IT Governance for Small and Medium Business


Pick up any literature or media since the start of the twenty-first century, and you are guaranteed to read an article on the global recession, or see the term ‘Glocalization’. More interestingly, look a little deeper and your research is likely to find fingers being pointed at a multitude of large national and international enterprises as those primarily responsible for contributing to this global economic downturn, which has characterized the first one and a half decades of this new millennium. So what does the future hold and where does one look to for global growth and recovery? Enter the world of Small and Medium-sized Enterprise (SMME)…

You may be one of the many who is surprised to learn that SMMEs are exactly that, the future. It’s true, SMMEs are being hailed as “the world’s most concentrated, booming and innovative engine for world trade and growth”. From London to New York, to Johannesburg to Stockholm, countries around the globe are recognizing the increasing role SMMEs are fulfilling in driving economic growth, job creation, social integration, innovation, and importantly, poverty alleviation. What is perhaps largely understated is that over 90% of all global enterprises are SMMEs, making them the dominant size of organization, and the single biggest contributor to national gross domestic product (GDP) in almost every country on the planet.

With this burgeoning SMME sector comes not only opportunities and challenges, but responsibility. Enterprises of all sizes from all corners of the globe are facing mounting pressure relating to accountability, transparency, disclosure, and ethics, leading to the rapid rise in importance of corporate governance. For SMMEs though, this is particularly significant. Most SMMEs do not have the resources, capacity or capability to implement effective corporate governance into their organizations and, it must be said, many do not have the awareness of or appetite for it either. This aversion is often fuelled by the litany of other issues that plague the operation of SMMEs, which draw the focus and attention of the enterprise’s valuable resources. It is also true, though, that the typical SMME does not have the critical components of Corporate Governance either, like a Board of Directors, Corporate Financial Reporting, or External and Internal Audit.

SMMEs are naturally hindered by challenges, such as access to finance, limited credit, reduced market access, high operating and transaction costs, insufficient skills, and critically, minimal utilization of information and technology due to (un)affordability. The latter is of particular consequence given the exponentially ascending importance and value of information technology (IT) to an organization, especially in a globalized economic environment. And no more so than to an SMME. Yet, with limited resources, SMMEs are inherently hampered in being able to derive maximum value from their Enterprise IT. So, being restricted and constrained, is there a means for SMMEs to create and sustain value from IT in their organizations? The answer is comfortingly ‘yes’ – IT Governance.

Whenever I think of IT Governance, I immediately turn to COBIT 5, the business framework for the Governance and Management of Enterprise IT. For the SMME, IT Governance, and specifically COBIT 5, represents and provides a way to maximize value from their investments in IT. Indeed, the primary focus of IT Governance in COBIT 5 is value creation, achieved by realizing benefits, and optimizing risks and resources. The IT function of the stereotypical SMME ranges from a small team down to a ‘one-man-band’ where the IT resource(s) perform many other tasks of which but one is related to IT. IT tasks tend to be very technically oriented with little evidence of management or governance in place.

Without dedicated IT Management and often not even an IT Help Desk in place, SMMEs are commonly at a disadvantage when contemplating how to go about investing in, managing and governing their Enterprise IT. Many are not even aware of IT Governance or frameworks and how they can be used to improve IT business performance, and are rather reputed for poor IT spends, security, resource and risk management, even in the age of globalization and the information (and technology) economy. And sadly, so many still today believe that IT Governance and COBIT 5 are the domain of ‘big business’, reserved for the large enterprise sector and not available, affordable and practical for the SMME. Fortunately this is most definitely not the case.

On the contrary, many of the benefits which can be realized by SMMEs from their Enterprise IT are a consequence of their size, as opposed to it being a barrier – like flexibility, adaptability, responsiveness, competitive advantage… SMMEs find it difficult to set IT Goals, implement IT processes and practices, and measure their IT performance, and again this is where IT Governance and the COBIT 5 business framework are able to help.

It really is a misperception that IT governance is only relevant to large organizations, when in reality it is an equally if not more essential ingredient for the SMME. SMMEs are, in my opinion, even more dependent on IT Governance for the success of their business, as they seek to exploit any opportunities to create value and competitive advantage for the business, many of which come from the application of IT in their organization. IT Governance is there to ensure that IT in the enterprise continuously delivers benefits whilst balancing risk and costs, in other words value creation.

The Evaluate Direct Monitor (EDM) domain within the (IT) Governance area of COBIT 5 focuses squarely on value creation, with processes to ensure that:

  • Requirements for the governance of Enterprise IT are in place to achieve the enterprise’s mission, goals and objectives
  • Value contribution to the business from IT investments is optimized at acceptable costs
  • Risk to enterprise value from the use of IT is identified and managed
  • Necessary IT-related capabilities are available to support enterprise objectives effectively at optimal cost
  • Enterprise IT performance and conformance measurement is in place

All of the above are without doubt important, if not mission critical for any SMME.

So, we can easily conclude that as SMMEs are essential to the future of the global economy, so too is IT Governance critical to the SMME. COBIT 5 is not by any stretch of the imagination only for the large Enterprise sector, multi-national powerhouses, JSE listed or Fortune 500 companies. Not only is COBIT 5 Technology agnostic by design, it is Enterprise agnostic too, equally valuable and applicable to profits and not-for-profits, large, medium and small enterprises. It isn’t a framework which needs to be wholly and fully implemented at one time; it is structured and flexible, enabling organizations in the SMME sector to select the domains, processes, practices and/or activities most appropriate and important to their operation, current strategic objectives and enterprise goals – and in line with the budgets and resources at their disposal.

Technology, Market, Regulatory and all the other external environmental factors which apply to large organizations are relevant to SMMEs. And like big business, SMMEs should have an (IT) Governance objective of value creation, focused on realizing maximum benefits, with minimal risk and optimal use of resources, from their investment in IT. COBIT 5 provides SMMEs in any industry with a comprehensive framework and supporting collateral for achieving effective and efficient governance and management of Enterprise IT. If I were an SMME looking for a single, integrated solution to my IT Governance problem, and seeking to create as much value as possible through the use of IT, I would look no further than COBIT 5 and all it has to offer.

For information on COBIT 5 please visit You can also get ISACA’s free to download COBIT 5 Toolkit here at

To find out more about IT Governance for small and medium business visit the white paper by Mike Lane