by N. Dean Meyer

What is governance and what should IT leaders be doing about it?

Feb 28, 20057 mins
IT GovernanceIT Leadership

At the corporate level, especially in the shadow of the Sarbanes-Oxley Act, governance has come to mean ethics and truthful financial reporting.

In IT circles, it more commonly means resource management, especially investment (e.g., project) approval processes.

Some think of governance as the mechanisms of accountability to ensure that staff deliver on their promises.

Still others define governance as management controls to make sure that the IT function does what it’s supposed to. This often takes the form of committees that “help” IT leaders make their management decisions, especially popular in two situations.

  1. When the CIO or the IT organization is unpopular, governance is used by business-unit leaders as an excuse to meddle in the management of IT in ways that arm’s-length customers would never do to their suppliers in the real world.
  2. Where IT is decentralized, the term is used to justify some form of corporate control over the various business-unit IT groups that were originally established to circumvent corporate controls, generally resulting in political battles, stress, wasted time, damaged relations and little in the way of benefits to anybody.

The Real Meaning of the Term

So what’s the real meaning of the term?

All of the above. Governance means all the processes that coordinate and control an organization’s resources and actions.

Its scope includes ethics, resource-management processes, accountability and management controls.

Implementing Governance

With this broadly defined challenge, what should CIOs do about governance? Let’s first look at what doesn’t work….

In many cases, governance has been implemented in a narrow and often harmful way—as oversight through steering committees and auditors. The results are generally bureaucratic, imposing convoluted approval processes on already-burdened organizations. Heavy-handed, top-down controls squelch entrepreneurship, bog organizations down and drive administrative costs up.

Admit it, the last thing we need is more bureaucracy! Fortunately, oversight is not the only mechanism of governance.

Oversight prevents people from doing the wrong thing, be that making a bad investment or disregarding ethics and law. But why is oversight needed? Why do people do the wrong things and hence need to be controlled?

Organizations generate signals that guide everybody’s behavior. Most leaders recognize the power of metrics, but signals also come from an organization’s culture, structure, resource-management processes and methods. When these signals are poorly designed, people do the wrong things and oversight is needed to catch them.

As an alternative to oversight, leaders can adjust the signals within an organization so that people automatically do the right things in the first place. This systemic approach creates an environment where staff are empowered and entrepreneurial, yet behaviors and resources are controlled and well coordinated.

Look at the way the real world works. In a market-based economy, entrepreneurs naturally please customers and manage suppliers because that’s what it takes to succeed. The need for auditors and police is minimal, and certainly does not extend to daily management decisions.

Systemic governance is less costly, more comprehensive, empowering, flexible, and highly responsive since everybody is continually adjusting their behaviors to the needs of the situation. Oversight should only be used as a last resort, when systemic governance just can’t ensure sufficient control.

In practical terms, how can CIOs implement governance systemically?

Ethics and Integrity

Ethics and integrity can be treated through culture. Contrary to popular beliefs, culture is one of the easiest things for a CIO to change. The key is focusing on behaviors rather than values. To change culture quickly, leaders document all the desired behaviors (practices), then roll them out with education, modeling and metrics.

When the right behaviors are well defined and widely practiced, then even when one person slips, others around him or her are there to catch the organization before it falls into dangerous practices.

Resource Governance

The IT organization is a business within a business, serving customers throughout the company (its market) with a range of products and services. In this context, the resource-governance processes within organizations can be considered an “internal economy.”

Most of us believe in market economics outside the office. The same principles can be applied within organizations. Instead of bureaucratic hurdles, market economics provide the most effective approach to resource governance. See Beneath the Buzz: Portfolio Management for one model for this.

IT budgets can be treated as accounts that belong to clients, put on deposit at the beginning of each year in order to buy IT’s products and services all year long. When clients manage these, their expectations are more likely to match available resources. Meanwhile, IT is empowered (like any entrepreneur) to manage its business without clients’ meddling. It can decide its cost structure, including setting aside time and money for sustenance activities like training and product research, as long as its prices remain competitive. And it can invest in its infrastructure (with funding approved by its chain of command, not by clients) to provide reliable services now and in the future.


Accountability depends on a healthy structure. Good organizational structure defines jobs based on the lines of business within the IT organization (not old-fashioned roles, responsibilities and tasks). It defines what groups “sell,” not what they do. Structuring around lines of business establishes individual accountability for results—the products and services delivered to customers both in the business units and within IT itself. As with ethics, personal accountability can be reinforced through culture. An organization’s culture can define the behaviors of empowerment that manage people by results rather than by telling them what to do.


Controls go beyond resource governance and individual accountability. Particularly where an IT function is decentralized, corporations are concerned about compliance with product standards to gain bulk-purchasing discounts, and with architectural standards and policies to ease systems integration. Again, the best form of governance is systemic. The only reason decentralized IT staff would deviate from corporate directives is if it’s in their parochial best interests to do so.

The answer is not to demand altruism (self-sacrifice for the greater good) and then attempt to enforce it (a losing battle). Instead, business units should benefit from corporate coordination.

For example, if corporate staff offer products at a price that’s lower than what business units could buy independently, then business-unit staff will naturally buy through corporate IT. When corporate IT staff view business units as clients and approach them in a customer-focused manner, they build voluntary consortia to get bulk-purchasing discounts. And they don’t antagonize clients who choose to pay more for products that are non-standard but better fit local needs.

As to standards, it’s reasonable for corporate executives to demand that business units submit data (such as financials) in a standard format. With this as a management requirement, standardizing IT protocols becomes the most cost-efficient way to get the job done.

The Result

The result of systemic governance is an IT department that empowers clients to choose what they’ll buy and then delivers on its promises. It is customer focused, and produces good value while investing in its own capabilities to ensure its future viability. And systemic governance empowers staff without any loss of control.

This kind of organization doesn’t need committees to oversee it, complex approval processes to make sure clients aren’t asking for things they don’t really need, or inflammatory attempts to disempower corporate or decentralized IT staff.

With a systemic approach to governance, people naturally do the right things because the “rules of the game” are set up that way.

Dean Meyer helps IT leadership teams design high-performance organizations. Author of six books, numerous monographs, columns and articles, he brings innovative systematic approaches to what others consider the “soft” side of leadership. Contact him at or visit his website for information that can help you implement these ideas, or with suggestions for other buzzwords to analyze in future columns.