alignment of enterprise governance and it governance prof. dr. wim van grembergen university of...
TRANSCRIPT
Alignment of Enterprise Governance and IT Governance
Prof. dr. Wim Van Grembergen
University of Antwerp (UFSIA)University of Leuven (KUL)
2
Agenda
Enterprise Governance
IT Governance
IT Governance Definition
IT Governance Mechanisms
IT Balanced Scorecard
COBIT
IT Balanced Scorecard and COBIT
Management Guidelines (COBIT)
Information Technology Infrastructure Library (ITIL)
Organizational Structures
Enterprise Governance through the Balanced Scorecard
3
Enterprise Governance
“Corporate Governance deals with the ways in whichsuppliers of finance assure themselves of getting areturn on their investment”
(Shleifer and Vishny, 1997)
How do suppliers of finance get managers to returnsome of the profits to them?
1.
2. How do suppliers of finance make sure that managersdo not steal the capital they supply invest in bad projects?
3. How do suppliers of finance control managers?
Concrete Corporate Governance questions:
4
IT Governance
IT Governance questions:
How does top management get their CIO and IT organization to return some business value them?1.
2. How does top management make sure that their CIOand IT organization do not steal the capital they supplyor invest in bad projects?
3. How does top management control their CIO andIT organization?
5
IT Governance Definition
Definition of IT Governance:
“The organized capacity to control the formulation and implementation of IT strategy and guide to proper direction for the purposeof achieving competitive advantages for the corporation”
(Ministry of International Trade and Industry, 1999)
2001 Prof. dr. W. Van Grembergen ã 5
6
IT Governance Mechanisms
Balanced Scorecard COBIT Management Guidelines (COBIT) Information Technology Infrastructure
Library (ITIL) Organisational Structures ...
7
Corporate Contribution
How does the managementview the IT department?
IT Balanced Scorecard
User Orientation
How do the users viewthe IT department?
Mission
To be the preferred supplierof IS and to exploit businessopportunities maximallythrough IT
Objectives
preferred supplier
partnership with users
user satisfaction
Mission
To obtain a reasonable business contribution of investments in IT
Objectives
control of IT expenses
business value of new IT projects
business value of the IT function
2001 Prof. dr. W. Van Grembergen ã 7
8
Future Orientation
Is IT positioned to meetfuture challenges
Operational Excellence
How effective are theIT processes?
IT Balanced Scorecard
Mission
Efficiently deliver IT productsand IT services
Objectives
efficient software development
efficient computer operations
efficient help desk function
Mission
Develop opportunities to answer future challenges
Objectives
permanent training and education of IT personnel
expertise of IT personnel
research into emerging information technology
age of application portfolio
2001 Prof. dr. W. Van Grembergen ã
9
COBIT
1. Planning &Organization
Domain
2. Acquisition &Implementation
Domain
3. Delivery &SupportDomain
4. MonitoringDomain
4 domains and 34 processes:
COBIT is a framework for Governance, Control and Auditfor Information and Related Technology developed by ISACA (Information Systems Audit and Control Association)
10
- Define a strategic IT plan
- Define the information architecture
- Determine the technological direction
- Define the IT organization and relationships
- Manage the IT investment
- Communicate management aims and direction
- Manage human resources
- Ensure compliance with external requirements
- Assess risks
- Manage projects
- Manage quality
COBIT
* 34 IT process
1. Planning & Organization Domain
PO1
PO2
PO3
PO4
PO5
PO6
PO7
PO8
PO9
PO10
PO11
ProcessDomain
2001 Prof. dr. W. Van Grembergen ã 10
11
- Identify solutions
- Acquire and maintain application software
- Acquire and maintain technology architecture
- Develop and maintain IT procedures
- Install and accredit systems
- Manage changes
COBIT
* 34 IT process
2. Acquisition & Implementation
A11
A12
A13
A14
A15
A16
ProcessDomain
2001 Prof. dr. W. Van Grembergen ã 11
12
