Effective IT Governance: Overcoming Common Pitfalls

13.06.24 09:25 PM - By Bafana Nkosi

"Although many organisations have the best intentions, they fail in practice due to a limited understanding of governance’s true purpose and insufficient emphasis on the processes needed to support effective decision-making."

Donna Bales
Principal Research Director
Info-Tech Research Group

The importance of IT governance in an age of fast-paced, ever-evolving technology cannot be over-emphasised. Many organisations that have awoken to this truth pull out all the stops to improve their IT governance practices drastically. Unfortunately, many fall into the trap of doing too much, focusing on the wrong things, or simply doing the right things the wrong way.

To avoid the vicious cycle of expending a great deal of effort while remaining ineffective, it is important to understand the common IT governance pitfalls. Getting results with minimum effort is the prize everyone wants, and avoiding these pitfalls brings you closer to it.

In this article I would like to share insights from years of practice and from learning through different vehicles, including training, networking and simply reading. More importantly, these insights are based on lessons learned about what works and what does not work in the quest to implement successful IT governance.

Read further to understand what effective IT governance is, which practices hinder it (the pitfalls), and how to avoid those practices. The list of pitfalls given here is in no way exhaustive, but it represents the common traps that most practitioners fall into while pursuing effective IT governance.

What is Effective IT Governance?

"Effectiveness" simply refers to the ability to produce the desired results. Therefore using the expected IT governance outcomes, as presented in the article, "The Crucial Importance of IT governance", is the logical approach to measure IT governance effectiveness. The diagram below summarises these outcomes:

IT Governance Outcomes

The pitfalls listed below represent common mistakes that hinder organisations from achieving these IT governance outcomes.

What are the common practices that hinder IT governance effectiveness?

The following practices, mostly undertaken with good intentions, unfortunately tend to derail the realisation of IT governance benefits. The role players engage in them largely because of a lack of experience, limited knowledge and low skill levels.

Over-Emphasis on Compliance

Compliance is an integral, and important, part of governance. However, focusing all your energy on compliance is likely to keep you unnecessarily busy, much of the time with unimportant activities and time-wasters.

For example, many public sector organisations are pressured to adopt and comply with best practice IT governance frameworks, mostly COBIT. When assessing compliance, most auditors simply go through the COBIT documentation page by page to identify areas of non-compliance, irrespective of whether a specific recommended practice is applicable to the organisation or not. To most auditors I have encountered, both junior and very senior, the mere fact that you have adopted COBIT means you are expected to follow its practices to the letter.

It must be pointed out, though, that some best practice frameworks and standards do provide an approach to contextualising the recommended practices through scope definitions, e.g., CIS. However, many still insist on certain minimums, which I find unnecessarily burdensome.

To a certain extent, the same behaviour is observed with other standards, such as those of the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). Many organisations, in their sincere eagerness to maintain good IT governance, tend to overdo things. They pursue compliance without due consideration of their organisation's context to determine what is actually necessary. This leads to a false assumption of advanced IT governance maturity.

Too Many IT Policies

Some IT governance practitioners mistakenly think that there has to be a policy for every IT process. The current ITIL 4 version has 34 processes, which are now referred to as practices. As a result, some people believe that an organisation must define 34 policies.

The situation is even worse with COBIT 2019, which has 40 governance and management objectives (processes). Policies are official controls of an organisation, and violating them may lead to dismissal. The governing body is responsible for approving policies. Imagine a situation where the governing body has to approve 34 policies in a year from a single functional area of the organisation!

Even where not all policies are approved at governing body level, the organisation still has to implement them and monitor adherence. Monitoring compliance and reporting on performance against such a large number of policies would be a nightmare.

Inadequate Delegation of Responsibilities

Implementing IT governance at enterprise, strategic and tactical levels requires the establishment of governance implementation structures or committees. These committees must be composed of the right people in terms of competency, i.e., knowledge, skills and attitude, and level of authority.

These individuals must have the essential knowledge about IT governance and appreciate its impact on the organisation. They must know how to execute governance responsibilities in general and be ethical individuals in word and in practice. Of equal importance, they must have the relevant authority to make the required high impact decisions.

When assigning responsibilities to a committee, the organisation must consider the level of decision-making. It is futile and dangerous to assign decision-making powers for strategic initiatives to a committee at a tactical level. Conversely, committees operating at strategic level must not be expected to make decisions of a technical nature without properly considered recommendations from a tactical governance committee.

