Wednesday, 3 February 2010

Is ISO/IEC 38500 The Cinderella at the IT Governance Ball?

I like ISO 38500.  I like it very much indeed.

Which is why I find it so hard to understand why it has been met with such deafening silence in the UK.

  • Is it because COBIT is already so well established?
  • Is it because people are not aware that it exists?
  • Is it because people are unsure how to respond to it?

A survey is now open to 6th March to assess the market for ISO 38500 If you can, please identify that you came across the survey from this blog.

Why do I like it so much?

I honestly believe that the standard has a lot to offer organisations, especially those that have not already been driven down the governance route in reaction to external requirements.

I believe that whilst we often talk about ITSM addressing the concerns of the corner office the truth is we rarely actively engage senior business management in delivering IT. Good IT Governance, with a focus on the interests of stakeholders can make a real difference to the relationship between IT and the business.

The benefits of good governance  obviously extend beyond ITSM, it is also a sign of effective portfolio, programme and project management.

What is so great about ISO 38500 is that it can get people, and I include the business, not just IT, to realise just what their responsibilities are for ensuring IT is effective and efficient in supporting the organization. And the standard is, of course, very clear that the responsibility for IT rests at director level.

I'll end this post with a specific example of how I've seen an idea inspired by the standard make a difference even in an organisation that has yet to decide whether to adopt it wholesale. 

They thought they had good project reviews, they had even adopted the concept of gateway reviews that were led by the business, but what they discovered when they compared their approach to the standard was they were only judging each project by its own internal criteria. 

In effect they were only assessing if the project was on track and within budget. What looking at the standard made them realise was that they were not asking if the project was still aligned to corporate objectives, and that compromises being made within the projects were contrary to the Principles of the standard. 

For instance short cuts were being taken over the acquisition of change related hardware and services that threatened to contravene the financial limits for needing to re-tender the entire project.


  1. James

    Having been involved with 38500 as an ISACA rep with Standards Australia and now in ISO from its inception i support your comments. The challenge we have is to have the board recognise that they have to govern IT as part of enterprise govenance and that is not just ensuring IT is well managed but that business is engaged with IT to gain the required outcomes. 38500 is good start.

    There will be an Australian Standard As/NZ 8016 in a similar form to 38500 coming out soon. It will focus on projects involving investment in IT coming out soon. I will be interested in your views when it comes.


  2. Max,

    I'll be more than happy to comment on AS/NZ 8016.

    Something that struck me is I would rather do an elevator pitch on IS0 38500 than on COBIT and ValIT. In IT we often have such a brief window to capture the board's attention.

  3. Steve Romero, IT Governance Evangelist5 February 2010 at 17:23

    If ISO 38500 is Cinderella, then the Board/BizLeaders must be the Prince. If I am following your analogy correctly...Where is the glass slipper? Maybe the better question is, Who is the Glass Slipper?

    In the 3+ years that I have been globally evangelizing the power and promise of IT Governance I have experienced two inevitable problems:
    - A pervasive misunderstanding of the IT Governance discipline
    - An even-more-pervasive misunderstanding of who is responsible for IT Governance.

    The worse thing about my beloved IT Governance are the first two letters: "IT." The name helps perpetuate the misconception that IT Governance is a function of IT or the CIO - when in fact IT Governance is a function of the business.

    So I would love to have the Glass Slipper to place on the foot of the Board of Directors - or even on the foot of Business Leadership. I don't have it. Upon reflection, I guess I have been acting as a surrogate-glass-slipper as I travel around the globe desperately trying to communicate the message and spirit of your post. That makes you, and likely your readers, surrogates as well.

    Please let me know when you find the glass slipper. There are many feet out there that need to recognize the fit.

    Steve Romero, IT Governance Evangelist

  4. There is no such thing as "IT Governance", only "Governance of IT", which is why the standard is carefully called "Corporate governance of information technology".

    it could have been called "Corporate governance of absolutely bloody anything" but rumour has it that since it was created by an IT committee, they weren't allowed to do that.

  5. Rob,

    You aren't suggesting that there might be turf wars within ISO are you ;-)

    I agree, governance is governance in the same way that management is management. We put the IT word in front of either of them and they seem to lose their normal meaning.

  6. Steve,

    Yes I think that's right, and if Cinders does go to the ball it will have to be because the prince invites her himself, because the ugly sisters won't take her. Now who are the ugly sisters?

    I would see the glass slipper as the compelling reason why this approach to governance is required - the problem it solves. I'm still not convinced that attempts to define the problem have hit the right note yet to resonate with the proper audience for the standard.

  7. A comment in two parts. This is part one...

    James, that anecdote is a fabulous illustration of the power of ISO 38500.

    The “elevator pitch”: ISO 38500 gives the board and executive management a framework through which to control risk and maximise value of established and future use of IT. This ties nicely to your anecdote.

