IT governance and IT processes
Updated: Jul 8, 2019
Current IT governance frameworks such as COBIT focus on IT's internal processes. Governance can be made even more effective by including metrics structured around systems.
COBIT is very broad, and system governance is not a replacement, but complementary. Our Metrici Advisorproduct can be used to capture, analyse and report on many of the key metrics that COBIT uses.
But there is a difference in emphasis between COBIT and system governance. COBIT is arranged around IT's internal processes, and system governance is arranged around systems.
The focus on process is absolutely appropriate to ensure that the IT function works effectively. But an exclusively process-based approach has drawbacks.
The approach is too inward looking. It over-emphasises IT functional activities (such as ensuring IT staff are properly trained, or how well IT suppliers are monitored) at the expense of the IT deliverable - viable, working systems that deliver valuable business benefit.
It requires a reasonably high degree of process maturity. Without this, most organisations find it hard to understand and adopt a governance approach structured around processes.
It does not suggest where to direct action. It may identify, for example, that disaster recovery is generally weak and that testing is generally strong. But it does not highlight which systems actually need better disaster recovery, or which systems buck the trend and have weak testing. As a result, it tends to suggest broad "IT initiatives" rather than focussed individual improvements.
It makes little sense outside IT. In fairness to COBIT, most of its measures are externally relevant system qualities or relate to the broader business. However, it presents these measures structured around internal IT processes, and not around things the rest of organisation understands.
System governance redresses this balance. It focuses on the outcome of IT processes, as shown in the capabilities and qualities of the systems. It does not require a high degree of process maturity. It directly suggests where to act. And it makes sense outside IT because it presents IT issues structured around systems that are familiar to the broader organisation.
System governance still allows you to view measures by process. But an exclusively process-based approach does not allow you to view measures by system because the underlying facts are not gathered per system.
If you use a process-based framework like COBIT, consider using system governance within it. This will help you distinguish between externally significant outcomes and internal working practices. It will help you make the figures relevant and understandable outside IT. Our comparison found that 60% of COBIT's key metrics relate to systems and can be captured, analysed and presented using a system governance approach. (Of the remainder, 20% are general IT-business relationship measures, and 20% are measures of internal IT practices.)
If you do not use a governance framework, you can use system governance anyway. Unlike COBIT, it does not aim to give you control and assurance of IT's internal processes. But it will give you many of the same measures you need to manage IT effectively, at a fraction of the cost of a full process-based governance framework.