Styles of IT Governance
I had the pleasure of being invited along to one of Simon Wardley’s Leading Edge Forum dinners last week. Kate Craig-Wood did a great job of summing it up so I don’t have to:
I hope to return to the questions of corporate irrationality in another post.
The dinner was under Chatham House Rules, so I won’t say who got me started on the subject of IT Governance. I was however provoked into a realisation – that IT Governance is just a type of regulation, and that much can be learned by looking at what regulators do and how that works out for stakeholders.
The three types of regulation
I’ve worked in financial services for over 12 years now, and in that time I’ve observed 3 types of regulation:
- Rules – prescriptive regulation that says exactly what you can and can’t do. The best archetype for this that I can think of is the Monetary Authority of Singapore (MAS), but there are plenty of others.
- Principles – the regulator documents a number of principles that they expect participants to adhere to, but does not go into implementation detail. The US Securities and Exchange Commission (SEC) and UK Financial Services Authority (FSA) are typical examples that spring to mind.
- Comparative – the regulator expects participants to model their behaviour on each other (with some nudging towards that being a high water mark rather than lowest common denominator). This is how things work in Switzerland under the Eidgenössischen Bankenkommission (EBK).
Of course there are interactions between the models, so quite often practices that emerge from a comparative regime get encoded into a rules based regime.
How this relates to IT
Large enterprise IT shops spend billions of dollars on staff, equipment, software and services each year. Like a government they need to show that there are rules, and that the rules are being abided by. This is where IT governance comes in.
In most cases I would observe that IT governance is essentially a rules based approach. This ends up casting people who have ‘architect’ in their title into two roles:
- Drafters of legislation – much like the armies of lawyers working behind the scenes in parliaments, congresses and assemblies the world over.
- Counsel – for those that need to understand the legislation and how to abide by it (or push through new laws).
I don’t think it’s always been like that, and if I go back to my early career in enterprise IT it seemed that we were exiting a period of principle based governance, where the principles were baked into an organisation’s culture.
The opportunity
Creating, managing and supervising a large (and ever expanding) body of law rules isn’t particularly productive, so it’s worthwhile looking at where situations arise for alternative styles of governance (and whether styles can be commingled as they are in global financial services).
A particularly strong argument for the comparative approach should exist for organisations that feel they’re behind industry norms. The analogy I use here is cavity wall insulation. If I live on a street where all of my neighbours have had cavity wall insulation installed then I don’t need to make myself a discounted cash flow spreadsheet for an investment appraisal for cavity wall insulation. I should instead be asking my neighbours which contractors were good and/or cheap. If I’m cheeky then I could even ask how quickly they expect their investment to pay back (and hence benefit from their analysis). A similar argument might then extend to building a private cloud, creating a data dictionary or whatever.
Principle based approaches also have a lot to offer, as they are lighter touch (from a manpower and weight of documentation perspective), and easier to achieve buy in around.
In each case, a crucial factor should be balancing the cost to the organisation of running a given governance approach versus the expected benefit (in stopping bad things from happening).
Conclusion
Just as there are a number of different approaches to regulation, so should there be parallel approaches to IT governance in the enterprise. So much of the output of rules based approaches is one size fits all, even when it clearly doesn’t; so there are lessons to be learned, and alternatives to be tried, in finding a holistic and balanced approach. The purpose of IT governance is to ensure that the organisation is doing the right thing, and this process should start with the means of governance.
Filed under: architecture | 1 Comment
Tags: architecture, comparative, enterprise, governance, IT, law, principles, regulation, rules, strategy
Subscribe
Recent Comments
Tim Coote on Ross Anderson RIP iain on Skiing in Espace Killy (Val… Chris Swan on Getting more from a British Ga… Murray Cowell on Getting more from a British Ga… JL on AI MacGuffin 
Pinboard.in bookmarks- Meta.ai Oh My!
- Looking for AI use-cases — Benedict Evans
- the biggest threat facing your team
- Why has Hugh Grant settled his phone hacking claim against the Sun?
- Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects
- AI isn't useless. But is it worth it?
- Pluralistic: The true post-cyberpunk hero is a noir forensic accountant
- Subaru battery drain due to missing 3G network
- Paying maintainers: the HOWTO
- SARS-CoV-2 airborne infection probability estimated by using indoor carbon dioxide | Environmental Science and Pollution Research
Chris Swan's Weblog 
When IT Governance is useful, it brings clarity to roles, responsibilities and decision-rights for individuals and groups of people. When it becomes Governance for Governance’s sake – i.e. approached from a control or compliance perspective – it’s almost always overly bureaucratic and burdensome.
I believe IT Governance should facilitate efficient decision-making, and not try to do anything more than that. When architects start believing that their role is primarily about IT governance then I would argue they have lost the plot and won’t add value to their organisation.
Perhaps a better analogy than industry regulation is town planning. I’m sure we’ve all experienced the outcomes of both good and bad town planning in locations we know. Good town planning involves focusing on the minimum set of enforceable rules and principles to ensure quality decisions are taken which benefit the wider community. When it descends into petty box ticking and setting rules for the sake of having rules, then it loses its purpose and legitimacy with the people it is trying to serve.
Another point I would make about IT Governance is that in my experience it tends to create a mindset which is “I’m doing my job properly if the auditor/regulator is ok with it”. There is so much more to good IT management than just keeping an auditor happy, yet I’ve worked with a depressingly large number of people over the years for whom that is their primary motivation and mindset.