From Strategy to Delivery… to a Full Stop?
Over the last two weeks, we laid the groundwork:
- In Week 1, we made the case for modern ITSM as the connective tissue between IT and business value.
- In Week 2, we introduced the Service Value System, your blueprint for turning ideas into outcomes across teams, tools, and frameworks.
But here’s the rub: even with strategy in place and value streams mapped, progress often grinds to a halt at the first sign of governance.
Approvals pile up, accountability blurs, developers get frustrated, and compliance gets nervous. And suddenly, that fast-moving idea is stuck in a spreadsheet, waiting for a signature.
This week, we’re tackling the most misunderstood part of service management:
Governance that moves with you … not against you.
We’ll show how good governance can accelerate delivery, reduce risk, and bring clarity to the chaos, without becoming a bureaucratic bottleneck.
Because real governance isn’t a blocker, it’s a business enabler.
The Problem with Traditional Governance
Governance is meant to bring clarity, confidence, and direction. But in too many organizations, it does the opposite.
Instead of accelerating execution with smart checks and balances, traditional governance often manifests as a wall of friction: slow-moving, paperwork-heavy, and disconnected from the real pace of work.
Where It Goes Wrong
1. Governance Becomes an Exercise in Delay
- Change requests are routed through a weekly CAB that hasn’t adapted since 2010
- Endless rounds of approvals from people who don’t own the risk or understand the context
- Projects that “pause for compliance” for weeks with no real feedback loop
By the time you get a green light, the opportunity that sparked the change is already gone.
2. No One Knows Who Owns What
In many organizations, governance creates more ambiguity, not less. When approval flows involve four vice presidents, two directors, and a committee, accountability diffuses to the point of invisibility.
Teams don’t know who makes the final call, and approvers don’t understand the service impact. Suddenly, everything important has no clear owner, but plenty of people to slow it down.
3. Risk Aversion Becomes the Default Culture
Traditional governance tends to treat all changes as dangerous, which leads to excessive caution, bloated controls, and blanket policies that make no distinction between a zero-downtime patch and a core system overhaul.
Instead of enabling informed, proactive decisions, governance becomes a way to avoid blame. That’s when people start gaming the system: classifying risky changes as “standard” or launching in the shadows to dodge delays.
4. Micromanagement Masquerading as Oversight
When governance is poorly defined, it often devolves into micromanagement:
- Leaders are asking for updates on every change
- Duplicate approval chains “just in case”
- Meetings to prepare for meetings that exist to get sign-off
These are signs of a governance system that lacks trust, clarity, or both.
How to Tell You’re Doing Governance Wrong
- The service desk waits longer for approvals than for the fix itself
- Your dev team avoids the change process whenever possible
- Your CAB becomes a bottleneck, not a business enabler
- You find out about major releases only after they hit production
- People spend more time managing status reports than managing outcomes
Governance isn’t supposed to be a brake. It’s supposed to be a steering wheel.
It should give you control at speed, not force you to pull over and file a ticket every time you hit the gas.
What Governance Really Means in ITSM and ITIL 4
Governance has a reputation problem.
Say the word and most people picture rigid oversight, endless approvals, or senior execs far removed from the work making decisions in a vacuum. But that’s not governance, that’s bureaucracy.
In modern ITSM, and especially in ITIL 4, governance is something far more powerful:
Strategic oversight that enables consistent, informed decisions in alignment with business goals, risk appetite, and accountability.
In plain English? It makes sure the right people make the right calls for the right reasons, without slowing everyone else down.
Governance vs. Management: Know the Line
A lot of confusion comes from treating governance and management like they’re interchangeable. They’re not.
- Governance sets direction: it defines policies, clarifies accountabilities, and ensures that organizational objectives are being pursued responsibly.
- Management executes on that direction: it plans, builds, delivers, and improves services within the defined policies and constraints.
In the ITIL 4 Service Value System, governance acts as the bridge between strategic intent and operational execution.
Think of it like this:
- Governance asks: “Are we doing the right things in the right way, for the right outcomes?”
- Management asks: “How do we get this done effectively, today?”
You need both. But when governance starts doing management’s job, or vice versa, everything starts to unravel.
ITIL 4: Governance at the Heart of the System
In ITIL 4, governance is one of the five core components of the Service Value System (SVS) – right up there with practices, the value chain, continual improvement, and guiding principles.
That’s deliberate. Governance isn’t a supporting character. It’s a central actor ensuring that:
- Business objectives are clear
- Roles and responsibilities are known
- Risk is acknowledged and addressed
- Policy is applied with context, not control for control’s sake
This approach recognizes that governance must scale with complexity, from a two-person DevOps team launching a microservice to a global organization managing vendor sprawl and regulatory scrutiny.
Connecting Risk Tolerance to Tech Execution
Every business has a risk tolerance, whether it’s formally documented or just baked into culture. Governance exists to translate that tolerance into decisions, policies, and boundaries that teams can operate within.
For example:
- In a fintech startup, governance may allow rapid deployments with light approvals, as long as rollback plans are tested and monitored.
- In a healthcare enterprise, that same deployment may require layered approvals, security assessments, and user testing before go-live.
Neither is wrong. The key is consistency and clarity.
