What Governance Isn't

Governance is hot. "Governance" is the "in" word right now in IT. It is also a word that is suffering badly from terminological debasement, something the IT Skeptic has railed against on this blog before. Look for more on this in the near future.

Here is an article (pdf) by the IT Skeptic published in Novatica magazine, on "What Governance Isn't", which discusses this same debasement problem. If you are a Spanish speaker, as a fair chunk of the planet is, then you should consider a subscription to this IT magazine.

Look for the new ISO standard on governance to be published in April or May (ISO number yet to be assigned). It sounds to me to be right on the money in defining the term "governance" [as if they needed to know that the IT Skeptic agrees]. Hopefully it will put a brake on the terminological slide.

I attended a most interesting discussion on the meaning of the word "governance" at a local-branch ISACA "think tank" recently.

Governance is not management, not doing. It is steering the organisation. Command and Control. Or as the new standard has it: Direct, Evaluate, Measure.

As the term becomes more debased, governance is most often confused with two management activities: measurement and policy compliance.

Governance is done by governors. If they are not a governor (within the domain of consideration) then what they are doing is almost certainly not governance. What they are doing is serving governors: implementing mechanisms to enable governance, providing information for feedback to governance, acting to meet directives of governance, making corrections to stay within policy bounds.

We'll have more to say on this.


missing the point

I think several comments here are missing the point. Governance is indeed about "specifying the decision rights and accountability framework". It is NOT about making decisions and it is NOT about operationally enforcing desirable behaviours (which is what Change Management does).

The operational implementation, measurement and policing of the directives of governance is not governance, any more than Change Management is management. We have "waste management officers" - let's not let the poor word governance suffer the same fate.

ITIL vs CobiT Definitions

CobiT's definition of Governance simply states:

The method by which an organization is directed, administered or controlled. (CobiT 4.0)

You mentioned:

the operational implementation, measurement and policing of the directives of governance is not governance, any more than Change Management is management.

So would you disagree with the ITIL Glossary?

Ensuring that Policies and Strategy are actually implemented, and that required Processes are correctly followed. Governance includes defining Roles and responsibilities, measuring and reporting, and taking actions to resolve any issues identified. (ITIL V3 Glossary)

I'm particularly interested in separation of duties; "following the rules vs setting the rules". Take for example, a decision to adopt ITSM...

John M. Worthington
MyServiceMonitor, LLC

There are of course grey

There are of course grey areas here, but the new standard defines Governance as Direct, Evaluate and Monitor.

Let me try to clarify:
Watching a high level dashboard of say profitability is governance. Creating the dashboard or collating the numbers is not.
Directing that the organisation must show a profit is governance (or deciding that this year we will not because growth is a priority). Deciding how to adjust operations so as to be profitable is not governance [grey area]. Taking corrective action when the organisation is not profitable is not governance.
Viewing sufficient feedback information to ensure that directives have been followed is governance (Evaluate). Creating those feedback reports (Audit, Management) is not.
BAU operational actions to stay within directives are not governance. Changing the directives to respond to persistent failure to comply is.

So it all depends on how one interprets "Ensuring", "measuring and reporting" and "taking actions".

Directing vs. Deciding

It is tough to do this for a comment titled "There are of course greys", but even you fall into your own trap by stating:
Directing that the organisation must show a profit is governance (or deciding that this year we will not because growth is a priority).

So the decision on profit is not in the management domain, but in the governance domain?

Of course directors make decisions

Of course directors make decisions, they make decisions about policy.

Back to the ship analogy: they decide the course, not how to steer.

Grey is the new Black

Seems to me a lot of the interesting value might be in the "Grey Area".. The difference between passive and active value creation for an IT organization might be how governance is executed in that grey area..

It's the diversity (because of representation) of a governance structure and its ability to apply that perspective to some of the most challenging problems in IT, that can be uncovered by the evaluation of metrics associated with governance that is interesting. That's why my belief in "decisions".

"Deciding how to adjust operations so as to be profitable" is the interesting question...

Similar questions exist in all governance structures at all levels.

