• Bookmark

IT Governance 101: IT Governance for Dummies, Part 2
The Marriage Counselor

By Paul Wilkinson

COBIT Focus | 1 April 2019

Both business and IT are “unconsciously incompetent”1 when dealing with the issues relating to both the need for and scope of IT governance in this age of digital disruption. That is the thesis of the first installment of this 2-part series. This second installment addresses what can be done to foster understanding between business and IT and recognize the value in the relationship between the 2 so that both parts of the organization are working toward achieving the strategic goals of the enterprise.

Part 1 concluded with the fact that current evidence supports the argument that there are a lot of “dummies” out there when it comes to IT governance. The idea stems from the fact that there are business and IT stakeholders who show little thought or judgement about what IT governance really means and what they should be doing about it, and that some people are doing things in a very careless manner.

Part 1 of this series posed the question: “If nobody takes the lead, then who should take the lead?”

This installment also attempts to answer that question.

BRM—Brave This Ridiculous Mess or Business Relationship Management?

Thanks to leadership coach, speaker and consultant Peter Lijnse for the ridiculous mess, or rather the definition. If practitioners are to “brave this ridiculous mess,” then both the business and IT need to raise their game.

The answer to the question “Who should take the lead?” lies, partly, with the role of the business relationship manager (BRM). IT organizations need to develop BRM as a core capability. Why? Well, nothing else that has been tried seems to have helped. It also fits in with the McKinsey findings in “Partnering to Shape the Future IT’s Imperative.”2 The BRM Institute paints a clear vision of a future of business and IT convergence with IT as a strategic partner, but, for many, this is a bridge too far considering where they currently are in terms of both business and IT maturity.

The Marriage Counselor

Those in IT can use BRM to start repairing the relationship between business and IT and, at the same time, gather critical business understanding for the IT provider organization. This will help break the internal focus of IT organizations, which is one of the most frequently identified top-scoring Attitude, Behavior, Culture (ABC) worst practices in global workshops.

A better business understanding between business and IT will help shape IT prioritization mechanisms and help IT show that it understands the business, winning trust and credibility. BRM can provide important input for continual service improvement initiatives within IT service management (ITSM), helping IT professionals make improvements focused on business value.

The BRM role also needs to speak the language of governance to try to get boardroom and business leaders to take accountability and gain buy-in for not only governing IT, but also in the broader sense for enterprise governance to ensure digital transformation success. Easier said than done. This will require BRM to be able to get both parties speaking the same language. A translator is needed.

COBIT as Babel Fish and Engagement Model

Babel Fish was, in fact, a translation device, “Small, yellow, leech-like and probably the oddest thing in the universe. You stick it in your ear and can instantly understand anything said to you in any form of language…effectively removing all barriers to communication between different cultures.”3

Nobody is suggesting anybody should be sticking anything in their ears…well, apart from ear plugs to drown out all the shouting. However, there is certainly the need for some similar translation device to enable the 2 different cultures of business and IT to understand each other’s language.

Actually, COBIT is a very powerful Babel Fish. COBIT should be the best friend of any chief information officer (CIO) wanting to bridge the business and IT divide and help focus business attention on governing IT. Organizations may be slow to adopt this framework if it is misinterpreted as a compliance stick with which to beat IT. On the contrary, COBIT is an instrument the CIO and business relationship manager would be wise to understand and embrace. COBIT is one of the best frameworks that has been developed as an IT governance and management tool.

Goals Cascade

The goals cascade is the most carefully guarded aspect of COBIT. It is something IT organizations are strongly urged to embrace and customize to their specific business needs. Using the goals cascade might help IT remind business line managers about the strategic business goals and how IT supports and enables these. Why should IT be reminding the business? What nonsense is this? Remember the Chicken and the Egg section in part 1.

