Exploring IT governance frameworks and best practices.

Advances in technology are improving business processes and require organizations to prepare for new and emerging ones. Accordingly, an organization that decides to migrate to a new technology will usually re-evaluate its existing Information Technology (IT) systems and processes to identify areas for improvement. This re-evaluation is done within the framework of what is known as IT governance. IT governance (ITG) enables an organization to align its business strategy with its IT infrastructure and the environment in which it operates, and it looks at the processes that ensure the effective and efficient use of IT so that the organization can achieve its goals.

Why Your Company Needs IT Governance

Generally, Information Technology Governance (ITG) helps businesses obtain the following benefits:

  • Ensures realization of return on IT investment.
  • Improves transparency of IT costs.
  • Enables better responsiveness to market changes and opportunities.
  • Enhances an organization’s image.
  • Supports compliance with corporate governance or public listing rules and with regulatory, legislative and contractual obligations.
  • Ensures appropriate implementation and operation of IT assets.
  • Provides assurance of business continuity and sustainability.

IT Governance Frameworks

IT governance provides a formal framework that ensures the alignment of an organization’s IT investments with its business strategy. An IT governance framework must enable an organization to manage its IT risks effectively and ensure that activities associated with information and technology are aligned with its overall business objectives. Six IT governance frameworks are the most commonly used, each with its own underlying principles and requirements. Below is a brief overview of each.

  1. ISO/IEC 27000

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) form the specialized system for worldwide standardization. ISO/IEC 27000 is the standard for Information Security Management. This standard ensures that organizations have the right policies in place so that appropriate privacy, confidentiality, and security exist around IT and cybersecurity services.

  2. ISO 38500

ISO 38500 is the international standard for the corporate governance of information technology. It applies to the governance and management processes and decisions related to an organization’s current and future use of IT, and to public and private companies and not-for-profit organizations of all sizes. The standard guides key stakeholders, including the Board of Directors, executive management and IT professionals, on the organization’s effective and acceptable use of information technology.

  3. Control Objectives for Information and Related Technology (COBIT)
Control Objectives for Information and Related Technology (COBIT) is a detailed framework of globally accepted practices, models, and analytical tools designed for the governance and management of enterprise IT. It aims to help organizations meet regulatory and risk management requirements and align IT strategy with the goals of the wider business. COBIT has 34 high-level control objectives grouped into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring.

  4. Capability Maturity Model Integration (CMMI)
The Capability Maturity Model Integration (CMMI) model is a set of global best practices that drives business performance by building and benchmarking key capabilities. It helps organizations operationalize process improvement and develop practices that reduce risk in service, product, and software development. While CMMI was initially tailored to software development activities, the latest versions can be applied to hardware-software and end-to-end service development. The model enables organizations to measure, build, and improve capabilities so as to improve overall performance and outpace competition in a continually evolving business environment.

  5. ITIL
ITIL is a standalone term and a best practice framework that enables IT departments to support the business effectively, efficiently, and safely. One of the main objectives of ITIL is to help businesses build a stable IT environment that allows for growth, scale and change. ITIL focuses on integrating IT into the overall business structure by creating an environment that streamlines processes and identifies opportunities to improve efficiency. It is anchored on seven guiding principles which cover organizational change management, communication, measurement and metrics.

  6. Factor Analysis of Information Risk (FAIR)

Factor Analysis of Information Risk (FAIR) is a governance model that helps organizations quantify risk. Its focus is on cyber security and operational risk, in support of better-informed decision-making. It aims to provide organizations with the standards and best practices to measure, manage and report on information risk from a business perspective.

IT Governance Best Practices

An organization should first establish an effective strategy, supported by relevant management tools to measure and value the performance and effectiveness of its information systems. Best practices involve the following:

  1. Form a Committee of Key Stakeholders

Implementing an information governance plan requires collaboration between business units and key stakeholders. Given its impact on who can access what information and how data is managed, an effective governance structure requires a committee of shareholders, the Board of Directors, management and employees. This clearly distinguishes between management and governance activities and structures, so that key stakeholders with defined roles and responsibilities are empowered to meet them. In effect, such a committee satisfies stakeholder needs and generates value from the use of information and technology.

  2. Identify Specific Requirements

Every organization has its own unique business and compliance requirements and must therefore adhere to its industry-specific regulations. In the early planning stages, an organization’s information governance stakeholders must identify its specific requirements and tailor them to the enterprise’s needs, using a set of design factors as parameters to customize and prioritize the plan’s components. Not all organizations need the same sets of data access rules and retention policies.

  3. Include Policy Details in Standard Operating Procedures

The use of IT systems must comply with all legal and regulatory requirements, and the supporting policies must be well managed and enforced. Effective information governance requires content management professionals to define processes and procedures for business users to follow. IT policies, practices, and decisions must also demonstrate respect for human behaviour. A compliance officer must enforce the rules and hold users who fail to follow procedures accountable.

  4. Define Reports and Monitor Compliance

Once an organization has its content policies in place, it must define specific alerts or triggers and reports to maintain visibility of end-user policy compliance. These reports and alerts may contain lists of policy violations by user, sensitive content creation, content deletion, or sharing of confidential data with third parties. The information governance plan should also include instructions on how to handle these incidents.

  5. Monitor and Review Strategy

An organization must be dynamic and consider the effect of changes to any of its design factors. For instance, if an organization enters a new line of business, it should update its information governance plan accordingly, and the information governance team should review its policies and make any necessary changes.

IT Governance Software

IT governance software helps to operationalize any of the established frameworks and must serve as a tool to simplify and automate management processes. For instance, Project Portfolio Management (PPM) software gives key stakeholders a view of IT as a portfolio of investments that can be measured in terms of strategic value to the business. A good IT governance framework empowers those stakeholders with the responsibility to evaluate the quality and the security of the software. Another valuable tool that falls within the ambit of governance software is software that helps businesses with regulatory compliance. Governance and regulatory compliance both require suitable documentation and agreed-upon accounting controls for IT.


IT governance provides organizations with the appropriate structure to manage IT business and technology projects effectively. It is vital for an organization to have processes that bring key stakeholders together to discuss their technology needs and how those needs fit within the organization’s strategic goals. The process should be defined and transparent, with consideration for factors such as risk, organizational security, and operational impact. The more formal the process, the better and more cost-effective the results will be.

Bernard is a Chartered Accountant with over 14 years of professional and industry experience in the Financial Services Sector and Management Consultancy. He is the Managing Partner of J.S Morlu (Ghana), an international consulting firm providing Accounting, Tax, Auditing, IT Solutions and Business Advisory Services to both private businesses and government.


Original Source: B&FT