    Why has ISO 38500 underwhelmed to date? I see four elements of the problem:

    1 ISO 38500 involves a massive paradigm shift – everything that precedes it focuses on the internal-to-IT-department aspects of IT supply. ISO 38500 includes that, but extends the focus to the whole-of-business question of demand, or usage. It’s like motor cars – lots of manufacturers today build great cars, but lots of ordinary drivers still crash them. Fabulous supply does not necessarily mean great demand/usage.

    2 Most of what the IT industry calls “IT Governance” is actually IT Management. Boards do governance, not management, so when people come to the board telling them that they have to get involved in what they clearly recognise as management process, they quite rightly turn their backs. Taking the glass slipper metaphor a new way – too many so called experts are handing the board a Wellington boot and calling it a glass slipper. The board members won’t get involved in the Wellington boot level of the business, and nor should they.

    3 ISO 38500 is aimed at business leaders, but most of the people who talk about it are talking to IT people. I’m as guilty on that as anybody, but I have to make a living and so much of my effort necessarily goes to those who will pay – and they are predominantly IT folk looking for a better answer.

    4 ISO 38500 doesn’t come with a nice packaged implementation kit of detailed installation instructions. Instead, it comes with a raft of challenges, and those who use it have to think. Thinking is hard and too many who look at ISO 38500 fail to see the power in its simple principles. When I wrote Waltzing with the Elephant, I was amazed to discover for myself just how far those principles can be taken to put new perspective on old problems. In an A4 book, the principles ran to 8 pages on responsibility, 26 on strategy (which I prefer to call planning), 22 on acquisition, 30 on performance, 14 on conformance, and 10 on human behaviour. That’s on top of another 40 pages discussing the Evaluate-Direct-Monitor governance cycle. Even then, there remains enormous scope for further exploration.

    As I travel the world explaining ISO 38500, I encounter many people who change their views from start to end of session. At the start, they have read the standard, but have not worked out how to apply it. At the end, they understand that it is not intended to be applied as a process model, which is essentially what applies to COBIT and ITIL. Rather they understand that it is intended to guide analysis and design, enabling development of a whole-of-organization approach to governance of IT that fits its culture, capabilities and needs.

    And as I watch through the lens provided by the Internet the antics of others “evangelising” ISO 38500, I lament that in almost every case, they deliver a thin veneer of ISO 38500 on top of a COBIT lesson. And I lament that, to my knowledge, none of them have taken the time to either think deeply and write a book on the standard, or to read my book.

    Please see part two...

  8. A comment in two parts. This is part two...

    Max Shanahan is right – the challenge is to get the board understanding that they are ultimately responsible, and that ISO 38500 is first and foremost for them. We will NEVER achieve this while people keep linking ISO 38500 to COBIT and other supply-side frameworks, and we will never achieve it while we continue to confuse the related but distinctly different concepts of governance and management.

    Steve Romero laments the fault in the term “IT Governance” – that it starts with “IT”. But Steve’s blog is called “The IT Governance Evangelist” – so why does he lament a fault that he himself perpetrates? And it’s not just “IT”. Read his blog to see that Steve uses the word “Governance” with gay abandon – in many contexts where he is actually talking about management (e.g. I list "Outsourcing Services" as an essential Governance process. in The tendency of many well meaning “evangelists” who come from the IT world to use the word “governance” when they are talking about management tasks is one of the key contributors to confusion and resistance from the boardroom. I’ve seen people from CA evangelising “IT Governance”. My conclusion: They don’t get ISO 38500 and they don’t understand the fundamental distinction between governance and management. They are still pushing supply side governance and integrally (at least at the last event I attended) using that to push their products. Now those products may well be fine in their context, but they are most definitely not governance products. They are products that help build the management systems which in turn should be overseen by an effective governance regime. In other words, they are Wellington Boots!

    How do we solve these problems? One thing that would help would be for the entire IT industry to get the message straight and deliver consistent perspective on governance of IT, using ISO 38500 as the foundation. Another is to engage those business leaders who do get it, and exploit their experience and connections to build a wider community of business leaders who understand. They are both big asks!

  9. Mark,

    I don't think I have ever spent so much time reading such a short document as many times as I have reading ISO 38500. As you say it requires the application of thought.

    I'm interested in your view that people are too eager to layer it on top of COBIT. Much as I admire COBIT, and after all I come from an audit background, I think I agree with you.

    I suspect you are right that they are different kinds of thing, and to confuse them would be a category mistake.

    I don't believe you can reconstruct the standard and/or governance from the ground up by conglomerating individual activities and controls. I think we should have learnt that from the reality of most SOX programmes.

    That poses a dilemma though. I believe the standard needs to be presented in a way that makes it concrete for the stakeholders, but in doing that there is a danger that we weaken it. I can already see in my mind's eye how some organizations will reduce adherence to the standard to the production of posters of corporate good intentions.