From Where We Sit

Why we need IT governance

If there were no rules for one day and you could be outrageous, what would you do? I would travel the world, splurge on luxuries, and spend everything on memories.

We always desire independence, or the license to do what we want. But imagine a society with no rules, with no governing body to oversee our actions and activities.

Imagine driving a car without the need to be licensed or without traffic lights. Imagine a family with no parents to steer their children in the right direction and with no rules to enforce.

It may sound like absolute freedom, but the absence of governance would be disorder or, more accurately, chaos.

We are all governed by rules in our daily life, and we follow these rules without knowing it. After all, we have unwritten rules at home, at school, and at work.

We know that red means stop, and that green means go. We follow the rules imposed in our favorite sport to avoid fouls and penalties.

We politely raise our hands at school to be called on by our teacher. Our parents impose curfews. Even in our profession, we have to follow guidelines, criteria, and requirements to ensure competency.

But what does governance mean? Why is it important?

According to the Cambridge Dictionary, governance is “the way that organizations or countries are managed at the highest level, and the systems for doing this.”
Good governance ensures the consistency and repeatability of processes. Most importantly, this consistency and repeatability must be cascaded from the highest level of the organization.

Governance, so to speak, is a very critical element of any organization and, most of the time, we apply governance features without even knowing it.

Let us move on to a more specific subject: information technology (IT) governance.

We are in an era of rapidly changing and evolving technology and complex operating environments. The demands of IT are everywhere. Today, companies are willing to invest in automation rather than stick to simpler, more manual processes.

IT makes our life easier and, more importantly, more efficient.

So what does IT governance do? How does it differ from IT management? Should your organization care? What will it contribute to your organization? How do you implement it?

What is IT governance?

If you’re an IT student, IT graduate, IT professional, or an employee of a technology company, you have likely heard of the term “IT governance.”

IT governance does not differ from other governance processes. In fact, IT governance is a formal decision framework to ensure that IT investments support business needs.

IT is now regarded as an integral part of an organization’s strategy. It is not enough to have IT systems and to expect them to deliver strategic value to the organization.
Instead, there is a need to evaluate, deliver, monitor, and govern the value creation efforts of the IT system.

Strategic alignment between IT and the organization’s objectives is a critical success factor. IT governance helps achieve this alignment by economically, efficiently, and effectively deploying secure and reliable technology information.

How does it differ from IT management?

The Control Objectives for Information and Related Technologies (COBIT) 5 framework makes a clear distinction between governance and management.

These two disciplines encompass different types of activities, require different organizational structures, and serve different purposes.

This is how COBIT 5 defines governance: “Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.”

This definition ensures that the three key activities—evaluating, directing, and monitoring—are represented. Monitoring in the governance context means ensuring that monitoring outcomes are achieved in support of the provided direction and expected objectives.

Management, on the other hand, is defined by COBIT 5 as: “Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. Information management encompasses the management of structured and unstructured data, in electronic, paper or other media formats. It may encompass portions of knowledge management as a formalized organizational capability.”

Information management plans, builds, runs, and monitors the practices, projects, and capabilities that acquire, control, protect, deliver, and enhance the value of data and information assets in alignment with the direction set by the information governance body.

In simpler terms, governance must provide leadership and strategy, focusing on the “big picture” and ensuring that the strategy is executed. As such, it is distinct from management, which organizes the work and implements the systems of governance.

Governance is doing the right thing, while management is about doing things right.

To steer or to row?

If an organization wants to be successful, it should allocate the tasks of both rowing and steering—both different, but equally important—to deliver the best results to the organization.

American authors David Osborne and Ted Gaebler wrote, “those who steer the boat have far more power over its destination than those who row it.”

The Board of Directors and management both have different roles, and both are key to the success of an organization. What is crucial is ensuring that each person understands and values their role.

According to Governance Today, “a boat does not go anywhere if it is not rowed, but could go anywhere if not steered—clarifying who does what and when is a good start to good governance.”

Should my organization care?

Your organization should definitely care. Implementing IT governance is extremely beneficial to an organization.

IT services are generally improved. IT governance also increases business sustainability and profitability, if implemented correctly.

IT governance assures: (1) the creation of value through the use of IT, (2) the overseeing of management performance, (3) the mitigation of the risk associated with the use of IT, and (4) oversight of the IT systems so that there is alignment between the organizational goals and the IT system goals.

However, we should always remember that the desired outcomes that shape IT will vary between industries and organizations.

How do you implement it?

All organizations are unique. They should evolve their own governance process based on their needs and culture.

How they evolve also depends on the size of their organization and on the level of authority the organization employs.

Deciding to develop a robust IT governance framework is no walk in the park. It needs thorough planning, research, and resources that best fit your organization.

IT governance is an ongoing process and not a one-time destination. IT governance is not only about IT. It affects all aspects of your organization.

More importantly, as daunting as the implementation of your IT governance is, you still need to instill behavior and awareness at all levels of the organization, not just with senior management and the Board of Directors.
IT is complicated, but IT governance doesn’t have to be.

Jan Nolasco is a Managing Consultant of Advisory Services at P&A Grant Thornton. We’d like to hear from you! Tweet us: @PAGrantThornton, like us on Facebook: P&A Grant Thornton, and email your comments to or


As Published by The Manila Times dated 17 October 2018