ISO38500 may be too late; the word "governance" is rapidly equalling "management"

The word "governance" is in danger of total debasement. ISO38500 may be only half-cooked but that is because it arrived just in time... or perhaps too late.
There have been concerns raised about ISO38500. One reader wrote to me with some valid questions about ISO38500:

I would like to know your opinion on the actual value of the quite new ISO/IEC 38500 standard for IT Governance (or about its "father" the AS8015). That is if you think that 38500 is just a start-up of a long trip or something more valuable as a first step...
I am surprised that a Standard can be defined without a minimum practice at its foundation. Above all by considering that the Australian version has been defined at the beginning of 2005, that is almost 3.5 years ago.

I think such questions/concerns are valid. ISO38500 defines a term and its broad shape. We must wait for more guidance on what certifiable IT Governance actually looks like.

But there is plenty of evidence around that 38500 is desperately needed, and possibly too late to prevent the total erosion of meaning of "governance".

Take this article as just one example:

Every organization, large or small, must make decisions about how to use their resources in the best interests of the enterprise. The demand for data, projects, people and money always exceeds the supply of those resources. This is the core of governance: how to make those decisions in the best interests of the enterprise – not what is in the best interests of a particular function, but in the best interests of the organization. Of course, we all have different opinions about what that means. A governance process that ensures that the correct projects are completed and the correct people are involved in prioritizing them is essential to success.

They are talking about management. Governors might check that managers are making these decisions well.

choosing projects that create value is inherently a strategic activity and should involve corporate leadership...Much of the written work on governance focuses on the structural features or methods for managing a collection of projects. Topics such as policies, procedures, standards, data definition, roles, responsibilities, accountabilities, business rules, data redundancy, master data, structured and unstructured data, privacy, security, data usage, data quality, auditability, authorities and decision making are all valid and important to address. However, research and experience indicates that effective governance processes are characterized by both methodological comprehensiveness and social interventions where key stakeholders build collaborative relationships and shared understanding.

Putting aside the consultant babble of "effective governance processes are characterized by both methodological comprehensiveness and social interventions where key stakeholders build collaborative relationships and shared understanding" that would win me Bullshit Bingo in one sentence, the bits I can understand are talking about management.

If this is governance, what does the Board do? If this is not management, what is?


From your quotes, you are 100% right. Those quotes talk about management.

One of the points of governance is that it's separate from management - it checks up on management - it governs it. The governors, sorry, the "governance roles", must not have any vested interest in approving mgt decisions because it makes themselves look good: they must not be the managers: they must be non-executive. (The importance of non-executive directors at board level and the splitting of chairman and CEO roles is the same kind of thing; ignoring it gives us Enron. [My bid for oversimplification of the month, but I'm still right.])

Is it perhaps the case that true governance simply isn't happening?* - Thereby leaving the term free for those trying to advise the managers (that includes me) to use and abuse? We vendors, trainers, consultants and bloggers are less likely to get the attention and the money of the true non-executive corporate governors, so let's go for the managers.

Having an International Standard won't by itself stop this dilution of the term; having CEOs and CIOs afraid of governance will.

* (Why might IT governance not be happening - as in, not going down to an effective level? My experience of SOX and COBIT governance efforts suggests that they all have a tendency to focus on very few controls, and even then to drop some of them when the resistance shows up. And in the case of SOX, to focus only on the ability to produce financial reports. If corporate governance is so hard, it doesn't bode well for the value of IT governance.)
