Governance | 28 April 2026 | 4 min read | ISO Xpert Team | Last updated 28 April 2026

Why Your IT Governance is Failing: 4 Counter-Intuitive Truths from ISO 20000-1

It is a recurring nightmare for many organizations: a critical IT service collapses, the recovery window is closing, and a room full of highly paid experts is staring at each other in silence. Everyone is "working on it," but no one is certain who has the final authority to make the high-stakes calls. In the heat of a crisis, the gap between a job title and actual accountability becomes a chasm that swallows up time, money, and reputation.

This lack of clarity isn't just a management headache; it is a fundamental governance failure. In the world of ISO/IEC 20000-1:2018, Clause 5.3 serves as the "antidote to vagueness." It mandates that roles, responsibilities, and authorities are not merely suggestions—they must be assigned, communicated, and deeply understood.

As a Lead Auditor, I have seen countless organizations fail their audits not because they lacked talent, but because their governance was built on sand. To move beyond "paper-only" compliance, Top Management must understand that governance is about the mechanics of authority, not the comfort of a job description. Here are four counter-intuitive truths that separate high-performing IT Service Management Systems (ITSMS) from those destined for a Major Nonconformity.

1. Compliance is a Translation Layer, Not a Document

Many organizations treat ISO 20000-1 as a filing exercise. They believe that having a signed policy satisfies the auditor. They are wrong. Clause 5.3 is the "translation layer" that converts the high-level leadership commitment of Clause 5.1 and the strategic policy of Clause 5.2 into operational reality.

Top Management "buy-in" is professionally useless if it isn't operationalized. Without the explicit assignment and communication of roles, your policies are nothing more than expensive wallpaper. Clause 5.3 demands that roles are not just named, but that individuals understand their specific power and its limits. If your staff cannot articulate their authority, your governance layer does not exist.

Audit Rule: "Who is accountable when an IT service or process fails—and do they have the authority to act?"

If you cannot answer that question instantly with a single name, you have a systemic failure.

2. Stop Confusing Service Owners with Process Owners

A primary driver of "ambiguous ownership" and subsequent audit nonconformity is the failure to distinguish between service and process ownership. From an audit perspective, every single in-scope service and every required ITSM process must have a named owner. Omissions here are not minor oversights; they are direct nonconformities.

Mixing these roles causes "ownership drift," where everyone is responsible for everything, but no one is accountable for the actual results.

3. The "Single Accountable" Rule in RACI

To satisfy Clause 5.3, organizations frequently deploy a RACI matrix (Responsible, Accountable, Consulted, Informed). However, the effectiveness of this tool is often sabotaged by a refusal to make hard choices.

The Audit Rule is absolute: Only one role can be Accountable for any given activity.

While you may have a dozen people "Responsible" for executing tasks, "Accountability" represents the ultimate ownership of the outcome. In my experience, "shared accountability" is the fastest way to earn a Red Flag during a governance audit. It is a polite way of saying no one is actually in charge. For an auditor, accountability must be explicit, not assumed. If your governance charts show multiple names sharing the "A," your decision-making hierarchy is broken, and your ITSMS is at risk.

4. Authority Trumps Job Titles

On paper, a job description might look impeccable. However, as an auditor, I look for Interview-Based Evidence and Observed Behavior rather than formal titles. A Major Nonconformity Indicator is when decision-making happens outside the defined governance structures, regardless of what the "official" chart says.

We don't just look for your documents; we look for hard evidence of leadership involvement. This includes:

During an audit, I will ask your operational staff: "What authority do you have to make changes?" and more importantly, "Can you give an example of a leadership decision?" If they cannot answer, your documentation is a fiction.

Lead Auditor Best Practice: "Focus on behavior, not job titles."

The Forward-Looking Conclusion

Vague accountability is not just a risk; it is a Major Nonconformity Indicator that invalidates your entire governance framework. When roles are undefined, decisions are delayed, improvement initiatives stall, and services inevitably degrade. Clause 5.3 is the high-impact requirement that ensures your organization has the structural integrity to survive a crisis.

If you want to know if you are truly compliant, don't look at your manuals. Ask yourself: If your most critical IT service went down right now, does the person accountable actually have the demonstrated authority to fix the root cause, or are they just holding a title?