Lack of Understanding of IT Governance

To many leaders, IT governance is confined to policies, compliance, risk and security, and its fundamental purpose is not well understood. Many leaders do not grasp that the primary purpose of IT governance is to ensure that the right technologies are acquired and used to achieve the organisation's goals. With this understanding come concepts such as strategic alignment, value extraction and resource optimisation.

If one fully understands the purpose of IT governance, one will be able to adopt the right governance practices. For example, if an organisation in this day and age does not have, or has not initiated the development of, an Artificial Intelligence (AI) strategy or policy, it lacks a proper understanding of IT governance: it has not considered the impact of this dominant technology trend on its industry and on the organisation itself.

Failure to Adapt to Change

The world of technology is changing at an exponential rate. It is important for organisations to adapt their governance practices to keep up with these changes. This requires that organisations be aware of and understand the trends and their implications for the organisation.


Adopting and adapting best practices and standards is good, but not enough. When changes happen, these practices have to be updated, and by the time a new version is released it might be too late to react. Remember that these are called best practices presumably because they are derived from observing the real-life practices of organisations that implement effective and efficient practices. Researching and analysing those practices takes time, so a framework may not yet have anything to say about a new technology disruption.

How to Avoid the IT Governance Pitfalls

Implement a Context-Sensitive IT Governance Model

The adoption of best practices is a noble thing for any organisation that wants to improve its performance. However, it is counterproductive to try to implement everything in a best practice framework or standard without considering your organisation's context. It leads to the unintended burden of having to comply with, and report on, things that are irrelevant to your situation.

For example, organisations that have outsourced their IT services do not need to manage the software development process themselves. For outsourced software development projects, they must manage the project quality process instead. Unfortunately, it happens very often, especially in the public sector, that auditors register a finding that an organisation which has outsourced software development does not have an approved software development lifecycle (SDLC) policy.

The process of optimising IT governance must therefore start with establishing the business context. Consider, among other things, the size of your organisation, your strategic direction, your industry trends and your customers' expectations. This way you will be able to align the best practices and standards properly with your internal and external environments and design an IT governance model that works for your organisation, not one that is a burden to implement.

Be a Learning Organisation

In today's world, information technologies are essential for every part of the organisation to achieve efficiencies and gain competitive advantage. It is therefore the responsibility of everyone to understand the technology trends, not just the IT department. The HR practitioner, for example, is better positioned to understand the Artificial Intelligence (AI) use cases in HR than a business analyst or an IT specialist.


IT solutions are built for an organisation's users and to achieve business goals. The user departments must be empowered to understand the trends and determine their relevance for the organisation.

Designing and implementing an effective IT governance model requires knowledge, skills and experience. With the exponential rate of changes in technology, an agile IT governance model that is capable of adequately responding to changes is essential. The organisation must adopt and embed a culture of innovation and agility. Competency building and continuous improvement must be an integral part of the organisation's culture.

Keep Your Eyes on the Prize

Avoiding the IT governance pitfalls requires that the IT governance practice itself be governed, i.e., directed towards its purpose. It is therefore essential that an IT governance policy be developed to ensure that the right principles are adopted and implemented in line with the organisation's strategic direction.

"Policy for the governance of IT is established to reflect the decisions of the governing body and guide the organisation’s use, expectations and impact of IT."- ISO/IEC 38500:2024

The best start is to consider adopting the ISO/IEC 38500 principles. These are essentially the governance principles of ISO 37000, with descriptions of their implications for the acquisition and use of IT. They place IT governance squarely within enterprise governance and make it difficult (if not impossible) to practise IT governance outside of enterprise or corporate governance. The key success factor is to focus on sustainability and resilience, develop key performance indicators to monitor performance continuously, and implement continuous improvement.

Conclusion

One of my favourite quotes attributed to Albert Einstein says, "Everything must be made simple, but not simpler." I am a firm believer in making the basic elements of a phenomenon as simple and as few as possible without losing the essence of its representative principle. This enhances problem solving and advancement.

It baffles me that, of the three major supporting functions of an organisation, namely human resource management, financial management and information technology, the first two have no more than seven processes defining their practices, while each of the two famous IT standards, ITIL and COBIT, defines more than 30 processes or practices. This serves to complicate the function and makes it more of a mystery than it is, which is music to cyber criminals' ears.

It is clear that achieving effective IT governance requires a return to the basics (the original purpose of IT governance) while at the same time initiating a change in organisational culture to one driven by agility, innovation and resilience.

Bafana Nkosi