Marc H.
Too Long; Didn't Read
IT governance is not COBIT and not ISO 38500. It is the answer to four simple questions: who decides what in your IT, who bears responsibility, whether expenditures align with objectives, and how you maintain oversight. For SMEs, three building blocks are enough: clear decision rights on half a page, business owners for critical systems, and a one-page dashboard instead of 25-page reports.

IT governance sounds more complicated than it is. Really.
If the term makes you think of multi-day workshops, COBIT certifications, and steering committees that meet every three months and still decide nothing, you’re in good company. Most IT managers in SMEs react that way. And that is exactly why many companies with 50 to 500 employees have no IT governance at all.
That’s a shame. Because at its core, it’s about something very simple: clarity about who makes which decisions in your IT organization. And this clarity is missing more often than you might think.
Let’s build this step by step.
Step 1: Understand what it is really about
Forget frameworks. Forget ISO 38500. Forget everything that sounds like certification.
IT governance answers four questions. Four. Not forty.
Who decides on IT investments? In other words: Who approves a new tool? Who authorizes a platform change? Who says yes or no to the ERP upgrade?
Who is accountable when something goes wrong? Not technical responsibility. Business responsibility. If the CRM is down for two days, who decides what has priority?
How do you ensure IT spending aligns with business goals? In other words: Are you investing in things that help the business? Or is every department buying whatever comes to mind?
How do you get transparency without getting lost in reporting? You need an overview. But not a 25-page quarterly report that no one reads.
If you can answer these four questions, you have IT governance. No paperwork, no certificates. Just clarity.
Step 2: Recognize the problem behind the problem
In our IT audit, governance gaps do not appear as a side note. They are usually the root cause of everything else that is not working.
The typical pattern looks like this: No one knows exactly who decides on IT spending. So somehow everyone decides. Sales buys a new SaaS tool because it stays under the CHF 5,000 budget threshold. IT finds out two months later when onboarding gets stuck. At year-end, the CTO wonders why SaaS costs have risen by 30 percent again.
This is shadow IT as a governance symptom. And shadow IT almost always emerges where official paths are missing or too slow.
The other side is just as problematic. If every small software request needs four signatures and takes three weeks, people will just get their own tools. Governance that is too restrictive is ignored just as much as no governance at all.
Step 3: Build three simple structures
You don’t need a 200-line RACI document. You need three things.
Decision rights on half a page
Write down who is allowed to decide what. For a company with 200 employees, three levels are usually enough.
Operational IT decisions: day-to-day business, configurations, tool selection within the defined budget. IT decides this itself. No escalation process, no approval form. Clear mandate, clear budget, done.
Tactical decisions: new systems, larger projects, supplier changes. Here, a structured conversation between IT management and executive management is enough. No steering committee. One conversation with a clear basis for decision-making.
Strategic decisions: transformation projects, major investments, platform changes. These belong to executive management. With a business rationale, not a technology pitch.
Sounds obvious? Ask three colleagues from three different departments who approves the budget for the next ERP extension. You will get three different answers.
Business owners for critical systems
For every important system, you need a person from the business who is accountable. Not the IT person who operates it. The person who depends on it the most.
If the ERP fails, IT will of course handle the technical solution. But the business owner from logistics says: "We need this by 2:00 PM, otherwise 30 shipments won’t go out." That is the difference between "IT will solve this at some point" and a clear priority.
This step is uncomfortable. Naming responsibility means someone is also reachable when things are not running smoothly. That is exactly why it is often avoided. And exactly why it is so important.
A dashboard instead of a report
The most common governance trap: the quarterly IT report, 25 pages of slides that executive management requested but no one really reads. The governance meeting lasts 90 minutes and ends without clear decisions.
What works instead: a one-page dashboard with five to seven metrics. Project status (green, yellow, red plus one sentence of explanation). IT costs vs. budget. Open security risks. That’s it.
In addition, a monthly 30-minute conversation between IT management and executive management. No big presentation. A structured conversation based on the same numbers.
(We helped one customer replace their quarterly 40-slide report with an A4 dashboard. Decision quality increased, not decreased.)
Step 4: Understand the connection to good IT decisions
Poor IT decisions rarely result from technical ignorance. They happen because no one knows who actually decides, based on which criteria, and with which information.
A vendor gives a demo. Everyone is enthusiastic. But who gives the green light? Based on which criteria? Who checks whether the new tool fits the existing systems? Who calculates the total cost over three years?
IT governance provides a framework for these questions. Not through bureaucracy, but through clarity. And in practice, that is the difference between a company that uses IT as a tool and one that slips into an avoidable IT project debacle every few years.
Step 5: Start small (and stick with it)
The biggest risk in any governance initiative: wanting too much at once. Decision rules, escalation paths, portfolio management, risk catalog, Architecture Review Board. All sensible. But for an SME that is just getting started, this is the surest way to make the whole thing fail.
Start with the three problems that hurt the most. Usually these are: unclear budget approvals for IT investments, missing ownership definitions for critical systems, and insufficient transparency on IT costs for executive management.
Solve that. In six to eight weeks. With simple documents and a few structured conversations. Then you look at what is needed next. This is not abandoning a framework. It is a different entry point that actually works.
The next step
Tomorrow morning, before the day gets going: take 15 minutes and write down on half a page who makes operational, tactical, and strategic IT decisions in your company. No perfect solution, no RACI matrix. Just write down how it is today. You will notice that in some places it is surprisingly unclear. And those very places are your starting point for pragmatic IT governance.
If you need support with this, in building the decision structures or in answering what the next step after the minimum should look like, get in touch with us. We do this regularly with companies of your size.