by Mary K. Pratt

Rethinking IT governance for agility and innovation

Jul 13, 2021

To meet today’s need for constant innovation, IT leaders must take a different approach to IT governance centered around flexibility and agility — without sacrificing stability and security.

Josh Hamit understands why IT governance sometimes gets a bad rap.

“When I and others think of governance, it has the connotation of being slow and having a lot of hoops to jump through, and that’s scary for an organization in this age of digital transformation,” he says.

Hamit then asks: “In a time when we need to embrace innovation, how do we do that in a way that governance won’t slow us down?”

It’s a challenge Hamit has been tackling as CIO at Altra Federal Credit Union, where he has implemented a governance model that uses appropriate guardrails for risk management yet still enables adaptability and speed.

More specifically, Hamit’s governance structure defines roles and responsibilities; assigns decision-making and accountability; and creates procedures meant to keep his technology team working on strategic priorities. It also includes policies to ensure IT adheres to required standards and regulatory requirements but with enough flexibility so IT can pivot to meet emerging business needs.

“So much of governance is about maximizing IT investments so that it provides value to the organization,” says Hamit, who is also a member of the Emerging Trends Working Group at the IT governance association ISACA.

Hamit says weekly meetings with senior business and IT leaders enable the organization to quickly reprioritize when needed. Agile practices have empowered IT staffers to make their own decisions. And the policies around risk assessments and change management ensure tech products and services meet regulatory and security requirements as well as user needs.

“We have a good structure in place to be nimble and adjust as needed when new things come up, but we still have guardrails to keep IT from veering off in its own direction,” Hamit adds.

IT governance at a crossroads

IT governance is the collection of policies, processes, and tools that guide and govern how the technology function operates.

“It’s a natural part of running an organization [that’s] supposed to enable you to get the outcomes you want to produce,” says Valence Howden, principal director in the CIO practice at Info-Tech Research Group and an analyst who helps organizations succeed through optimizing how they govern themselves.

Some CIOs have adopted frameworks that articulate the elements that make up their approach to governance. Others have less formalized strictures. And still others have never fully or directly addressed the topic, and so instead get stuck with whatever workflows and habits happened to develop over the years.

Regardless of how the IT governance came to be, experts say many CIOs are clinging to a governance philosophy focused on traditional IT requirements around availability and stability.

“We use it to control things. Governance has become a way of restricting something that could or does go wrong,” Howden says.

CIOs now need a different approach to IT governance.

Today IT leaders need a governance strategy centered around adaptability and innovation, and one that allows their technology teams to move as fast and change as often as markets demand. But they also need this governance model not to sacrifice availability, stability, and security — all of which remain as critical as ever.

“Change, and the velocity of change, means governance has to look different now,” Howden adds.

An imperative to change

The need to change how IT is governed is significant and widespread, according to one recent study.

“The State of Strategy Execution: Embracing Uncertainty to Adapt at Speed,” conducted by Lawless Research and commissioned by software company Planview, found that the inability to quickly adapt strategy execution leads to a decline in growth, opportunities lost to competitors, decreased customer retention, and major loss of profit.

According to the report, executives cited complex governance and approval processes as a top barrier to adapting to change; the executives also listed unclear and conflicting priorities as well as a lack of resources for approved projects as the other two big barriers to agility. Given such research, it’s clear there’s a need for more responsive governance models — particularly in IT.

“We need to tie technology investments to market success. That’s how we now need to regulate the business of technology,” says Nicola Morini Bianzino, global CTO for professional services firm EY.

As such, IT needs different rules guiding its operations, Bianzino says. “There is a big push to shift the IT function to be a business function, to be a driver of growth,” he adds.

There’s evidence that organizations are indeed taking actions to be more responsive to market changes. Lawless Research found that 89% of surveyed respondents said their organizations plan to improve speed in adapting to change and disruption.

The new elements of IT governance

IT governance models that support adaptability, agility, and speed incorporate a number of new ways of operating the IT department, say consultants and executives who have adopted such approaches.

