
The Rise of Governance and Assurance

Interest in IT governance is rising rapidly, but a new ISO standard will make clear that the term often is misused, writes ITSM Watch columnist Rob England.
May 8, 2008

Rob England


IT service management started something. It broke IT free of the shackled thinking that IT was about doing things with technology and writing programs. It said there is a higher level of thinking about how we do that stuff. It introduced a second idea too: that “how” is about process, and process doesn’t need technology; it needs Bodies of Knowledge (BOKs: my term, not ITIL’s, which talks about a “framework”).


In the case of ITSM, the focus of that “how” is on understanding how well we do IT, and on defining “how well” in terms of what the organisation needs us to do. Of course, this “how well” was framed as a process issue, and it spawned ITIL as its BOK.


ITIL is often seen as the “answer” to IT’s service requirement, but it isn’t. The change required to meet the service requirement is not a process one, it is a people one, and the answers are cultural, not procedural (let alone technological). The tools to support changing the people include ITIL. Now there is a new area of “higher level thinking” emerging in IT, and it is all in a muddle. It is a mix of the concepts of governance, risk, assurance and compliance.


What Governance Is Not


Governance shouldn’t be mixed up in there. Governance is something distinct. The passive part of governance is tracking the business against strategy objectives and policy—taking a navigational fix, not weighing the cargo. The active part of governance is setting policy, not issuing commands; setting a course, not steering. So, IT governance is understanding how right we do IT, and defining “how right” in terms of policy and strategy of the organisation.


Note that governance is not reporting, or security, or dashboards, or risk management, or, as I’ve seen lately, project management. Management is not governance. All these things that have recently been mislabeled as governance are about executing the commands of the governors, or providing them with information, or ensuring the organisation complies with their policies. Steering the ship is not governance. Even more so, rowing the ship is not governance.


The bulk of risk management is not governance. Most of risk management is operational. The closely intertwined concepts of IT risk, assurance and compliance are about how safely we do IT, and defining “how safely” in terms of safe for the organisation (not in the sense of human safety, though that is one subset).


The governors are concerned with setting policy and bounds. They aren’t concerned with fixing things that go out of bounds. If they are, then they are no longer governing. This is not wrong, it just needs to be clearly understood when the governors are taking an operational role.


Governance and the ISO


Help is at hand to rescue the much-abused term “governance”. The International Organization for Standardization (ISO) is about to release a new standard defining that very word. The standard has no number yet; it exists as ISO/IEC PRF 29382: Corporate governance of Information Technology. Publication is expected within a few months. The standard defines governance as three activities: direct, evaluate and monitor.


Once the new standard makes it clear to the IT community that governance pertains to command and control, not measurement, policing or adjustment, we can hope to see the emergence of a term that nicely wraps up the operational (i.e., non-governance) aspects of risk, assurance and compliance.

