IT Governance 101: IT Governance for Dummies, Part 1

By Paul Wilkinson

COBIT Focus | 22 January 2019

There are a lot of IT governance “dummies” out there.

dummy (noun)
:a stupid or silly person1

silly (adjective)
:showing little thought or judgement2

stupid (adjective)
:acting in an unintelligent or careless manner3

Before deciding not to read on, consider that, arguably, there are a lot of us out there showing little thought or judgement about what IT governance really means and what we should be doing about it. When reviewing some of the facts and figures herein, it appears that some people are doing things in a very careless manner.

There Is No Need for IT Governance. That Is Old Thinking.

This statement is heard often these days: “We are in the age of digital transformation. IT governance is old thinking.” Really?!

A Forbes article discussing the reasons organizations fail at digital transformation stated, “…if you don't spend time changing people's behaviors, you don't spend time changing culture and how people make decisions, all of this falls flat.”4 The lack of effort to change organizational culture sounds like a very careless approach to investing an organization’s resources.

How careless exactly? A Genpact article revealed that “…companies are wasting nearly (US) $400 billion per year on digital initiatives that do not generate the expected return on investment.”5

This amount of failure should make people sit up and take note.

What Has This Got to Do With Governance?

There are many definitions of IT governance. One standout was published in 2004: “Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT.”6 If we look at these facts, there seems to be some less-than-effective decision-making and some fairly undesirable behavior going around.

What (un)desirable behavior do we currently see concerning IT governance? See the following sections, which describe these behaviors.

The Business Approach

When confused, or not having given it enough thought, the best approach to IT governance from the business perspective seems to be to shout loudly, then blame IT. Either that or approach IT governance (as the majority seem to) as governance, risk and compliance (GRC), skipping over the first 2 words and focusing on the compliance. After numerous highly publicized corporate financial disasters, compliance and control became the order of the day, with auditors becoming the custodians of the governance stick with which to beat IT.

The IT Approach

The majority of readers in IT will ignore this article thinking it has nothing to do with them, as if IT is not part of the business, saying: “Oh that is a business thing! Annual audits and stuff…a lot of noise, flapping about and then we can go back to normal.” While, in the meantime, those same folks are wondering why IT continues to struggle with becoming a strategic partner and why IT continues to be the target of shouting.

One reason, perhaps, for the shouting is that IT personnel seem to show little thought or judgement on how all of their IT management frameworks, such as ITIL, provide (er, should provide) input into IT governance to enable effective evaluating, monitoring and directing of IT value7 (there being 2 aspects to value: value creation and value leakage). The frameworks become the goal, not how they enable business performance and reduce business risk. It seems those in IT implement these frameworks in a very careless manner.

The Chicken and the Egg

Getting the right amount of thought and judgement from silly people is a sort of chicken-and-egg situation. Should stakeholders wait for the chicken (business) to first start recognizing and applying IT governance to drive IT-enabled business value, or should the egg (IT) break out of its shell and start convincing the business that many IT problems and business value leakage can be traced back to a lack of governance?

Waiting for the Business

One could wait for the business; however, findings in an ISACA research report, Better Tech Governance Is Better for Business, revealed that “more than two-thirds of all respondents say their company’s top leaders need to prioritize strengthening connections between IT and business goals.” The report went on to reveal that “only 55% say their organization’s leadership team board is ‘doing everything it can.’”8 Unfortunately, the research did not ask “How effective is your board at shouting and blaming IT?” This would have resulted in a significantly higher score.

Waiting for IT

One could wait for IT; however, as reported in a McKinsey report, “IT organizations continue to struggle with performance issues, both in conventional IT and in areas that are critical for the future.”9 This means there are problems with trust and credibility. Will the business listen to IT? The McKinsey results showed “Many respondents—especially on the business side—see their IT organizations as replaceable by third-party providers.”10 So much for being a trusted advisor or strategic partner. Very careless of us.

It Could Be a Long Wait

It seems that both parties are “unconsciously incompetent.”11 It would appear that both the business and IT are unconsciously incompetent about IT governance, perhaps one reason why business and IT alignment is still high in the list of priorities12 after all these years.

A Bad Name

This lack of thought and judgement, which, as already stated, has resulted in a compliance and control focus, has given IT governance a bad name, compounded by the fact that people judge it as primarily a tick-the-box exercise rather than as an improvement instrument. These findings were confirmed by Tichaona Zororo, director on the ISACA Board of Directors, who stated, “Governance should be principles and outcome based not rule based,” adding “Too many audits report on what is NOT working rather than advice on improvements aimed at increasing Value.”13

Increasing Value? What Has That Got to Do With Compliance?

Attention needs to be shifted to value. Why?

