Bipin Roy

Quality Insider

IT Governance and Compliance

Are they worth the trouble?

Published: Monday, July 23, 2007 - 21:00

Story update 11/1/2010: We had the incorrect author shown for this story. The author is Bipin Roy.


Welcome to the information technology world of governance boards, compliance councils, Sarbanes Oxley, and audit committees that continually invent stringent rules and regulations to make the daily job of an IT manager harder than ever before. It’s scary to visualize all these new regulatory bodies chiming in to see whether you’re doing the right thing!

What is good governance?

Good governance is the ability of an organization to steer itself into the future and is influenced by complex relationships among all its stakeholders. A governance model can only be as successful as the level at which its stakeholders allow themselves to be governed.

Before the IT industry matured, the rules of the game were very different. Compared to those times, the current scenario looks like overkill. Now a software-development manager may think, “Come on! Let’s just do our jobs and get out of here. Why should I bother about all these councils and rules trying to ensure that my job is done correctly? This is my job! What does a corporate scandal somewhere have to do with my project and my team? Give me a break!”

Typically, IT managers will try to do their job as they always did and then map project work into any new processes with which they need to be compliant. Here, the key term is “need,” rather than “want.” How many people want to be compliant with all the rules in the IT world? Not many, because everyone has deadlines to meet, customer relationships to take care of, and things to do to get the next promotion. How much value does a project manager see in being compliant with all the regulations and processes from the standpoint of project execution and delivery? Before we answer, let’s look at the evolution of the IT industry and project management.

The good old days

The 1950s to the 1970s were halcyon days—developers just had to churn out code and tell their managers when they were finished testing. The IT industry had little structure then, deliverables were done within accepted timelines, and processes seemed to work. IT remained aloof from other industry segments such as manufacturing, where everybody was quality-obsessed. The rules of the game were different for IT, and all that changed with time.

With bigger teams collaborating with one another around the world, there arose a need for better project-management techniques, and soon there were managers trying to run big projects within structured paradigms. In recent decades, because of the global growth of the IT industry and the ever-increasing salaries of IT personnel, more and more people have been drawn to IT, including people from other disciplines. This is especially true in developing economies, where IT salaries were enormously higher than those in manufacturing and older industries. The spiraling influence of IT and its invasion of other industrial segments made it part of daily corporate life. Soon there were big IT projects underway in all the major corporations, and IT became a competitive differentiator in the world of business.

Nearing the millennium, Y2K had corporations anticipating disaster on a fixed deadline, and outsourcing became a new way of developing software that helped companies mitigate rising labor costs and opened new avenues for fostering innovation. This was a turning point for IT, and many large software companies headquartered in Asia blossomed by resolving the business issues of companies spread around the globe. The way of doing business was transformed, and, to ensure high quality in software development, we saw global acceptance of capability maturity models (CMM) and, later, capability maturity model integration (CMMi).

Vendors with the best qualifications had an advantage over competitors for new projects, and software methodologies that could provide a competitive edge became must-haves for many companies. The companies with the best governance models thrived in these new circumstances by adapting to their environment and building good governance bodies that enabled them to be more successful. They did this by clearly linking their strategic objectives to measurable goals through well-defined processes. Compliance levels were continuously monitored to ensure excellence in execution.

In the changed world of software creation and maintenance, the factory model was adopted to cater to scale, different processes and methods came into being, and the perceived value of governance skyrocketed. Business processes soon had IT as one of their main implementers. The growing significance of IT governance also mandated effective compliance mechanisms. From administrative, legal, and management standpoints, IT governance and compliance became important practices in the industry and helped rake in more revenue for the top players.

Here are some essentials of good governance models:

  • Simplicity (achieved through fewer, well-orchestrated systems)
  • Adaptability of systems to changes in their operating environments. Exceptions are captured to make the governance model more holistic.
  • User friendliness. The model must integrate human considerations, because without internal support new initiatives are unlikely to succeed.
  • Strict mapping of processes with organizational objectives. The governance model chosen must align with the overall company culture or effective compliance won’t happen.
  • Transparency. The model should be chosen based on consent and should foster learning within its ranks without overkill.
  • Enterprisewide embrace of a standard set of tools and technologies.


Better compliance levels will result in rapid return on investment, simpler reconciliation, automatic or better audit trail mechanisms, reduced expenditures, improved data quality and accuracy, reduced rework, lower risks, and more informed decision-making structures within the organization.

How much compliance is enough?

As the IT industry has matured, good corporate governance standards have evolved into a yardstick to measure corporate performance. Still, one can do the basics for execution with little regard for strict compliance. If this is the case, what’s the real value derived from 100-percent compliance? Recent studies suggest that organizations with good governance structures enjoy a higher return—up to 20 percent—on assets than companies with weaker governance. For a company to achieve all the essentials of good governance standards, individual projects have to follow the adopted processes religiously.

Are so many checkpoints really necessary?

The corporate scandals involving Enron and WorldCom argue for stricter controls and compliance levels to ensure accountability, to build stakeholder trust, and to pursue customer satisfaction. The very existence of corporations can be jeopardized if effective control mechanisms aren’t in place. It’s a question of credibility. As an IT manager, if you can point out the project status at any given moment through effective IT processes, or with the aid of documentation that clearly captures the accountability of decisions and the progress made, you can believe that you’re in safe harbor from a compliance standpoint. For IT managers, this translates to understanding where the control checkpoints are or should be, and ensuring compliance across disparate systems in terms of business process implementation, data sharing, and stakeholder management.

Identifying the right model in your organizational context is critical to ensuring compliance (please refer to the suggested governance criteria mentioned before in this article). Otherwise, your people will always find ways to work around the system and so defeat the purpose of building a better governance structure.

Most of the top-performing corporations in the world boast about good governance boards and compliance levels achieved through robust business and IT processes. Many factors have contributed to each company’s success story, and the contributions of effective corporate governance, transparency, and compliance are critical. Varying degrees of control and compliance levels are applicable, depending on the industry. For instance, it’s extremely difficult to employ metrics to understand the status and effectiveness of decisions for nonprofits involved in community development, and yet successful organizations have built better governance models in this sector.

In conclusion, good governance will definitely accelerate your company’s success, if success is thought of as a journey rather than a destination. Good governance has definite value and is a safer bet than merely hoping that your projects will end up successful. To the individual investor and to the public, corporations with good governance and verified compliance levels have an aura of trustworthiness that can eventually affect the bottom line. Corporate governance and effective compliance are necessary for 21st-century corporations.


About The Author

Bipin Roy

Bipin Roy Lekshmanan is a certified project management professional with 11 years of experience in information technology. He manages projects and does program management for the Indian IT outsourcing giant Wipro Technologies and is based in the United States. He's also a member of the Project Management Institute exam development committee, U.S. chapter.