What does IT governance mean to us?

There has been a lot of really good discussion and follow-up commentary around my IT governance posting from last week and so I wanted to provide a little more detail around what we mean when we talk about IT governance.  For us, IT governance is a very simple concept with far-reaching implications that impacts everything we think about as we examine the framework to update MOF.  Which is why our definition of IT governance has become our mission statement.  So, what does IT governance mean to us?  Quite simply, it is:

"Ensuring that IT does the right thing at the right time for the right reasons."

So, if we drill into that a bit more, we feel IT governance is comprised of 4 concepts:

  • Compliance: putting the checkpoints and controls in place to enable IT to answer the following questions:
    • Security - Is our environment patched, protected, and secure?
    • Privacy - Are we properly handling customer, partner, and HR data?
    • Regulatory - Are we in compliance with all required government regulations?
  • Meeting management objectives: Is IT able to meet and articulate their response to management objectives around:
    • Operations: Availability and capacity targets?
    • Performance: Are SLA targets defined and being met?
    • Financial: Does IT understand the cost of delivering a service?
  • Risk: Are we managing the various types of risk proactively and within tolerance levels as defined by management?  Is Risk Management properly driving policy?
    • Technological, reputational, operational, financial, regulatory
  • Audit: Do we have the means in place to assess the above?

We believe that all of these concepts are foundational to the success of a lifecycle framework and grow logically out of the existing MOF Process Model and MOF Risk Management Methodology.  They simply require a new level of articulation and specification in order to ensure their performance.  So, given the above, you may wonder how we would describe the SMFs in this new framework.

The SMFs are a series of tasks and activities supported by checkpoints and controls that assist IT in figuring out:

  • WHAT is the right thing to do?
  • WHEN is the right time to do it (in the context of the lifecycle)?
  • HOW do I get it done?

I've also attached a very short PowerPoint presentation that describes the above that you are welcome to download.  Thank you to everyone who has commented, provided input, and joined us in the discussion of how to make a better framework.  Please click on Comments below and continue to share your thoughts.

Thanks,

 

Jason Osborne

Frameworks PM

MOF Update - Governance definition.ppt

Comments

  • Anonymous
    January 01, 2003
    DavidB:  First, thanks for sharing your thoughts!  Now, to try to answer a few of your questions in no particular order.
    • One of the things that we have heard loud and clear from many sources is that we need to clearly articulate how Microsoft products, tools, solutions, and technologies can enable the framework and processes.  We intend to provide that guidance.  In fact, we began moving MOF in that general direction with the release of Windows Vista Service Life-Cycle Management (WV-SLM).  WV-SLM presents a service management approach, built on MOF, for a desktop environment with specific ties to a wide variety of Microsoft technologies and freely available Solution Accelerators.  If you have a chance at some point, please take a look at it and let me know if this solves some of the problems you describe above.
    • Also, it is not our intention to reinvent the wheel.  One of our design goals is to leverage and point to existing IP wherever it makes sense and as you say, fill in the blanks where we need to.
    • As for articulating the value to the business, please take a look at the IT Business Planning post I just made to get an idea of how we hope to enable IT pros to do just that. -Jason

  • Anonymous
    January 01, 2003
    Stefan, There is a MOF Foundation level certification, endorsed by Microsoft and offered by EXIN.  The certification can be found at Prometric learning centers, online at http://www.exin.org/, and through accredited training partners.  If you have any additional questions, please use the Contact me form on this site to e-mail me. -Jason Osborne

  • Anonymous
    January 01, 2003
    Can we say it differently? You cannot manage what you cannot control, and you cannot control what you cannot measure, and you cannot measure what is not defined. :)

  • Anonymous
    August 17, 2007
    The comment has been removed

  • Anonymous
    August 17, 2007
    Shouldn't part of meeting management's objectives include service definition?  Well-defined services are necessary for effective and efficient service management processes.  The following set of statements comes to mind.

    • What is not Defined cannot be Controlled!
    • What is not Controlled cannot be Measured!
    • What is not Measured cannot be Improved!

    Per ITIL v3's definition, a service is a means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks.  The delivered value can be created via applications, processes, functions, or various combinations of all three.

  • Anonymous
    April 16, 2008
    Is there any kind of official certification for MOF or SMF?