IT Governance, can it be more decentralized?
By ir. Pim Schouten
Departmental applications have been replaced by large, cross-departmental applications. Registrations are reused. Underlying infrastructure has been standardized or moved to the cloud. The control of this IT is detailed and mostly centralized. This way, the current stability can be ensured, and changes can be controlled (and compliance checkboxes can be ticked!). But are the primary processes still adequately supported? Do we still know centrally for whom and why we do things? Or do we let things slide?
IT organizations are control-oriented. Nothing wrong with that in itself. IT must always work, after all. And every event leads to a call for more control measures. But as complexity increases, this focus on control leads to more and more requirements, quality gates, and controls in daily operations that must be overcome to achieve anything. Even at the tactical and strategic levels, we become 'mature' with centralized portfolio processes, IT boards, and prescriptive architecture. Innovations are identified and evaluated, and risks have centralized management and decision-making. With so much focus on being 'in control,' we quickly lose sight of the daily (change) needs of the user departments. The route from request to realization has so many safeguards and control steps that we have lost the requester (and sometimes even their request) along the way.
Appropriate IT Governance for the organization?
In this situation, it's not surprising that agile is gaining so much ground. Small, autonomous teams with direct user alignment. Continuous delivery and adjustment close to the user. But agile working is not simply common practice; it requires something from people, processes, and technology. If agile is (still) a step too far, it becomes difficult. There is often a gap between central control and agile teams. The decentralized departments may submit requests. And wait...
A parallel: in organizations, I come across the most detailed mandate lists. Who is allowed to spend up to which amounts? Specified down to the last detail. Delegation of control. But when it comes to IT, it takes a little searching. But don't we have RACI tables? Yes, they describe who is responsible for what in the IT management processes. Activity-oriented. Whereas controlling IT, making choices, is not activity-oriented but content-oriented.
Can't we introduce the 'mandate list' for IT? That we don't describe who is responsible for an activity but who can decide on what. Can we again focus on what can and should be chosen, done, and controlled decentrally, without the involvement of central processes and functionaries? This requires a change of mindset: From guarding to informing and presenting choices. From gatekeeper to facilitator. From testing to proactive guidelines. From restricting to creating decentralized decision-making space. From centrally executing to supporting decentralized execution. How can we optimize IT and IT processes in such a way that user departments get as much autonomy as possible without adding unnecessary risks and complexity to tomorrow's IT?
Will you take the first step?
Having a conversation with the decentralized stakeholders (the group for whom IT is actually intended) is a good first step. And maybe it's not such a bad idea to just write down who can decide on what. Do that together with those user representatives, rather than deciding it centrally once again. And aim to have moved 20% of the checkboxes from central to decentralized by next year!