It Governance Inf5890 v2013


INF5890

Current approaches to IT governance

Lars Groth

INF5890 IT governance Lars Groth 1


[Figure, slides 2 and 3: Complexity in the IT portfolio: DnB. A diagram of DnB's application landscape showing a dense mesh of systems linked by integration technologies such as MQ, RPC, APPC, XML, SOAP, ADO and IMS/DC.]
Governance takes time and energy – is it worth it?
Good IT governance pays, because
IT is expensive
IT is pervasive
New IT technologies bombard enterprises with new business
opportunities
IT governance is critical to organizational learning about IT value
IT value depends on more than good technology
Senior management has limited bandwidth
Leading enterprises govern IT differently



Basically, it is quite simple:
It is about making sure that information technology provides the best possible support for the enterprise in delivering what it is there to deliver
Then it is about managing that technology in a prudent and professional way, just as any other asset class

“Good IT governance isn’t rocket science, but it requires discipline and commitment.”
– Craig Symons, Forrester Research

First traces in 1962 and 63

Ph. M. Thurston: ”Who Should Control Information Systems?”
– Harvard Business Review, November-December 1962

J. T. Garrity: ”Top Management and Computer Profits”
– Harvard Business Review, July-August 1963



Most people point to Venkatraman:
L. Loh and N. Venkatraman:
– Diffusion of Information Technology Outsourcing: Influence Sources and the Kodak Effect, Information Systems Research, 4, 1992

J. C. Henderson and Venkatraman:
– Strategic alignment: Leveraging information technology for transforming organizations, IBM Systems Journal, 1, 1993



1993



Michael Holm Larsen, Mogens Kühn Pedersen and Kim Viborg Andersen:
IT Governance: Reviewing 17 IT Governance Tools and Analysing the Case of Novozymes A/S
Proceedings of the 39th Hawaii International Conference on System Sciences - 2006



Frameworks for governance

Partial or incidental:
– ITIL
– Six Sigma
– CMM/CMMI
– IT Due Diligence
– IT Service CMM
– SOX
– SAS70
– SysTrust
– IT Audit
– ISO / IEC 27002 (formerly ISO 17799)
– PRINCE 2

Comprehensive:
– COBIT
– ASL/BiSL
– IT Governance Review
– IT Governance Assessment
– IT Governance Checklist
– ITGAP (IT Governance Assessment Process) Model
– ISO 38500 IT Governance Standard



Relevant Norwegian laws
- there are many!

Generally, they fall into three classes:
– Laws that apply to all enterprises, public and private
– Laws applying to public enterprises and public administration only
– Laws applying to specific sectors or industries

The relevant provisions in these laws mainly regulate matters such as:
– Information storage
– Information safeguarding
– Information access
– Information use, incl. universal design
– Public access to information
– Copyright, intellectual property



Some examples:
Laws applying to all enterprises
– Act relating to the processing of personal data (Personopplysningsloven)
– Act relating to copyright in literary, scientific and artistic works, etc. (Åndsverksloven)
– Act relating to a prohibition against discrimination on the basis of disability (Diskriminerings- og tilgjengelighetsloven)

Laws applying to public enterprises and public administration
– Act relating to procedure in cases concerning the public administration (Forvaltningsloven), (especially §15)
– Act relating to public access to documents in the public administration (Offentlighetsloven) (a new EU directive is underway)
– Act relating to Protective Security Services (Sikkerhetsloven)
– Act relating to archives (Arkivloven) and Act relating to the legal deposit of generally available documents with regulations (Pliktavleveringsloven)
– Act relating to public procurement (Lov om offentlige anskaffelser)
– Regulations relating to ICT standards (Forskrift om IKT-standarder)
– Local government act (Kommuneloven)

Sector laws
– Act relating to health personnel etc. (Helsepersonelloven)
– Act relating to municipal health and care services etc. (Helse- og omsorgstjenesteloven)
– Act on personal health data filing systems and the processing of personal health data (Helseregisterloven)

COBIT
Control Objectives for Information and Related Technology

A framework developed by ISACA (Information Systems Audit and Control Association), which was founded in 1967
First version launched in 1996, present version (5.0) published 2012
In 1998, ISACA established the IT Governance Institute to start research on governance
ISACA offers certification in four areas, including governance:
– Certified Information Systems Auditor (CISA)
– Certified Information Security Manager (CISM)
– Certified in the Governance of Enterprise IT (CGEIT)
– Certified in Risk and Information Systems Control (CRISC)



COBIT 5: Now One Complete Business Framework for Governance of Enterprise IT

[Figure: Evolution of scope. Each COBIT version widened the scope, from Audit (COBIT1, 1996) to Control (COBIT2, 1998), Management (COBIT3, 2000), IT Governance (COBIT4.0/4.1, 2005/7) and Governance of Enterprise IT (COBIT 5, 2012), alongside Val IT 2.0 (2008) and Risk IT (2009).]

A business framework from ISACA, at www.isaca.org/cobit

© 2012 ISACA® All rights reserved.



Main document
Summer 2012

”Information is a key resource for all enterprises, and throughout the whole information life cycle there is a huge dependency on technology.”
”Information and related technologies are pervasive in enterprises and they need to be governed and managed in a holistic manner, taking in the full end-to-end business and IT functional areas of responsibility.”

– COBIT 5, Executive Summary

COBIT5: Enabling a Holistic Approach

Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.



The difference between governance and management

• Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

2. Covering the Enterprise End-to-end
COBIT 5 addresses the governance and management of information and related technology from an enterprisewide, end-to-end perspective.
This means that COBIT 5:
– Integrates governance of enterprise IT into enterprise governance.
– That is, the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system. COBIT 5 aligns with the latest views on governance.



Comprehensive
COBIT
ASL/BiSL
IT Governance Review
IT Governance Assessment
IT Governance Checklist
ITGAP (IT Governance Assessment Process) Model
ISO 38500 IT Governance Standard



This book draws on a considerable number of studies at CISR
(Center for Information Systems Research at MIT Sloan School of Management)

A study from 2001-2003 of 256 enterprises from North and South America, Asia and Europe
40 case studies from USA and Europe from 1999 to 2003
One study of 30 IT managers from 2001
An exploratory study of IT governance from 1998-99
An examination of IT governance arrangements in 24 Fortune 100 firms in 2000



Governance of IT:
”Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT”
To govern is to determine who decides what. Three questions must be addressed:

1. What decisions must be made to ensure effective management and use of IT?
2. Who should make these decisions?
3. How will these decisions be made and monitored?

The authors assert that the research presented in the book shows that the enterprises with the best technology utilization achieve up to 40% better return on their IT investments than their competitors



IT: One of the six key assets

What decisions must be made?
1. IT principles
– What is the enterprise’s desired operating model?
– How will IT support it?
– How will IT be funded?

2. IT architecture
– What are the needs for integration and standardization – and can they be fulfilled?

3. IT infrastructure
– What is going to be included in the shared platforms and services?
• Hardware and system software
• IT skills and knowledge
• Shared services like network and shared databases
• Shared applications

4. Business application needs
– What is needed, what to buy and what to develop? Particularly important when:
• Application needs challenge the established architecture
• Parallel projects with overlapping specifications result in solutions that do not work together, or parallel storage of data

5. Investment and prioritization
– How much to spend, what to spend it on, who pays, and how to reconcile the needs of the different IT constituencies



”The best predictor of IT governance
performance is the percentage of
managers in leadership positions who
can accurately describe IT governance.”



Managers taking courses at MIT answer a question about the IT governance arrangements in their enterprise:

”What IT governance?”
”Anarchy!”
”Depends on the amount of money involved.”
”Let me ask my CIO.”
”The business units make all the strategic decisions.”
”Joint decision making between the business unit heads and the central IT group.”
”Senior management lays down the law.”
”My IT folks manage those things.”



The basic IT governance arrangements
Business monarchy
– Senior management decides

IT monarchy
– IT managers decide

Feudalism
– A few strong middle managers dominate – managers for processes, products or regions

Federalism
– Decisions are taken jointly by senior and business unit managers

Duopoly
– A two-party arrangement between the IT executives and a group of business managers

Anarchy
– Groups and strong individuals on all levels make their own decisions based on local needs



The governance matrix

Columns (decision domains): IT Principles, IT Architecture, IT Infrastructure Strategies, Business Application Needs, IT Investments
Rows (governance arrangements): Business Monarchy, IT Monarchy, Feudal, Federal, Duopoly, Anarchy, Don’t Know



The governance matrix (Complete)

Columns (decision domains), each split into Input and Decision: IT Principles, IT Architecture, IT Infrastructure Strategies, Business Application Needs, IT Investments
Rows (governance arrangements): Business Monarchy, IT Monarchy, Feudal, Federal, Duopoly, Anarchy



Most common arrangements
Percent per decision type for 256 enterprises from 23 countries

Arrangement         IT Principles     IT Architecture   IT Infrastructure   Business Appl.    IT Investments
                    Input  Decision   Input  Decision   Input  Decision     Input  Decision   Input  Decision
Business Monarchy     0      27         0       6         0       7           1      12         1      30
IT Monarchy           1      18        20      73        10      59           0       8         0       9
Feudal                0       3         0       0         1       2           1      18         0       3
Federal              83      14        46       4        59       6          81      30        93      27
Duopoly              15      36        34      15        30      23          17      27         6      30
Anarchy               0       0         0       1         0       1           0       3         0       1
Total               100%   100%      100%    100%      100%    100%        100%    100%      100%    100%

Bold red numbers: Most common arrangements for information input
Bold black numbers: Most common arrangements for decisions



Reasons for differences between enterprises:
Different goals, both strategic and regarding performance
– Growth, consolidation, innovation
– Private/public/not-for-profit

Different organizational structures or inadequate organizational structure
Position on the learning curve for IT governance
Enterprise size and complexity
Regional and industrial differences



Where do public enterprises differ?
Public/private
– Public value, not profit
– Great emphasis on efficiency (cost)
– Budget-based expenditure control as prime governance tool
– Higher degree of formalization
– Longer chains of command
– Often less focus on progress in projects

Differences in governance as seen in the research results:
– More business monarchies in all decisions except architectures
– Significantly fewer IT monarchies in all decisions
– More federal arrangements in all decisions except investments
– More federal arrangements for input to all decisions
– More duopolies for architecture



Mechanisms for implementing IT governance

We need to put in place decision-making structures
We need formal alignment processes
We need to communicate about it



Common decision mechanisms under different governance arrangements
Business Monarchy
– Senior management committees
– Federal decision-making structures

IT Monarchy
– IT leadership committees
– Architecture committees

Duopolies
– IT council comprising business and IT executives
– Process teams with IT members
– Business/IT relationship managers

Alignment
Process for approval of investments
Process for architectural exceptions
Service Level Agreements
Chargeback arrangements
Tracking of projects and resources consumed
Formally tracking business value of IT

Communication
Senior management announcements
Formal committees
Office of CIO or office of IT governance
Portals
Work with nonconformists

Implementing IT governance
You will need mechanisms for
– decision-making
– alignment
– communication

Limit decision-making structures
Provide for overlapping membership in decision-making structures
– It is far easier to achieve alignment inside heads than between heads

Implement mechanisms at multiple levels in the enterprise
– Local needs for standardization may vary

Clarify accountability



What will work best?

That which suits YOU!
IT should contribute as much as possible to the realization of enterprise goals....
....in a cost effective way.



How to assess IT governance?

Governance outcomes to assess:
– Cost-effectiveness in use of IT
– Effectiveness in use of IT for asset utilization
– Effectiveness in use of IT for growth
– Effectiveness in use of IT for business flexibility

Calculating Governance Performance Score

Importance (1 = Not important, 5 = Very important)
– Cost-effective use of IT
– Effective use of IT for growth
– Effective use of IT for asset utilization
– Effective use of IT for business flexibility

Achievements / Success measure (1 = Not successful, 5 = Very successful)
– Cost-effective use of IT
– Effective use of IT for growth
– Effective use of IT for asset utilization
– Effective use of IT for business flexibility

Governance Performance Score: Max score: 100, Min score: 20
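The score computation implied by the two survey tables, as an added worked example that is not part of the slides: the formula is an assumption chosen to reproduce the stated range, an importance-weighted success rating rescaled to the top of the 1..5 success scale, which makes all-1 answers score 20 and all-5 answers score 100. The outcome names are the slide's; the sample answers are constructed.

```python
"""Governance Performance Score on a 20..100 scale, as on the assessment slide.

Assumed formula (not stated on the slide, chosen to reproduce its min 20 / max 100):
    score = 100 * sum(importance * success) / (5 * sum(importance))
"""

# The four governance outcomes rated on the slide's two survey tables.
OUTCOMES = (
    "Cost-effective use of IT",
    "Effective use of IT for growth",
    "Effective use of IT for asset utilization",
    "Effective use of IT for business flexibility",
)

SCALE = range(1, 6)  # both questions use a 1..5 rating


def _check(answers: dict[str, int], label: str) -> None:
    """Reject incomplete answer sets or ratings outside 1..5."""
    missing = set(OUTCOMES) - set(answers)
    if missing:
        raise ValueError(f"{label}: missing ratings for {sorted(missing)}")
    for outcome in OUTCOMES:
        if answers[outcome] not in SCALE:
            raise ValueError(f"{label}: rating for {outcome!r} must be 1..5")


def governance_performance_score(importance: dict[str, int],
                                 success: dict[str, int]) -> float:
    """Importance-weighted success, rescaled so all-1s give 20 and all-5s give 100."""
    _check(importance, "importance")
    _check(success, "success")
    weighted = sum(importance[o] * success[o] for o in OUTCOMES)
    total_importance = sum(importance[o] for o in OUTCOMES)
    # 5 is the top of the success scale; multiplying before dividing keeps the result exact.
    return 100 * weighted / (5 * total_importance)


def mean_score(responses: list[tuple[dict[str, int], dict[str, int]]]) -> float:
    """Average over several respondents, as for the accumulated course answers."""
    if not responses:
        raise ValueError("no responses to aggregate")
    return sum(governance_performance_score(i, s) for i, s in responses) / len(responses)


# Constructed sample answers from one respondent (not real survey data).
SAMPLE_IMPORTANCE = dict(zip(OUTCOMES, (5, 3, 4, 4)))
SAMPLE_SUCCESS = dict(zip(OUTCOMES, (4, 2, 3, 5)))

if __name__ == "__main__":
    # (5*4 + 3*2 + 4*3 + 4*5) = 58 weighted points out of 5 * 16 = 80 -> 72.5
    print(governance_performance_score(SAMPLE_IMPORTANCE, SAMPLE_SUCCESS))
```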

[Chart: Accumulated answers from ITLED-courses (69 answers), in %]



Seven characteristics of top governance performers
1. More managers in leadership positions could describe IT governance
2. Greater engagement and knowledge on the part of senior management
3. More direct involvement of the senior leaders in IT governance
4. Clearer business objectives for IT investment
5. More differentiated business strategies
6. Fewer renegade and more formally approved exceptions
7. Fewer changes in governance

Governance arrangements: The best and worst performers
Percent per decision type

Arrangement         IT Principles     IT Architecture   IT Infrastructure   Business Appl.    IT Investments
                    Input  Decision   Input  Decision   Input  Decision     Input  Decision   Input  Decision
Business Monarchy     0      27         0       6         0       7           1      12         1      30
IT Monarchy           1      18        20      73        10      59           0       8         0       9
Feudal                0       3         0       0         1       2           1      18         0       3
Federal              83      14        46       4        59       6          81      30        93      27
Duopoly              15      36        34      15        30      23          17      27         6      30
Anarchy               0       0         0       1         0       1           0       3         0       1
Total               100%   100%      100%    100%      100%    100%        100%    100%      100%    100%

Symptoms of ineffective governance
Senior management senses low value from IT investments
IT is often a barrier to implementing new strategies
The mechanisms to make IT decisions are slow or contradictory
Senior management cannot explain IT governance
Projects often run late and over budget
Senior management sees outsourcing as a quick fix to IT problems
Governance changes frequently



What can you do?
Map out the present governance onto both diagrams (framework and governance matrix)
Compare the two and ask how well the objectives on the Design Framework are achieved by the governance arrangements matrix – how can governance be improved?
Audit the IT governance mechanisms:
– How many are active?
– Are they effective both independently and jointly?



What can you do?
Discuss the framework in a senior management meeting – especially the top boxes left and right – then design the matrix that fits the conclusions

Lead the change by using the «to be» versions of the Design Framework and the matrix



Top ten leadership principles of IT governance
1. Actively design governance
2. Know when to redesign
3. Involve senior managers
4. Make choices
5. Clarify the exception-handling process
6. Provide the right incentives
7. Assign ownership and accountability for IT governance
8. Design governance at multiple organization levels
9. Provide transparency and education
10. Implement common mechanisms across the six key assets
