The Rise of Governance and Assurance
Interest in IT governance is rising rapidly, but a new ISO standard will make clear that the term often is misused, writes ITSM Watch columnist Rob England.
IT service management started something. It broke IT free of the shackled thinking that IT was about doing things with technology and writing programs. It said there is a higher level of thinking about how we do that stuff. It introduced a second idea too: that "how" is about process, and process doesn't need technology, it needs Bodies of Knowledge (BOKs, my term, not ITIL's; ITIL talks about "framework").
In the case of ITSM, the focus of that "how" is around understanding how well we do IT and defining "how well" in terms of what the organisation needs us to do. Of course, this "how well" was framed as a process issue and it spawned ITIL as its BOK.
ITIL is often seen as the answer to IT's service requirement, but it isn't. The change required to meet the service requirement is not a process one, it is a people one, and the answers are cultural, not procedural (let alone technological). The tools to support changing the people include ITIL. Now there is a new area of higher-level thinking emerging in IT, and it is all in a muddle. It is a mix of the concepts of governance, risk, assurance and compliance.
What Governance Is Not
Governance shouldn't be mixed up in there. Governance is something distinct. The passive part of governance is tracking the business against strategy objectives and policy: taking a navigational fix, not weighing the cargo. The active part of governance is setting policy, not issuing commands; setting a course, not steering. So, IT governance is understanding how right we do IT, and defining "how right" in terms of the policy and strategy of the organisation.
Note that governance is not reporting, or security, or dashboards, or risk management, or, as I've seen lately, project management. Management is not governance. All these things that are recently being mislabeled as governance are about executing the commands of the governors, or providing them with information, or ensuring the organisation complies with their policies. Steering the ship is not governance. Even more so, rowing the ship is not governance.
The bulk of risk management is not governance. Most of risk management is operational. The closely intertwined concepts of IT risk, assurance and compliance are about how safely we do IT, and defining "how safely" in terms of what is safe for the organisation (not in the sense of human safety, though that is one subset).
The governors are concerned with setting policy and bounds. They aren't concerned with fixing things that go out of bounds. If they are, then they are no longer governing. This is not wrong; it just needs to be clearly understood when the governors are taking an operational role.
Governance and the ISO
Help is at hand to rescue the much-abused term "governance". The international standards organisation, ISO, is about to release a new standard defining that very word. The standard has no final number yet. It exists as ISO/IEC PRF 29382: Corporate governance of Information Technology. Publication is expected within a few months. The standard defines governance as three activities: direct, evaluate and monitor.
Once the new standard makes it clear to the IT community that governance pertains to command and control, not measurement, policing or adjustment, we can hope to see the emergence of a term that nicely wraps up the operational (i.e., non-governance) aspects of risk, assurance and compliance.