To start, these governance models embrace agile development principles; they do that by building in the policies, procedures, and tools specific to agile development rather than trying to simply tweak the rules that worked for monolithic application deployments.

For example, these governance models eliminate the need for committee reviews and approvals for planned software releases, thereby truly empowering product owners to manage roadmaps while also empowering product teams to make decisions and accept accountability for their choices.

“Part of this is simply accepting that to move with more speed or more velocity you must run this without having a heavy hand on everything,” Howden says.

These new IT governance models built for agility and adaptability also commit to shorter software development cycles by putting in place policies that enable them, says Asaf Weisberg, ISACA board director and founder and CEO of the security and risk management consulting firm introSight.

They do the same for high-performance cross-functional teams by reworking resource management plans so that these teams are given the capabilities they need and are managed as well as evaluated based on this new way of working — and not according to outdated models where the various IT disciplines work separately in an assembly-line fashion.

“It’s a different way of looking at resource management,” Weisberg adds.

Additionally, this new governance philosophy lays out how it will support real-time risk management handled by the teams themselves so they can respond to the ever-changing cybersecurity risk landscape, Weisberg says.

Furthermore, these modern IT governance models embed risk assessment into decision-making processes and use workflow tools to automate adherence to rules and regulations.

“These tools say, ‘These rules are mandatory so you must do these things in a certain way,’” Howden explains. “Then that thinking becomes part of everyone’s work.”

These governance frameworks address the need to create space for innovation, too, Bianzino says, “so you’re moving the organization to a mindset where they’re pushing the envelope.”

They sometimes also address the CIO’s own role — as well they should, Bianzino adds. CIOs must focus on driving business, he says, even if that means splitting off the part of the position that deals with IT operations such as cost optimization, vendor management, and uptime.

Bianzino says forward-facing IT governance also calls for the CIO to report to the CEO or COO; as he explains, an adaptable IT department can’t have a CIO who is “buried three or four layers under the board.”

Finally, experts say this new IT governance approach should extend beyond the IT department itself. “If another department spins up technology, they have to be governed the same way, too,” Howden says.

Of course, modern IT governance still requires guardrails. “Leaving [governance] too loose isn’t good either, so rules of engagement need to be defined,” Bianzino says.

So leading CIOs embed into their new governance structures the rules and limits that are required based on their own organization’s needs, risk tolerance, and regulatory requirements.

But they do so in ways that won’t unnecessarily impede adaptability and responsiveness.

For example, Howden says CIOs that delegate authority to the lowest possible levels within their IT departments to enable agility also establish guidelines on what risk scenarios need to go to senior leaders for discussion.

Or, in another example, CIOs demonstrate trust in teams by granting them autonomy but then also establish metrics to hold those teams accountable.

Moving governance into the future

Some experts advocate for even bolder changes to the notion of IT governance.

“What we need is a completely new operating model for the organization that goes above and beyond IT,” says Marcelo De Santis, who as executive advisor at the technology consultancy Thoughtworks works with executives on their digital transformations and corporate innovation strategies.

All types of organizations must be ready to adapt quickly and to constantly innovate, he explains, so the way they operate must match that need.

“It’s the new business-as-usual for all organizations, whether they’re digital natives or traditional companies. That’s how the world works today; so companies need an operating model for change, not stability,” De Santis adds.

He points to the five elements that his firm has identified as critical to what it calls the “responsive organization” operating model.

It starts with having a top-level strategy that focuses on customer value; a portfolio process that facilitates, measures, and improves customer value by supporting short periods of experimentation; a flexible technology architecture and agile practices; autonomous product teams; and the use of the right measures to determine success.

De Santis says governance is embedded into this operating model because the focus on customer value and the use of appropriate success metrics require attention to both traditional areas of concern such as availability and security as well as modern ones such as responsiveness, user experience, and agility.

He adds: “CIOs must push for implementation of a frictionless model that will help the whole company be more adaptable to constant market changes.”