Practical Information Technology Governance: Creating an Environment for Business Driven Effective IT Management, Decision Making and Operations. Alan McSweeney.

Posted on 17-Oct-2014


Page 1: Whitepaper   Practical Information Technology Governance

Practical Information Technology Governance

Creating an Environment for Business Driven Effective IT Management, Decision Making and Operations

Alan McSweeney


Contents

IT Governance as a Means to an End (page 3)
Benefits of IT Governance (page 3)
IT Governance Drivers and Principles (page 5)
IT Governance and Best Practice Standards (page 6)
IT Governance Architecture Framework (page 6)
Implementing Effective IT Governance (page 7)
IT Governance with COBIT (page 8)
    COBIT Domain and Process Structure (page 8)
    COBIT Information Measurement Criteria (page 9)
    COBIT Process Goals and Metrics (page 9)
Implementing IT Governance (page 11)
Lessons Learned From Implementing IT Governance (page 11)

63% of organisations feel that IT is very important to the delivery of the overall organisation strategy. Yet only 33% of general management within organisations see the alignment between business and IT as being very good. The need to bridge this disconnect between business and IT is one of the fundamental reasons for IT Governance. IT Governance creates a framework where IT management can be performed effectively and IT-related decision making focuses on the effective and efficient running of IT operations and services. Underlying the idea of IT Governance is the concept of IT and business alignment. Implementing IT Governance is good for both the organisation and for IT. It ensures that IT delivers value and that the value of IT is understood. Appropriate IT Governance can yield real business benefits. IT Governance imposes a standard that ensures IT is aligned to business strategy and objectives. COBIT provides a ready-made flexible IT Governance framework that can subsume other more detailed and specific best-practice frameworks. Implementing IT Governance is similar to any other IT or business project and should be approached and managed in the same way. Some “quick wins” from IT Governance can be achieved by implementing the following:

• Ensure that IT project priorities are based on business priorities

• Audit existing IT processes and modify them to ensure they are effective

• Ensure that IT projects are led by the business and strongly supported by IT

• Develop an IT scorecard designed for a business audience that includes details on how IT creates and delivers business value

• Implement a standard process for determining the business value (both financial and non-financial) and risk of IT-enabled business investments

• Create an IT Strategy Committee with business involvement


IT Governance as a Means to an End

IT Governance creates a framework where IT management can be performed effectively and IT-related decision making focuses on the effective and efficient running of IT operations and services. IT Governance can be seen as one more non-value-adding overhead that is part of the ever-increasing compliance overhead imposed on organisations. There can be a real reluctance to consider IT Governance programmes because of the “compliance fatigue” associated with the many compliance requirements that have arisen in the past years. However, the adoption of appropriate and relevant IT Governance will yield real business benefits. Appropriate is the key word here: there are no prizes for excessive controls. Information Technology is investment-intensive. Change is both common and frequent. The speed with which an organisation correctly adopts innovation and deployment is critical in developing and maintaining competitive advantage. The core function of IT is to serve the business. Alignment of IT with organisational goals and objectives and the management of IT to serve and support the business in its pursuit of success all require clear governance. Conversely, this also needs a business that is engaged with IT.

In making a decision to implement an IT Governance framework, it is important to be practical and realistic. Appropriate governance is what is required: governance for a reason rather than for its own sake.

Benefits of IT Governance

Underlying the idea of IT Governance is the concept of IT and business alignment. The linkage of IT with business objectives remains a key issue for IT management. The implementation of IT Governance is designed to deliver real benefits:

• Better IT to business alignment built on a business focus

• Improved maintenance and operations planning

• Establishment of data and information standards

• Management view of what IT does and increased visibility of IT spending

• Clear ownership and responsibilities, based on process orientation

• General acceptability with third parties and regulators

• Shared understanding amongst all stakeholders based on a common language

• Fulfilment of the governance requirements for the IT control environment

• A comprehensive IT Governance model for managing all IT resources

IT Governance fits into an increasingly crowded landscape of corporate governance, regulation and compliance rules and standards.

