IT Governance: New Term, Same Challenge

By Graeme Philipson

Reprinted from Melbourne's The Age

Twelve years ago, I started a magazine called MIS, which stood for Managing Information Systems. It was a magazine for corporate computer system managers on how to manage those systems.

MIS magazine still exists, but under the slightly different title of "Managing Information Strategies" and with a different publisher, John Fairfax. It is now one of the longest-lasting magazines in the IT industry, probably because it is not specifically about IT.

The management of IT has changed much less than the technology itself. The big questions of how to manage an IT budget, how to introduce technology, and how to deal with end users and senior management, have changed very little over the years.

The recurring theme in IT management has been what is often known as the "alignment of IT and business strategy." When we held our first MIS conference, 10 years ago this week, we adopted that as our theme. The next year we polled our readers on what the theme of the conference should be, and they wanted the same issue.

It is a perennial theme; the issue keeps coming up again. IT governance is a new term, but it is all about IT and business alignment.

The term "IT governance" has become popular in the last 18 months or so, just as the related term "corporate governance" has become much more fashionable. This is a direct result of the spate of corporate disasters we have seen around the world, many of them a direct result of greed and mismanagement at the highest level.

We had HIH and One.Tel in Australia, and in the US there were Enron, WorldCom and Tyco. The Italian Parmalat disaster is a recent European example. Legislators in all jurisdictions have reacted with a range of laws designed to tighten companies' compliance with corporate laws.

The most famous, or infamous, of these laws is the Sarbanes-Oxley Act, named after the Senator and Congressman who introduced it. This act, and its many imitators around the world, force companies to comply with existing laws, and the many new laws that deal with corporate honesty. Not only must companies comply, they must be seen to comply, and they must demonstrate how they are complying, by opening up their audit trails and compliance mechanisms.

Failure to do so can lead to criminal penalties, even jail. Now, nothing concentrates the mind of a CEO or board member more than the prospect of going to jail. Sarbanes-Oxley has put the fear of God into senior management in the US and around the world.

It has brought about a vastly increased focus on the process of corporate governance, which refers to the method by which corporations operate - the rules, and how they abide by those rules. This has filtered down to the organization's IT systems.

IT, after all, stands for "information technology", and governance is ultimately about information. There is an emphasis on security, with both terrorism and hacker attacks on the increase, and on things like disaster recovery and data protection and privacy.

All of this is information and how we handle it. A completely new discipline - IT governance - has come from nowhere in a very short time to help IT managers handle the issues of IT governance.

Although the term "IT governance" may be new, it essentially addresses the issues that have always concerned IT management. All it really does is formalize those issues.

A number of IT governance frameworks are in place, such as COBIT (Control Objectives for Information and Related Technologies) and ITIL (Information Technology Information Library). They are guidelines or checklists for ensuring you are doing things properly.

COBIT is American, ITIL is British. Standards Australia is currently developing Australian IT governance guidelines. There are also other guidelines, such as Basel II in the financial industry and ISO 17799 for IT security.

One of the reasons the alignment of IT and business is such a perennial topic is that the two areas naturally have different agendas. IT is about technology; business is about profits. These have not always led to the same expectations about IT's role in the organization.

The need for compliance has brought about the formalization of the many traditional aspects of IT management. It has also made senior management more aware of the strategic role of IT to ensure compliance, which in turn has brought a closer alignment of the goals of the organisation and the IT department. That can only be a good thing.

Graeme Philipson is an independent consultant, analyst and writer specialising in the IT industry. Over a 20-year career he has become one of Asia-Pacific's best known and most respected IT market researchers, speakers and journalists. In recent years he has concentrated on electronic commerce and enterprise applications issues.
