Over the last several months I’ve been asked by many organizations, companies and industry experts about my opinion on what the perfect governance structure looks like. I have good and bad news for you.
The bad news first. There’s no single blueprint that can be copied and pasted into your organization. I believe this expectation is the result of a misconception that industry frameworks, models and best practices can literally be applied directly to an organization and somehow governance magically appears.
Now for the good news. Governance structures are a key component to any governance system. Most guidance you see today makes it very clear that the board of directors (or its equivalent in your organization) is THE governing body, and everything below that structure is management. I couldn’t disagree more. There are multiple governing bodies in an organization. The challenge is figuring out where they are, why they exist, what they do, and what value they provide to your organization.
Organizations consist of multiple governing bodies. These start at the top and work their way down to what I call the street view. They can include formal chartered bodies or temporary groups charged with a specific focus area for a specified amount of time. Of course, the board receives and disseminates information through committees, but there is more to a governance structure than just committees that report to the board. Enterprises have a huge collection of committees, boards and groups that are charged with governing something. The problem I see is that all of these assemblies are governing bodies, but they do not behave as governing bodies and do not understand the distinction between governance and management. Governance sets the rules and boundaries for the scope in which they are chartered to govern. Management, on the other hand, plans, builds, runs and monitors the processes, practices and activities required to implement the governing bodies’ guidance.
There are many examples of these governing bodies: executive committees, architecture boards, risk and audit committees, steering (IT, program, project) committees, change advisory boards, the list goes on. Each of these governing bodies sets the rules and direction for the management charged with implementing their decisions. Here is where I see the confusion: I can be a member of one (or several) governing bodies where I participate in determining rules and boundaries. Outside of that governing body, I am considered management and have to implement and abide by the rules that I just endorsed. This means that as an executive I am part of multiple governing bodies and in some cases they contradict each other. Therefore, when I do my “day job” I have to determine which guidance I’m supposed to be following.
Let’s take a recent example. I worked with a global organization that asked me to assess and provide feedback on their governance structures. My first goal was to look into their fractured governing bodies. Here’s a snapshot of what I found:
- 37 global committees, a 31% increase in the last 12 months
- 81% of these governing bodies had no charters
- 43% created policies that violated policies from other committees
- 37% were deemed no longer required by the members
- 23% were “ad hoc” and have been for over 2 years
- 19% are no longer addressing the issues they were originally designed to address
- 51% were considered a “waste of my time” to the members
- 23% of committee members claimed that they did not follow the rules they endorsed in the committees they sat on
- Here’s the best part: this organization assessed their governance practices at maturity level 4
Now that you’ve listened to me rant about the issues, let’s get to my suggestions.
Wherever you are in an organization, there is always a governing body (or several) that guide your actions.
No organization or individual can manage their operations without rules. What governing bodies guide your decisions? For example, when I was CIO of a very large organization, there were essentially two governing bodies that guided my management decisions: the board of directors and the executive steering committee. Now, let’s say you are a new project manager in the same organization. Who are your governing bodies? The board? The executive steering committee? Likely not. As a new project manager, your governing bodies would likely be along the lines of a project steering committee or review board.
Get an inventory of all your governing bodies and understand their relationships with other governing bodies.
Look at the statistics above about my recent client. Committees, boards and decision-making bodies are routinely created that go undocumented, unchecked and ungoverned. Do your enterprise a favor and identify all these bodies. You might find that you have redundancies, misuse of resources, or worse, a waste of valuable resources, time and effort. I was talking this week with a colleague and mentor of mine on this subject, and he gave me some great advice: “Ideally, board and committee groups, roles and members should be managed in a system in a manner similar to assignment groups in leading service platforms. Using a common system provides opportunities to inventory groups, relationships, manage charters, meetings agendas and minutes. And, cascade objectives, decisions and hierarchical escalations when needed.” (John E. Jasinski, https://www.linkedin.com/in/johnejasinski/)
Charter EVERY decision-making body in your organization so its members understand their role in governance.