[Chart: How would you rate your organisation’s maturity level on IT Governance? (Source: IT Governance Global Status Report 2008)]

[Chart: How would you describe the fit or alignment between your corporate governance practices and IT Governance practices? (Source: IT Governance Global Status Report 2008)]


However, there are tangible financial advantages to implementing IT Governance. Analyses and comparisons demonstrate that companies with effective IT Governance have profits that are 20% higher than similar companies without an IT Governance framework. IT Governance assists IT in meeting the expectations placed on it by the business by:

• Delivering quality IT solutions on time and on budget

• Employing and exploiting IT to deliver business value

• Leveraging IT to increase efficiency and productivity while managing IT risks

There are two aspects to IT controls:

1. IT must implement internal controls around how it operates

2. The systems IT provides to the business and the underlying business processes these systems implement must be controlled. These are controls external to IT.

IT is impacted by business requirements, as IT drives the business process and manages the information that such governance seeks to control. IT is at the core of most complex businesses. IT is required to manage itself more effectively and reliably in order to respond to these requirements. The twin drivers of increasing complexity and the need for greater cost controls will exert continuous pressure on IT operations and make using best-practice frameworks to implement governance solutions the only real answer available.

Appropriate IT Governance can yield real business benefits. IT Governance imposes a standard that ensures IT is aligned to business strategy and objectives.

[Chart: How would you describe the level of engagement by business management in the governance of IT-enabled business initiatives? (Source: IT Governance Global Status Report 2008)]

[Chart: How would you describe the fit or alignment between your IT strategy and your organisation’s overall business strategy? (Source: IT Governance Global Status Report 2008)]


IT Governance Drivers and Principles

63% of organisations feel that IT is very important to the delivery of the overall organisation strategy. Yet only 33% of general management within organisations see the alignment between business and IT as being very good. The need to bridge this disconnect between business and IT is one of the fundamental reasons for IT Governance. The drivers of IT Governance include:

• The search for competitive advantage through more effective use of information and IT

• The need to align technology projects with strategic organisational goals, ensuring they deliver planned value through greater project governance

• Operational risk management and the proliferation of threats (internal and external) to information and IT

• The governance requirements of various compliance obligations

• Increasing regulatory compliance and information and privacy legislation

IT Governance is important for all organisations. Those without an IT Governance strategy face risks; those with one perform better. In the current corporate governance environment, where the value and importance of information assets are sizeable, core governance principles must be extended to information and IT. These principles include establishing strategic aims, providing strategic leadership, overseeing and monitoring the performance of executive management and reporting to shareholders on their stewardship of the organisation. The IT function must be aligned to the larger organisation. A lack of openness within IT is simply not consistent with the expectation of pro-activity and governance transparency. IT Governance should be focussed on four key areas, divided into two groups:

Goals of IT Governance

1. IT Value Delivery: focus on optimising cost and the value of IT

2. Risk Management: focus on safeguarding IT assets, disaster recovery and continuity of operations

Means to Achieve IT Governance Goals

3. IT Strategic Alignment: focus on aligning IT with the business and collaborative solutions

4. Performance Measurement: focus on tracking project delivery and monitoring delivery of IT services

[Chart: How would you describe the fit or alignment between your corporate governance practices and IT Governance practices? (Source: IT Governance Global Status Report 2008)]

[Chart: How important do you consider IT to be to the successful delivery of the business strategy or vision? (Source: IT Governance Global Status Report 2008)]


IT Governance and Best Practice Standards

In translating IT Governance from theory to practice, there are a number of IT best practice frameworks and standards, such as Control Objectives for Information and related Technology (COBIT), ISO17799, the IT Infrastructure Library (ITIL) and the Capability Maturity Model (CMM), available to help IT functions improve their accountability, governance and management. COBIT is designed as a high-level umbrella framework and it works very well with lower-level frameworks like ITIL and ISO27002 which focus on specific aspects of IT Governance. Clearly the structure of IT Governance depends on the IT structure and focus of the organisation.

