7 things you should know about IT governance, including choosing a framework and how to ensure a smooth implementation.

Organizations need an IT governance framework to ensure that their IT investments support business goals. The framework provides a structure for corporate and IT management to align the organization’s technology with its business strategy. The need for formal corporate and IT governance practices across U.S. organizations was fueled by the enactment of laws and regulations, including the Gramm–Leach–Bliley Act (GLBA) and the Sarbanes-Oxley Act, in the 1990s as a result of high-profile corporate fraud cases.

• What is IT governance?

IT governance is a formal framework for aligning IT strategy with business strategy. By following this structure, organizations can measure their results toward achieving their strategies and goals. A formal program also takes stakeholders’ interests into account, as well as the needs of staff and the processes they follow. In the big picture, IT governance is integral to overall enterprise governance.

• What’s the relationship between IT governance and GRC (governance, risk, and compliance)?

Calatayud states that IT governance and GRC are the same things. “While GRC is the parent program and the framework to use is often determined by where the CISO reports to—for example, if he or she reports to the CIO, the scope may be IT focused; if he or she reports outside of IT, GRC can cover more business risks beyond IT.”

• Why do organizations implement IT governance infrastructures?

Today’s organizations are held to many regulations governing the protection of customer and company information, financial accountability, data retention, and disaster recovery, among others. They’re also under pressure from shareholders, stakeholders, and customers.

To meet internal and external requirements, many organizations implement a formal governance program to ensure they have the right controls.

• What kind of organization uses IT governance?

Public and private organizations need a way to ensure that their information technology (IT) functions to support business strategies and objectives. And any organization that needs to comply with regulations related to financial and technological accountability should put a formal IT governance program on its radar. However, implementing a comprehensive IT governance program requires a lot of time and effort—and quite a bit of planning. For very small entities that practice only essential IT governance methods, the goal will be a full-fledged IT governance program; for larger organizations with a lot more regulatory accountability requirements, it may be best to implement an “essential” IT governance policy first and then build out from there.

• How do you implement an IT governance program?

The easiest way to get started is to use an existing framework that’s been developed by industry experts and used by thousands of organizations. Many frameworks include implementation guides that help organizations phase in an IT governance program with fewer speedbumps.

The most used frameworks are:

1. COBIT: COBIT is a framework of “globally accepted practices, analytical tools, and models” designed for the governance and management of enterprise IT. ISACA expanded COBIT’s scope over the years to fully support IT governance. The latest version is COBIT 2019, which is widely used by organizations focused on risk management and mitigation.
2. ITIL: Formerly an acronym for Information Technology Infrastructure Library, ITIL is a set of practices that aims to ensure that IT services to support the core processes of the business. The five ITIL sets are service strategy, design, transition (such as change management), operation, and continual service improvement.
3. COSO: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a framework for evaluating internal controls. COSO’s focus is less IT-specific than the other frameworks, concentrating more on business aspects like enterprise risk management (ERM) and fraud deterrence.
4. CMMI: The Capability Maturity Model Integration (CMMI) method, a software engineering approach to performance improvement, uses a scale of 1 to 5 to gauge an organization’s level of quality and profitability maturity. According to Calatayud, “allowing for mixed-mode and objective measurements to be inserted is critical in measuring risks that are qualitative in nature.”
5. FAIR: Factor Analysis of Information Risk (FAIR), a relatively new model for quantifying risk, focuses on cyber security and operational risk. The goal of FAIR is to help companies make more informed decisions. Although it’s newer than other frameworks mentioned here, FAIR has quickly gained traction with Fortune 500 companies.

• How do I choose which framework to use?

Most IT governance frameworks are designed to help you determine how your IT department is functioning overall, what key metrics management needs and what return on investment the business is getting from its investments.

The COBIT and COSO frameworks are used mainly for risk, but ITIL helps streamline service and operations. As previously mentioned, CMMI is intended for software engineers, but it has expanded to include processes in hardware development and service delivery as well as purchasing. FAIR is squarely for assessing operational and cyber security risks.

When reviewing frameworks, it is important to consider your corporate culture. Does a particular framework or model seem like a natural fit for your organization? Does it resonate with your stakeholders? This framework may be the best choice.

However, you do not have to choose only one framework. For example, COBIT and ITIL complement one another in that COBIT often explains why something is done or needed whereas ITIL provides the “how.” Some organizations have used COBIT and COSO, along with the ISO 27001 standard (for managing information security) when designing their information technology governance frameworks.

• How do you ensure a smooth implementation and positive results?

One of the most important paths to success is executive buy-in. Calatayud recommends forming a risk management committee with top-level sponsorships and business representation. He also recommends sharing results with the board or audit committee to “develop real attention when items begin to get ignored.”

As with any significant project, you should always keep communication lines open between various parties and measure and monitor the progress of the implementation.