In an era where technology underpins virtually every business process, the governance of IT is no longer a concern solely for the IT department. It is a board-level responsibility with direct implications for risk management, regulatory compliance, strategic execution, and shareholder value. Yet many organisations still treat IT governance as an afterthought — a bureaucratic exercise rather than a strategic capability. The cost of this neglect is measurable: misaligned IT investments, regulatory penalties, security breaches, and technology projects that fail to deliver business value.
The European regulatory environment has made IT governance urgently relevant. The NIS2 directive, which member states were required to transpose into national law by 17 October 2024, makes the management bodies of in-scope entities responsible for approving and overseeing cybersecurity risk-management measures and allows them to be held liable for infringements. DORA, applicable from 17 January 2025, requires financial entities to implement a comprehensive ICT risk management framework. GDPR continues to demand robust data governance. Collectively, these regulations create a compliance imperative that only structured IT governance can address. Under NIS2, essential entities face administrative fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher (important entities: up to 7 million euros or 1.4%).
Understanding IT governance frameworks
Three complementary frameworks provide the foundation for effective IT governance. COBIT 2019, developed by ISACA, offers a comprehensive governance and management framework for enterprise information and technology. Its strength lies in its governance design factors (enterprise strategy and goals, risk profile, threat landscape, compliance requirements, the role of IT, sourcing model, enterprise size, and others), which allow organisations to tailor a governance system to their own context rather than adopting every objective wholesale. COBIT 2019 distinguishes between governance objectives (the board's responsibility to evaluate, direct, and monitor) and management objectives (management's responsibility to align and plan, build and acquire, deliver and support, and monitor and assess), providing clarity on roles and accountability.
ITIL 4 complements COBIT by providing operational discipline through its service value system. ITIL 4 modernised its predecessor with a focus on value co-creation, guiding principles (such as start where you are, progress iteratively, and think and work holistically), a service value chain, and 34 management practices organised across general management, service management, and technical management. Where COBIT answers 'what should we govern?' ITIL 4 answers 'how do we manage IT services effectively?'
ISO/IEC 38500 operates at the board level, defining the governance/management boundary through an Evaluate-Direct-Monitor oversight cycle. It establishes six principles for good IT governance: responsibility, strategy, acquisition, performance, conformance, and human behaviour. The standard is deliberately high-level, designed to be used by directors and executives who need to understand their governance obligations without getting lost in operational detail. A layered approach — ISO 38500 for board engagement, COBIT for strategic direction, ITIL for operational execution — creates a comprehensive governance architecture.
Aligning IT with business strategy
The primary purpose of IT governance is to ensure that IT investments and activities are aligned with business objectives and deliver measurable value. This sounds straightforward but is notoriously difficult in practice. Research consistently shows that a significant proportion of IT projects fail to meet their original objectives, with misalignment between IT and business strategy cited as a primary cause.
Effective alignment requires structural mechanisms: an IT strategy committee at board level, a regular cadence of business-IT alignment reviews, and portfolio management practices that evaluate IT investments against strategic objectives. The balanced scorecard approach, adapted for IT, provides a useful framework: financial metrics (IT cost as percentage of revenue, ROI on IT investments), customer metrics (user satisfaction, service availability), internal process metrics (project delivery performance, incident resolution times), and learning and growth metrics (skills development, innovation capacity).
IT portfolio management treats the organisation's technology investments as a portfolio to be actively managed, much like a financial investment portfolio. Each investment is categorised (run the business, grow the business, transform the business), evaluated for strategic fit and risk, and regularly reviewed for continued relevance. This discipline prevents the common problem of IT budgets being consumed by legacy maintenance at the expense of innovation and strategic investment.
Risk management and compliance
IT risk management is a core governance function that has gained urgency with the evolving regulatory landscape. NIS2 specifies that the management bodies of essential and important entities must approve the cybersecurity risk-management measures and oversee their implementation, and that they can be held liable for infringements. DORA requires the management body to define, approve, and oversee the ICT risk management framework and bear ultimate responsibility for it, across five pillars: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information-sharing arrangements.
A mature IT risk management practice integrates with enterprise risk management and covers technology risks (system failures, obsolescence), cyber risks (threats, vulnerabilities), operational risks (process failures, human error), compliance risks (regulatory changes, audit findings), and strategic risks (technology disruption, vendor dependency). Risk registers, risk appetite statements, and regular risk assessments provide the governance structures needed to make informed decisions about risk acceptance, mitigation, transfer, or avoidance.
GDPR compliance requires data governance capabilities — data classification, retention policies, data subject rights management, and data protection impact assessments — that depend on underlying IT governance structures. Organisations without clear data ownership, documented data flows, and systematic data quality management inevitably struggle with GDPR compliance. IT governance provides the foundation upon which effective data governance is built.
IT budgeting and cost transparency
One of the most tangible benefits of IT governance is cost transparency. Many organisations struggle to answer fundamental questions: How much do we spend on IT? What do we get for that investment? How does our spending compare to peers? Without governance structures, IT costs are often opaque, fragmented across business units, and difficult to benchmark.
Technology Business Management (TBM) provides a framework for IT financial management that maps IT costs to business services and capabilities. By allocating costs from infrastructure through application towers to business-facing services, TBM enables conversations about the cost of IT in business terms rather than technology terms. This transparency empowers business leaders to make informed trade-off decisions and enables IT to demonstrate value rather than defend budgets.
Effective IT budgeting under a governance framework typically splits spend into three categories, often mapped onto a three-horizon model: run (the cost of maintaining existing systems and services), grow (enhancements and incremental improvements to what already exists), and transform (innovation and strategic transformation). Governance ensures an appropriate balance across these categories and makes the split visible to the board, preventing the common trap where run costs quietly crowd out strategic investment.
Governance structures and operating model
Effective IT governance requires formal structures. An IT steering committee, comprising senior business and IT leaders, provides the forum for strategic decision-making, investment prioritisation, and performance review. A clear RACI matrix (Responsible, Accountable, Consulted, Informed) for key IT decisions — architecture standards, vendor selection, security policy, project prioritisation — eliminates ambiguity and ensures decisions are made at the appropriate level.
The CIO or IT director serves as the executive accountable for IT governance, but governance is not a solo responsibility. Architecture review boards ensure technical decisions align with standards and strategy. Change advisory boards manage the risk of changes to production environments. Security governance committees oversee the organisation's cybersecurity posture. Each of these bodies operates within a defined mandate, with clear escalation paths and decision rights.
For SMEs that may lack the scale for multiple governance committees, a streamlined model is appropriate. A single IT governance board meeting monthly, with a standing agenda covering strategy alignment, risk review, investment portfolio, and performance metrics, can provide the essential governance functions. The key is not the number of committees but the discipline of regular, structured oversight with clear accountability.
How Shady AS can help
At Shady AS SRL, we help organisations in Brussels and across Europe establish IT governance frameworks that are practical, proportionate, and aligned with their business context. Whether you need to implement COBIT 2019 for comprehensive governance, adopt ITIL 4 practices for service management excellence, or establish board-level governance aligned with ISO 38500, our consultants bring the expertise to design and implement governance structures that deliver real value.
With NIS2, DORA, and GDPR creating a complex compliance landscape, our governance advisory services help you build the structures and processes that satisfy regulatory requirements while enabling strategic agility. From IT governance assessments and roadmap development to hands-on implementation of governance frameworks, steering committees, and reporting mechanisms, we partner with you at every step. Contact Shady AS SRL today to discuss how structured IT governance can transform your technology investment from a cost centre into a strategic competitive advantage.