Many practitioners use the terms governance and management synonymously. While there is some overlap in practice, there are key differences between governance and management of information systems. The highest-level stakeholders want to ensure the best use of IT within an organization. They want to get the best "bang for the buck," so to speak, for their investment in technology. There is no point in purchasing a new $100,000 technology when a $25,000 technology will meet the same goals. In addition, stakeholders want to ensure that the technological risks to the organization's mission are addressed at an appropriate level.
Governance is the collective set of practices and activities that, when applied, guide an organization to the fulfillment of its goals. Governance is overarching: it covers the entire organization and filters down into every part of it. When applied to Information Technology, governance is founded on stakeholder objectives and on aligning Information Technology with the organization's overall mission and objectives.
IT governance includes the key goals of value delivery, risk management, and resource optimization. The IT department's goals do not automatically align with overall organizational goals; direction needs to be provided to IT management by executive management. However, governance does not stop with providing direction. Governance also includes monitoring IT management to ensure that IT is adding value to the organization, that it makes the best use of available resources, and that it reduces risk to an acceptable level. In short, IT governance seeks to direct, evaluate, and monitor IT activities within an organization.
“Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.” – COBIT 5
Management is the application of governance to the organization's operations. The key activities in the management of information technology span the entire lifecycle of technology, from needs analysis to disposal and everything in between. Generally, this means applying the overall organizational mission and objectives to IT processes and activities. This increases the likelihood that IT goals and objectives actually cascade up to and support the overall organizational mission and objectives.
Management of IT typically covers the entire lifecycle of technology. There are many forms of the IT lifecycle, but the simplest covers Plan, Build, Run, and Monitor. Using a lifecycle ensures that we take the entire lifecycle into consideration, including ongoing support.
“Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.” – COBIT 5
Good IT governance and good IT management should lead to alignment of IT with the overall organizational mission. A misaligned organization will suffer from inefficiency in value creation, and its risks will not be addressed. This will inhibit the organization from reaching its overall goals and mission. The value of IT can be lost to inefficiencies, and unaddressed IT risk can lead to critical failures. Overall, this can lead to everything from increased operational cost to lawsuits.
It is important for organizations to consider IT governance when they start the process of creating or reviewing current IT policies and procedures. What good are policies and procedures if they do not help IT create value for, and address IT risks to, the overall mission of the organization? Policies and procedures are put in place by management to ensure proper IT governance and management. As such, the policies need to address, at a foundational level, the proper activities and practices for IT governance.
ISACA. COBIT 5: Enabling Processes. ISACA, 2012.
Moschovitis, Chris. Cybersecurity Program Development for Business: The Essential Planning Guide. 2018.