P. 1
IT Governance Best Practice Guide Final June 2007

IT Governance Best Practice Guide Final June 2007

|Views: 168|Likes:
Published by amojm1

More info:

Published by: amojm1 on Nov 24, 2010
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

11/07/2011

pdf

text

original

Sections

  • 1 IT Governance – The Business Case
  • 1.1 Why is IT Governance important?
  • 1.2 What does IT Governance cover?
  • 1.3 What are the benefts?
  • 1.4 What is IT Governance best practice?
  • 2 Performance Measurement
  • 2.1 Why is performance measurement important?
  • 2.2 What does performance measurement cover?
  • 2.4 What should we measure?
  • 2.5 What is best practice?
  • 3 Implementation Roadmap
  • 4 Communication Strategy & Culture
  • 4.1 Who do we need to infuence?
  • 4.2 What are the key messages?
  • 4.3 Communication best practices
  • 4.4 Developing an infuencing strategy
  • 4.5 Change roadmap
  • 5 Capability Maturity Assessment
  • 5.1 Why IT capability is important
  • 5.2 How to measure IT capability
  • 5.4 Roadmap for sustaining the approach
  • 5.5 Self-assessment tool
  • 6.5 Who needs to be competent?
  • 6.6 What competence is required?
  • 6.8 When to source competence from outside
  • 6.9 Key learning points
  • 7 Supplier Governance
  • 7.1 Why is Supplier Governance important?
  • 7.2 The customer’s role
  • 7.3 How best to select a supplier
  • 7.4 The customer/supplier relationship
  • 7.5 Service management techniques and SLAs
  • 7.6 The supplier/outsourcing governance lifecycle
  • 8.1 Introduction to CobiT
  • 8.2 How is CobiT being used?
  • 9 Information Security Governance
  • 9.1 Background
  • 9.2 What is information security?
  • 9.3 Where to focus
  • 9.4 Roles and Responsibilities
  • 9.5 Action planning and best practice
  • 10.2 Roles and Responsibilities
  • 10.3 Best approach to compliance
  • 10.4 What IT has to do
  • 10.5 Dealing with third parties
  • 10.6 Critical success factors
  • 11 Architecture Governance
  • 11.1 Why is Architecture Governance important?
  • 12 Managing the IT investment
  • 12.1 Why is managing the IT investment important?
  • 12.2 Portfolio management
  • 12.3 Benefts management
  • 12.4 Measuring investment performance
  • 12.5 Improving value delivery and ROI
  • 12.6 Measuring and controlling IT operational costs
  • 12.7 Project risk management

NATIONAL COMPUTING CENTRE

IT Governance
Developing a successful governance strategy
A Best Practice guide for decision makers in IT

THE UK’S LEADING PROVIDER OF EXPERT SERVICES FOR IT PROFESSIONALS

M

IT Governance
Developing a successful governance strategy
A Best Practice guide for decision makers in IT
The effective use of information technology is now an accepted organisational imperative - for all businesses, across all sectors - and the primary motivation; improved communications and commercial effectiveness. The swift pace of change in these technologies has consigned many established best practice approaches to the past. Today's IT decision makers and business managers face uncertainty - characterised by a lack of relevant, practical, advice and standards to guide them through this new business revolution. Recognising the lack of available best practice guidance, the National Computing Centre has created the Best Practice Series to capture and define best practice across the key aspects of successful business.

Other Titles in the NCC Best Practice series: IT Skills - Recruitment and Retention The New UK Data Protection Law Open Source - the UK opportunity Intellectual Property Rights - protecting your intellectual assets Aligning IT with Business Strategy Enterprise Architecture - understanding the bigger picture IT Governance - developing a successful governance strategy Security Management - implementing ISO 27000 ISBN 0-85012-867-6 ISBN 0-85012-868-4 ISBN 0-85012-874-9 ISBN 0-85012-872-2 ISBN 0-85012-889-7 ISBN 0-85012-884-6 ISBN 0-85012-897-8 ISBN 0-85012-885-4

All title are available from NCC see the website for further details www.ncc.co.uk

The National Computing Centre - generating best practice

IT Governance
Developing a Successful Governance Strategy
A Best Practice Guide for Decision Makers in IT

1

Eli Lilly. or associated NCC working groups. Over the past two years. Designs and Patents Act 1988. photocopying. and associated working groups. and in light of recent corporate failures. in the preparation of this publication. and legislative and regulatory compliance demonstrated. heads of IT governance from Abbey.bucciarelli@ impact-sharing. electronic. Enquiries for such permissions should be made to the Publisher. The IMPACT Programme International Press Centre 76 Shoe Lane London EC4A 3JB IT Governance Developing a successful governance strategy A Best Practice Guide for decision makers in IT Published by The National Computing Centre Oxford House Oxford Road Manchester M1 7ED Website: www. Royal Mail and TUI Group have examined what they identified as the key topics and. IT Governance covers this and more. Learning & Skills Council. or transmitted in any form or by any means. Aon. Back in 2003. please contact Elisabetta Bucciarelli on 0207 842 7900 or email elisabetta. stored in a retrieval system. scandals and failure.IT Governance Developing a Successful Governance Strategy Foreword For organisational investment in IT to deliver full value. The IMPACT Programme is a division of the National Computing Centre.ncc. 2 . All trademarks acknowledged. for actions taken based on information contained in this document. DfES. Legal & General. NOMS.co. enjoys a higher profile today than ever before. IMPACT launched an IT Governance Specialist Development Group (SDG) to identify the issues that need to be addressed and to share and further develop the practical approaches to IT governance used in their organisations. BOC.uk Tel: 0161 242 2121 Fax: 0161 242 2499 First published November 2005 Copyright © National Computing Centre 2005 ISBN: 0-85012-877-8 British Cataloguing in Publication A CIP catalogue record for this book is available from the British Library Printed and bound in the UK All rights reserved: no part of this publication may be reproduced. mechanical. key risks have to be identified and controlled. Avis. but no liability whatsoever can be accepted by the authors or by National Computing Centre. its Professional Development Programme and the IT Governance and CobiT Specialist Development Group. with the guidance of IT governance expert Gary Hardy. it is recognised that IT has to be fully aligned to business strategies and direction. Disclaimer Every care has been taken by the authors. For further information on the IMPACT Programme. and by the National Computing Centre.com. Barclays. recording or otherwise without either the prior written permission of the authors and Publisher or as permitted by the Copyright. have defined the good practices captured in this guide.

. . . . . . . .9 W h a t a r e t he risks? . . . . . . . . . . . . . . . 5 2 . . . . . . .6 12. . . . . . . . . . . . . . . . . . . 14 W h o n e e d s to be involved and what are their r o l e s a n d r esponsibilities? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 . . . . . . . . . . . . . . . . . . . . . . 20 C h a n g e r o a dmap . . . . . . . . . . . .3 8. . . . . . . . . . . . . . . . . . . .1 12. . . . . . . . . . . . . . . .5 10. . 7 . . 14 .1 6. . . . 20 D e v e l o p i n g an influencing strategy . . . . . . . . . . . . . .3 12. . . . . . . . . . . . 28 11 Architecture Governance 11. . . . . . . . . . . . . . . . . . . . . . . . . . . 4 5 3 Implementation Roadmap 3.5 12. . . . . . 5 9 . . 6 6 . . . . retain and verify c o m p e t e n c e . . . . . . . . . . . . . . . . . . . . . . . .1 11. . .2 9. . . . . . . . . . . . . . . . . . . . .Contents 1 IT Governance – The Business Case 1. . . . . . . .2 5. 5 6 Dealing with third parties . . . . .2 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3 Roles and responsibilities . . . . . . . . . . . . . staff a n d a u d i t o r s? . . 4 0 The customer/supplier relationship . 5 8 Critical success factors . . . . . . . . . . . . . . . . 28 W h a t i s t h e best approach for risk analysis a n d m a n a g ement? . . 5 5 What IT has to do . . . .5 6. . . . . . . . . . . . .5 7. . . 23 . . .5 . . . . . . . . . . . . . . . . 63 63 6 Risk Management 6. . . . . . . . . 24 S e t t i n g m a t urity targets and considering i m p r o v e m e nts . . . . . . . 4 9 Where to focus . . . . . . . . . . . . . . . . . . . . . 35 12 Managing the IT Investment 12. . .4 9. . . .2 Legal and regulatory factors affecting IT Governance . . . . 31 W h a t c o m p etence is required? . . 26 . . . . . .1 10. . . . . . . . . . . 32 H o w t o o b t ain. . . . . . . . .3 H o w t o g e t started G o a l s a n d success criteria . . . . . . 61 . . . . . . . . . . . . . . . . . . . . . . . 3 7 The customer ’s role How best to select a supplier . . . . . . . . . . . . . . . . .4 5. . . . . 16 9 Information Security Governance 9. . . . . . . .2 3. . . . . . . . . . . 4 8 What is information security? . .2 12. . .6 . . . . . . . . .8 6. . . . 30 W h a t a r e t he roles of management. . . . . . . . 6 0 What are the objectives of architecture . . . . . .6 6. . . . . 25 R o a d m a p f or sustaining the approach . . . . . . . . . .1 4.3 6. . . . . . . . . . . .7 Why is managing the IT investment importan t ? Portfolio management . . . . . .5 . . . . . . . . . .1 3. . . . . . . . . . . .1 1.4 W h a t a r e t he benefits? . .3 2. . 33 W h e n t o s o urce competence from outside . 6 5 Measuring investment performance . 4 1 The supplier/outsourcing governance lifecyc l e . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 4 Communication Strategy & Culture 4. . . . . . . . 10. . .2 7. . .1 9. . . . . .2 1. . . . . . . . . . . . . . . . 18 W h a t a r e t he key messages? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 .4 6. . .3 9. . . . . . . . . . . .7 6. . . . . . . 4 5 How can IT and internal audit work better together? .3 7. . . . . . . . 11 W h a t s h o u l d we measure? . . . . . . . . . . . . . 65 66 Improve value delivery and ROI . . 35 K e y l e a r n i n g points . . . 4 2 .4 12. 5 W h a t d o e s IT Governance cover? . . . . . . . . . . . .1 2. . . . . . . . . . . . . . 6 4 Benefits management . . 4 7 Supplier Governance 7. . . . . . . . . .5 W h y i s p e r f ormance measurement important? W h a t d o e s performance measurement cover? W h o a r e t h e stakeholders and what are 8 IT & Audit Working Together and Using CobiT 8. . . 12 W h a t i s b e st practice? . .4 7. . . . develop. . . . . . 29 U s i n g s t a n dards and best practices – i s c e r t i f i c a t ion useful? . .4 2. . . . . 4 0 Service management techniques and SLAS . . . . . . . . . . . . . . . . 10 Why is supplier governance important? . .3 5. . . . . . . . . . . . . . . . 9 . 15 How is CobiT being used? . . . . 43 2 Performance Measurement 2. . .2 governance? Why is architecture governance important? .4 10. . . . .1 8. . . . . . . . . 43 t h e i r r e q u i r ements? . . . . .2 8. . . . . . . . . . . . . . . . . . . . 60 10. . . . . . . . . . . . . . . . . . . . . . . 4 4 IT Governance? .3 10. . . . . . . . . . . 6 . . . . . . . 5 4 Best approach to compliance . . . . . . . . .3 1. . . . . .5 . . . . .4 Introduction to CobiT What are the roles of IT and audit for . . . . . . . . . . . . . . . . . . 67 13 Success Factors 3 . . . . . 5 0 Roles and responsibilities . . . . .2 4. . . 31 W h o n e e d s to be competent? . . . . . . . . . . . . . . . . . . 38 W h y i s I T Governance important? . 25 S e l f a s s e s sment tool . . . . . . .6 5 Capability Maturity & Assessment 5. . . . . . . 6 W h a t i s I T Governance best practice? . . . . . 22 10 Legal & Regulatory Aspects of IT Governance . . . . . . . . . . . . .1 5.1 7.3 4. . . . . .4 4. 6 6 Measuring and controlling IT operational cos t s Project risk management . . . . . . . . 19 C o m m u n i c a tion best practices . 37 . . . 48 Background . . . . . . 23 W h y I T c a p ability is important H o w t o m e asure IT capability . . . . . . . . . . . . . . . .2 6. . . . . . . 5 0 Action planning and best practice . . . . . . . . . . . . . . . . . . . . . . . 18 W h o d o w e need to influence? . . . . . . . . . .

. . . . . . . Ensure there is a transparent and understandable communication of these IT activities and management processes to satisfy the Board and other interested stakeholders. . . since to realise their full value. . . or be seen to be delivering. . . . . Ensure there are manageable relationships with suppliers. . . . external service providers. . . . .6 1. . . . . . . . . . . . . . . . . . . . . value to the business. . and a failure to deliver. . . . . . . . . . . . . . . .6 1. . . . . service providers and with the business (customers). . . and auditors. . . The current climate of cost reduction and budget restriction has resulted in new norm – there is an expectation that IT resources should always be used as efficiently as possible and that steps are taken to organise these IT resources ready for the next cycle of growth and new IT developments. . . . . should be consistent with your organisation’s management style and the way your organisation deals with risk management and delivery of IT value. . . All analysts currently agree that probably the biggest risk and concern to top management today is failing to align IT to real business needs. . .3 What are the benefits? . . . . . . . . . . . the need to effectively manage IT resources and avoid IT failures and poor performance has never been greater. . . . . . . . . . . . or indeed any IT best practice. . . . . . . . . . . . . . Since IT can have such a dramatic effect on business performance and competitiveness. . . . . . . . . . . With the growth of direct connection between organisations and their suppliers and customers. .5 1. It also explains how an IT Governance initiative can enable business and IT executives to: Be sure that that they are aware of all IT related risks likely to have an impact on their organisation. . This briefing provides a high level set of business arguments for IT Governance. . .IT Governance Developing a Successful Governance Strategy 1 IT Governance – The Business Case 1. . . . . . . . . . .4 What is IT Governance best practice? . . . . .7 The guide focuses on 12 key topics selected by the group because of their importance to effective IT governance: The business case – The organisation needs to understand the value proposition Performance measurement – Is the ship “on course”? Implementation roadmap – How to start – What path to follow Communications – How to explain the objectives and change the culture Capability assessment – Finding out the true current state of IT governance Risk management – What risks exist and how to make sure they are dealt with Supplier governance – External parties play a big role and must be included IT and audit working together – How to co-operate for a common goal Information security – A key topic in today’s networked environment Legal and regulatory aspects –Compliance is a global concern Architectures – The foundation for effective technical solutions Managing investments – Ensuring value is delivered and benefits realised Implementation of this guidance. . . A key aspect of these factors is the increasing use of third party service providers and the need to manage these suppliers properly to avoid costly and damaging service failures. . . . . . a failure to manage IT effectively can have a very serious impact on the business as a whole. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 Why is IT Governance important? . . . . . . . Know how to improve the management processes within IT to manage these risks. Please share these ideas with your business users. . . . . because critical business processes are usually automated and directors rely on information provided by IT systems for their decision making. . . . . . . . It is being recognised that IT has a pivotal role to play in improving corporate governance practices. . . . . . . . . . . . . . . . . . . . . 4 . . . Corporate Governance generally has taken on even greater significance. all stakeholders of IT services should be involved. .2 What does IT Governance cover? . . . and more and more focus on how IT can be used to add value to business strategy. . . . . . . . . . . .

T h e r e i s a g r o w i n g r e a l i s a t i o n t h a t m o r e management commitment is needed to i m p r o v e t h e m a n a g e m e n t a n d c o n t r o l o f I T activities. Organisations need to obtain a better und e r s t a n d i n g o f t h e v a l u e d e l i v e r e d b y I T. C u s t o m ers. There is a potentially widening gap betwee n w h a t I T d e p a r t m e n t s t h i n k t h e b u s i n e s s requires and what the business thinks the I T d e p a r t m e n t i s a b l e t o d e l i v e r. teamwork and confidence in the use of IT itself and the people trusted with IT services. Operations and IT. Managem e n t ’s a w a r e n e s s o f I T r e l a t e d r i sk s h a s i n c r e a s e d . people. policies and practices that provide this kind of oversight and transparency of IT – IT Governance is part of a wider Corporate Governance activity but with its own specific focus. 5 . Concerns they typically have include: Av a i l a b i lity. security and continuity of IT services. Because organisations are relying more a n d m o r e o n I T. IMPACT’s IT Governance Special Interest Group (SIG) has examined these trends and found that the following issues drive the need for IT Governance: There is a general lack of accountabil i t y a n d n o t e n o u g h s h a r e d o w n e r s h i p and cla rity of responsibilities for IT ser v i c e s a n d p r o j e c t s . Costs an d m e a s u r a b l e r e t u r n s o n i n v e s t m e n t s .IT Governance – The Business Case 1 IT Governance covers the culture. Top management wants to understand “h o w i s m y o r g a n i s a t i o n d o i n g w i t h I T i n comparison with other peer groups?” Management needs to understand whethe r t h e i n f r a s t r u c t u r e u n d e r p i n n i n g t o d a y ’s and tomorrow’s IT (technology. the need t o a p p l y s o u n d m a n a g e m e n t d i s c i p l i n e s and controls is even greater. Quality a n d r e l i a b i l i t y o f s e r v i c e – n o e m barrassments. this can lead to reluctance to take ris k s a n d a f a i l u r e t o s e i z e t e c h n o l o g y opportunities. K e y b u siness partners and suppliers. p r o c e s s e s ) i s c a p a b l e o f s u p p o r t i n g expecte d business needs. T h e c o m m u n i c a t i o n between customers (IT users) and provide r s h a s t o i m p r o v e a n d b e b a s e d o n j o i n t accountability for IT initiatives. m a n a g e m e n t n e e d s t o b e more aware of critical IT risks and whethe r t h e y a r e b e i n g m a n a g e d . Executive. And finally. IT not ap p e a r i n g t o r e s p o n d t o t h e r e a l n eeds of the business. There is a f o c u s o n I T c o s t s i n a l l o r g a n i s a t i o n s . oversight and clear communication not only reduce the cost and damage caused by IT failures – but also engenders greater trust. S h a r e h olders. The benefits of good IT risk management. both internally and from external suppliers . Those that have a responsibility for investor and public relations. F u r t h e r m o r e . non-Execs. if there is a lack of clarity and transparen c y w h e n t a k i n g s i g n i f i c a n t I T d e c i s i o n s . there is a realisation that bec a u s e I T i s c o m p l e x a n d h a s i t s o w n f a s t changing and unique conditions. “Governance” generally has taken o n e v e n g r e a t e r s i g n i f i c a n c e . I n t e r n a l and external auditors and regulato r s . I T has a pivotal role to play in improving corporat e g o v e r n a n c e p r a c t i c e s . Stakeholders include: Top level business leaders such as the Board. Identific a t i o n a n d m a n a g e m e n t o f I T r e l a t e d r i s k s t o t h e b u s i n e s s . M e a s u r e s a r e r e q u i r e d i n b u s i n e s s ( t h e customer ’s) terms to achieve this end. organisation. and especially heads of Finance.1 Why is IT Governance important? IT Governance has become very topical for a number of reasons: In the w a k e o f E n r o n a n d o t h e r c o r p o r a t e scandals. M i d d l e l evel business and IT management . 1.

Although the principles are not new. R i s k M a n a ge m e n t – A s c e r t a i n t h a t p r o c e s s e s a r e i n p l a c e t o e n s u r e t h a t r i s k s have been adequately managed. I T p o r t f o l i o ( p r o j e c t s a n d s e r v i c e s ) . E n s u r e t h e r e i s an adequate IT capabil i t y a n d i n f r a s t r u c t u r e t o s u p p o r t c u r r e n t a n d e x p e c t e d f u t u r e business requirements. Return on Investment/Stakeholder Value Improved understanding o f o v e r a l l I T c o s t s a n d t h e i r i n p u t t o R O I c a s e s . IT Governance spans the culture. It is important therefore. i . IT Governance is not a one-time exercise or something achieved by a mandate or setting of rules.2 What does IT Governance cover? IT Governance is a relatively new concept as a defined discipline and is still evolving. Responsiveness and nimbleness to changing conditions. Compliance to legal. but with a specific focus on improving the management and control of Information Technology for the benefit of the primary stakeholders. d e l i v e r y o f p r o m i s e d b u s i n e s s v a l u e ) . Va l u e D e l i ve r y – Confirm that the IT/Business organisation is designed to d r i v e m a x i m u m b u s i n e ss value from IT. The IMPACT IT Governance SIG has identified the following main areas of benefit likely to arise from good IT Governance: Transparency and Accountability Improved transparency o f I T c o s t s . Include assessment of the risk aspects of IT investments. R e v i e w t h e m e a s u r e m e n t o f I T p e r f o r m a n c e a n d t h e contribution of IT to the b u s i n e s s ( i . Improved contribution t o stakeholder returns. . to begin with as good a definition as possible of the potential benefits from such an initiative to help build a viable business case. Oversee the delivery of value by IT to the b u s i n e s s . and support the increasing legal and regulatory requirements of Corporate Governance. a n d a s s e s s ROI.c u t t i n g w i t h a n a b i l i t y t o r e a s o n f o r i n v e s t m e n t . Ultimately it is the responsibility of the Board of Directors to ensure that IT along with other critical activities is adequately governed. regulatory and contractual requirements. the IT Governance Institute®. The expected benefits can then become the project success criteria and be subsequently monitored.3 What are the benefits? Investments are likely to be needed to improve and develop the IT Governance areas that need attention. It requires a commitment from the top of the organisation to instil a better way of dealing with the management and control of IT. Board Briefing on IT Governance. Perfor mance Measu r e m e n t – Ve r i f y s t r a t e g i c c o m p l i a n c e . 2nd Edition. I T p r o c e s s .l e v e l d i r e c t i o n f o r s o u r c i n g a n d u s e o f I T resources. Clarified decision-mak i n g a c c o u n t a b i l i t i e s a n d d e f i n i t i o n o f u s e r a n d p r o v i d e r relationships. Resour ce Mana geme n t – P r o v i d e h i g h . 6 1. policy and practices that provide for IT management and control across 1: five key areas Alignment – Provide for strategic direction of IT and the alignment of IT and the business with respect to services and projects. IT Governance is not just an IT issue or only of interest to the IT function. Stakeholders allowed to see IT risk/returns. 1. e . Oversee the a g g r e g a t e f u n d i n g o f I T a t e n t e r p r i s e l e v e l . actual implementation requires new thinking because of the special nature of IT. In its broadest sense it is a part of the overall governance of an entity. Combining focused cos t . 1. IT Governance can be integrated within a wider Enterprise Governance approach. e . IT Governance is an ongoing activity that requires a continuous improvement mentality and responsiveness to the fast changing IT environment. a c h i e v e m e n t of strategic IT objectiv e s . organisation.IT Governance Developing a Successful Governance Strategy Capability and skills of human resources.

