IT Governance Maturity Model
0 - Nonexistent
Management processes do not exist
There is no senior management oversight of IT-related activities to ensure that the enterprise’s IT goals add value to the organization and to ensure that IT-related risks are appropriately managed.
1 - Initial/Ad Hoc
Proccesses are ad hoc and disorganized
The concept of IT governance does not exist formally and oversight is based mostly on management’s consideration of IT-related issues on a case-by-case basis. The governance of IT depends on the initiative and experience of the IT management team, with limited input from the rest of the organization. Upper management is involved only when there are major problems or successes. The measurement of IT performance is typically limited to technical measures and only within the IT function.
2 - Repeatable but Intuitive
Processes follow a regular, repeatable pattern
At this stage, regular governance practices such as review meetings, creation of performance reports, and investigation into problems take place, but rely mostly on the initiative of the IT management team, with voluntary or co-opted participation by key business stakeholders, depending on current IT projects and priorities. There is a realization that a more formalized oversight structure for IT projects is required. The structure must include shared management responsibility between top management and project teams. Problems identified are tackled on a subjective basis with teams formed as necessary to undertake improvements.
3 - Defined Processes
Processes are documented and communicated
An organizational and process framework has been defined for oversight and management of IT activities and is being introduced to the organization as the basis for IT governance. The board has issued guidance, which has been developed into specific procedures for management when covering key governance activities. These include regular target-setting, reviews of performance, assessments of capability against planned needs, and project planning and funding for any necessary IT improvements. Previous informal but successful practices have been institutionalized and the techniques followed are relatively simple and unsophisticated.
4 - Managed and Measurable
Processes are monitored and measured for productivity
Target-setting has developed to a fairly sophisticated stage with relationships between outcomes and goals in business terms, and IT process improvement measures are now well understood. Real results have been communicated to management in the form of a balanced scorecard. The enterprise’s management team is now working together for the common goal of maximizing delivery and managing risks. There have been regular assessments of IT capabilities and reviews of projects that have shown measurable long term improvements of IT's performance. Relationships among the IT operations department, its users in the business community, and external service providers are now based on service definitions and service agreements.
5 - Optimized
Best Practices are followed and automated
The IT governance practices have developed into a sophisticated approach using effective and efficient techniques. There is true transparency of IT activities and the board feels in control of the IT strategy. IT activities have been optimally directed toward real business priorities, and the value being delivered to the enterprise can be measured. Steps will be taken on a timely basis to correct significant deviations or problems. The balanced scorecard approach has evolved into one that is focused on the most important measures relevant to the enterprise’s overall business strategy. The effort spent on risk management (and on IT management activities in general) has been streamlined through an adoption of standardized and, where possible, automated processes. The practice of continuous improvement of IT capability is embedded in the culture and this includes regular external benchmarking and independent audits which provide positive assurance to management. Overall, the cost of IT is monitored effectively and the organization is able to achieve optimal IT spending through continuous internal improvements, the effective outsourcing of selected services and optimum negotiation with vendors. When dealing with external business partners or service providers, the IT organization is able to demonstrate first-class performance and demand best practices from others.