Description

IT Governance is the framework of processes and decision-making structures within an organization, applied through clearly defined policies and procedures for the oversight of technology assets across the enterprise. The primary focus of IT governance is the stewardship of IT resources on behalf of various stakeholders. IT Governance is critical to a business to assure that investments in IT generate business value on an ongoing basis. As business processes and technology are integrated, businesses are compelled to provide IT governance in order to manage their financial, operational and compliance risks.

There is no universally accepted or mandated model for IT governance. However, there are a number of frameworks established by governing or standards bodies or industry associations across the globe. Well known frameworks and standards include ISACA Control Objectives for Information and Related Technology (COBIT) and ISO/IEC 38500, an international standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Overview

IT governance focuses on delivering the business value of technology through four focus areas – Strategic Alignment with stakeholder values, Performance Measurement, Risk Management and IT Value Delivery. Enterprise Architecture frameworks that provide blueprints of the enterprise business processes, systems, information, infrastructure and technology are one of the foundational elements for implementing IT governance. Architects at all levels play an important role in this process. Enterprise Architects facilitate creation of the enterprise architecture. The Enterprise Architecture framework serves to provide the context and content of the technology assets and services that run and/or support the business. Enterprise Architecture, Portfolio Management, and Information Risk and Security are recognized as the strategic pillars for planning and implementing enterprise-wide governance of technology.
Architects of all roles – Business, Information, Infrastructure and Software – have to keep governance requirements foremost in designing and managing architectures. Different architect role holders are responsible for governing architecture viewpoints, standards and assets for their respective areas of concern. Architects also enforce compliance and keep the architecture aligned with business changes. But the role of architects goes beyond providing a governance structure. Architects have to play a critical and leading role in the design of an enterprise architecture that can enable effective governance across a globally distributed business and technology portfolio. Therefore, architects should not view governance as an overhead. Instead, the focus should be on a disciplined approach to meeting architecture requirements to deliver business value and mitigate risks, thus ensuring governance in a proactive, rather than reactive, manner.

The major challenges architects have in the area of IT governance relate to knowledge of, and disciplined adoption of, governance practices. The better embedded an architecture function is within the IT organization, and the better the alignment between business and IT, the easier it is to govern over the lifecycle. Architects should also create enablers for governance such as reference architectures, architecture principles, standards and policies. Creation of an architecture governance framework will lead to increasing maturity and re-use of assets and IP. Architects should promote self-governance by ensuring that business value is delivered from IT solutions and that architectural requirements for technology are well designed and implemented.

Proven Practices

  • Setting up and building an Enterprise Architecture using an EA framework.
  • Establishing a clear EA governance structure for strategic alignment, risk mitigation and escalation.
  • Formation of an Architecture Review Board.
  • Creating a culture of self-governance, as opposed to regimentation, through living standards, guidelines and practices.
  • Architecting solutions with all architectural requirements considered.
  • Adoption of an industry standard/model for governance such as COBIT.
  • Usage of enterprise reference architecture and industry standards.

Sub-Capabilities

Corporate Governance of IT

Corporate Governance of IT is the planning and implementation of initiatives and procedures to ensure that the IT services used by an organization, and the technology which supports them, deliver value, are efficient in their use of resources, and are compliant with all relevant legislation and regulations. COBIT and ITIL are two well-known frameworks that are generally accepted as models for implementing governance. Governance models generally take a pyramid structure representing the accountability and decision-making hierarchy across the operational, managerial and executive levels in an enterprise. Operational responsibilities and activities are delegated downwards, while escalation and ownership flow upwards.

Iasa Certification Level Learning Objective
CITA – Foundation
  • Learner will be able to describe focus areas of corporate governance
  • Learner will be able to identify widely adopted frameworks for corporate governance
  • Learner will be able to describe the relevance of enterprise architecture in context of corporate governance
  • Learner will be able to distinguish between governance, risk management and compliance objectives
CITA – Associate
  • Learner will be able to design solution architecture in alignment with corporate governance objectives at a project level.
  • Learner will be able to use reference architecture, guidelines and standards to align with Enterprise Architecture.
  • Learner will be able to demonstrate alignment with Enterprise Architecture to Architecture Review Board.
CITA – Specialist
  • Learner will be able to set up a governance framework, processes and standards for their area of specialization for the enterprise.
  • Learner will be able to participate in Architecture Review Boards to review compliance to governance objectives and processes for architecture.
CITA – Professional
  • Learner will be able to improve and enhance governance processes in their area of specialization.
  • Learner will be able to set up a governance framework, processes and standards for the enterprise.
  • Learner will be able to set up an Architecture Review Board and define its objectives in alignment with the Corporate Governance Framework for the enterprise.

