Responsibility

Evaluate

•Options for assigning responsibilities.

•The competence of those given operational decision-making responsibilities, with a preference for these to be business managers supported by IT specialists.

Direct

•That strategies are followed according to assigned responsibilities.

•That required information is received.

Monitor

•The establishment of appropriate IT governance mechanisms.

•The acknowledgement and understanding of responsibilities by those that hold them.

•The actual performance of those with responsibilities.

Strategy

Evaluate

•Developments in IT and business processes to ensure business alignment.

•IT activities to ensure improvements and developments align with the organisation’s objectives and satisfy key stakeholder requirements.

•Opportunities to apply best practices.

•To ensure that appropriate risk assessments and risk analysis are carried out (to appropriate international standards).

Direct

•The preparation of strategies and policies that ensure organisational benefit from IT.

•Submission of proposals for innovative use of IT that enable the business to compete and perform better.

Monitor

•The progress of approved IT proposals to ensure they achieve required objectives in required time frames using the resources actually allocated.

•That IT is actually achieving ‘its intended benefits’.

Acquisition

Evaluate

•Options for IT to realise business objectives, balancing risk, reward and value for money.

Direct

•That IT assets are appropriately and suitably documented, and with adequate capability to manage the acquired assets.

•Supply arrangements (internal and external) to meet the organisation’s business needs.

•The development of a shared understanding of intent between the organisation and its suppliers in any acquisition.

Monitor

•That IT investments produce the required capabilities.

•The extent to which the organisation and suppliers maintain the shared understanding of intent.

Performance

Evaluate

•Management’s proposed means for ensuring that IT will support business processes, with the required capability and capacity, taking into account assessed risks and the continuing normal operation of the organisation.

•Risks arising from IT activities.

•Risks to the integrity of the information and protection of information assets, intellectual property and organisational memory.

•Options for assuring effective, timely decisions about the use of IT.

•The effectiveness and performance of the IT governance framework.

Direct

•The allocation of sufficient resources to ensure that IT meets its agreed objectives.

•That correct, up-to-date and secure data is available to support the business.

Monitor

•The extent to which IT actually does support the business.

•The extent to which prioritisation of IT resources actually matches organisational objectives.

•The extent to which IT policies are properly applied and followed.

Conformance

Evaluate

•Regularly the extent to which IT meets the requirements of all applicable regulations, laws, contracts and so on, and conforms with applicable policies and standards.

•The extent to which the organisation conforms to its own IT governance framework.

Direct

•IT management to ‘establish mechanisms’ and provide regular and routine reports on IT conformance with its obligations.

•To ensure the creation, maintenance and observance of policies and procedures that ensure conformance with those obligations.

•To ensure that staff are professionally developed (e.g. qualifications) and follow guidelines for professional behaviour and development.

•To ensure that all IT actions are ethical (this is about governance, after all).

Monitor

•Internal reporting and IT audit so that reviews are timely, comprehensive, suitable and complete.

•To ensure that all IT activities support the organisation in achieving its full range of obligations, including data protection and privacy, environmental impact, knowledge management and preservation of organisational memory.

Human behaviour

Evaluate

•IT activities to ensure that human behaviours are identified and considered.

Direct

•That IT activities are consistent with human behaviour, which should be obvious but is not always so.

•That there is an effective IT whistle-blowing regime in place, such that risks or concerns from anywhere in the organisation can be drawn to the governing body’s attention.

Monitor

•That appropriate attention is given to human behaviour.

•That work practices are “consistent with the appropriate use of IT”.