IT Governance

Here's a topic that I've been struggling to conceptualize lately.  What does information technology (IT) governance mean and why is it important?  This is another of my thinking out loud posts, so please feel free to offer any helpful suggestions for improving my understanding.

IT governance stems from the concept of business governance.  And the term governance is borrowed from the political concept of governing a nation.  When governing a nation, the government sets and establishes the freedoms and constraints on individual action and decision making.  I'm not saying this is the best definition of government, but it is my working premise.  Similarly, business and IT governance set the context for decision-making in organizations by setting freedoms and constraints.

Governance in both these contexts is differentiated from management and strategy.  Strategy can be described as the long term goals and objectives of an organization.  Established by the executives, this vision of the company's future drives lower level tactical and operational objectives.  Management involves the implementation of these long-term goals and objectives.  It involves the directing the people and resources so as to achieve the desired goals efficiently and effectively.  In my understanding of governance, it provides the framework for how to make management level decisions.

For example, a strategic goal may be to facilitate IT growth through outsourcing partnerships with major consulting firms.  At the managerial level, the expectation would be that decisions that require IT growth should strongly consider outsourcing partnerships.  The problem comes from ensuring that managers throughout the organization enact the strategic goal in similar and congruent fashions.  The solution to this problem is developing a governance board the creates frameworks for decision-making and reviewing major decisions to ensure compliance.  In the case of outsourcing partnerships, the governance board might establish policies for reviewing consulting companies in an objective and systematic way to ensure that the best partnership is established, that the existing partnerships are given full consideration, and that the IT solution is congruent with the overall strategy.  They may further review outsourcing proposals to ensure they meet the appropriate criteria and constraints.

Every organization will govern IT in unique ways.  Some will be very strict and require every new IT project to be approved by an IT governance board.  Some will only require medium and large project approval, say projects over $100,000 budget.  Some organizations will have primarily business managers on the IT governance board, while other organizations will stock the board with primarily IT managers.  Some organizations will have very weak governance, enabling local decision-making with few constraints, while other organizations will have a strong centralized governance.

IT governance becomes an essential part of an organization as it grows too large for a single person to confirm and direct the implementation of strategy by managers.  While the traditional hierarchical management structure works for simple strategies, the sprawl of today's organizations makes for radical differences in implementation of IT resources unless a governance board directs and reviews lower level decisions.  Furthermore, efficiency from economies of scale can only be gained when the entire organization uses the same IT infrastructure, which is only possible if a centralized decision making unit provides the necessary framework.

Not that all is rosy using governance boards.  There can be problems when governance boards become so restrictive that business units end up adopting new technologies that are not best for them, even if the technology is best for another business unit.  I saw an example of this at one of the consulting projects I worked on years ago.  Our client had adopted SAP's ERP system.  While we were implementing our proprietary project management system, their governance board was questioning whether they should scrap our project and use SAP's project management system.  However, the business unit with whom we were working strongly recommended against using this ERP module because it did not met their business needs.  We finished implementing our software before this disagreement was resolved, but articulates what I see as a potential problem with governance boards.

As part of this process in understanding IT governance, a colleague and I will, over the next couple years, start a research project looking at IT governance, particularly a subset called data governance, in a variety of organizations.  Some of the research questions we want to answer are: What, if any, are the relationships between governance structures and management practices?  What, if any, are the relationships between governance structures and methodology?  What, if any, are the relationships between governance structures and external regulations?  Since my colleague and I are both IT ethics researchers, our larger research question will be how does ethical and political theories influence data governance structures?  And how do those structures enable or prohibit ethical decisions in organizations?  We may also explore how various ethical perspectives of senior executives impact the choice of governance boards or how the ethical perspectives of the governance board impacts the choice of directives.  There are a number of angles we can pursue that should hopefully enable a better understanding of the role of ethics in IT organizations and suggest best practices for enabling organizational success.