IT Governance: A definition

There is a slight difference of opinion between a pure "governance" approach to IT and the IT governance approach espoused by COBIT.  In this series of blog posts I’ll be adopting the definition of Broadbent & Weill 2003 for IT Governance:

IT Governance is about who is entitled to make major decisions, who has input and who is accountable for implementing those decisions.  IT governance is different from IT Management.

By contrast, I would contend that the approach under COBIT (alack and alas – managed by the IT Governance Institute) is not really about this true governance framework.  COBIT (Control OBjectives for IT) is about the control framework, identifying the maturity of IT processes, and who has what responsibilities in its role (using RACI charts – Responsible, Accountable, Consulted, Informed).  COBIT identifies the controls that should be put in place around IT, and some of its processes do in fact call for processes that support the kind of governance brought forward by Broadbent & Weill 2003, but in essence it is a framework for advising how to manage the business of IT.  IT Governance in this sense is more a concern of a board – the body that says "to address our requirements for corporate governance, thou shalt implement COBIT" – rather than IT managers – the body that implements COBIT.

I do think that there is a distinct difference between IT Governance from the point of view of the Board, and IT Governance as put forward by COBIT.  This doesn’t mean that COBIT is not useful – on the contrary, COBIT is exceptionally useful.  However, COBIT is by its nature focussed on the business of IT and is just… different.

Next week:  does IT Governance really matter?  WIIFTB (What’s In It For The Board)?
