Delivering consistent and quality IT services for customers is not easy – and can be even more challenging – if they are not governed effectively. For example, how can an IT organisation look to improve if it doesn’t measure the number of service-impacting incidents properly?
Take the high-profile service outages of several major banks in recent years, for example. Their customers were unable to make transactions or access services for periods of time. Even in such a highly regulated environment as financial services, where IT governance is generally tighter, there are no guarantees that the outages could’ve been prevented by governance alone.
Equally, too much governance could be seen as overly bureaucratic. A complicated – and lengthy – change control process could drive the wrong behaviour from some members of the IT organisation in that they may simply bypass the process.
In any case, a business is often dependent on its IT services, and as such, there need to be controls in place to not only protect – but gain value for – its customers. This of course needs to be appropriate, as not all businesses are financial service providers needing tight control.
What is governance and why is it important?
Before implementing any type of governance, it is worth understanding what it actually is. According to Wikipedia, “governance refers to all processes of governing undertaken…and relates to the interaction and decision-making among the actors involved in a collective problem”.
The Harvard Business School describe IT governance as “specifying the decision rights and the decision-making mechanics to foster the desired behaviour in the use of IT”.
A key thing to note is that governance is not the same as management. Ultimately, ITSM governance is concerned with control, compliance and performance.
It is important that ITSM governance has effective decision-making in place; drives the right behaviours (and, by implication, discourages the wrong behaviour); and has policy and processes in place so that it is easier to discover issues and remedy them more quickly.
Going back to our banking example earlier, HSBC had an issue with ATMs and Online Banking in 2011 but were able to pinpoint it and restore service within 2-3 hours. If they didn’t have good governance in place, it feasibly could have taken considerably longer to obtain information and decisions.
What are the different aspects of ITSM governance?
In order to understand, design and communicate effective ITSM governance, Harvard Business School suggests “a decision, rights and accountability framework” should be created that covers aspects like:
- What decisions should be made and what information should be considered
- Who can make decisions and who is accountable for them
- How can decisions and governance be measured?
You might also want to consider different aspects like those in the table below:
| Aspects | Questions or things to consider |
|---|---|
| 1. People | Communicating with guiding principles that inform and involve all relevant staff; leverage their expertise; and ensure strong input from Senior Management |
| 2. Process | Governance should be controlled and executed through policy, process, ownership and performance |
| 3. Technology | What technology and tools are required to support the process? |
| 4. Information | What data such as measurements and metrics are required to inform decision making? |
| 5. Services | What are they; how much do they cost; and how do they add value to the business? |
| 6. Suppliers | What are their processes and metrics and how are they involved in your governance? |
| 7. Customers | Who are your customers and how do they benefit from your governance? How can you evidence your governance improves service costs, their perception and value delivery? |
| 8. Corporate Governance | How does your governance align to the corporate governance, strategic objectives and architecture; and are IT involved at the right level within the organisation in this regard? |
How is ITSM governance executed?
After considering what aspects to include in ITSM governance, it is equally important to consider how to design and execute it in practice. The following are some suggestions you might want to consider when implementing ITSM governance.
Firstly, identify the types of frameworks and methods to be used – particularly if you are starting from scratch. Whilst not exhaustive, the following are some common methods and how they can be applied:
- COBIT is an IT governance framework that focuses on what should be covered in processes and procedures and how they can be directed and controlled.
- ISO/IEC standards like 20000 (Service Management), 27000 (Security) and 38500 (IT Governance) are international standards that provide specific advice and controls against which IT can be audited to gain industry-recognised certification.
- TOGAF is a framework for enterprise architecture that provides an approach for designing, planning, implementing, and governing an enterprise and service orientated architecture
- Other specific best practices for governance such as PRINCE2 for projects; USMBOK and ITIL for service; MoR for risk management; CMMI for benchmarking and maturity.
Secondly, ITSM needs to be involved with – or even own – certain internal governing bodies like:
- IT Pipeline and Portfolio Board to understand the upcoming projects and be ready to design, transition and operate the services being delivered as necessary
- Architecture Governance Board to influence and ratify all architecture designs and decisions
- Change Advisory Board to review/approve changes – particularly to the live production environment
- Other Governance or Steering Groups involving the business to ensure IT is represented appropriately
Thirdly, ITSM governance needs to ensure key policies, processes and metrics are in place. This may vary depending on the needs of the organisation, but things like incident, change and release policies should be created to ensure service-related issues or changes are controlled, evaluated, measured and resolved in an appropriate way to ensure minimum risk and impact to the business.
Finally, and arguably the most important thing, is to build an improvement culture that involves the support of the whole IT organisation. By establishing quick wins; involving staff in the policy development; empowering them to take ownership as appropriate; and using improvement techniques such as Deming’s Plan Do Check Act cycle, ITSM governance is more likely to be established, accepted and acted upon by the IT organisation.
The key things to remember when implementing ITSM governance are to:
- Ensure it is appropriate for your organisation and limit bureaucracy where possible
- Remember that governance is not management and is primarily about driving effective decision-making and ensuring control and performance of services
- Make sure it aligns to the strategic and corporate governance and objectives of your organisation
- Control, improve and mature governance through policy, process, benchmarks and measurements using industry best practice if practicable to do so.
- Develop and maintain an improvement culture within the IT organisation so that staff understand the value of – and contribute to the success of – ITSM governance
- UK banks struck by IT outages – Information Age (2011)
- SOA governance – Wikipedia (2016)
- ISO/IEC 38500 – Corporate Governance of IT – Wikipedia (2016)
- The Role of ITIL in IT Governance – Rick Leopaldi RL Information Consulting LLC (2016)
- Why Does IT Governance Matter? – Ricardo Chavira Associate Director, Governance, Service Management & eServices (Yale) (2013)
- Governance over IT Service Management Processes using COBIT 5.0 – Ben Martin (2013)
- 6 Success Factors for ITSM Governance Structures – Edward Rivard for ITSMWatch (2011)
- IT Service Management leads to IT Governance – ITSM Academy (2010)
- Governing ITIL with COBIT – David Nichols (2008)
This article was contributed by Jon Morely – Vice-Chair of the itSMF UK Service Transition Special Interest Group and IT Service Transition Manager at the University of Nottingham.