Mid-sized companies usually start talking about IT governance after something expensive happens.
A system goes down. A project slips. A vendor overpromises. The board asks where the money went, and nobody gives a straight answer.
I do not think of governance as paperwork.
I think of it as a business decision system.
Who decides?
Based on what facts?
What risk is acceptable?
What gets funded?
What gets delayed?
Who owns the outcome?
The cost of weak discipline is real. ITIC found that each hour of downtime costs over $300,000 for over 90% of mid-size and large enterprises. You do not need many bad hours before the conversation gets serious.
For years, the split between “the business” and “IT” has annoyed me. My paycheck always had the same company name as everyone else’s. Technology spend is business spend. The governance model needs to reflect that.
Why Governance Matters More Now

Technology is more expensive. The number of vendors keeps growing. Security risk never goes away. AI is making promises faster than most companies can evaluate them.
In a mid-sized organization, all of that lands on a relatively small leadership team. Usually, that team does not have a deep internal CIO bench.
The data lines up with what I see. An ISACA study found that more than 90% of senior business leaders associate strong technology governance with better business outcomes, while 69% said they still needed a clearer link between business objectives and IT goals.
That gap matters.
If the leadership team cannot explain why a project exists, who owns it, and what line of the P&L should improve, then the company is reacting to technology. It is not governing it.
This is even more important in the mid-market because many of these businesses are privately held. Owners have skin in the game. They feel every dollar of waste, every delay, and every bad decision.
Deloitte reported that 78% of CIOs saw alignment to business strategy as essential to success. I agree. If the technical architecture is in conflict with the value chain, the business pays for it. Always.
Start with Financials First

When I walk into a company, I start with one question.
How do you actually make money?
That question cuts through a lot of noise. It forces the conversation away from tools and back to the business model.
At Narrative Group, we look at how money is spent on IT, how capital is deployed, and how technology is supporting the business.
Then we split the picture in two.
First, we look at the primary value chain. How does the company create value? Where are the delays? Where is productivity weak? Where are costs higher than they should be?
Second, we look at the supporting functions: finance, HR, reporting, service, compliance, and technology itself. These functions shape the cost structure of the whole company, so they need just as much discipline.
Then I want to map the flows. Who is talking to whom? How often? Under what business rules? Draw it out. A picture is worth a thousand words.
I also like site visits. A lot.
Show me the day in the life. Walk me through the store, the plant, the office, the branch. When you do that, you see visual clutter, workarounds, physical bottlenecks, and undocumented processes breaking down.
That is where governance stops being theory and starts becoming useful.
What governance should actually decide
Separate the foundation from the value layer

I often tell leaders that IT is effectively two departments.
One runs the boring foundational functions. The other should help the business grow.
The first layer covers infrastructure, networks, devices, cybersecurity, uptime, and collaboration tools. These are commodity capabilities. They still matter a great deal. If people cannot connect to the network, if meeting rooms barely work, or if laptops are unstable, every strategic discussion gets dragged back into basic service failure.
We see this all the time at Narrative Group. In one client situation, employees were moving between six offices and could not reliably connect to the network. The meeting rooms barely worked. We assessed the environment, replaced core network gear, refreshed outdated servers, and put devices onto a lifecycle plan. The landscape became more stable. That created credibility. Then the wider business process conversation could move forward.
I saw the same principle at scale in corporate. At Loblaw, standardizing infrastructure and introducing infrastructure-as-software principles cut provisioning from six weeks to one day. That is what boring foundational governance can do when it is done well.
The second layer is where technology should drive value: workflow, data, automation, analytics, and customer experience. This is where technology should amplify people and improve the economics of the business.
These two layers need different governance.
Foundational work needs standardization, service discipline, and cost control. Value-driving work needs prioritization, pilots, executive ownership, and measurable outcomes.
Decide where you are truly different

Most mid-sized organizations also need a harder conversation:
Where are you actually different?
I use a simple lens. Some processes create a competitive advantage. Some only need to be at the point of parity with the market. Some are commodities.
You should govern them differently because they create different kinds of value.
Leaders often overestimate how unique their internal processes are. In retail, for example, core functions like master data management and e-commerce processes are basically the same from one retailer to another. Treating every process as special usually creates expensive customization and long-term complexity.
That is why I push hard for vanilla software in commodity areas. Standard software brings built-in security, scale, robustness, and performance. It also forces leaders to specifically and ruthlessly figure out where they are different.
In most businesses, what makes the company unique is the people, not the technology. So take the pieces that do not represent competitive advantage and treat them like commodities. In many cases, that means outsourcing foundational support so internal technology talent can focus on the things that actually drive enterprise value.
Be careful with false savings. I have seen companies cut license costs and shift the expense into manual labor. The software budget looks better for a quarter or two, but the business slows down. Innovation slows down. The culture gets stuck.
One company used an old tool called Mail Manager to save emails into SharePoint so it could avoid Microsoft license costs. Later, when it was time to deal with Windows 11, that shortcut complicated the upgrade path. Cheap decisions have a habit of coming back around.
The same goes for low-cost custom software. If students, temporary contractors, or short-term developers build critical tools because they seem inexpensive, you may be planting a ticking time bomb. It works until the company grows. Then the hidden risk shows up.
The Three Models I See Work
Mid-sized companies do not need a committee for every noun in the organization.
They do need a model that fits the business.
Centralized executive governance

