Measuring the value of governance is a daunting challenge shared by IT Governance practitioners.  Yet, without empirical evidence, it is difficult to prove strategic business advantage.

At best, most folks can only show IT cost savings or cost avoidance--which perpetuates the perception that IT is a cost-center or overhead, as opposed to a strategic asset they should leverage for competitive advantage.

I was reminded of this issue by this message I saw on an ITG forum I belong to. I've changed the content just a bit from the original:

"I'm probably the nearest thing we have to a local IT governance evangelist and we've been working on improving controls for several years.

There is no question in my mind that we are doing things "better" from a control perspective. Good account management, change control and so on are now part of the regular modus operandi. That being said, I'd be really hard-pressed to prove to our CEO that there have been material benefits to the organization.

I may be wrong but I doubt that many companies have the level of sophistication with respect to metrics for example, to be able to say; ‘see, we used have 3 failures per 10 changes, now through better governance we have 1'.

Yes, we can say that we have reduced the risks because we now process employee terminations in 24 hours instead of say a week (example only) but let's not kid ourselves - that has little value in the eyes of most CEOs. .

I know what we have done is good for the organization and I believe in what we have done but demonstrating that in a meaningful way to a CEO...I'm not sure I could do that."

I feel his pain!

There is no doubt that capturing metrics takes time and resources.  And in most cases, the most drastic improvements have taken place since a point in time when metrics were not captured at all--meaning that your most significant success cannot be measured. 

When compelling metrics are not available, the key to showing value to the business is to speak to stakeholders in terms they understand and value--and talking about reducing errors per change isn't going to do it.

If you are faced with the same issue, my following edited contribution to the ITG forum may help:

"Below is a cheat-sheet I use to make the connection between IT Governance and enterprise success. It is a list I culled over 4 years ago from ITGI collateral and I use it still today. The challenge (MAJOR challenge) is to make the connection between the operational level metrics associated with controls and the talking points in the list below. You will note that these talking points align with the principles of IT Governance. The idea here is to elevate your metrics to this level of discussion with Executive Management.

The process for collecting and aggregating task level metrics to these higher-level measures requires an organization that has implemented a very sophisticated performance management and the associated metrics and measures systems. Many IT organizations report on these elements, but they can't 'prove the math.' Good luck!"

1) To Show That IT is Aligned with the Business

• Show how IT supports the Enterprise strategy (show how the future IT supports the future Enterprise)
• Show how IT Operations are aligned with current Enterprise operations

Possible talking points

Show how IT:

• Delivers against the strategy
• Balances investments between systems that support the enterprise as is, and transforms the enterprise to create an infrastructure that enables the business to grow
• Adds value to products and services
• Improves customer satisfaction and customer retention
• Assists in competitive positioning
• Contains costs and improves administrative efficiency
• Increases managerial effectiveness

2) To Show that IT is Delivering Appropriate Value to the Business

• Show how IT delivers appropriate quality on-time and within budget
• Show how actual cost and return on investment is managed

Possible talking points

Show how IT:

• Is fit for purpose, meeting business requirements
• Flexible to adopt to future requirements
• Provides required throughput and response times
• Enables ease of use, resiliency and security
• Provides integrity, accuracy and currency of information

3) To Show That IT is Appropriately Managing Risk

• Show how IT manages Risks

Possible talking points

Show how IT:

• Mitigates risk by implementing controls (e.g. Risk Management Systems, Audit controls, acquiring and deploying security technology to protect the infrastructure, Business Continuity Planning, Disaster Recovery, etc.)
• Transfers risk by sharing risk with partners or transfers risk to insurance coverage
• Accepts risk by formally acknowledging that the risk exists and it is being monitored

4) To Show That IT is Appropriately Managing Resources

• Show how IT optimizes the infrastructure
• Show how IT optimizes human resources

Possible talking points

Show how IT:

• Manages system procurement
• Benefits from service procurement
• Manages the lifecycle of hardware, software licenses and services contracts
• Applies appropriate methods and adequate skills to manage and support IT Projects and Systems
• Improves workforce planning, recruiting and workforce retention
• Provides IT education and development

5) To Show That IT is Appropriately Managing Performance

• Show how IT measures performance (balanced scorecard, metrics and measures, etc.)

Possible talking points

Show how IT:

• Establishes and measures financial objectives
• Maps financial objectives to customer requirements and needs
• Measures process performance, effectiveness, efficiency and criticality to the business
• Addresses innovation requirements and future needs
• Determines how business executives and users view the IT department