I was describing to a colleague the course I teach at IU the other day. The course is called IT Governance, Risk and Controls (IT GRC). Even to those of us in the industry this topic can be confusing. As I described the course and the topics we cover, my colleague turned to me and said “…so basically you teach them how to manage technology better, right?” While I agreed with him in principle, his comment gave me pause as to the differences between managing and governing. Traditionally I describe the purpose of my course simply as teaching my students how to control outcomes. You could certainly make that claim with management, right? So, what is the real difference between management and governance? I made a list of what management and governance really mean to me.
To manage is to…
- Be responsible for the execution of a task(s) or the tasks of others
- Oversee day-to-day operations
- Make decisions and escalate decisions beyond your authority appropriately
- Direct the activities of others and evaluate their performance of those activities
- Consume and optimize utilization of resources
- Execute the strategy and vision of upper management
To govern is to…
- Be accountable for results and outcomes of tasks
- Review performance metrics and reports summarizing day-to-day operations
- Ensure the right decisions are made by the right people and empower others to make decisions
- Evaluate how others are directing the activities of others
- Allocate resources
- Oversee the execution of the strategy and vision
Managers = Doers
Governors = Reviewers
Now, of course there is a lot of overlap between both concepts, but in general, there is a clear distinction that managers are doers, operators and executors of a defined strategy and approach. Governors are those who ensure that managers execute according to the strategy and approach. Governance is the origin of the accountability for doing what is expected.
The idea of governance is especially critical in today’s IT environment. Most businesses are less of an environment and more of an ecosystem of connected environments. Historically, IT departments used to have control over every aspect of technology. Every bit and byte was within reach and under their control. Today, that is simply not the case! The lines of traditional IT are blurry, and what once was a technology-controlled enterprise is now dictated by Marketing, Finance, Sales, Engineering and other functional business areas.
Some IT organizations find this paradigm shift empowering as it allows them to focus on innovation, shifts the burden of operating the technology and gets IT closer to their internal and external customers. The best IT organizations get as close to the business as possible and act as enablers and change agents.
On the other side are the companies that struggle to let go of the old notions of running IT. They are comfortable with operating the technology and operational aspects of the environment. Hey, I don’t blame them; change is never easy but sometimes it is necessary in order to stay relevant and innovate.
I am seeing more and more companies shift from doers to reviewers; from operators of the environment to governors of the ecosystem. I believe the disciplines of IT Governance, Risk and Controls are critical in today’s rapidly changing IT environment… even if it can be hard to define and differentiate from management, at times.