A Sloan management review article titled “No One Knows Your Strategy—Not Even Your Top Leaders” revealed that “Only one-quarter of the managers surveyed could list 3 of the company’s 5 strategic priorities. Even worse, one-third of the leaders charged with implementing the company’s strategy could not list even one.”4 And these are the very same leaders who are insisting all their IT demands are the most important. What relation these have to strategic goals seems to be neither here nor there. IT professionals get shouted at by even more business leaders with conflicting priorities and then blamed for not supporting the strategy. Who needs IT governance? Someone, somewhere is being very silly indeed.

Linking Pin to IT Management

One of the powerful aspects of COBIT is that it acts as the glue between governance and management, describing both governance and management processes. Its concept of cascading enterprise goals to IT goals to enabler goals and metrics ensures consistent communication and alignment. These enablers such as Processes are where all the IT management frameworks can be plugged in, helping to give the frameworks a business context and ensuring that they focus on delivering value and outcomes, not just outputs. As stated by one expert in the United Arab Emirates, “I think often because organizations do not do a goals cascade things feel disconnected and orphaned, but once you do a proper goals cascade you can see and feel the interconnection and how goals are interdependent on each other to achieve the enterprise-level goals.”5

You Cannot Have Everything. Somebody Has to Make Decisions. I Have Decided I Want It All. Now

COBIT describes the enterprise governance of information and technology (EGIT) as Value creation = Benefits realization (Performance), Risk optimization (Conformance) and Resource optimization (balancing between benefits and risk). Resource optimization is particularly important in these days of digital transformation in which every business manager seems to be insisting that it is not possible to do business without the latest flashy bit of IT such as big data, artificial intelligence (AI), robots and Uber…Uber?! Yes, Uber, as this is what one business manager was overheard saying, “We want an Uber solution, something that disrupts our market…Now!”

Clearly, these exploding business demands for new benefits exist and, at the same time, IT is expected to make everything secure, replace all that legacy stuff that is slowing down the Ubering, and stop IT from breaking as well. Oh, and by the way, please fix the C-level manager’s printer first. It is broken.

Governance Is All About Desirable Behavior

As illustrated in this 2-part article, there are numerous, almost habitual undesired behaviors exhibited by both IT and the business when it comes to desirable behaviors in using (or should I say abusing) IT as a strategic business resource. In global workshops year in, year out, the top 3 ABC themes emerge:

  1. Neither partner makes an effort to understand the other.
  2. No understanding of business priority and impacted is demonstrated.
  3. Everything has the highest priority according to users.

Einstein is often quoted as having said (without evidence), “The definition of insanity is doing the same thing over and over again but expecting different results.” 6 IT governance seems to be ignored, year in, year out, yet different results are expected. It is time to change behaviors.

What Was That Definition of IT Governance Again?

“Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT.”7

Unfortunately, most IT organizations only read the first bit and then leap onto the word “framework” and start certifying everyone in ITIL, DevOps, The Open Groups Architecture Framework (TOGAF), IT4IT, CSX, International Organization for Standardization (ISO) ISO 27001, ISO 20000 and spawning a whole set of professionals with more letters after their name than actually in their names, requiring bigger business cards. Process managers would also be advised to look at COBIT as it shows how a process relates to IT goals, suggested metrics, relationships to other processes and the key activities that auditors will be looking for to demonstrate control.

Most business organizations skip over the second bit, “encourage desirable behavior.” Particularly, desirable behavior around decision rights—decisions that need to be made relating to prioritizing scarce IT resources between performance and conformance. This applies at the strategic level (prioritizing business and IT portfolio of investments), the tactical level (prioritizing applications and changes and business requirements) and the operational level (prioritizing requests, incidents and technical debt).

An example of this frequently encountered is with the latest adoption of DevOps. In response to the business demanding more and faster solutions, DevOps is seen as an important enabler. DevOps teams then become confronted with allocating time to new features (benefits) and technical debt (risk). Usually, technical debt gets left on, or dropped off the backlog in favor of the new features, until the technical debt comes back to bite stakeholders, who then blame IT. As can be seen in a workshop with 2 IT leadership teams, there was a recognition of the need to engage with the business in agreeing on effective BizDevOps—effective decision making and desirable behaviors.8

There is another example of the type of changes required in behavior taken from the Grab@Pizza business and IT-alignment simulation, which is written in the form of a screenplay.9 It is important to ask whether an organization’s chief executive officer (CEO) champions IT governance in this way.