External Compliance Enables an integrated approach to meeting external legal and regulatory requirements. Top level commitment backed up by clear accountability is a necessity IT Gove r n a n c e needs a mandate and direction from Board/Executive level managem e n t i f i t i s t o s u c c e e d i n p r a c t i c e. cohesive view of IT Governance is needed across the enterprise based on a c o m m on language. Facilitat e j o i n t v e n t u r e s w i t h o t h e r c o m p a n i e s . A focus on performance improvement will l e a d t o a t t a i n m e n t o f b e s t p r a c t i c e s . Make su r e m a n a g e m e n t r e s p o n s i b i l i t i e s a nd accountabilities in the business as well as IT ha v e b e e n d e f i n e d . Facilitat e m o r e b u s i n e s s l i k e r e l a t i o n s h i p s w i t h k e y I T p a r t n e r s ( v e n d o r s a n d supplier s ) . A s h a r e d. Improve responsiveness to market challen g e s a n d o p p o r t u n i t i e s .4 What is IT Governance best practice? Experiences gained by IMPACT SIG members have identified a number of practical organisational and process issues that need to be addressed when implementing IT Governance. Enables IT participation in business strategy (which is then reflected in IT strategy) and vice versa. Position i n g o f I T a s a b u s i n e s s p a r t n e r ( a nd clarifying what sort of business partner IT is). 1. Increase ability to benchmark. I T w i l l n eed to develop a control model applicable to all business units/divisions. A c o m mittee approach is recommended for setting. This has enabled the Group to recommend the following best practices (critical success factors) when planning IT Governance initiatives: An enterprise wide approach should be adopted T h e b u s iness and IT must work together to define and control requirements. A c h i e v e a c o n s i s t e n t a p p r o a c h t o t a k i n g r isks. agreeing. a n d a d v e r t i s e t h a t t h e bar should be continuously raised. Increased transparency will raise the bar f o r p e r f o r m a n c e . and monitoring d i r e c t i o n/policy etc. An agreed IT Governance and control framework is required 7 . There sh o u l d b e a c l e a r u n d e r s t a n d i n g ( a n d a p p r o v a l ) b y s t a k e h o l d e r s o f w h a t i s within th e s c o p e o f I T G o v e r n a n c e . Avoid unnecessary expenditures – expe n d i t u r e s a r e d e m o n s t r a b l y m a t c h e d t o business goals.IT Governance – The Business Case 1 E n h a n c ement and protection of reputation and image. Opportunities and Partnerships Provide route to realise opportunities that might not receive attention or sponsor s h i p . Performance Improvement Achieve clear identification of whether an I T s e r v i c e o r p r o j e c t s u p p o r t s “ b u s i n e s s as usua l” or is intended to provide future a d d e d v a l u e .

8 . a n d t h e I T D i r e c t o r a c t i n g a s a b r i d g e b e t w e e n t h e b u s i n e s s a n d I T. an agreed framework for defining IT processes and the controls required to manage them must be defined for IT Governance to function effectively. joint workshops. Av o i d t o o m u c h b u r e a u c r a c y.IT Governance Developing a Successful Governance Strategy Although it may generate challenges and pushback. Creation of an initial se t o f m e a s u r e s c a n b e a v e r y g o o d w a y t o r a i s e a w a r e n e s s and initiate an IT Gove r n a n c e p r o g r a m m e . T h e s e w i l l h e l p t o g a i n support for improvemen t i n i t i a t i v e s . Trust needs to be gained for the IT function (in house and/or external) For IT Governance to work the suppliers of IT services and know-how need to be s e e n a s p r o f e s s i o n a l . The framework needs to be supported by an effective communication and awareness campaign so that objectives are understood and the practices are complied with. e x p e r t a n d a l i g n e d t o c u s t o m e r r e q u i r e m e n t s . Measurement systems will ensure objectives are owned and monitored Creation of an IT sc o r e c a r d w i l l u n d e r p i n a n d r e i n f o r c e a c h i e v e m e n t o f I T Governance objectives. P a y a t t e n t i o n t o d e v o l ve d d e c e n t r a l i s e d I T o r g a n i s a t i o n s t o e n s u r e a g o o d b a l a n c e between centrally driven policy and locally implemented practices. and will require a consensus. I n c e n t i v e s s h o u l d b e c onsidered to motivate adherence to the framework. The measures used mu s t b e i n b u s i n e s s t e r m s a n d b e a p p r o v e d b y s t a k e h o l d e r s . Focus on costs It is likely that there w i l l b e o p p o r t u n i t i e s t o m a k e f i n a n c i a l s a v i n g s a s a consequence of implem e n t i n g i m p r o v e d I T G o v e r n a n c e . Tr u s t h a s t o b e developed by whatever means including awareness programmes. The processes for IT Governance need to be integrated with other enterprise wide governance practices so that IT Governance does not become just an IT owned process.

. . . delivery of promised business value). . . . A performance measurement system is only effective if it serves to communicate to all who need to know what is important and then motivates positive action and alignment to common objectives. . . . .11 2. . . . . . . . . .1 Why is performance measurement important? “Teams that don’t keep score are only practising. . . . . . then it is even worse for the end customer who finds technical jargon a smokescreen and lack of information relevant to his business a major headache. . . . . . . . . . . . it is important to understand who the stakeholders are and what their specific requirements and drivers are so that the performance measurements will be meaningful to them. . . . . . . . . . . . just as transparency and reliability of financial results is a Corporate Governance necessity. Value Delivery – assessing whether the IT/Business organisation is providing business value from IT and assessing ROI. 2nd Edition. . . . . . . . . . . . For performance measurement to be successful. . . . . . . . It verifies the achievement of strategic IT objectives and provides for a review of IT performance and the contribution of IT to the business (i. . . . . which drive the enterprise and IT strategy. . . you can’t manage it” 2. President Milliken & Company Performance measurement is a key component of IT Governance. Performance management is important because it verifies the achievement of strategic IT objectives and provides for a review of IT performance and the contribution of IT to the business (i. . . . . .10 2. .9 2. . . . . . . . .4 What should we measure? . . . The use of measures to help steer the IT function has for many years been a challenge that few appear to have successfully addressed. managing risks. . . Stakeholders play a key part in IT Governance. . . . . .12 2. . . There is no doubt that a practical and effective way to measure IT performance is an essential part of any IT Governance programme. . Performance measurement supports the other key elements of IT Governance by: Alignment – monitoring the strategic direction of IT and the alignment of IT and the business. . . good instruments are essential. . .12 ne of the greatest challenges faced by those trying to manage IT in today’s fast moving economy and complex technical environment is knowing whether the “ship is on course” and being able to predict and anticipate failures before it is too late. . . .3 Who are the stakeholders and what are their requirements? . . . delivering value and measuring performance. . . which increasingly account for a very significant proportion of most organisations’ operating expenses. . . are the stakeholder values. . . . . . . The measures are not an end in themselves but a means to take corrective action and to learn from real experiences. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . since at the heart of the governance responsibilities of setting strategy. . . . . Risk Management – monitoring whether risks are being identified and managed and measuring the cost and benefit of risk management investments. . . . . . . . . . . allocating resources. . . delivery of promised business value). . . . . . . . . . .Performance Measurement 2 O Performance Measurement 2 2. . . . . . . . . . . . . . . . . . . . . . Like driving a car or steering a ship. . . . . . . . . . . .1 Why is performance measurement important? . . . . . . . . . . An IT Governance best practice is the approval of measures by stakeholders. . . . . . . . . . . . If it is difficult for those literate in technology and relatively close the IT function. . .” Tom Malone. Board Briefing on IT Governance. . . . Performance measurement provides transparency of IT related costs. . . .e. . . . . 2 2. . . . . 9 . . . . . . the IT Governance Institute®. .e. Concise and understandable communication and clear accountabilities are therefore critical success factors if measures are to be turned into effective actions. . . It is also important in providing a transparent assessment of IT’s capability and an early warning system for risks and pitfalls that might otherwise have been missed. . .2 What does performance measurement cover? . which is why the expression “it’s like driving a car with a blacked out windscreen and no instruments” is often used. . . . . .5 What’s best practice? . . . . . . . . “If you can’t measure it. .

internal and learning dimensions (The Balanced Scorecard. development of new solutions. and control and improvement within the process. Performance measurement may also be a vital tool when assessing mergers and acquisitions to allow earlier insight into IT strengths and gaps. providing. An IT performance measurement system should help to: F o c u s o n t h e c u s t o m e r to increase customer satisfaction Improve processes so problems are anticipated and prevented Understand and reduce costs E n c o u r a g e a n d f a c i l i t ate change by obtaining facts about current state. the aggregate funding of IT at enterprise level. The measures should address two aspects (The IT Governance Institute’s CobiT Management Guidelines provides example metrics for all IT processes and explains the difference between Goal Indicators (KGIs) and Process Indicators (KPIs)): Outcome focused – is I T m e e t i n g t h e o b j e c t i v e s s e t b y t h e c u s t o m e r ? Process focused – are t h e I T p r o c e s s e s o p e r a t i n g e f f e c t i v e l y a n d l i k e l y t o l e a d t o the customer objectives b e i n g m e t ? The IT Governance SIG recommends that performance measures meet the following requirements to be successful: Defined using a com m o n l a n g u a g e a p p r o p r i a t e a n d u n d e r s t a n d a b l e f o r t h e audience Approved by the stakeh o l d e r s In keeping with the cult u r e a n d s t y l e o f t h e o r g a n i s a t i o n Based on targets derived from IT’s objectives Contain a mix of objective and subjective measures Flexible and responsive to changing priorities and requirements Based on easy to collec t a c t u a l m e a s u r e m e n t r e s u l t s Include both positive m e a s u r e s ( t o m o t i v a t e ) a n d n e g a t i v e m e a s u r e s ( t o c o r r e c t ) Balanced. perhaps for the first time. Performance measures are required to ensure that the outcomes of IT activities are aligned to the customer’s goals. desired s t a t e a n d t h e g a p t h a t needs to be met Set realistic benchmarks for comparison Effective performance measurement of IT will enable management and other stakeholders to know whether or not IT is meeting its objectives. i. and improving the organisation (Vital Signs. by Steven M. The Balance Scorecard is recommended as an ef fective approach providing financial. Kaplan & Norton) Limited in number and focused only on priority areas but sufficient to support decision making (passes the “so-what?” test) 10 .IT Governance Developing a Successful Governance Strategy Resource Management – measuring the effectiveness of sourcing and use of IT resources. as long as the measures are understandable by both the customers and the service providers. speed of delivery and success of a change programme). and the development of human resources and skills. customer. It provides a transparent and objective communication mechanism. They communicate what’s important throughout the organisation: strategy from top management down. The measures tell people what and how they’re doing as part of the whole. ability to operate reliable and secure services in an increasingly demanding IT technical environment. transparency of critical activities and a way to bridge the communication gap between IT and its customers. process results from the lower levels up. Hronec). and measuring IT capability and infrastructure compared to current and expected future business requirements.e.2 What does performance measurement cover? Performance measures are the “vital signs” of an organisation. Internal IT process measures are required to ensure that the processes are capable of delivering the intended outcomes cost-effectively. The introduction of a performance measurement system focused on a few key measures can be an excellent way to kick-start an IT Governance initiative. 2. They quantify how well the activities within a process or the outputs of a process achieve a specific goal. Only with a consistent view of the “vital signs” can everyone work toward implementing the strategy. Advanced performance measurement enables the measurement of key aspects of IT capability such as creativity and agility (new ideas. measuring more than just financial results. achieving the goals.

g .g. are the stakeholder values. for project review and prioritisation or detailed a n a l y s i s (where aggregation distorts or confuses) Show tre n d s t o e n a b l e b a c k w a r d e x a m i n a t i o n a n d f o r w a r d e x t r a p o l a t i o n Consolid a t e d f o r h i e r a r c h i c a l r e p o r t i n g Support b e n c h m a r k i n g i n t e r n a l l y b e t w e e n peer groups and externally with best practice Integrate d i f p o s s i b l e w i t h a n y e x i s t i n g bu s i n e s s l e v e l p e r f o r m a n c e m e a s u r e m e n t system 2. skill profile. risk and compliance officers. and compliance with strategy Re q u i r e m e n t s Financial – losses. risk management. evidence of governance and risk management. For performance measurement to be successful. human resources. resource short fall. s u r v e y responses. s a t i s f a c t i o n f e e d b a c k e . and deliver in an efficient a n d e f f e c t i v e w a y. performance exceptions. s t r a t e g i c o b j e c t i v e s v. e. At the heart of the governance responsibilities of setting strategy. For the purposes of performance measurement. reporting should be visual using RAG or heat map techniques) a n d p e r mit drilling down for more detail and examination of root causes. we have classified stakeholders into three groups: investors. contract and procurement management and staff involved in IT delivery and support) Interests – they need to meet customer expectations. b u d g e t . compliance L e a r n i n g – r i s k i d e n t i f i c a t i o n . controllers and deliverers/providers with specific measurement interests and requirements as follows: Investors – (business management. finance. p r o d u c t i v i t y. e f f e c t i v e n e s s o f d e a l i n g with business churn 11 .g. managing risks. customer retention and gr o w t h s t a t i s t i c s . which drive the enterprise and IT strategy.Performance Measurement 2 E a s y t o interpret (e. r i s k p r ev e n t i o n Deliverers/Providers – (IT service and product suppliers. allocating resources. A scorecard i s s o m etimes not appropriate. An IT Governance best practice is the approval of measures by stakeholders (IT Governance Institute – Board Briefing on IT Governance). regulatory and legal requirements. c o s t a l l o c a t i o n / r e c o v e r y. training and development Controllers – (internal and external audit. c o s t v. s e r v i c e credits. delivering value and measuring performance. in-house and outsourced. investments in control improvements Customer – exceptions/breaches. transformation capability and tactical agility Lear ning – attrition. industry specific regulators) Interests – they monitor risk and compliance and have an interest in due process. business partners and IT management) I n t e r e s t s – t h e y p r o v i d e t h e f u n d i n g a n d want to see a return on their investment a n d a l i g n m e n t w i t h t h e i r s t r a t e g i c o b j e c t i ves Re q u i r e m e n t s F i n a n c i a l – R O I . cost optimisation Customer – performance against SL A s . b e n e f i t s r e a l i s a t i o n C u s t o m e r – s u r v e y s a n d f e e d b a c k ( su b j e c t i v e a s w e l l a s o b j e c t i v e ) .3 Who are the stakeholders and what are their requirements? Stakeholders play a key part in IT Governance. it is important to understand who the stakeholders are and what their specific requirements and drivers are so that the performance measurements will be meaningful to them. p r e s e r v i n g a n d e n h a n c i n g r e p u t a t i o n Requir ements Financial – operational and project c o s t s . retention. compliance with legislation and regulations Process – control effectiveness. amount of rework/repeat effort. a c t u a l p r o j e c t s / a c t i v i t i e s Process – capability benchmark.

5) 12 .4 What should we measure? The ownership of measures and accountability for achieving targets should be clear. performance measurement should support this classic control model (figure 2. e. time and budget) Overall financial performance (costs v. Since the Interest Group is not primarily focused on performance measurement techniques we are not attempting to provide best practice guidance on measurement methods and/or tools. measures should be formalised in Service Level Agreements (SLAs) based on service descriptions written in a language and using terms meaningful to the customer. Furthermore. readiness for new requirements. time to market for new initiatives 2. To support IT Governance the following top fifteen areas to measure are recommended.4) Area Business & IT alignment Major project delivery performance (objectives. measurement of customer-focused outcomes. For third party service providers an SLA should form part of the contractual agreement so that performance measurement can be backed up with contractual recourse in the event of performance failure.g.5 What is best practice? Experiences gained by the IMPACT SIG members have identified a number of enablers and inhibitors that will assist in the achievement of Performance Measurement best practices when supporting IT Governance. It should therefore also be clear whose responsibility collection is. with an indication of who has a primary interest and therefore who should approve the measures (figure 2. ownership and the collection of measurement data will not always be an IT responsibility.IT Governance Developing a Successful Governance Strategy Process – internal improvement in efficiency and risk reduction. internal v.g.4 √ √ √ √ 2. outsource decision support Learning – capability to deliver. Where appropriate. budgets) ROI for IT investments (business benefit) Status of critical risks Performance with respect to reliability and availability of critical services Complaints (QOS) and customer perception Number of significant reactive fixes to errors SLA performance by third parties Relationships with suppliers (quality & value) Capability e. process maturity HR measures for people involved in IT activities Internal and external benchmarks Audit weaknesses Business continuity status Investors √ √ √ √ √ √ √ Controllers Providers √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ Figure 2. In general.

p r o d u c t i v e behaviour (cf. based on the Balanced Scorecard technique Measurement reports and scorecards that a r e e a s y t o i n t e r p r e t . 13 . measures should be autom a t e d 2 Inhibitors Too much focus on technical measures ( e s p e c i a l l y i f t h e y a r e n o t a l i g n e d t o I T objectives) Lack of ownership and accountability Measures which are not straightforward to i n t e r p r e t o r e n c o u r a g e c o u n t e r. National Health Waiting Lis t t a r g e t s ) Measures which are expensive to collect or not focused on priority areas Too many measures obscuring relevant and important information Figure 2.5 3 3. w i t h e x p l a n a t i o n s of exceptions Where possible. 2nd Edition.Performance Measurement Enablers Support a n d o w n e r s h i p o f p e r f o r m a n c e m e a s u r e m e n t b y S t a k e h o l d e r s Measure s t h a t a r e a p p r o v e d b y a n d m e a n i n g f u l t o t h e S t a k e h o l d e r s Measure s t h a t a l i g n w i t h a g r e e d I T o b j e c t ives Measure s t h a t f o c u s o n p r o c e s s e s c r i t i c a l t o t h e s u c c e s s o f I T o b j e c t i v e s Measure s t h a t a r e e a s y t o c o l l e c t a n d u n d e r s t a n d Ta r g e t s t h a t a r e c h a l l e n g i n g b u t a l s o a c h i evable Measures that are balanced e. the IT Governance Institute®. Board Briefing on IT Governance.g.

. . . . . . . . . . The roadmap is an iterative lifecycle that begins with an initial phase to define overall goals and to gain the support and commitment of top management which then leads to the ongoing effective governance of IT activities. . . . . . . .2 How to get started – the key initial activities .15 3. . . . The roadmap begins with establishing clear goals and objectives in order to align effort with the real needs of the enterprise. . . . 3. . . . .1. . . . . . . . . IT Governance is an ongoing task and therefore this roadmap is only the initial phase of what needs to become an iterative sustainable approach. . . . Typical objectives of the initial implementation phase Define the meaning of governance in your organisation and where/if IT Governance fits Identify any organisational/environmental/cultural constraints and enablers Achieve a broad understanding of IT Governance issues and benefits across all stakeholders Agree.IT Governance Developing a Successful Governance Strategy 3 T Implementation Roadmap 3.1 “Agreed” √ 14 . . . . . . . . followed by the key implementation tasks with suggested roles and responsibilities. tools and processes Completion of an initial gap analysis against best practice – to demonstrate where IT Governance is already in place and to highlight areas of focus for the roadmap Creation of a Project Initiation Document (PID) and/or Terms of Reference (ToR) that has the support of stakeholders Creation of a Project Plan with definition and prioritisation of the initial ITG project deliverables Identification and commitment of the resources required to deliver this initial project Identification and sign-off of Key Performance Indicators and Critical Success Factors for this project Documented estimated timescales and resource (£s and FTE) implications as well as expected ROI Alignment of the ITG Initiative with business objectives/strategy Figure 3. . . . . . . . .16 his chapter describes an “Implementation Roadmap” for activating an effective IT Governance programme to deliver the above benefits. The roadmap then consists of activities to get started. . . . . . . . . . . . . . . . . . Figure 3. . . . . . . . publish and gain acceptance of an initial IT Governance framework. .1 What are the goals and success criteria? .1 suggests some success criteria for this initial phase of IT Governance. . . to manage expectations. . . and is based on the practical implementation experiences gained by the IMPACT IT Governance SIG members. . . .3 Who needs to be involved and what are their roles and responsibilities? .14 3. . . . . . . . . . . . . . . . . . A generic set of initial objectives has been identified by the SIG and is shown in Figure 3. . . . .1. . . . . . . .1 What are the goals and success criteria? Implementing IT Governance for many organisations will mean major changes. . . . . . . . . . . . . It is important therefore to not only have highlevel sponsorship but also the active involvement of key stakeholders. . . and to ensure continual focus. . .

i.Where current approaches have not worked or caused serious failures Identify skill set and capabilities needed from people involved Identify existing good practice (‘pseudo governance’) or successes that could be built on or shared Identify cost/benefit arguments – why do we need to do anything? Identify inconsistencies in process/practice Identify opportunities for “rest of business” to get involved in IT Explore opportunity to adopt industry best practice model. based on analysis of the current environment. warts and all. they become Business as Usual practices Figure 3. followed by implementation itself. Planning These are recommended implementation planning activities together with some critical success factors: Activities • Identify champions . to look for easy fit/implications Changes are sustainable and institutionalised. about project success /failure.1 “Done” √ 3.Implementation Roadmap 3 Success criteria for the initial implementation phase Key stakeholders identified. activation consists of two steps – planning. and gained support.Stakeholders (including partners). Input providers.e.1. engaged and actively involved Key stakeholders contributing towards and able to explain and support the business case for ITG Stakeholders have an understanding of the expectations of the IT Governance initiative Some initial ‘quick wins’ have been identified and implemented – to make governance “real” Acceptance of the published IT Governance framework by those responsible for implementation An effective communication plan – who to. to overcome any barriers and to motivate change Current key IT projects mapped against ITG plan. or standards framework Utilise external influences Create a measurement approach for an area or activity to expose actual evidence of problems Do some gap analysis against industry best practice CSFs √ √ √ Authoritative and articulate champions Available skills and capabilities Well prepared business cases approved by stakeholders Real opportunities for the business to see the benefit of participating Practical and useful governance approaches Effective and useful measures Expose the truth /whole picture. showing how governance can be helpful • • √ • • • • • • • • • √ √ √ 15 . when etc. what. and where governance could enable ‘hotspot’ resolution: .Strategy? Delivery? IT Cost? Architecture? .2 How to get started – the key initial activities Having set the goals. IT strategy committee (council) members Establish IT strategy committee (council) Identify IT “hotspots” in the organisation.

