Control over the IT process of Provide IT Governance that satisfies the business requirement for IT of
- integrating IT governance with corporate governance objectives and complying with laws, regulations and contracts
- preparing board reports on IT strategy, performance and risks, and responding to governance requirements in line with board directions
- Establishing an IT governance framework integrated into corporate governance
- Obtaining independent assurance over the IT governance status
- Frequency of board reporting on IT to stakeholders (including maturity)
- Frequency of reporting from IT to the board (including maturity)
- Frequency of independent reviews of IT compliance
1 Non-existent
2 Initial/Ad Hoc
3 Repeatable but Intuitive
4 Defined
5 Managed and Measurable
6 Optimized
Benchmarks/Guidelines for Scoring
1 Non-existent when
There is a complete lack of any recognizable IT governance process. The organization does not even recognize that there is an issue to be addressed; hence, there is no communication about the issue.
2 Initial/Ad Hoc when
There is recognition that IT governance issues exist and need to be addressed. There are ad hoc approaches applied on an individual or case-by-case basis. Management’s approach is reactive, and there is only sporadic, inconsistent communication on issues and approaches to address them. Management has only an approximate indication of how IT contributes to business performance. Management only reactively responds to an incident that has caused some loss or embarrassment to the organization.
3 Repeatable but Intuitive when
There is awareness of IT governance issues. IT governance activities and performance indicators, which include IT planning, delivery and monitoring processes, are under development. Selected IT processes are identified for improvement based on individuals’ decisions. Management identifies basic IT governance measurements and assessment methods and techniques; however, the process is not adopted across the organization. Communication on governance standards and responsibilities is left to the individual. Individuals drive the governance processes within various IT projects and processes. The processes, tools and metrics to measure IT governance are limited and may not be used to their full capacity due to a lack of expertise in their functionality.
4 Defined when
The importance of and need for IT governance are understood by management and communicated to the organization. A baseline set of IT governance indicators is developed where linkages between outcome measures and performance indicators are defined and documented. Procedures are standardized and documented. Management communicates standardized procedures, and training is established. Tools are identified to assist with overseeing IT governance. Dashboards are defined as part of the IT balanced business scorecard. However, it is left to the individual to get training, follow the standards and apply them. Processes may be monitored, but deviations, while mostly being acted upon by individual initiative, are unlikely to be detected by management.
5 Managed and Measurable when
There is full understanding of IT governance issues at all levels. There is a clear understanding of who the customer is, and responsibilities are defined and monitored through service levels. Responsibilities are clear and process ownership is established. IT processes and IT governance are aligned with and integrated into the business and the IT strategy. Improvement in IT processes is based primarily upon a quantitative understanding, and it is possible to monitor and measure compliance with procedures and process metrics. All process stakeholders are aware of risks, the importance of IT and the opportunities it can offer. Management defines tolerances under which processes must operate. There is limited, primarily tactical, use of technology, based on mature techniques and enforced standard tools. IT governance has been integrated into strategic and operational planning and monitoring processes. Performance indicators over all IT governance activities are being recorded and tracked, leading to enterprise-wide improvements. Overall accountability of key process performance is clear, and management is rewarded based on key performance measures.
6 Optimized when
There is an advanced and forward-looking understanding of IT governance issues and solutions. Training and communication are supported by leading-edge concepts and techniques. Processes are refined to a level of industry good practice, based on results of continuous improvement and maturity modeling with other organizations. The implementation of IT policies leads to an organization, people and processes that are quick to adapt and fully support IT governance requirements. All problems and deviations are root cause analyzed, and efficient action is expediently identified and initiated. IT is used in an extensive, integrated and optimized manner to automate the work-flow and provide tools to improve quality and effectiveness. The risks and returns of the IT processes are defined, balanced and communicated across the enterprise. External experts are leveraged and benchmarks are used for guidance. Monitoring, self-assessment and communication about governance expectations are pervasive within the organization, and there is optimal use of technology to support measurement, analysis, communication and training. Enterprise governance and IT governance are strategically linked, leveraging technology and human and financial resources to increase the competitive advantage of the enterprise. IT governance activities are integrated with the enterprise governance process.