1.4. Principles of system governance

This section provides a brief overview of the ideas that underpin system governance. These ideas help explain why the processes are as they are, and may be useful when preparing briefing sessions in system governance.

Management information

System governance recognises that many of the problems of IT can be traced back to the qualities and characteristics of the IT systems themselves. Out of date, badly maintained, poorly documented, badly designed, non-compliant systems severely impact day-to-day IT service, and greatly increase the cost of change. A large part of every IT budget is spent managing and fixing these issues.

When considered in isolation, it is relatively easy to fix one problem on one system. It is much harder to address all of the problems on all of the systems all of the time. System governance provides a framework for this. It provides the information needed to measure and monitor IT, and make balanced, prioritised, justified, fact-based proposals to improve IT.

System definition

System governance is based on a body of management-level information about IT. To make this possible, system governance divides the IT into discrete systems, where each system represents a unit of IT management.

Criterion definition

To help the management process, system governance translates management objectives into criteria. These gather information about the qualities and characteristics of IT systems. They do not provide a detailed view, or a design view, but just the information required to make management decisions on the systems.

Each criterion is carefully worded, and has a series of carefully worded grades.

Each criterion has a weighting, which represents the priority attached to the management objective that it represents. Each grade is associated with a score, which represents the percentage of the weighting that a system will achieve by selecting the grade.

Assessment and validation

Every system is assessed against every criterion, at least to an agreed level of coverage. Each criterion requires both a textual response and the selection of a grade. The combination of textual response and grade means that answers are both readable and objective.

The same criteria are used for all assessments. This enforces consistency, and removes the need to reconsider criteria in every case. Obviously not all criteria apply in all cases, and the grading allows for a reasoned “not applicable” response.

Assessments are verified by checking them with the system owner or other authority. This checks that the responses are factually correct.

Assessments can also be validated. This checks that the textual response answers the criterion fully, and that the grade is justified by the textual response. Validation ensures that assessments are consistent and reliable. Validation does not check that the response is factually correct, but does mean that factual verification is meaningful. (Without validation, checking the textual response would be meaningless because it might not have answered the question and the grade might be incorrect.)

Each criterion has answer criteria which specify what the response and grading must look like to be considered valid.

Analysis

The grading is used with the weighting and scoring scheme to calculate a score for each system. This provides a general indication of priorities, and can be used to monitor trends.

Further analysis of grades can be used to trigger specific management actions. For example, the combination of sensitive data and an unsecure system should trigger an improvement in security.

The analysis can be extended to look across the entire portfolio of IT systems. This identifies systems and criteria that are priorities for improvement.

The analysis can be used to calculate a notional value of improvements. This is not a guaranteed return, but it is a rational and defendable estimate of the monetary value of the improvement.

Ongoing governance

System governance is not a one-off activity. Once initial coverage of systems and criteria has been achieved, all new and changed systems require assessment. Unchanged systems should be reassessed every year. An annual review that analyses assessments of all systems identifies which topics and which systems require action to meet management objectives.

System governance criteria are not static, and are typically revised at every annual review. For example, system governance may be initiated with compliance to organisational policy as the priority. Once this is largely achieved, additional criteria may be defined to achieve operational cost saving, and these are given higher priority. In this way, system governance changes and evolves as management objectives change and evolve.

Summary of how system governance works

System governance works because it provides a handle by which management can get to grips with a broad set of objectives across multiple systems. It lets management consider all the issues on all the systems all of the time, and direct the right interventions to the right systems at the right time. It encourages consistency of action, and follow-through. It moves management away from anecdote and advocacy, and encourages a more objective, fact-based, transparent and justifiable approach.