Focus on critical but easier to address areas .Consider one business area first. 3. should be involved in an IT Governance initiative.Identify risks and a risk mitigation strategy Gain approval from Senior Management (the higher the better within the Enterprise) Find reference site. Thanks to Legal and General for the concept. and their interests. emphasising that everyone has a part to play in enabling successful IT outcomes.Assess projects first . A key characteristic of any successful IT Governance initiative is the establishment of an enterprise-wide approach that clearly sets out roles and responsibilities. 16 . .Set realistic timeframes . and break down barriers .3: This timeline is generic and intended only to be an example – it is based on the SIG’s experience.Agree success criteria/quality criteria .Build up operational performance improvement progressively based on prioritising maximum return for lowest cost . together with some critical success factors: Activities • Create a sound project structure . others later .IT Governance Developing a Successful Governance Strategy Implementation These are the recommended activities to start up the implementation roadmap.Aim to establish some successes while learning how to be effective CSFs √ √ √ √ √ √ √ Good project management (set the governance tone) Expectations set correctly Approved business case Manage IT like you manage the rest of the business Convincing reference sites Successful pilot Address quick wins first to demonstrate results and realise benefits before attempting any major changes • • • • • All three generic groups of stakeholders.Who/what/how frequent/purpose Do a pilot activity (demonstrate the business case) to show how it would work and demonstrate potential benefits Follow a phased introduction.3 Who needs to be involved and what are their roles and responsibilities? Figure 3.Define scope (what is included/excluded) and deliverables .g.Allocate suitable resources and roles . or external examples to learn from Build communication plan to gain buy-in. e.

incentives.Implementation Roadmap It may also be helpful to include an external. facilitator to provide an objective and neutral position. facilitator. provide advice Compliance officers • Ensure that IT complies with policy. business partners and project sponsors • Implement organisation and necessary infrastructure • Take ownership of requirements • Champion and collaborate in IT governance activities • Ensure business strategy and objectives are set and communicated and aligned with IT • Assess business risks and impacts • Establish reporting processes meaningful to stakeholders • Communicate any business concerns in a balanced and reasoned way • Provide project champions. monitor risks.1 Controllers Internal and External Audit • Scope audits in coordination with governance strategy • Provide assurance on the control over IT • Provide assurance on the control over the IT performance management system Risk Management • Ensure that new risks are timely identified. creating the seeds of change User representatives • Take responsibility for Quality Assurance programme (design and output) • Regularly check actual results against original (or changed) goals • Provide service feedback to providers Providers IT management (internal and external). laws and regulations Finance • Advise on and monitor IT costs and benefits • Provide support for management information reporting • Incorporate governance requirements into purchasing/contract process 17 .3. making available additional resources if required • Insist on and seek measurable benefit realisation • Coordinate overseas/satellite parts of the enterprise to ensure their interests and constraints have been considered • Create organisation and structure to ensure board involvement in the governance process – by forming committees. 3 Investors Management board (authority to make things happen) • Give direction backed up with adequate support and sponsorship • Balance requirements with available resources. project manager. or internal.3. identify concerns • Assess IT capability.1. process owners) • Undertake core tasks • Report progress to plan Figure 3. correct deviations Business and IT senior managers. senior responsible officer. identify gaps • Initiate a continuous improvement programme • Develop business cases for improvements • Design and implement solutions • Commit skilled resources • Establish performance measurement system • Report to senior management • Respond to QA feedback from customers Suppliers/business partners • Integrate any own existing or planned governance practices with customer’s • Support and contribute to customer’s governance approach • Agree service definitions. with support from business management • Take ownership and set direction of IT Governance activities • Build and achieve a pilot business case IT management • Set IT objectives • Define IT governance and control framework • Identify critical IT processes • Assess risks. measures and contracts/agreements Training and Development • Ensure adequate education and communication HR function • Incorporate governance principles into induction and performance measurement process Core team • Define plan and deliverables • Organise team and roles (architects. The suggested generic roles and responsibilities of the three main groups are shown in Figure 3. establishing reporting processes • Monitor performance.

. . . . . . . . . . . . . It is critical to influence these groups positively so that they understand the objectives and benefits of IT Governance and are able to communicate consistently to each other and within their groups (Figure 4. . . . . .22 T Governance and risk management is about improving the management and control of IT activities and enabling top management to exercise proper oversight. . . . . . . . the right language must be used. . . . . if it is difficult for those literate in technology and relatively close to the IT function. . . . . . . . . . . however there may be common elements. . . . . . . . . .5 Change roadmap . . . . . the language used must be understandable. and their interests. . . . . . . . . . . . . . . . . . . . When considering who needs to be influenced for successful IT Governance. . . . . However all of these improvements will only have a chance of succeeding in a sustainable way if the culture of the organisation is changed to drive and support the desired new management approach. . In order to best influence stakeholders. . . and communicate the major objectives and benefits of IT Governance throughout the organisation.18 4. . . . . . . . . . . . . relevant to the intended audience. .20 4. . . . . . . Effective communications will ensure that “everyone is on the same page” – that key issues have been grasped. .20 4. . . . . . . . . . . . . . . . . . better processes. . .1 Who do we need to influence? A fundamental element of IT Governance is change. All three generic groups of stakeholders. . To achieve this. . . It is also vital to recognise the main stakeholders impacted by the change. . . . . . Effective communications are a key enabler of these changes. . . . . . . . . just as poor communications can create a legacy of misunderstanding. . lack of trust. . . . . . . 4. .1 Who do we need to influence? . . . . . . . . . . . . . . . . . . . and everyone understands their role. . should be involved in an IT Governance initiative. best practices and management techniques are required. . . . . . . Stakeholders must understand and feel responsible for safeguarding against IT risks. . . . . . . . . . . . . Communication and cultural behaviour. . . . . . . . . . . . .IT Governance Developing a Successful Governance Strategy 4 I Communication Strategy & Culture 4. . . . . . . . . . . . . . based on appropriate influencing strategies are therefore key ingredients of any IT Governance improvement programme. . . Whatever the topic is about. . . . . . . . . . . . . and technical mystique and hype in many organisations. . identify why we want to influence a particular stakeholder. Identifying and gaining the support of key influencers of success and failure help enable successful communications strategies. . .3 Communication best practices . . . . . . . . . . . . . . . . . . .19 4. . . . . . . . . . . . and identify any resistance that needs to be overcome. . . objectives have been positively accepted by management and staff. controls. . . The roadmap to follow for cultural change and effective communication will therefore be unique to each organisation. Every organisation will have its own existing culture and choice of IT Governance approach that it wishes to adopt. . . Wake-up calls are sometimes required at the highest levels. . . . . . . . . . . . . . . . . . . . . . . . . . . . it is important to remember that different messages are needed for different stakeholders. . . . Given the significance of IT both in terms of investment and potential impact on the business – the risks of IT and of failing to exploit IT for strategic advantage must be stressed in any communication about IT Governance. . . . . As we said earlier. . . . Positive attitudes need to be promoted and used to influence others. . . . . . . .4 Developing an influencing strategy . . . then it is even worse for the end customer who finds technical jargon a smokescreen and lack of information relevant to his business a major headache. . . . . . 18 . . and motivate positive attitudes towards change. . . . .2 What are the key messages? . .1). . .

key customers of IT services Business Partners External investors/shareholders – as part of corporate governance • • • • • • • • • Providers Project and change managers (IT and Business) Programme managers Business managers and users Technical delivery and support teams Key players e. based on three primary IT Governance objectives and the related benefits that can be realised (Figure 4. ISO. lack of business understanding and poor appreciation of the other party’s requirements and issues. particularly with third parties • Working in partnership – equal investment and responsibility + Agility to respond to change • Clear accountabilities Management Control/Quality Management Performance Improvement • Standardised processes + Risk mitigation • Consistent approaches + Continuous efficiency and quality improvements • Comparison/adoption of external best practices (e.g. project champions Relationship managers and internal communications teams Suppliers (especially outsourced service providers) Contract and procurement management Peripheral players/influencers/policy owners e. ITIL) + Transparency and confidence about measures • Professional IT services • Management of risks Figure 4.g. the right language must be used. Ability to address these Objectives IT and Business strategic and operational alignment • IT and business working towards the same corporate goals • Architecture and other technology approaches seen as relevant and value adding to the business will realise these Benefits RoI/Stakeholder Value. CMMi. Transparency and Accountability + Shareholder Value + Leveraging investments for greatest return + Better use of IT capabilities + Cost effective IT solutions Effective Relationship Management (internal and Opportunities and Partnerships external) + Increased synergies • Mutual understanding of goals + Improved speed to market • Shared language and terminology + Improved efficiencies. Ideally. business sponsors. and communicate the major objectives and benefits of IT Governance.g. Facilities Management. Legal • • • • • • Controllers Internal audit and external audit (due diligence) External regulators Corporate governance coordinator Risk managers Compliance – regulatory and internal Finance/Project Managers/IT and business managers – reviewers of benefits/ROI Post investment appraisal/post project review teams • Key Messages • • • • Benefits of governance Why we need to do it Impact on the business strategy Commitment to support action plans • • • • Benefits of governance Why we need to change Your role and responsibility How you need to change • • • Need for independent assessment and assurance Relate to real business risks and impacts Work positively with management to address control needs Figure 4.2 19 .Communication Strategy & Culture 4 Who needs to be influenced? Investors • • • • • The Board IT Council/Management Team Senior business unit managers e.2 What are the key messages? In order to best influence stakeholders. Communications will improve if the business views the technology provider not as a simple enabler but as a valued business partner and if IT presents benefits in the language that the business understands. An inability to communicate effectively has been one of the major causes of IT failures. The following are examples of some of the key messages that need to be communicated.g. HR. + Increased assurance that controls are working CobiT.1 4. with too much technical jargon. and a balance has to be found between the business trying to understand IT and IT trying to understand the business.2). a common language is required.

and brokered an alternative solution. If this is not positively communicated. reputation and m a r k e t i n g a d v a n t ages. Behaviours will need to be changed and care should therefore be taken to ensure that participants will be motivated and see the benefits of the new approaches. Recommended approaches If IT risks are not communicated effectively.Consider known and new risks across both business and IT (e.g. inefficiencies. planning and implementing IT management changes. loss of service etc. g .Calculate a risk factor = likelihood x impact . then stakeholders will not appreciate their real impact.U s e c a s e s t u d i e s to illustrate business benefits as a direct result of effective g o v e r n a n c e . failure to respond to changing markets etc. e . projects with “unexpected outcomes”) to illustrate how issues might arise. productivity. financial losses. misuse of t e c h n o l o gy.IT Governance Developing a Successful Governance Strategy 4. its objectives and strategy. . reduced costs. .3 Communication best practices The experiences of the IT Governance SIG have shown that it is best practice to emphasise the importance of controlling IT related risks when communicating the need for IT Governance. In particular. i. The strategy should identify opportunities for the active involvement of stakeholders in developing the governance approach. The communications plan should be based on a well-defined influencing strategy.U s e c a s e s t u d i e s to illustrate how effective governance has identified risk t o t h e b u s i n e s s . a deviation from current priorities. take the issues seriously. 20 . mitigate or assign Using common business language: . or be motivated to insist on better controls. Management will resist it as a barrier to getting the job done. . c o n t r a c t u a l i m p l i c a t i o n s Critical Success Factors Involve all relevant stakeholders in a facilitated workshop environment Get clear ownership an d f u n d i n g c o m m i t m e n t f o r r i s k m i t i g a t i n g a c t i o n s Monitor/track all actions 4.Use case studies that have impacted the business or other businesses (e. badly managed operations and ineffective project management. loss of competitive advantage. or another management fad. Scenario modelling with risk assessment and mitigation: . focus groups etc.Consider options – accept. I d e n t i f y r e l e v a n t e x a m ples of governance providing business benefits beyond the b a s i c r e q u i r e m e n t o f e videncing control. i. as well as understanding the consequences of accepting responsibility. b) The “upside” business risks of not exploiting IT effectively. The stakeholders are likely themselves to be the targets of change and should be involved in discussing/ evolving responses to the change via collaborative workshops.e. and instead are surrounded by hype and complexity.L e g a l / r e g u l a t o r y. improved quality.e. external audit requirements) .4 Developing an influencing strategy Critical to the success of any IT Governance initiative is an effective communications plan.How governance can help mitigate the risk . make sure stakeholders understand and feel responsible for safeguarding against risks that would not exist if they had put in place effective IT Governance controls: a) The “downside” business risks associated with the use and function of IT. The following approaches are recommended to ensure risks have been properly appreciated: Emphasise the business impact of risks associated with misaligned IT strategies.Te c h n o l o g i c a l r i s k i n f i n a n c i a l / e c o n o m i c / b u s i n e s s t e r m s . critical service outages. Show how these risks can be mitigated by effective controls.g. then IT Governance will not be perceived as part of the corporate mission with Board level support. and ideally building specific change objectives/targets into personal performance plans. damage to reputation. virus attacks.

e.Communication Strategy & Culture 4 Influencing style examples Asserting • Stating expectations of improved IT Governance and consequences of not adopting the new control model Evaluating current capability. backed up by the personal reward scheme • Persuading Proposing new management approaches.1 shows different change approaches that can be used. and exposing unacceptable performance Creating incentives by setting clear IT Governance objectives. by educating top management about the key IT issues and the benefits IT Governance can provide. For IT Governance initiatives experience shows that the best approach is incremental change evolving and adapting of current practices to a new collaborative IT management approach.4. examples of the communications involved and the associated leadership styles. by breaking down technical barriers and encouraging shared responsibility for IT outcomes Listening to user feedback about IT services and encouraging suggestions via satisfaction surveys Disclosing IT problems and incidents seeking workable solutions instead of covering them up • Attracting Finding Common Ground by developing corporate mission statements and policies about IT Governance with support from the Board Visioning by IT and the business developing shared strategies and action plans. more ownership in the business of IT projects • Bridging Involving the business in IT decision making. based on development workshops Reasoning that changes are needed.4.1 21 . delivery quality etc. backed up by measurable and accountable objectives and targets • • • • • • Push Figure 4. Focus on Roles and Responsibilities Identify a n o v e r a l l s p o n s o r a n d s t e e r i n g g r o u p w i t h s p e c i f i c t a s k s a n d r e s p o n s i b i l i t i e s for lead i n g t h e c h a n g e Ensure t h e r e i s a c o m p l e t e s t r u c t u r e o f c a s c a d e d s p o n s o r s h i p d o w n t o t e a m / l i n e manager l e v e l Focus on individual situations Identify c h a m p i o n s ( t h o s e h i g h o n i n t e r e s t a n d / o r i n f l u e n c e ) Use suc c e s s e s a s b e n c h m a r k s D i s s e m in a t e a c r o s s t e a m s a n d s u p p o r t f o rmation of new teams Figure 4. The following table shows four typical influencing styles. Figure 4. It is important to select the most appropriate style taking into account who needs to be influenced and on what topic. based on business priorities. best practices. risk management. standards for IT activities.4 Pull The influencing strategies need to be designed to work in specific situations with the individual influence targets identified.g.

failure to meet business needs. Julia Balogun.5. Them and us attitudes.5. Gerry Johnson. Figure 4. measures in customer’s terms. Collaboration. The following techniques (Exploring Strategic. Divisive. Cranfield University) can help guide the best path to follow. To do this you must: Analyse the existing state Define the desired state Cultural style and paradigms are formed from several characterictics which can generally be illustrated as shown in Figure 4. standards and best practices owned by the organisation. budget overruns. project success stories. Hidden agendas.1 Desired Effective business and IT alignment: Demonstrable RoI. Kevan Scholes.5.5 Change roadmap Every organisation will have its own existing culture and choice of IT Governance paradigm that it wishes to adopt. measures in provider’s terms and a general lack of transparency leaving top management in the dark. Change Veronica Hope-Hailey. IT seen as business enabler. Characteristic Myths and Stories Current Poor business and IT alignment: Project failures.1 illustrates some of the typical current and desired IT Governance behaviours found in many organisations today. and can be used to assess how your organisational culture and management style currently deals with the governance of its IT activities and what cultural style it desires. Figure 4. lack of business terms. poor service.5 Figure 4. Symbols Power Structures Organisational Structures Control System Routines and Rituals 22 . Based on departmental units and who knows the most. The roadmap to follow for cultural change and effective communication will therefore be unique to your specific situation. user satisfaction. transparent reporting to top management. business driving IT.IT Governance Developing a Successful Governance Strategy 4. Based on defined processes. Joint forums for monitoring progress. Business literate in IT issues and opportunities. Partnerships. IT seen as overhead function. Common language based on customer needs. Mystique and technical jargon.

. . . . . . Improving the maturity of IT capability both reduces risks and increases efficiency – cost saving is often a justification. . .Capability Maturity Assessment 5 M Capability Maturity Assessment 5 5. . . . . .1 Why IT capability is important . surveys and assessments carried out around the world have shown that in general IT capabilities have not kept pace with increasing IT complexities and the growing demands for reliable. . . . . . and carry out these analyses as part of any due diligence review. . . . Improved workforce planning and investment to ensure recruitment and more importantly. . or service providers fail to deliver the value promised. . . . . . To exercise sufficient governance and oversight. . . . . . . . . . . . technology. . of skilled IT staff. . . . . . . . . . . . . . .23 5. facilities. . . . . . . . . . . . . . . . . . In many organisations board level management have a very unclear view of their IT capability. Agreement then must be reached regarding where and how to address inadequacies. . . . . . . . . Using the CMM scale it is rare to find even a defined (level 3) process in many organisations. . . . . . . . . . . . .23 5. .1 Why IT capability is important A key to successful IT performance is the optimal investment. training and development needs are fully identified and addressed for all staff. . . . . . . . . use and allocation of IT resources (people. . .24 5. . . . . . . . . . . . . Often inadequacies only manifest themselves when projects fail. . . . . . . . 23 . . . . . . or accepting the risks. . . . . by either investing in the internal infrastructure or seeking externally provided outsourced resources. . 5. . . and then take the necessary action to rectify weaknesses. data) in servicing the needs of the enterprise. . . . . . and assessments usually reveal significant weaknesses and an IT capability disproportionate to the high dependency organisations have on their IT service providers. senior management should insist on objective and regular assessments of their internal and externally provided IT services to ensure any inadequate capabilities are exposed before serious problems occur. . . . technology. . . . . . . . . . . data) to ensure that they are capable of supporting the current and proposed IT strategy is a key aspect of IT Governance. . . facilities.26 onitoring and assessing the adequacy of IT Resources (people. . . . . . . . . . . . . . . . . . . . . . operational systems crash.3 Setting maturity targets and considering improvements . . . . . . . . . . . . . . . . . . . . . . or request third party certifications when considering outsourcing or during mergers and acquisitions. . . . . Boards need to address appropriate investments in infrastructure and capabilities by ensuring that: The responsibilities with respect to IT system and services procurement are understood and applied. . . . . . . . . . retention. . and find it very difficult to understand the technical and organisational IT environment upon which they increasingly depend. . . applications. . . . Appropriate facilities are provided and time is available for staff to develop the skills they need. . . . . .5 Self-assessment tools . . . . . . . . . . . . . Cost control and reducing inefficiencies are also important reasons for reviewing technical and organisational capability. . . . . .25 5. . Most enterprises fail to maximise the efficiency of their IT assets and optimise the costs relating to these assets. . .4 Roadmap for sustaining the approach . secure and flexible services. . . . . . . . . . the biggest challenge in recent years has been to know where and how to outsource and then to know how to manage the outsourced services in a way that delivers the values promised at an acceptable price. . . . . . . . Appropriate methods and adequate skills exist to manage and support IT projects and systems. . . . applications. . . . IT education. . . Management should insist on objective and transparent assessments. . . This technique focuses on the IT management processes that control IT resources. In recent years. . . .2 How to measure IT capability . . Capability Maturity Modelling (CMM) techniques (CMM was created by the Software Engineering Institute with Carnegie Mellon) are increasingly being adopted by many organisations for assessing IT capability. . . . . In addition. . . . . . costs spiral. . . . . . . . . . .

