An IT Governance Program

June 2008

Upload: john-goodpasture

Post on 10-May-2015


DESCRIPTION

A program description of an IT governance methodology for large and small programs where COBIT or ITIL may not be in your plans. More at www.sqpegconsulting.com, Square Peg Consulting John Goodpasture, PMP

TRANSCRIPT

Page 1: An IT Governance program

An IT Governance Program

June 2008

Page 2: An IT Governance program

IT Governance – Definition, Purpose, and Scope

Governance Meaning and Intent

Definition

IT Governance is a management program executed by IT and business managers that:

– empowers those managers to action,

– endows their decision-making rights, and

– provides accountability for changes to IT systems and capabilities

Purpose

Governance is intended to maximize the business value of IT investments, and to minimize the risks to business performance from changes to IT systems and capabilities

Scope

The governance program provides a policy and management framework, a protocol for exercising decision rights, and an accountability regimen

Related Programs

SOx and ISMS governance are dotted-line to IT Governance.

Application

To whom governance applies:

– All managers and practitioners proposing, approving, or making changes to IT systems and capabilities

When governance applies:

– All lifecycle stages: requirements & design, implementation, maintenance, retirement

Page 3: An IT Governance program

IT Governance ‘community’

• The ‘community’ governed consists of the resources, systems, and capabilities assigned to the corporate enterprise, as well as those exclusively in the business units and subsidiaries

• The governance regimen recognizes that business units and subsidiary operations are likely to acquire and maintain capabilities that are not supported directly by IT

– Limited governance is ‘limited to’ utilization of enterprise assets, like computers, connectivity to the enterprise networks and systems, adherence to enterprise information security protocols, and adherence to vendor licensing and product distribution policies

Page 4: An IT Governance program

IT Governance – Policy

Policy component

Meaning and Intent

Charter

• IT Governance should be chartered and endorsed by the Chairman and CEO

• Policies should be jointly approved, as appropriate, with division chiefs and business unit managers

Framework

• Similar to ISMS, IT Governance should have a policy library of governing documents

• Dependencies with ISMS, SOx, and IT Policies should be identified and managed in a policy cross-reference

Deployment

• A communications and deployment plan should be developed and implemented

• Policies should be on-line available from the intranet

Compliance

• Compliance measurement and accountability should be actively managed

Page 5: An IT Governance program

IT Governance – Policy

Policy component

Meaning and Intent

Shared Assets

To maximize their business value, applications, systems, infrastructure, and data are to be shared among business units

– Stand-alone exceptions are allowable with approval

– Stand-alone renegades are to be actively discouraged

Governance for shared assets

The policy objectives are to drive outcomes that:

– Enable business efficiencies to address the marketplace and customer communities

– Mitigate performance and compliance risks,

– Reduce the cost of business unit interoperability and functional coordination,

– Provide for disaster recovery, ensure integrity, protect confidentiality, and

– Assure reliability and availability of business systems

Page 6: An IT Governance program

Management framework for governance

Management objectives

• Tie IT investment to business value and results

• Codify decision-making rights

• Manage risks that affect business performance and accountability

• Provide accountability of IT value-add

Management domains affecting governance

• Planning and Organization

– Align IT goals with business goals; develop actionable strategy

– Align project portfolio and resources with strategy

• Acquisition and Implementation

– Manage changes in IT systems and capabilities

– Manage projects, and risk to business performance

• Delivery and Support

– Manage post-project lifecycle for governance compliance

• Monitoring

– Dash-boards for on-going activity

– Scorecards for results

– Benchmarks for direction and industry alignment

Page 7: An IT Governance program

Management teams and team missions

• Executive team

– Provide approval & oversight of strategic projects

– Provide oversight of IT scorecard and benchmarks

• IT Business Council (aka Change Control Board)

– Implement a change approval process

– Mitigate risks reported on project dash-boards

– Report scorecard results

• IT Management Team

– Implement approved changes

– Project and work-package methods

– Provide Process Relationship Facilitators [aka Business-IT liaison]

    • Interpret IT policy & procedure at business unit level

• Architecture Guidance Group

– Recommend strategic technologies, standards, migrations and upgrades

• Capital approval committee

– Approve capital requests

– Apply financial measures: ROI, ROA, EVA

Page 8: An IT Governance program

Governance at three levels

• Governance is made applicable according to the impact and complexity of the initiatives

– Enterprise initiatives: measured by fit to strategic plan, governed by a Level 2 Business Case, and reported to the Executive Team on a project scorecard

– Technical or Functional fix initiatives: affecting specific interfaces, reports, performance, or functionality of systems or applications with approved capability, as reported on ASRs

– Process & Performance initiatives: affecting one or more business units, supported by a Level 1 business case, measured by fit to business unit scorecard, and reported to IT Business Council on a scorecard

[Figure labels: Enterprise – strategic goals; Technical or Functional – measured inputs, outputs, and function; Process & Performance – business unit scorecard]

Page 9: An IT Governance program

Decision Rights for IT governance

• Policy: Decisions are made at the lowest level unless the rights are specifically enumerated at a designated management level

– Decided at the Strategic Impact level:

    • Changed or new functionality, interoperability with 3rd parties, or infrastructure that will have a material impact on business operations

    • Require capital approvals over $X; exceed approved expense budgets by $X

– Decided at the Process or Performance level:

    • Cross-functional changes or changes which have cross-functional dependencies, otherwise not of strategic impact, and within planned budget limits, with expense budget exceeding $Y