What can be concluded from all this rambling and ranting?

  • Everyone must stop being silly about IT governance. IT in the era of digital transformation is too critical. Too much value is being lost.
  • Everyone must stop being careless about value creation.
  • IT governance must shift its focus from conformance to also enabling and ensuring performance.
  • IT governance must be taken out of the realm of auditing and control “ticks-in-the-box” to a performance improvement capability.
  • IT management frameworks should be viewed in terms of enabling good governance and enabling business and stakeholder value.
  • Using the COBIT goals cascade is a good way of aligning business and IT goals for both performance and conformance needs and cascading this throughout the organizations (top to bottom and end to end).

IT governance should be seen in the context of enterprise governance, especially in this era of digital transformation, which, in essence, means business transformation. If 84% of digital transformation initiatives fail,10 success requires an alignment between enterprise governance and IT governance.

Somebody must take the lead. As the ABC themes show, IT and the business need a marriage counselor. Remember that in the business and IT marriage, when the relationship becomes poor and the pain too much, only 1 party can outsource the other. It is in IT’s own interest of survival to be seen as a relevant and strategic partner and to try and repair the relationship and stimulate desirable behavior by both parties. The BRM is an ideal role and capability, and COBIT is an ideal tool for dialog and improvement.

In COBIT, Ensure benefits delivery is a core IT governance process. One goal is “Optimal value is derived from IT investment through effective value management practices in the enterprise.”11 This is where BRM and its approach to value management is a perfect fit.

No more “dummies.”

Paul Wilkinson

Has been actively involved in ITSM for more than 35 years in the roles of IT manager, managing consultant, service development manager and as ITIL developer. He was coauthor of the ITIL publication Planning to Implement IT Service Management, and he was a member of the ITIL advisory group for ITIL Version 3 and in the Architects team for ITIL practitioner. Wilkinson is also codirector and owner of GamingWorks, the company that developed the internationally renowned Apollo 13—an ITSM case experience ITSM simulation game, as well as business and IT alignment, project management, and DevOps business simulations delivered by a global partner network of more than 400 partners. He was also coauthor and developer of the ABC of ICT (The Attitude, Behavior and Culture of ICT) publications, having conducted ABC workshops and simulation workshops with delegates representing more than 4,000 organizations worldwide.


1 Broadwell, M. M.; “Teaching for Learning (XVI.),” The Gospel Guardian, 20 February 1969, vol. 20, no. 41, p. 1-3a
2 McKinsey & Company, “Partnering to Shape the Future—IT’s New Imperative,” Digital McKinsey, May 2016
3 Adams, D.; Hitchhiker’s Guide to the Galaxy, Del Rey, USA, 1979
4 Sull, D.; C. Sull; J. Yoder; “No One Knows Your Strategy—Not Even Your Top Leaders,” MIT Sloane Management Review, 12 February 2018 /
5 Khan, Z. R.; Emirates Nuclear Energy Authority
6 Quora.com, “When Albert Einstein Said, ‘Insanity is doing the same thing over and over again and expecting different results,’ What Is the 'Thing' He Had in Mind?
7 Weill, P.; J. Ross; IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business Review Press, USA, 2004
8 Wilkinson, P.; “Why Courage Is a Core DevOps Requirement,” IT Chronicles, July 2018
9 Wilkinson, P.; “From Pizza to Performance: A Business & IT-Alignment Experience,” IT Chronicles, June 2018
10 Rogers, B.; “Why 84% of Companies Fail at Digital Transformation,” Forbes, 7 January 2016
11 ISACA, COBIT 5, USA, 2012