Business leaders often misguidedly assume IT governance is all about the nuts and bolts of technology, when IT governance is about the information viability of an organization, according to Butler Group research director Tim Jennings.
At the highest level, governance is about establishing sound management, policies and procedures to ensure that companies' information systems meet corporate objectives. Therefore, the focus of IT governance must be on the information risks within the business, not just on the technology, Jennings said.
"If you look at networks, servers and storage, they all need to be managed to run efficiently. But that's only a small part about what governance is. IT governance is an ongoing process that will constantly need to be redefined. But there is no out-of-the-box solution that is going to fulfil all an organization's governance requirements, despite what some vendors might like us to believe."
Driving a need for better IT governance practices is the pressure to comply with more legislative and regulatory frameworks, whether that be CLERP 9 (a proposed set of financial reporting reforms to oversee auditors and corporations' reporting processes) in Australia, or the Sarbanes-Oxley Act for companies doing business in the US.
While the CFO is responsible for a company's financial stability, CIOs' parallel with the CFO is to mitigate the serious risks to an organisation failing to adhere to local compliance regulations.
"The [penalty] may be a CEO going to jail. And that risk should give the CIO the opportunity to strengthen his or her role within the business," Jennings said.
"For example, if a CEO wants to invest in a new plant for a factory, the CFO can say 'That could jeopardise the financial stability of the company'. Likewise, the CIO should be have the power to say, if a sales director wants to install a new CRM system, 'That may risk us being able to comply with information legislation and I can't allow that to happen'."
This is where corporate governance and IT governance meet, Jennings said.
He believes the CIO's role shouldn't just be that of technology's caretaker, but the guardian of information within the organization.
Jennings said IT leaders' awareness of their responsibilities under governance requirements has matured over the last nine months, particularly in the banking sector.
Yet while executives within banking now have titles like 'head of governance', even companies in this industry feel they're only halfway towards where they'd like to be, he said.
Governing a time bomb
CIOs need to live with the reality that given the budgetary constraints IT has suffered for the last few years, technology investments will forever be judged by harsher criteria, Butler Group analyst Tim Jennings said.
"IT has got to pay its way just as any other business unit or service. And that's a big frustration for organizations now - that IT hasn't been subject to the same rules as other parts of the business.
"It's been 'Let's be speculative and throw some money at an IT project, and hey it didn't work, but let's not worry, we'll try again'.
"This blindsighted approach to IT is backfiring at the board level. Executives are frustrated that not only have they not seen a return from IT, but there is no formal mechanism for measuring a return," Jennings told Computerworld.
He recommends that a starting point for IT governance is for companies to employ techniques like portfolio management, where there is a finite budget for IT investment.
"We hear a lot about high profile project failures. And yet we go into each new project trusting that it's all going to work this time. We shouldn't do that - history shows that 30 percent of our IT projects have failed. So there's a reasonable expectation that 30 percent of future projects will fail. Companies need to examine how well their projects are aligned with the organization's business strategy and prioritize projects on that basis."
Jennings said the whole board is responsible for defining IT strategy and the CIO is responsible for executing that strategy.