Building and Maintaining Effective Mechanisms for Implementing IT Governance 

Download Article Article in Digital Form

Today’s IT business environment requires regulatory compliance, cost control, availability, risk management, business alignment, timely project delivery, change and continuous innovation to deliver stakeholder value. Fulfilling these demands heightens pressure on boards and executives to ensure effective oversight of IT, making IT governance integral to overall corporate governance.

IT governance allows organizations to encourage desirable behavior when using IT. There are three key aspects:

  • What are the essential decisions that must be made for effective management and IT usage (IT domains)?
  • By whom should they be made (governance styles)?
  • How will they be monitored to ensure control (mechanisms)?

Well-designed, well-understood and transparent governance mechanisms are critical. Building and maintaining these mechanisms forms a continuum (see figure 1) that requires desire for change, identification and accountability for required changes, and ongoing monitoring to ensure that the desired results are achieved.

Implementing IT Governance

Top-down IT governance addresses what, who and how IT decisions are made and acted upon. Conceiving the governance model (the what, who and how) is the first step. Implementing it is the second step, and this can be accomplished with a seven-phased approach:

Figure 1

  • Phase 1: Initiate program—What are the drivers? The impetus for IT governance is a desire for change that stems from the strategic plan of the business, from which the IT strategic plan is derived. This requires obtaining ownership at the board and executive level, establishing initial awareness and involvement of business and IT management, and establishing an IT governance project organization.
  • Phase 2: Define problems and opportunities—Where are we now? The next step is to assess existing IT governance processes (as-is situation assessment) and identify problems and opportunities. At this point, a team should be identified and charged with detecting problems and opportunities in later phases.
  • Phase 3: Define road map—Where do we want to be? Based on the results of the as-is assessment, the focus moves to defining what an ideal IT governance model should look like (e.g., IT is an essential part of strategy, IT’s business impact is measured and monitored, IT is viewed as a strategic business asset and managed as a portfolio, IT participates in technology investment decisions, and IT has board-level oversight and executive leadership). The outcomes of the definition process should be communicated to business and IT leaders, and an implementation road map established.
  • Phase 4: Plan program—What needs to be done? The IT project work commences in this phase by establishing effective governance. This includes identifying people and groups to be involved (and their level of involvement), such as the IT steering committee, the IT project steering committee and the chief information officer (CIO). In addition, an IT project governance methodology, IT portfolio management, budget control and reporting standards are established.
  • Phase 5: Execute plan—How do we get there? Obtaining the participation of the business is paramount, and can often be greeted with resistance. Accordingly, it is critical to focus on relational and change management mechanisms. Parties can be brought on board through alignment processes (e.g., IT investment approval process, architecture exception process, service level agreements, formal tracking of business-IT value) and effective communication (e.g., executive announcements; formal/ad hoc committee work; IT governance education delivered by the CIO; working with managers who stray from desirable behaviours; increasing transparency by housing policies, standards and performance on web-based portals).
  • Phase 6: Realize benefits—Did we get there? In this phase, the effectiveness of IT governance implementation is determined by considering a number of factors, including a comprehensive model for managing all IT resources, improved executive participation, strategies and business objectives for IT investment, alignment between the business and the IT department, decision making and communication, perception of IT value, IT risk management, return on assets, lower IT costs, transparency of IT, IT performance tracking, and IT innovation.
  • Phase 7: Review effectiveness—How do we keep the momentum going? The final phase of the continuum entails monitoring and reviewing IT governance, planning for its sustainment, and assessing its effectiveness. This should include shifting focus from relational mechanisms to improving structures/processes once the governance framework is embedded. In addition, a performance management system (balanced scorecard) should be introduced to facilitate continuous monitoring of IT governance effectiveness and ongoing framework enhancement.

Building and Maintaining Effective IT Governance: Pitfalls and Key Success Principles

The journey to effective IT governance is fraught with many challenges. Common pitfalls that may hinder the success of IT governance include:

  • Inadequate board oversight (competency and engagement)
  • Lack of senior management commitment and support
  • Not obtaining sufficient business involvement in governance initiatives
  • High levels of organizational complexity
  • Internal politics (IT governance brings a shift in decision rights.)
  • IT committees staffed with the wrong people
  • Structuring IT too low or in the wrong place in the organizational structure
  • The three C’s (culture, resistance to change, lack of appropriate communication)
  • Resistance to standards and accountability
  • Lack of understanding of responsibilities
  • Poor change management
  • Trying to do too much at once
  • Circumventing IT governance processes and practices
  • Difficulty demonstrating value and benefits

Figure 2 outlines leading practices to overcome pitfalls.

Figure 2


The outcomes of a successful implementation are worth the challenge, producing both shorter-term, tangible benefits (such as reduced cost) and long-term benefits (such as enhanced management of IT-related risk, improved relationships between business and IT, and increased business competitiveness). Leveraging the leading practices that have been outlined will assist the board and C-suite executives on their journey to IT governance effectiveness.


Ingrid Robinson, CPA, CIA, is a senior manager in the enterprise risk services group of MNP LLP in Toronto, Ontario, Canada, with more than 15 years’ experience in the audit, governance, risk and controls profession. She currently serves on the board of directors for Hospice Palliative Care Ontario, Canada.

Margaret Jodha, CPA, CGA, is the finance director at Verizon Canada, with more than 20 years of experience in progressively senior finance leadership roles.

Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2013 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.