Governance versus management—this is a conversation I have been involved in many times over the years, and not just in the IT sphere. Many organizations struggle with drawing a line between these two disciplines. In this article, I attempt to define governance and management and to show where one stops and the other starts.
Defining IT governance and management
Let’s look at both in simple terms:
- The governance function of an organization is responsible for determining strategic direction.
- The management function takes that strategic direction and translates it into actions that will bring the organization closer to achieving the strategic goals.
Governance, when applied specifically to the IT organization and its management, is no different. Those responsible for IT governance will look to the overall governance of the organization, aligning with its vision, mission, and goals, and ensuring that the strategic direction being taken within IT aligns with the overall business strategy.
IT governance: Different roles, different duties
Put simply, governance is about leading and management is about doing. Sounds easy, doesn’t it? Unfortunately, the lines are not always as clear as they could be. Somewhere in the middle ground, management and governance often become confused and, fed by this confusion, major problems can grow.
Both functions will see more success when those responsible for governance and management understand their roles clearly and stay within their lanes. In Distinguishing Governance from Management, Barry S. Bader outlines seven guiding questions to determine whether something falls under governance and is thus the board’s responsibility:
- Is it big?
- Is it about the future?
- Is it core to the mission?
- Is a high-level policy decision needed to resolve a situation?
- Is a red flag flying?
- Is a watchdog watching?
- Does the CEO want and need the board’s support?
While Bader was not referring specifically to IT governance and management, the principles remain the same.
If we were living in a perfect world, managers and employees would all know and understand their duties and responsibilities and act on them responsibly. Sadly, that isn’t always what happens. That is why the governance function is ultimately accountable if it is not diligent in its oversight responsibilities.
All organizations will face known and unknown risks. New technology has exacerbated these risks, making them more prevalent and intrusive to business. Those responsible for governance must work closely with IT personnel and senior executives on overseeing risk management and establishing a healthy risk appetite for the business.
Trust for successful governance and management
The critical success factor for IT governance and management is a community of trust. When those in IT governance do not trust those in IT management to undertake initiatives that will meet the strategic goals, the governance folks are apt to step in and try to take over the management function. This is symptomatic of a deeper cultural issue that needs to be resolved.
Persistent confusion between governance and management responsibilities is counterproductive; both sides need to stay in their own swim lanes. If the board is not confident that their managers can deliver to the strategy they have set, then they need to invest in training or coaching to help them succeed, or they need to decide if they have the right people in the right roles.
Real world success
So, what does the governance–management relationship look like? Imagine that the IT governance group decides that the organization should move all services to the cloud. With this strategic direction decided, it is up to the IT management team to determine how best to achieve this outcome.
The management group tasks groups within the IT organization with investigating options, determining which services can be moved and which ones must stay in-house, and presenting the options in a paper that will then go back to the governance group for a final decision. With all information to hand, the governance team decide on an option to move ahead with. They approve the budget and give the management team a timeframe for completion.
The governance team will now step back and allow the IT organization to undertake the necessary tasks. Management will keep the governance board informed. Unless there are factors at play that impact the ability of the solution to meet the board’s requirements, or there are cost overruns that exceed any allowed contingency, they will leave the implementation of the project to their management team.
The COBIT framework for IT governance
The group that has the responsibility for governance must govern; they must provide leadership and strategy. They must focus on the big picture. Governance is all about planning the framework for work and ensuring that it is done.
That’s why it must be separate from management, which is responsible for organising and executing the work. The governance group needs to keep away from making managerial level decisions and being a part of the day-to-day implementation of strategy.
COBIT® (Control Objectives for Information Technology) is a framework for governance and management, specifically tailored to IT. COBIT clearly separates the governance and management activities using mnemonics:
- Evaluate, Direct, and Monitor (EDM) covers the governance activities. EDM is about ensuring that stakeholder needs are evaluated to identify and agree on objectives that must be achieved, directed through prioritization and decision making, and monitored for performance and compliance against objectives.
- Plan, Build, Run, and Monitor (PBRM) covers the management activities. PBRM is about ensuring that all activities undertaken and monitored are in alignment with the direction set by the governance function.
If you are involved in either the governance or management layers of an IT organization, you will find very valuable insights in the COBIT framework on the ISACA website.
Additional resources
For more on IT governance and management, check out these BMC Blogs:
- IT Governance: An Introduction
- Governance in the ITIL 4 Service Value System
- 5 Great IT Governance Books
- COBIT 2019 vs COBIT 5: What’s The Difference?
- Cloud Governance vs Cloud Management: What’s the Difference?
- IT Risk Management & Governance