IT expenditures have increased substantially. It is estimated that worldwide IT spending has grown 5 percent to 8 percent in recent years and will approach $3 trillion for 2007.[1] Yet IT project failures, budget overruns, security breaches and compliance snafus are still abundant. In fact, in 2006, Gartner estimated that more than $600 billion had been squandered on ill-conceived or poorly executed IT projects.[2] And according to Standish Group, only 30 percent of projects are considered successful.[3]


It is clear that simply pouring more money into IT won’t necessarily fix a company’s problems or mitigate its risks. However, with a successful IT governance plan in place that merges the needs of business and IT executives, IT governance can prove to be a valuable initiative. But before executives get serious about IT governance, they should take into account a few best practices to avoid the potential pitfalls.


A Balancing Act


IT governance is about balancing the interests of investors and stakeholders by focusing resources on the creation of value while ensuring there is a system of control and accountability. It is important to note that value creation and accountability are interdependent. In other words, it is about doing the right things and doing them the right way.


IT governance is the system by which IT is directed and controlled. It should:


  • Address the roles and responsibilities of groups and individuals such as the board, business and IT managers;
  • Articulate the rules and procedures for making IT decisions;
  • Provide a structure through which IT objectives are set, attained and monitored.

Some organizations that live with little or no IT governance may feel that bureaucracy could slow things down, cost too much or even divert important focus away from the business. But if the mission of IT is to provide systems the business wants, it is equally important to provide systems the business actually needs. IT should not make those decisions independently.


IT governance is as much about value realization as it is about controls. An organization must go beyond prioritization of projects and see all the way through to the value delivered to the business.


Where to Begin


A travel plan should include a roadmap and also consider the preferences and tolerances of the travelers. Likewise, an IT governance plan should begin with prioritization of initiatives and establishment of clear milestones. But any plan for progress must also be internally consistent. For example, it doesn’t make sense to establish a business case development standard and implement it without establishing the review and approval process. These cannot be separated. It may also be a prerequisite that a budget and resource management process precede both. Commitment to IT governance and competence may grow along the way, but achieving milestones and reaching the final destination will be the real reward.


One of the first steps a company should take is to evaluate current IT governance practices. The best way to do that is with the tried-and-true capability maturity model. The maturity evaluation helps home in on the most important issues. The participants in this process should be the key stakeholders, such as executive management or internal process owners.


The maturity model evaluation can be done in four simple steps:

  1. Select and define the relevant areas of IT performance. Develop a simple framework that focuses on high-level factors covering the IT performance areas that are of critical concern to the business. The maturity of critical performance areas will help diagnose where governance improvement efforts could help the most. The following questions should be answered before moving forward:

    • How adaptable or flexible is the technology infrastructure in meeting the needs of the business?

    • How is IT measured in business terms?

    • How are IT investment decisions proposed, shared and delivered?

    • How is accountability for IT divided between the business and IT?

    • How important is it for IT resources to know the business?

    • How effective are business people at recognizing and defining IT needs?

    Notice that answering these questions does not require an in-depth understanding of any published framework or model. It is important for business process owners to provide input on what these questions should be. IT can facilitate – not dictate – a discussion to help identify and select what is most relevant from the business’s perspective. It is equally important that risk management issues such as compliance, business continuity, security and privacy be discussed so the business understands and accepts its role in incorporating these into its priorities.


    If the relationship between IT and the business process owners is known to be dysfunctional or polarized, it may be wise to use a third-party facilitator. A good facilitator will uncover important issues that could otherwise be lost. A facilitated discussion is a good way to build a bridge with the business with minimal controversy.


  2. Develop key factors for each performance area and survey stakeholders. Each of the performance areas identified in Step 1 should have multiple factors that will help focus the evaluation of that area. For example, to use the maturity model to gauge how the performance areas share accountability, it may be relevant to know:

    • Whether and how often risks and successes are shared.

    • Whether and to what degree the business and IT trust one another.

    • To what extent projects include business sponsors at a level commensurate with the project scope.

    Scoring is based on stakeholders selecting one of five statements that corresponds to the maturity level that best matches current practice. For example, a level 1, or low-maturity, statement might be, “IT cannot be trusted to deliver on its promises.” A level 5 maturity statement might be, “IT always completes projects successfully.” Low scores on the maturity model are a strong indication that the business may believe that IT must be micro-managed to ensure success. High scores indicate that the business has high confidence in the ability of IT to deliver on commitments.