- Define service levels- Manage third-party services- Manage performance and capacity- Ensure continuous service- Ensure systems security- Identify and attribute costs- Educate and train users- Assist and advise IT customers- Manage the configuration- Manage problems and incidents- Manage data- Manage facilities- Manage operations
COBIT
* 34 IT process
3. Delivery & Support
DS1DS2DS3DS4DS5DS6DS7DS8DS9DS10DS11DS12DS13
ProcessDomain
2001 Prof. dr. W. Van Grembergen ã 12
13
- Monitor the processes
- Assess internal control adequacy
- Obtain independent assurance
- Provide for independent audit
COBIT
* 34 IT process
4. Monitoring
M1
M2
M3
M4
ProcessDomain
2001 Prof. dr. W. Van Grembergen ã 13
14
IT Balanced Scorecard and COBIT
ITDevelopment
BSC
ITOperational
BSC
BusinessBSC
ITStrategic
BSC
Acquisition & Implementation
Delivery & Support
Planning &Organization
Monitoring
15
Management Guidelines (COBIT)
For each of the 34 IT Processes:
Critical Success Factors Key Goal Indicators
(outcome measures) Key Performance Indicators
(performance drivers) Maturity Model
16
Management Guidelines (COBIT)
Critical Success Factors (1)
The planning process provides for a prioritisation scheme for the business objectives and quantifies, where possible, the business requirements
Management buy-in and support is enabled by a documented methodology for the IT strategy development, the support of validated data and a structured, transparent decision-making process
The IT strategic plan clearly states a risk position, such as leading edge or road-tested, innovator or follower, and the required balance between time-to-market, cost of ownership and service quality
Define a Strategic Information Technology Plan
17
Management Guidelines (COBIT)
Critical Success Factors (2)
All assumptions of the strategic plan have been challenged and tested
The processes, services and functions needed for the outcome are defined, but are flexible and changeable, with a transparent change control process
A reality check of the strategy by a third party has been conducted to increase objectivity and is repeated at appropriate times
IT strategic planning is translated into roadmaps and migration strategies
Define a Strategic Information Technology Plan
18
Management Guidelines (COBIT)
Key Goal Indicators
Percent of IT and business strategic plans that are aligned and cascaded into long- and short-range plans leading to individual responsibilities
Percent of business units that have clear, understood and current IT capabilities
Management survey determines clear link between responsibilities and the business and IT strategic goals
Percent of business units using strategic technology covered in the IT strategic plan
Percent of IT budget championed by business owners Acceptable and reasonable number of outstanding IT
projects
Define a Strategic Information Technology Plan
19
Management Guidelines (COBIT)
Key Performance Indicators Currency of IT capabilities assessment (number of
months since last update) Age of IT strategic plan (number of months since last
update) Percent of participant satisfaction with the IT strategic
planning process Time lag between change in the IT strategic plans and
changes to operating plans Index of participants involved in strategic IT plan
development, based on size of effort, ratio of involvement of business owners to IT staff and number of key participants
Index of quality of the plan, including timelines of development effort, adherence to structured approach and completeness of plan
Define a Strategic Information Technology Plan
20
Management Guidelines (COBIT)
0 Non-existentIT strategic planning is not performed. There is no management
awareness that IT strategic planning is needed to support business goals.
1 Initial / Ad hocThe need for IT strategic planning is known by IT management,
but there is no structured decision process in place. IT strategic planning is performed on an as needed basis in response to a specific business requirement and results are therefore sporadic and inconsistent. IT strategic planning is occasionally discussed at IT management meetings, but not at business management meetings. The alignment of business requirements, applications and technology takes place reactively, driven by vendor offerings, rather than by an organisation-wide strategy. The strategic risk position is identified informally on a project-by-project basis.
