ISACA Now Blog


Q&A: IT governance first steps for SMEs

Posted at 8:39 AM by ISACA News | Category: COBIT-Governance of Enterprise IT

Q: My company has a small IT staff, and a minimal budget, but we recognize the importance of IT governance. How should we implement effective governance over IT (GEIT)?

A: There’s no doubt that governance over IT is needed in enterprises of all sizes, but smaller ones certainly have limitations that have to be considered. We asked Robert Parker, a member of ISACA’s Framework Committee and a past international president of the association, to give you advice. His answer follows.


At its core, governance is about alignment and value. For IT governance, we want to align the strategies, goals and objectives of IT with those of the enterprise to ensure that IT effectively supports and drives the entity.


With a limited budget you should concentrate on the value proposition that can be driven from effective alignment. The first step is to determine if:

  • The entity has documented an effective enterprisewide mission, goals and objectives
  • The IT organization has developed an IT mission, goals and objectives that are aligned with and support the enterprisewide mission, goals and objectives
  • The IT organization has developed strategic and tactical plans to operationalize its strategy
  • The IT organization has developed metrics to monitor and evaluate its performance

Based on your findings, next determine:

  • The maturity of the enterprise’s strategic initiatives
  • The maturity of IT’s strategic initiatives
  • The level of alignment of IT’s strategic and tactical initiatives with those of the enterprise

Once this analysis is complete, the next step is to determine the status of the current initiatives and their ability to form the basis of an IT governance program, as well as their weaknesses and proactive solutions to improve them.


Having established the current status of enterprise and IT initiatives, take the following steps:

  • Develop a position paper summarizing the findings and recommending a “go forward” plan to increase/improve the entity’s IT governance activities.
  • Ensure that any IT governance initiatives have an executive sponsor.
  • Working with the sponsor, enhance the position paper to provide:
    • The issue (e.g., a lack of IT governance)
    • Why it is an issue (e.g., IT projects are not aligned with the enterprise strategy and, as such, opportunities to effectively help the enterprise achieve its goals are being missed. Provide a few short examples and the “costs” of ineffective IT governance.)
    • Alternatives to improving IT governance—Indicate two or three approaches that the enterprise may take, and outline the pros and cons of each as well as their anticipated annual costs and any one-time costs.
    • Recommendations—Include the preferable approach supported with reasons why it is the best option.

One of the first projects should be to prepare an IT penetration assessment based on a functional business model, including functional decomposition to include subfunctions, activities and tasks. This will indicate, at a minimum, for each subfunction: 

  • The current level of IT penetration (e.g., 50 percent of activities are computerized compared to what could be computerized)
  • The quality of the current IT penetration (how good are the current IT applications)
  • The potential for additional IT improvements (what could be supported by IT)
  • The importance of the subfunction to the business unit

The best way to obtain this information is through a questionnaire supported with interviews.


Next, map the assessment of the IT penetration at the subfunction level against the enterprise’s strategic goals and objectives and perform a gap analysis.


At this point, you will have a report that indicates:

  • How effectively IT has penetrated and supports the subfunctions and, if rolled up, the functions (e.g., of the 50 percent computerized, only 40 percent are meeting users’ needs and the remainder require extensive revisions)
  • How the IT penetration supports the enterprise’s critical and strategic initiatives (e.g., in the previous example, the “good” uses of technology in the subfunction would be 20 percent [40 percent of the 50 percent]. If this subfunction is critical, a 20 percent rating indicates a poor level of alignment.)
  • Recommendations for what comes next

At this stage, we have looked at alignment. We still have to assess value; in other words, is the entity getting value for the money spent on IT? This may require a separate project to determine exactly how much is spent on IT, as some costs may come out of business unit budgets and not IT budgets. Once the IT costs are known, you can perform an effectiveness audit to determine if value is being received.


ISACA offers several resources to facilitate your IT governance journey, including COBIT Quickstart, 2nd Edition; Board Briefing on IT Governance, 2nd Edition; and Getting Started With Value Management (the latter two are available as free downloads). You may also wish to visit ISACA’s COBIT community to network with peers and see how their organizations are implementing IT governance. With all of the materials out there, the good news is that there is no need to reinvent the wheel.

