I deliver a lot of courses and workshops on IT Governance and on the Governance of IT. (Yes – there is a difference). One of my favorite exercises is to put the word “GOVERNANCE” up on the white board and then I put a stack of pens on the table and ask the attendees to write the first word that comes into their minds when they think of Governance.
A simple little exercise that opens a lot of eyes as to the different perspectives on governance. The term governance is used inconsistently within organizations. There are those that are focussed on being able to pass an audit, those who want to gain and demonstrate that they have control, and so on. I then proceed to explain my view on good governance.
I walk up to the front of the room. I tell them that this room represents our fictitious organization and I am the leader of this organization. The people in the first row are my first line management team. They report to me. If I am governing well, the leaders in the front row will make the same decisions as I would make. They would have appropriate policies, guidelines and rules that I put forward. These leaders are both accountable for, and have the authority up to, a certain level of risk and a certain level of financial expenditure. This affords me the luxury of focusing on things that are of higher risk or of a higher strategic importance.
As the leader of this organization, I have 2 primary responsibilities:
- “Manage” all aspects of risk and financial decision making that are not addressed by the corporate governance model
- Continually improve the Corporate Governance Model
The better I handle item #2, the less I am doing item #1.
I then look at the next row of people in the workshop and I tell them that they represent the second line management team. They report to the first line. If I am doing a really good job of governance, they will have the appropriate policies, guidelines and rules to support their management decisions up to a level of financial and risk control that we set for them. They will be making the same decisions that their management team would be making, which would be the same decisions I would be making. This model is replicated all the way down the organization to enable consistent decision making throughout the organization. Sounds obvious... and a little too easy...
Now for reality…
In order for a governance model to be effective you must consider at least these 5 principles:
- Measurement and Continual Improvement
It is very easy to take this to such an extreme that any benefits from tighter governance are lost to the bureaucracy of the model. It is important that the policies, guidelines and rules that are put in place allow for a certain degree of flexibility. There are always unknowns and a good governance model will allow for them. The pendulum will naturally swing from flexible to rigid and back again. A good governance model will help us address the extreme swings.
The purpose of good governance is to drive consistent behaviours through the organization. These behaviours must be modelled by senior leadership. While there is no guarantee that the organization will emulate the desired behaviour exhibited by their leaders, it is a much better bet that undesired behaviour will be emulated.
The desired behaviour of an organization must be realistic and practical. Putting together a governance model that requires the organization to comply with rules, policies and guidelines that cannot realistically be followed in the context of an individual's job is likely to be met with resistance and will cause staff to circumvent the processes. In order to ensure that the governance model is both fit for use and fit for purpose, stakeholder engagement is critical throughout its creation and continual improvement.
When it comes to governance shortcomings, focus must be on the governance model and not on people. It is seldom that negligence can be labeled as the root cause of an issue related to governance. Even when people fail to follow established policy, you can often attribute it to poor communication or awareness. It is important to continually market the desired behaviour. Recognizing and rewarding the desired behaviour at every opportunity goes a long way to establish the behaviours as part of the culture. If you are trying to establish more of a risk taking culture and you slam someone who takes a risk that they believed was acceptable – what are the odds that that individual will take risks in the future?
The problem with governance is that it exists even when we don't plan it. Nature abhors a vacuum and when we fail to govern, systems will organically grow into place. This means that varying and conflicting pockets of governance and management will start to surface in the organization. As consultants, we see it all the time: different sets of policies or rules depending on the manager you report to.
Governance requirements change all the time and the holes in the governance model show up as stakeholder pain points and as triggers. It is important to be on top of the required changes to the model – at all times. Governance is not a project, it must be continually monitored and improved in order to be able to keep it aligned with the organizational goals and objectives.
Of course – you can't cover a topic like governance in one blog article but hopefully it gives you something to think about. I strongly recommend my clients look at IT Governance by Weill and Ross or consider taking a COBIT 5 course.