04/05/2026
Between Control and Direction:
Reflections from Our First Online Class
A graduate student's honest account of navigating IS governance, strategy, and the unexpected questions that stayed with me long after the session ended.
"Are we doing things right — or are we doing the right things?" That single distinction, introduced in our very first session, quietly reframed everything I thought I knew about how organizations manage technology.
A first session that asked harder questions than I expected
I came into our first online class with a fairly straightforward assumption: that IS policy, governance, and strategy were roughly the same thing wearing different labels. Policy was the rulebook, governance was the enforcement mechanism, and strategy was the long-term plan. They overlapped so much in my mind that the distinction felt almost academic — the kind of taxonomic hairsplitting that academics love and practitioners ignore.
That assumption did not survive the first hour.
What struck me most about the session was not a single lecture point or framework — it was the way the discussion kept pulling me back to a tension I had never consciously named before: the tension between control and direction. Governance, we learned, is fundamentally about control. It asks whether the institution is doing things correctly, whether it is compliant, accountable, and aligned. Strategy, by contrast, is about direction. It asks whether the institution is pursuing the right goals in the first place. These are not the same question, and confusing them — as I had been doing — leads to a very distorted picture of how organizations actually make decisions about technology.
That clarity felt like a genuine revelation, and it set the tone for everything that followed.
Conceptual Encounter
Frameworks that finally made sense in context
I had encountered COBIT, ISO/IEC 38500, and TOGAF before — in passing, in other readings, in the kind of surface-level way where you recognize an acronym without really understanding what it does. The first session changed that relationship. For the first time, I saw these frameworks not as checklists or compliance tools but as conceptual architectures that reflect how serious organizations think about the relationship between IT and institutional purpose.
COBIT's distinction between governance and management landed particularly hard. The idea that governance operates at the level of evaluating, directing, and monitoring — rather than executing — was clarifying in a way I did not anticipate. It explained why governance decisions belong at the board level, not the IT department level. It explained why "governance failure" and "management failure" are genuinely different diagnoses requiring different remedies. And it helped me understand why, in so many Philippine institutions, governance concerns get conflated with operational concerns — because the structural distinction between the two has never been clearly drawn.
ISO/IEC 38500 added another layer. The fact that strategy appears as one of its core governance principles — not as a separate concern but as something governance is supposed to actively shape and guide — complicated my initial clean separation of the two concepts in a productive way. It suggested that the relationship between governance and strategy is not merely sequential (governance enables strategy) but bidirectional and ongoing. They continuously inform each other, and effective institutions know how to manage that conversation deliberately.
"Governance provides the structure within which strategy is developed — but strategy, in turn, reveals whether governance structures are still fit for purpose."
TOGAF, perhaps predictably, pushed back against the separation most forcefully. Its whole architecture is built around integration — showing how strategic objectives get translated into IT systems, and how governance mechanisms ensure consistency throughout that translation process. It does not treat governance and strategy as distinct domains to be studied separately and then assembled. It treats them as aspects of a single coherent activity: building an enterprise that actually works.
The Curriculum Question
Should these subjects be taught together or apart?
One of the most genuinely interesting discussions from the session — and one I am still thinking about — was the question of whether IS Policy and Governance and IS Policy and Strategy should be taught as separate courses or integrated into one. It sounds like a curriculum logistics question, but it is actually a question about how knowledge works and how it transfers to practice.
The case for separation is real. These are dense, complex domains. COBIT alone could occupy an entire semester if you took it seriously. Giving each subject its own dedicated space allows for depth, for proper engagement with the frameworks, for the kind of slow, careful understanding that graduate-level work demands. There is something to be said for being able to sit with governance as a concept without constantly having to triangulate it against strategic imperatives.
Key tension from the session
Separating the courses risks producing students who understand governance controls and strategic planning as isolated competencies — but struggle to exercise the integrative judgment that real IS decisions require. In practice, governance constraints shape what strategies are possible, and strategic goals reveal which governance structures need to change. Teaching these apart can inadvertently model a separation that does not exist in the organizations we will work in.
And yet, integration carries its own risks. Trying to do both deeply in a single course can easily result in doing neither well — a survey that touches everything but masters nothing. I have been in courses like that, and the experience is disorienting rather than illuminating.
My instinct, sharpened by the session, is that the answer depends less on the course structure than on the instructional design within it. Separation can work if both courses are deliberately coordinated — sharing case studies, building on each other's conceptual scaffolding, requiring students to synthesize across the boundary. Integration can work if it is organized around real-world decision scenarios rather than topic coverage. What cannot work, in either format, is treating these domains as genuinely independent when the evidence from every major framework says otherwise.
