In this series I have been listing the key items required to enable a governance approach in an IT organization and explaining each of them. On the first part of this blog series we talked about identifying all relevant stakeholders and their needs, define clear goals and build a policy framework, and set the right culture and enforce the desired behavior in individuals.

The key steps that we will discuss today are perhaps the most critical ones—not the ones that are more important than others; all of them are equally important, but how painful it is for many, many organizations the lack of these three, particularly the first one:

4. Get IT Top Management’s commitment.

Being committed is not the same thing as being involved. The parodic analogy of the eggs with bacon has become somewhat common in this subject area. If you have eggs with bacon for breakfast, two animals had to be involved: a hen and a pig. The pig, however, was more than involved; he was committed so you could have your breakfast. IT Governance (or any other IT initiative) is breakfast, and top management loves being involved all the time. They are generally enthusiastic about adopting new approaches, they seem to motivate and push people to embrace the change, and in a positive scenario they provide all the resources (eggs) lower management levels need. But oh, how things change when their stakes are considered in the light of IT Governance (yes, because Governance is also about transforming the way top management does things, for the sake of business value creation).

Doing (or trying to do, rather said) IT Governance without having top management’s commitment is like trying to grow a tree from the branches instead of from the root. Organizational culture cannot be changed if top management’s culture is not transformed first. No policy enforcement can be made if the leaders do not walk the talk.

It is definitive; no IT Governance initiative will work organization wide if top management is not committed to it. Sounds easy, right? Yet there’s so much to do to get this item checked, especially in those cases where IT Governance is triggered at a lower organizational level. The initiators will have to convince top managers of the need to change (the business case, which will be discussed later on, is a great tool to achieve this), and no improvement will be sustained if the highest level in the chain loses the momentum. This can only occur when those individuals occupying the highest positions are really committed.

Find a sponsor—someone who recognizes the need to act and who can clearly communicate the urgency to others, empowering them to act—or if you are a top manager, be the sponsor! Support the change, enable it, enforce it, demonstrate the benefits and convince others of the need to act.

5. Develop mature IT processes.

These days IT organizations are already very used to work with processes; most of their management and operation is based on them. Yet these processes fail to deliver value to the business. Why is that? Because processes are operational; they lack of those features that make them proactive more than reactive, seeking the welfare of the business (instead of IT’s) at all times. This is maturity. Processes are not only meant to be a set of activities for shaping and organizing what IT does; IT (Service Management) processes are meant to deliver value to the business, and this will not happen unless processes are mature.

What does it mean for a process to be mature? The process includes proactive activities for continually optimizing it. All the outputs provided by the process are continuously analyzed, and decisions are made based upon these reviews. Process owners adapt the process as customer needs evolve, making it an agile process. Technology advancements are used to automate what is relevant. Variations in the process are controlled, alignment of process goals with business goals is constantly pursued, and process innovation is a constant priority.

Are your organization’s IT Service Management processes really mature, or are they rather just a bureaucratic set of activities that the business even complains about? Do you carry out periodic maturity assessments on your processes? COBIT, by the way, provides a systematic approach to perform process maturity assessments.

6. Define clear roles, accountabilities and responsibilities.

No organization can work without a structure, that’s for sure, but no IT Governance can be executed if clear roles and responsibilities are not defined, moreover separated. It is very common to see top managers without real authority in their organizations. Employee power overrides the policies and direction set by their leadership, and this only promotes resistance to change. No enforcement can occur if there are no clear and well-delimited organizational structures, with a crystal-clear separation of governance from management.

Management is the organizational level that plans activities ahead, and instructs and aligns all kinds of operational levels to achieve a specific purpose through the execution of activities. But there should be a higher level that tells management in which direction operational levels are to be guided. That should be the governance-related roles.

Can you identify which are the management and governance levels at your organization? Do you think there’s clear enough segregation of authorities and a correct allocation of responsibilities that makes IT Governance possible?