Styles of IT Governance
I hope to return to the questions of corporate irrationality in another post.
The dinner was under Chatham House Rules, so I won’t say who got me started on the subject of IT Governance. I was however provoked into a realisation – that IT Governance is just a type of regulation, and that much can be learned by looking at what regulators do and how that works out for stakeholders.
The three types of regulation
I’ve worked in financial services for over 12 years now, and in that time I’ve observed 3 types of regulation:
- Rules – prescriptive regulation that says exactly what you can and can’t do. The best archetype for this that I can think of is the Monetary Authority of Singapore (MAS), but there are plenty of others.
- Principles – the regulator documents a number of principles that they expect participants to adhere to, but does not go into implementation detail. The US Securities and Exchange Commission (SEC) and UK Financial Services Authority (FSA) are typical examples that spring to mind.
- Comparative – the regulator expects participants to model their behaviour on each other (with some nudging towards that being a high water mark rather than lowest common denominator). This is how things work in Switzerland under the Eidgenössischen Bankenkommission (EBK).
Of course there are interactions between the models, so quite often practices that emerge from a comparative regime get encoded into a rules based regime.
How this relates to IT
Large enterprise IT shops spend billions of dollars on staff, equipment, software and services each year. Like a government they need to show that there are rules, and that the rules are being abided by. This is where IT governance comes in.
In most cases I would observe that IT governance is essentially a rules based approach. This ends up casting people who have ‘architect’ in their title into two roles:
- Drafters of legislation – much like the armies of lawyers working behind the scenes in parliaments, congresses and assemblies the world over.
- Counsel – for those that need to understand the legislation and how to abide by it (or push through new laws).
I don’t think it’s always been like that, and if I go back to my early career in enterprise IT it seemed that we were exiting a period of principle based governance, where the principles were baked into an organisation’s culture.
Creating, managing and supervising a large (and ever expanding) body of rules isn’t particularly productive, so it’s worthwhile looking at where situations arise for alternative styles of governance (and whether styles can be commingled, as they are in global financial services).
A particularly strong argument for the comparative approach should exist for organisations that feel they’re behind industry norms. The analogy I use here is cavity wall insulation. If I live on a street where all of my neighbours have had cavity wall insulation installed then I don’t need to make myself a discounted cash flow spreadsheet for an investment appraisal for cavity wall insulation. I should instead be asking my neighbours which contractors were good and/or cheap. If I’m cheeky then I could even ask how quickly they expect their investment to pay back (and hence benefit from their analysis). A similar argument might then extend to building a private cloud, creating a data dictionary or whatever.
Principle based approaches also have a lot to offer, as they are lighter touch (from a manpower and weight of documentation perspective), and easier to achieve buy-in around.
In each case, a crucial factor should be balancing the cost to the organisation of running a given governance approach versus the expected benefit (in stopping bad things from happening).
Just as there are a number of different approaches to regulation, so should there be parallel approaches to IT governance in the enterprise. So much of the output of rules based approaches is one size fits all, even when it clearly doesn’t; so there are lessons to be learned, and alternatives to be tried, in finding a holistic and balanced approach. The purpose of IT governance is to ensure that the organisation is doing the right thing, and this process should start with the means of governance.