What is ‘IT Governance (ITG)’?
The principles and best practices of IT Governance (ITG) have a single, straightforward goal: provide the enterprise with the means and support to achieve its goals for its customers and stakeholders. It is a purposeful practice in which investment should generate value and where employee success is measured by results over responsibilities. As ITG grows in importance to a company’s ability to succeed, it also grows in complexity: increasingly, nothing about it is straightforward, which accounts for the steady stream of articles and posts citing ITG best practices or mistakes to avoid.
A decade ago IT career expert Martha Heller posted a list of five ITG best practices on CFO that have held up extremely well: get your business priorities straight; assess whether projects are realizing their business case; limit participation to retain focus and accountability; understand investment does not equate to success and responsibility differs from accountability; and finally, find what works and “stick with it, because every senior manager in your company should know your approach to IT governance like the back of his or her hand.”
Heller’s list was prescient, but ITG, and its importance, has grown exponentially during the past decade. According to Gartner, worldwide IT spending is projected to total $4.5 trillion in 2022, an increase of 5.1% from 2021. If you play a role in your organization’s ITG there is a lot on your plate, exacerbated by an explosion of data that is increasingly difficult to manage, track, and govern. Two years into the pandemic, the supply chain crisis, inflation, and global political situations are also preventing the arrival of a “new normal.”
What are the best practices for IT Governance (ITG)?
Today an expanded view of ITG best practices is forming, which is especially relevant for those involved in TPRM. On ISACA’s blog, Ravikumar Ramachandran provides three key priorities for governance practitioners in 2022, which complement Heller’s list in a changing environment:
- Aggressive and Persuasive Cybersecurity Leadership “…to match the current cybersecurity threat scenarios…”
- Pursue Knowledge in Cloud Security and Data Science, “as the cloud introduces new security threats… governance professionals will need expert knowledge surrounding cloud security and best practices for cloud implementations.”
- Strategic Alignment and Value Realization, “… considering strategies are typically evolved over a long time, the likelihood of successful enterprises falling into strategic myopia is high.”
TPRM practitioners also need to be aware of the cyber hygiene practices of third and Nth parties, and cannot assume those parties are performing at expected or required levels of diligence. This was recently illustrated in a list published by CIO of seven eye-opening ITG myths, outlining potential minefields every ITG and TPRM professional should read. It leads off with Shared Assessments’ own Tom Garrubba on the importance of assessing the risk of outsourcing business processes.
Shared Assessments Vice President Ron Bradley believes inclusion is an increasingly crucial factor in ITG, and that neglecting it can affect the entire organization. As such, it is imperative to ensure your governance committee includes the necessary stakeholders, including leaders from your business units. Ten years ago, Heller cautioned against bringing in too many people, arguing it can undermine accountability and focus, but Bradley sees a business imperative in getting buy-in early and often from leadership and business partners, whose support is essential to avoid a nonchalant attitude towards governance and compliance.
“The ‘tone at the top’ is crucial,” Bradley believes, “to the success of any governance program. Without support from leadership and business partners, running a governance program is not likely to be successful.” Bradley also advocates for regularly scheduled meetings with the IT Governance committee. These meetings should include discussions and reviews of metrics and provide reports to leadership on a regular basis.
Ten years down the road, Bradley adds a final thought that echoes Heller’s earlier advice on the subject:
Don’t reinvent the wheel. Many organizations have successfully implemented IT governance programs. Learn from their programs and avoid the pitfalls they may have encountered. Make a conscious effort to include Internal Audit, risk managers, compliance, privacy, and sourcing. Be flexible. Gather frameworks from trusted sources and make them your own. Adjust as you figure out what works or what doesn’t.
Most importantly, don’t make this a paper exercise. Ensure your policies are in line with best practices and are impactful for your organization.