New Organizational Structure Required for an Effective IT Governance Program With Strong Security


Wednesday, March 30th, 2016 - 10:16

After agencies put an appropriate governance environment in place, they can implement a new and more secure approach to IT.

This consists of a definition of IT Governance communicated throughout the agency, and the establishment of a new organizational structure to ensure the IT Governance Program is effective and continuously improved. Continuing with the Veterans Affairs Department (VA) example discussed in the previous blog, below is the definition VA developed and a generic discussion of the organizational structure that VA adopted. The VA model provides an excellent example for agencies to consider as they implement IT governance. (Read my first blog on this topic.)

VA defined IT Governance as: “A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.” This definition addresses the key issues of risk and value, which are two of the three major components of IT Governance; the other major component is resource optimization. All of this is done to ensure stakeholder needs are being met, the most important of which for VA is caring for the nation’s veterans, their widows and dependents, in an effective and secure manner. The definition was rolled out to all staff at VA to ensure that everyone had a common vision of IT Governance. Next, VA developed the organizational structure (boards) necessary to ensure that the IT Governance program was effectively implemented within the department.

Below is the VA organization chart, for context.

[Image: VA Structure]

Below is a generic description of the IT Governance boards depicted above.

Executive Board

The Executive Board performs the following functions:

  • Serves as the Senior Board
  • Approves department-wide IT Strategy
  • Decides the overall level of IT spending and priorities
  • Establishes funding targets across lines of business in accordance with the Department’s Strategic Plan, congressional or other mandates, etc.
  • Assesses strategies, program initiatives and risk identification/reduction activities to ensure improved:
    • Service to stakeholders
    • IT system and data security
    • Resource management
  • Provides recourse for issues unresolved by the ITLB

Strategic Management Council (SMC)

Chaired by the Deputy Secretary, the SMC serves as the senior board making decisions related to IT strategy and technology and assures the formulation of:

  • Budgets
  • Strategic planning and policy processes
  • Resource optimization
  • Capital asset, planning and investment
  • Risk management
  • Legislation

The SMC provides business recourse for issues unresolved by the ITLB. It meets at least quarterly, and more frequently during the early stages of IT Governance implementation. The SMC is the strategic, priority-setting, oversight and issue-resolution board for IT matters within the department.

IT Leadership Board (ITLB)

The ITLB is chaired by the Deputy Secretary and includes the Chief Information Officer, deputy under secretaries along with other key staff as determined by each assistant secretary. The ITLB represents the IT services, strategies, principles, governance and resources that support business organizations across the department. Specifically, the ITLB performs the following functions:

  • Serves as the primary IT strategy and technology board
  • Recommends the IT spending levels
  • Oversees IT resources and program execution
  • Oversees the coordination and performance of IT services and support services
  • Oversees IT system and data security
  • Oversees departmental privacy
  • Makes decisions on BNTI and PLTI issues and recommendations
  • Resolves disputes within IT Governance

Budgeting and Near Term Issues (BNTI) Board

The BNTI Board represents the business units and their needs/requirements for IT investments and monitors the fulfillment of those needs. Specifically, the BNTI Board performs the following functions:

  • Develops the detailed budget documents supporting future year budget formulation and current year execution
  • Monitors budget and technical performance execution-to-plan and makes recommendations for reallocation or reprogramming as warranted for ITLB consideration (mid-year review)
  • Monitors performance such as service level agreements and other metrics
  • Utilizes IT costing models and methodologies for validating execution year budget recommendations
  • Enforces technical/information security and privacy standards throughout the budgeting process
  • Addresses near term issues, as required

Programming and Long Term Issues (PLTI) Board

The PLTI Board recommends the overall department-wide priorities for IT-related business solutions and defines IT service offerings, infrastructure and technology architecture/standards, and is therefore critical to assuring standardization, interoperability, security, privacy, reliability and flexibility of the IT infrastructure. Specifically, the PLTI Board performs the following functions:

  • Develops weighting criteria and prioritization methodology for long-term multi-year IT programming
  • Utilizes ITLB-approved weighted criteria, develops future year IT program/project priorities consistent with the department’s enterprise architecture, IT strategy, strategic goals, lines of business priorities, and previous year funding allocation
  • Develops options and recommendations for program/project “cut-line” based on fiscal reality, prior year execution, IT’s ability to execute, etc.
  • Utilizes IT costing models and methodologies for validating future year budget recommendations
  • Evaluates business cases and priorities, including required supporting infrastructure
  • Evaluates adherence to technical/information security and privacy standards
  • Conducts milestone reviews
  • Identifies IT services and required funding for future service level agreements and other metrics
  • Recommends technology strategy and enabling technology initiatives and priorities
  • Addresses long term issues, as required
  • Ensures that security, privacy and risk management are integrated within the IT Governance program, thereby ensuring that stakeholder needs are met in an effective and secure manner

Finally, the department established a continuous improvement process for evaluating the IT Governance transformation, not only to gauge prior progress toward a final department-wide vision, but to ensure that IT is being effectively deployed, in a secure manner, to support all those working for or being served by the department. This approach provides a model for agencies to adapt in their own journey toward IT Governance maturity.