IT Governance Best Practice Guide Final June 2007
IT Governance
Developing a successful governance strategy
A Best Practice guide for decision makers in IT
The effective use of information technology is now an accepted organisational imperative - for
all businesses, across all sectors - and the primary motivation is improved communications and
commercial effectiveness. The swift pace of change in these technologies has consigned many
established best practice approaches to the past. Today's IT decision makers and business
managers face uncertainty, characterised by a lack of relevant, practical advice and standards
to guide them through this new business revolution.
Recognising the lack of available best practice guidance, the National Computing Centre has
created the Best Practice Series to capture and define best practice across the key aspects of
successful business.
All titles are available from NCC; see the website for further details: www.ncc.co.uk
IT Governance Developing a Successful Governance Strategy
Foreword
For organisational investment in IT to deliver full value, it is recognised that IT has to be fully aligned to business strategies
and direction, key risks have to be identified and controlled, and legislative and regulatory compliance demonstrated. IT
Governance covers this and more, and in light of recent corporate failures and scandals, enjoys a higher profile today
than ever before.
Back in 2003, IMPACT launched an IT Governance Specialist Development Group (SDG) to identify the issues that need to be
addressed and to share and further develop the practical approaches to IT governance used in their organisations.
Over the past two years, heads of IT governance from Abbey, Aon, Avis, Barclays, BOC, DfES, Eli Lilly, Learning & Skills
Council, Legal & General, NOMS, Royal Mail and TUI Group have examined what they identified as the key topics and, with
the guidance of IT governance expert Gary Hardy, have defined the good practices captured in this guide.
For further information on the IMPACT Programme, its Professional Development Programme and the IT Governance and
CobiT Specialist Development Group, please contact Elisabetta Bucciarelli on 0207 842 7900 or email
elisabetta.bucciarelli@impact-sharing.com. The IMPACT Programme is a division of the National Computing Centre.
IT Governance
Developing a successful governance strategy
A Best Practice Guide for decision makers in IT
Published by
The National Computing Centre
Oxford House
Oxford Road
Manchester
M1 7ED
Website: www.ncc.co.uk
Tel: 0161 242 2121
Fax: 0161 242 2499
ISBN: 0-85012-877-8
All rights reserved: no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording or otherwise without either the prior written permission of the authors and Publisher or as
permitted by the Copyright, Designs and Patents Act 1988. Enquiries for such permissions should be made to the Publisher.
Disclaimer
Every care has been taken by the authors, and by the National Computing Centre, and associated working groups, in the preparation of this
publication, but no liability whatsoever can be accepted by the authors or by National Computing Centre, or associated NCC working groups,
for actions taken based on information contained in this document.
Contents
1 IT Governance – The Business Case
1.1 Why is IT Governance important?
1.2 What does IT Governance cover?
1.3 What are the benefits?
1.4 What is IT Governance best practice?
2 Performance Measurement
2.1 Why is performance measurement important?
2.2 What does performance measurement cover?
2.3 Who are the stakeholders and what are their requirements?
2.4 What should we measure?
2.5 What is best practice?
3 Implementation Roadmap
3.1 Goals and success criteria
3.2 How to get started
3.3 Who needs to be involved and what are their roles and responsibilities?
4 Communication Strategy & Culture
4.1 Who do we need to influence?
4.2 What are the key messages?
4.3 Communication best practices
4.4 Developing an influencing strategy
4.5 Change roadmap
5 Capability Maturity & Assessment
5.1 Why IT capability is important
5.2 How to measure IT capability
5.3 Setting maturity targets and considering improvements
5.4 Roadmap for sustaining the approach
5.5 Self assessment tool
6 Risk Management
6.1 What are the risks?
6.2 What is the best approach for risk analysis and management?
6.3 Using standards and best practices – is certification useful?
6.4 What are the roles of management, staff and auditors?
6.5 Who needs to be competent?
6.6 What competence is required?
6.7 How to obtain, develop, retain and verify competence
6.8 When to source competence from outside
6.9 Key learning points
7 Supplier Governance
7.1 Why is supplier governance important?
7.2 The customer's role
7.3 How best to select a supplier
7.4 The customer/supplier relationship
7.5 Service management techniques and SLAs
7.6 The supplier/outsourcing governance lifecycle
8 IT & Audit Working Together and Using CobiT
8.1 Introduction to CobiT
8.2 How is CobiT being used?
8.3 What are the roles of IT and audit for IT Governance?
8.4 How can IT and internal audit work better together?
9 Information Security Governance
9.1 Background
9.2 What is information security?
9.3 Where to focus
9.4 Roles and responsibilities
9.5 Action planning and best practice
10 Legal & Regulatory Aspects of IT Governance
10.1 Legal and regulatory factors affecting IT Governance
10.2 Roles and responsibilities
10.3 Best approach to compliance
10.4 What IT has to do
10.5 Dealing with third parties
10.6 Critical success factors
11 Architecture Governance
11.1 Why is architecture governance important?
11.2 What are the objectives of architecture governance?
12 Managing the IT Investment
12.1 Why is managing the IT investment important?
12.2 Portfolio management
12.3 Benefits management
12.4 Measuring investment performance
12.5 Improve value delivery and ROI
12.6 Measuring and controlling IT operational costs
12.7 Project risk management
13 Success Factors
1 IT Governance – The Business Case
1.1 Why is IT Governance important?
1.2 What does IT Governance cover?
1.3 What are the benefits?
1.4 What is IT Governance best practice?
The guide focuses on 12 key topics selected by the group because of their importance to effective IT governance:
The business case – The organisation needs to understand the value proposition
Performance measurement – Is the ship “on course”?
Implementation roadmap – How to start – What path to follow
Communications – How to explain the objectives and change the culture
Capability assessment – Finding out the true current state of IT governance
Risk management – What risks exist and how to make sure they are dealt with
Supplier governance – External parties play a big role and must be included
IT and audit working together – How to co-operate for a common goal
Information security – A key topic in today’s networked environment
Legal and regulatory aspects – Compliance is a global concern
Architectures – The foundation for effective technical solutions
Managing investments – Ensuring value is delivered and benefits realised
Implementation of this guidance, or indeed any IT best practice, should be consistent with your organisation’s management
style and the way your organisation deals with risk management and delivery of IT value. Please share these ideas with your
business users, external service providers, and auditors, since to realise their full value, all stakeholders of IT services should
be involved.
All analysts currently agree that probably the biggest risk and concern to top management today is failing to align IT to real
business needs, and a failure to deliver, or be seen to be delivering, value to the business. Since IT can have such a dramatic
effect on business performance and competitiveness, a failure to manage IT effectively can have a very serious impact on the
business as a whole.
Corporate Governance generally has taken on even greater significance. It is being recognised that IT has a pivotal role to play
in improving corporate governance practices, because critical business processes are usually automated and directors rely on
information provided by IT systems for their decision making. With the growth of direct connection between organisations and
their suppliers and customers, and more and more focus on how IT can be used to add value to business strategy, the need
to effectively manage IT resources and avoid IT failures and poor performance has never been greater.
The current climate of cost reduction and budget restriction has resulted in a new norm – there is an expectation that IT
resources should always be used as efficiently as possible and that steps are taken to organise these IT resources ready for
the next cycle of growth and new IT developments. A key aspect of these factors is the increasing use of third party service
providers and the need to manage these suppliers properly to avoid costly and damaging service failures.
This briefing provides a high level set of business arguments for IT Governance. It also explains how an IT Governance
initiative can enable business and IT executives to:
Be sure that they are aware of all IT related risks likely to have an impact on their organisation;
Know how to improve the management processes within IT to manage these risks;
Ensure there are manageable relationships with suppliers, service providers and with the business (customers);
Ensure there is a transparent and understandable communication of these IT activities and management processes to satisfy the Board and other interested stakeholders.
IT Governance covers the culture, organisation, policies and practices that provide this kind of oversight and transparency of
IT – IT Governance is part of a wider Corporate Governance activity but with its own specific focus. The benefits of good IT
risk management, oversight and clear communication not only reduce the cost and damage caused by IT failures, but also
engender greater trust, teamwork and confidence in the use of IT itself and the people trusted with IT services.
IMPACT’s IT Governance Special Interest Group (SIG) has examined these trends and found that the following issues drive
the need for IT Governance:
Stakeholders include:
Top level business leaders such as the Board, Executive, non-Execs, and especially heads of Finance, Operations and IT.
Those that have a responsibility for investor and public relations.
Internal and external auditors and regulators.
Middle level business and IT management.
Key business partners and suppliers.
Shareholders.
Customers.
IT Governance is not just an IT issue or only of interest to the IT function. In its broadest sense it is a part of the overall
governance of an entity, but with a specific focus on improving the management and control of Information Technology for the
benefit of the primary stakeholders. Ultimately it is the responsibility of the Board of Directors to ensure that IT along with other
critical activities is adequately governed. Although the principles are not new, actual implementation requires new thinking
because of the special nature of IT.
IT Governance spans the culture, organisation, policy and practices that provide for IT management and control across
five key areas:
Alignment – Provide for strategic direction of IT and the alignment of IT and the business with respect to services and projects.
Value Delivery – Confirm that the IT/Business organisation is designed to drive maximum business value from IT. Oversee the delivery of value by IT to the business, and assess ROI.
Risk Management – Ascertain that processes are in place to ensure that risks have been adequately managed. Include assessment of the risk aspects of IT investments.
Resource Management – Provide high-level direction for sourcing and use of IT resources. Oversee the aggregate funding of IT at enterprise level. Ensure there is an adequate IT capability and infrastructure to support current and expected future business requirements.
Performance Measurement – Verify strategic compliance, i.e. achievement of strategic IT objectives. Review the measurement of IT performance and the contribution of IT to the business (i.e. delivery of promised business value).
IT Governance is not a one-time exercise or something achieved by a mandate or setting of rules. It requires a commitment
from the top of the organisation to instil a better way of dealing with the management and control of IT. IT Governance is an
ongoing activity that requires a continuous improvement mentality and responsiveness to the fast changing IT environment.
IT Governance can be integrated within a wider Enterprise Governance approach, and support the increasing legal and
regulatory requirements of Corporate Governance.
Investments are likely to be needed to improve and develop the IT Governance areas that need attention. It is important
therefore, to begin with as good a definition as possible of the potential benefits from such an initiative to help build a viable
business case. The expected benefits can then become the project success criteria and be subsequently monitored.
The IMPACT IT Governance SIG has identified the following main areas of benefit likely to arise from good IT Governance:
Improved transparency of IT costs, IT process, IT portfolio (projects and services).
Clarified decision-making accountabilities and definition of user and provider relationships.
Improved understanding of overall IT costs and their input to ROI cases.
Combining focused cost-cutting with an ability to reason for investment.
Stakeholders allowed to see IT risk/returns.
Improved contribution to stakeholder returns.
Performance Improvement
External Compliance
Experiences gained by IMPACT SIG members have identified a number of practical organisational and process issues that
need to be addressed when implementing IT Governance. This has enabled the Group to recommend the following best
practices (critical success factors) when planning IT Governance initiatives:
Although it may generate challenges and pushback, and will require a consensus, an agreed framework for defining IT processes and the controls required to manage them must be defined for IT Governance to function effectively.
The processes for IT Governance need to be integrated with other enterprise wide governance practices so that IT Governance does not become just an IT owned process.
The framework needs to be supported by an effective communication and awareness campaign so that objectives are understood and the practices are complied with.
Incentives should be considered to motivate adherence to the framework.
Pay attention to devolved decentralised IT organisations to ensure a good balance between centrally driven policy and locally implemented practices.
Avoid too much bureaucracy.
Trust needs to be gained for the IT function (in house and/or external).
Creation of an IT scorecard will underpin and reinforce achievement of IT Governance objectives.
Creation of an initial set of measures can be a very good way to raise awareness and initiate an IT Governance programme.
The measures used must be in business terms and be approved by stakeholders.
Focus on costs
2 Performance Measurement
2.1 Why is performance measurement important?
2.2 What does performance measurement cover?
2.3 Who are the stakeholders and what are their requirements?
2.4 What should we measure?
2.5 What's best practice?
One of the greatest challenges faced by those trying to manage IT in today's fast moving economy and complex technical
environment is knowing whether the "ship is on course" and being able to predict and anticipate failures before it is too
late. Like driving a car or steering a ship, good instruments are essential. The use of measures to help steer the IT function
has for many years been a challenge that few appear to have successfully addressed, which is why the expression "it's like
driving a car with a blacked out windscreen and no instruments" is often used. If it is difficult for those literate in technology
and relatively close to the IT function, then it is even worse for the end customer, who finds technical jargon a smokescreen and
the lack of information relevant to his business a major headache.
There is no doubt that a practical and effective way to measure IT performance is an essential part of any IT Governance
programme, just as transparency and reliability of financial results is a Corporate Governance necessity. Performance
management is important because it verifies the achievement of strategic IT objectives and provides for a review of IT
performance and the contribution of IT to the business (i.e. delivery of promised business value). It is also important in
providing a transparent assessment of IT’s capability and an early warning system for risks and pitfalls that might otherwise
have been missed. Performance measurement provides transparency of IT related costs, which increasingly account for a
very significant proportion of most organisations’ operating expenses.
Stakeholders play a key part in IT Governance, since at the heart of the governance responsibilities of setting strategy,
managing risks, allocating resources, delivering value and measuring performance, are the stakeholder values, which drive
the enterprise and IT strategy.
For performance measurement to be successful, it is important to understand who the stakeholders are and what their
specific requirements and drivers are so that the performance measurements will be meaningful to them. An IT Governance
best practice is the approval of measures by stakeholders. A performance measurement system is only effective if it serves
to communicate to all who need to know what is important and then motivates positive action and alignment to common
objectives. The measures are not an end in themselves but a means to take corrective action and to learn from real
experiences. Concise and understandable communication and clear accountabilities are therefore critical success factors if
measures are to be turned into effective actions.
Performance measurement is a key component of IT Governance. It verifies the achievement of strategic IT objectives and
provides for a review of IT performance and the contribution of IT to the business (i.e. delivery of promised business value).
Performance measurement supports the other key elements of IT Governance by:
Alignment – monitoring the strategic direction of IT and the alignment of IT and the
business.
Value Delivery – assessing whether the IT/Business organisation is providing
business value from IT and assessing ROI.
Risk Management – monitoring whether risks are being identified and managed and
measuring the cost and benefit of risk management investments.
Performance measures are required to ensure that the outcomes of IT activities are aligned to the customer’s goals. Internal IT
process measures are required to ensure that the processes are capable of delivering the intended outcomes cost-effectively.
Advanced performance measurement enables the measurement of key aspects of IT capability such as creativity and agility
(new ideas, speed of delivery and success of a change programme), development of new solutions, ability to operate reliable
and secure services in an increasingly demanding IT technical environment, and the development of human resources and
skills.
Performance measurement may also be a vital tool when assessing mergers and acquisitions to allow earlier insight into
IT strengths and gaps. The introduction of a performance measurement system focused on a few key measures can be an
excellent way to kick-start an IT Governance initiative, providing, perhaps for the first time, transparency of critical activities
and a way to bridge the communication gap between IT and its customers.
Effective performance measurement of IT will enable management and other stakeholders to know whether or not IT is
meeting its objectives. It provides a transparent and objective communication mechanism, as long as the measures are
understandable by both the customers and the service providers. The measures should address two aspects (The IT
Governance Institute’s CobiT Management Guidelines provides example metrics for all IT processes and explains the
difference between Goal Indicators (KGIs) and Process Indicators (KPIs)):
Outcome focused – is IT meeting the objectives set by the customer?
Process focused – are the IT processes operating effectively and likely to lead to the customer objectives being met?
The IT Governance SIG recommends that performance measures meet the following requirements to be successful:
Easy to interpret (e.g. reporting should be visual using RAG or heat map techniques) and permit drilling down for more detail and examination of root causes. A scorecard is sometimes not appropriate, e.g. for project review and prioritisation or detailed analysis (where aggregation distorts or confuses)
Show trends to enable backward examination and forward extrapolation
Consolidated for hierarchical reporting
Support benchmarking internally between peer groups and externally with best practice
Integrated if possible with any existing business level performance measurement system
2.3 Who are the stakeholders and what are their requirements?
Stakeholders play a key part in IT Governance. At the heart of the governance responsibilities of setting strategy, managing
risks, allocating resources, delivering value and measuring performance, are the stakeholder values, which drive the enterprise
and IT strategy. For performance measurement to be successful, it is important to understand who the stakeholders are and
what their specific requirements and drivers are so that the performance measurements will be meaningful to them. An IT
Governance best practice is the approval of measures by stakeholders (IT Governance Institute – Board Briefing on IT
Governance).
For the purposes of performance measurement, we have classified stakeholders into three groups: investors, controllers and
deliverers/providers with specific measurement interests and requirements as follows:
Controllers – (internal and external audit, risk and compliance officers, finance, human resources, industry specific regulators)
Interests – they monitor risk and compliance and have an interest in due process, regulatory and legal requirements, evidence of governance and risk management, amount of rework/repeat effort, and compliance with strategy
Requirements
- Financial – losses, investments in control improvements
- Customer – exceptions/breaches, risk management, compliance with legislation and regulations
- Process – control effectiveness, compliance
- Learning – risk identification, risk prevention
Deliverers/Providers – (IT service and product suppliers, in-house and outsourced, contract and procurement management and staff involved in IT delivery and support)
Figure 2.4
In general, performance measurement should support this classic control model (figure 2.5)
Enablers
Support and ownership of performance measurement by Stakeholders
Measures that are approved by and meaningful to the Stakeholders
Measures that align with agreed IT objectives
Measures that focus on processes critical to the success of IT objectives
Measures that are easy to collect and understand
Targets that are challenging but also achievable
Measures that are balanced e.g. based on the Balanced Scorecard technique
Measurement reports and scorecards that are easy to interpret, with explanations of exceptions
Where possible, measures should be automated
Inhibitors
Figure 2.5
3 Implementation Roadmap
3.1 What are the goals and success criteria?
3.2 How to get started – the key initial activities
3.3 Who needs to be involved and what are their roles and responsibilities?
This chapter describes an "Implementation Roadmap" for activating an effective IT Governance programme to deliver the
above benefits, and is based on the practical implementation experiences gained by the IMPACT IT Governance SIG
members.
The roadmap begins with establishing clear goals and objectives in order to align effort with the real needs of the enterprise,
to manage expectations, and to ensure continual focus. The roadmap then consists of activities to get started, followed by
the key implementation tasks with suggested roles and responsibilities. IT Governance is an ongoing task and therefore this
roadmap is only the initial phase of what needs to become an iterative sustainable approach.
A generic set of initial objectives has been identified by the SIG and is shown in Figure 3.1. Figure 3.1.1 suggests some
success criteria for this initial phase of IT Governance.
Achieve a broad understanding of IT Governance issues and benefits across all stakeholders
Agree, publish and gain acceptance of an initial IT Governance framework, tools and processes
Completion of an initial gap analysis against best practice – to demonstrate where IT Governance is already in place
and to highlight areas of focus for the roadmap
Creation of a Project Initiation Document (PID) and/or Terms of Reference (ToR) that has the support of stakeholders
Creation of a Project Plan with definition and prioritisation of the initial ITG project deliverables
Identification and commitment of the resources required to deliver this initial project
Identification and sign-off of Key Performance Indicators and Critical Success Factors for this project
Documented estimated timescales and resource (£s and FTE) implications as well as expected ROI
Figure 3.1
Success criteria for the initial implementation phase (“Done” √):
√ Key stakeholders identified, engaged and actively involved
√ Key stakeholders contributing towards and able to explain and support the business case for ITG
√ Some initial ‘quick wins’ have been identified and implemented – to make governance “real”
√ An effective communication plan – who to, what, when etc. to overcome any barriers and to motivate change
√ Current key IT projects mapped against ITG plan, to look for easy fit/implications
√ Changes are sustainable and institutionalised, i.e. they become Business as Usual practices
Figure 3.1.1
Planning
These are recommended implementation planning activities together with some critical success factors:
Activities
• Identify champions
- Stakeholders (including partners), Input providers, IT strategy committee (council) members
• Establish IT strategy committee (council)
• Identify IT “hotspots” in the organisation, and where governance could enable ‘hotspot’ resolution:
- Strategy? Delivery? IT Cost? Architecture?
- Where current approaches have not worked or caused serious failures
• Identify skill set and capabilities needed from people involved
• Identify existing good practice (‘pseudo governance’) or successes that could be built on or shared
• Identify cost/benefit arguments – why do we need to do anything?
• Identify inconsistencies in process/practice
• Identify opportunities for “rest of business” to get involved in IT
• Explore opportunity to adopt industry best practice model, or standards framework
• Utilise external influences
• Create a measurement approach for an area or activity to expose actual evidence of problems
• Do some gap analysis against industry best practice
CSFs
√ Authoritative and articulate champions
√ Available skills and capabilities
√ Well prepared business cases approved by stakeholders
√ Real opportunities for the business to see the benefit of participating
√ Practical and useful governance approaches
√ Effective and useful measures
√ Expose the truth / whole picture, warts and all, about project success / failure, showing how governance can be helpful
Implementation
These are the recommended activities to start up the implementation roadmap, together with some critical success factors:
Activities
• Create a sound project structure
- Define scope (what is included/excluded) and deliverables
- Agree success criteria/quality criteria
- Set realistic timeframes
- Allocate suitable resources and roles
- Identify risks and a risk mitigation strategy
• Gain approval from Senior Management (the higher the better within the Enterprise)
• Find reference site, or external examples to learn from
• Build communication plan to gain buy-in, and break down barriers
- Who/what/how frequent/purpose
• Do a pilot activity (demonstrate the business case) to show how it would work and demonstrate potential benefits
• Follow a phased introduction, e.g.
- Focus on critical but easier to address areas
- Assess projects first
- Build up operational performance improvement progressively based on prioritising maximum return for lowest cost
- Consider one business area first, others later
- Aim to establish some successes while learning how to be effective
CSFs
√ Good project management (set the governance tone)
√ Expectations set correctly
√ Approved business case
√ Manage IT like you manage the rest of the business
√ Convincing reference sites
√ Successful pilot
√ Address quick wins first to demonstrate results and realise benefits before attempting any major changes
3.3 Who needs to be involved and what are their roles and responsibilities?
All three generic groups of stakeholders, and their interests, should be involved in an IT Governance initiative. A key
characteristic of any successful IT Governance initiative is the establishment of an enterprise-wide approach that clearly sets
out roles and responsibilities, emphasising that everyone has a part to play in enabling successful IT outcomes.
Figure 3.3: This timeline is generic and intended only to be an example – it is based on the SIG’s experience.
Thanks to Legal and General for the concept.
It may also be helpful to include an external, or internal, facilitator to provide an objective and neutral position.
The suggested generic roles and responsibilities of the three main groups are shown in Figure 3.3.1.
Figure 3.3.1
4 Communication Strategy & Culture
4.1 Who do we need to influence?
4.2 What are the key messages?
4.3 Communication best practices
4.4 Developing an influencing strategy
4.5 Change roadmap
IT Governance and risk management are about improving the management and control of IT activities and enabling top
management to exercise proper oversight. To achieve this, better processes, controls, best practices and management
techniques are required. However, all of these improvements will only have a chance of succeeding in a sustainable way if the
culture of the organisation is changed to drive and support the desired new management approach.
Effective communications are a key enabler of these changes, just as poor communications can create a legacy of
misunderstanding, lack of trust, and technical mystique and hype in many organisations. As we said earlier, if it is difficult for
those literate in technology and relatively close to the IT function, then it is even worse for the end customer who finds technical
jargon a smokescreen and lack of information relevant to his business a major headache. Communication and cultural
behaviour, based on appropriate influencing strategies, are therefore key ingredients of any IT Governance improvement
programme. In order to best influence stakeholders, and communicate the major objectives and benefits of IT Governance
throughout the organisation, the right language must be used. Given the significance of IT both in terms of investment and
potential impact on the business – the risks of IT and of failing to exploit IT for strategic advantage must be stressed in
any communication about IT Governance. Wake-up calls are sometimes required at the highest levels. Stakeholders must
understand and feel responsible for safeguarding against IT risks.
Effective communications will ensure that “everyone is on the same page” – that key issues have been grasped, objectives
have been positively accepted by management and staff, and everyone understands their role. Every organisation will have its
own existing culture and choice of IT Governance approach that it wishes to adopt. The roadmap to follow for cultural change
and effective communication will therefore be unique to each organisation, however there may be common elements.
Identifying and gaining the support of key influencers of success and failure helps enable successful communications
strategies. It is also vital to recognise the main stakeholders impacted by the change, identify why we want to influence a
particular stakeholder, and identify any resistance that needs to be overcome. Positive attitudes need to be promoted and
used to influence others.
All three generic groups of stakeholders, and their interests, should be involved in an IT Governance initiative. It is critical
to influence these groups positively so that they understand the objectives and benefits of IT Governance and are able to
communicate consistently to each other and within their groups (Figure 4.1).
Who needs to be influenced?
Investors
• The Board
• IT Council/Management Team
• Senior business unit managers e.g. key customers of IT services
• Business Partners
• External investors/shareholders – as part of corporate governance
Providers
• Project and change managers (IT and Business)
• Programme managers
• Business managers and users
• Technical delivery and support teams
• Key players e.g. business sponsors, project champions
• Relationship managers and internal communications teams
• Suppliers (especially outsourced service providers)
• Contract and procurement management
• Peripheral players/influencers/policy owners e.g. HR, Facilities Management, Legal
Controllers
• Internal audit and external audit (due diligence)
• External regulators
• Corporate governance coordinator
• Risk managers
• Compliance – regulatory and internal
• Finance/Project Managers/IT and business managers – reviewers of benefits/ROI
• Post investment appraisal/post project review teams
Key Messages
Investors
• Benefits of governance
• Why we need to do it
• Impact on the business strategy
• Commitment to support action plans
Providers
• Benefits of governance
• Why we need to change
• Your role and responsibility
• How you need to change
Controllers
• Need for independent assessment and assurance
• Relate to real business risks and impacts
• Work positively with management to address control needs
Figure 4.1
Figure 4.2
a) The “downside” business risks associated with the use and function of IT, i.e. financial losses, damage to reputation,
loss of service etc.
b) The “upside” business risks of not exploiting IT effectively, i.e. loss of competitive advantage, inefficiencies, failure to
respond to changing markets etc.
Recommended approaches
If IT risks are not communicated effectively, and instead are surrounded by hype and complexity, then stakeholders will not
appreciate their real impact, take the issues seriously, or be motivated to insist on better controls. The following approaches
are recommended to ensure risks have been properly appreciated:
The strategy should identify opportunities for the active involvement of stakeholders in developing the governance approach,
planning and implementing IT management changes, and ideally building specific change objectives/targets into personal
performance plans. The stakeholders are likely themselves to be the targets of change and should be involved in discussing/
evolving responses to the change via collaborative workshops, focus groups etc.
The influencing strategies need to be designed to work in specific situations with the individual influence targets identified. The
following table shows four typical influencing styles, examples of the communications involved and the associated leadership
styles. It is important to select the most appropriate style taking into account who needs to be influenced and on what topic.
Influencing style examples
Asserting (Push)
• Stating expectations of improved IT Governance and consequences of not adopting the new control model
• Evaluating current capability, risk management, delivery quality etc. and exposing unacceptable performance
• Creating incentives by setting clear IT Governance objectives, based on business priorities, backed up by the personal reward scheme
Persuading (Push)
• Proposing new management approaches, best practices, standards for IT activities, based on development workshops
• Reasoning that changes are needed, by educating top management about the key IT issues and the benefits IT Governance can provide, e.g. more ownership in the business of IT projects
Bridging (Pull)
• Involving the business in IT decision making, by breaking down technical barriers and encouraging shared responsibility for IT outcomes
• Listening to user feedback about IT services and encouraging suggestions via satisfaction surveys
• Disclosing IT problems and incidents seeking workable solutions instead of covering them up
Attracting (Pull)
• Finding Common Ground by developing corporate mission statements and policies about IT Governance with support from the Board
• Visioning by IT and the business developing shared strategies and action plans, backed up by measurable and accountable objectives and targets
Figure 4.4
• Identify an overall sponsor and steering group with specific tasks and responsibilities for leading the change
• Ensure there is a complete structure of cascaded sponsorship down to team/line manager level
• Identify champions (those high on interest and/or influence)
• Use successes as benchmarks
• Disseminate across teams and support formation of new teams
Figure 4.4.1 shows different change approaches that can be used. For IT Governance initiatives, experience shows that
the best approach is incremental change, evolving and adapting current practices into a new collaborative IT management
approach.
Figure 4.4.1
The following techniques (Exploring Strategic Change, Veronica Hope-Hailey, Julia Balogun, Gerry Johnson, Kevan
Scholes, Cranfield University) can help guide the best path to follow, and can be used to assess how your organisational
culture and management style currently deals with the governance of its IT activities and what cultural style it desires. To
do this you must:
Cultural style and paradigms are formed from several characteristics which can generally be illustrated as shown in Figure
4.5.
Figure 4.5
Figure 4.5.1 illustrates some of the typical current and desired IT Governance behaviours found in many organisations
today.
Figure 4.5.1
5 Capability Maturity Assessment
5.1 Why IT capability is important
5.2 How to measure IT capability
5.3 Setting maturity targets and considering improvements
5.4 Roadmap for sustaining the approach
5.5 Self-assessment tools
Monitoring and assessing the adequacy of IT Resources (people, applications, technology, facilities, data) to ensure
that they are capable of supporting the current and proposed IT strategy is a key aspect of IT Governance. In many
organisations board level management have a very unclear view of their IT capability, and find it very difficult to understand
the technical and organisational IT environment upon which they increasingly depend. Often inadequacies only manifest
themselves when projects fail, costs spiral, operational systems crash, or service providers fail to deliver the value promised.
To exercise sufficient governance and oversight, senior management should insist on objective and regular assessments of
their internal and externally provided IT services to ensure any inadequate capabilities are exposed before serious problems
occur, and then take the necessary action to rectify weaknesses. In recent years, surveys and assessments carried out around
the world have shown that in general IT capabilities have not kept pace with increasing IT complexities and the growing
demands for reliable, secure and flexible services. Cost control and reducing inefficiencies are also important reasons for
reviewing technical and organisational capability.
Improving the maturity of IT capability both reduces risks and increases efficiency – cost saving is
often a justification.
Capability Maturity Modelling (CMM) techniques (CMM was created by the Software Engineering Institute with Carnegie
Mellon) are increasingly being adopted by many organisations for assessing IT capability. This technique focuses on the
IT management processes that control IT resources, and assessments usually reveal significant weaknesses and an IT
capability disproportionate to the high dependency organisations have on their IT service providers. Using the CMM scale it is
rare to find even a defined (level 3) process in many organisations.
Management should insist on objective and transparent assessments, and carry out these analyses as part of any due
diligence review, or request third party certifications when considering outsourcing or during mergers and acquisitions.
Agreement then must be reached regarding where and how to address inadequacies, by either investing in the internal
infrastructure or seeking externally provided outsourced resources, or accepting the risks.
Boards need to address appropriate investments in infrastructure and capabilities by ensuring that:
Boards need to ensure that IT resources are used and managed wisely by ensuring that:
IT assets are complex to manage and continually change due to the nature of technology, and changing business
requirements. Effective management of the lifecycle of hardware, software licences, service contracts, and permanent and
contracted human resources is a critical success factor in not only optimising the IT cost base, but also for managing changes,
minimising service incidents, and assuring a reliable quality of service.
Of all the IT assets, human resources represent the biggest part of the cost base and on a unit basis the one most likely
to increase. Identifying and anticipating the required core competencies in the workforce is essential. When these are
understood, an effective recruitment, retention and training programme is necessary to ensure that the organisation has the
skills to utilise IT effectively to achieve the stated objectives.”8
The measurement of IT capability should be an objective assessment oriented towards business requirements. This will
ensure that the current “as-is” and required “to-be” capabilities are realistic and measurable enabling any gaps to be identified
and a plan to be drawn up to rectify any shortcomings.
The Capability Maturity Model (CMM) approach first developed by the Software Engineering Institute for measuring software
delivery capability is increasingly being adopted as the basis for assessing overall IT capability. This model provides a
standard scale for assessing the maturity of any IT process on a five-point scale (figure 5.2).
Set Scope
1. Select a reference model based on standards and best practices most suitable for your business, e.g. CobiT, ITIL, SEI-CMM, Six Sigma, ISO 9000/9001, PMBOK – perhaps considering weighting measures
2. Use an acceptable measurement methodology agreed with the stakeholders which is defined and transparent
3. Set a baseline in the context of 1 and 2 above and present the current state assessment using a scale or rating system
4. Set reasonable objectives for the targeted level of capability
5. Define measures which relate both to “the journey” as well as the “end goal” (e.g. the KPIs and KGIs recommended by CobiT)
6. Ensure simplicity and flexibility
7. Limit the number of measures, minimise measurement overhead, and avoid information overload
8. Embed measures into business as usual processes
9. Ensure staff have adequate skills, training and tools
10. Create a repeatable process and agree frequency of reporting
11. Where possible automate measurement and reporting
12. Assess achievement against targets alongside other business as usual targets
Figure 5.2
1. Understand the environment
2. Establish capability improvement framework
3. Set realistic targets and respond to environment changes
4. Identify gaps – prioritise improvements
5. Propose achievable solutions
The following practices are recommended to help ensure the process is sustainable:
• Articulate current capabilities in relation to an adopted framework
• Set current levels of capability in the context of external comparisons
• State the effect on the business of the current IT capability state of affairs. Describe the ramifications of NOT improving capability e.g. additional costs or risks, inability to realise opportunities, late or non-delivery of the strategic development programme, redundant effort
• Describe the benefits of implementing improvements in specific areas
• Describe the projected effect on the business after delivery of enhancements
[Figure 5.5 chart: each IT process plotted on the maturity scale Ad hoc / Repeatable / Defined / Managed / Optimised, with its importance rating (H = high, M = medium, L = low) shown alongside]
IT Process – Importance
Planning & Organisation
PO1 Define a Strategic Information Technology Plan – H
PO2 Define the Information Architecture – M
PO3 Determine the Technology Direction – M
PO4 Define the IT Organisation and Relationships – M
PO5 Manage the Investment in Information Technology – M
PO6 Communicate Management Aims and Direction – L
PO7 Manage Human Resources – L
PO8 Ensure Compliance with External Requirements – M
PO9 Assess Risks – M
PO10 Manage Projects – L
PO11 Manage Quality – L
Acquisition & Implementation
AI1 Identify Solutions – L
AI2 Acquire and Maintain Application Software – M
AI3 Acquire and Maintain Technology Architecture – M
AI4 Develop and Maintain Information Technology Procedures – M
AI5 Install and Accredit Systems – L
AI6 Manage Changes – M
Delivery & Support
DS1 Define Service Levels – M
DS2 Manage Third-Party Services – H
DS3 Manage Performance and Capacity – M
DS4 Ensure Continuous Service – L
DS5 Ensure Systems Security – M
DS6 Identify and Allocate Costs – L
DS7 Educate and Train Users – L
DS8 Assist and Advise Information Technology Customers – L
DS9 Manage the Configuration – M
DS10 Manage Problems and Incidents – H
DS11 Manage Data – H
DS12 Manage Facilities – L
DS13 Manage Operations – M
Monitoring
M1 Monitor the Process – M
M2 Assess Internal Control Adequacy – M
M3 Obtain Independent Assurance – M
M4 Provide for Independent Audit – M
Figure 5.5
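The self-assessment in Figure 5.5 and the "identify gaps – prioritise improvements" step of section 5.4 can be carried out as a small gap analysis over the five-point maturity scale. The following is an added example written for this guide, not a tool from NCC or the SIG: the process ids, names and importance ratings come from Figure 5.5, while the "current" and "target" maturity levels, the 3/2/1 importance weighting and the tie-breaking rule are constructed assumptions for illustration.

```python
"""Capability maturity gap analysis over the Figure 5.5 process list (added example)."""
from dataclasses import dataclass

# The five-point CMM scale referred to in section 5.2, lowest to highest.
MATURITY_SCALE = ["Ad hoc", "Repeatable", "Defined", "Managed", "Optimised"]
LEVEL = {name: i + 1 for i, name in enumerate(MATURITY_SCALE)}  # Ad hoc = 1 ... Optimised = 5

# Assumed weighting for the importance column of Figure 5.5 (H/M/L).
IMPORTANCE_WEIGHT = {"H": 3, "M": 2, "L": 1}


@dataclass(frozen=True)
class ProcessAssessment:
    pid: str
    name: str
    importance: str   # H / M / L as in Figure 5.5
    current: str      # assessed "as-is" maturity (constructed sample value)
    target: str       # agreed "to-be" maturity (constructed sample value)

    @property
    def gap(self) -> int:
        """Number of maturity levels between the as-is and to-be positions."""
        return LEVEL[self.target] - LEVEL[self.current]

    @property
    def priority(self) -> int:
        """Weighted gap: a large gap on a high-importance process ranks highest."""
        return max(self.gap, 0) * IMPORTANCE_WEIGHT[self.importance]


def validate(assessments):
    """Reject ratings that are not on the five-point scale or not H/M/L."""
    for a in assessments:
        if a.current not in LEVEL or a.target not in LEVEL:
            raise ValueError(f"{a.pid}: maturity must be one of {MATURITY_SCALE}")
        if a.importance not in IMPORTANCE_WEIGHT:
            raise ValueError(f"{a.pid}: importance must be H, M or L")


def prioritise_improvements(assessments):
    """Return (pid, gap, priority) for every process below target, highest priority first.

    Ties are broken by the larger raw gap, then by process id (an assumed convention).
    """
    validate(assessments)
    below = [a for a in assessments if a.gap > 0]
    ranked = sorted(below, key=lambda a: (-a.priority, -a.gap, a.pid))
    return [(a.pid, a.gap, a.priority) for a in ranked]


def processes_below(assessments, level_name):
    """Ids of processes whose current maturity is below the named level, e.g. "Defined"."""
    validate(assessments)
    return sorted(a.pid for a in assessments if LEVEL[a.current] < LEVEL[level_name])


# Constructed sample: a subset of Figure 5.5 with assumed as-is / to-be levels.
SAMPLE = [
    ProcessAssessment("PO1", "Define a Strategic Information Technology Plan", "H", "Ad hoc", "Defined"),
    ProcessAssessment("PO9", "Assess Risks", "M", "Repeatable", "Defined"),
    ProcessAssessment("DS2", "Manage Third-Party Services", "H", "Repeatable", "Managed"),
    ProcessAssessment("DS5", "Ensure Systems Security", "M", "Defined", "Managed"),
    ProcessAssessment("DS10", "Manage Problems and Incidents", "H", "Defined", "Defined"),
    ProcessAssessment("DS7", "Educate and Train Users", "L", "Ad hoc", "Repeatable"),
]

if __name__ == "__main__":
    for pid, gap, prio in prioritise_improvements(SAMPLE):
        print(f"{pid:5} gap={gap} priority={prio}")
    print("below Defined:", processes_below(SAMPLE, "Defined"))
```

With the sample data, DS2 and PO1 (high importance, two levels short of target) come out ahead of the medium-importance security and risk processes, and DS10, already at its target, is not listed at all. `processes_below(SAMPLE, "Defined")` picks out the processes that section 5.1 describes as the common finding: not even a defined (level 3) process in place.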
6 Risk Management
6.1 What are the risks?
6.2 What is the best approach for risk analysis and management?
6.3 How can standards and best practices be used – is certification useful?
6.4 What are the roles of management, staff and auditors?
6.5 Who needs to be competent?
6.6 What competence is required?
6.7 How to obtain, develop, retain and verify competence
6.8 When to source competence from outside
6.9 Key learning points
The management of risks is a cornerstone of IT Governance, ensuring that the strategic objectives of the business are
not jeopardised by IT failures. IT related risks are increasingly a Board level issue as the impact on the business of
an IT failure, be it an operational crash, security breach or a failed project, can have devastating consequences. However,
managing IT risks and exercising proper governance is a challenging experience for business managers faced with technical
complexity, a dependence on an increasing number of service providers, and limited reliable risk monitoring information. As a
consequence, management are often concerned whether risks are being cost effectively addressed, and they need assurance
that risks are under control.
The universal need to demonstrate good enterprise governance to shareholders and customers is the driver for increased risk
management activities in large organisations. Enterprise risk comes in many varieties, not only financial risk. Regulators are
specifically concerned about operational and systemic risk, within which technology risk and information security issues are
prominent. The Bank for International Settlements, for example, supports that view because all major past risk issues studied
in the financial industry were caused by breakdowns in internal control, oversight and IT. Infrastructure protection initiatives in
the US and the UK point to the utter dependence of all enterprises on IT infrastructures and the vulnerability to new technology
risks. The first recommendation these initiatives make is for risk awareness of senior corporate officers.
• Ascertaining that there is transparency about the significant risks to the enterprise and clarifying the risk-taking or risk-avoidance policies of the enterprise.
• Being aware that the final responsibility for risk management rests with the board so, when delegating to executive management, making sure the constraints of that delegation are communicated and clearly understood.
• Being conscious that the system of internal control put in place to manage risks often has the capacity to generate cost-efficiency.
• Considering that a transparent and proactive risk management approach can create competitive advantage that can be exploited.
• Insisting that risk management is embedded in the operation of the enterprise, responds quickly to changing risks and reports immediately to appropriate levels of management, supported by agreed principles of escalation (what to report, when, where and how).
We must be conscious though that risk taking is an essential element of business today. Success will come to those
organisations that identify and manage risks most effectively. Risk is as much about failing to grasp an opportunity as it is
about doing something badly or incorrectly.
• Business specific risk (e.g. Operational risk of orders not being received)
• Generic common IT risk (e.g. IT availability risk)
• Specific IT risk (e.g. Denial of service attack on Internet customer order system)
Business risks are affected by the business environment (management style, culture, risk appetite, industry sector factors
such as competition, reputation etc., national and international regulations). IT risks can be similarly affected.
There is no single accepted set of generic IT risk definitions, but these headings can be used as a guide (taken from a
global study by the Economist Intelligence Unit in 2002):
• Investment or expense risk
• Access or security risk
• Integrity risk
• Relevance risk
• Availability risk
• Infrastructure risk
• Project ownership risk
The OGC’s M_o_R framework visualises four levels of risks in a pyramid with appropriate escalation to higher levels for
significant risks (Figure 6.1).
Figure 6.1
For IT to be effectively governed, top management must be able to recognise IT risks and ensure that significant risks are
managed. Significance of an IT risk is based on the combination of impact (what effect the risk would have on the organisation
if it occurred) and likelihood (the probability of the risk occurring). Because of the complexity and fast changing nature of IT,
education and awareness is essential to ensure risks are recognised – not just at the top management level but at all levels
throughout the organisation. It is increasingly common for a dedicated risk management function to be established or for
external advice to be obtained on a regular basis to ensure that risks are monitored and the rest of the organisation is kept
informed. Maintenance of a risk catalogue or risk register can be helpful to ensure that a thorough review of all IT related risks
takes place on a periodic basis and for providing assurance to management that risks are being addressed.
6.2 What is the best approach for risk analysis and management?
Risk management consists of two main elements:
• Risk Analysis
• Risk Management
Having defined risk appetite and identified risk exposure, strategies for managing risk can be set and responsibilities
clarified. Dependent on the type of risk and its significance to the business, management and the board may choose to:
The following framework for managing risk in Figure 6.2 is suggested by the OGC (OGC Risk Management Framework
www.ogc.gov.uk).
Figure 6.2
The analysis of IT risks can be very time-consuming and there is a danger of “analysis paralysis”. To ensure effective
and timely identification of risk, management workshops involving knowledgeable and interested representatives from the
business, IT, audit and, if necessary, external advisors can help to rapidly pinpoint key risks requiring attention, as well as
prioritising risk management actions. It is also important to identify the benefits of managing a risk as they can help to justify
the business case for taking action. Benefits can include financial savings such as reduced losses and improved efficiencies
as well as intangibles such as improved reputation and image.
Risk management checklists are useful for raising awareness and reminding everyone of typical risk related issues. Regular
self-assessments, internal audits and external audits/assessments are also helpful to ensure objectivity, and a thorough
approach. For technical areas such as Internet security, the advice of an expert is likely to be required to ensure any technical
vulnerabilities have been identified.
The best practices adopted have, however, to be consistent with the risk management framework and be appropriate for the
organisation, and be integrated with other methods and practices that are being used. Standards and best practices are not a
panacea and their effectiveness will depend on how they have been actually implemented and kept up to date. They are most
useful when applied as a set of principles and as a starting point for tailoring specific procedures. To avoid practices becoming
“shelf-ware”, change enablement is required, so that management and staff understand what to do, how to do it, and why it is
important. For risk management to be effective, the use of a common language and a standardised approach oriented towards
real business requirements is best – making sure everyone follows the same set of objectives, issues and priorities.
Benchmarking is another very useful way to compare how risk management is being addressed within the organisation in
relation to best practice, industry peer groups and other organisations. Conformance to generally accepted standards and
practices can be very helpful when managing risks relating to outsourced services and third party suppliers. Certification
against a standard may be important for helping to establish trust with trading partners, or for raising significance within
the organisation. However, there is a danger that acquiring a certificate becomes more important as a marketing tool, than
operating effective management itself. Certification may also only mean conformance with a baseline and may in itself not
be sufficient to address all the risks in the organisation. In the IT environment there is no specific standard relating to risk
management, but there are standards and best practices covering specific areas. Of these CobiT, ISO17799, ITIL, ISO9000,
PMBOK and Prince2 are the most widely used.
Auditors can provide initial momentum by highlighting to senior management inadequate risk management practices or
specific risks that are not being adequately addressed. Audit should also align audits with key business risks and known areas
of weakness, and provide independent assurance to management, make sure that appropriate risk management plans are in
place and are being followed in all key areas or provide improvement recommendations.
• Allocate responsibility at a senior level for managing key risks
• Ensure that every risk has an owner; there may be separate owners for the actions to mitigate the risks
• Ensure anyone allocated ownership has the authority to take on the responsibility and that they are aware that they are the designated owner
• Adopt a mechanism for reporting issues – ultimately to the individual who has to retain overall responsibility
Most IT Governance initiatives begin with the establishment of an IT Governance project team and the appointment of an IT
Governance project manager. The team is likely to be made up of people with some existing skills and relevant experiences,
sometimes supported by external advisors, but usually even these teams will require training to improve their competence in
IT Governance concepts and implementation approaches.
Over time the project team will become the specialists, guiding and mentoring all role players. For IT Governance to be
successful and sustainable, skills must be transferred from the specialists to the rest of the organisation.
Figure 6.6
Suppliers/business partners
• Integrate any own existing or planned governance practices with customer
• Support and contribute to customer’s governance approach
• Agree service definitions, incentives, measures and contracts/agreements
Training and Development
• Ensure adequate education and communication
HR function
• Incorporate governance principles into induction and performance measurement process
Core team
• Define plan and deliverables
• Organise team and roles (architects, senior responsible officer, facilitator, project manager, process owners)
• Undertake core tasks
• Report progress to plan
People related IT Governance skills:
- Understanding of roles
- Understanding of competencies required
- Understanding of sources of expertise
Delivery management skills:
- Familiarity with best practices
- Understanding of IT processes, how they should be controlled, and how to monitor performance
- Knowledge of corporate standards and policies affecting IT
- Ability to provide cost estimates
- Engagement and project management
Figure 6.6.1
Figure 6.6.2
Recruitment
When considering who to place in IT Governance lead positions, especially when creating an initial project team, staff in a
number of existing positions may be excellent candidates. The IMPACT IT Governance SIG members have found that the
following roles often provide people who would be effective in IT Governance roles.
• Auditors
• Project Managers
• Risk Managers
• Business Analysts
• Infrastructure Management
• Procurement/Contract Management
• IS Strategy – alignment with the business
• Quality Management
• Business Relationship Management
• Programme Managers
However, there is a need for breadth of business and IT knowledge rather than too narrow a specialisation.
Developing Skills
Demonstrating commitment by senior management for the importance of IT Governance and the value of being competent,
removing cultural barriers and improving communications are all critical success factors for improving competence.
Suggested techniques for improving skills by each group of role players are shown below:
Investors
Providers
• Formalise documentation of governance, standards and best practices
• When training, focus on specialised and relevant areas
• Organise internal events to raise awareness
• Rotate involvement in governance meetings to improve understanding
• Use the results of assessments and maturity modelling to raise awareness of governance issues, gaps in capability, and impact on the business of IT weaknesses
• Ensure management and control of IT is taken seriously
• Manage the transfer of skills from the specialists to the organisation:
1. Training
2. Establish an environment which fosters governance
3. Roll out the processes and skills
4. Measure compliance with standards and reinforce
Controllers
• Skills development is often more about learning on the job than about training courses
• Understand the business, how IT affects the business, the IT related business risks, and why IT needs to be controlled
• Focus on professional training in IT Governance and consider certification in relevant skills
• Maintain continuing professional development
• Consider ‘soft’ skills training to improve communication and influencing skills
Retention of Skills
The most effective way to retain IT Governance skills is by establishing standards and practices within the organisation
rather than only within individuals. This reduces reliance on key individuals and ensures sustainable processes are put into
place. In addition:
• At all levels there will be a need to refresh skills continually because of the changing nature of IT
• Skills transfer should always be encouraged, especially from experts to operational staff
• Providers must be valued for their governance skills and encouraged to invest in them. This is especially true of external service providers.
• Induction training is required for new joiners, especially those holding key positions in controller functions.
If there is institutionalised, sustained implementation of IT governance then the environment will support continual skills
growth.
Verifying Skills
The best way to verify competence is to include governance skills in the appraisal process. This should be based on
performance on the job:
• Clear job objectives and role definition for IT Governance
• IT Governance competencies required for role
• Review of competency performance
In addition, surveys can be carried out periodically to measure the level of awareness in key competencies. This technique can
also be a valuable awareness raising and reinforcing technique. Another approach to verifying competence is to measure the
maturity of IT Processes, focusing on competency aspects. The chart below shows generically how this could be done based
on guidance from CobiT’s Management Guidelines (Figure 6.7).
Figure 6.7
• When it is more cost-effective to outsource skills that are not available in-house
• When outside input of expertise is beneficial in its own right
However, if implementation of IT Governance is to be successful and sustainable, competence will have to be developed
within the organisation, since management of IT must be owned within the organisation. In many organisations where all or
significant parts of the IT service have been outsourced, responsibility and competence for controlling use of these services
should still be retained internally. It is essential to retain sufficient skills internally to be able to sustain the business – and to
understand and manage what is being outsourced.
Skills optimisation
• Governance skills are normally found at the top level, but are typically not understood in the context of IT
• The appointment of an IT Governance manager and team should not be permanent because governance practice should become business as usual
1. Specialised training
2. Establish an environment which fosters governance
3. Roll out the processes and skills
4. Measure compliance with standards and reinforce
7 Supplier Governance
7.1 Why is Supplier Governance important? ... 37
7.2 The customer’s role ... 38
7.3 How best to select a supplier ... 40
7.4 The customer/supplier relationship ... 40
7.5 Service management techniques and SLAs ... 41
7.6 The supplier/outsourcing governance lifecycle ... 42
Every organisation relies on numerous suppliers to support their business and IT strategy. It is not unusual for external
organisations to provide critical IT infrastructure (such as telecommunications networks, hosted data centres, and
software applications) used by critical business processes, and increasingly the trend is to outsource significant parts of the
internal IT function.
Effective governance of IT suppliers is therefore a key component of IT Governance, to make sure that risks are managed
and value is delivered from the investment in supplier products and services. Most organisations are highly dependent on
a limited number of key suppliers, and so governance should be focused on those relationships with the greatest risk and
investment. For supplier governance to be effective the role of the customer is crucial. The customer should take ownership of
the whole transaction from defining requirements and selection all the way through to engagement, operation and termination.
Even when the bulk of IT is outsourced, several key functions should be retained because they supply continuity for clients
of IT, provide for the oversight of the outsourcer, are highly specific to the way the business operates, and are strategic to the
organisation. To some extent, the mix will vary with the reason(s) for outsourcing and which functions have been outsourced.
However, all organisations will need to retain some expertise in strategic functions, such as project oversight, architecture,
planning, vendor management, and security.
One of the best ways to establish effective supplier governance is to focus on the relationship
Try to create a win/win partnership so that both parties are motivated for success – beating down the supplier is generally
seen as poor practice, while cooperation, considered openness and mutuality of benefit defines the basis for better working
relationships.
Underpinning the customer/supplier relationship should be formal service level agreements which define objectives and
measures in customer relevant terms, managed according to service management best practices such as ITIL.
Most organisations are highly dependent on a limited number of key suppliers, and so governance should be focused
on those relationships with the greatest risk and investment. The outsourcing of a function or service is likely to be a major
strategic decision which should be governed carefully. Outsourcing is also a huge global commercial business opportunity for
the service providers who will compete fiercely for market share. In such a complex technical and commercial situation, proper
governance is crucial to help avoid potential service failures and large financial losses.
Chart (figure residue; only the labels and percentages are recoverable from the page):
• Buyer’s multi-buyer environment 3%
• Poor cultural fit 5%
• Unclear buyer expectations 23%
• Provider’s poor performance 8%
• Poor communication 11%
• Misaligned interests 15%
• Other 11%
• Not mutually beneficial 11%
• Poor Governance 13%
If the relationship is critical in support of the customer’s business strategy (which will be the case if significant outsourcing
is planned, or if critical infrastructure needs to be supported), then the customer’s role in ensuring effective governance will
be particularly important and should address:
• Discipline over managing the transaction and transparency of the results
• Independence from the supplier
• Accountability and responsibility for key decisions
• Increasing stakeholder value (both internal and for the supplier)
• Key governance steps at each stage, best defined in a governance schedule in the contract, and in a shared procedure manual where key responsibilities and escalation procedures are defined.
Organisation
• Focus on what’s critical
• Have the right capability to manage IT suppliers
• Ensure there are clear roles and responsibilities on the customer’s side of the relationship
• Ensure there is an Executive level sponsor who will be responsible and accountable for all significant decisions regarding key suppliers
• Commit long-term
• Establish relationships at multiple levels
• Organise suppliers according to criticality and roles
Technical
Project Approach
2. Take ownership and define and obtain agreement for all measures
5. Customer should:
• Provide customer satisfaction measurement data
• Consider benchmarking to other organisations and other services
Even when the bulk of IT is outsourced, several key functions should be retained because they supply continuity for clients
of IT, provide for the oversight of the outsourcer, are highly specific to the way the business operates, and are strategic to the
organisation. To some extent, the mix will vary with the reason for outsourcing. However, all organisations will need to retain
some expertise in strategic functions.
Make sure each party understands its role. Figure 7.4 summarises how IMPACT SIG members believe each group of
stakeholders should focus in the customer/supplier relationship.
Figure 7.4 (Party / Stakeholder / Focus)
Customer – Investors:
• Define outsourcing and procurement strategy
• Define supplier governance framework
• Provide supplier with strategic direction
• Approve contracts and any changes
• Consider future business requirements
• Define business objectives
• Evaluate performance
Customer – Providers:
• Specify architecture
• Define business requirements
• Manage relationship
• Manage projects
• Monitor service
• Verify financial ROI
• Manage contract
Customer – Controllers:
• Assess and monitor risk
• Ensure legal/regulatory compliance
• Perform financial analysis
• Ensure supplier service audit
• Establish security policy
Supplier – Investors:
• Define business objectives
• Protect supplier and customer investments
• Commit resources for delivery
• Define service strategy
• Define governance framework
Supplier – Providers:
• Define services
• Define service levels
• Monitor service quality
Supplier – Controllers:
• Measure financial performance
• Monitor risk management
• Manage contracts
Figure 7.5
Figure 7.6
8 IT & Audit Working Together & Using CobiT
The growing interest in IT Governance and increasing pressure to deal with regulatory compliance (e.g. Sarbanes Oxley),
and a continuing focus on security, has made IT management much more involved in risk management and control
activities. There is therefore a need for IT management to work more closely with IT auditors.
For many years there have been barriers between auditors (both internal and external) and auditees (IT functions and
business units). This can be due to communication gaps, hidden checklists, and a failure to collaborate on control assessment
and control improvement. A more effective approach requires better recognition of one another’s role and alignment to a
mutually accepted and understood control framework, so that everyone is “on the same page”.
CobiT is an IT Control and Governance Framework that is increasingly being adopted by organisations around the world as
a common reference model for IT Control. CobiT has historically been mostly used by IT auditors but the trend now is for IT
management to use CobiT as a basis for IT process ownership, a reference model for good controls and as a way to integrate
other best practices under one “umbrella” aligned to business needs. More advanced users make use of CobiT’s maturity
modelling and metrics to measure performance and drive improvement initiatives.
As a consequence, many IT functions and IT service providers are adopting CobiT as part of their operational control
framework.
In order to provide the information that the organisation needs to achieve its objectives, IT resources
need to be managed by a set of naturally grouped processes.
The Framework continues with a set of 34 high-level Control Objectives, one for each of the IT processes, grouped into four
domains: planning and organisation, acquisition and implementation, delivery and support, and monitoring. This structure
covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the
business process owner can ensure that an adequate control system is provided for the IT environment.
IT Governance guidance is also provided in the CobiT framework. IT Governance provides the structure that links IT processes,
IT resources and information to enterprise strategies and objectives. IT Governance integrates optimal ways of planning and
organising, acquiring and implementing, delivering and supporting, and monitoring IT performance. IT Governance enables
the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining
competitive advantage.
In addition, corresponding to each of the 34 high-level control objectives is an Audit Guideline to enable the review of IT
processes against CobiT’s 318 recommended detailed control objectives to provide management assurance and/or advice
for improvement.
The Management Guidelines further enhance and enable enterprise management to deal more effectively with the needs
and requirements of IT governance. The guidelines are action oriented and generic and provide management direction for
getting the enterprise’s information and related processes under control, for monitoring achievement of organisational goals,
for monitoring performance within each IT process and for benchmarking organisational achievement. CobiT’s Management
Guidelines are generic and action oriented for the purpose of answering the following types of management questions: How
far should we go, and is the cost justified by the benefit? What are the indicators of good performance? What are the critical
success factors? What are the risks of not achieving our objectives? What do others do? How do we measure and compare?”
(CobiT Framework 2000, www.itgi.org)
ISACA recognised in the early 1990s that auditors, who had their own checklists for assessing IT controls, were talking a
different language to business managers and IT practitioners. In response to this communication gap, CobiT was created as
an IT control framework for business managers, IT managers and auditors, based on a generic set of IT processes meaningful
to IT people. The best practices in CobiT are a common approach to good IT control – implemented by business and IT
managers, and assessed on the same basis by auditors. Over the years CobiT has been developed as an open standard and
is now increasingly being adopted as the control model for implementing and demonstrating effective IT Governance.
Today, as every organisation tries to deliver value from IT while managing an increasingly complex range of IT related risks,
the effective use of best practices can help to avoid re-inventing wheels, optimise use of scarce IT resources, and reduce
the occurrence of major IT risks such as:
• Project failures
• Wasted investments
• Security breaches
• System crashes
• Failures by service providers to understand and meet customer requirements
Due to its high level and broad coverage, and because it has been based on many existing practices, CobiT is often referred
to as the “integrator”, bringing disparate practices under one “umbrella” and just as importantly, helping to link these various
IT practices to business requirements.
The maturity modelling and metrics concepts within CobiT are probably the most popular for IT managers, providing an easy
and powerful technique for positioning IT control gaps in the context of business requirements. The profiles and scorecards
that result are a powerful tool for communicating with senior management and demonstrating the reality of current IT
capability in relation to what the business might have expected.
As organisations have adopted the CobiT approach, it has driven the professional Audit firms to follow similar approaches,
and to integrate CobiT into their internal proprietary methodologies. This has helped to break down communication barriers
and improve the mutual understanding of IT controls. There is also a trend among service providers to use CobiT and other
best practices to improve their market image and quality of service. This is also helping to improve communication of control
issues and make it easier to manage and audit IT activities against a commonly accepted basis. Because CobiT is open and
independent of any specific vendor all parties can use it freely. It is not a “standard” as such but a “best practice” framework
and set of guidance materials to be tailored for each specific situation.
There is currently a great deal of focus on the Sarbanes-Oxley Act in the US, and the reporting requirements that this
legislation requires for Company Directors. Many companies are using CobiT as the framework for reporting the status of IT
systems and controls, and consequently a massive CobiT-based controls documentation effort is underway. While Sarbanes-
Oxley has been very useful for putting IT governance and control on the Board’s agenda, there is a danger that the effort will
be limited to a documentation exercise to achieve compliance. The real value from any control evaluation, especially when
based on CobiT, is the identification of control gaps and the implementation of a sustainable improvement programme. There
is an analogy with the Y2K experience in that Sarbanes-Oxley should not be a one off exercise but an ongoing programme for
improving management control and establishing governance.
Role of IT Audit
• IT Governance is a management responsibility, and therefore not the sole responsibility of an Audit function. The Audit function should remain independent, but this can provide an excellent position to influence and recommend change. Independence should not inhibit provision of advice, so long as management take full responsibility and accountability for implementation and operation of controls. Taking responsibility for enabling an IT Governance initiative or for initiating governance projects should not compromise Audit.
• IT Governance requires management commitment and ownership within IT and the business in order to make it happen. Audit can then determine if it is happening, and provide assurance to the board.
• When reviewing Governance, Audit must do more than just identify problems. They need to identify root causes and make constructive recommendations.
• Audit can test controls especially where control is critical and assurance is required. But increasingly there is a trend for IT to “test themselves” by performing self-assessments.
• Audit can play a part in setting standards, and providing control criteria and control benchmarks, particularly in respect of external regulation.
• Given the speed of IT change and the high cost of development projects, it makes sense to involve auditors in projects. To be effective auditors must:
- Be credible and confident to gain the respect of IT
- Not wait until the end of a phase to critique – but give pro-active guidance on what should be done
Role of IT
• IT has to be responsible for changing the culture of the IT organisation, for managing the IT processes, and adopting a focus on controls.
• IT professionals often have a poor understanding of what controls are and why they are needed. Education in control principles may be needed, and audit can help with this by working together with IT, and by providing training, workshops and staff secondments.
• A common framework and understanding is needed in order to ensure that IT Management is exercising IT Governance. Using a common framework for control such as CobiT will help to ensure that everyone is “on the same page”.
• The CIO and Head of Internal Audit should work together to drive change.
• IT should take a lead on governance; audit can “sow the seeds”.
• If IT (as so often) is in ‘fire fighting’ mode it is harder for them to drive governance.
• Executive management may point to historic data as showing no problems – so why should they worry about governance? However, the problems can usually be identified by IT digging into process failures – e.g. project delay and excess cost.
• IT management have to be confident of their position to draw attention to internal weaknesses.
Figure 8.5
The methods used vary from formal schemes, perhaps based on IIA (Institute of Internal Auditors) or Internal Audit
guidance to less formal approaches. All approaches can provide value e.g.:
• Questionnaires – based on policy (e.g. security): How do you consider you have addressed each objective?
• Self certification by management e.g. Sarbanes-Oxley
• Face-to-face interviews and workshops
• Pre-defined checklists
The effectiveness of a self-assessment depends on the quality, objectivity, skill and experience of the people performing the
review. Using an alternative means of checking to supplement the questionnaire can help as can obtaining Internal audit input
in an educating/reviewing role.
9 Information Security Governance
9.1 Background ... 48
9.2 What is information security? ... 49
9.3 Where to focus ... 50
9.4 Roles and Responsibilities ... 50
9.5 Action planning and best practice ... 52
Executive management has a responsibility to ensure that the organisation provides all users with a secure information
systems environment. Sound security is fundamental to achieving this assurance.
Information systems can generate many direct and indirect benefits, and as many direct and indirect risks. These risks
have led to a gap between the need to protect systems and the degree of protection applied. Although awareness of these
security issues has increased significantly at board levels, most senior business managers are uncertain about actions they
should take and rely heavily on technical advisors. Proper governance of security, like any other aspect of IT, requires top
management to be more involved in setting direction and overseeing the management of risk. Faced with the fear of unknown
risks, and uncertainty regarding the effectiveness of existing controls, top management naturally wonder where to focus
attention and set priorities. A risk assessment is usually the best place to start. A complementary approach is to focus on
establishing a security baseline irrespective of the risks – i.e. ensure that all the basic measures are in place.
Managing investments in the implementation and operation of controls is critical, since security can be an expensive and
time-consuming task, and experience has shown that large sums of money can be wasted on ineffective or inadequately
implemented technical solutions. However, proving security ROI can be difficult since actual reductions in losses or incidents
must be shown, and it is sometimes impossible to know if a risk has been prevented.
There is no doubt though, that the easiest way to demonstrate cash return is by showing the cost of incidents and wherever
possible this should be done even if the examples are based on assumptions rather than actual figures. Increasingly, the
benefits of good security are being recognised by management who understand that security is needed to enable e-business
and that a reputation for good security can enhance customer loyalty, sales and ultimately share price. These benefits should
be considered when building the business case for security investments. Given that IT security is a specialised topic and there
is a shortage of skills, organisations will often seek support from third parties. Information security specialists can play a key
role although governance and final decision-making must remain in-house.
9.1 Background
“In a global information society, where information travels through cyberspace on a routine basis, the significance of
information is widely accepted. In addition, information and the information systems and communications that deliver the
information are truly pervasive throughout organisations—from the user’s platform to local and wide area networks to servers
to mainframe computers. Accordingly, executive management has a responsibility to ensure that the organisation provides all
users with a secure information systems environment. Furthermore, there is a need for organisations to protect themselves
against the risks inherent with the use of information systems while simultaneously recognising the benefits that can accrue
from having secure information systems. Thus, as dependence on information systems increases, security is universally
recognised as a pervasive, critically needed, quality.” (International Federation of Accountants (IFAC) Statement on Managing
Security of Information 1998)
“Because new technology provides the potential for dramatically enhanced business performance, improved and demonstrated
information security can add real value to the organisation by contributing to interaction with trading partners, closer customer
relationships, improved competitive advantage and protected reputation. It can also enable new and easier ways to process
electronic transactions and generate trust.” 5
5. Information Security Governance: Guidance for Boards of Directors and Executive Management, the IT Governance Institute®.
The view of the IMPACT IT Governance SIG is that information security concerns have increased due to:
Technical complexity
Hackers and virus spreaders
Increasing ease of use, and the accessibility of IT systems
Anywhere/anytime access
Although awareness of these security issues has increased significantly at board levels, most senior business managers are
uncertain about actions they should take and rely heavily on technical advisors. Proper governance of security, like any other
aspect of IT, requires top management to be more involved in setting direction and overseeing the management of risk.
It is essential therefore for executive management to understand why information security is important and take action to
ensure that:
The importance of information security is communicated to all and that a policy exists to underpin activities in a changing
environment.
The ownership and responsibility for information security is accepted by senior management in the business as well as in IT.
Everyone understands that security will not be satisfied simply by the appointment of a security manager – the security
function is there to assist management and security is ultimately the responsibility of everyone.
Any shortage of skilled resource in this area is addressed, as it may be impossible to retain all the necessary skills and
functions in-house.
Responsibility for any security aspects of corporate compliance is accepted by the Board.
“Security relates to the protection of valuable assets against loss, misuse, disclosure or damage. In this context, “valuable
assets” are the information recorded on, processed by, stored in, shared by, transmitted or retrieved from an electronic
medium. The information must be protected against harm from threats leading to different types of vulnerabilities such as
loss, inaccessibility, alteration or wrongful disclosure. Threats include errors and omissions, fraud, accidents and intentional
damage. The objective of information security is ‘protecting the interests of those relying on information, and the systems and
communications that deliver the information, from harm resulting from failures of availability, confidentiality and integrity’.”
Policy Development: The security objective and core principles provide a framework for the first critical step for any
organisation – developing a security policy.
Roles & Responsibilities: For security to be effective, it is imperative that individual roles, responsibilities, and authority
are clearly communicated and understood by all.
Design: Once a policy has been approved by the governing body of the organisation and related roles and responsibilities
assigned, it is necessary to develop a security and control framework that consists of standards, measures, practices, and
procedures.
Implementation: Once the design of the security standards, measures, practices, and procedures has been approved, the
solution should be implemented on a timely basis, and then maintained.
Monitoring: Monitoring measures need to be established to detect and ensure correction of security breaches, such that all
actual and suspected breaches are promptly identified, investigated, and acted upon, and to ensure ongoing compliance with
policy, standards, and minimum acceptable security practices.
Awareness, Training & Education: Awareness of the need to protect information, training in the skills needed to operate
information systems securely, and education in security measures and practices are of critical importance for the success of
an organisation’s security program.
Figure 9.2
According to the IFAC guidance, the major activities associated with Information Security management relate to the items in
Figure 9.2.
It will be helpful if the risk assessment can be converted to a financial value derived from the impact – even if this is only
approximate and based on rough estimates or scales – since decisions to improve security will usually be made based on
financial parameters.
A complementary approach is to focus on establishing a security baseline irrespective of the risks – i.e. ensure that all the
basic measures are in place. This can be based on standard guidance such as the ISO17799 (www.iso.org) standard or freely
available guidance such as the CobiT Security Baseline (www.itgi.org). A key element of this approach is to build security
into the infrastructure, rather than adding it on a piecemeal basis.
“Too often information security has been dealt with as a technology issue only, with little consideration given to enterprise
priorities and requirements. Responsibility for governing and managing the improvement of security has consequently been
limited to operational and technical managers.
However, for information security to be properly addressed, greater involvement of boards of directors, executive management
and business process owners is required. For information security to be properly implemented, skilled resources such as
information systems auditors, security professionals and technology providers need to be utilised. All interested parties should
be involved in the process.” 6
Specific roles:
A Forum or Council should be established to set policy, ensure that consensus is reached on where security investments
should be made, and for approving and overseeing execution of the risk management plan. The Forum should share
knowledge of IT and risks, be focused on business objectives not technical solutions and include representatives from key
business units, IT, internal audit and outsource suppliers. It should report into a governance board (or group IT board).
An IT Security Manager should be in place as an advisor to management and the project owner of security action plan.
However, care must be taken to avoid implying that security has now been dealt with by hiring such a person (when it is
everyone’s responsibility) or that this role relieves top management of their overall governance responsibilities. The role can
be part time and is often supported by external advisors. It is often part of a Risk Management function.
An Operational Team will be needed to maintain and monitor security processes and operate administrative procedures.
This is usually a technical function and it is increasingly being outsourced.
The Audit Function plays a key independent role in monitoring and assessing the adequacy of security within the
organisation.
A useful approach to improving the understanding, awareness and ownership of security within the business is to appoint
Information Security Coordinators.
It is critical to influence the Investors, Providers & Controllers positively so that they understand the objectives and
benefits of IT Governance and are able to communicate consistently to each other and within their groups. The table below
summarises how IMPACT SIG members believe each group of stakeholders should focus on their security responsibilities
(Figure 9.4).
6. Information Security Governance: Guidance for Boards of Directors and Executive Management, the IT Governance Institute®.
Figure 9.4
10 Legal & Regulatory Aspects of IT Governance
10.1 Legal and regulatory factors affecting IT Governance ... 53
10.2 Roles and responsibilities ... 54
10.3 Best approach to compliance ... 55
10.4 What IT has to do ... 56
10.5 Dealing with third parties ... 58
10.6 Critical success factors ... 59
In recent years there has been a general increase in the number of regulations affecting the use of IT and also in the number
of situations where legal measures need to be considered. This is due to the need to guard against a wide range of new IT-
related risks and to a general increase in corporate regulations.
The impact of not taking sufficient care over legal or regulatory requirements can be considerable including:
Loss of reputation
Inability to trade
Financial penalties and losses
Loss of competitive advantage
Loss of opportunity
On the other hand the benefit of complying with regulatory requirements and using legal measures to protect commercial
interests can be considerable, including:
There are a wide range of laws and regulations, some specific to industry sectors that can have an impact on IT. Every
organisation must identify the specific regulations affecting them and respond accordingly, and ensure that the roles and
responsibilities for understanding legal and regulatory matters are properly defined for each group of stakeholder so that each
group can apply its specific expertise effectively. External advice must be sought whenever the issues are sufficiently risky
or complex.
Every organisation relies on a growing number of third parties for support of IT services. From a legal and regulatory
perspective this means that there is potentially a complex hierarchy of responsibilities that combine to meet the legal and
regulatory needs of the customer. Ultimately it is the customer’s responsibility to ensure that all the right controls are in place
with any third party that is relied upon for legal and regulatory compliance.
What might appear to be an initial regulatory burden can become an opportunity to transform to better
managed practices if the rules are used positively and applied productively. Corporate regulations like
the Sarbanes-Oxley Act can be just a minimalist compliance procedure with no potential benefit to the
business or be used as an opportunity to invest in better IT controls. Compliance with IT-related legal and
regulatory requirements and the effective use of legal contracts are clearly part of the effective control and
oversight of IT activities by senior management and therefore key aspects of IT Governance.
There are a wide range of laws and regulations, some specific to industry sectors, that can have an impact
on IT. Every organisation must identify the specific regulations affecting them and respond accordingly.
The IMPACT SIG has identified the following areas that ought to be considered:
Organisations should therefore ensure that the roles and responsibilities for understanding legal and
regulatory matters are properly defined for each group of stakeholder so that each group can apply its
specific expertise effectively. External advice must be sought whenever the issues are sufficiently risky
or complex.
Who needs to be involved?
Table 10.2
In practice, it is recommended that a framework for dealing with legal and regulatory issues be established. Because
IT is fast changing and new regulations are also emerging, any such framework must be flexible and responsive to new
requirements.
Figure 10.3
Figure 10.3 illustrates a common problem when new regulatory requirements are imposed. To be effectively handled the
decisions concerning the regulation should be taken at the level at which business objectives are set and within the group or
business risk framework. This is the necessary level at which priorities can be determined and the standards framework can
be applied.
However, as illustrated, a special programme is frequently set up outside the remit of existing standards and governance in
the hope that the new regulatory environment can be incorporated. This is usually unsuccessful or inefficient because outside
of existing governance it is very difficult to allocate and establish responsibilities for monitoring and testing. Similarly, there
can be no clear prioritisation or co-ordination among different regulatory requirements. Conversely, when the left-hand route
is followed and a new regulation comes into force, it is possible to identify where there are already procedures in place that
enable the new requirements to be met.
For complex IT environments, the importance of the framework is emphasised by the need to understand which standards
affect which systems. Then it becomes possible to address all the relevant systems when standards have to change:
Figure 10.4
In addition, due to the very significant cost of IT investments, and the complexity of customer and supplier relationships,
legal contracts for IT services are being given much more careful attention. These contracts in turn demand greater controls
be demonstrated by the parties to the contract, over many issues such as security, intellectual property, service availability,
ownership of deliverables, support of products etc.
As a consequence, IT service providers, vendors, and internal IT functions are all realising that they must be better organised
from a control and compliance perspective. It is only a relatively recent realisation that IT related controls should be
documented and monitored by IT functions, increasingly driven by regulatory pressure.
Business objectives and processes should drive the system of internal control and therefore the documentation process. The
flow should be:
For an efficient and effective compliance process, the documentation should be in a language that auditors would use, and
therefore it is best to work with the audit community and adopt a common language and approach such as CobiT.
IT functions increasingly need to be more involved in legal and regulatory requirements and should:
Work with the business users and risk management groups to identify critical systems and compliance priorities.
Document architectures so that the overall environment is understood on a continuous basis.
Define processes in IT in a logical, well-ordered fashion, meaningful to auditors and management (e.g. based on CobiT).
Appoint process owners so there is accountability and responsibility.
Understand control concepts, the need for IT controls, and how they relate to business-level controls.
Document these processes and controls (especially for compliance-critical systems), and maintain the documentation as
changes occur.
Conversely, service providers have their own corporate governance agenda, combined with the pressures of their business
models – usually to provide a better service at a lower cost than the customer had previously experienced:
The outsourcer or provider may not ensure full coverage of legal and regulatory requirements:
In order for both sides to be clear on responsibilities it is essential that sufficient in-house capability is retained. Most
organisations actually get more rigour when they outsource but most contracts are built around existing operations with all
their limitations. The onus should be on the provider to spell out the risks – but the provider will not improve controls unless
paid to do so, or can see a commercial benefit in making the necessary investment.
Legally there is a standard reasonable expectation of basic service, and ultimately it is a question of negligence if controls
were not operated properly.
The provider is unlikely to provide a higher level of control in specific situations (such as security) than the client had originally
operated himself – but must have nevertheless an adequate set of controls. Special requirements such as vulnerability testing
will not normally be seen as part of a contract unless formally requested and paid for.
10.6 Critical success factors
The IMPACT SIG identified the following success factors to enable effective ongoing legal and regulatory compliance and
proper control of legal contracts:
11 Architecture Governance
11.1 Why is Architecture Governance important? ... 60
11.2 What are the objectives of Architecture Governance? ... 61
Given the complexity and fast-changing nature of IT, architectures are important for defining technical direction, captured
in a formal design that will support evolution and change, based on generally accepted standards as well as specific
design standards. Architecture governance is therefore to do with ensuring that the principles of architectures are properly
applied to the design and maintenance of information systems, meeting technical design standards as well as the business
purpose and strategic objectives for IT.
There are generally three overall end goals with respect to architecture governance:
Business and IT Alignment (fit for purpose)
Risk Management (reduced likelihood of design failures)
Resource Management (cost effectiveness and value for money)
The process of determining technological direction via an IT Architecture satisfies the business requirement to take advantage
of available and emerging technology to drive and make possible the business strategy. This is enabled by creation and
maintenance of a technological infrastructure plan that sets and manages clear and realistic expectations and standards, of
what technology can offer in terms of products, services and delivery mechanisms. Given the significant amount of outsourcing
of IT services, the effective governance of architectures in these situations is a key consideration. The business strategy may
depend on an effective IT architecture, but who defines the architecture in the outsourced situation? The customer should
always take control of his own requirements including architectural decisions even if the provider offers existing solutions
and approaches. Senior management may assume that providers will develop technology to improve productivity – this is
not always the case. A capability for setting the direction for technology improvement should be retained in house and often
contracts will call for customers to control their own technical direction. Cost will usually be the driving factor in contractual
arrangements – who will pay for architectural upgrades?
The group identified the following critical success factors for achieving architectural governance:
Ensure that the Architecture process and its governance is adequately funded
Ensure good communications among all the groups concerned
Align the architecture with the business strategy and the culture of the organisation
Recognise that persuasion is always needed for compliance and that this can be enhanced by active project involvement,
technical consultancy, provision of readily-available, cost-effective tool-kits and components
Share all artefacts with outsource providers
Given the complexity and fast-changing nature of IT, architectures are important for defining technical direction, captured in
a formal design that will support evolution and change, based on generally accepted standards as well as specific design
standards. There is an analogy with the original use of architectures for defining the design of buildings – providing the
blueprint that demonstrates what the end product should look like, that it is formed on a solid foundation, that it is built
according to defined design standards, and that it meets the purpose for which it was intended.
Architecture governance is therefore to do with ensuring that the principles of architectures are properly applied to the
design and maintenance of information systems, meeting technical design standards as well as the business purpose and
strategic objectives for IT. The IT Governance and Technical Architecture SIG members believe that in many organisations the
challenge is to commit to a properly funded and business driven architectural approach. Often it is treated as too technical an
activity, with inadequate or insufficiently skilled resources, and with limited business and top management direction.
The group assessed the maturity of Architectural activities based on the CobiT® maturity model (see Appendix). This
assesses maturity on a scale from 0 to 5. An analysis of the maturity level of the organisations represented showed the
following:
Current maturity ranged from 1+ to 4
- In larger organisations there was a spread (e.g. from 2 to 4) across the different parts of the organisation
- The lowest maturity was in a business where IT had recently been outsourced
The maturity level aspired to was between 3+ and 4
- No organisation saw level 5 as necessary
The process of determining technological direction via an IT Architecture satisfies the business requirement to take advantage
of available and emerging technology to drive and make possible the business strategy. This is enabled by creation and
maintenance of a technological infrastructure plan that sets and manages clear and realistic expectations and standards of
what technology can offer in terms of products, services and delivery mechanisms.
It considers:
Capability of current infrastructure
Monitoring technology developments via reliable sources
Conducting proof-of-concepts
Risk, constraints and opportunities
Acquisition plans
Migration strategy and roadmaps
Vendor relationships
Independent technology reassessment
Hardware and software price/performance changes
The group believes that measurement of these activities is difficult and may often rely on perception of trends.
The Open Group (www.opengroup.org) defines an Architecture Governance Framework which covers:
Governance processes
Policy management
Compliance assessments
Dispensation procedures
Monitoring and reporting
Business control (compliance with the organisation’s business policies)
Environment management (the physical and logical repository management) and governance environment (administrative
processes).
Given the significant amount of outsourcing of IT services, the effective governance of architectures in these situations is a
key consideration. The business strategy may depend on an effective IT architecture, but who defines the architecture in the
outsourced situation? The customer should always take control of his own requirements including architectural decisions
even if the provider offers existing solutions and approaches. Unfortunately, weaknesses and bad practices in outsourcing
arrangements can lead to architectural misunderstandings or restrictions that can be costly or damaging to business
performance. On the other hand the provider may enable a customer to adopt a proven, reliable architecture at much lower
cost and in much faster timescales than agreeing and developing a solution in house (for example hosting services).
Senior management may assume that providers will develop technology to improve productivity – this is not always the case.
A capability for setting the direction for technology improvement should be retained in house and often contracts will call for
customers to control their own technical direction. Cost will usually be the driving factor in contractual arrangements – who will
pay for architectural upgrades? Even when improvements are called for by the contract, they may not be provided.
12 Managing the IT investment
12.1 Why is managing the IT investment important? ... 63
12.2 Portfolio management ... 64
12.3 Benefits management ... 65
12.4 Measuring investment performance ... 65
12.5 Improving value delivery and ROI ... 66
12.6 Measuring and controlling IT operational costs ... 66
12.7 Project risk management ... 66
Ensuring that value is obtained from investment in information technology is an essential component of IT governance.
No investment, whether IT-related or not, should be undertaken without full knowledge of the expected cost and the
anticipated return. Expected return should always be related to risk as, given the higher likelihood of failure, high-risk projects
should always have an anticipation of a higher return. Ensuring that the right projects are approved in the first place implies
a need for accurate predictive costing of the total project across its lifetime and robust predictions of the potential return,
including quantification of the direct and indirect benefits. To ensure that the total process works and becomes part of the
culture of the organisation, it is essential to establish proper tracking mechanisms to determine the actual value delivered and
enable accountability.
Given the volatility of a portfolio of IT-related business projects, it is essential to embed active portfolio management into the
organisation to maximise value creation and minimise the risk of value destruction. As with any aspect of IT governance, the
process needs visibility, leadership and commitment from the top.
20% of all expenditure on IT is wasted7, representing, on a global basis, annual value destruction of US$500bn according
to a 2002 Gartner paper (Gartner, ‘The Elusive Business Value of IT’, August 2002). It is then no surprise that there is an
increasing demand from boards and executive management for generally accepted guidelines for investment decision-making
and benefit realisation. While particularly applicable to IT-enabled business investments, where IT is a means to an end, the
need is equally applicable to all investment decisions. In the case of IT, the ‘end’ is to contribute to the process of value
creation in the enterprise.
IT-enabled business investments, when managed well within an effective governance framework, provide organisations
with significant opportunities to create value. Without effective governance and good management, they provide an equally
significant opportunity to destroy value. Horror stories abound around the value destruction suffered by major organisations
through the failed implementation of IT enabled business investments. Nike reportedly lost more than US$200m through
difficulties experienced in implementing its supply chain software, failures in IT enabled logistics systems at MFI and
Sainsbury in the UK led to multi-million pound write-offs, profit warnings and erosion of share price. Other organisations have
suffered in a similar fashion.
On the other hand, many successful organisations have created value through selection of the right investments, and
successfully managing them through implementation to realising the expected value. Examples include IBM who reportedly
was able to save more than US$12bn over two years by linking disparate pieces of its supply chain and thereby reducing
inventory levels, and Southwest Airlines who were able to reduce procurement costs and increase service levels through their
supply chain transformation project.
The message is clear. IT-enabled business investments can bring huge rewards with the right governance and management
processes and full commitment from all management levels. The process for managing IT investments can be summarised
as developing, implementing, operating and maintaining financial controls over IT investments and expenditures in line with
the IT strategic and tactical plans. Essential elements in this process are benefit and cost justification, budget ownership and
accountability and control of actual spending. The process should enable the effective and efficient use of IT resources and
provides transparency and accountability into the benefit realisation, total cost of ownership and return on investment of IT.
Portfolio management is needed to balance and prioritise between new projects and the operating costs of existing systems.
It can lead to possible savings on operating costs – e.g. via outsourcing or establishing shared services. Real portfolio
management implies a group at the top with an overview of priorities and what is needed – otherwise decisions will be based
on relationships and sometimes “who shouts loudest” rather than an objective analysis. Portfolio management should focus on
the total ongoing commitment not only the cost of the initial implementation. Managing portfolios can be difficult and requires
sound business judgment as well as disciplined management otherwise projects that may be significant to the business may
be overlooked or missed in the detailed management processes. For example, projects that are significant to aligning with the
business strategy or small initiatives that are critical opportunities may be overlooked. Like all governance activities decisions
made at the top level regarding the portfolio investment approach must be communicated down to individual programmes and
projects and be monitored.
Portfolio Monitoring
Having created an investment portfolio approach, and approved individual investment programmes, there is a need to monitor
(post sign-off) all active programmes, just as one would a financial investment portfolio of, for example, equities or properties.
Costs need to be monitored, as well as cost reduction in business areas and revenue-generating potential in the business.
The portfolio should also be monitored to ensure continuous alignment with strategic business drivers, which may be changing
with time, and with risk factors – both internal and external to projects. Projects can be very hard to stop, although it is good
practice to review projects on a regular basis and cancel those that are not likely to deliver value. It is recommended that a
project office be established working at the programme level, monitoring standards, targets and deliverables. It can be difficult
to find and keep the appropriate people in place for this kind of work. Experience has shown that it can be effective to use
bright, temporary people or contractors, who will also be more likely to give objective assessments.
Acquisition programmes and procurement projects in the UK central civil government are subject to OGC Gateway Reviews.
The OGC Gateway Process examines a programme or project at critical stages in its lifecycle to provide assurance that
it can progress successfully to the next stage; the process is based on well-proven techniques that lead to more effective
delivery of benefits together with more predictable costs and outcomes. It is designed to be applied to delivery programmes
and procurement projects, including those that procure IT-enabled business change. The OGC Gateway Process provides
assurance and support for Senior Responsible Owners (SROs) in discharging their responsibilities to achieve their business
aims. For more guidance refer to www.ogc.gov.uk.
The IMPACT IT Governance SIG members believe that seldom does true benefit monitoring take place. Business sponsors
should manage benefits but usually they do not. This may be because of job movement in the business, or because the
business owner of change is often not the operational owner of the benefits. The main reason though is probably a lack of
willingness for the senior business sponsor to take ownership and accountability for monitoring benefits. Investment oversight
and the drive to apply discipline to the monitoring process should be directed by the IT Council or management team via a
standard process.
Figure 12.4
learnt from analysing why projects are successful or not successful. Setting actual targets and metrics should be driven by the
stakeholders who should also approve and monitor them.
13 Success Factors
Focus on the following success factors:
Treat IT governance initiatives as a project, not a ‘one-off’ step. The goal is to make governance “business as usual”.
Obtain top management buy-in and ownership. This needs to be based on the principles of best managing the IT investment.
Remember that implementation involves cultural change as well as new processes. Make sure you enable and motivate these changes.
Manage expectations. In most enterprises, achieving successful oversight of IT takes some time and will involve continuous improvement.
NATIONAL COMPUTING CENTRE
IT Governance
Developing a successful governance strategy
A Best Practice guide for decision makers in IT
Throughout the past five years, we have witnessed unparalleled corporate scandals and
failures in global businesses. The result: heightened focus on corporate governance, stricter
regulations and new directors’ responsibilities, all adding to the pressure on IT Directors and
CIOs. They must now demonstrate to auditors that IT systems which support financial reporting,
as well as monitor and manage business performance, are based on sound management
systems and controls.
Against this background, it has never been more important to ensure your organisation
governs the use of IT properly. With corporate governance on every boardroom agenda -
and increasing scrutiny of IT’s performance - IT governance has become a hot topic around
the world. For many businesses, IT governance initiatives are already transforming the
way their organisations take responsibility for IT. For others, it is a challenge just knowing
where to start.
Recognising the challenges faced by CIOs in establishing effective IT governance, the NCC’s
IMPACT Programme launched an IT Governance Special Interest Group (SIG). Its aim was
to identify not just the issues that need to be addressed, but also practical approaches for
organisations to follow. Over the past two years, heads of IT governance from Abbey, Aon,
Avis, Barclays, BOC, DfES, Eli Lilly, Learning & Skills Council, Legal & General, Marsh, NOMS,
Royal Mail, and TUI Group examined the key challenges. They shared successful approaches
and defined best practice.
This IT Governance Best Practice Guide is a comprehensive insight into the principles and
practices that the group put together. It is presented in a form that should help you to
understand better how to guide successful IT governance initiatives and make effective
management and control of IT resources “business as usual”.
This Guide forms part of the NCC ‘Best Practice’ Guides series and is intended to be of
practical use for decision makers in IT. This guidance is achieved through industry consensus,
managed by NCC, across the broadest range of professionals and experts.

National Computing Centre
Oxford House,
Oxford Road,
Manchester M1 7ED
Tel: 0161 242 2121
Fax: 0161 242 2499

The IMPACT Programme
International Press Centre,
76 Shoe Lane,
London EC4A 3JB
Tel: 0207 842 7900
Fax: 0207 842 7979
ISBN 0-85012-897-8
£35.00 NCC Members
£50.00 Non NCC Members