    Initially, some organizations resort to frameworks such as the Information Technology Infrastructure Library (ITIL) or Control Objectives for Information and related Technologies (CoBIT) to perform maturity evaluations. These are solid frameworks and should be given consideration. However, frameworks can add complexity that the business is not ready to adopt in the early stages of IT governance development.


  3. Decide what maturity level is optimal for the business. Higher-level stakeholders need to identify which performance areas are important to rate and where they should be on the maturity model – not in theory, but in practical terms. It may also be a good idea to qualify the rating by a planning horizon such as one to three years.

  4. Develop an action plan that addresses the largest gaps prioritized by the business. By comparing the desired level of maturity to the perceived level of maturity, the business and IT should be able to agree on an acceptable set of required improvements. Periodic reassessment is recommended and will help the organization measure improvement or refocus efforts based on changing needs.

Implementing Frameworks


A recognized framework such as CoBIT can be useful in guiding development of governance processes. Before taking an approach that implements a framework, recognize that the business may not be willing to support a long and potentially costly framework compliance initiative. A framework or a standard should be viewed as a means to an end and not an end unto itself.


The IT governance model shown in Figure 2 illustrates where some of the better known tools and frameworks might be useful.


A framework can be chosen based on how well it addresses some of the business’s key issues and needs. Often, compliance is a major consideration in selecting a framework. In such cases, preference should be given to standards or frameworks that align with compliance requirements. It is possible that one framework could address multiple compliance needs. If not, it may be advisable to adopt portions of two or more different frameworks, for example, using Planning and Organizing from CoBIT and Service Delivery from ITIL.


Avoiding Pitfalls


As with any new business initiative, IT governance has its share of pitfalls. Below are a few of the most common.


  • Ownership and buy-in. IT governance should not be considered an IT project. True ownership includes active participation by senior business leaders who determine investment strategies to enable their business vision. Business partnership means recognizing the total cost of ownership of a new application or recommended solution; the cost to implement is only one small piece of the overall cost puzzle.

  • Over-delivering. IT governance can be a daunting and overwhelming task, including the creation of modified roles, responsibilities, decision-making criteria and, most importantly, a new language for describing business results. Do not try to resolve the state of IT governance immaturity in an all-encompassing implementation. Instead, identify a smaller pilot project to test the concepts. Celebrate the success of the implemented methods and results, and then extend them to an all-encompassing program.

  • Discipline and leadership – practice what you preach. Enabling change is hard. IT governance requires structure and discipline, which may be viewed as bureaucratic or restraining. But old viewpoints created the chaotic, unsupportable and potentially compromised environments IT governance is now attempting to secure. Exceptions should not be the norm. Make the process flexible to allow for business accommodations, but do not change the rules. Most importantly, IT should not have substitute processes to obtain similar results. Rein in those IT disciplines!

  • Governance software. Walk, don’t run, to automate the process. Governance software promises a means to manage IT demands with wonderfully colorful dashboards. Software vendors operate on the assumption that a working governance model is in place, with policies, procedures and methods to determine investment priorities. Automation or visual representation of IT investments will only distract from the infrastructure that is required first. The old “garbage in/garbage out” concept still applies here – if the data being put into the system isn’t any good, it doesn’t make any sense to display the garbage faster or more attractively.

Putting IT Governance to Work


IT governance gives the business a reliable means of working with IT without actually knowing IT. Without a common base of predictable services and processes on which to rely, businesses would focus too much time and money on unproductive activities such as resolving problems on their own or acquiring systems that address only a portion of the need. IT governance establishes and maintains structure and process to ensure value and establish accountability and predictability on the assurance and controls side.


Organizations that commit to implementing or improving IT governance processes are often rallying to a need that is compelling enough to warrant stakeholders’ time and effort. More than ever, businesses are dependent on the effective and efficient operation of their IT resources. A solid approach to establishing and re-establishing IT governance will help ensure that business priorities are addressed in a manner that benefits the business and its investors.


Governance is more critical today as increasing numbers of IT threats and security and privacy breaches are made public. Today, more companies seem to be at risk of compromises to their intellectual property, potentially causing serious damage to their reputations. If they work together, business and IT executives can ensure that IT governance is successfully embedded in the organization.




  1. Nick Huber. "Gartner: Firms Waste £351bn Each Year on Ill-Conceived IT Projects." March 21, 2002.
  2. Gartner. "Gartner Says World-Wide IT Spending to Surpass $3 Trillion in 2007." Business Wire, October 8, 2007.
  3. David Rubenstein. "Standish Group Report: There's Less Development Chaos Today." Software Development Times, March 1, 2007.