minimising service incidents.a d j u s t i n g t h e I T s trategy Adjusting goals I m p r o v i n g c a p a b i l i ty O u t s o u r c i n g w h e n cost-effective The measurement of IT capability should be an objective assessment oriented towards business requirements.2 How to measure IT capability To ensure IT resources are managed effectively.”8 5. Identifying and anticipating the required core competencies in the workforce is essential. The following principles are recommended when carrying out an assessment: Set Scope Select a reference model based on standards and best practices most suitable f o r y o u r b u s i n e s s .A n a l y s i n g a n y g a p s i n capability . The Capability Maturity Model (CMM) approach first developed by the Software Engineering Institute for measuring software delivery capability is increasingly being adopted as the basis for assessing overall IT capability. human resources represent the biggest part of the cost base and on a unit basis the one most likely to increase. Effective management of the lifecycle of hardware. This will ensure that the current “as-is” and required “to-be” capabilities are realistic and measurable enabling any gaps to be identified and a plan to be drawn up to rectify any shortcomings. S E I .A s s e s s i n g t h e c u r r e n t capability of these IT processes . the KPIs and KGIs recommended by CobiT) Ensure simplicity and fl e x i b i l i t y Limit the number of m e a s u r e s . g .C C M .IT Governance Developing a Successful Governance Strategy Boards needs to ensure that IT resources are used and managed wisely by ensuring that: Appropriate methods and adequate skills exist in the organisation to manage IT projects. S i x S i g m a . When these are understood. . a n d a v o i d information overload Consider the following critical success factors: Appropriate level of ow nership Avoid complexity and b e flexible 24 . e . service contracts. but also for managing changes. retention and training programme is necessary to ensure that the organisation has the skills to utilise IT effectively to achieve the stated objectives.2). and assuring a reliable quality of service. an effective recruitment.D e t e r m i n i n g t h e r e q u ired capability .D e f i n i n g a n d j u s t i f y i n g necessary improvement projects or .R e .g. P M B O K – perhaps considering weighting measures Use an acceptable measurement methodology agreed with the stakeholders which is defined and transparent Set a baseline in the context of 1 and 2 above and present the current state assessment using a scale or rating system Set reasonable objectives for the targeted level of capability Define measures which relate both to “the journey” as well as the “end goal” (e. The capability assessment should be: B a s e d o n a l i g n m e n t o f IT goals with business goals Ta r g e t e d a t t h e I T p r o cesses critical to business success by. IT capability should be assessed on a regular basis and whenever resources are critical to strategic IT decisions. C o b i T. and changing business requirements. Of all the IT assets. m i n i m i s e m e a s u r e m e n t o v e r h e a d . This model provides a standard scale for assessing the maturity of any IT process on a five-point scale (figure 5. I T I L . software licences. IT assets are complex to manage and continually change due to the nature of technology. I S O 9 0 0 0 / 9 0 0 1 . T h e b e n e f i t s a c c r u i n g fr o m a n y s e r v i c e p r o c u r e m e n t a r e r e a l a n d a c h i e v a b l e . and permanent and contracted human resources is a critical success factor in not only optimising the IT cost base.P r o v i d i n g t r a n s p a r e n t visibility of the capability position .

and will be successfully implemented. Propose a c h i e v a b l e s o l u t i o n s 5. will be supported and funded by management.3 Setting maturity targets and considering improvements The real value of a capability assessment comes from the identification and implementation of cost effective improvements. Identify g a p s – p r i o r i t i s e i m p r o v e m e n t s 5.4 Roadmap for sustaining the approach Having initiated a capability assessment approach. Understa n d t h e e n v i r o n m e n t 2. t r a i n i n g a n d t o o l s Create a r e p e a t a b l e p r o c e s s a n d a g r e e f r e q u e n c y o f r e p o r t i n g Where p o s s i b l e a u t o m a t e m e a s u r e m e n t a nd reporting Assess a c h i e v e m e n t a g a i n s t t a r g e t s a l o n g s i d e o t h e r b u s i n e s s a s u s u a l t a r g e t s Figure 5. Set real i s t i c t a r g e t s a n d r e s p o n d t o e n v i r o n m e n t c h a n g e s 4. The following approach is recommended: 1. The following practices are recommended to help ensure the process is sustainable A r t i c u l a t e c u r r e n t c a p a b i l i t i e s i n r e l a t i o n t o an adopted framework S e t c u r re n t l e v e l s o f c a p a b i l i t y i n t h e c o n t ext of external comparisons 25 . a capability assessment process needs to be implemented as part of normal business procedures. and perhaps performed a pilot project. A realistic and practical approach is required to ensure that the proposed improvements are based on business priorities.2 5.Capability Maturity Assessment 5 E m b e d measures into business as usual processes Ensure s t a f f h a v e a d e q u a t e s k i l l s . Establis h c a p a b i l i t y i m p r o v e m e n t f r a m e w o r k 3.

It is based on the four domains of CobiT.5 can be used to help show overall capability at a high level. redundant effort Describe the benefits of implementing improvements in specific areas Describe the projected effect on the business after delivery of enhancements Initiating and sustaining capability enhancements Agree steering and review mechanism. i. s t a k e h o l d e r s a n d s p o n s o r s a s w e l l a s t h e w i d e r community where there i s l i k e l y t o b e a g e n e r a l i n t e r e s t i n o u t c o m e s Periodically review the o b j e c t i v e s a n d r e s e t g o a l s i f n e c e s s a r y. A management workshop can be used to arrive at an approximate initial assessment without extensive analysis. additional costs or risks. late or non-delivery of the strategic development programme. r e l e v a n t Motivate everyone invo l v e d b y p u b l i s h i n g a n d c e l e b r a t i n g s u c c e s s e s Agree key measures a r o u n d i m p l e m e n t a t i o n o f i m p r o v e m e n t s a n d m e a s u r e s o f resultant business bene f i t – m a k e p a r t o f a w i d e r I T b a l a n c e d s c o r e c a r d Agree communication t o t a r g e t s . sponsorship etc. s u s t a i n a b l e . The extent of the analysis depends on how precise you wish to be. broken down into the 34 CobiT sub-processes. Agree on prioritised programme of improvements L o o k f o r c o n t i n u o u s i mprovement opportunities where improvement is relevant or necessary F o l l o w t h e 8 0 : 2 0 r u l e .5 Self-assessment tool The simple self-assessment diagnostic in figure 5. d o n ’ t i m p l e m e n t m o r e t h a n i s n e c e s s a r y Embed all improvement s a s “ b u s i n e s s a s u s u a l ” . inability to realise opportunities. 26 . n o t a o n e .IT Governance Developing a Successful Governance Strategy State the effect on the business of the current IT capability state of affairs. c h e c k i n g v a l i d i t y o f goals against business s t r a t e g y 5. e .o f f i n i t i a t i v e All improvements shoul d b e a c h i e v a b l e . Describe the ramifications of NOT improving capability e.g.

5 Defined Ad hoc 27 .Capability Maturity Assessment 5 Optimised Managed Importance Repeatable IT Process/Maturity Planning & Organisation PO1 Define a Strategic Information Technology Plan PO2 Define the Information Architecture PO3 Determine the Technology Direction PO4 Define the IT Organisation and Relationships PO5 Manage the Investment in Information Technology PO6 Communicate Management Aims and Direction PO7 Manage Human Resources PO8 Ensure Compliance with External Requirements PO9 Assess Risks PO10 Manage Projects PO11 Manage Quality Acquisition & Implementation AI1 Identify Solutions AI2 Acquire and Maintain Application Software AI3 Acquire and Maintain Technology Architecture AI4 Develop and Maintain Information Technology Procedures AI5 Install and Accredit Systems AI6 Manage Changes Delivery & Support DS1 Define Service Levels DS2 Manage Third-Party Services DS3 Manage Performance and Capacity DS4 Ensure Continuous Service DS5 Ensure Systems Security DS6 Identify and Allocate Costs DS7 Educate and Train Users DS8 Assist and Advise Information Technology Customers DS9 Manage the Configuration DS10 Manage Problems and Incidents DS11 Manage Data DS12 Manage Facilities DS13 Manage Operations Monitoring M1 Monitor the Process M2 Assess Internal Control Adequacy M3 Obtain Independent Assurance M4 Provide for Independent Audit H M M M M L L M M L L L M M M L M M H M L M L L L M H H L M M M M M Figure 5.

. . staff and auditors? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . be it an operational crash. . . . . Considering that a transparent and proactive risk management approach can create competitive advantage that can be exploited. . . . . . . . . . . . the IT Governance Institute®. .4 What are the roles of management. . Therefore. . not only financial risk. . . . .1 What are the risks? To enable effective Governance. . . . . where and how). . . . . . . . . . As a consequence. . 6. . . . retain and verify competence . Enterprise risk comes in many varieties. . . ensuring that the strategic objectives of the business are not jeopardised by IT failures. . . . . . . . . . . . . . .35 he management of risks is a cornerstone of IT Governance. . . . . . . . . . The following generic structure for expressing IT risks in any organisation is suggested: Business specific risk (e. . .5 Who needs to be competent? . . . .31 6. . . . . Insisting that risk management is embedded in the operation of the enterprise. when delegating to executive management. 2nd Edition. . . . . the board should manage enterprise risk by4: Ascertaining that there is transparency about the significant risks to the enterprise and clarifying the risk-taking or risk-avoidance policies of the enterprise. .g.7 How to obtain. . . . . . . . . .30 6. . . . . . . . . . . . . . . . . within which technology risk and information security issues are prominent. . . . . . .9 Key learning points . . . . . . . . . . . .29 6. . . . . . . . We must be conscious though that risk taking is an essential element of business today. . . The Bank for International Settlements. . .1 What are the risks? . . . . . . . . . . management are often concerned whether risks are being cost effectively addressed. . . . . . . . .3 How can standards and best practices be used – is certification useful? . . . . . . . . . . . . . Infrastructure protection initiatives in the US and the UK point to the utter dependence of all enterprises on IT infrastructures and the vulnerability to new technology risks. . . . . . . . . . . . . . . security breach or a failed project. . . . Operational risk of orders not being received) 28 4. . . . . . . . . . . and they need assurance that risks are under control. . . . supported by agreed principles of escalation (what to report. . The universal need to demonstrate good enterprise governance to shareholders and customers is the driver for increased risk management activities in large organisations. . . . . . . . . . . supports that view because all major past risk issues studied in the financial industry were caused by breakdowns in internal control. . . .IT Governance Developing a Successful Governance Strategy 6 T Risk Management 6. . a dependence on an increasing number of service providers. . . . . . . . . Board Briefing on IT Governance. . . .35 6. . . . . . . . . . . . . . . . . . . .31 6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . and limited reliable risk monitoring information. . . . . . . for example. . . . . . . . . . . .33 6. . . . . However. . . . . . . . IT risks should always be expressed in the business context rather than in the technical language favoured by IT risk experts. . . oversight and IT. . . . .8 When to source competence from outside . . . . IT related risks are increasingly a Board level issue as the impact on the business of an IT failure. . . . . . . . . . . . . . . . . . . . . . Being conscious that the system of internal control put in place to manage risks often has the capacity to generate cost-efficiency. . . . . . . . . . . . develop. can have devastating consequences. . . . . . . . Risk is as much about failing to grasp an opportunity as it is about doing something badly or incorrectly. . .6 What competence is required? . . . . managing IT risks and exercising proper governance is a challenging experience for business managers faced with technical complexity. . Regulators are specifically concerned about operational and systemic risk. . . .2 What is the best approach for risk analysis and management? . . . . . . . . . . .32 6. The first recommendation these initiatives make is for risk awareness of senior corporate officers. . . . . . . . . Being aware that the final responsibility for risk management rests with the board so. .28 6. . . . . . . . . . . . . . . . . . . making sure the constraints of that delegation are communicated and clearly understood. . . . . . . . Success will come to those organisations that identify and manage risks most effectively. . . . . . responds quickly to changing risks and reports immediately to appropriate levels of management. . . . . . . . . . . . when. . . .

top management must be able to recognise IT risks and ensure that significant risks are managed. Significance of an IT risk is based on the combination of impact (what effect the risk would have on the organisation if it occurred) and likelihood (the probability of the risk occurring). culture. Figure 6.2 What is the best approach for risk analysis and management? Risk management consists of two main elements: Risk Analysis R i s k M an a g e m e n t Having defined risk appetite and identified risk exposure. but these headings can be used as a guide (Taken from a global study by the Economist Intelligence Unit in 2002): Investme n t o r e x p e n s e r i s k Access o r s e c u r i t y r i s k Integrity r i s k Relevan c e r i s k Availabil i t y r i s k Infrastructure risk Project ownership risk The OGC’s M_o_R framework visualises four levels of risks in a pyramid with appropriate escalation to higher levels for significant risks (Figure 6. national and international regulations). Denial of service attack on Internet customer order system) Business risks are affected by the business environment (management style.Risk Management 6 Generic common IT risk (e. management and the board may choose to: 29 . strategies for managing risk can be set and responsibilities clarified.1 For IT to be effectively governed. IT availability risk) Specific IT risk (e. Because of the complexity and fast changing nature of IT.g. There is no single accepted set of generic IT risk definitions. 6.. Dependent on the type of risk and its significance to the business. education and awareness is essential to ensure risks are recognised – not just at the top management level but at all levels throughout the organisation.1). risk appetite. It is increasingly common for a dedicated risk management function to be established or for external advice to be obtained on a regular basis to ensure that risks are monitored and the rest of the organisation is kept informed. industry sector factors such as competition. reputation etc. Maintenance of a risk catalogue or risk register can be helpful to ensure that a thorough review of all IT related risks takes place on a periodic basis and for providing assurance to management that risks are being addressed. IT risks can be similarly affected.g.

2 is suggested by the OGC (OGC Risk Management Framework www. change enablement is required. internal audits and external audits/assessments are also helpful to ensure objectivity.IT Governance Developing a Successful Governance Strategy Mitigate. how to do it. They are most useful when applied as a set of principles and as a starting point for tailoring specific procedures. For technical areas such as Internet security. and be integrated with other methods and practices that are being used. To ensure effective and timely identification of risk. the use of a common language and a standardised approach oriented towards real business requirements is best – making sure everyone follows the same set of objectives. to be consistent with the risk management framework and be appropriate for the organisation. It is also important to identify the benefits of managing a risk as they can help to justify the business case for taking action.ogc. by implementing controls Tr a n s f e r. and a thorough approach.2 The analysis of IT risks can be very time-consuming and there is a danger of “analysis paralysis”.gov. however. The best practices adopted have. Benchmarking is another very useful way to compare how risk management is being addressed within the organisation in relation to best practice. Standards and best practices are not a panacea and their effectiveness will depend on how they have been actually implemented and kept up to date. b y s h a r i n g r i s k Accept. industry peer groups and other organisations.uk). management workshops involving knowledgeable and interested representatives from the business. as well as prioritising risk management actions. Conformance to generally accepted standards and practices can be very helpful when managing risks relating to outsourced services and third party suppliers. issues and priorities. the advice of an expert is likely to be required to ensure any technical vulnerabilities have been identified. Benefits can include financial savings such as reduced losses and improved efficiencies as well as intangibles such as improved reputation and image. To avoid practices becoming “shelf-ware”. Adoption of standards and best practices will help to enable quick implementation of good procedures and avoid lengthy delays re-inventing wheels and agreeing approaches. IT. so that management and staff understand what to do. audit and.3 Using standards and best practices – is certification useful? There is no doubt that effective management policies and procedures help to ensure that risks are identified and managed as a routine part of everyday activities. For risk management to be effective. if necessary external advisors. 6. Certification 30 . Risk management checklists are useful for raising awareness and reminding everyone of typical risk related issues. by formally acknowledging that the risk exists and monitoring it The following framework for managing risk in Figure 6. Figure 6. can help to rapidly pinpoint key risks requiring attention. and why it is important. Regular self-assessments.

and provide independent assurance to management. Providers. make sure that appropriate risk management plans are in place and are being followed in all key areas or provide improvement recommendations. skills must be transferred from the specialists to the rest of the organisation. or for raising significance within the organisation. staff and auditors? The ownership of IT risks. who are usually IT specialists. Investors and Controllers will have a good understanding of governance principles but they usually have a very poor understanding of how to apply these principles in the world of IT. escalating and delivering mitigating actions.Risk Management 6 against a standard may be important for helping to establish trust with trading partners. but there are standards and best practices covering specific areas.5 Who needs to be competent? A key characteristic of any successful IT Governance initiative is the establishment of an enterprise-wide approach that clearly sets out roles and responsibilities. In practice. In the IT environment there is no specific standard relating to risk management. The OGC make the following suggestions regarding risk ownership: Allocate r e s p o n s i b i l i t y a t a s e n i o r l e v e l f o r m a n a g i n g k e y r i s k s Ensure t h a t e v e r y r i s k h a s a n o w n e r . than operating effective management itself. Most IT Governance initiatives begin with the establishment of an IT Governance project team and the appointment of an IT Governance project manager. and monitor whether risks are being managed. and even costly investments being wasted. Certification may also only mean conformance with a baseline and may in itself not be sufficient to address all the risks in the organisation. Ultimately it is the business – the user of IT services – who must own business related risks including those related to the use of IT. ISO9000. IT management will then have a responsibility to endorse. IT and user staff have a responsibility to implement the framework. and giving direction for managing key risks is a fundamental aspect of IT Governance. Auditors can provide initial momentum by highlighting to senior management inadequate risk management practices or specific risks that are not being adequately addressed. 6. 31 . t h e r e may be separate owners for the actions to mitiga t e t h e r i s k s Ensure a n y o n e a l l o c a t e d o w n e r s h i p h a s t h e a u t h o r i t y t o t a k e o n t h e r e s p o n s i b i l i t y and that t h e y a r e a w a r e t h a t t h e y a r e t h e d e s i g n a t e d o w n e r Adopt a m e c h a n i s m f o r r e p o r t i n g i s s u e s – u l t i m a t e l y t o t h e i n d i v i d u a l w h o h a s t o retain o v e r a l l r e s p o n s i b i l i t y 6. provide the resources and funding to support any necessary risk management plan designed to protect their business interests. For IT Governance to be successful and sustainable. there is a danger that acquiring a certificate becomes more important as a marketing tool. PMBOK and Prince2 are the most widely used.4 What are the roles of management. emphasising that everyone has a part to play in enabling successful IT outcomes. In most organisations. assessing. potentially misguided actions. ISO17799. due to the complex and technical nature of IT. Implementation of effective IT Governance therefore depends on everyone having adequate and appropriate skills to fulfil their specific role. Over time the project team will become the specialists. establish and monitor the agreed risk management framework including key principles and mitigation strategies. conversely understand IT but have a poor appreciation of governance and control principles. but usually even these teams will require training to improve their competence in IT Governance concepts and implementation approaches. Audit should also align audits with key business risks and known areas of weakness. ITIL. The team is likely to be made up of people with some existing skills and relevant experiences. the IT service provider will need to provide guidance and work with business management to ensure adequate safeguards are in place. An absence of top management responsibility and accountability for risk management can result in serious risks being ignored. They should set the mandate for risk management. Of these CobiT. guiding and mentoring all role players. sometimes supported by external advisors. However.