Continuous Guidance and Oversight

These are activities that focus on overseeing and guiding the performance or operation of a group with the intent of continuous improvement of quality, performance and results.

Iasa Certification Level Learning Objective
CITA – Foundation
  • Learner will be able to identify enabling processes for guidance and oversight of architecture.
  • Learner will be able to define common tools and techniques such as standards, references and review cycles to provide oversight.
  • Learner will be able to define key performance indicators, such as value, risk and compliance, used for process measurement and improvement.
CITA – Associate
  • Learner will be able to apply oversight and guidance through use of standards, validation techniques and reporting performance at a project level.
  • Learner will be able to define tools and frameworks used to enable oversight.
CITA – Specialist
  • Learner will be able to design frameworks for oversight and guidance for the business or the enterprise in their area of specialization.
  • Learner will be able to define and track performance of key metrics and use techniques such as root cause analysis for corrective and preventive actions and continuous improvements.
CITA – Professional
  • Learner will be able to design frameworks for oversight and guidance for the enterprise.
  • Learner will be able to design performance measurement metrics for the enterprise as well as measures for analysis and improvement.
  • Learner will be able to design a roadmap for continuous improvement as well as leading and lagging performance indicators (for example business value, time to market, responsiveness to industry and business changes, risk management) to track progress.

Information Security and Risk Management

Information Security and Risk Management is the overall framework for the control of information security in an organization. It is the explicit identification of digital information assets, and of the policies and procedures that ensure the confidentiality, integrity and availability of information, aided by an information risk management framework for corporate governance of risks related to information security.

Iasa Certification Level Learning Objective
CITA – Foundation
  • Learner will be able to classify types and sources of information generated and used by the enterprise.
  • Learner will be able to distinguish between different types of information assets, types and layers of information security.
  • Learner will be able to identify technology requirements and solutions for information security.
CITA – Associate
  • Learner will be able to define security architecture requirements to ensure information security at a project level.
  • Learner will be able to identify information security requirements related to their area of concern or specialization.
CITA – Specialist
  • Learner will be able to identify common frameworks and standards for information security compliance and governance.
  • Learner will be able to implement an information risk management framework for the enterprise, including information classification, risk assessment and related controls.
CITA – Professional
  • Learner will be able to design an enterprise framework for information security and risk management.
  • Learner will be able to define and implement an enterprise information security architecture aligned with enterprise information security and risk management objectives.

Resources

Articles:

Blogs/Webcasts/News/Reference sources:

  • Enterprise Governance of Information Technology: Achieving Strategic Alignment and Value by Wim Van Grembergen and Steven De Haes ISBN-13: 978-0387848815 ISBN-10: 0387848819
  • Governance of Enterprise IT based on COBIT 5: A management guide by Geoff Harmer ISBN-13: 978-1849285186 ISBN-10: 1849285187
  • Information Governance: Concepts, Strategies, and Best Practices (Wiley CIO) by Robert F. Smallwood ISBN-13: 978-1118218303 ISBN-10: 1118218302
  • Data Governance: How to Design, Deploy and Sustain an Effective Data Governance Program by John Ladley ISBN-13: 978-0124158290 ISBN-10: 0124158293
  • Managing Risk and Information Security: Protect to Enable by Malcolm Harkins ISBN-13: 978-1430251132 ISBN-10: 1430251131

Author

Maya More
AVP – Enterprise Architecture Center of Excellence

Maya More is an IASA member and CITA-Foundation certified architect with over 19 years of experience in business technology consulting, enterprise architecture and technology implementation. She has worked with global businesses in multiple countries and in industries such as insurance, healthcare and oil & gas. She currently works as an Architecture and Technology SME for a leading oil & gas corporation in India.