When companies speak about digitalization, they have to mention IT governance in the same breath. As a critical success factor in businesses, IT is subject to constantly expanding regulations and laws, such as GDPR. Although companies have to comply with such regulations under all circumstances, not all take this topic seriously enough.
We interviewed expert David Wiegandt, Head of Application Specialists Cloud at EASY Software. He has been inspiring customers to use EASY ApiOmat since 2016, helping them to implement innovations in a quick, agile and scalable manner.
The topic of IT governance is omnipresent in David Wiegandt’s daily work. He shared his most important insights with us.
Why is IT Governance important for companies?
In principle, governance is always crucial. It means that companies comply with the current legal situation and know all the rules they have to follow. In other words, governance is not an optional extra.
For IT, a variety of requirements arise from the regulatory framework. For example, how you have to process certain business transactions or operate digital platforms in a technically and legally compliant manner.
IT governance must deal with how a company complies with these regulations, such as MaRisk, BAIT and the IT Security Act, in order to still be able to optimally achieve business goals. It provides the framework parameters to which IT management must adhere.
What does successful IT Governance look like in a company?
Like pretty much everything else at the moment, IT is in a state of transition. There is a trend away from the classical waterfall model towards agile development methods. These require a great deal of flexibility, putting IT governance, which often comes with rigid rules, to the test.
Successful IT governance creates a healthy balance between rules and flexibility. It leaves enough breathing space to ensure that the guidelines are actually implemented and not ignored at the first opportunity.
Effective IT governance stands out because of the clear division of tasks and responsibilities. It is not a task for middle management, but for a CIO, risk management, or a whole team of CEO, CIO and COO.
In an ideal case, IT governance officers are well versed in the company’s objectives and involved in management decisions. They have the necessary authority to enforce governance policies in the organization. All departments should be pulling in the same direction.
What are the biggest challenges in IT Governance at the moment?
A misunderstanding that I often see concerns who is in charge of implementing the guidelines in day-to-day operations. IT governance only provides the framework, not detailed guidance on how to implement it. This is the responsibility of the IT management – the colleagues who are responsible for operating the applications.
The biggest challenge I see is that IT governance in companies is too rigid. Of course, it has to set guidelines, but it also has to take into account that the demands placed on the company are constantly evolving. If everything is regulated too strictly, this inhibits innovation and prevents you from adopting agile development techniques.
This often means that a specialist department wants to implement an idea, but is put off by IT. The decision-making processes are too long and the project does not progress. In the end, the specialist department simply purchases a tool from an external service provider using its own budget. Now they have a solution, but it is usually difficult to integrate it into the existing IT, resulting in bitterness between the IT and specialist departments.
Rigid IT governance creates a kind of shadow IT. By contrast, agile IT governance offers many opportunities. It must facilitate ongoing communication with specialist departments and create a high degree of flexibility without undermining the framework parameters.
How can IT Governance promote agile and innovative behavior without getting in the way?
Every rule that is introduced in a company fundamentally inhibits innovative behavior. It is a daily balancing act between legal compliance and the ability to innovate.
IT governance must keep guidelines flexible and create both freedom and opportunities for innovation. The point is not to close any avenues and not to miss out on supporting the company’s goals while still incorporating control mechanisms.
This can look like introducing a kind of playground with different applications detached from central decision-making processes. Teams can let off steam here, pursue new ideas and develop innovative tools. If this results in a concrete, usable solution, you can migrate it into standard processes later on.
It’s also important to look at the role of individual employees. Nowadays, companies want talented individuals who think for themselves and explore new solutions. Such people no longer want to work according to a set pattern, but rather want to participate. Proactively empowered with the necessary IT governance knowledge, employees can develop ideas that directly comply with the important framework conditions. If they understand and take the risks into account, solutions can be implemented much faster later on.
What mistakes do companies make when it comes to IT Governance? And how can they avoid them?
One problem that I often notice is the lack of separation between IT governance and IT management. The market often treats them as one and the same thing. Although they fundamentally pursue the same goal, the approach is different. IT governance is a management task and specifies which guidelines IT management has to follow. It focuses on the implementation of such guidelines and applies the necessary tools. There must be an understanding of who does what.
Another sticking point is that the IT governance strategy must always fit the company’s goals and contribute to them in the best possible way. If this is not the case, friction points quickly arise. For example, a company wants to create more customer contacts and set up an online portal for this purpose. However, the governance guidelines state that there should be as few external contacts as possible. This does not match up and just causes chaos and resentment.
A third error I observe is that governance guidelines are written without first looking at real-life practice. After all, you must not disregard the human element. In particular, coordinating the interaction between the individual departments is a mammoth task. The challenge is to establish open, transparent communication so that guidelines can adapt to constantly changing requirements.
Is there anything else that companies should definitely know about IT Governance?
IT governance is complex and many topics are intertwined. Above all, it is crucial to create a balance in all matters so that you can react to changes in a flexible manner and the company’s goals and willingness to innovate are not jeopardized.