Influencing skills – particularly.Risk management .Assess concerns .Ability to appreciate the impact of IT on the business.Be able to link the IT and business strategy.Stakeholder management – who should be involved and why . and show how IT supports and enables the overall strategic approach Ability to challenge: .6 Providers Role & Responsibilities IT management (internal and external).Uncover IT related issues . establishing reporting processes • Monitor performance. correct deviations Business and IT senior managers.6.2).Assess performance IT awareness and understanding: .Assess accuracy of requirements .Ability to make strong decisions relating to IT.Ability to understand how the business can use IT profitably .Ability to justify improvement actions . creating the seeds of change User representatives • Take responsibility for Quality Assurance programme (design and output) • Regularly check actual results against original (or changed) goals • Provide service feedback to providers Competence Required General executive leadership skills: . identify and prioritise key issues and actions .Awareness of overall business and IT strategy .Knowledge of the IT organisation and the wider business organisation . monitor risks.Probe business cases .Ability to communicate well in business language .6 What competence is required? Each group of role players will require different sets of skills to support IT Governance effectively (Figures 6.Understand the principles of regulation Supplier management skills: .IT Governance Developing a Successful Governance Strategy 6. and be able to direct and challenge IT approaches Ability to challenge: . identify concerns • Assess IT capability.Uncover IT related issues .Ability to think strategically – how can IT make a positive difference to enterprise strategy? .Budget management 32 .Assess impacts of risks and poor performance Ability to articulate requirements and monitor delivery: . Investors Role & Responsibilities Management board (authority to make things happen) • Give direction backed up with adequate support and sponsorship • Balance requirements with available resources.Contract and commercial management .Portfolio management .Aggregate assessment – be able to appreciate the whole IT picture.Assess and prioritise concerns . identify gaps • Initiate a continuous improvement programme • Develop business cases for improvements • Design and implement solutions • Commit skilled resources • Establish performance measurement system • Report to senior management • Respond to QA feedback from customers Competence Required Ability to manage overall IT activities: .Understand how to express IT related requirements. with support from business management • Take ownership and set direction of IT Governance activities • Build and achieve a pilot business case IT management • Set IT objectives • Define IT governance and control framework • Identify critical IT processes • Assess risks.Ability to understand the big picture and how IT plays a part . test deliverables and provide constructive feedback Figure 6.Assess performance .Ability to take a high level view and understand the rationales . making available additional resources if required • Insist on and seek measurable benefit realisation • Coordinate overseas/satellite parts of the enterprise to ensure their interests and constraints have been considered • Create organisation and structure to ensure board involvement in the governance process – by forming committees. business partners and project sponsors: • Implement organisation and necessary infrastructure • Take ownership of requirements • Champion and collaborate in IT governance activities • Ensure business strategy and objectives are set and communicated and aligned with IT • Assess business risks and impacts • Establish reporting processes meaningful to stakeholders • Communicate any business concerns in a balanced and reasoned way • Provide project champions.Ability to demonstrate value of IT to the business. from a value perspective but also from a risk perspective . able to influence the Investors . including return on investment .6-6.

mentoring and skills transfer competence so that others learn control theory . process owners) • Undertake core tasks • Report progress to plan People related IT Governance skills: .Understanding of sources of expertise Delivery management skills: . The IMPACT IT Governance SIG members have found that the following roles often provide people who would be effective in IT Governance roles.Objectivity and independence .6.Understanding of roles . laws and regulations Finance • Advise on and monitor IT costs and benefits • Provide support for management information reporting • Incorporate governance requirements into purchasing/contract process Competence Required How to apply good Governance practices effectively in IT: .Ability to communicate and explain the context of need for control. retain and verify competence Recruitment When considering who to place in IT Governance lead positions. measures and contracts/ agreements Training and Development • Ensure adequate education and communication HR function • Incorporate governance principles into induction and performance measurement process Core team • Define plan and deliverables • Organise team and roles (architects.Awareness of the business impact. be knowledgeable of real world examples .Ability to be practical and pragmatic .7 How to obtain.Coaching.1 Controllers Role & Responsibilities Internal and external audit • Scope audits in coordination with governance strategy • Provide assurance on the control over IT • Provide assurance on the control over the IT performance management system Risk management • Ensure that new risks are identified in a timely manner.Analysis ability – root cause determination .Negotiating skills to persuade others Figure 6.Understanding of IT processes. project manager. facilitator. staff in a number of existing positions may be excellent candidates. incentives. and the benefits of taking action . how they should be controlled. develop.Understand the business environment and its impact on IT . there is a need for breadth of business and IT knowledge rather than too narrow a specialisation. provide advice Compliance officers • Ensure that IT complies with policy. especially when creating an initial project team.2 6.Understanding of competencies required . Auditors Project M a n a g e r s Risk Ma n a g e r s Busines s A n a l y s t s Infrastructure Management Procurement/Contract Management IS Strategy – alignment with the business Quality Management Business Relationship Management Programme Managers However.Engagement and project management Figure 6.Ability to provide cost estimates . 33 .Risk Management 6 Suppliers/business partners • Integrate any own existing or planned governance practices with customer • Support and contribute to customer’s governance approach • Agree service definitions. the need for and justification of IT control . regulations etc. senior responsible officer. and how to monitor performance .Familiarity with best practices .6.Able to put theory into practice.Knowledge of corporate standards and policies affecting IT .

especially those holding key positions in controller functions. how IT affects the business. gaps in capability. T h i s i s e s p e c i a l l y true of external service providers.l o c a t i o n Enable job exchanges t o i m p r o v e a w a r e n e s s Providers Formalise documentatio n o f g o v e r n a n c e . and why IT needs to be controlled Focus on Professional training in IT Governance and consider certification in relevant skills Maintain continuing professional development Consider `soft` skills training to improve communication and influencing skills Retention of Skills The most effective way to retain IT Governance skills is by establishing standards and practices within the organisation rather than only within individuals. Establish an environme n t w h i c h f o s t e r s g o v e r n a n c e 3. especially from experts to operational staff P r o v i d e r s m u s t b e v a l ued for their governance skills and encouraged to invest in t h e m . s t a n d a r d s a n d b e s t p r a c t i c e s When training. This reduces reliance on key individuals and ensures sustainable processes are put into place. In addition: At all levels there will be a need to refresh skills continually because of the changing nature of IT S k i l l s t r a n s f e r s h o u l d a lways be encouraged. 34 . the IT related business risks. focus on s p e c i a l i s e d a n d r e l e v a n t a r e a s Organise internal event s t o r a i s e a w a r e n e s s Rotate involvement in governance meetings to improve understanding Use the results of assessments and maturity modelling to raise awareness of governance issues. removing cultural barriers and improving communications are all critical success factors for improving competence. Roll out the processes a n d s k i l l s 4. Training 2.IT Governance Developing a Successful Governance Strategy Developing Skills Demonstrating commitment by senior management for the importance of IT Governance and the value of being competent. Suggested techniques for improving skills by each group of role players are shown below: Investors Obtain external experiences to help position and challenge internal activities Obtain “360 degree feedback” C o n s i d e r a p p o i n t i n g E xecutive mentoring advisors Obtain and read Executive briefings Seek non-executive challenges to the Board C o n s i d e r e x t e r n a l E x e cutive IT awareness courses Foster cultural change activities Foster collaborative wo r k i n g a n d c o . and impact on the business of IT weaknesses Ensure management and control of IT is taken seriously Manage the transfer of s k i l l s f r o m t h e s p e c i a l i s t s t o t h e o r g a n i s a t i o n The sequence of events should be: 1. Measure compliance wi t h s t a n d a r d s a n d r e i n f o r c e Controllers Skills development is o f t e n m o r e a b o u t l e a r n i n g o n t h e j o b t h a n a b o u t t r a i n i n g courses Understand the business. Induction training is required for new joiners.

but are typically not understood in the context of IT T h e a p p o i n t m e n t o f a n I T G o v e r n a n c e m a nager and team should not be permanent b e c a u s e g o v e r n a n c e p r a c t i c e s h o u l d b e c ome business as usual 35 . forward-looking. focusing on competency aspects. competence will have to be developed within the organisation. This technique can also be a valuable awareness raising and reinforcing technique.8 When to source competence from outside Acquiring IT Governance competence from outside the organisation will be driven by two different objectives: When it i s m o r e c o s t . 6.7 Expertise IT Governance expertise exists within the Process owner and team IT Governance expertise is monitored and measured outside the Process Use of external experts and industry leaders for guidance.9 Key learning points The following list of key points have been identified by the IMPACT IT Governance SIG and should be considered when developing IT Governance skills: Skills optimisation Governance skills are normally found at the top level.h o u s e W h e n o u t s i d e i n p u t o f e x p e r t i s e i s b e n e f i cial in its own right However. if implementation of IT Governance is to be successful and sustainable. In many organisations where all or significant parts of the IT service have been outsourced. Another approach to verifying competence is to measure the maturity of IT Processes. responsibility and competence for controlling use of these services should still be retained internally. sustained implementation of IT governance then the environment will support continual skills growth. comparison to best practices 4 Managed & Measurable Understand full requirements Advanced. The chart below shows generically how this could be done based on guidance from CobiT’s Management Guidelines (Figure 6. Verifying Skills The best way to verify competence is to include governance skills in the appraisal process.Risk Management 6 If there is institutionalised. It is essential to retain sufficient skills internally to be able to sustain the business – and to understand and manage what is being outsourced. understanding 5 Optimised 6. since management of IT must be owned within the organisation. This should be based on performance on the job: Clear jo b o b j e c t i v e s a n d r o l e d e f i n i t i o n f o r I T G o v e r n a n c e IT Gove r n a n c e c o m p e t e n c i e s r e q u i r e d f o r r o l e Review o f c o m p e t e n c y p e r f o r m a n c e In addition. Generic Maturity Model for Governance Competence (CobiT) 1 Initial/Ad Hoc 2 Repeatable but Intuitive 3 Defined Process Understanding & Awareness Recognition Awareness Understanding of need to act Training & Communication Sporadic communication on issues Communication on the overall issues and needs Informal training supports individual initiatives Formal training supports a managed programme Training and communications support external best practices and use leading edge concepts Figure 6.e f f e c t i v e t o o u t s o u r c e s k i l l s t h a t a r e n o t a v a i l a b l e i n . surveys can be carried out periodically to measure the level of awareness in key competencies.7).

Roll out the processes and skills 4.IT Governance Developing a Successful Governance Strategy People must understan d why governance is important Governance skills need to be transferred from the specialists to the organisation as a whole The best approach to training is learning by doing and being part of the process The sequence of events should be: 1. Establish an environment which fosters governance 3. Measure compliance with standards and re-enforce 36 . Specialised training 2.

. . . and so governance should be focused on those relationships with the greatest risk and investment. . . . . . . this can lead to reluctance to take risks and a failure to seize technology opportunities. Effective governance of IT suppliers is therefore a key component of IT Governance. . . . . . . . . . . . . . . planning. .38 7. . . . . To some extent. the need to apply sound management disciplines and controls is even greater. . . There is a realisation that because IT is complex and has its own fast changing and unique conditions. considered openness and mutuality of benefit defines the basis for better working relationships. . . . Underpinning the customer/supplier relationship should be formal service level agreements which define objectives and measures in customer relevant terms. . . . . . . . . . . . . . . . management needs to be more aware of critical IT risks and whether they are being managed. . architecture. . . . . . . . . . . . . . . . . . ‘market relationship’ allows clearly definable boundaries between client and supplier. . provide for the oversight of the outsourcer. . . . . . . . . . . . . . .3 How best to select a supplier . . . . . . . . The outsourcing of a function or service is likely to be a major 37 . . Even when the bulk of IT is outsourced. . . . . . 7. . . . are highly specific to the way the business operates. . . . . the mix will vary with the reason(s) for outsourcing and which functions have been outsourced. . . . . . . . . . . and increasingly the trend is to outsource significant parts of the internal IT function. . . . . . . . . while the ‘partnership’ end of the scale requires an ongoing and close cooperation) How both parties engage with each other Commitment by both parties at a senior level Responsibility and accountability by senior decision makers on both sides Specification of governance responsibilities in a “governance schedule” within the contract Try to create a win/win partnership so that both parties are motivated for success – beating down the supplier is generally seen as poor practice. . . . However. . . . . . . .42 very organisation relies on numerous suppliers to support their business and IT strategy. . . . . . and software applications) used by critical business processes. . . . . . . . . . . . . . . . . . . . . several key functions should be retained because they supply continuity for clients of IT. . . . vendor management. . . if there is a lack of clarity and transparency when taking significant IT decisions. . . . . .1 Why is Supplier Governance important? “Because organisations are relying more and more on IT. . . . . . all organisations will need to retain some expertise in strategic functions. . . . . . Most organisations are highly dependent on a limited number of key suppliers. . . . and security. . . . . . . . . . . . . managed according to service management best practices such as ITIL. . One of the best ways to establish effective supplier governance is to focus on the relationship The correct form of the relationship (commodity provision. . . . . . . . . . .40 7. . .37 7. . . .40 7. operation and termination. to make sure that risks are managed and value is delivered from the investment in supplier products and services.2 The customer’s role . . . . . . . . . . . . . . . . . . . . The customer should take ownership of the whole transaction from defining requirements and selection all the way through to engagement. . . . . . . . . hosted data centres. . . . . . . . . For supplier governance to be effective the role of the customer is crucial. . Furthermore. . . . . . . . . . . . . . . . . . . .1 Why is Supplier Governance important? . . . . such as project oversight. . . .5 Service management techniques and SLAs . . . . . . . . It is not unusual for external organisations to provide critical IT infrastructure (such as telecommunications networks. . . while cooperation. . .41 7. . . . . . . . . . . . . . . . . . .Supplier Governance 7 E Supplier Governance 7 7. and are strategic to the organisation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . and so governance should to be focused on those relationships with the greatest risk and investment. . . .” (IT Governance – The Business Case) Most organisations are highly dependent on a limited number of key suppliers.4 The customer/supplier relationship . . .6 The supplier/outsourcing governance lifecycle . . . . . . . .

proper governance is crucial to help avoid potential service failures and large financial losses.2 The customer’s role For supplier governance to be effective.IT Governance Developing a Successful Governance Strategy strategic decision which should be governed carefully. or if critical infrastructure needs to be supported). The supplier is of course also a stakeholder and will want to ensure the relationship is properly managed. The customer should take ownership of the whole transaction from defining requirements and selection all the way through to engagement. Poor cultural fit 5% Provider's poor performance 8% Buyer's multi-buyer environment 3% Unclear buyer expectations 23% Poor communication 11% Other 11% Misaligned interests 15% Not mutually beneficial 11% Poor Governance 13% Figure 7. If the relationship is critical in support of the customer’s business strategy (which will be the case if significant outsourcing is planned. Only under a limited set of circumstances. the role of the customer is crucial. how customers perceive it and how it retains its position in the marketplace. then the customer’s role in ensuring effective governance will be particularly important and should address: 38 . It is essential that what is outsourced by the customer is NOT its core competency as this is what defines what the organisation is. one example being technology catch-up.1: Causes of outsourcing failures – source Outsourcing Center 2004 7. In such a complex technical and commercial situation. and that the financial and operational requirements are acceptable. It will be in the customer’s interest to balance the supplier’s needs with his own in order to arrive at a solution that provides reasonable incentives for the supplier while properly meeting the customer’s needs. Outsourcing is also a huge global commercial business opportunity for the service providers who will compete fiercely for market share. operation and termination. should core competencies be outsourced.

d o w n m a n a g e m e n t c o m m i t m e n t t o s u p p o r t a l l k e y d e c i s i o n s How to monitor and measure 1. Identify a limited range of meaningful and measurable key measures e. a n d i n a s h a r e d p r o c e d u r e m a n u a l w h e r e k e y r e s p o n s i b i l i t i e s a n d escalati o n p r o c e d u r e s a r e d e f i n e d . How to be an effective customer Organisation F o c u s on w h a t ’s c r i t i c a l Have the right capability to manage IT suppliers Ensure there are clear roles and respon s i b i l i t i e s o n t h e c u s t o m e r ’s s i d e o f t h e relationship Ensure there is an Executive level sponsor w h o w i l l b e r e s p o n s i b l e a n d a c c o u n t a b l e for all s ignificant decisions regarding key s u p p l i e r s Commit long-term Establis h relationships at multiple levels Organise suppliers according to criticality a n d r o l e s Technical Manage technical IT issues to ensure conformance where necessary and compati bility with in-house technical standards Ensure all relevant legal and regulatory requirements have been considered Standardise and commoditise solutions wherever possible S e t r e a l istic expectations regarding servic e d e l i v e r y Ta k e t i me to understand product and servi c e o f f e r i n g s U n d e r s t and how your own IT assets may b e a f f e c t e d b y s u p p l y o f e x t e r n a l p r o d u c t s o r s e r v i ce E n s u r e there is good control of the internal environment affected by the external supply Project Approach Ta k e c a re to manage all staff related issues S e t u p a co-ordination committee of senior customer representatives Make su r e t h e r e i s a p r o c e s s f o r b o t h p a r t i e s t o f o l l o w Build int o t h e r e q u i r e m e n t s a n d c o n t r a c t p l a n s f o r t r a n s i t i o n / t r a n s f o r m a t i o n f r o m t h e current s t a t e t o a n o u t s o u r c e d s e r v i c e Approac h c o n t r a c t s a n d r e l a t i o n s h i p s i n a balanced way ensuring risks have been consider e d i n t h e c o n t e x t o f t h e v a l u e e x pected from the supplier Avoid th e d a n g e r o f m i x e d m e s s a g e s c o ming from different parts of the customer organisa t i o n Make su r e t h e r e i s t o p .g.Supplier Governance 7 D i s c i p l i ne over managing the transaction and transparency of the results Indepen d e n c e f r o m t h e s u p p l i e r Accounta b i l i t y a n d r e s p o n s i b i l i t y f o r k e y de c i s i o n s Increasi n g s t a k e h o l d e r v a l u e ( b o t h i n t e r n al and for the supplier) Key gov e r n a n c e s t e p s a t e a c h s t a g e . b e s t d e f i n e d i n a g o v e r n a n c e s c h e d u l e i n the con t r a c t . Take ownership and define and obtain agreement for all measures 3.: Perform a n c e Financia l Risks Complia n c e Relation s h i p Value ad d e d Delivery 2. Supplier senior management should: 39 .

4 The customer/supplier relationship One of the best ways to establish effective supplier governance is to focus on the relationship: How both parties engage with each other Commitment by both parties at a senior level Responsibility and accountability by senior decision makers on both sides Specification of govern a n c e r e s p o n s i b i l i t i e s i n a “ g o v e r n a n c e s c h e d u l e ” w i t h i n t h e contract Make sure each party understands its role. Consider impact of any off-shore situations 7. Consider the size of supplier compared to your organisation and your requirements 3. several key functions should be retained because they supply continuity for clients of IT. However. provide for the oversight of the outsourcer. 40 . are highly specific to the way the business operates.IT Governance Developing a Successful Governance Strategy Provide data for all measures he is responsible for Monitor delivery performance Agree remedial action with customer C o m m i t r e m e d i a l a c t i o ns 4. Prepare an effective RFP 6. Consider pilots and pre-project trials 8. the mix will vary with the reason for outsourcing. Do due diligence reviews 5.3 How best to select a supplier The following steps are suggested: 1. To some extent. See key people 7. Consider the need to integrate several suppliers 4. Customer should: P r o v i d e c u s t o m e r s a t i s faction measurement data Consider benchmarking to other organisations and other services What functions should be retained by the customer? (Reference Forrester Research “Functions to Retain when Outsourcing. July 2004) Even when the bulk of IT is outsourced. and are strategic to the organisation. Check track record 9. 7. Customer IT service management should: Be responsible for monitoring and reporting Prioritise and recommend actions 5.4 summarises how IMPACT SIG members believe each group of stakeholders should focus in the customer/supplier relationship. Research the markets to identify preferred suppliers 2. all organisations will need to retain some expertise in strategic functions. Figure 7.

f i x e d penalties 41 . ITIL is recommended as the best source of guidance in this area. managed according to service management best practices. and the IMPACT SIG members recommended the following techniques: Use a s u p p l i e r g o v e r n a n c e f r a m e w o r k to drive service management practices (figure 7 . 5 ) .Supplier Governance 7 Party Stakeholder Focus Define outsourcing and procurement strategy Define supplier governance framework Provide supplier with strategic direction Approve contracts and any changes Consider future business requirements Define business objectives Evaluate performance Specify architecture Define business requirements Investors Customer Providers Manage relationship Manage projects Monitor service Verify financial ROI Manage contract Assess and monitor risk Controllers Ensure legal/regulatory compliance Perform financial analysis Ensure supplier service audit Establish security policy Define business objectives Protect supplier and customer investments Investors Commit resources for delivery Define service strategy Define governance framework Supplier Providers Define services Define service levels Monitor service quality Measure financial performance Controllers Figure 7.4 Monitor risk management Manage contracts 7. Create a s e r v i c e m a n a g e m e n t b o a r d t o o ve r s e e s e r v i c e d e l i v e r y Create a s e r v i c e c o d e o f p r a c t i c e “ h o w t o e n g a g e ” A d o p t s t a n d a r d p r o c e s s e s f o r m a n a g i n g t he services Develop a common language and common understanding of service objectives Ensure there is a clear definition of servic e s c o p e Define t he scope of the retained IT functio n Maintain the contract as a result of service c h a n g e s Create a policy and procedure manual for b o t h p a r t i e s t o f o l l o w Where possible define a service credit r e g i m e – t h i s d e s c r i b e s h o w ‘ o v e r s a n d unders’ on the service provision are h a n d l e d w i t h o u t r e c o u r s e t o h a r d .5 Service management techniques and SLAs Underpinning the customer/supplier relationship should be formal service level agreements.

but more importantly ensures a common understanding of the major processes (Figure 7.6 42 .IT Governance Developing a Successful Governance Strategy Figure 7. Figure 7.5 7.6).6 The supplier/outsourcing governance lifecycle The outsourcing lifecycle is useful in determining major points for governance throughout the contract.

