IT governance has well-documented frameworks: COBIT for governance and management of enterprise IT, ISO/IEC 38500 for board-level direction, ITIL for the service management practices that support governance, and the NIST Cybersecurity Framework (whose 2.0 revision adds an explicit Govern function) for cybersecurity governance. Selecting among these frameworks is widely discussed and reasonably well understood. What is far less well documented is the IT governance operating model that actually works in practice: how the framework is operationalised, who decides what, how decisions are made and recorded, and how governance outcomes are measured. The gap between adopting a framework and operating governance is where most programmes struggle.
Decision Rights: The Foundation Most Programmes Skip
Effective IT governance is largely a matter of decision rights: who decides what, with what authority, accountable to whom. The Weill and Ross framework remains useful here. It separates five decision domains (IT principles, IT architecture, IT infrastructure strategy, business application needs, and IT investment and prioritisation) and observes that who holds each decision differs across organisations; business-led, IT-led, federal and duopoly patterns are all viable when chosen deliberately rather than arrived at by default. The governance work is making those patterns explicit and using them consistently. An IT steering committee that "approves" projects without defined decision rights produces governance theatre: visible meetings without meaningful direction.
Committees That Add Value vs Committees That Consume Time
IT governance committees vary enormously in usefulness. The committees that add value have a clear purpose (defined decision rights and specific topics they own), appropriate composition (the right people present, with the authority to decide), and operational discipline (decisions actually get made, recorded with an owner and a date, and implemented). The committees that consume time meet on schedule, hear status updates, raise concerns, and produce neither decisions nor follow-through; their minutes are a quick test, since three consecutive sets with no recorded decision identify the second kind. The difference between the two patterns is rarely the framework underneath; it is the operational discipline of the committee leadership.
The Three Levels of IT Governance That Actually Matter
- Board level: fiduciary oversight of IT, evaluation of major investments, and acceptance of material IT risk on behalf of the organisation.
- Executive level: IT strategy, portfolio decisions, and resolution of escalations.
- Operational level: architecture review, change advisory, and day-to-day decisions within delegated authority.

Each level has an appropriate scope; problems arise when the levels are not clearly separated. Boards drawn into operational decisions waste their own time and that of the people who should be deciding. Operational teams that must escalate routine decisions to executive level produce slow IT delivery and, often, the informal workarounds that bypass the process altogether.
A useful diagnostic for an IT governance programme: take a recent material IT decision and trace it. Who actually decided, who was consulted, who was informed, and who is accountable for the outcome (in effect, reconstructing the RACI after the fact). If the answer is murky, with several people claiming to have decided, others feeling uninformed, and accountability for the outcome unclear, then the governance framework on paper is not the governance operating in practice. The remediation is rarely a new framework; it is clarifying the decision rights and using them consistently.
Measuring IT Governance Effectiveness
IT governance that does not measure its own outcomes drifts. Useful measures include time-to-decision for material IT proposals, the share of IT investment that maps to stated strategic priorities, the frequency and resolution time of escalations, and audit and risk findings that specifically concern IT governance (decisions not made, owners not identified, risk accepted without authority), together with how long those findings stay open. Time-to-decision needs pairing with an outcome measure, otherwise it rewards rubber-stamping. Taken together, these measures show whether the governance framework is functioning. Programmes that measure activity (meetings held, papers reviewed, frameworks adopted) without measuring outcomes drift into ceremony.
Practical Components That Distinguish Working Programmes
- Documented decision rights mapped to specific decision types, stating who decides what
- Committees with clear purpose, appropriate composition, and operational discipline
- Three-level separation between board, executive, and operational governance
- Investment governance that links IT spend explicitly to strategic priorities
- Risk acceptance discipline: material risk is escalated to the level with authority to accept it, and acceptance is explicit, recorded against a named owner, and time-bound so that it is revisited rather than silently renewed
- Performance measurement against outcomes, not activity
- Integration with adjacent governance (financial governance, risk governance, security governance) rather than parallel operation