Maturity Model
21
Management Guidelines (COBIT)
2 Repeatable but IntuitiveIT strategic planning is understood by IT management, but is not
documented. IT strategic planning is performed by IT management, but only shared with business management on an as needed basis. Updating of the IT strategic plan occurs only in response to requests by management and there is no proactive process for identifying those IT and business developments that require updates to the plan. Strategic decisions are driven on a project-by-project basis, without consistency with an overall organisation strategy. The risks and user benefits of major strategic decisions are being recognised, but their definition is intuitive.
Maturity Model
22
Management Guidelines (COBIT)
3 Defined ProcessA policy defines when and how to perform IT strategic planning. IT
strategic planning follows a structured approach, which is documented and known to all staff. The IT planning process is reasonably sound and ensures that appropriate planning is likely to be performed. However, discretion is given to individual managers with respect to implementation of the process and there are no procedures to examine the process on a regular basis. The overall IT strategy includes a consistent definition of risks that the organisation is willing to take as an innovator or follower. The IT financial, technical and human resources strategies increasingly drive the acquisition of new products and technologies.
Maturity Model
23
Management Guidelines (COBIT)
4 Managed and MeasurableIT strategic planning is standard practice and exceptions would be
noticed by management. IT strategic planning is a defined management function with senior level responsibilities. With respect to the IT strategic planning process, management is able to monitor it, make informed decisions based on it and measure its effectiveness. Both short-range and long-range IT planning occurs and is cascaded down into the organisation, with updates done as needed. The IT strategy and organisation-wide strategy are increasingly becoming more co-ordinated by addressing business processes and value-added capabilities through business process re-engineering. There is a well-defined process for balancing the internal and external resources required in system development and operations. Benchmarking against industry norms and competitors is becoming increasingly formalised.
Maturity Model
24
Management Guidelines (COBIT)
5 OptimisedIT strategic planning is a documented, living process, is
continuously considered in business goal setting and results in discernible business value through investments in IT. Risk and value added considerations are continuously updated in the IT strategic planning process. There is an IT strategic planning function that is integral to the business planning function. Realistic long-range IT plans are developed and constantly being updated to reflect changing technology and business-related developments. Shore-range IT plans contain project task milestones and deliverables, which are continuously monitored and updated, as changes occur. Benchmarking against well-understood and reliable industry norms is a well-defined process and is integrated with the strategy formulating process. The IT organisation identifies and leverages new technology developments to drive the creation of new business capabilities and improve the competitive advantage of the organisation.
Maturity Model
25
Information Technology Infrastructure Library (ITIL)
Comprehensive description of the processes involved in management IT infrastructures
(e.g. DRP, Helpdesk) = Best practices Has become a de facto IT standard in
Europe
26
Organisational structures
IT steering committees Business/IT alignment processes Implementation processes ...
27
Financialperspective
* increase net income
Customer perspective
* individual relationships* new distribution channels
Internalperspective
* customer relationship management* electronic distribution channels and call centers
Innovationperspective
* teach employees to use the new approaches
Enterprise Governance through the Balanced Scorecard
* Bank example of cascade of scorecards
Business Balanced Scorecard
2001 Prof. dr. W. Van Grembergen ã 27
28
Enterprise Governance through the Balanced Scorecard
* Bank example of cascade of scorecards
IT Strategic Balanced Scorecard
Corporatecontribution
* higher business value
Userperspective
* internal users* external users (consumers and business)
Internalperspective
* business intelligence technology* website technology
Innovationperspective
* teach IT professionals and business users to use the new approaches* research into emerging technologies
2001 Prof. dr. W. Van Grembergen ã 28
29
* Bank example of cascade of scorecards
IT Development Balanced Scorecard
Enterprise Governance through the Balanced Scorecard
Corporateperspective
* new, better and faster development processes* development with new technologies
User perspective
* user interfaces for external users
Operationalexcellence
* rapid development* website development* data warehouse development* data mining development
FutureOrientation
* training and education of IT staff in emerging technologies
2001 Prof. dr. W. Van Grembergen ã 29