The goals for the organizational structures include having proper mandates, well-defined operating principles and application of good practices. The outcome of proper organizational structures should include a number of good activities and decisions. At a minimum, each of your governing bodies should identify:
- Name, purpose statement and goals
- Operating principles—The practical arrangements regarding how the structure will operate, such as frequency of meetings, documentation and housekeeping rules
- Composition/membership—The members of the structure, who are internal or external stakeholders, and their roles
- Span of control—The boundaries of the organizational structure’s decision rights
- Level of authority/decision rights—The decisions that the structure is authorized to take
- Delegation of authority—The structure can delegate (a subset of) its decision rights to other structures reporting to it
- Escalation procedures—The escalation path for a structure describes the required actions in case of problems in making decisions
Periodically assess the value contribution to each governing body.
Ad hoc committees are OK, but you should be clear on their charters. There is a lifecycle to a committee, and the charter should clearly identify when its value contribution is complete. An organizational structure has a life cycle. It is created, exists, is adjusted, and finally can be disbanded when its value is no longer demonstrated.
Assess the maturity level of your organizational structures.
Don’t get into the antiquated thinking that only processes can be assessed. Organizational structures are key components of your governance system and can be assessed. If you don’t buy that, check out my blog on assessing policy frameworks here. Stay tuned. I have some examples on how to do this in an upcoming blog.
As always, your thoughts and opinions are welcome.
COBIT 2019 Governance and Management Objectives Domains
Each of the 40 Governance and Management Objectives is aligned with an applicable domain. For example, Governance Objectives are found in EDM, while Management Objectives are in APO, BAI, DSS and MEA. Each of these objectives relates to one process. Therefore, COBIT 2019 has 40 processes. The schematic below outlines these.
COBIT Governance and Management Objectives link to Processes.
This is very important to know because these objectives encompass all the potential areas that an enterprise needs to address to support the overall needs of its stakeholders. It is important to note here that all these objectives, or processes, do not need to be at the highest state of capability or level of implementation. The idea is that based on certain attributes, companies can tailor which ones, and to what level, are implemented. This takes us to a tailored governance system.
Getting from the COBIT “Core” to a tailored governance system
One of the biggest challenges is taking the COBIT Core to a tailored system. This is where additional guidance is needed. There are many ways to do this, but to continually create value for the enterprise, make sure you consider your organization’s unique aspects. This is why COBIT introduced Design Factors and Focus Areas.
As with many frameworks, COBIT has historically been advertised as a flexible framework that can be modified to fit the needs of any enterprise. That sounds easy until you actually try to adopt a framework, so in the 2019 release, ISACA provided some much-needed guidance on how to do this. In addition to the guides, there is also a very handy toolset that can get you started. I’ll show you more on that later.
What exactly does having a tailored governance system mean? This means that your enterprise has prioritized governance and management objectives, considered applicable design factors, used specific guidance from focus areas, and determined the target capability and performance management aspects of the system of governance over I&T.
Linking the COBIT2019 Core to a tailored system.
Design Factors and Focus Areas
In order to get from a framework with many options to a tailored system, design factors and focus areas should be considered.
Design factors can influence the blueprint of your enterprise’s governance system and position it for the successful use of I&T. Think of these as key points that can assist in creating a tailored governance system that truly aligns with specific and unique enterprise needs. The design factors include:
- Enterprise strategy
- Enterprise goals
- Risk profile
- I&T-related issues
- Threat landscape
- Compliance requirements
- Role of IT
- Sourcing model for IT
- IT implementation methods
- Technology adoption strategy
- Enterprise size
- Future factors
If you are looking for specific information on each of these design factors, refer to the COBIT 2019 Design Guide, pages 22-28.
Design factors have a huge impact on how you will design your governance system. There are three ways these can have influence, and I have noted them in the figure below.
Impact of Design Factors.
