Governance is both a concept and a set of specific actions an organization takes to ensure compliance with its policies, processes, standards, and guidelines. The goal is to meet business requirements; however, the focus of governance is ensuring everyone is following established rules. What is assumed in governance is that these business objectives were well understood and baked into the rules. Thus, by following the rules, you achieve these business goals. Good governance should include a good understanding of the business, so when enforcement of a rule doesn’t make sense, adjustments to the governance process can take place.
Governance in the real sense is much more than a concept. An organization puts formal processes in place and creates committees to act as gateways. These are tangible acts that collectively define the governance structure of an organization. Governance is a collection of checkpoints that perform either a quality control (QC) or quality assurance (QA) function. In this context, if the governance body must approve an action, then it’s a QA function. If the governance body reviews actions after the fact, then it’s a QC function. This distinction is critical in understanding how controls are managed. These terms are often misunderstood:
Think of this from the perspective of the forest and the trees. When you think about QA, think about looking at each tree to see if it's healthy. In contrast, when you think about QC, you check to see if the forest is healthy.
Governance includes a series of oversight processes and committees. Collectively, governance ensures accountability, monitors activity, and records what is going on. What is also implied is that the governance structure will take action when the rules are ignored or not properly applied.