What is IT governance anyway?

What is IT governance? What does it include or exclude? Who is responsible for it? These questions are frequently asked in the blogosphere and elsewhere. Right now it’s the subject of some interesting discussion at Andrew Clifford’s IT Toolbox blog, which includes a good post by Andrew and some quality observations from others. However, the answers are less elusive than some of the debate suggests.

IT governance does have a formal definition: “IT governance is a framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensure that the organization’s IT supports and enables the achievement of its strategies and objectives.” (IT Governance: Guidelines for Directors, p20.)

Because it deals with all aspects of governance of IT, it includes system governance. Andrew is absolutely correct in identifying that there are significant systems issues – and I would argue that these issues exist primarily because of an absence of IT governance, in the sense that the organizational governance framework has failed to consider what information and, therefore, what systems requirements the organization will have.

IT governance should be owned by the board. It’s not an IT management responsibility any more than financial governance is a financial functional responsibility. Governance is the board’s job. The board is quite capable of governing IT, if it would only put its mind to it. There are a number of respectable IT governance frameworks that reflect this fundamental principle, including CobiT, the Australian Standard AS 8015:2005 and the IT Governance framework identified in ‘IT Governance Today: a Practitioner’s Handbook’.