For a company with one core business model and a limited internal IT bench, centralized executive governance is usually the right place to start.
Keep the forum small:
- CEO or COO
- CFO
- the business executive who owns the outcome
- a technology leader, whether internal or fractional
That is enough.
This model works because it forces one queue, one investment logic, and one accountability path. Every initiative should have a sponsor with skin in the game, a clear owner, and a defined financial or risk outcome. If that is missing, the project is not ready.
This is also where many mid-sized organizations benefit from outside leadership. At Narrative Group, we often step in as a fractional CIO, CTO, or even as the effective IT department for a smaller mid-sized business. The goal is not to add ceremony. The goal is to add decision quality.
When I helped introduce an IT strategy, a roadmap, and governance at Loblaw, it aligned more than $300 million in capital spend to the enterprise strategy. That was governance with teeth: clear priorities, clear ownership, and a clear link to the business.
One more point here: if your Head of IT spends every day firefighting, they will miss the meetings where the real money decisions get made. Tactical heroics feel helpful in the moment. They usually make spending worse over time.
Portfolio governance
As companies grow, one big queue stops working.
This is where portfolio governance helps.
Once we do the discovery work, the chaos usually organizes into three, four, or five themes. Maybe operational productivity. Maybe customer growth. Maybe platform stability. Maybe data quality. Maybe compliance and risk.
Once the work is grouped that way, leaders can manage it as a set of programs instead of a pile of unrelated requests.
I used this kind of model at Shoppers Drug Mart. Project Symphony moved the organization to a portfolio-based matrix structure, with specialized resources embedded into each portfolio. Productivity improved 40% year over year, measured against total invested capital. The improvement came from clearer decision-making and better structure.
Portfolio governance also helps you balance quick wins with longer-range value. You want some low-hanging fruit because it builds momentum and credibility. You also need larger initiatives that move the business model forward. Governance should make room for both.
It also gives you a way to phase decisions. In one current advisory engagement involving a payment platform with PCI, GDPR, and PIPEDA issues, the payment platform is not the first area of scope to address. A higher-priority scope comes first. Then the payment work comes back into sequence.
Good governance lets you phase the work without losing control of the risk.
Federated governance

If your business is multi-site, acquisition-heavy, or operationally diverse, you need some federated governance.
The center should hold the guardrails. Local teams should shape execution where the business model truly differs.
The center should govern cybersecurity, core architecture, enterprise data, major vendor standards, and the rules for investment. Local leaders should have room to adjust workflows where geography, service model, or customer delivery actually changes the operating reality.
You can see this clearly in retail fulfillment. If you are shipping from a distribution center, the model is one thing. If you are picking from stores for click-and-collect or direct delivery, the model is different. Inventory has to be visible by location. The website has to talk to the right material management system. If you have not mapped those flows, you are guessing.
Federated governance also matters when business users want to build their own automations. I am open to citizen developer models. They just need guardrails. Business users need training. They need to build as an extension of IT. And if the process starts with unstructured email, fix that first. Do not build a fragile automation chain on top of a bad input.
Execution is where governance proves itself
Make risk, testing, and reporting visible