A focus area “describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.” (COBIT Design Guide, ISACA). You can add or remove focus areas based on their applicability to your situation. These can include:
- Small and medium enterprises
- Cybersecurity
- Digital transformation
- Cloud computing
- Privacy
- DevOps
As of the writing of this post, there is no specific guidance released on leveraging Focus Areas in designing a tailored governance system. This information will most certainly be published by ISACA soon. Of course, I’m looking forward to this guidance as it really hits on some hot topics we’re seeing today.
Does the difference between Design Factors and Focus Areas still sound confusing to you? Don’t worry, it does to me too. I boil the difference down to this: think of DESIGN FACTORS as specific descriptions of your company while FOCUS AREAS are areas of influence, whether internal or external.
Workflow for designing a tailored governance system
COBIT 2019 provides a proposed workflow for designing this tailored governance system. Although the publication goes into greater detail, here is a summary of what the guidance looks like.
Steps to creating a tailored governance system using the COBIT Design Guide.
By following these steps (note, you are not required to complete ALL sub-steps), you can create a governance system that is tailored to your needs. This should provide prioritized governance and management objectives or related governance system components. However, this could also result in conflicting guidance, which is quite possible if you are using multiple design factors. As you most likely know, there is no magic formula to this. You may have to deal with discrepancies on a case-by-case basis. Our business environment is very dynamic, so as conditions and strategies change, you should also review the governance system regularly.
Linking the Design Guide and Implementation Guides
The good news is that the COBIT Implementation Guide in the 2019 update hasn’t really changed much since COBIT 5. This is good in my opinion: it is a great model that just needed some additional guidance – which we are getting with the Design Guide.
In case you are not familiar with this, the COBIT implementation roadmap looks like this:
The Seven Phases of the COBIT Implementation Roadmap. 2018 ©Information Systems Audit and Control Association, Inc. (ISACA).
The governance and management of enterprise I&T should be integrated with end-to-end enterprise governance. Therefore, the COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of I&T governance, recognizing the relationship between business and IT-related activities.
COBIT suggests using a program approach to implementation, and I couldn’t agree more. If you look at the roadmap in the figure above, you will see that there are seven steps to an implementation approach and each step has three perspectives, or rings. The idea is that this cycle becomes a continuous approach until measurable benefits are generated, and the results become embedded in ongoing business activity. The goal is to establish the governance and management of enterprise I&T as a normal and sustainable business practice.
The Design Guide and Implementation Guide have a very distinct relationship and specific uses.
Although the Design Guide identifies some very specific synchronized points, the figure below summarizes how they are used together:
COBIT Design and Implementation Guide Relationships.
You may recognize that not all the phases in the Implementation Guide are linked to the Design Guide. This is because the first three phases are specifically related to the design of a governance system, while the remaining phases are focused on actual implementation. Personally, I refer to other frameworks to assist in the actual implementation. These are things like the PMBOK, PRINCE2, and of course the processes in COBIT.
Using tools to assist in designing your new governance system
Finally! Let’s get to the fun stuff – seeing how this all comes together. When ISACA released the COBIT 2019 Design and Implementation Guides, they also released a toolkit that is available for download here. This Excel-based tool helps facilitate the application of the workflow I described above. The toolkit includes:
- Introduction and instructions
- A canvas tab that consolidates results including target capability levels
- One tab for each design factor
- Summary tabs that graphically represent the outcomes of steps 2 and 3
- Mapping tables for design factors
I highly suggest you go download this tool and play around with it a bit. All of the things I’ve talked about in this post will become clear. Of course, the tool is explained in more detail in the Design Guide, but check out this short clip that walks us through an example scenario. I’ve created some inputs for a fictitious global manufacturing company and developed a tailored governance system specifically designed for their needs. Hopefully this helps put it all together.
Closing and suggestions
We’ve covered a lot of ground in this post. I hope it has been valuable in helping you understand how to leverage COBIT 2019 to truly create a governance and management framework that is customized to meet your specific enterprise needs.
As always, your thoughts and comments are appreciated on this post, as well as my Twitter posts @escoute1.