. . . The CobiT Framework provides a tool for the business process owner that facilitates the discharge of this responsibility.43 8. . . . . There is therefore a need for IT management to work more closely with IT auditors. . . . . as comprehensive guidance for management and business process owners. By addressing these 34 high-level control objectives. . . . . . capitalising on opportunities and gaining competitive advantage. .3 What are the roles of IT and Audit for IT Governance? . . IT Governance guidance is also provided in the CobiT framework. . . . . . . . IT Governance provides the structure that links IT processes. . . . . Increasingly. so that everyone is “on the same page”.45 8. . . . . acquisition and implementation. . . . . . and monitoring IT performance. . and a failure to collaborate on control assessment and control improvement.45 he growing interest in IT Governance and increasing pressure to deal with regulatory compliance (e. . . . . . .44 8. . . . . A more effective approach requires better recognition of one another’s role and alignment to a mutually accepted and understood control framework. . .1 Introduction to CobiT Business orientation is the main theme of CobiT. . . . . . . . . . . . . . . . . this includes providing adequate controls. . The Framework starts from a simple and pragmatic premise: In order to provide the information that the organisation needs to achieve its objectives. . In particular. . . . . . and monitoring. . . . CobiT has historically been mostly used by IT auditors but the trend now is for IT management to use CobiT as a basis for IT process ownership. . 8. . . . . acquiring and implementing. . . This structure covers all aspects of information and the technology that supports it. . the business process owner can ensure that an adequate control system is provided for the IT environment.1 Introduction to CobiT . . . IT Governance integrates optimal ways of planning and organising. . and more importantly. . . . . For many years there have been barriers between auditors (both internal and external) and auditees (IT functions and business units). . . 43 . . . . . . corresponding to each of the 34 high-level control objectives is an Audit Guideline to enable the review of IT processes against CobiT’s 318 recommended detailed control objectives to provide management assurance and/or advice for improvement. . . . . . This can be due to communication gaps. . . . . . . . . . . . . Sarbanes Oxley). . . . . . As a consequence. . . . . . one for each of the IT processes. and a continuing focus on security. . . . . . . . . . In addition. . . . . . many IT functions and IT service providers are adopting CobiT as part of their operational control framework. . . . . . IT resources need to be managed by a set of naturally grouped processes. .g. . IT resources and information to enterprise strategies and objectives. but also.4 How can IT and internal audit work better together? . . . . . . . . . . . . . . hidden checklists. . .2 How is CobiT being used? . . . . a reference model for good controls and as a way to integrate other best practices under one “umbrella” aligned to business needs. . . It is designed to be employed not only by users and auditors. . . . . The Framework continues with a set of 34 high-level Control Objectives. . . IT Governance enables the enterprise to take full advantage of its information. . . . . . . . . . . . . delivery and support. . . has made IT management much more involved in risk management and control activities. . grouped into four domains: planning and organisation. . . . . . . . . . . . . . . . More advanced users make use of CobiT’s maturity modelling and metrics to measure performance and drive improvement initiatives. . CobiT is an IT Control and Governance Framework that is increasingly being adopted by organisations around the world as a common reference model for IT Control. . . . . thereby maximising benefits. business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. . . . . . . . . delivering and supporting. .IT & Audit Working Together & Using CobiT 8 T IT & Audit Working Together & Using CobiT 8 8. . .

it has driven the professional Audit firms to follow similar approaches. and assessed on the same basis by auditors. The guidelines are action oriented and generic and provide management direction for getting the enterprise’s information and related processes under control. 8. There is also a trend among service providers to use CobiT and other best practices to improve their market image and quality of service. The maturity modelling and metrics concepts within CobiT are probably the most popular for IT managers. The best practices in CobiT are a common approach to good IT control – implemented by business and IT managers. CobiT’s Management Guidelines are generic and action oriented for the purpose of answering the following types of management questions: How far should we go. both auditors and IT managers are adopting CobiT as the compliance framework for IT controls. Whereas auditors have been using CobiT mostly as a controls checklist. and consequently a massive CobiT-based controls documentation effort is underway. CobiT is often referred to as the “integrator”. There is currently a great deal of focus on the Sarbanes-Oxley Act in the US. and the reporting requirements that this legislation requires for Company Directors. Today. optimise use of scarce IT resources. IT managers see it more as a “best practice” framework for performance measurement and improvement planning. auditors and IT. helping to link these various IT practices to business requirements. The real value from any control evaluation. based on a generic set of IT processes meaningful to IT people. CobiT was created as an IT control framework for business managers. In response to this communication gap.itgi. Many companies are using CobiT as the framework for reporting the status of IT systems and controls. With increasing regulatory requirements such as Sarbanes-Oxley in the US. The profiles and scorecards that results are a powerful tool for communicating with senior management and demonstrating the reality of current IT capability in relation to what the business might have expected. and reduce the occurrence of major IT risks such as: Project failures Wa s t e d i n v e s t m e n t s Security breaches System crashes Failures by service providers to understand and meet customer requirements Due to its high level and broad coverage.IT Governance Developing a Successful Governance Strategy The Management Guidelines further enhances and enables enterprise management to deal more effectively with the needs and requirements of IT governance. and to integrate CobiT into their internal proprietary methodologies. it began as an Audit reference. There 44 . were talking a different language to business managers and IT practitioners. This has helped to break down communication barriers and improve the mutual understanding of IT controls. www. As organisations have adopted the CobiT approach. While SarbanesOxley has been very useful for putting IT governance and control on the Board’s agenda.2 How is CobiT being used? Although the long-term aim of CobiT was to be a common framework used by management and auditors. providing an easy and powerful technique for positioning IT control gaps in the context of business requirements. This is also helping to improve communication of control issues and make it easier to manage and audit IT activities against a commonly accepted basis.org) ISACA recognised in the early 1990’s that auditors. and is the cost justified by the benefit? What are the indicators of good performance? What are the critical success factors? What are the risks of not achieving our objectives? What do others do? How do we measure and compare?” (CobiT Framework 2000. Over the years CobiT has been developed as an open standard and is now increasingly being adopted as the control model for implementing and demonstrating effective IT Governance. for monitoring performance within each IT process and for benchmarking organisational achievement. for monitoring achievement of organisational goals. the effective use of best practices can help to avoid re-inventing wheels. It is not a “standard” as such but a “best practice” framework and set of guidance materials to be tailored for each specific situation. who had their own checklists for assessing IT controls. This was largely due to its origins within ISACA and its early adoption by ISACA members who are mostly from the computer audit profession. and at the same time provide a basis for IT functions to organise themselves into a process structure with accountable process owners. especially when based on CobiT. is the identification of control gaps and the implementation of a sustainable improvement programme. Because CobiT is open and independent of any specific vendor all parties can use it freely. as every organisation tries to deliver value from IT while managing an increasingly complex range of IT related risks. there is a danger that the effort will be limited to a documentation exercise to achieve compliance. bringing disparate practices under one “umbrella” and just as importantly. and because it has been based on many existing practices. Over the years its usage has widened out into the IT community and nowadays this is the fastest growing user segment. IT managers and auditors. The CobiT IT Process model has helped convey a view of IT understandable to business management.

Taking r e s p o n s i b i l i t y f o r e n a b l i n g a n I T Governance initiative or for initiating governa n c e p r o j e c t s s h o u l d n o t c o m p r o m i se Audit. but this c a n p r o v i d e a n e x c e l l e n t p o s i t i on to influence and recommend change.g. f o r managing the IT processes. A common framework and understanding i s n e e d e d i n o r d e r t o e n s u r e t h a t I T Management is exercising IT Governance . Education in control principles m a y b e n e e d e d . IT Gove r n a n c e r e q u i r e s m a n a g e m e n t c o m m i t m e n t a n d o w n e r s h i p w i t h i n I T a n d t h e busines s i n o r d e r t o m a k e i t h a p p e n . Typical examples using self-assessments are: R i s k a s sessments C o m p l i ance with specific standards (ISO 17799) C o m p l i ance with regulatory requirements such as Sarbanes-Oxley Q u a l i t y of service assessments 45 . A u d i t c a n t e s t c o n t r o l s e s p e c i a l l y w h e re control is critical and assurance is r e q u i r e d . the problems can usually be identified by IT digging into process failures – e. Executive management may point to historic data as showing no problems. 8. w o r k s h o p s a n d s t a f f secondments.so why should they worry about governance ? However.a c t i v e g u i d a n c e o n what should be done Role of IT IT has to be responsible for changing t h e c u l t u r e o f t h e I T o r g a n i s a t i o n . and therefore not the sole respons i b i l i t y o f a n A u d i t f u n c t i o n . Audit can play a part in setting standards. A u d i t m u s t d o m o r e t h a n j u s t i d e n t i f y p r o b l e m s . p a r t i c u l a r l y i n r e s p e c t o f e x t e r n a l r e g u l a t i o n . When re v i e w i n g G o v e r n a n c e . audi t c a n “ s o w t h e s e e d s ” . Given the speed of IT change and the hig h c o s t o f d e v e l o p m e n t p r o j e c t s . and more likely to motivate corrective action. so long as management take full resp o n s i b i l i t y a n d a c c o u n t a b i l i t y f o r i mplementation and operation of controls. and by p r o v i d i n g t r a i n i n g . a n d provide a s s u r a n c e t o t h e b o a r d . will help to ensure that eve r y o n e i s “ o n t h e s a m e p a g e ” . U s i n g a c o m m o n f r a m e w o r k f o r c o n t r o l such as CobiT. and adopting a f o c u s o n c o n t r o l s . B u t i n c r e a s i n g l y t h e r e i s a t r e n d for IT to “test themselves” by performing self-assessments.4 How can IT and internal audit work better together? Increasingly. To b e e f f e c t i v e a u d i t o r s m u s t : Be credible and confident to gain the r e s p e c t o f I T Not wait until the end of a phase to c r i t i q u e – b u t g i v e p r o . A u d i t c a n t h e n d e t e r m i n e i f i t i s h a p p e n i n g .IT & Audit Working Together & Using CobiT 8 is an analogy with the Y2K experience in that Sarbanes-Oxley should not be a one off exercise but an ongoing programme for improving management control and establishing governance. IT management have to be confident of their position to draw attention to internal weaknesses. a n d a u d i t c a n h e l p w i t h this by working together with IT. T h e y need to i d e n t i f y r o o t c a u s e s a n d m a k e c o n s t r u c t i v e r e c o m m e n d a t i o n s . T h e A udit function should remain independent. If IT (as so often) is in `fire fighting` mode it is harder for them to drive governance. control self-assessments are being performed by IT functions because it is more efficient than relying on limited IT audit resources. and providing control criteria and control b e n c h ma r k s .3 What are the roles of IT and Audit for IT Governance? Role of IT Audit IT Gove r n a n c e i s a m a n a g e m e n t r e s ponsibility. i t m a k e s sense to involve auditors in projects. IT should take a lead on governance. 8. project delay and excess cost. IT professionals often have a poor underst a n d i n g o f w h a t c o n t r o l s a r e a n d w h y t h e y are needed. The CIO and Head of Internal Audit should w o r k t o g e t h e r t o d r i v e c h a n g e . Indepen d e n c e s h o u l d n o t i n h i b i t p r o v i s i o n of advice.

Identify key risks. Appoint process owners. Analyse audit history and use to prioritise. Achieve a balance between regulation and improvement planning. Understand risk appetite. Governance Phase Audit contribution Common approach – culture. Provide where appropriate independent scorecards of IT performance. Perform “open book” audits (no hidden checklists or issues). s e c u r i t y ) H o w d o y o u c o n s i d e r y o u h a v e addressed each objective? S e l f c e r t i f i c a t i o n b y m anagement e. Demonstrate strengths and weaknesses. communication and language. Influence the Board and Audit Committee to take issues seriously and mandate change. g . Ensure scope alignment (audits versus governance). Provide thought leadership on available techniques. Perform a maturity self assessment on critical IT processes. Perform business impact analysis with business units. Provide Project Control and QA. Advise on WHAT should be improved. using business language. Coordinate with service providers who may be a trigger and may be using CobiT. Know your audience when explaining IT Governance. Figure 8. Integrate existing and other best practices. Demonstrate benefits. Perform risk self assessment. Provide independent control evaluations for critical areas. successes and significant trends. Create implementation action plan. Review and assure measures. Provide “Audit scorecards” showing performance against past audit reports. Facilitate job rotation/secondees. Ensure business and IT orientation to audit approach and recommendations. Do internal/external benchmarking. Define regulatory compliance requirements. CobiT) The methods used vary from formal schemes. Internal/external analysis. Liaise with 3rd parties and service providers. Provide independent view of the risk profile. Produce scorecards and RAG charts for IT performance in business terms. Identify key control weaknesses. CobiT. Adopt a Framework e. Understand impact of regulatory and compliance issues. Organise shared events. Provide explanations for deviations.5 IT Process Maturity assessments (e. charter.IT Governance Developing a Successful Governance Strategy IT contribution • • • Get CIO commitment. Facilitate job rotation/secondees. Share audit information and documentation. Use objective and independent position to recommend organisational change. • • • • • • • • • • • • • • • • • • • • • • • • • • Framework Approaches • • • • • • • • • • Focus Assess • • • • • • • • • • • Scorecard Improvement Provide assurance of IT self –assessments. Define business requirements for IT Governance together with business units. Provide workshops to improve understanding.g. Coordinate with external auditors. Get ownership from the business side. Don’t just make general recommendations – point to root causes. Perform controls self-assessments.org). perhaps based on IIA (Institute of Internal Auditors) or Internal Audit guidance to less formal approaches. Create business case for changes. clear ownership • • • Building Awareness & Ownership • • • Provide thought leadership. Share planning approach.itgi. Leverage regulations for positive effect. Provide positive statements where appropriate. Perform detailed self maturity assessments. Provide training in controls.g. controls adoption and CobiT. Regulations like Sarbanes-Oxley can be an enabler of change – encourage response to be more than just a documentation exercise.: Q u e s t i o n n a i r e s – b a s ed o n p o l i c y ( e . Define HOW improvements can be made. Sarbanes-Oxley Face-to-face interviews and workshops Pre-defined checklists 46 .g.g. All approaches can provide value e. RAG charts and scorecards. Influence the business and the board about IT management issues (use ITGI Board Briefing) (www.

IT & Audit Working Together & Using CobiT

8

The effectiveness of a self-assessment depends on the quality, objectivity, skill and experience of the people performing the review. Using an alternative means of checking to supplement the questionnaire can help as can obtaining Internal audit input in an educating/reviewing role. There are a number of constraints and challenges relating to self-assessments:
Level of m a t u r i t y Number/ v o l u m e o f t e s t i n g
Reliance o n t h e r e s u l t s - Object i v i t y - Compl e t e n e s s a n d R i g o u r
Resourc e s – I T i s t y p i c a l l y o v e r l o a d e d w i th d a y t o d a y p r e s s u r e s Political i s s u e s n e e d t o b e a d d r e s s e d – h o w t o g e t m a n a g e m e n t b u y - i n , a n d t h e r e may be a r e t i c e n c e t o i d e n t i f y a n d q u a n t i f y r i s k s
C u l t u r a l a s p e c t s s h o u l d b e c o n s i d e r e d – e .g. the need to balance positive messages with weaknesses
Av o i d r o u t i n e t i c k i n g b o x e s e x e r c i s e s w h i c h a r e m u c h l e s s v a l u a b l e

The following are some practical requirements for self-assessments:
Individu als performing assessments recog n i s e a c c o u n t a b i l i t y There will be a need framework/objectives / p o l i c y t o s e l f a s s e s s a g a i n s t ( e . g . b a s e d on Cobi T) Well designed questionnaires – keep them s i m p l e w i t h n o a m b i g u i t y, a n d e x a m p l e s to aid interpretation Coaching/training may be needed if using a w e b - b a s e d q u e s t i o n n a i r e Require supporting evidence to be docume n t e d
Training may be needed on risk identification, definition, and quantification

47

IT Governance Developing a Successful Governance Strategy

9
E

Information Security Governance

9.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48 9.2 What is information security? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49 9.3 Where to focus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50 9.4 Roles and Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50 9.5 Action planning and best practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
xecutive management has a responsibility to ensure that the organisation provides all users with a secure information systems environment. Sound security is fundamental to achieving this assurance.

Information systems can generate many direct and indirect benefits, and as many direct and indirect risks. These risks have led to a gap between the need to protect systems and the degree of protection applied. Although awareness of these security issues has increased significantly at board levels, most senior business managers are uncertain about actions they should take and rely heavily on technical advisors. Proper governance of security, like any other aspect of IT, requires top management to be more involved in setting direction and overseeing the management of risk. Faced with the fear of unknown risks, and uncertainty regarding the effectiveness of existing controls, top management naturally wonder where to focus attention and set priorities. A risk assessment is usually the best place to start. A complimentary approach is to focus on establishing a security baseline irrespective of the risks – i.e. ensure that all the basic measures are in place. Managing investments in the implementation and operation of controls is critical, since security can be an expensive and time-consuming task, and experience has shown that large sums of money can be wasted on ineffective or inadequately implemented technical solutions. However, proving security ROI can be difficult since actual reductions in losses or incidents must be shown, and it is sometimes impossible to know if a risk has been prevented. There is no doubt though, that the easiest way to demonstrate cash return is by showing the cost of incidents and wherever possible this should be done even if the examples are based on assumptions rather than actual figures. Increasingly, the benefits of good security are being recognised by management who understand that security is needed to enable e-business and that a reputation for good security can enhance customer loyalty, sales and ultimately share price. These benefits should be considered when building the business case for security investments. Given that IT security is a specialised topic and there is a shortage of skills, organisations will often seek support from third parties. Information security specialists can play a key role although governance and final decision-making must remain in-house.

9.1 Background
“In a global information society, where information travels through cyberspace on a routine basis, the significance of information is widely accepted. In addition, information and the information systems and communications that deliver the information are truly pervasive throughout organisations—from the user’s platform to local and wide area networks to servers to mainframe computers. Accordingly, executive management has a responsibility to ensure that the organisation provides all users with a secure information systems environment. Furthermore, there is a need for organisations to protect themselves against the risks inherent with the use of information systems while simultaneously recognising the benefits that can accrue from having secure information systems. Thus, as dependence on information systems increases, security is universally recognised as a pervasive, critically needed, quality.” (International Federation of Accounts (IFAC) Statement on Managing Security of Information 1998) Because new technology provides the potential for dramatically enhanced business performance, improved and demonstrated information security can add real value to the organisation by contributing to interaction with trading partners, closer customer relationships, improved competitive advantage and protected reputation. It can also enable new and easier ways to process electronic transactions and generate trust.” 5

The view of the IMPACT IT Governance SIG is that Information security concerns have increased due to:
5. Information Security Governance: Guidance for Boards of Directors and Executive Management, the IT Governance Institute®.

48

Information Security Governance

9

Te c h n i c al complexity
Hackers a n d v i r u s s p r e a d e r s Increasi n g e a s e o f u s e , a n d t h e a c c e s s i b i l i t y o f I T s y s t e m s
Anywher e / a n y t i m e a c c e s s

Although awareness of these security issues has increased significantly at board levels, most senior business managers are uncertain about actions they should take and rely heavily on technical advisors. Proper governance of security, like any other aspect of IT, requires top management to be more involved in setting direction and overseeing the management of risk.
It is essential therefore for executive management to understand why information security is important and take action to ensure that:
The imp o r t a n c e o f i n f o r m a t i o n s e c u r i t y i s c o m m u n i c a t e d t o a l l a n d t h a t a p o l i c y exists to u n d e r p i n a c t i v i t i e s i n a c h a n g i n g e n v i r o n m e n t .
T h e o w n e r s h i p a n d r e s p o n s i b i l i t y f o r i n f ormation security is accepted by senior m a n a g em e n t i n t h e b u s i n e s s a s w e l l a s i n IT.
Everyone understands that security will not be satisfied simply by the appointment of a security manager – the security function is there to assist management and security is ultimately the responsibility of everyone.
Any shortage of skilled resource in this ar e a i s a d d r e s s e d , a s i t m a y b e i m p o s s i b l e to retain all the necessary skills and funct i o n s i n - h o u s e . Responsibility for any security aspects of c o r p o r a t e c o m p l i a n c e i s a c c e p t e d b y t h e Board.

Management concerns are focused on:
Gaps – what and where are the significant a n d s p e c i f i c w e a k n e s s e s i n s e c u r i t y ? Are these weaknesses being addressed? Are resources and money being wisely in v e s t e d a n d a r e t h e r i g h t c o n t r o l s b e i n g implemented in the areas most vulnerable t o t h r e a t ?

9.2 What is information security?
One of the causes of poor information security and ineffective governance of information security is a misunderstanding of what it actually covers and how it should be addressed. The ITGI publication, Information Security Governance: Guidance for Boards of Directors and Executive Management, describes information security as follows: “Security relates to the protection of valuable assets against loss, misuse, disclosure or damage. In this context, “valuable assets” are the information recorded on, processed by, stored in, shared by, transmitted or retrieved from an electronic medium. The information must be protected against harm from threats leading to different types of vulnerabilities such as loss, inaccessibility, alteration or wrongful disclosure. Threats include errors and omissions, fraud, accidents and intentional damage. The objective of information security is “protecting the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality and integrity.

Policy Development Roles & Responsibilities Design Implementation Monitoring

Awareness, Training, & Education

The security objective and core principles provide a framework for the first critical step for any organisation – developing a security policy. For security to be effective, it is imperative that individual roles, responsibilities, and authority are clearly communicated and understood by all. Once a policy has been approved by the governing body of the organisation and related roles and responsibilities assigned, it is necessary to develop a security and control framework that consists of standards, measures, practices, and procedures. Once the design of the security standards, measures, practices, and procedures has been approved, the solution should be implemented on a timely basis, and then maintained. Monitoring measures need to be established to detect and ensure correction of security breaches, such that all actual and suspected breaches are promptly identified, investigated, and acted upon, and to ensure ongoing compliance with policy, standards, and minimum acceptable security practices. Awareness of the need to protect information, training in the skills needed to operate information systems securely, and education in security measures and practices are of critical importance for the success of an organisation’s security program. Figure 9.2

49

A risk assessment is usually the best place to start and this should be based on analysis of the likelihood of different threats. data owners. top management naturally wonder where to focus attention and set priorities. be focused on business objectives not technical solutions and include representatives from key business units. A useful approach to improving the understanding. A key element of this approach is to create security within the infrastructure. An Operational Team will be needed to maintain and monitor security processes and operate administrative procedures. who should ultimately sign-off acceptance of the risk management plan. ensure that consensus is reached on where security investments should be made.itgi. security professionals and technology providers need to be utilised.org) standard or freely available guidance such as the CobiT Security Baseline (www. The Audit Function plays a key independent role in monitoring and assessing the adequacy of security within the organisation. The table below 50 6. Responsibility for governing and managing the improvement of security has consequently been limited to operational and technical managers. with little consideration given to enterprise priorities and requirements. operation. skilled resources such as information systems auditors. Providers & Controllers positively so that they understand the objectives and benefits of IT Governance and are able to communicate consistently to each other and within their groups. An IT Security Manager should be in place as an advisor to management and the project owner of security action plan. design. In practice. All interested parties should be involved in the process.” 6 Specific roles: A Forum or Council should be established to set policy. Due diligence must be exercised by all individuals involved in the management. The Forum should share knowledge of IT and risks. care must be taken to avoid implying that security has now been dealt with by hiring such a person (when it is everyone’s responsibility) or that this role relieves top management of their overall governance responsibilities. 9. this is an area where the business needs to be more involved. 9. vulnerability and impact. IT.iso.2. users. It should report into a governance board (or group IT board). use. This can be based on standard guidance such as the ISO17799 (www. and uncertainty regarding the effectiveness of existing controls. or monitoring of information systems. development. greater involvement of boards of directors. and for approving and overseeing execution of the risk management plan. However. It will be helpful if the risk assessment can be converted to a financial value derived from the impact – even if this is only approximate and based on rough estimates or scales – since decisions to improve security will usually be made based on financial parameters. However. information systems security professionals. Consideration of the impact of security threats should always be the responsibility of business management. the major activities associated with Information Security management relate to the items in Figure 9.e. internal audit and outsource suppliers. process owners. 1998) “Too often information security has been dealt with as a technology issue only. and information systems auditors all have roles and responsibilities in ensuring the effectiveness of information security. ensure that all the basic measures are in place. . The role can be part time and is often supported by external advisors. for information security to be properly addressed. It is often part of a Risk Management function. technology providers.IT Governance Developing a Successful Governance Strategy According to the IFAC guidance. awareness and ownership of security within the business is to appoint Information Security Coordinators. executive management and business process owners is required. This is usually a technical function and it is increasingly being outsourced.” (International Federation of Accounts (IFAC) Statement on Managing Security of Information. maintenance. It is critical to influence the Investors.3 Where to focus Faced with the fear of unknown risks. Information Security Governance: Guidance for Boards of Directors and Executive Management. For information security to be properly implemented. rather than on a piecemeal basis.org). A complimentary approach is to focus on establishing a security baseline irrespective of the risks – i. the IT Governance Institute®.4 Roles and Responsibilities “Executive management.