Whatever model you choose, four things have to stay tight:
- money
- ownership
- risk
- follow-through
Start with money. If a project cannot be tied to revenue, margin, productivity, risk reduction, or working capacity, it should not move forward. I want to know what line on the P&L should change.
A lot of leaders are surprised by how technology value shows up. Sometimes the win is not cutting jobs. Sometimes the win is slowing the rate of hiring because employees can do more. That is still a positive shift in the P&L. It creates room to grow without piling on labor.
I measure productivity with the client’s own metrics. If a task takes 20 hours today and five hours tomorrow, that is real. If you run a fixed-price business and use less labor to deliver the same work, the margin improvement is real. In one transformation we delivered, moving to a predictable evergreen model reduced IT spend from 3.5% of revenue to 2% while improving reliability and future readiness.
At Narrative Group, we track IT spend against revenue and expenses, the ratio of IT labor to non-labor cost, and overall service levels. What gets measured gets managed. Leaders need to see the contribution technology is making year over year.
Risk also needs a permanent seat at the table. In the ISACA research, only 21% were briefed on technology risk at every leadership meeting, and only about 33% assessed technology-related risks monthly or more often. The same study found that only 55% believed leadership was doing everything possible to safeguard digital assets. That is too loose for the current environment.
The board does not need a tour of tools. It needs a short, readable view of spend, uptime, cyber exposure, delivery status, and value realized. If the reporting is full of jargon, leadership confidence drops.
Earn trust on the front line
Execution is also where consultants get exposed.
The biggest lie people sell is that a major rollout will be flawless. It will not. Large-scale change always comes with some pain. Good governance reduces the pain and controls the risk.
I was involved in a large-scale loyalty rollout that had to be delayed by three to four months because the performance testing at scale was not where it needed to be. In a lab, a solution can look fine. In the real world, with millions of users hitting the same endpoint, the truth shows up quickly. The delay was frustrating. It was still the right decision.
Self-checkout is another clean example. The business case sounds simple. You use less space and reduce labor pressure. When the rubber hits the road, the real issue is interventions. If scans fail, pricing data is wrong, or the user experience is clumsy, staff gets pulled back in to rescue the process.
At Shoppers Drug Mart, the self-checkout experience was simple and user-friendly, and that allowed the pilot to scale to hundreds of stores. At Loblaw, the intervention rate was so high that the front end had to be rewritten.
Same broad idea. Very different execution.
Governance should catch those differences before the business scales the investment.
People matter just as much as testing. Store managers, supervisors, and service leaders often see the problems first. Listen to them. Ask what they are experiencing. Ask where the process breaks. Ask what the technology is doing to their day.
When people take the risk of showing you the problem, you have to follow through.
Talk is cheap. Actions speak volumes.
Sometimes the lesson has to be sharper. I have coached an overwhelmed IT leader to let an unmanaged production change fail so the business would finally adopt proper change control and risk discipline. Pain gets attention. Leaders need enough information to make decisions, and then they need to own those decisions.
AI Needs Tighter Governance, Not Looser
Anything related to AI can quickly become an operational mess if leaders chase the hype.
I am optimistic about AI in long-running workflows, data quality, master data management, and decision support. I am cautious about using it as a shortcut for discipline.
AI is a very good liar. It does not know what it does not know.
You cannot just codify broken business processes and expect a good result. Start with the boring foundational functions. Document the process. Clean up the business rules. Clean up the data. Then test where AI can remove tedious work.
We are doing projects where that approach is working. In one case, automation reduced an e-commerce product setup cycle from one person taking three weeks down to four hours. That is real productivity. It creates capacity and lets people move into higher-value work.
Governance around AI also has to include human oversight, security, and training. Any gap in those areas becomes more dangerous once AI is in the loop.
Where I Would Start
Some leaders ask whether they need a formal framework such as COBIT.
Frameworks can help. They give you vocabulary and structure. They do not remove the need for judgment.
ISACA reported that 28% of organizations had adopted COBIT, while roughly 20% used no formal governance framework at all. A lot of companies are still improvising. The acronym alone will not solve the problem. You still need a way to make decisions, assign ownership, and measure outcomes.
For most mid-sized organizations, my advice is simple:
- start more centralized than you think
- standardize more than you want to
- stay current
- avoid leading-edge and bleeding-edge temptation
- add portfolio discipline as complexity grows
- federate only where the business model truly requires local variation
I founded Narrative Group because I wanted to make top-tier enterprise advice accessible to mid-sized companies. They deserve the same quality of thinking that large enterprises get, without the drag and without people talking in ambiguity.
If you want a final test, ask the leadership team one question:
How do you actually make money?
Then follow the money, map the value chain, and govern technology around that reality.
Innovation is making the operation of a business model elegant. Good governance is how you create the conditions for that elegance.
Frequently Asked Questions
How often should the executive board review technology and cyber risks?
At minimum, monthly. Many boards treat technology risk as an annual audit exercise. Waiting a whole quarter to review cyber exposure leaves your P&L unprotected. Risk needs a permanent, recurring seat at the executive table.
Should a governance framework prioritize external hacks or internal security threats?
Govern both equally. While external breaches make headlines, internal gaps are equally dangerous. Strong governance standardizes external firewalls and internal data discipline.
Do mid-market companies need a full-time CIO to enforce IT governance?
Not always. What they do need is executive ownership, clear decision rights, and enough leadership capacity to connect technology choices to business outcomes.
How can a governance model control vendor sprawl and rising software costs?
By forcing a single investment logic. Every new tool or vendor should have a clear business case, ownership, and measurable value before it is approved.
What IT metrics should CFOs demand at leadership meetings?
Focus on the metrics that connect technology to business performance: spend against revenue and operating expense, labor versus non-labor mix, uptime, downtime, delivery performance, and key risk indicators.