IT Governance

Governance, Generally Speaking

Governance is a term sometimes used generally to describe the executive decision-making process in an organization. For example, “We have a great governance process. The executive leadership committee meets every month to review new project requests.” Health IT governance lags behind that of other industries, so this general sense of the term may be a little more common in healthcare. Managed Healthcare says that following governance best practices will help you answer yes to all of the following questions:

  • Are our IT strategies, processes, and initiatives consistently aligned with the overarching strategies of our entire enterprise?
  • Are we investing in the right IT projects at the right time (not too soon, not too late) to ensure that our organization is well-served?
  • Are all key organizational stakeholders consistently and properly informed regarding our IT efforts?
  • Are we sufficiently staffed with high-quality talent, or do we have rapid enough access to external resources, to meet our current and future IT demands?
  • Are we consistently meeting our IT time, budget, and quality standards?
  • Are our internal clients and users satisfied with our IT service and results?
  • Are the details of our IT strategy properly tethered and aligned with the details of our strategic plan?

Doing all of this right sounds legendarily difficult. Like Jeff Bezos, Bill Gates, Jack Welch level of difficult. There is no doubt that it is crazy difficult if your governance relies on executive instinct that “sets the tenor, tone, and execution” of your operations. The concept of governance as a chain of smart people is a little old-timey. If you manage with rubrics instead, you will have consistent, reproducible outcomes. When the outcome is not what you want, you can adjust the rubric and look for improvements.

HealthCatalyst encourages governance through a suite of data-driven decision tools and key process measures that you can use to assess your governance decision rubrics. It is hard to argue with them, provided you are generating the data you need for this elite-level decision-making.

(Capital G) Governance

Kim Lindros from CIO describes governance as:

“a formal framework that provides a structure for organizations to ensure that IT investments support business objectives”.
According to the Information Systems Audit and Control Association (ISACA), IT governance is fundamentally concerned about two things: IT’s delivery of value to the business and mitigation of IT risks. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise. Both need to be supported by adequate resources and measured to ensure that the results are obtained.

This leads to the five main focus areas for IT governance, all driven by stakeholder value:

  • Value delivery
  • Risk management
  • Strategic alignment
  • Resource management
  • Performance measurement

Governance Frameworks

COBIT

COBIT is sufficiently generic and fits nicely within organizations of all types. The power of COBIT is in its breadth of tools for linking IT to business functions.

Risk IT Framework

Get an end-to-end, comprehensive view of risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.

ITIL – Information Technology Infrastructure Library

ITIL is a de facto standard and guideline for establishing IT service management (ITSM) processes. It is great for reinforcing best practices, tasks, and other services.

Capability Maturity Model Integration (CMMI)

Take a risk-based approach to measuring and managing security risks in the context of your business mission and strategy. Use this unique cybersecurity risk assessment framework to simplify your security gap analysis.

Business Model for Information Security (BMIS)

Address the complexity of security from a systems perspective. Challenge your conventional thinking by creating an environment where security can be managed holistically, allowing actual risks to be addressed.

Which Framework Should You Use?

Most of these frameworks have tools that will help you determine how your IT department is functioning overall, what key metrics management needs, and what return IT is giving back to the business from its investments.

COBIT is mainly for risk, while ITIL helps to streamline service and operations. Although CMMI was originally intended for software development, it has grown to also support service delivery, purchasing, and other activities.

Consider your corporate culture when deciding on a framework. Does a particular framework or model seem like a natural fit for your organization? Does it resonate with your stakeholders?

Because many frameworks have strengths in complementary areas, you don’t have to choose only one framework. For example, COBIT and ITIL complement one another in that COBIT often explains why something is done or needed, while ITIL provides the “how.” Alternatively, you could use CMMI for your software production and ITIL for service delivery.