Teams shouldn’t have to guess:
- “Can we deploy this ourselves?”
- “Does this change need security review?”
- “Who signs off if something goes wrong?”
Good governance answers those questions up front, and trusts the team to execute.
Governance doesn’t mean “ask permission.” It means “know the boundaries, and move fast within them.”
This modern view of governance replaces micromanagement with empowerment, and replaces ambiguity with confidence.
Modern Governance in Practice
Modern governance isn’t about enforcing control. It’s about enabling responsible autonomy at scale.
Done right, governance is invisible to most of the organization, not because it’s absent, but because it’s embedded, contextual, and frictionless. Here’s how you bring that to life.
1. Adaptive, Risk-Based Approvals
One-size-fits-all governance is dead. In its place: risk-based models that adapt governance to the situation, not the other way around.
Framework to implement: Tiered Change Model
- Standard changes: pre-authorized, low-risk, repeatable (e.g., patching, non-prod changes)
- Normal changes: evaluated based on risk profile and impact (e.g., feature rollouts)
- Emergency changes: fast-tracked with post-implementation review
How to make it work:
- Define risk scoring criteria: impact, likelihood, customer visibility, data sensitivity
- Automate approvals for low-risk changes through policy and workflows
- Build decision trees or service-based rules into your change platform (e.g., ServiceNow, Jira SM)
If your governance model treats “update homepage banner” and “push changes to a payment gateway” the same … it’s time to evolve.
2. Delegation of Authority with Clear Boundaries
True empowerment doesn’t mean “do whatever you want.” It means knowing what you can do confidently without escalation.
Framework to implement: RACI with Autonomy Zones
- Responsible: Who executes
- Accountable: Who owns outcomes
- Consulted: Who provides input
- Informed: Who needs to know
Overlay this with “decision domains”:
- Budget thresholds
- Security exceptions
- Deployment approvals
- Vendor selection
How to make it work:
- Publish a decision matrix: who can decide what, at what level of risk or cost
- Equip team leads and product owners with guidelines they can act on
- Empower decentralized teams (e.g., DevOps squads) to self-govern within approved bounds
When in doubt: the best governance reduces “ask permission” culture and replaces it with “act responsibly within guardrails.”
3. Real-Time Reporting Over Quarterly PDFs
Static reports are useless in fast-moving environments. Governance needs live data, not lagging indicators.
Framework to implement: Real-Time Governance Dashboards
- Change success/failure rates
- Incident trends by service
- SLA/SLO compliance
- Policy violations
- Risk register updates
How to make it work:
- Integrate tooling (CI/CD, monitoring, ITSM) into your governance platform
- Set up automatic alerts for out-of-bound events (e.g., “3 failed changes this week on the same service”)
- Use this data to inform governance decisions and board-level oversight
You can’t govern what you can’t see. And what you see too late doesn’t help anyone.
4. Include DevOps, Agile, and SRE Roles in Governance
Governance isn’t a top-down activity anymore, it’s multi-directional and collaborative.
Framework to implement: Cross-Functional Governance Forums
Create a working group that includes:
- Product Owners
- DevOps leads
- Service managers
- InfoSec
- Architecture
- SREs or reliability engineers
How to make it work:
- Review governance policies together, not just in siloed steering committees
- Use retrospectives and postmortems to refine governance (e.g., “Why did this approval delay delivery?”)
- Empower teams to propose changes to the governance model itself
If governance doesn’t include the people it impacts, it will be bypassed or broken. Sometimes both.
Bringing It All Together
Modern governance is:
- Context-aware, not command-and-control
- Real-time, not rearview
- Collaborative, not hierarchical
- Built-in, not bolted on
Done well, it gives teams clarity without compromise, freedom with accountability, and speed with safety.
Coming Up Next: The Service Value Chain in Action
You’ve got strategy. You’ve got governance. Now it’s time to make the machine move.
Next week, we break down the Service Value Chain, the true engine of ITIL 4, and show how each part (Plan, Engage, Design & Transition, Obtain/Build, Deliver & Support, Improve) works together to turn intent into execution.
Think of it as your relay race for value delivery, and we’re here to make sure no one drops the baton between DevOps, support, infrastructure, and the business.
Spoiler: when each handoff is clear, aligned, and purposeful… that’s when IT stops being a function and starts becoming a force.
Final Thought
Governance gets a bad rap … and honestly, it earned it.
For too long, it meant bottlenecks, binders, and approvals that moved at the speed of fax machines.
But in modern organizations, governance doesn’t live in a binder. It lives in your Jira workflow, your change pipeline, your SLO dashboards, and your retrospectives.
Great governance feels less like red tape and more like lane markers on a racetrack, keeping teams aligned, confident, and moving fast without spinning out.
Because the goal isn’t to approve less. It’s to ask better questions, earlier, and let smart teams do smart things, without waiting on Tuesday’s CAB.
So here’s to building governance that’s trusted, embedded, and… dare we say, appreciated.
- Share this with your product, security, and ops leaders. Governance affects everyone, not just the policy people.
- Reflect with your team: What’s one part of your delivery process slowed down by approvals that no longer make sense?
- Follow along: Next week we bring the value chain to life, and finally answer why “Engage” matters just as much as “Deploy.”
Let’s make governance work for the business, not against it.
