The Rise of Governance and Assurance

Interest in IT Governance is rising rapidly, but a new ISO standard makes clear that the term is often misused. What we are really seeing is a rise in interest in IT Governance and Assurance. Along with Service Management these will provide the three supports for business-IT alignment, as predicted by the IT Swami.

IT Service Management started something. It broke IT free of the shackled thinking that IT was about doing things with technology and writing programs. It said that there is a higher level of thinking about how we do that stuff.

It introduced a second idea too: that “how” is about process, and process doesn’t need technology, it needs Bodies of Knowledge (BOK, or ITIL prefers to say “framework”).

In the case of ITSM, the focus of that “how” is around understanding how well we do IT and defining “how well” in terms of what the organisation needs us to do.

Of course this “how well” was framed as a process issue and it spawned ITIL as its BOK.

ITIL is often seen as the “answer” to IT’s Service requirement, but it isn’t. The change required to meet the requirement is not a process one, it is a people one, and the answers are cultural not procedural (let alone technological). The tools to support changing the people include ITIL.

Now there is a new area of “higher level thinking” emerging in IT, and it is all in a muddle. It is a mix of the concepts of Governance, Risk, Assurance and Compliance.

Governance shouldn’t be mixed up in there. Governance is something distinct. The passive part of Governance is tracking the business against strategy objectives and policy: taking a navigational fix not weighing the cargo. The active part of Governance is setting policy not issuing commands: setting a course not steering. So IT Governance is understanding how right we do IT, and defining “how right” in terms of policy and strategy of the organisation.

Note that Governance is not reporting, or security, or dashboards or risk management, or – as I’ve seen lately – project management. Management is not Governance. All these things that are recently being mislabelled as Governance are about executing the commands of the governors, or providing them with information, or ensuring the organisation complies with their policies. Steering the ship is not governance. Even more so, rowing the ship is not governance.

The bulk of Risk Management is not Governance. Most of Risk Management is operational. The closely intertwined concepts of IT Risk, Assurance and Compliance are about how safely we do IT, and defining “how safely” in terms of safe for the organisation (not in the sense of human safety, though that is one subset).

The governors are concerned with setting policy and bounds. They aren’t concerned with fixing things that go out of bounds. Or if they are then they are no longer governing. This is not wrong; it just needs to be clearly understood when the governors are taking an operational role.

Help is at hand to rescue the much-abused term “Governance”. The international Standards organisation, ISO, released a new standard ISO38500: Corporate governance of information technology, defining that very word. The standard defines Governance as three activities: Direct, Evaluate and Monitor.

Now that the new standard makes it clear to the IT community that Governance pertains to command and control - not measurement, policing or adjustment - we can hope to see the emergence of a term that nicely wraps up the operational (i.e. non-Governance) aspects of Risk, Assurance and Compliance. Assurance is a good catch-all word. I quite like Policing but I doubt it will catch on – too threatening for these PC times [for our British readers that is PC as in Politically Correct, not Police Constable].

With that new concept gaining centre stage alongside Service and Governance as the third leg of the IT tripod supporting business-IT alignment, we can control how well, how right and how safely we do IT.

Just as the change required to meet the IT Service requirement is not a process one, it is a people one, so too with IT Governance and Assurance. Nevertheless, the BOKs and the tools are required to support that change.

People will look for BOKs aligning as neatly with IT Governance and Assurance as ITIL does with IT Service. COBIT and related publications are nearest to the IT Assurance BOK, and the ValIT publications are on the way to being the BOK for IT Governance.

The growth of IT Service Management as a discipline within IT has been a good thing, and long overdue. But it has been a lopsided process: Service Management is not everything (not to hear some pundits tell it). Now we are seeing rising interest in “IT Governance”, which if you look into it is actually interest in both IT Governance and IT Assurance/Policing (and the underlying technology and processes to provide the data for both Governance and Assurance/Policing, and to enact their directions).

The ITIL industry is worth several billion dollars a year. Now that there are two new markets opening up, the vendors are salivating. The reaction of some CIOs will be horror at whole new vistas of IT spending, but just as ITSM is becoming a normal expectation of IT, so too will Governance and Assurance.

In twenty years we will wonder what the fuss was about (remember how exciting it was to actually monitor and manage your computers?). In the meantime, look forward to some excitement as IT Service’s star fades and two new ones burst into the sky.

This article first appeared in early 2008, but the website is no longer available, so I am re-publishing it here.