IT governance models and approaches
Traditional approaches to IT management have included centralized, decentralized, federal and distributed structures, which also serve as useful labels for IT governance models (Peppard and Ward, 1999; Schwarz and Hirschheim, 2003).
The centralized IT governance model relies on a strong, positive, capable IT steering committee that is able to interact with the board directly, or through a one-step intermediary. All infrastructure proposals emanate from this group and all IT proposals need to gain its backing. It will have substantial delegated authority. It may be chaired by the CEO, another executive director, or a senior business manager. IT risk is one of its key areas of responsibility (along with benefits and strategy) but, because a holistic approach is necessary, this does not mean that a separate risk subcommittee is formed. At each of its formal meetings, risk reports will be produced for the board. Urgent risk matters will be dealt with on a pre-arranged basis (the chairman and two others, for example), and risks beyond a specified level will require the participation of the full committee. Each segment of the risk portfolio will be the responsibility of an individual who reports to this committee; in smaller organizations one individual may take responsibility for several segments. The committee should hold a formal meeting with the board on a regular basis, at least annually.
The fully distributed IT governance model has, in effect, a full IT steering committee for each division. Each of these steering committees behaves in a similar fashion to the above, except that there will need to be an intermediary role to deal with the board – unless each division has its own board. The intermediary role may be an individual or a small team, which is able to interact with each of the divisional steering committees. It will also need to have excellent channels of communication with the board.
In the federated model, there is some balance between the central authority and the subordinate divisions. Each division will need to accommodate the IT steering committee role, which it can do through an individual, a small team or a formal committee. The central authority will have an IT governance group that includes representation from the divisions as well as those functions that are centrally managed. This IT governance group is the direct channel to the board.
Centrally managed risk management functions may include IT service continuity, information assets (especially where there is a strong legal basis to those assets), security, and partner relationships. Each of the federal units then has the potential to take charge of its own IT strategy and benefits, along with the risks that lie wholly within its territory.
The rate at which the organization's use of IT is changing may have an overriding influence if, for example, a new technology is creating a fundamental change in the way the organization approaches its customers or suppliers. In such cases there will be a tendency to adopt a more centralized approach. Correspondingly, if IT use has completely stabilized in the organization, the IT governance role can become more rudimentary, with the proviso that, although development and implementation may have effectively ceased, the organization's dependence on IT through IT service continuity and information assets may still be very high.
Similarly if the use of IT in the industry is changing, there is a need for heightened activity in the IT governance function. Other environmental issues, such as reawakening regulators or impending legislation, should also cause changes to the IT governance model, rather than be dealt with through ad hoc fixes.
In designing the IT governance model for the organization, it is particularly important that two-way channels be established with all employees who may provide the initial warning of risk issues, participate in mitigation or recovery activities, or originate an initiative.
[Beating IT Risks, Ernie Jordan and Luke Silcock]