Enterprise Governance: Getting the Balance Right describes 2 dimensions of enterprise governance:14

  • Corporate governance (conformance), e.g., potential for value leakage
  • Business governance (performance), e.g., value creation

These 2 dimensions need to be in balance as demonstrated in the focus on compliance and control herein. This appears to be remarkably similar to an IT governance issue (Evaluate, Direct, Monitor) and a board responsibility.

Cannot Be My Responsibility. I Am Unconsciously Incompetent.

Another recent report also revealed that, in early adopters (digital transformation), only 22% said the chief executive officer (CEO) is leading the adoption. In mature adopters, it is 44%. One reason: “When digital progress is led by technologists, companies often end up with glittering technologies that either go unused or fail to meet the business’s objectives.”15 Business objectives? Sounds like another IT governance issue. But, do not believe it just because it is written here. In a conference session titled “Should IT Align With the Business or Business Align With IT in the Age of Disruption,” Professor Alex Slow ascribed this failing to a number of things, one being: “A failure of IT governance, if it did not incorporate emerging technologies into its role.”16

Why did IT not tell anyone? Probably because stakeholders were too busy shouting.

Do Not Look at Me. I Am Just a Service Provider.

In a McKinsey report entitled “Partnering to Shape the Future IT’s Imperative,” a table showing the most significant root causes of IT’s shortcomings revealed “Weaknesses in IT’s operating model e.g., how it is structured and managed” as the top, and “Lack of clarity on IT’s priorities and/or organizational role.” The report goes on to recommend “IT organizations and their business counterparts must then rethink the business–IT engagement model.” The good news is, however, that the report stated that “76% of executives feel that IT should play a partner role to the business.”17

However, in order for IT to gain the trust and credibility to be seen as a partner, IT must raise its capabilities and shift from the ad hoc order taker (still a number of organizations) to service provider (the vast majority of IT organizations are still on this journey) to trusted advisor and strategic partner (very few). However, an ITSM survey revealed that “only 13% of [IT service management] ITSM professionals know exactly how their IT organization’s annual investment in IT positively impacts their business,”18 which makes it difficult to become a strategic partner.

If Nobody Takes the Lead, Then Who Should Take the Lead?

With all this shouting and denial going on, it would appear that the services of a marriage counselor are needed. Someone to help teams overcome the unconscious incompetence. Somebody to stop all the silly, stupid behavior.

Part 2 of this series will look further at the marriage counselor capability.

Paul Wilkinson

Has been actively involved in ITSM for more than 35 years in the roles of IT manager, managing consultant, service development manager and as ITIL developer. He was coauthor of the ITIL publication Planning to Implement IT Service Management, and he was a member of the ITIL advisory group for ITIL Version 3 and in the Architects team for ITIL practitioner. Wilkinson is also codirector and owner of GamingWorks, the company that developed the internationally renowned Apollo 13—an ITSM case experience ITSM simulation game, as well as business and IT alignment, project management, and DevOps business simulations delivered by a global partner network of more than 400 partners. He was also coauthor and developer of the ABC of ICT (The Attitude, Behavior and Culture of ICT) publications, having conducted ABC workshops and simulation workshops with delegates representing more than 4,000 organizations worldwide.


1 Cambridge Dictionary, dummy definition
2 Ibid. silly definition
3 Merriam Webster Dictionary, stupid definition
4 Rogers, B.; “Why 84% of Companies Fail at Digital Transformation,” Forbes, 7 January 2017
5 Genpact, “CFO Challenges in a Digital World”
6 Weill, P.; J. Ross; IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business Review Press, USA, 2004
7 Wilkinson, P.; “What Does IT Value Look Like?” IT Chronicles, 2016
8 ISACA, Better Tech Governance Is Better for Business, USA, 2017
9 McKinsey & Company, IT’s Future Value Proposition, July 2017
10 Ibid.
11 Broadwell, M. M.; “Teaching for Learning (XVI.),” The Gospel Guardian, 20 February 1969, vol. 20, no. 41, p. 1-3a
12 Luftman, J.; “The Transformational IT-Business World and IT Strategy,” Rutgers Business School, 6 August 2018
13 Zororo, T.; “The Changing Landscape of IT Auditing,” ISACA Norway Chapter Sommermøte 2016, Oslo, Norway, 2016
14 International Federation of Accountants, “Enterprise Governance: Getting the Balance Right,” USA, 2004
15 Kane, G.; “Is the Right Group Leading Your Digital Initiatives?” MIT Sloan Management Review, 3 August 2018
16 Slow, A.; IT Service Management Forum 2017, IT Service Management Singapore Chapter, 2017
17 McKinsey, “Partnering to Shape the Future—IT’s New Imperative,” USA, 2016
18 Mann, S.; “ITSM Statistics—Does IT Know the Business?” ITSM Tools, 24 July 2018