4). Project champions Relationship managers and internal communications teams Suppliers (especially outsourced service providers) Contract and procurement management Peripheral players/influencers/Policy owners e. Information security specialists can play a key advisory role although governance and final decision-making must remain in-house. Legal • • • • • • Controllers Internal audit and external audit (due diligence) External regulators Corporate governance coordinator Risk managers Compliance – regulatory and internal Finance/Project Managers/IT and business managers – reviewers of benefits/ROI Post investment appraisal/Post project review teams • Key Security Responsibilities • • • • • • • • • • • • • Risk sign-off Own the business case Set policy Define expectations and requirements Ensure legal and regulatory compliance Review performance Monitor delivery Quantify impact of risk Challenge the risk management plan Approve proposals and metrics Prioritise actions and investments Supply necessary resources Set culture and environment • • • • • • • • Risk analysis Design and implementation Creation of business cases – cost and solution Security operations Security administration Monitoring security incidents Education and training (both IT and HR) Creation and maintenance of scorecards for performance measurement • • • • • Understand impact of regulations Monitor adequacy and performance of controls (assessments and audits) Test actual performance of controls Monitor performance (execution of improvements) Provide independent assurance to management Figure 9.g.Information Security Governance 9 summarises how IMPACT SIG members believe each group of stakeholders should focus on their security responsibilities (Figure 9. g . Business sponsors.g.4 Given that IT security is a specialised topic and there is a shortage of skills. HR. Who needs to be involved? Investors • • • • • The Board IT Council/Management Team Senior business unit managers e. Facilities Management. There is also an opportunity for cost reduction compared with permanent in-house staff. Examples of outsourced security activities include: Testing ( e . key customers of IT services Business Partners External investors/shareholders – as part of corporate governance • • • • • • • • • Providers Project and change managers (IT and Business) Programme managers Business managers and users Technical delivery and support teams Key players e. f o l l o w i n g p a t c h e s ) Vulnerab i l i t y t e s t i n g ( n o t e : P e n e t r a t i o n t e s t i n g m u s t b e p e r f o r m e d w i t h c a r e a s i t may cra s h t h e s y s t e m ) Incident m a n a g e m e n t Third party security providers Special care should be taken when dealing with outsourced suppliers: Contract o r s n e e d t o b e v e t t e d f o r s e c u r i t y p u r p o s e s S u p p l i e r s d o h a v e a r e s p o n s i b i l i t y t o m anage security within their own activities – make sure this happens Although the supplier has to be trusted to carry out checks. the client must ensure that the necessary checks are in place Regulations such as Sarbanes-Oxley re q u i r e s t h a t g o v e r n a n c e r e s p o n s i b i l i t y remains in-house 51 .g. organisations will often seek support from third parties.

5 Action planning and best practice IMPACT SIG members suggest the following action steps be considered: 1. Classify objectives and actions into technical and non-technical areas Ensure that an effective security policy is in place Establish a security baseline Cover key vulnerabilities Communicate management concerns for security to ensure staff awareness Focus on changes – evaluate and test for security exposures Ensure that Board presentations emphasise security as an enabler and not as a disabler 52 . 3. 2. 6. 5.IT Governance Developing a Successful Governance Strategy 9. 4. 7.

. . . . External advice must be sought whenever the issues are sufficiently risky or complex. . . . . . . . . . . including: 53 . .5 Dealing with third parties . . . . . .3 Best approach to compliance . . . . . . . . . . . . . .1 Legal and regulatory factors affecting IT Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 Critical success factors . . .Legal & Regulatory Aspects of IT Governance 10 I Legal & Regulatory Aspects of IT Governance 10 10. . . . . . . . . . . . . . . . . . . . . . . . . . From a legal and regulatory perspective this means that there is potentially a complex hierarchy of responsibilities that combine to meet the legal and regulatory needs of the customer. . . . . . . . . . . . . . . . . . . . . .53 10. . . . . . . . Every organisation relies on a growing number of third parties for support of IT services. . . . . . . Every organisation must identify the specific regulations affecting them and respond accordingly. . . . . . . . . . . . . . . . . . . . . . . including: General improvement in overall control of IT related activities Reduced losses and administrative costs More efficient and effective negotiation of commercial transactions A greater ability and confidence to take risks – because senior management feel more in control There are a wide range of laws and regulations.58 10. . . . . . . . Ultimately it is the customer’s responsibility to ensure that all the right controls are in place with any third party that is relied upon for legal and regulatory compliance.2 Roles and responsibilities . . . . . . . . . . . . . . . This is due to the need to guard against a wide range of new IT related risks and from a general increase in corporate regulations. . . . . . . . . . . . . . . . . . . . . . . . . .55 10. . . . . . . . . .1 Legal and regulatory factors affecting IT Governance The recent increase in the number of regulations affecting the use of IT is due to a number of factors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . The impact of not taking sufficient care over legal or regulatory requirements can be considerable including: Loss of reputation Inability to trade Financial penalties and losses Loss of competitive advantage Loss of opportunity On the other hand the benefit of complying with regulatory requirements and using legal measures to protect commercial interests can be considerable. . . . and ensure that the roles and responsibilities for understanding legal and regulatory matters are properly defined for each group of stakeholder so that each group can apply its specific expertise effectively. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59 n recent years there has been a general increase in the number of regulations affecting the use of IT and also the number of situations where legal measures need to be considered. . . .4 What IT has to do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10. . .56 10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . some specific to industry sectors that can have an impact on IT. . .54 10. . . . . . . . . .

some specific to industry sectors. Every organisation must identify the specific regulations affecting them and respond accordingly. that can have an impact on IT. 54 . including viruses. and o t h e r c r i m i n a l a c t s Intellectual Property. The IMPACT SIG has identified the following areas that ought to be considered: Personal data and privacy Corporate Governance . Laws to protect personal information and its potential misuse in electronic form.IT Governance Developing a Successful Governance Strategy A greater interest by regulators in the operations of all organisations caused by major corporate financial failures and scandals.2 Roles and Responsibilities Dealing with legal and regulatory requirements and knowing how best to use legal contracts can be challenging for IT experts who are not knowledgeable about legal matters. g . financial reporting. Compliance with IT-related legal and regulatory requirements and the effective use of legal contracts are clearly part of the effective control and oversight of IT activities by senior management and therefore key aspects of IT Governance. s i g n a t u r e s e t c . Concerns about security and privacy fueled by the overall increase in use of computers and networks and the impact of the Internet. h e a l t h . and for business managers who may not appreciate all the legal risks and issues associated with the use of advanced technology. which is resulting in regulations like the US SarbanesOxley Act forcing Boards of Directors to express opinions about their systems of control.). A g r o w t h i n t h e u s e of computer systems and networks for criminal activity and terrorism. Electronic commerce Email monitoring. External advice must be sought whenever the issues are sufficiently risky or complex. product licenses etc. p h a r m a c e u t i c a l etc. m o n e y l a u n d e r i n g a n d pornography etc. Organisations should therefore ensure that the roles and responsibilities for understanding legal and regulatory matters are properly defined for each group of stakeholder so that each group can apply its specific expertise effectively. appro p r i a t e u s e a n d c o n f i d e n t i a l i t y Email defamation Document and record retention IT products and services contracts Sector specific regulatio n s e . 10. A growth in complex contractual relationships for IT services and products (outsourcing. resulting in copyright and intellectual property issues of concern to both vendors and users. Tr a d e m a r k s a n d C o p y r i g h t Electronic communicati o n . Corporate regulations like the Sarbanes-Oxley Act can be just a minimalist compliance procedure with no potential benefit to the business or be used as an opportunity to invest in better IT controls. hacking. There are a wide range of laws and regulations. f i n a n c i a l . stock market requirements Money laundering. managed services. The growth in all forms of electronic media and the potential for misuse of valuable information assets. What might appear to be an initial regulatory burden can become an opportunity to transform to better managed practices if the rules are used positively and applied productively.

service providers. Legal Legal and Regulatory Responsibilities • Understand requirements (what regulations are to be complied with) • Set the mandate • Set priorities and expectations • Establish and ensure the expected degree of compliance • Based on advice concerning risk and cost: • Assess impact on business • Provide resource and funding to ensure issues are addressed • Define who is accountable • Obtain internal or external assurance as required that issues have been addressed and controls established • Monitor and evaluate compliance programmes and significant commercial contracts • Sign off specific compliance programmes • Provide approvals when required for significant legal or regulatory decisions • Advise on IT related technical and commercial risks that could impact legal and regulatory requirements • Provide proposals and business cases for legal and regulatory programmes. Project champions • Relationship managers and internal communications teams • Suppliers (especially outsourced service providers) • Contract and procurement management • Peripheral players/influencers/Policy owners e. key customers of IT services • Business Partners • External investors/shareholders – as part of corporate governance Providers • Project and change managers (IT and Business) • Project and change managers (IT and Business) • Programme managers • Business managers and users • Technical delivery and support teams • Key players e. 55 . asset registers) • Execution of compliance and contractual processes. projects or action plans • Formulate solutions for compliance or commercial contracts • Identify best practices for ongoing good control of legal and regulatory requirements • Exploit technology and tools where appropriate for ensuring compliance (e. and operation of elated controls • Provide compliance framework to ensure a sustainable “business as usual” approach to compliance • Provide evidence of compliance • Provide information relating to the cost of compliance and also cost of any incidents • Evaluate impact on business environment together with business units • Ensure vendors.g.g. any such framework must be flexible and responsive to new requirements. In practice. it is recommended that a framework for dealing with legal and regulatory issues be established. and regulations affecting IT to assess their impact on the organisation’s business • Develop an understanding of their impact on the organisation and advise accordingly on “what is needed” . HR.not necessarily “how” • Monitor adequacy of controls and compliance processes • Monitor the business and IT functions for performance in meeting legal and regulatory requirements and report back to management with advice regarding any shortcomings • Provide independent assurance to management that adequate controls are in place to deal with legal and regulatory requirements Controllers • Internal audit and external audit (due diligence) • External regulators • Corporate governance coordinator • Risk managers • Compliance – regulatory and internal • Finance/Project Managers/IT and business managers – reviewers of benefits/ROI • Post investment appraisal/Post project review teams 10. Business sponsors.g.Legal & Regulatory Aspects of IT Governance 10 Who needs to be involved? Investors • The Board • IT Council/Management Team • Senior business unit managers e. and subcontractors are involved properly and integrated within the overall compliance approach Table 10. Facilities Management.2 • Maintain awareness of current and emerging laws.g.3 Best approach to compliance Ideally organisations should deal with legal and regulatory requirements on a “business as usual” basis instead of reacting on a case-by-case basis. Because IT is fast changing and new regulations are also emerging.

Then it becomes possible to address all the relevant systems when standards have to change: Consider regulatory issues together Do not set up separate projects which may conflict with the standard approach D e c i s i o n m a k i n g m u s t rest with the business in terms of the extent and nature of compliance 10.3 Figure 10. This is usually unsuccessful or inefficient because outside of existing governance it is very difficult to allocate and establish responsibilities for monitoring and testing.3 illustrates a common problem when new regulatory requirements are imposed. However. the importance of the framework is emphasised by the need to understand which standards affect which systems. Gradually this has changed. first with IT specific legislation like the Data Protection act. there can be no clear prioritisation or co-ordination among different regulatory requirements.4 What IT has to do Historically. To be effectively handled the decisions concerning the regulation should be taken at the level at which business objectives are set and within the group or business risk framework. when the left-hand route is followed and a new regulation comes into force. and most recently by the realisation that corporate level regulations like Sarbanes-Oxley must be inextricably linked to the IT systems because corporate information and financial reporting has become so automated. most IT people did not think about compliance. Similarly. Conversely. as illustrated. For complex IT environments. This is the necessary level at which priorities can be determined and the standards framework can be applied.IT Governance Developing a Successful Governance Strategy Figure 10. a special programme is frequently set up outside the remit of existing standards and governance in the hope that the new regulatory environment can be incorporated. 56 . because regulations rarely impacted the technical environment.except in terms of good practice. it is possible to identify where there are already procedures in place that enable the new requirements to be met.

As a consequence. over many issues such as security. Business objectives and processes should drive the system of internal control and therefore the documentation process. 57 . meaningful to auditors and managem e n t ( e . a n d m a i n t a i n t h e d o c u m e n t a t i o n a s c h a n g es occur. increasingly driven by regulatory pressure. the documentation should be in a language that auditors would use. vendors. IT service providers. These contracts in turn demand greater controls be demonstrated by the parties to the contract. service availability.4 In addition. ownership of deliverables. b a s e d o n C o b i T ) . legal contracts for IT services are being given much more careful attention. Appoint p r o c e s s o w n e r s s o t h e r e i s a c c o u n t a b i l i t y a n d r e s p o n s i b i l i t y. Docume n t a r c h i t e c t u r e s s o t h a t t h e o v e r a l l e n v i r o n m e n t i s u n d e r s t o o d o n a continuo u s b a s i s . g . and internal IT functions are all realising that they must be better organised from a control and compliance perspective. Understa n d c o n t r o l c o n c e p t s . support of products etc. due to the very significant cost of IT investments. and therefore it is best to work with the audit community and adopt a common language and approach such as CobiT. t h e n e e d f o r I T c o n t r o l s . D o c u m e n t t h e s e p r o c e s s e s a n d c o n t r o l s ( e specially for compliance critical systems). intellectual property. Define p r o c e s s e s i n I T i n a l o g i c a l w e l l o r dered fashion. It is only a relatively recent realisation that IT related controls should be documented and monitored by IT functions. IT functions increasingly need to be more involved in legal and regulatory requirements and should: Work wi t h t h e b u s i n e s s u s e r s a n d r i s k m a n a g e m e n t g r o u p s t o i d e n t i f y c r i t i c a l systems a n d c o m p l i a n c e p r i o r i t i e s .Legal & Regulatory Aspects of IT Governance 10 Figure 10. and the complexity of customer and supplier relationships. The flow should be: For an efficient and effective compliance process. a n d h o w t h e y r e l a t e t o busines s l e v e l c o n t r o l s .

in pa r t i c u l a r. Clients cannot be o b l i g e d t o d o b u s i n e s s i n a w a y s p e c i f i e d b y t h e p r o v i d e r. C o n s i d e r t h e w h o l e i n f rastructure rather than tackling items on a piecemeal basis. or can see a commercial benefit in making the necessary investment.5 Dealing with third parties Every organisation relies on a growing number of third parties for support of IT services. To achieve these objectives: I T s h o u l d s e e k a d v i c e from HR. not driven by controls and compliance issues. and Audit.IT Governance Developing a Successful Governance Strategy Standardise wherever possible to avoid duplication of effort. In order for both sides to be clear on responsibilities it is essential that sufficient in-house capability is retained. In theory they might u s e a s t a n d a r d m o d e l a c r o s s a l l b u t i n p r a c t i c e t h i s i s unlikely. service providers have their own corporate governance agenda. 10. Adopt standard approaches and best practices – don’t attempt to reinvent the wheel as it wastes time and makes working with partners and auditors much less effective (compare with accounting. combined with the pressures of their business models – usually to provide a better service at a lower cost than the customer had previously experienced: They have to work wi t h d i f f e r i n g g o v e r n a n c e m o d e l s o f b u s i n e s s p a r t n e r s a n d clients. and if necessary external experts. Build in the need for th i r d p a r t y t e s t i n g a s r e q u i r e d . Generate business benefits from the control and compliance projects by performing gap analyses to drive improvements and efficiencies as well as building good controls. Be responsible for diligent procurement and proper control and management of third parties. Conversely. a r e u n w i l l i n g t o c h a n g e t h e i r o w n m o d e l . People who negotiate outsourcing contracts are usually at a commercial business level. and ultimately it is a question of negligence if controls were not operated properly. Ultimately it is the customer’s responsibility to ensure that all the right controls are in place with any third party that is relied upon for legal and regulatory compliance. but the p r o v i d e r m a y s t i l l n o t h a v e t a k e n a c t i o n h i m s e l f o r k n o w w h a t is required. Large clients. Legal. Most organisations actually get more rigour when they outsource but most contracts are built around existing operations with all their limitations. Special requirements such as vulnerability testing will not normally be seen as part of a contract unless formally requested and paid for. From a legal and regulatory perspective this means that there is potentially a complex hierarchy of responsibilities that combine to meet the legal and regulatory needs of the customer. Maintain evidence of controls being exercised to be better able to demonstrate compliance. 58 . The outsourcer or provider may not ensure full coverage of legal and regulatory requirements: The customer may go t o t h e p r o v i d e r a n d s p e c i f y w h a t i s r e q u i r e d o r p r o v i d e a questionnaire. The onus should be on the provider to spell out the risks – but the provider will not improve controls unless paid to do so. Legally there is a standard reasonable expectation of basic service.standard procedures are essential). The provider is unlikely to provide a higher level of control in specific situations (such as security) than the client had originally operated himself – but must have nevertheless an adequate set of controls.

6 Critical success factors The IMPACT SIG identified the following success factors to enable effective ongoing legal and regulatory compliance and proper control of legal contracts: Establish t h e r i g h t c u l t u r e t o e n c o u r a g e d iligence and good controls Commun i c a t i o n t h r o u g h o u t t h e o r g a n i s a t i o n b a s e d o n a B o a r d l e v e l m a n d a t e i s essentia l t o m a k e s u r e e v e r y o n e t a k e s t h e i s s u e s s e r i o u s l y a n d u n i f o r m l y Involve t h e r i g h t p e o p l e a s a d v i s o r s b u t d o n o t a b d i c a t e r e s p o n s i b i l i t y R e t a i n i n g r e s p o n s i b i l i t y f o r c o n t r o l a n d c o mpliance when using service providers Standardisation and a common approach is the most effective and efficient way to meet compliance requirements Use frameworks and accepted complianc e m o d e l s e s p e c i a l l y t h o s e a c c e p t e d b y auditors Integrate compliance objectives into the IT s t r a t e g y Ensure management are actively involved – n o t j u s t p e r f o r m i n g a s i g n .o f f a t t h e end Set the tone at the top Engage the governance and risk ma n a g e m e n t g r o u p s ( t h o s e w h o o w n t h e Provide a positive spin – good control s c a n b e v e r y b e n e f i c i a l Make compliance normal business pra c t i c e r a t h e r t h a n a p r o j e c t Translate into normal language Exp lain business context Carry out awareness training Institutionalise compliance behaviour framework) as soon as possible Make compliance meaningful and relevant Establish mechanisms for evidence and do c u m e n t a t i o n Establis h metrics for monitoring performan c e Create incentives and/or penalties as part of personal objectives Do regular compliance checking and tests Do regular review of risks (include 3rd parties) H a v e g ood incident management procedu r e s t o l e a r n f r o m l e g a l a n d r e g u l a t o r y i n c i d e n ts 59 .Legal & Regulatory Aspects of IT Governance 10 10.

. . . based on generally accepted standards as well as specific design standards.60 11. . . the effective governance of architectures in these situations is a key consideration. . . . A capability for setting the direction for technology improvement should be retained in house and often contracts will call for customers to control their own technical direction. . There is an analogy with the original use of architectures for defining the design of buildings – providing the blueprint that demonstrates what the end product should look like. . provision of readilyavailable. the term architecture is used to describe the technical design and interoperability of components that together make up the information system i. .IT Governance Developing a Successful Governance Strategy 11 G Architecture Governance 11. . .61 iven the complexity and fast-changing nature of IT. and that it meets the purpose for which it was intended. .1 Why is Architecture Governance important? Architecture (in Greek αρχή = first and τέχνη = craftsmanship) is the art and science of designing structures. . . Given the significant amount of outsourcing of IT services. cost-effective tool-kits and components Share all artefacts with outsource providers 11. In the context of computers. . . . . . . architectures are important for defining technical direction. of what technology can offer in terms of products. . . The IT Governance and Technical Architecture SIG members believe that in many organisations the 60 . meeting technical design standards as well as the business purpose and strategic objectives for IT. . based on generally accepted standards as well as specific design standards. captured in a formal design that will support evolution and change. . . . .2 What are the objectives of Architecture Governance? . meeting technical design standards as well as the business purpose and strategic objectives for IT. that it is built according to defined design standards. software and network components. . .1 Why is Architecture Governance important? . . . . . . Cost will usually be the driving factor in contractual arrangements – who will pay for architectural upgrades? The group identified the following critical success factors for achieving architectural governance: Ensure that the Architecture process and its governance is adequately funded Ensure good communications among all the groups concerned Align the architecture with the business strategy and the culture of the organisation Recognise that persuasion is always needed for compliance and that this can be enhanced by active project involvement. . . . . . . . . . . . . . .e. . Senior management may assume that providers will develop technology to improve productivity – this is not always the case. . . . . . . . . This is enabled by creation and maintenance of a technological infrastructure plan that sets and manages clear and realistic expectations and standards. . . There are generally three overall end goals with respect to architecture governance: Business and IT Alignment (fit for purpose) Risk Management (reduced likelihood of design failures) Resource Management (cost effectiveness and value for money) The process of determining technological direction via an IT Architecture satisfies the business requirement to take advantage of available and emerging technology to drive and make possible the business strategy. . . . captured in a formal design that will support evolution and change. . architectures are important for defining technical direction. Architecture governance is therefore to do with ensuring that the principles of architectures are properly applied to the design and maintenance of information systems. . . . Architecture governance is therefore to do with ensuring that the principles of architectures are properly applied to the design and maintenance of information systems. technical consultancy. . . . . . Given the complexity and fast-changing nature of IT. . . . . . hardware. . . The business strategy may depend on an effective IT architecture. . . but who defines the architecture in the outsourced situation? The customer should always take control of his own requirements including architectural decisions even if the provider offers existing solutions and approaches. services and delivery mechanisms. . . . . that it is formed on a solid foundation. . .