The business can obtain value from the implementation of appropriate best practice frameworks through the reduction of the number of ad-hoc processes. This brings discipline to IT activities and improves accountability.

IT Governance Architecture Framework

This framework depicts how strategy, governance structures and performance goals are synchronised. The “Whats” link overall strategy, governance structures and performance goals so they are aligned and drive an organisation to achieve its vision, or steer it in the strategic direction in which it is trying to move.

[Chart: How regularly does your IT department inform the business about potential business opportunities enabled by new technologies? (Source: IT Governance Global Status Report 2008)]

[Chart: To what extent does your IT department understand and support the business user needs? (Source: IT Governance Global Status Report 2008)]


The “Hows” translate the theory into practice:

• The organisation’s strategy defines the behaviours required.

• The organisation’s governance arrangements are implemented through its governance processes.

• The organisation’s performance goals are measured through appropriate metrics.

Implementing Effective IT Governance

Control Objectives for Information and related Technology (COBIT) has been referred to earlier in this paper. COBIT has become the de facto framework for the management of Information Technology standards and processes. COBIT aims to be different from other quality and governance approaches in two key ways:

1. It is an IT Governance framework and supporting set of tools that IT can use to bridge the gap between control requirements, technical issues and business risks

2. It provides a detailed implementation structure and toolset that translates the framework theory into practical and achievable deliverables

As with all governance standards and methodologies, implementation can be long and painful. Implementation of and adherence to these compliance standards can seem to represent wasted effort, as it does not add value to the business. COBIT removes at least some of the pain and reduces the execution time by going some way towards translating general principles to realisable specifics. Because COBIT has a detailed implementation framework, the project to implement it and the associated time and cost can be defined more exactly.

[Chart: How would you describe the fit or alignment between your IT strategy and your organisation’s overall business strategy? (Source: IT Governance Global Status Report 2008)]

[Chart: Rate the relative importance of IT-related problems based on impact and severity, frequency of occurrence, improvement or disimprovement and priority for resolution in the next 12 months. (Source: IT Governance Global Status Report 2008)]


The framework can be customised and simplified to suit the requirements of the organisation. In order to deliver and be seen to deliver quick wins from IT Governance, the following areas should be given attention:

• Ensure that IT project and service priorities are based on business priorities

• Audit existing IT processes and modify them to ensure they are effective

• Ensure that IT projects are led by the business and strongly supported by IT

• Develop an IT scorecard designed for a business audience that includes details on how IT creates and delivers business value

• Implement a standard process for determining the business value (both financial and non-financial) and risk of IT-enabled business investments

• Create an IT Strategy Committee with business involvement

COBIT has a broad coverage and a business focus. It seeks to ensure that IT delivers what the business needs. COBIT focuses on the “what” rather than on the “how”. It is a control and management framework, linking IT practices to business requirements. COBIT is based on the principle that to provide the information that the enterprise requires to achieve its objectives, the enterprise needs to manage and control IT resources using a structured set of processes to deliver the required information services. COBIT is integrated with other standards and thus can become an umbrella framework for IT Governance:

• It assists in understanding and managing the risks and benefits associated with IT

• The process structure of COBIT and its business-oriented approach provides an end-to-end view of IT

COBIT provides a ready-made flexible IT Governance framework that can subsume other more detailed and specific best-practice frameworks.

IT Governance with COBIT

COBIT Domain and Process Structure

The COBIT process model of four domains contains processes that manage the IT resources to deliver information to the business according to business and governance requirements. Each of the processes contains a set of objectives.

When implemented, the governance processes within the domains can be regarded as an engine to deliver information and fulfil objectives.

[Chart: On a scale from 1, not at all serious, to 3, very serious, rate the severity of problems experienced. (Source: IT Governance Global Status Report 2008)]

[Chart: Has the situation regarding these problems deteriorated, stayed the same or improved during the past 12 months? (Source: IT Governance Global Status Report 2008)]


The implementation of these COBIT processes within the toolset is divided into four parts:

1. High-level control objectives: a process summary identifying the business requirement being satisfied, focus, achievement and measurement principles

2. Detailed process-specific control objectives

3. Process inputs and outputs, responsibilities, goals and metrics

4. Process maturity model

Each of these processes consists of a number of specific control objectives. It is COBIT’s execution-oriented template approach and structure that makes it useful and implementable.

