For several years now "Governance" has been a buzzword, used to point out any deficiency in the communication and arbitration of IT investment. I suggest here a simple checklist that anyone could use as a foundation to create an IT Governance Handbook.
“IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.”
“COBIT 4.0 – IT Governance Institute”
Rules & Principles
• How do we categorize projects & investments? Are investment limits in line with corporate policies?
• How do we prioritize projects? What are the criteria?
• How do we approve projects? How do we revise projects? How do we stop projects?
• Project ownership: roles & responsibilities of IT within a project?
• Frequency of review of priorities?
• How do we measure ROI & quality of service?
• How do we evaluate effective ROI & quality of service?
• What are the guidelines in terms of risk management? Categorization of risks and required escalation?
• How does IT contribute to business performance? Does management have a full understanding of it?
Body of Controls
• List of all bodies of control
• Mission & accountability?
• Participants? Special guests?
• Meeting agenda and organization?
• Frequency of meetings?
• Critical reporting controlled by and issued from this body?
• How & what do we communicate to the rest of the organization?
Organization & Relationships
• Roles & responsibilities of IT (what is covered and not covered)? Functionally and from a support point of view (role of key users)?
• Roles & responsibilities of management?
• How is the IT organization mapped to the business organization?
• What are the guidelines for efficient communication of critical information within the organization regarding IT-related matters? How do we escalate issues?
Mechanisms to review proper alignment of IT & Business
• How do we ensure proper alignment?
• How do we revise priorities?
• How do we ensure that optimized resource allocation is performed?
• How do we maximize return on investment?
• How do we ensure that strategy and tactics are properly communicated & understood by the organization?
• General guidelines to monitor, evaluate & communicate IT performance?
• Properly define the sources of risk and how they are evaluated.
• How often do we re-evaluate risks?
• An up-to-date list of critical risks identified for the organization, by category?
• How do we define business exposure?
• Define overall business exposure
• Define the way to address risks according to their total impact ratios. Define the company's appetite for risk.
• Define mitigation plans
• How are these plans approved?
• How are these plans monitored?
• How is the impact revised?
• How do we improve discipline of pro-active risk management?
• Clearly define ownership of risk and management responsibility to identify and address risks.
• How do we report risks?
• How do we ensure that management is properly trained on the latest policies and procedures?
Far be it from me to claim this is exhaustive, so I welcome any input that could enrich this proposal.