I am devaluing the majority of the work in governance, that is the framework. The block and tackle of getting a decision framework, what to measure etc.. is all very important.. It's when this information gets in the hands of people and discussions happen that is most interesting..

Brad Vaughan


Funny.. I thought governance was the act of governing..

And in performing the act of governing, you really think governance is not about making decisions???

Brad Vaughan

yes - really

Brad - I can hear you thinking, and I must admit that it looks a bit peculiar at first sight - and it's also not easy to follow up on. But I totally agree with the Skeptic on this.
When we started the ITGA (IT Governance Association, NL) a couple of years back, the first thing the team agreed on was the strict separation of governance and management. From what I've learned from the new ISO standard on IT Governance, this separation was enforced there as well.
The domains of governance and management are separated - but as usual when we set up domain borders, this is done by a grey wavery line. It's hard to get it crystal clear and not run into semantic or philosophic problems. One definition solution I usually apply here is that governance can also set the borders, the bandwidth, the limits, for the management decision domain. Governance then not only details *how* decisions are taken and by whom, but it also sets the restrictions for the system.
Eg: "you may develop systems as you like, but you need to follow specific requirements from a list of relevant guidelines (eg SoX)."
Or: "you may outsource as much as you want, but you must be able to prove alignment to average market pricing levels - by means of a recognized benchmark."
Governance is focused at 'control' and therefore at risk management; if you want to get in control of your organization, you'll need to set some rules, as well as some specific restrictions to the road you want to take.

The gears are whirring

I think a lot of governance definition comes down to the point I made about external control vs. internal alignment.. The role of the group is a little different depending on its degree of "externality". Internal alignment is essential, because when alignment becomes external, then governance turns into regulation.

Take the securities and exchange commission vs the board of a public company vs IT governance board as two sets of governance bodies over the same management structure. One is external control, external alignment (alignment to itself, shareholders in general), whereas the board of a public company is external control, internal alignment. Finally an IT governance organization would be internal control, internal alignment (again, it also depends on perspective, because the IT governance board would be external to IT).

+ $0.02

Brad Vaughan

I see the point, but it needs more definition

I can see the point, but it needs some definition to support the broad based statements and also the functional need for it to be that way..

I fully understand the separation of management and governance. This is the whole basis of most systems of government. You separate the Political system from the Bureaucratic one.

You cannot say Governance is not about decisions. Because it's just the type of decisions they make which is the issue. They are not about operation decisions, but they do shape the operating model of the company.

Let's use some examples of governance bodies (IMHO) and try and see how the point you make pans out:

Board of a private company - they certainly approve a lot of things (fiscal policy, bonuses, salaries, acquisitions), and the ultimate head of management for a company is responsible to them. It is true within the operating model they have no power, so they are not part of an escalation process (unless for exemption from the operating model). And they do not have operating responsibility, mostly they are not even members of the company. They are mostly subject matter experts providing advice to the CEO and executive team, or representatives of large interests in the company (this bit sounds very regulatory).

Project Steering Committee - I would say similar to board, they set the project governance framework and the project manager (the ultimate head of the project) is responsible to them. They have no operating power unless a decision is required that requires exemption from the operating model.

Change Advisory Board - So I poorly used the word Change Management as a governance process. I should have said the Change Advisory Board as a governance body over change management. I see a similar pattern.

I would be interested to hear if everybody thinks these are examples of Governance Bodies and what are the defining characteristics (not too interested in paper definition, because there is too much possible interpretation, more interested in the practical experience).

The one area of contention I see is the escalation of decisions. In both the Steering Committee and Change Advisory Board models, the escalation issue is a tool used by the leader of the operation process (ie. Project Manager, Change Manager) to provide some representative decision and afford some coverage from the political system that is an organization of any complexity. It's not obvious in the Company Board example, because the CEO has more true power over the management organization.

So maybe governance role changes depending on the structure it is governing. I personally see IT Governance needing to place this role of political cover for the CIO between the management heads that have equal or more power to them. This is just my view of how it needs to work in practice. This is not a strict part of the definition of governance, I will admit.


Brad Vaughan

Could ITIL be driving interest in governance?

