IT Governance is a framework that ensures an organisation’s IT strategy is aligned with its business strategy. With a best-practice framework in place, an organisation can measure how well its strategies deliver its goals. This includes a holistic view of stakeholders’ interests, the needs of staff, and the processes required at every stage of work. IT Governance is also described as the bridge that integrates IT into overall business governance. That integration covers not only governance but also risk and compliance, by organising activities into processes with clearly defined outcomes that can be linked to the organisation’s strategic objectives.
The primary goals of IT Governance are to:
- assure that the use of information and technology generates business value,
- oversee management’s performance, and
- mitigate the risks associated with using information and technology.
Every organisation implements an IT governance structure to ensure it meets internal and external requirements, with best practices and controls in place. The details usually differ from one organisation to another and from one region to another, because each region is subject to different regulations from its local authorities. The differences usually involve the protection of confidential information, financial accountability, data retention and disaster recovery.
IT Governance frameworks are widely used in both the public and private sectors. Formal IT governance is on the radar of organisations in every industry, since it is needed to comply with regulatory requirements ranging from financial to technological accountability.
The most common way for an organisation to start with IT Governance is to adopt a framework that industry experts have developed over many years and that most organisations around the world already use.
The most commonly used frameworks are:
- COBIT: Published by ISACA, COBIT is a comprehensive framework of “globally accepted practices, analytical tools and models” designed for the governance and management of enterprise IT. With its roots in IT auditing, ISACA has expanded COBIT’s scope over the years to fully support IT governance. The latest version is COBIT 2019, which is widely used by organisations focused on risk management and mitigation.
- ITIL: Formerly an acronym for Information Technology Infrastructure Library, ITIL focuses on IT service management. It aims to ensure that IT services support the core processes of the business. ITIL comprises five sets of management best practices for service strategy, design, transition (such as change management), operation and continual service improvement.
- COSO: This model for evaluating internal controls comes from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO’s focus is less IT-specific than that of the other frameworks, concentrating more on business aspects such as enterprise risk management (ERM) and fraud deterrence.
- CMMI: The Capability Maturity Model Integration method, developed by the Software Engineering Institute, is an approach to performance improvement. CMMI uses a scale of 1 to 5 to gauge an organisation’s maturity level in performance, quality and profitability. According to Calatayud, “allowing for mixed-mode and objective measurements to be inserted is critical in measuring risks that are qualitative in nature.”
- FAIR: Factor Analysis of Information Risk (FAIR) is a relatively new model that helps organisations quantify risk. Its focus is on cybersecurity and operational risk, with the goal of supporting better-informed decisions. Although it is newer than the other frameworks mentioned here, Calatayud points out that it has already gained a lot of traction with Fortune 500 companies.
When reviewing which framework best suits your organisation, understanding your corporate culture is the key to the decision. Consider which framework or model fits your organisation well and resonates with your stakeholders. To keep the programme on track and achieve significant results, an organisation should keep communication open between all parties involved, measure and monitor the progress of the implementation, and not hesitate to seek external assistance if help is required.