A review of Governance of IT

Here is an important book: Governance of IT, by Alison Holt. Everyone in any role of authority in IT should read it, and anyone else would benefit from a better understanding of governance as well - it is a horrendously misunderstood and misused term.

Better still, everyone in executive management or governance of any organisation should read it. Well, I can dream.

No excuses for not reading it: it is just over 100 pages.

Alison was the chair of the original ISO/IEC working group that developed the ISO/IEC 38500 standard Corporate Governance of IT. This book explains it.

I say to anybody who will listen that the most important word in the whole ISO38500 standard is in the title, and it is the word "of". "IT Governance" is a misleading term. Governance is done to IT not by IT. Governors govern. The ISO38500 standard makes this crystal clear. If you use "governance" to refer to management, supervisory, reporting, control, or audit activities within IT, stop it.

The ISO38500 standard is only 6 pages long. The first half of Alison's book explains the standard and why it matters. The second half explains how to make it happen. That's a lot of horsepower in 100+ pages! The text is clear and readable, in the no-nonsense style we Kiwis have. (Yes, Alison is a compatriot - she lives just down the road from me!)

I do have a couple of issues with the book:

  • ITIL's Service Portfolio Management is a primary mechanism for interfacing governance with IT, possibly the primary mechanism. It is certainly an essential tool for communicating when asking governors for evaluation of a decision. Governors need to be involved in the balancing of demands across the portfolio of both planned and active services. But it is not even mentioned in the book.
    Put another way, there is little discussion (except for one section on p93) of one of the biggest issues in IT today: how the business makes demands on IT which so deprive the BAU operations of resource that they break. Governors need to monitor and evaluate the tension between protecting the existing investment in IT and the delivery of new value from it.
  • I'm less enthusiastic about Kaizen, which is embraced in the book. I agree with Charles Betz in his book Architecture and Patterns for IT on a point that I bring out in my "Standard+Case" approach: only some of IT can be standardised, i.e. can be reduced to factory-style repeatable transactions. Much of it can't. I think the application of Taylorism to IT has limited value and in fact can be damaging. The factory is the business process that IT supports - manufacturing information transactions. IT isn't a factory: IT builds the factory's "plant". Kaizen only works for standardised repeatable activities.
  • There is no IT policy framework in existence, anywhere, as far as I can tell. Policy is the fundamental mechanism for governors to direct. I'd love to see some guidance on how to create a set of policy, how to structure it, how to audit it for completeness. (This has been a planned project of mine for so many years now that I guess I better admit I'm never going to get it done.)

I find nothing else to fault this book for - except perhaps I wished for more. But in the modern age nobody reads books of substance, and they think about them even less. So this is a book of its age - small enough to be accessible to the flibbertigibbet executives and managers of today.

The other issue this book faces is the profound challenge facing all those interested in better governance of IT: how the hell to get the people who should be reading it to read it. Good luck with that.

But you can read it, and you should.
