Governance and good decisions
First, let me say it’s good to be back writing here again after a few weeks. Subscribers have kindly asked if I have been ok. In fact, things have been quite disrupted in my work. I was stuck in a hurricane, had some travel with very limited connectivity and also a couple of spells of illness which were unpleasant and I still don’t have any hearing in my right ear - so a little ways to go to be back to normal. Meanwhile, let’s get back to writing …
In an earlier blog, I described how security and privacy are closely related, interdependent, but also quite different. The relationship between those two fields is also somewhat one-sided. Good security is essential to good privacy (but not the other way around), even though it is no guarantee.
A rather similar relationship holds between governance and compliance. No matter what laws or regulations you wish to comply with, you will find good governance is essential to compliance, but not a guarantee.
Compliance is a big enough topic on its own - let’s write about that more on another day. Here, I would like to discuss governance and first, let’s say something which has proven to be controversial.
Governance is not about making the right decisions, it’s about making decisions the right way.
Think about a local planning application - local governance - perhaps for a new city building. There should be studies conducted, experts engaged, plans drawn up, public meetings and consultations, reviews and finally pricing, tenders, bids and construction. All this lengthy process ensures the decision is properly made with background research, contrary views taken into account and no corrupt practices in the contracting steps. It does not guarantee that you will like the final design, or that in practice it will be a better building. However, the decision is well governed.
It is really tempting, along the way, to think that a well-governed process will lead to better results. It may do so, but not necessarily.
You can look down this telescope from the other side, too: from the results back to the operations. Just because you have the results you want does not mean the process is well governed. Given the importance of both governance and intention to compliance (especially regulatory compliance), this can be a dangerous mistake to make.
IT governance
So, in IT governance and data governance, we’re driving for a good decision-making process. The quality of the final decision will depend on the standard of research, the insight and intelligence of those proposing a solution and the skill with which it is implemented. There’s a lot to go wrong there! The quality of the governance, in contrast, depends primarily on the integrity of the process and, yes, the integrity of those defining and implementing it.
In Jill Dyché’s excellent book, The New IT, she observes …
The problem isn’t the lack of governance abilities as much as it is the failure to know what to govern.
Elsewhere in the book, Jill makes the point that many claimed examples of good IT governance are actually examples of good prioritization, competency development and modernization. This is entirely fair in my experience and the mistake arises from that very confusion I described at the start, between good outcomes and good processes.
Policy and oversight
There are many ways to break down governance into useful categories of actions. Personally, I start with two broad areas: policy making (what are the rules?) and oversight (are the rules followed?)
It is useful to separate these two because there may be quite different skills and practices involved in each area. Specifying a policy requires a really sound understanding of the regulations involved: which are relevant, which are out of scope, and how they may impact the business. Implementing (and overseeing) the execution of the policy requires a deep knowledge of the technologies and practices used every day in the work of the organization. These skills may come together, but often you need to build a team of several to make it work.
I find that separating out the areas of policy and oversight makes it easier to identify those skills - and that team - and start the governance process.
In the future we’ll come back to this, especially to the question of compliance. And we will explore patterns of governance: top-down and bottom-up. It’s a major topic in today’s IT and data practices and one I am frequently asked about.