An analysis of the maturity level of the organisations represented showed the following: Current m a t u r i t y r a n g e d f r o m 1 + t o 4 . v i s i o n s t a t e a n d i m p l e m e n t a t i o n r o a d m a p s Average l e n g t h o f t i m e b e t w e e n t h e i de n t i f i c a t i o n o f p o t e n t i a l l y r e l e v a n t n e w technolo g y a n d t h e d e c i s i o n a s t o w h a t t o d o w i t h t h a t t e c h n o l o g y The Open Group (www.Architecture Governance 11 challenge is to commit to a properly funded and business driven architectural approach.m a r k e t Increase d i n t e r o p e r a b i l i t y b e t w e e n s y s t e ms and applications And these performance measures: Percent o f I T b u d g e t a s s i g n e d t o t e c h n o l o g y i n f r a s t r u c t u r e a n d r e s e a r c h Number o f m o n t h s s i n c e t h e l a s t t e c h n o l o g y i n f r a s t r u c t u r e r e v i e w Business f u n c t i o n s ’ s a t i s f a c t i o n w i t h t h e t i m e l y i d e n t i f i c a t i o n a n d a n a l y s i s o f technolo g i c a l o p p o r t u n i t i e s Percent o f t e c h n o l o g i c a l d o m a i n s w i t h i n t h e t e c h n o l o g y i n f r a s t r u c t u r e p l a n t h a t h a v e sub-plan s s p e c i f y i n g c u r r e n t s t a t e . and with limited business and top management direction. f r o m 2 t o 4 ) a c r o s s t h e d i f f e r e n t parts of t h e o r g a n i s a t i o n . Often it is treated as too technical an activity. It considers: Capabili t y o f c u r r e n t i n f r a s t r u c t u r e M o n i t o r i n g t e c h n o l o g y d e v e l o p m e n t s v i a r eliable sources Conducting proof-of-concepts Risk.In larg e r o r g a n i s a t i o n s t h e r e w a s a s p r e a d ( e .t o . services and delivery mechanisms. The group assessed the maturity of Architectural activities based on the CobiT® maturity model (see Appendix).org) defines an Architecture Governance Framework which covers: 61 . g . CobiT® suggests focusing on these key measurable outcomes: N u m b e r of technology solutions that are not aligned with the business strategy P e r c e n t of non-compliant technology projects planned N u m b e r of non-compatible technologies and platforms Decreas e d n u m b e r o f t e c h n o l o g y p l a t f o r ms t o m a i n t a i n Reduced a p p l i c a t i o n s d e p l o y m e n t e f f o r t a n d t i m e . with inadequate or insufficiently skilled resources. This is enabled by creation and maintenance of a technological infrastructure plan that sets and manages clear and realistic expectations and standards of what technology can offer in terms of products. constraints and opportunities Acquisit ion plans Migration strategy and roadmaps Vendor relationships Independent technology reassessment Hardware and software price/performance c h a n g e s Covering the following activities: Technological infrastructure planning Monitoring future trends and regulations Assessing technological contingency P l a n n i n g hardware and software acquisitio n s D e f i n i n g technology standards The group believe that measurement of these activities is difficult and may often rely on perception of trends. This assesses maturity on a scale from 0 to 5.opengroup.The lo w e s t m a t u r i t y w a s i n a b u s i n e s s w h e r e I T h a d r e c e n t l y b e e n o u t s o u r c e d The mat u r i t y l e v e l a s p i r e d t o w a s b e t w e e n 3 + a n d 4 .2 What are the objectives of Architecture Governance? The definitions CobiT® provides for setting technical direction were used to help define the purpose of Architecture Governance: The process of determining technological direction via an IT Architecture satisfies the business requirement to take advantage of available and emerging technology to drive and make possible the business strategy.No org a n i s a t i o n s a w l e v e l 5 a s n e c e s s a r y 11.

reliable architecture at much lower cost and in much faster timescales than agreeing and developing a solution in house (for example hosting services). A capability for setting the direction for technology improvement should be retained in house and often contracts will call for customers to control their own technical direction. Senior management may assume that providers will develop technology to improve productivity – this is not always the case. 62 . The business strategy may depend on an effective IT architecture. they may not be provided. Unfortunately. weaknesses and bad practices in outsourcing arrangements can lead to architectural misunderstandings or restrictions that can be costly or damaging to business performance.IT Governance Developing a Successful Governance Strategy Governance processes Policy management Compliance assessments D i s p e n s a t i o n p r o c e d u r es Monitoring and reporting B u s i n e s s c o n t r o l ( c o m p l i a n c e w i t h t h e o r g a n i s a t i o n ’s b u s i n e s s p o l i c i e s ) E n v i r o n m e n t m a n a g e m ent (the physical and logical repository management) and g o v e r n a n c e e n v i r o n m e nt (administrative processes). On the other hand the provider may enable a customer to adopt a proven. but who defines the architecture in the outsourced situation? The customer should always take control of his own requirements including architectural decisions even if the provider offers existing solutions and approaches. the effective governance of architectures in these situations is a key consideration. Cost will usually be the driving factor in contractual arrangements – who will pay for architectural upgrades? Even when improvements are called for by the contract. Given the significant amount of outsourcing of IT services.

. . . . . . . . they provide an equally significant opportunity to destroy value. . . including quantification of the direct and indirect benefits. . . . . . . . . . . . . . . . . Horror stories abound around the value destruction suffered by major organisations through the failed implementation of IT enabled business investments. which achieves the benefits that were promised. . . . . . . . . . whether IT-related or not. . . . .66 nsuring that value is obtained from investment in information technology is an essential component of IT governance. . . In the case of IT. . . when managed well within an effective governance framework. . Often. . . . . .64 12. . . . high-risk projects should always have an anticipation of a higher return. it is essential to embed active portfolio management into the organisation to maximise value creation and minimise the risk of value destruction. . . . . . . . . . . 63 . . . . . . Several of these elements are either subjective or difficult to measure. . . . . . . . . Other organisations have suffered in a similar fashion. . . . . . . .65 12. both the actual costs and the return on investment need to be managed” (ITGI Board Briefing V2 2004). . . and Southwest Airlines who were able to reduce procurement costs and increase service levels through their supply chain transformation project. . many successful organisations have created value through selection of the right investments. . . . . . . . For effective IT value delivery to be achieved. . . . . . provide organisations with significant opportunities to create value. . . the process needs visibility. . While particularly applicable to IT-enabled business investments. . this is often translated into: competitive advantage. . . leadership and commitment from the top. . . . . .5 Improving value delivery and ROI . Given the volatility of a portfolio of IT-related business projects. . . .66 12. . . . Without effective governance and good management. .3 Benefits management . . . . . . . . Expected return should always be related to risk as. . given the higher likelihood of failure. . . . . . it is essential to establish proper tracking mechanisms to determine the actual value delivered and enable accountability. . . . . . . . . . . 7. 12. . 20% of all expenditure on IT is wasted7.6 Measuring and controlling IT operational costs . . representing. . . Ensuring that the right projects are approved in the first place implies a need for accurate predictive costing of the total project across its lifetime and robust predictions of the potential return. . . . . . . elapsed time for order/service fulfilment. . . . . . annual value destruction of US$500bn according to a 2002 Gartner paper (Gartner. . . . . .63 12. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Managing the IT Investment 12 E Managing the IT investment 12 12. . . . . . . . . failures in IT enabled logistics systems at MFI and Sainsbury in the UK led to multi-million pound write-offs. . . . To ensure that the total process works and becomes part of the culture of the organisation. . . . . . . . . . . . . . . . .65 12. . . . . . . . . . In business terms. . . . . . . . . the ‘’end” is to contribute to the process of value creation in the enterprise. . the need is equally applicable to all investment decisions. . . . . . . . . . . .4 Measuring investment performance . . . . . . . . . . . . . . something all stakeholders need to understand. customer wait time. . . . . . ‘The Elusive Business Value of IT’. employee productivity and profitability. . . .2 Portfolio management . . . . . . . . . As with any aspect of IT governance. . . . . . . . . . . . . . . . . . . . . . . . . August 2002). . . . . . . . . . . . . . top management and boards fear to start major IT investments because of the size of investment and the uncertainty of the outcome. where IT is a means to an end. . . .66 12. . . . . . . . . and successfully managing them through implementation to realising the expected value. . . profit warnings and erosion of share price. . . . .1 Why is managing the IT investment important? “The basic principles of IT value are the on-time and within-budget delivery of appropriate quality. . On the other hand. . . . . . . . . . should be undertaken without full knowledge of the expected cost and the anticipated return. . . . . . . . . IT-enabled business investments. . IT Governance Institute® research on IT Value. . . . . . . . . No investment. Nike reportedly lost more than US$200m through difficulties experienced in implementing its supply chain software. . . . . . . . . . . . . . . . . . . . on a global basis. . customer satisfaction. . .1 Why is managing the IT investment important? . . . .7 Project risk managment . . . . . . . It is then no surprise that there is an increasing demand from boards and executive management for generally accepted guidelines for investment decision-making and benefit realisation. . . . . . . . . . . . . . . . . Examples include IBM who reportedly was able to save more than US$12bn over two years by linking disparate pieces of its supply chain and thereby reducing inventory levels. . . .

The process for managing IT investments can be summarised as developing. Managing portfolios can be difficult and requires sound business judgment as well as disciplined management otherwise projects that may be significant to the business may be overlooked or missed in the detailed management processes. Aligning the portfolio with the strategic direction of the enterprise in order to achieve the right balance of investments. This committee reviews major investments on behalf of the full board and advises on strategic direction. Portfolio management should focus on the total ongoing commitment not only the cost of the initial implementation. The committee should determine prioritisation of IT resources and projects in line with business needs and should be composed of executive management. equities or properties. just as one would a financial investment portfolio of for example. Implementing a decision-making process to prioritise the allocation of resources for IT operations. financial worth (as determined by the p r a c t i c e s o f e a c h e n t e rprise). temporary people or contractors who will also be more likely to give objective assessments. monitoring standards. It can be difficult to find and keep the appropriate people in place for this kind of work. Projects can be very hard to stop. t o g e t h e r w ith existing IT services and assets. This committee structure will provide the oversight and direction of IT investments. maintenance and systems development in order to manage and deliver an optimal return on the IT portfolio. The process should enable the effective and efficient use of IT resources and provides transparency and accountability into the benefit realisation.g. Essential elements in this process are benefit and cost justification. total cost of ownership and return on investment of IT. both delivery risk (the risk of not delivering a c a p a b i l i t y ) a n d b e n e f its risk (the risk of not realising the expected benefit from the capability). although it is a good practice to review projects on a regular basis and cancel those that are not likely to deliver value. as part of corporate governance. Portfolio management is needed to balance and prioritise between new projects and the operating costs of existing systems. The role of IT Councils Organisations should establish an IT Council (or Strategy Committee or similar group) at board level to ensure that IT governance. IT-enabled business investments can bring huge rewards with the right governance and management processes and full commitment from all management levels. Portfolio Monitoring Having created an investment portfolio approach. For example. H a v i n g e v a l u a t i o n c r i t eria in place that should include. and approved individual investment programmes. Below this committee an IT steering committee (or equivalent) should be established to oversee the IT function and its activities and developing IT plans. ensuring accountability at senior level and proper involvement of all stakeholders. Experience has shown that it can be effective to use bright. operating and maintaining financial controls over IT investments and expenditures in line with the IT strategic and tactical plans. at a minimum: alignment w i t h t h e e n t e r p r i s e ’s strategic objectives. It consists of: W o r k i n g w i t h t h e b u s i n ess to establish and maintain a portfolio of new and existing I T. 64 . Like all governance activities decisions made at the top level regarding the portfolio investment approach must be communicated down to individual programmes and projects and be monitored.e n a b l e d i n v e s t m e n t programmes that are needed to achieve business goals a n d w h i c h . budget ownership and accountability and control of actual spending. Building a portfolio that recognises that there will be a variety of categories of investment which will differ both in complexity and in the degree of freedom in allocating funds. targets and deliverables. via outsourcing or establishing shared services. business and IT representatives. and risk. form the basis of the IT budget. 12. Costs need to be monitored as well as cost reduction in business areas and revenue generating potential in the business. Real portfolio management implies a group at the top with an overview of priorities and what is needed – otherwise decisions will be based on relationships and sometimes “who shouts loudest” rather than an objective analysis. implementing. It can lead to possible savings on operating costs – e.IT Governance Developing a Successful Governance Strategy The message is clear. projects that are significant to aligning with the business strategy or small initiatives that are critical opportunities may be overlooked. It is recommended that a project office be established working at the programme level. The portfolio should also be monitored to ensure continuous alignment with strategic business drivers which may be changing with time and with risk factors – both internal to projects and externally. there is a need to monitor (post sign-off) all active programmes.2 Portfolio management Portfolio management is a good practice for coordinating any group of investments and can be effectively applied to IT investments. is adequately addressed.

In practice though. Investment performance assessment should review how the products of IT activities are performing – not just IT as such but the whole process. For more guidance refer to www. This may be because of job movement in the business. or as part of regular operational support a n d t h e n a g r e e d . o r w h e r e c h a n g e s t o o t h e r r e l a t e d p r o j e c t s i m p a c t t h e p r o g r a m m e The IMPACT IT Governance SIG members believe that seldom does true benefit monitoring take place. It is designed to be applied to delivery programmes and procurement projects. The OGC Gateway Process provides assurance and support for Senior Responsible Owners (SROs) in discharging their responsibilities to achieve their business aims.4 Measuring investment performance Management should establish a general monitoring framework and approach that defines the scope. The main reason though is probably a lack of willingness for the senior business sponsor to take ownership and accountability for monitoring benefits.ogc. either as a compon e n t o f I T. it will be impossible to know whether a return on the investment has been realised. The objectives of benefits management should include: Impleme n t a t i o n o f a b e n e f i t m o n i t o r i n g p r o c e s s .e n a b l e d i n v e s t m e n t p r o g rammes. Business sponsors should manage benefits but usually they do not. it seems this is rarely done for IT investments. the methodology and the process to be followed for monitoring IT’s contribution to the results of the enterprise’s portfolio management and programme management processes. Investment oversight and the drive to apply discipline to the monitoring process should be directed by the IT Council or management team via a standard process. The framework should be integrated with the corporate performance management system. Identific a t i o n o f I T ’s e x p e c t e d c o n t r i b ution to business results.4 65 .gov. Reportin g o p p o r t u n i t i e s t o i m p r o v e I T ’s c o n t r i b u t i o n . Many lessons can be Figure 12.uk. m o n i t o r e d a n d r eported on.Managing the IT Investment 12 Acquisition programmes and procurement projects in the UK central civil government are subject to OGC Gateway Reviews. 12. a p p r o p r i a t e a c t i o n s s h o u l d b e defined a n d t a k e n . The objective is to assess the overall performance of the portfolio of investments. The OGC Gateway Process examines a programme or project at critical stages in its lifecycle to provide assurance that it can progress successfully to the next stage. the process is based on well-proven techniques that lead to more effective delivery of benefits together with more predictable costs and outcomes. 12.3 Benefits management Monitoring whether or not benefits are being delivered is a key aspect of investment management. Updating t h e p r o g r a m m e b u s i n e s s c a s e w h e r e c h a n g e s i n I T ’s c o n t r i b u t i o n i m p a c t the prog r a m m e . or because the business owner of change is often not the operational owner of the benefits. including those that procure IT-enabled business change. Without it.

together with the business sponsor of those programmes.Proof of concept need e d ? 8. Doing this may be costly – especially if carried to too low a level.c y c l e . providing an independent monitoring function. if necessary. identifying.Need for market testin g .Will the customer wan t i t ? . Setting actual targets and metrics should be driven by the stakeholders who should also approve and monitor them. monitoring and controlling the areas or events that have the potential to cause unwanted change. I T. If the costs are recorded and analysed down to the lowest “service” level. Where there are deviations. e v a l u a t e d a n d i m p r o v e d .e n a b l e d i n v e s t m e n t s a n d t h a t I T ensures optimisation of t h e c o s t s o f d e l i v e r i n g I T c a p a b i l i t i e s a n d s e r v i c e s . and there are often opportunities to optimise these ongoing costs. p r o g r a m m e a n d p r o j e c t m a n a g e m e n t . e x a m p l e s o f e x t e r n a l b u s i n e s s related risk include: . IT Governance Institute®. A disciplined approach i s e n f o r c e d t o p o r t f o l i o .6 Measuring and controlling IT operational costs When managing IT investments. In this context project risk management should focus on the following: Risk assessments that l o o k b e y o n d t h e i n t e r n a l s o f t h e p r o j e c t Identifying the factors t o b e c o n s i d e r e d i n a d v a n c e i n a “ r i s k r e g i s t e r ” Tracking these items on a continuous basis Understanding the proximity of the risk – when might it hit? Evaluating the severity of the risk to determine the frequency of monitoring needed Risks considered to be h i g h s h o u l d b e c l o s e l y m o n i t o r e d – b y t h e s t e e r i n g c o m m i t t e e if appropriate – and fee d b a c k s h o u l d b e o b t a i n e d Project risks that relate t o e x e c u t i o n a n d d e l i v e r y . Its purpose is to eliminate or minimise specific risks associated with individual projects through a systematic process of planning. ValIT Framework.e n a b l e d i n v e s t m e n t s a r e m a n a g e d t h r o u g h t h e i r f u l l e c o n o m i c l i f e . Technology investments a r e s t a n d a r d i s e d t o t h e g r e a t e s t e x t e n t p o s s i b l e t o a v o i d the increased cost and c o m p l e x i t y o f a p r o l i f e r a t i o n o f t e c h n i c a l s o l u t i o n s . Value delivery practices a r e c o n t i n u a l l y m o n i t o r e d . Va l u e d e l i v e r y p r a c t i c e s e n g a g e t h e b u s i n e s s a n d a s s i g n a p p r o p r i a t e a c c o u n t a b i l i t y for the delivery of capabilities and the realisation of business benefits.7 Project risk management Project risk management is a very valuable process. then the business can decide whether to use the service. analysing. responding to. the programme business case should be updated.e n a b l e d i n v e s t m e n t s are managed as a portfolio of investments.e n a b l e d i n v e s t m e n t s i n c l u d e t h e f u l l s c o p e o f a c t i v i t i e s t h a t a r e r e q u i r e d t o achieve business value. appropriate remedial action should be taken and. The operational budget is likely to be a much larger financial amount than new investments. Va l u e d e l i v e r y p r a c t i c e s define and monitor key metrics and respond quickly to any changes or deviations. It can include a focus on costs and benefit realisation. 12. I T.5 Improving value delivery and ROI 8 To optimise the business value realised from IT-enabled investments it is recommended that : I T. insisting that the busine s s t a k e s o w n e r s h i p o f a l l I T.IT Governance Developing a Successful Governance Strategy learnt from analysing why projects are successful or not successful. 66 . so it is most effective to focus on significant services and cost areas. these should be identified in a timely manner and the impact of those deviations on programmes should be assessed and. It is therefore recommended that a cost management process be implemented comparing actual costs to budgets. 12. there is a tendency to concentrate on new projects rather than ongoing operations. 12. Costs should be monitored and reported.

achieving successful oversight of IT takes some time and will involve continuous improvement. Make sure you enable and motivate these changes. In most enterprises. Remember that implementation involves cultural change as well as new processes. Obtain top management buy-in and ownership. This needs to be based on the principles of best managing the IT investment. The goal is to make governance “business as usual”. Manage expectations. 67 .Success Factors 13 Success Factors 13 Focus on the following success factors: Treat IT governance initiatives as a project not a ‘one-off ’ step.

it is a challenge just knowing where to start. DfES. This Guide forms part of the NCC ‘Best Practice’ Guides series and is intended to be of practical use for decision makers in IT. across the broadest range of professionals and experts. Avis. Oxford Road. heightened focus on corporate governance. and TUI Group examined the key challenges. Royal Mail. This guidance is achieved through industry consensus. Barclays. Learning & Skills Council. it has never been more important to ensure your organisation governs the use of IT properly. IT governance initiatives are already transforming the way their organisations take responsibility for IT. Recognising the challenges faced by CIOs in establishing effective IT governance. It is presented in a form that should help you to understand better how to guide successful IT governance initiatives and make effective management and control of IT resources “business as usual”. heads of IT governance from Abbey. Over the past two years. 76 Shoe Lane. Against this background. BOC.NATIONAL COMPUTING CENTRE IT Governance Developing a successful governance strategy A Best Practice guide for decision makers in IT Throughout the past five years. This IT Governance Best Practice Guide is a comprehensive insight of the principles and practices that the group put together. The result. but also practical approaches for organisations to follow. For others. They must now demonstrate to auditors that IT systems which support financial reporting. The IMPACT Programme International Press Centre. Manchester M1 7ED Tel: 0161 242 2121 Fax: 0161 242 2499 M . all adding to the pressure on IT Directors and CIOs. With corporate governance on every boardroom agenda and increasing scrutiny of IT’s performance . London EC4A 3JB Tel: 0207 842 7900 Fax: 0207 842 7979 National Computing Centre Oxford House. managed by NCC. For some many businesses.IT governance has become a hot topic around the world. Aon. NOMS. They shared successful approaches and defined best practice. we have witnessed unparalleled corporate scandals and failures in global businesses. the NCCs IMPACT Programme launched an IT Governance Special Interest Group (SIG). stricter regulations and new directors’ responsibilities. Marsh. as well as monitor and manage business performance are based on sound management systems and controls. Its aim was to identify not just the issues that need to be addressed. Legal & General. Eli Lilly.

00 Non NCC Members .ISBN 0-85012-897-8 £35.00 NCC Members £50.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->