This week I delivered a presentation at the ISACA (formerly known as the Information Systems Audit and Control Association) North America Computer Audit, Control and Security (NACACS) conference in Las Vegas. It was my third time speaking at a CACS conference and ISACA of North America selected the same presentation chosen by New Zealand CACS and the Canada CACS – IT governance.
I’ve been evangelizing the power and promise of IT governance for more than four years now. The vast majority of my audiences have only a cursory understanding of this critical discipline. So I was delighted the NACACS committee chose my IT governance presentation because it gave me yet another opportunity to preach to the choir. I have some very pointed views about IT governance and I relish the opportunity to present them to an IT governance audience. ISACA forums provide that audience. Their new professional association slogan is: “Trust in, and value from, information systems,” but for a couple of years their slogan was, “Serving IT Governance Professionals.” Their web site continues to make reference to the “…IT governance professionals it serves.”
Even though it was the last day of the week-long event, there were at least 150 people in the room. Everyone in attendance was a member of ISACA and nearly all of them worked in IT audit. I was very encouraged. I let them know my presentation was meant to indoctrinate the uninitiated and that I was eager to hear their risk- and compliance-hardened reactions and opinions. I invited everyone to ask questions during the presentation and I invited comments and critique of my content. I delivered my usual presentation and in doing so, stated these assertions:
“Take a look at these six definitions of IT governance. I am sharing a half-dozen definitions because I contend there is not a consensus in the industry as to exactly what IT governance is.”
Reaction to Assertion 1: insert chirping crickets here
“Here are the principles of IT governance. If anyone is doing anything in regard to information technology and they are not meeting these principles, then they should stop it because it is a waste of time/money.”
- Ensure IT is aligned with the business
- Ensure IT delivers appropriate value to the business
- Ensure IT appropriately manages risk
- Ensure IT appropriately manages resources
- Ensure IT appropriately manages performance
Reaction to Assertion 2: insert picture of tumbleweed rolling by here
“Here are the decision-areas of IT governance (according to Peter Weill and Jeanne Ross of MIT CISR). These decision areas encompass every decision an enterprise can possibly make in regard to information technology”:
- IT Principles (defining the IT archetype)
- Enterprise Architecture
- Infrastructure Strategies
- Business Needs (systems and applications)
- Investment (all IT spend)
Reaction to Assertion 3: if I had dropped a pin I would have had no problem hearing it hit the floor
“Though the various IT governance committees are not responsible for execution, it is irresponsible at best, and negligent at worst, for IT governance committees to make decisions without ensuring and assuring the enterprise has these IT governance processes in place and optimized to realize said decisions”:
- Integrated Business IT Planning
- Architecture Management – Standards Review
- IT Investment Assessment, Prioritization, Funding & Benefits Realization Accountability
- IT Financial Resource Allocation
- Project Execution Decision-making
- Emerging Technology Evaluation & Adoption
- Client Relationship Management
- Building & Maintaining Applications & Infrastructure
- Provisioning of IT Services
- Strategic Sourcing & Services
- Audit & Risk Management
Reaction to Assertion 4: Cue Simon and Garfunkel here, “Hello darkness my old friend…”
“The worst thing about IT governance is the first two letters of its name: ‘I’ and ‘T’. These first two letters help perpetuate the misconception that IT governance is a function of IT or the responsibility of the CIO. IT governance should have been named ‘Business governance of IT’ because then maybe boards and business leadership would assume their IT governance leadership role. As it stands, discussion about technology is still an ad-hoc agenda item for most boards, and business leaders are woefully absent from participating in far too many information technology decisions.”
Reaction to Assertion 5: There was not an immediate response after I made this assertion, but I did get some questions later asking how to engage the business.
Once again, I made my assertions about IT governance and once again, the audience accepted them. This was despite the fact that I made these assertions to a group of IT governance professionals who very likely did not have similar perceptions or beliefs when they entered the room. I realize some folks may have chosen not to take the speaker to task, or may not have cared enough to even bother. I also realize this was Day 5 in Las Vegas for many of them so they may have simply been on cruise control. I fully understand their silence does not necessarily signify agreement.
Some people might consider the absence of challenge to my assertions to be a form of validation. But despite making these assertions in almost one hundred forums around the world with nary a protest, I don’t feel validated at all. I don’t think I will feel validated until business-led IT governance fosters the appropriate IT governance mechanisms (roles and processes) to enable reasoned and rational information technology decisions that realize the principles of IT governance – in every enterprise.
Until then, I will continue to evangelize IT governance and I will continue to make what I thought to be controversial assertions about the discipline, despite my inability to conjure any controversy.
Steve Romero, IT Governance Evangelist
Article source: CA ITGovernance Blog