Johan Hammerstrom shares thoughts prompting his webinar in August 2012 on IT Governance.
This April I was asked to “pinch hit” at the Nonprofit Technology Conference (NTC) and give a last-minute presentation on…IT Governance. It was not a topic I would have picked on my own, nor was it an issue I had given much thought. I spent the week before the conference studying the subject and became very interested. At first glance, it’s hard to think of a less exciting subject. But after digging below the surface, it becomes apparent that many of the IT problems suffered by organizations can be traced back to IT governance.
It is an issue not only for non-profit organizations, but for organizations of all sizes, structures and purposes. As a result, a variety of frameworks and disciplines have emerged over the past 20 years to make sense of the unique governance challenges posed by information technology…and also to provide possible solutions. I only had time for a cursory review of the field in preparation for my talk, but as I researched the different standards, the one that seemed the most interesting and relevant to small non-profits, surprisingly enough, was COBIT. COBIT is now in its 5th iteration and is treated as a pure name rather than an acronym; it once stood for “Control Objectives for Information and related Technology”. It is a large and sophisticated framework that can be applied to even the largest corporate entities. But I found many of its most essential lessons to be applicable to small and medium sized non-profits.
That surprise is understandable, because “Control” is not a style or objective that fits within the culture of many non-profits. But, if you’ll bear with me, you might find that it speaks to some of your IT problems.
What is IT Governance, anyways?
According to the IT Governance Institute, IT Governance is essentially the leadership, organizational structures and processes that ensure that IT sustains and extends the mission. The specific leaders, structures and processes are going to vary from organization to organization, but overall they should all share some defining features outlined by COBIT.
The COBIT 4.1 framework identifies the following five IT governance focus areas:
- Strategic Alignment
- Value Delivery
- Risk Management
- Resource Management
- Performance Measurement
Can we talk?
Each of these is an essential part of IT Governance, and the most important is strategic alignment. IT needs to understand what is most important for achieving the mission of the organization…and the organization needs to establish expectations for what IT is supposed to be delivering. In other words, there needs to be a dialogue in which the organization (leadership, primarily) communicates the business requirements, which are often in the form of…
- Business Continuity
- Remote access
It is not simply a matter of business leadership filling out a survey and handing the answers to the IT Department/Staff. It needs to be a dialogue and, in fact, in many instances, it is more likely that the IT Department is pulling the requirements out of the key stakeholders in the organization…as a dentist might a tooth in some cases. So there needs to be an expectation on the part of the IT staff that there are certain questions only the leadership can answer.
IT Governance maturity is a journey
Organizations do not need to be perfect. Maturity in any area is a journey that takes time…and maturing in IT Governance is no different. But what is needed is…
- Leadership willing and able to have dialogue
- Organizational Structures that enable the conversation
- IT Director/CIO that can own it
- Processes that support it
- What Resources are required to meet the Business Goals? (Resource Management)
- What risks are tolerable? (Risk Management)
- What measurements are needed? (Performance Measurement)
Because it is a dialogue, IT staff need to be able to research, analyze and present various IT solutions with an understanding of how they may or may not meet the business goals of the organization, along with any trade-offs that might be required. The IT department is fundamentally responsible for providing the rest of the organization with an understanding of IT solutions. At the same time, the rest of the organization, especially the leadership, has a fundamental responsibility for some understanding, however basic, of how IT supports the mission.
“I just want it to work” isn’t working
It is no longer acceptable for the leadership to say, “I don’t care how it works, I don’t want to know how it works, I just want it to work.” This all too common refrain closes the door on a much needed dialogue. Every IT solution is a balance between a certain investment cost and a certain set of features.
For example, consider disaster recovery. If you were to ask the leadership of an organization, “How long can our IT system be down?”, the answer, of course, would be never. It can never go down; it should never go down.
However, if the IT department formulates the question as, “We can invest $20,000 in a system that is expected to go down 3-4 times per year, or $100,000 for a system that will essentially never go down”, suddenly the leadership needs to make some cost/benefit decisions. Now the organization can accept some level of IT risk, assign a financial value to that risk, and thereby make a responsible decision. This is not a decision that should be made solely by the IT Department based on a given budget, without any input from leadership, programmatic staff, or other departments.
How to get started?
If you made it this far and are interested in hearing more, contact us!