– Decided at the Technical or Functional Fix level:

    • Fixes to otherwise approved function and infrastructure, or new, with expense budget <$Y

    • Infrastructure changes and upgrades not of strategic impact, and within planned budget limits

Page 10: An IT Governance program

Decision making Process for change approval

• Strategic Impact decisions require:

– Level 1 & 2 Business Case & Project Plan with Scorecard of end-state business value

    • Strategic impact project could emerge from an ASR

– Executive sponsor who accepts the benefits responsibility

Page 11: An IT Governance program

Decision making Process for change approval

• Process & Performance decisions require:

– Level 1 & 2 Business Case & Project Plan with Scorecard of end-state business value

    • Likely begins with a problem report

– Business sign-off in lieu of Executive sponsor

Page 12: An IT Governance program

Decision making Process for change approval

• Technical or Functional Fix decisions require a Level 2 project plan supported by a business case

Page 13: An IT Governance program

Principles that guide IT decision-making

• Management principles to be embodied in decision-making

• Efficiency: most productive and economical use of resources.

– Throughput, cost, schedule, cost of quality

• Effectiveness: doing the right thing the right way

– Achievements, quality fit, mission accomplishment

• Confidentiality: protection of sensitive information from unauthorized disclosure.

• Integrity: accuracy, validity, and completeness of information

• Availability: information being present and accessible, and safeguarding necessary resources and associated capabilities.

• Compliance: meeting the requirements of laws, regulations and contractual arrangements

• Reliability: dependable integrity

Page 14: An IT Governance program

Governance Measurements

• Input – An input measure evaluates what resources or activities are required to achieve an objective, such as the number of employees certified to implement a system.

• Output – An output measure describes the level of work or services provided to achieve an objective, such as number of help desk responses, or number of reports created.

• Outcome – Outcome measures describe the actual results of a system or program. These generally relate to the intended purpose of the system or program, such as “to improve organizational effectiveness.” Outcome measures can often summarize the results of many actions into one defining statement. Of course, outcome measures may be harder to define if they draw from a number of different sources of assessment (i.e. system performance and customer satisfaction).

• Lag measures – These are measures that typically measure accomplishments after completion. A lag measure is characterized by terminology such as project completed on a specific date, customer satisfaction is 4.5 on a scale of 5 in a survey.

• Lead measures – These are performance drivers that typically measure progress toward outcomes. A lead measure might be the level of traffic on the supply status web site. Increased usage might indicate that customers and dealers are using the system regularly and might foreshadow improved visibility of supply status.

Page 15: An IT Governance program

Policy Library

• Adapt a policy library from proven industry models

– Coordinate with ISMS and IT policies libraries

• Three prominent industry models on governance in IS systems

– CoBIT: “Control Objectives for Information and related Technology”

    • Published by IT Governance Institute at www.isaca.org

    • Model has 5 focus areas and 34 IT processes

– COSO: Committee of Sponsoring Organizations of the Treadway Commission

    • Preferred model for SOx compliance – Securities and Exchange Commission endorsed

    • Main focus is on financial controls with IT as a tool

– ITIL: The Information Technology Infrastructure Library (ITIL)

    • Sponsored by government of the United Kingdom; runs a close second to CoBIT in the United States.

    • It offers eight sets of management procedures in eight books: service delivery, service support, service management, ICT infrastructure management, software asset management, business perspective, security management and application management.

Page 16: An IT Governance program

Appendix: to-do list

Page 17: An IT Governance program

Appendix: ITIL framework

• Background on the ITIL Framework

Developed in the 1980s by the United Kingdom's Central Computer and Telecommunications Agency (CCTA) after realizing a lack of a methodical approach to the IT infrastructure, ITIL has since permeated Europe's business and service sector. The CCTA, now called the OGC (Office of Government Commerce), continues to work with ITIL by continuously enhancing it as well as creating new programs.

• ITIL V3 is not a standard, but it is supported by a standard (ISO 20000) and a certification scheme from the International Standards Organization (ISO).

Recently, however, global companies have begun importing the useful framework into their businesses in the U.S. and have been pleased with the results and feedback. The ITIL framework, generally referred to as a set of best practices for managing information technology services, ensures that companies have a system for meeting or anticipating a customer's needs. The most recent revision of the methodology, ITIL V3, was released in June 2007 and has steadily grown in popularity with U.S. companies.

The Usefulness of the ITIL Cycle

The ITIL V3 cycle, fed by Business Value, consists of Service Strategy, which spurs Service Operation, Service Design, and Service Transition. Encompassing the cycle is the Continual Service Improvement element. Many U.S. businesses working with the ITIL framework now understand the usefulness of the framework and how it can help manage business solutions and keep track of customer service.

Service Strategy, sometimes referred to as the hub of ITIL V3, is used to establish a plan for providing customer service. From this point, three sets of processes work to turn these plans into action. Service Design develops and creates services to bolster the plan, and includes purchasing appropriate software or systems and tailoring them to the company's specific needs. When this new system of software is ready to use, Service Transition ensures that it is implemented correctly by performing control checks or tests. Service Operation processes requests from a company's customer base and addresses failures in the system. The largest part of ITIL is Continual Service Improvement, which is the process that constantly monitors and regulates services in addition to making improvements if needed.

• Extracted from: ITIL V3 Arrives, Alan Koch, [email protected]