Perhaps some of the new V3 guidance (Strategy, Portfolio, et al) is stirring up this pot?

Having slammed into a CMDB wall at ramp speed, we're now building 'portfolios' (and maybe even 'PMDB's :) ). While I don't expect the 'business' to ever take its foot off the accelerator (speed up!), I can't help but wonder if some of this is a result of them ('the business') being as addicted to technology as we are to oil.

Perhaps giving them a seat in the front of the car will help them see the potential carnage that lies ahead. I wonder if 'governance' is an attempt to get 'the business' to accept its share of responsibility for driving this death trap...

Are 'governance' initiatives an attempt to slow 'the business' down to 50 miles over the speed limit? I thought we (IT/business) were at least on the same highway (if not in the same car). Well, if ITIL has anything to do with the increased desire for 'governance' (slow down!) then we should stir the pot some more and offer the ITIL Service Strategy definition:


Ensuring that Policies and Strategy are actually implemented, and that required Processes are correctly followed. Governance includes defining Roles and responsibilities, measuring and reporting, and taking actions to resolve any issues identified.

Of course, this thread would have to prefer the term 'steering' for obvious reasons. The only thing I wonder is, are we steering the same vehicle?

John M. Worthington
MyServiceMonitor, LLC

It's not the brake

My comment about regulation also applies to governance being considered a brake to the speed of execution. In fact using governance properly should actually speed up business adoption of IT and IT execution. This is assuming you have an organization with any form of complexity. Same statement applies to change management (itself a form of governance). Change management should be able to speed the execution of change (those that need speed) and only slow those that need more rigorous consideration.

The separation of governance and execution starts to become a little useless if you have a company with a simple structure. A company that has 1 product in 1 geographic market with 1 addressable customer base would find it very difficult to separate governance from execution and very expensive to try. Governance in this context becomes second nature to management. A good leader is a good governor in the simplest case.

Brad Vaughan


An interesting definition of (IT) governance is from Weill & Ross:

"IT Governance: specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT"

The latter part cannot be emphasized enough. It has to do with ABC (Attitude/Behavior/Culture) or CAE (if I recall a previous post by the skeptic correctly). In the end, it is what you want to achieve with governance.

Also, in my opinion governance has to do with both meeting (mostly external) threats (compliance/conformance) and living up to expectations (performance).

It's not regulation

I have a couple of points..

I see the mistake that sometimes people implement governance as regulation. There needs to be some differentiation of these two areas. The discipline of governance should include some understanding that the "governors" have some stake or alignment to the thing they are governing.

The other point I would make is the complete lack of mention of the word "decision".. Its implied in "Direct", but this word has more implications in line management and not governance. Decision is passed down to "doers", who direct resources for action..

$0.02 as always (current tally $2.76)

Brad Vaughan

Shortcuts and human nature

An interesting post, governance certainly seems to be moving up the business agenda.

Last November, half of the UK population discovered that the Customs and Excise department had copied their personal information (including banking information) on to two CDs which were subsequently ‘lost in transit’ via a courier to another government department.

They have not been recovered and there is an obvious concern that the data may be in the possession of criminals.

Procedures had not been followed, partly because there was an attempt to save money.

My take on governance is that:

“Those of us who have worked within a highly procedure-driven environment can understand the frustrations which are commonly felt, where what appears on face value to be the simplest of tasks seems to take forever to gain sign off through many layers of bureaucracy.”


“Sometimes we, as individuals, may think we know why a process works in a certain way and, based on our limited knowledge, take shortcuts just to shorten the time taken to achieve the same results. But all too often, because we don’t have the experience of the whole community of practice which has developed the process, we unwittingly introduce risk.”

In conclusion,

“People will always try to shortcut procedure and it is that human nature which we’ve seen tackled in other industries through communication, automation and implementing new approaches to cross functional governance.

With IT, unless we can clearly identify weaknesses in dataflow (defined as the flow of data between business assets, which includes people), easily explain process and make sure the true costs of taking shortcuts are clearly understood, it is only a matter of time before there are further catastrophic data breaches.”

You may be interested in reading the full post 'Governance and Government' here.