COBIT Information Measurement Criteria

COBIT defines criteria to measure how the information delivered by the processes meets business objectives.

Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner

Efficiency: concerned with the provision of the information through the optimal use of resources

Confidentiality: concerned with the protection of sensitive information from unauthorised disclosure

Integrity: relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations

Availability: relates to the information being available when required by the business process, now and in the future

Compliance: deals with complying with laws, regulations and contractual arrangements

Reliability: relates to the provision of appropriate information for the workforce of the organisation

COBIT Process Goals and Metrics

[Chart: Which of any of the following practices does your organisation’s current approach to IT Governance include? (Source: IT Governance Global Status Report 2008)]

[Chart: Have you implemented, are you in the process of implementing or are you considering implementing improved IT Governance practices? (Source: IT Governance Global Status Report 2008)]


Each process has three sets of goals, each measured by a corresponding set of metrics (delivery is measured by the metric):

Activity Goals: measured by Key Performance Indicators

Process Goals: measured by Process Key Goal Indicators

IT Goals: measured by IT Key Goal Indicators

In addition to the process-specific control objectives, COBIT includes a set of generic process controls that are applied to all processes:

PC1 Process Owner: assign an owner for each COBIT process such that responsibility is clear.

PC2 Repeatability: define each COBIT process such that it is repeatable.

PC3 Goals and Objectives: establish clear goals and objectives for each COBIT process for effective execution.

PC4 Roles and Responsibilities: define unambiguous roles, activities and responsibilities for each COBIT process for efficient execution.

PC5 Process Performance: measure the performance of each COBIT process against its goals.

PC6 Policy, Plans and Procedures: document, review, keep up to date, sign off on and communicate to all involved parties any policy, plan or procedure that drives a COBIT process.

COBIT includes a set of generic application control groups and detailed controls that are applied to all processes:

• Data Origination/Authorisation Controls

• Data Input Controls

• Data Processing Controls

• Data Output Controls

• Boundary Controls

Because COBIT has a detailed implementation framework, the project to implement it and the associated time and cost can be defined more exactly.

[Chart: How valuable do you think COBIT is in your IT Governance efforts/initiatives? (Source: IT Governance Global Status Report 2008)]

[Chart: Which IT-related investment principles deliver the greatest value to the organisation? (Source: IT Governance Global Status Report 2008)]


Implementing IT Governance

Implementing IT Governance is similar to any other IT or business project and should be approached and managed in the same way. The roadmap to implementing IT Governance consists of the following general phases and activities:

Implementing IT Governance should be treated like any other project.

Lessons Learned From Implementing IT Governance

The lessons learned from implementing IT Governance relate to avoiding the all too common problems associated with business and IT being disconnected:

• Management see a value from investments made in IT and see that IT is an investment rather than a cost.

• IT is no longer seen as a barrier to implementing new strategies. IT becomes a strategic enabler rather than being seen as restricting the ability of the business to respond to new opportunities.

• The IT decision-making mechanism is open and transparent rather than slow, cumbersome and opaque.

• Management understand and appreciate how IT is governed within the organisation.

• IT projects are completed on time and on budget and deliver on the committed benefits. Good project management is part of good IT Governance.

Implementing IT Governance is good for both the organisation and for IT. Governance ensures that IT delivers value and that the value of IT is understood.

[Chart: Which of the following IT-related investment principles applies or is planned to be applied in your organisation? (Source: IT Governance Global Status Report 2008)]

[Chart: What do you see as the greatest obstacles/constraints to organisations adopting the IT-related investment? (Source: IT Governance Global Status Report 2008)]

[Chart: Which of the following measures have you implemented, or are you in the process of implementing, to improve IT management and governance? (Source: IT Governance Global Status Report 2008)]


For more information, please contact:

[email protected]