Governance versus management

Reposted, original on the “IT Governance, the Kapteyn’s view” blog on Computerworld UK in March 2010

Amongst specialists you can find a heating debate over the use of the term governance, the difference between governance and management and how these two fields of expertise interact. Is this just a highly theoretical discussion between different areas of expertise engaged in a “turf war” or is there more to it?

On the one hand Governance is “sexy” and seems to have a high “hype” value. As a result everything seems to be about governance these days, SOA Governance, Security Governance, Architectural Governance. I even read about Data Governance recently. On further investigation most of the times I can find no difference with what used to be called management. It seems these days we govern instead of manage but still end up doing exactly the same thing. Management and Governance, they are just words so if we, as society, decide that what used to be called management now can also be called governance so be it, why should anybody care?

But there is also the other hand, governance already was a subject of interest and expertise before the name got “stolen” to cover everything under the sun. So what is the classical expertise we call governance? Is this just something for the self-proclaimed elite that used the term to distinguish themselves from those involved with “ordinary” management? If so it would be understandable that governance experts grind their teeth when they see they are thrown back into general population since everybody governs these days. However that would just be marketing at work: If you hold a position in a highly attractive market, competition is sure to try and enter. If you have no clearly distinctive offer compared to these new entries, sorry I hope you enjoyed it while it lasted. So this is basically a challenge to the governance expert, show the distinction in a manner clearly understood by your audience. After all it is the audience that is the ultimate judge and jury!

I recently became a member of the ISO JTC1 WG6. For most people that probably does not ring a bell so let me explain. ISO is the global organization that establishes and maintains standards on a variety of topics for instance the ISO 9000 (Quality management systems), ISO 27000 (Information security management systems), ISO 20000 (IT Service Management). One of the newer standards is the ISO 38500 Standard concerning Corporate Governance of IT. Within the ISO Organization the ISO JTC1 WG6 is the committee responsible for the maintenance and ongoing development of the ISO 38500 Standard. The standard interprets the term governance in the classical sense and as a result those involved with the maintenance and continued development of the standard can be categorized in general as governance experts in the classical sense.

As you can imagine the difference between (IT) Governance and (IT) Management is a topic of discussion. I had conversations about this subject with a variety of people (including Mark Toomey, prominent member of the ISO JTC1 WG6). This resulted in the following (personal) view. To manage and to govern are both verbs and the difference between them becomes clear if you start asking questions like who, why and what. Governing is done by (the board of) directors who steer operational managers towards the long term strategic goals by establishing guidelines, principles and direction. Managing is done by the managers who translate these long-term goals, guiding principles and general directions into tactical and operational tasks and targets for their subordinates. As mentioned this is my personal short interpretation. For more in debt “food for thought” I can recommend reading “Waltzing with the Elephant” from Mark Toomey. In this book Mark explores the need for organizations to effectively govern their use of information technology. Although I do not always agree with the author (sorry Mark) the book did help me organize my thoughts and further shape my opinion. Which, in the end, is highly aligned with the ideas described by Mark.

To bring the difference alive you might think of the Volvo Ocean Race. If you are unfamiliar with this event the Volvo Ocean Race is a race around the globe for sailing yachts. The race is divided in a number of legs each taking a number of days or even weeks to complete. The boats compete for each leg and between legs they have limited time to repair/ improve or otherwise change the boat, team, equipment, etc. before they start on the next leg. For the participating teams the race starts long before the starting signal for the first leg. Years in advance the campaign starts by finding the sponsors (and thus resources), designing, building and testing the boat, sails and other equipment. The boat captain is engaged and the team selected. Steering and directing all these activities to ensure there is a Yacht and team willing and able to meet the campaign goals (usually the goal is winning the race) can be seen as Campaign Governance. Once the leg starts the boat captain takes over, using the equipment, knowledge, experience and processes at his disposal he manages the boat towards the target set for the leg. In the course of this action he also needs to ensure he measures and captures performance and control data so the shore crew can identify opportunities for improvement. Once the boat finishes the leg, during the days until the start of the next leg, the governance body sets priority for the repairs, changes and improvements so the boat is best suited for the next leg. Based on the prior performance and changed conditions the tasks and targets for the next leg might need adjustment to ensure the best change to meet the overall goal (winning the race).

In this example the split between governance and management is suggested as preparation versus operation or on the water versus on shore activities. As a skeptic will immediately point out it is not as simple as that. For instance activities like training of the crew during preparation or actual boat building are not considered Governance activities. This is the source of the problem, though most experts will acknowledge there is a difference in the who, what, why and where for governance versus management the boarders are far from clear. The ISO 38500 Standards suggests that governance activities are performed by directors of the organization but also states that in smaller organizations the role of director might be combined with the (higher) management roles. This would mean that governance and management tasks, targets and activities would be performed by one and the same person and would be hard to distinguish in day-to-day practice. It is important to recognize the one cannot effectively exist without the other. For Governance rules and guidelines to be of practical use the management systems needs to translate them into the operational tasks and targets fit for day-to-day use. On the other hand any management systems needs the broad guidelines and direction to give it general aim and focus and set the boundaries for the system. So within the larger organizational design the Governance and Management systems are usually highly aligned and even integrated so the distinction between them can become hard to reckognize.

When I read my own prior articles in the blog “IT Governance: The Kapteyn’s view” (Repost note: All articles have been reposted on the blog: “Governance, Risk, Security and Compliance for the Information Domain”) I find that I as well cover topics that according to the theory are management topics even though the Blog name suggests Governance. So I find I myself am crossing the “boarder” just as easily. Still my justification is that the audience I write the blog for are those interested in Governance related topics. For those steering (governing) the IT domain it is important to have a basic understanding of the issues at management level as well.

This brings me to another question: Why would you want to maintain the distinction between governance and management? As we have seen these fields of expertise are so closely connected that it is often hard to recognize when we cross over from one to the other. When you take one step back however and look at the nature of those who govern versus those who manage there is in general a clear difference in the nature, issues, problems, interests, tasks and targets and sometimes even language of a director responsible for governing the organization and for instance a team manager responsible for setting and achieving operational team targets. Too often those who offer solutions for either field of expertise fail to recognize the distinction and approach their audience in a completely inappropriate manner. Undoubtedly I have made (and probably will make) this mistake from time to time. But then again I am a firm believer in the concept of continues improvement. To better oneself one must be willing to accept mistakes, as long as you learn from them and improve over time! For me the bottom-line would be: Know who your audience is and understand the difference in language, perspective and interests of the different audience groups you are addressing. To identify the different audience groups I find it useful to distinguish between Governance and Management.