for IT Governance: ISO38500.
Management, on the other hand, plans, builds, runs, and monitors activities to align with and support the governance objectives. If you’re trying to get the organizational separation straight, think of it like this: Governance is a responsibility of the board, while management is a responsibility of the executive management. The figure below is a good representation of how this might look in a typical enterprise.
How does COBIT support this model?
There’s one place that I’ve found to be the most applicable viewpoint on this subject. To date, COBIT is the only comprehensive framework that assists enterprises in achieving objectives for the governance and management of enterprise IT: Realizing benefits while optimizing risks and resources. Based on five key principles and seven enablers, COBIT supports IT governance and management holistically. The key principles include: Meeting stakeholder needs, covering the enterprise end to end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. That last principle is the focus of this post.
Using the figure below I have illustrated how the COBIT domains support not only the governance of enterprise IT, but the management as well. There are five COBIT domains (one governance and four management) that align with, and support the separation of governance and management.
Frameworks are not standards and can be modified to meet the needs of most organizations, as long as the necessary separation between governance and management exists. Without this separation, there is risk with respect to accountabilities and responsibilities at different levels. If you are looking for some great information regarding the governance of enterprise IT, take a look at the ISACA COBIT5 site (http://www.isaca.org/COBIT/Pages/default.aspx). This would be a great starting point.